Waking Up To Compliance Risk

Do you know what your legal exposure is?

Fortnightly Magazine - September 2006

The recent criminal convictions of Kenneth Lay and Jeffrey Skilling close another chapter in the long-running Enron drama, but the impact of this drama on the way corporate America is governed will be felt well into the future.

As the seventh largest U.S. enterprise and the crown jewel of the energy industry, Enron has provided lessons for both corporations generally as well as the energy industry specifically. Predictably, the Enron debacle has spawned a plethora of regulatory reforms—from the broad-ranging corporate governance dictates of the Sarbanes-Oxley Act of 2002 to the specifically tailored proscriptions of the Energy Policy Act of 2005 (EPACT).

How can energy market participants effectively manage the risks inherent in complying with those regulatory reforms?

Congress expresses itself clearly in EPACT. It wants more active enforcement by the Federal Energy Regulatory Commission (FERC), especially against energy market manipulation. It directs FERC to promulgate a rule to protect natural gas and electricity ratepayers from such manipulation.

Armed with enhanced enforcement and penalty authority granted in EPACT, FERC recently adopted a rule detailing broad prohibitions on energy market manipulation.

Compliance Risks

Compliance risks are threats to an organization’s strategy, operations, financial condition, and reputation resulting from a failure to comply with laws, regulations, internal policies and procedures, ethical standards, and customer expectations. The energy industry has faced some major compliance threats in the very recent past. At the forefront are the allegations of market manipulation of electricity and natural-gas prices in the West, ultimately resulting in settlements totaling more than $6 billion. Enron and other power-trading companies were found to have manipulated prices through sham transactions, collusion, and gaming activities. Though not as widely publicized, compliance threats also have resulted from allegations or findings of preferences afforded affiliates, failures to abide by codes/standards of conduct, and other violations of federal energy laws and regulations.

While intentional unscrupulous behavior always will create compliance risks, unintentional operational failures also can generate such risks. When the lights go out for any reason other than obvious force majeure, there almost inevitably will be compliance consequences. In the risk-management world, operational risks are exposures to loss resulting from inadequate or failed internal processes and systems, and can manifest themselves in errors and business interruptions. The August 2003 blackout highlights the operational risks faced by the energy industry. Although the blackout was the result of violations of voluntary reliability standards, those standards are now mandatory and enforceable. Moreover, even with the voluntary standards, the operational failures that caused the blackout had many compliance consequences.

Compliance Programs

EPACT upped the compliance ante for public utilities by granting FERC enhanced enforcement authority and the power to assess civil penalties in a wider scope of violations, up to $1 million per violation per day. EPACT also increased the penalties for criminal violations of energy laws. Further, FERC’s new market manipulation rule provides it with expansive enforcement authority to pursue “any entity” for fraudulent conduct in connection with jurisdictional transactions.

FERC’s recent Policy Statement on Enforcement encourages energy companies to implement comprehensive compliance programs, self-report violations, and cooperate with FERC in investigating violations. FERC has committed to give mitigation credit for formal compliance programs fully supported by senior management with the capability to prevent, detect, and address violations of law and regulation.

In listing the steps of an effective compliance approach, the commission drew heavily upon the compliance and ethics program standards delineated in the federal sentencing guidelines. Those guidelines entitle an organization to seek mitigation of punishment for a federal criminal offense if the enterprise has implemented an effective compliance program. The guidelines contain program standards that have become “best practices” for compliance programs in corporate America.

Self-reporting also is an important element of an effective compliance program entitling a company to mitigation. The FERC enforcement policy delineates the circumstances under which self-reporting warrants mitigation credit. In short, prompt and full self-reporting of violations, coupled with steps to correct the adverse impact on customers or third parties from the misconduct, may result in significant reductions in the amount of civil penalty or even no civil penalty being assessed. Finally, FERC will reward exemplary cooperation that quickly ends wrongful conduct, determines the facts, and corrects a problem.

Compliance Risk Management

The key premise underpinning the sentencing guidelines is that effective compliance and ethics programs are grounded in an organization’s periodic assessment of compliance risks. Unless an organization is aware of its major compliance risks, it cannot possibly design and implement a program to ameliorate those risks. Knowing the key compliance threats enables an organization to tailor policies and procedures, training, and audits to address those threats.

Energy companies should consider compliance risk management (CRM) as a tool for evaluating and improving the effectiveness of compliance controls. CRM is a structured approach to managing major compliance threats that avoids surprises through a methodical process of: (1) identifying compliance risks; (2) assessing and prioritizing those risks; (3) putting in place compliance controls to manage those risks; and (4) auditing and monitoring the effectiveness of those controls on an ongoing basis.

To ensure that risk assessment findings are accorded credibility and deference within an organization, the process of identifying, assessing and prioritizing compliance risks should be managed by an independent department within the organization. The most defensible approach is for the risk assessment to be conducted by the chief compliance officer with the assistance of independent outside legal counsel or by independent counsel alone. Independent counsel would be free of actual or apparent conflicts of interest and, as such, the risk assessment is more likely to produce findings that are unbiased and therefore less likely to be impeached if challenged. Risk assessment reports that delineate the compliance threats to an organization are just as critical to the health of an enterprise as independent auditor reports and should have the same degree of integrity attached to them. Certainly, in the current Sarbanes-Oxley environment, there is an expectation by regulators that compliance officers, assisted by independent counsel, will exercise the degree of independence necessary to implement an effective compliance and ethics program.

Further, since risk assessments involve evaluating compliance with applicable laws and regulations and assessing potential legal exposure, the use of independent counsel may better enable the assertion of the attorney-client privilege or work product doctrine to protect the findings from compelled disclosure.

1. Identify Global Risks

The first step in the CRM process is for the chief compliance officer or independent counsel to identify global risks. Knowledge about a company’s business practices, prior history, prior compliance exposure, and its industry’s compliance exposure when measured against applicable legal and ethical standards will yield a list of global risk activities. Global risks are identified by implementing a due diligence process focused on key interviews and document review.

Due diligence interviews should begin with internal legal counsel, who can provide critical judgments on the application of legal principles to business practices. Interviews also should target key employees who can provide information on business operations, systems applications, financial reporting, internal audits, hotline calls, and disciplinary actions.

Document review should include corporate governance documents, relevant internal audit reports, recent financial disclosures, self-evaluative reports, hotline call reports, customer complaint logs, internal investigation reports, employee surveys, sales and marketing plans, and various business presentations relating to business practices, plans and operations.

2. Prioritize Risks

After risks have been identified, they need to be prioritized based upon the likelihood that a compliance violation will occur and the severity of the likely consequences (e.g., lawsuits, fines, damage to reputation) to determine the major compliance threats to the organization. Determinations of likelihood and severity are based upon an analysis of both objective and subjective criteria. Objective criteria include past FERC enforcement activity, current FERC enforcement guidance and investigations, and the frequency of consumer or market participant complaints. Subjective criteria include perceived exposure based upon findings in internal audits and investigations, and employee disgruntlement caused by workplace conditions, reorganizations, or dysfunctional channels of communication, which can manifest itself in whistleblower activity.

In addition, the status of the control environment greatly affects determinations of likelihood and severity. Internal controls are designed to mitigate the risk inherent in undertaking a business activity. Strong internal controls make compliance violations less likely to occur and minimize the severity of those violations. The evaluation of the control environment considers any relevant process, procedure, policy, practice, or people in place to mitigate identified risks. An assessment of controls is necessary because a determination of whether a control is effective, partially effective or ineffective affects the prioritization of the residual risk that remains after the application of the control. The responses received from due diligence interviews that characterize risks and describe the status of the control environment further enable an assessment of likelihood and severity.

All business activities involve some measure of inherent risk. Depending upon the effectiveness of controls put in place to manage risks, the residual risks resulting after the application of controls can be high, medium, or low. High risks have the potential to result in significant exposure to regulatory fines and penalties, costly business impacts, or significant damage to reputation. High risks require immediate action. Medium risks have the potential to result in serious but limited exposure to regulatory, business, or reputational injury. Medium risks require close attention. Low risks have the potential for a modest regulatory, business, or reputational impact, and, therefore require only routine action. However, low risks should not be ignored. It is possible that a low residual risk will become a medium or high risk over time, which is why these risks need to be periodically reviewed and appropriate action needs to be taken.

3. Manage Identified Risks

After compliance risks have been identified and prioritized, the effectiveness of the control environment needs to be tested by subjecting controls to hypothetical yet plausible risk scenarios to determine whether they are robust enough to manage a range of risk variations. Scenario analysis assesses the effectiveness of internal controls to manage risk variations caused by one or more events, e.g., a blackout, or volatile spot-market prices.

The results of this analysis will facilitate a determination of whether compliance risks are being managed properly through various approaches, including risk avoidance, and risk acceptance coupled with mitigation (e.g., training, internal controls). If there is a high probability that a risk activity will result in a severe compliance violation, a company likely will avoid the activity altogether. However, most risk activities are managed through various internal controls to prevent violations of law (e.g., separation of duties and functions will minimize conflicts of interest; a management information system that ensures transparency in reporting will reduce the incidence of fraud and misstatement in financials; ethics training will drive integrity in decision making).

4. Audit and Monitor Control Effectiveness

Organizations must audit and monitor internal controls put in place to prevent and detect violations of law. The separation of functions between departments that develop controls (business process owners) and the departments that audit controls is critical to validate the effectiveness of controls. Internal audit departments periodically must evaluate the effectiveness of compliance controls, which includes developing protocols for periodically testing controls. Internal audit departments also must regularly review exception approvals by type and frequency in determining the effectiveness of policies and mitigating controls. For example, waiving conflict of interest rules to allow senior executives to have a stake in an off-balance sheet entity that does business with the company could weaken controls designed to safeguard company assets and business opportunities, and protect against fraud and other improper activities.

In addition to internal audit departments, various other departments also audit and monitor compliance with internal controls. For example, law departments audit and monitor for violations of law in business areas they counsel. Likewise, human-resource departments audit and monitor for violations of various employment laws.

Business-process owners responsible for internal controls need to be held accountable for keeping controls up to date and effective. A control that is effective today could be ineffective tomorrow because of changing circumstances. If control weaknesses are detected, the timetable for corrective action should be governed by the risk ratings (discussed above).

CRM enables an organization to better anticipate compliance problems, thereby avoiding surprises, through a better understanding of how compliance risks evolve. In addition, CRM improves the decision-making process by providing more information on compliance risks and mitigating strategies, thereby assisting managers in better understanding risk/reward tradeoffs.

Before the enactment of EPACT, FERC brought some significant enforcement actions and suggested that its penalties would have been tougher had it the authority to impose them. Now that FERC has that expanded penalty authority, we can expect that FERC will use it. The stakes are higher now. That is why the need for CRM is so much more compelling. CRM enables energy companies to self-police their conduct by identifying, assessing, and correcting compliance problems before they are discovered by regulators. Moreover, given the recent damage to the franchise value of several major corporations, having an early warning process in place capable of detecting compliance threats is a sound and essential risk-management tool.