Effective enterprise risk management requires an embedded risk-based approach, says AlixPartners’ Meaghan Schmidt.
CCBJ: What are some of the current DOJ and SEC enforcement priorities that general counsel should be aware of, and how are you seeing investigations play out?
Meaghan Schmidt: While the headlines recently have been centered on cryptocurrencies and protecting retail investors, we see the DOJ and the SEC continuing to prioritize anti-corruption enforcement, and I think that trend will continue. Related to maintaining their focus on anti-corruption, the DOJ and the SEC continue to cooperate and work with other countries as many of those increase their enforcement efforts, and I think that’s a trend that will also continue. Certainly, this cross-border coordination has been transformative to date, and I think that as more and more countries step up their enforcement game, this will continue to be an important area.
Second, regulators are increasingly looking into quarterly and year-end adjustments (revenue recognition, contingencies, accruals/reserves) and their impact on earnings per share. This activity translates into classic financial accounting fraud and earnings management investigations. I believe the rise in activity related to financial reporting matters is a direct result of the maturation of the SEC’s whistleblower programs as well as the more advanced data analytics tools that are being employed by the agencies.
Third, the DOJ and the SEC continue to focus on encouraging cooperation by companies in identifying individuals accountable for bad behavior. Within the sphere of cooperation, the DOJ’s recent “new” policy concerning the coordination of penalties imposed by more than one regulator signals the DOJ’s desire to provide increased transparency, consistency and predictability of outcomes. This should be good news for corporations facing multiple investigations into the same conduct that have self-disclosed and cooperated in a timely manner. Assuming the policy is effective, I would expect quicker and more efficient corporate resolutions.
All of this leads to a growing need for companies to extend their enterprise risk management programs.
What do you mean when you talk about “extending” global risk management programs?
Managing risk globally is difficult. Global companies, particularly those that are fast growing by acquisition, tend to have decentralized structures and disparate accounting and data management systems. This inevitably means their information is spread across a complex data landscape. As such, it is critical to broaden the reach of enterprise risk management across their organizations. We are encouraging our clients to harness the power of data to marry what’s happening in the business with compliance and legal. This can help them become more effective, efficient and consistent, and increase risk awareness across the organization. It is vital that management and the board receive accurate and relevant data to assist in their decisions. Management information and the right governance structure are important.
We also emphasize with our clients that it is critical to have a tailored risk-based approach to global risk management. They aren’t going to identify or capture everything, so companies must ensure they conduct a robust cost-benefit analysis of where they invest. You may also need to customize risk management based on how business operates in one region versus another.
What kind of enforcement activity are you seeing in other jurisdictions?
As I mentioned, some jurisdictions outside the U.S. are increasing their enforcement efforts. We’re seeing new and improved legislation initiatives in many countries, including the establishment of new regulatory bodies. As a result, I am not surprised by the increased cooperation across jurisdictions and an uptick in activity with respect to more globalization of anti-corruption enforcement. And of course, we’re seeing much action in the anti-money laundering and OFAC [Office of Foreign Assets Control] sanction space as well.
What does FCPA risk and enforcement activity look like?
FCPA [Foreign Corrupt Practices Act] risk continues to be a concern, and I expect enforcement in this area will not abate. Again, we’re seeing an increase in coordination of enforcement efforts across the globe. Recent actions remind us of the importance of companies performing third-party due diligence, establishing effective internal controls and then actually adhering to those policies and procedures.
In light of the enforcement activity we’ve seen, especially with the FCPA, I think more and more companies are recognizing the risk that comes to bear from using subcontractors and other third parties. Companies should continue to scrutinize those subcontractors and third-party relationships.
What can the general counsel or chief legal officer do to identify and prevent financial accounting fraud?
There are a few things. First and foremost, the general counsel, the chief legal officer and other legal department leaders need to coordinate with other aspects of the business on this. For example, this would include coordination with internal audit. Find out what kind of audits they’re performing. Ask questions. Are they performing any audits in financial areas? What were the findings? Are recommendations being implemented? Also, the law department should work with accounting and finance through the Form 10-K and really understand what’s being disclosed.
And it’s critical to take the whistleblower program seriously and have one that’s well understood, properly documented and appropriately elevates tips to the right stakeholders within the organization, including internal audit and the audit committee.
Often companies have whistleblower programs in place but they fail. What can law department leaders do to ensure that their programs are embraced and successful in identifying and mitigating risk in the organization?
The whistleblower program needs to be more than a “check the box” type of program. It is important to establish the right ethical culture. Employees’ confidence in whistleblower programs comes from the commitment of senior management. I’ve seen instances in which management sends a report out to the entire company that provides anonymized examples of prior whistleblower submissions and the resulting actions. I think that demonstrates that the company has a culture and a commitment to taking tips seriously.
Again, data tells a story. If the whistleblower hotline isn’t receiving tips, are there deeper issues regarding how the ethical culture of the company is viewed by its employees? Is it an issue related to language? Method of submission?
Companies will benefit from a well-thought-out customization to the whistleblower program, such as language customization. Obviously, not everybody speaks English, and important messages can get lost in translation. So having local language available on a hotline or in policies, for example, can be helpful.
In addition, having multiple methods for the submission of whistleblower tips makes it easier for people to provide tips. It can also help underscore management’s commitment and impress upon employees and potentially regulators that the company is committed to a robust program.
Finally, looking beyond identifying and mitigating risk only within the organization can have a meaningful impact. Recognition that external sources could submit tips to the company could help identify and mitigate risks. So companies may want to consider promoting their whistleblower hotline to vendors, subcontractors and other external parties.
Beyond the issue of taking a “check the box” approach, are there any other common mistakes that companies and law departments tend to make in all this?
One chronic failure that we see is that compliance and legal are often viewed as being the bad guys – the ones who always say, no, you can’t do that. They aren’t viewed as being collaborative or embedded within the business. That applies not only to whistleblower programs but also to the compliance programs that are set up to mitigate risk. I would encourage law department and compliance leaders to work with the business to demonstrate how they can add value to the business, rather than always being viewed as being the “reactive” hammer that’s going to come down.
In turn, legal and compliance need to learn the business so that a risk management process and compliance program can be designed in tandem with business objectives and strategy – so that the business is buying into a program that is embedded. The business team should help determine and own the risk of deals, customers, etc., pursuant to an established risk tolerance of the organization. When legal, compliance and the business are working together to make compliance and risk management more robust and effective, it is the business that ultimately benefits.
Meaghan Schmidt is a managing director and member of the Board of Directors at AlixPartners. She has conducted internal investigations in some of the most complex and high-profile corporate-accounting, financial-reporting, and anticorruption matters for global companies in the United States as well as in Latin America, Europe, and Asia. Meaghan is a champion for the firm’s diversity through her leadership of the Working Parents and Women Empowerment (WE Matters) Employee Resource Groups. Reach her at firstname.lastname@example.org.
Published June 1, 2018.