Understanding and Optimizing Legal & Regulatory Risk Management

Transcription

1 The 360 approach to compliance and risk management Understanding and Optimizing Legal & Regulatory Risk Management SPEAKER: Steve McGraw Compliance 360, Inc., President & CEO Agenda Credits Overview of ERM Legal and Regulatory Definition Issues Solution Examples Best Practices Recommendations 2

2 Credits Mark S. Beasley, PhD, CPA Director, Enterprise Risk Management Initiative Board Member of Committee of Sponsoring Organizations of the Treadway Commission (COSO) Dana R. Hermanson, Ph.D. Dinos Eminent Scholar Chair of Private Enterprise Professor of Accounting at Kennesaw State University Customers 3 ERM An Overview of the Basics By definition: o ERM is a process, o effected by an entity s board of directors, management, and other personnel, o applied in a strategy setting and across the enterprise, o designed to identify potential events that may affect the entity, o manage risks to be within its risk appetite, o to provide reasonable assurance regarding the achievement of entity objectives. Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) (see 4

3 ERM Technology Risk Appetite/ Risk Tolerance Enterprise not just selected silos of risk A process that is ongoing, living & systematic Consideration of risks on portfolio basis Heavily integrated with business strategy Focus is on coordinated program for identification, measurement, assessment, and response to risks primarily across 2 dimensions Probability (Likelihood) Criticality (Consequence/Impact) Controls (Processes that mitigate the risk) Key part of entity s corporate governance Responsibility of senior management and board Pushed down to key business segment management 5 Traditional Risk Management Approach Legal Reg. Operations Finance Weather Environment IT Strategic Market Geo Political Silo or Stove-Pipe Risk Management 6

4 Traditional Risk Management Approach Valuation Creation and Preservation Enterprise Focus on Legal Reg. Operation s Finance Weather Environment IT Strategic Market Geo Political 7 What is Legal & Regulatory Risk? Definition: associated with the uncertainty of violating laws or regulations. POSITIVE The company may be the beneficiary of legal or regulatory risk if another party is the violator (e.g. contract violation) and the company is able to successfully sue. NEGATIVE Risk that company may INTENTIONALLY or UNINTENTIONALLY violate a law, contract, or regulatory provision and face potential litigation which could lead to cash loss and could impact enterprise by triggering other risks such as reputation loss, customer backlash, employee embarrassment, etc. THUS, LEGAL/REG RISK COULD BE BOTH POSITIVE AND NEGATIVE (BUT MOSTLY NEGATIVE) 8

5 What is Legal & Regulatory Risk? 9 Major Issues Associated with L&R Risk Exposure to fines by regulatory agencies Significant workload by legal & regulatory staff Blind sided by newly enacted laws, new regulatory trends My competitor s problem could be my problem Managing legal & regulatory risk outside legal & regulatory department HUGE uncertainty as to what may trigger it. (What might be deemed LEGAL today, might be deemed as ILLEGAL tomorrow as the culture shifts over time.) 10

6 Legal and Regulatory Risk Leakage Example Valuation Creation and Preservation Enterprise Focus on Legal Reg. Operations Finance Weather Environment IT Strategic Market Geo Political Privacy laws Data Breach Brand Erosion 11 Legal and Regulatory Risk Leakage Example Valuation Creation and Preservation Enterprise Focus on Legal Reg. Operations Finance Weather Environment IT Strategic Market Geo Political CMS announces RAC Coding Compliance Lost Revenue S&P, Moody s Ratings 12

7 Recent High Profile Example 13 Recent High Profile Example Negative Press 14

8 Recent High Profile Example Negative Press Barbie toys make up the majority of the recall 15 Recent High Profile Example Mattel Earnings Press Release Q4 Sales up 4% Q4 Earnings down 7% 16

9 Recent High Profile Example Mattel Stock Price Chart 1 st Recall Announced 2 nd Recall Announced Earnings Warnings Announced 17 Major Components of Legal & Regulatory Risk 18

10 1. Early Warning System Legislative and regulatory notification and awareness notification of newly proposed law Notification of newly enacted law Notification of newly proposed regulations Notification of final regulations Notification of regulatory enforcement actions Alerting of news and announcements by political figures, agency heads and other influential public figures 19 Early Warning Tools (Free Alerts) WSJ Online Google Key legislator s newsletter via CMS subscription RSS Feeds 20

11 Early Warning Tools (Free) Newspapers 21 Early Warning Tools (Free) Google Alerts 22

12 Early Warning Tools (Free) Key Legislative Newsletters 23 Early Warning Tools (Free) CMS Subscription 24

13 Early Warning Tools (Free) Web Sites 25 Early Warning Tools (Free) Law Firm Newsletters 26

14 Premium Services American Health Lawyers Association Lexis Nexis WestLaw Wolters Kluwer FastCase Risk-Based Impact Assessment Assess company s impact with a risk-based approach A knowledge base of applicable laws and regulations The current legal interpretation A repository of previous opinions The responsible party(ies) for implementing changes The impact to your Enterprise Risk Framework (ERM) 28

15 Example IRS Form 990 Sen. Grassley Letter to MD Anderson Cash Before Chemo Sen. Grassley Letter to Non-Profits New Federal Legislation? Change / Project Management Make sure to have an automated, consistent management process of Legal & Regulatory Risk 1. Legal and/or compliance personnel alerted to an issue 2. The issue is documented and tracked electronically 3. Management in legal will rank order the issue by risk classification 4. Legal and compliance agree on the risk and controls implementation 5. Compliance reviews (tests) the Policies & Procedures and controls on for each issue 6. Compliance determines if the testing of the controls is effective 7. Compliance works with the business owners to educate and manage the compliance process at the business level/unit 8. Results from controls testing and other processes are reported to the ERM 30

16 4. Controls & Controls Monitoring Establish controls and monitor and test controls on a regular basis Robust Policy & Procedures System Independent Controls Testing Frequency Testing Failures What to do next? Document & Communicate 31 Process Flow New Issue Legal Legal Compliance Alert Document Issue Risk Ranking Review Current Policies & Controls Control Testing Legislative Influence Government Affairs Communicate To Business Owners 32

17 Organizational Legal Privacy Compliance Alert Issue Category? BSA/USA PA Eastern States Legislative Influence Western States Government Affairs Communicate To Business Owners 33 Additional Recommendations Ensure strong legal counsel Ideally, keep legal, compliance and related data in one system of record. Be proactive in anticipating potential drivers of legal risks Look for factors that drive change such as new political appointee or increase scrutiny in adjacent markets and then respond to those risks proactively 34

18 THANK YOU Contact Information: Steve McGraw Chief Executive Officer Compliance 360, Inc