Waking Up To Compliance Risk
Do you know what your legal exposure is?
degree of integrity attached to them. Certainly, in the current Sarbanes-Oxley environment, there is an expectation by regulators that compliance officers, assisted by independent counsel, will exercise the degree of independence necessary to implement an effective compliance and ethics program.
Further, since risk assessments involve evaluating compliance with applicable laws and regulations and assessing potential legal exposure, the use of independent counsel may better enable the assertion of the attorney-client privilege or work product doctrine to protect the findings from compelled disclosure.
1. Identify Global Risks
The first step in the CRM process is for the chief compliance officer or independent counsel to identify global risks. Knowledge about a company’s business practices, prior history, prior compliance exposure, and its industry’s compliance exposure when measured against applicable legal and ethical standards will yield a list of global risk activities. Global risks are identified by implementing a due diligence process focused on key interviews and document review.
Due diligence interviews should begin with internal legal counsel, who can provide critical judgments on the application of legal principles to business practices. Interviews also should target key employees who can provide information on business operations, systems applications, financial reporting, internal audits, hotline calls, and disciplinary actions.
Document review should include corporate governance documents, relevant internal audit reports, recent financial disclosures, self-evaluative reports, hotline call reports, customer complaint logs, internal investigation reports, employee surveys, sales and marketing plans, and various business presentations relating to business practices, plans and operations.
2. Prioritize Risks
After risks have been identified, they need to be prioritized based upon likelihood of occurrence of compliance violations and severity of likely violations (e.g., lawsuits, fines, damage to reputation) to determine the major compliance threats to the organization. Determinations of likelihood and severity are based upon an analysis of both objective and subjective criteria. Objective criteria include past FERC enforcement activity, current FERC enforcement guidance and investigations, and the frequency of consumer or market participant complaints. Subjective criteria include perceived exposure based upon findings in internal audits and investigations, and employee disgruntlement caused by workplace conditions, reorganizations, or dysfunctional channels of communication that can manifest itself in whistleblower activity.
In addition, the status of the control environment greatly affects determinations of likelihood and severity. Internal controls are designed to mitigate the risk inherent in undertaking a business activity. Strong internal controls make compliance violations less likely to occur and minimize the severity of those violations. The evaluation of the control environment considers any relevant process, procedure, policy, practice, or people in place to mitigate identified risks. An assessment of controls is necessary because a determination of whether a control is effective, partially effective or ineffective affects the prioritization of the residual risk that remains after the application of the control. The responses received from due diligence interviews that characterize risks and describe the status of the control environment further enable an assessment of likelihood and severity.
All business activities involve some measure of inherent risk. Depending upon the effectiveness of controls put in place to manage risks, the residual risks resulting after the