Evaluating Your GRC Program’s Effectiveness

Last week I traveled to Houston to be a part of the SCCE’s 2011 Utilities, Energy Compliance & Ethics Conference. While there, I was fortunate to host a panel discussion with three great compliance professionals representing Schlumberger, ConocoPhillips and Chesapeake Energy for an audience of compliance professionals in the energy industry. During our presentation and following discussion, I was able to electronically survey the audience to learn where they stood on the questions we were discussing as a panel.

Four questions were asked. Each was designed to capture a general understanding from the utilities & energy audience’s perspective and was not intended to be statistically relevant. What we anonymously collected was a frank internal perspective on how they view their current GRC programs.

The multiple choice questions and results are as follows:

Where do you believe your company’s compliance program is in terms of maturity and effectiveness?

No one in the room believed that they had an “optimized” program and most considered their program “a work in progress.”

What drives your desire to assess your program’s overall effectiveness?

While the operational and regulatory risks represented the majority of thoughts in the room, it was great to see 22% of the audience acknowledge that a well-functioning GRC program is, simply, good for business.

What is the biggest hurdle you faced, or are facing, while developing your compliance program?

Tracking consistently with recent surveys I’ve read regarding GRC funding availability in 2011 the lack of “financial support” was not considered a significant hurdle. The “lack of resources” was presented as a combination of “people, process & technology” available to the compliance organization. When the survey results were shown, I asked if “organizational complexity” was a new problem and learned that keeping abreast of employee count, geographies served, number of business units and sub-contractors utilized has long been the most daunting task for this audience.

How are you currently managing your compliance matters?

No real surprises here. This information tracks with several of the recent surveys that state more than 50% of compliance professional operate with off the shelf, or limited tools, to manage their compliance programs.

As the discussion continued, a number of people in the audience engaged with the panel around other GRC-related concerns. They included the transition of the Federal Energy Regulatory Commission (FERC) from regulatory agency to enforcement agency as well as the continued expansion (and conflicts) of global regulatory mandates. FERC concerns are not limited to energy and utility organizations, as most regulatory agencies have moved to an enforcement model. Both concerns underscore the need for a comprehensive compliance program that transcends traditional Enterprise Risk Management (ERM). Successful programs allow organizations to broadly collect and analyze data on their current state of affairs. I have been evangelizing transparency into operational risk events for the past five years because working from the actual risks you face versus the perceived risk you think you might face not only illustrates an effective risk and compliance program, it is simply good for business.

If you had been in the audience in Houston, how would you have respond to the survey about your organization’s compliance program effectiveness?

Recent Changes to the UK Bribery Act Parameters

Monday's Daily Telegraph in London disclosed that the Act will loosen its grip on corporate hospitality, be more understanding with facilitation payments – as long as the payments are not considered “serious” – and extends plausible deniability to companies who find themselves involved in questionable joint ventures.

We are still waiting to see how the Ministry of Justice and SFO will outline the adequate procedures, but they are heading in the right direction. These recent adjustments will enable multinational companies with UK interests to operate rationally without eminent fear of retribution.

The UK Bribery Act – Hurry Up and Wait

For most multinational organizations the UK Bribery Act has caused a great deal of concern. Not totally dissimilar from the Foreign Corrupt Practices Act, it does have some unique differences such as disallowing facilitation payments and much broader jurisdictional reach. Organizations have accelerated their preparations only to be kept waiting for the official guidelines to be issued by the UK Serious Fraud Office. On February 2, 2011, the Serious Fraud Office announced that the twice delayed April 2011 effective date would now be sometime this “autumn.” This begs the question, why are we still waiting?

Do our colleagues across the pond really need help putting together the guidelines around defining bribery? Or establishing adequate procedures to mitigate bribery and corruption? Riddle me this…we are talking about a concept that is as old as Judas, and the US has been refining the Foreign Corrupt Practices Act (FCPA) for over thirty years! With an active FCPA “template” that has levied fines in the billions of dollars the past three years, developing the UK’s regulatory guidelines around bribery and corruption should not be this arduous. But do they really need the FCPA? The UK signed the anti-bribery convention – and has its language – in accordance with OECD more than 10 years ago. In my mind, there is no technical reason why the UK is having trouble developing a bribery policy.

But observers protest that is only half the problem– what about the defining the guardrails for adequacy in mitigation and potential injunctive relief? No good template you say? Au contraire! The US Sentencing Guidelines – and specifically Chapter 8 of the guidelines – have been around since 1991 and were revised again last year. So what is the hold up?

I could be a bit of an ugly American here and suggest that the Brits are simply distracted from the task and more consumed with high tea, Manchester United’s march to the EPL Championship, or preparing diligently for the Chelsea Flower Show than getting the Act fully promulgated. But my jest aside, this problem is completely political.

The reality is the change in government after the recent election and aggressive lobbying from UK business have created this delay. I have the utmost respect for Vivian Robinson, the General Counsel for the SFO. Robinson is bright, engaged and dedicated to the task. He knows what to do, but he must gain consensus in the UK government before announcing the guidelines. I will be moderating a panel in London the end of March where Robinson will be sharing his views. I sincerely look forward to learning from him and sharing with you after our meeting.

So let me turn the tables. What is keeping corporations who do business in England, Ireland and Scotland from taking appropriate steps to mitigate their impending risk? Multinational companies who contend with FCPA are already 95% compliant. Most do a good job of defining appropriate facilitation payments and controlling them. All indications are that the SFO will be logical with their view to these payments. But what is keeping the rest of these companies doing business in the region, especially the ones who comprise the “extended enterprise” of most multinationals, sitting on the sideline?

The writing on the wall is clear, but it seems that unfortunately we continue to confuse good business practice with regulatory requirement. Mitigation of bribery and corruption is good for business and good for the global economy. So, in my opinion, it is time to do what is right – even without a looming legal mandate.

Does anyone else share my opinion?

French Rules on Whistleblower Hotlines are Changing

As many of you operating globally know, the laws and regulations in differing countries can prove tricky to navigate. There have been changes recently in the way an organization can operate whistleblower hotlines in France that will be of interest to our multinational clients. In October 2010, the Commission nationale de l'informatique et des libertés (or CNIL), the French data privacy regulatory body, amended the “single authorization” method for whistleblower hotlines. The amendments included both a clarification and broadening of the scope of acceptable issues organizations can receive through the hotline and still be in compliance with the single authorization.

The October amendments removed the ability to capture issues of “vital interests [to] the company or moral or physical integrity of the employees.” However, the CNIL did broaden the scope of reportable issue types to include issues related to anti-competition practices, Sarbanes-Oxley and Japanese SOX. Accordingly, the CNIL clarified that the single authorization method will allow reporting on all of the following: finance/accounting, banking, fight against corruption, anti-competitive practices and compliance with Section 301(4) of the Sarbanes-Oxley Act and the Japanese Financial Instruments and Exchange Act.

An organization has six (6) months (beginning December 8, 2010) to modify their system to be in line with these new single authorization rules, or apply for formal consideration of their hotline through the CNIL. Operation of a whistleblower hotline outside the scope of the single authorization or without formal approval from the CNIL on a broader scope, puts organizations at risk for criminal sanctions and hefty fines. These criminal sanctions and fines may be issued by the CNIL and the French courts have the authority, in civil litigation, to multiply these sanctions up to 5 times.

For more information, please see the following from the IAPP (requires membership in IAPP to access). Or this article from the Global Regulatory Enforcement Law Blog.