Session 105 Panelists
Eugenia Hernandez, Vice President, Ethics, Compliance and Privacy, Sodexo, Inc.
Stephanie Lambert, Chief Compliance Officer, NetScout Systems, Inc.
Deborah Penza, Group Chief Compliance Officer, Hikma Pharmaceuticals
Charles Wilkinson, Senior Director and Counsel, Flex International
What was the most valuable thing you learned during this session?
“Defining the scope and identifying what to include in the compliance program.”
Nancy Hazlett, Assistant General Counsel, National Student Clearinghouse
When developing a global compliance program, consider what it needs to cover. Evaluate the following:
First, it’s important to confirm your compliance scope:
- Identify your firm’s primary business activities.
- Identify the key regulatory compliance requirements for these activities in the relevant geographies.
- Determine and agree with management which functions have oversight responsibility for these requirements (e.g., compliance; human resources; legal; environment, health, and safety; quality).
“The risk assessment process is an ongoing process.”
Deborah Penza, Group Chief Compliance Officer, Hikma Pharmaceuticals
Compliance program elements
Be aware of the varied areas of focus that make up a compliance program, such as:
- Organization and reporting structures;
- Code of conduct, policies, and standards of operating procedures;
- Reporting mechanisms;
- Risk assessments; and
- Auditing and monitoring activities.
Compliance risk assessment
Identify the principal compliance risks and risk appetite:
- These should be determined by the board of directors together with management and reviewed annually and updated as needed.
- The principal compliance risks should be comprehensive to ensure compliance-related risks for the organization are considered from many different perspectives.
- They should reflect the firm’s risk context: industry, footprint, and strategy.
- The risk appetite for each principal compliance risk should outline expectations for management. The risk appetite is not public; it is for internal use.
Formal risk assessment is important because you have to determine where to allocate your resources.
“Without risk assessment you are doing compliance blindly.”
Stephanie Lambert, Chief Compliance Officer, NetScout Systems, Inc.
Building to scale
Consider your size, products or services, and revenue, and how these fit into your compliance responsibilities:
- Are you publicly traded, nonprofit, or privately held? Compliance needs can vary for each.
- Which privacy laws govern you? Compliance is different, in many respects, for healthcare than for industrial chemicals.
- To what extent do you do business internationally? Your US Foreign Corrupt Practices Act (FCPA) compliance focus will be different if you are an issuer subject to US Securities and Exchange Commission oversight.
- What is your industry? Compliance for consumer products differs from compliance for aerospace, for example, and exporting computer chips is not the same as exporting potato chips.
- What is your revenue? Understand your spending and profits.
- Is the cost of the compliance program structure commensurate with the size of the enterprise? Be aware of whether the cost of the compliance program is inversely proportionate to the risks.
The compliance program in action
“Be creative and thoughtful and don’t be close-minded.”
Eugenia Hernandez, Compliance and Privacy – Sodexo, Inc.
- Document and map out what is being covered and who is covering it. Identify gaps.
- Make sure your program is properly resourced. If the US Department of Justice gets involved, it will examine how much you put into your efforts.
- Create a compliance calendar. Make it high level with dedicated areas of focus (tied to frequency of assessment).
- Get others inspired by using a headline from the news relevant to your industry to illustrate the importance of running the program. It makes it more real and helps justify resources.
- Assess resources. Elements of a compliance program that can help stretch dollars probably already exist, or will be implemented, elsewhere within your organization.
- Talk with your auditors. They will know who to talk to and what to ask.
- Bring in experts (communications, IT) to assist with crisis management. But know you can’t prepare for the specifics of everything that might happen.
- Conduct risk assessments frequently. Remember that it is not one-size-fits-all. Revisit your risk profile every six months to one year.