OVERVIEW OF EVENT  

DATE AND VENUE

Event Agenda 

1400-1500 – Introduction   and Critical Anti-Fraud Program 

1515 –1700 – GRC Product   Demonstration and Product Functionalities:

· Governance

· Risk Management (ERM + ORM)

· Compliance

1700 – 1730 – Question   and Answer Session and Closing 

DATE & Venue

Friday - 16 August   2019

Sunway Nexis, Jalan PJU5/1, Kota Damansara, Petaling   Jaya

 The DOJ issued New April 2019 Guidance  (“Guidance”, or “2019 Guidance”) detailing how prosecutors will evaluate the effectiveness of corporate programs to prevent fraud and other misconduct, a key consideration in determining the penalties imposed against companies.  This is an update from the On February 8, 2017, the DOJ published Guidance entitled, “Evaluation of Corporate Compliance Programs”. 

 The 2019 Guidance contains 12 high-level topics (below) that are grouped to track the Three Core Questions about compliance program effectiveness contained in Section 9-28.800 of the Justice Manual and candidly are the key questions the board of directors should be asking.  After all it’s expected the the organization’s “governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight” of it (See U.S.S.G. § 8B2.1(b)(2)(A)-(C)). 

 Three Core Questions

1. Is the Corporation’s Compliance Program Well Designed?
2. Is the Corporation’s Compliance Program Being Implemented Effectively?
3. Does the Corporation’s Compliance Program Work in Practice?

The High-level Topics

1. Risk Assessment
2. Policies and Procedures
3. Training and Communications
4. Confidential Reporting Structure and Investigation Process
5. Third Party Management
6. Mergers and Acquisitions (M&A)
7. Commitment by Senior and Middle Management
8. Autonomy and Resources
9. Incentives and Disciplinary Measures
10. Continuous Improvement, Periodic Testing, and Review
11. Investigation of Misconduct
12. Analysis and Remediation of Any Underlying Misconduct

Under each of the above topics, the 2019 Guidance sets forth multiple sample questions that prosecutors are likely to ask during an investigation. A few examples are:

• Risk Assessment: Risk Management ProcessWhat methodology has the company used to identify, analyze, and address the particular risks it faced?
• Training and Communications: Risk Based Training What training have employees in relevant control functions received?
  • Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred?
• Confidential Reporting Structure and Investigation Process: Effectiveness of the Reporting MechanismDoes the company have an anonymous reporting mechanism, and, if not, why not?
  • How is the reporting mechanism publicized to the company’s employees?
  • Has it been used?
  • How has the company assessed the seriousness of the allegations it received
  • Has the compliance function had full access to reporting and investigative information?
• Mergers and Acquisitions (M&A): Process Connecting Due Diligence to Implementation What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process
  • What has been the company’s process for implementing compliance policies and procedures at new entities?
• Commitment by Senior and Middle Management: Conduct at the Top How have senior leaders, through their words and actions, encouraged or discouraged compliance, including the type of misconduct involved in the investigation?
  • What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts?
  • How have they modelled proper behavior to subordinates?
  • Have managers tolerated greater compliance risks in pursuit of new business or greater revenues?
  • Have managers encouraged employees to act unethically to achieve a business objective, or impeded compliance personnel from effectively implementing their duties?
• Continuous Improvement, Periodic Testing, and Review: Internal AuditWhat is the process for determining where and how frequently internal audit will undertake an audit, and what is the rationale behind that process?
  • How are audits carried out?
  • What types of audits would have identified issues relevant to the misconduct
  • Did those audits occur and what were the findings?
  • What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis?
  • How have management and the board followed up?
  • How often does internal audit conduct assessments in high-risk areas?
• Continuous Improvement, Periodic Testing, and Review: Properly Scoped Investigation by Qualified PersonnelHow has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?

Some Other Points of Focus

• Compliance must adopt a risk-based approach (See Closing Thoughts below).
• Compliance must have appropriate processes for the submission of complaints, and processes to protect whistleblowers.
• The word “resource” appears 21 times in the Guidance, so I am certain that if your organization is not properly resourced that will more likely than not be a problem.
• Compliance must have independent access to the Board and Audit Committee.
• Compliance needs to be integrated with other functions like internal audit, and depending on structure, the legal function. 
• Compliance must adopt strong third-party controls.

The 2019 Guidance seeks to understand how the organization approaches compliance and then what worked and what didn’t.  So, one might consider reading both the old and new Guidance to understand how the evaluation of an organization’s compliance programs has changed.

If you are going to have your organization’s compliance program evaluated and you should!

The new General Data Protection Regulation (GDPR) came in to force from 25 May 2018.

  They are a significant upgrade to the existing Data Protection regulations that have been in place since 1998. The upgrade is required to meet the new developments in data use over the past 20 years. Simple examples are the use of cookies that track internet viewing habits or supermarket loyalty cards that record purchases.

The aim of data use by businesses is to target advertising more efficiently. However, data users have not always explained how this works or allowed individuals to opt out. There is also a secondary market for this data where details are bought and sold without

the knowledge of the individual. So the

new regulations set more explicit duties for organisations that use personal data and that includes just about everyone.

This guide sets out the scope of the new GDPR regime and explains the practical steps that should be taken to ensure compliance.

Who is affected? 

All organisations are affected if they  collect personal data.

Personal data is any record that identifies an individual through name, address, or other contact details. This is a wide definition and shows why everyone needs to have an awareness of GDPR and how it affects their organisation.

The impact of GDPR will depend on the nature of the personal data held and why the organisation holds it. There are legal grounds for holding data and businesses that are already compliant with existing data protection law will have a head start in meeting the new rules.

Any organisation active in direct marketing should already follow data protection law. However, the new rules are more demanding so a number of organisations will have to consider data protection for the first time. For example, there are specific rules for records of children and vulnerable people so the education and health sectors are a particular focus.

The Regulator 

The Information Commissioner’s Office (ICO) was set up in 1984.

It upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals

in response to concerns about direct marketing. It has evolved over time and has acquired the ability to issue large fines. Several companies have been under scrutiny for large scale data breaches, including T-mobile and Superdrug. Its remit covers all marketing channels including mail, telephone and email. There are two legally distinct areas of activity; Data Protection and the Privacy and Electronic

Communications Regulations.

Enforcement and fines

GDPR has raised the existing ceiling for fines to €20,000,000 or 4% of worldwide turnover, whichever is

greater. Fines have been levied on Google at €50million (£44m) for a privacy violation,issued by the French data protection authority in January 2019.

Fines can be levied where:

•An organisation is actively misusing the data and, as the bar on compliance is being raised, previous practice cannot be relied upon 

•There is a failure to maintain adequate controls against misuse or data loss. Data can be lost through hacking of websites or theft of IT equipment and a fine will follow if adequate precautions have not been taken

•If individual rights are not protected and that individual complains to the ICO.

Every organisation needs to understand their responsibilities under GDPR and then take steps to make sure they are

compliant by 25 May 2018 and beyond. We recommend addressing these six, simple, key issues: