
HOW WELL DO YOU KNOW YOUR RISK PROFILE?
Manage risk exposure across the entire organization

A resource

Convercent © 2016. All Rights Reserved.


With insights from

KATIE SMITH, EVP, Chief Compliance Officer, Convercent

RONNIE KANN, Executive Vice President and Program Development at Ethics & Compliance Initiative (ECI)

STEPHEN MARTIN, Partner, Arnold & Porter


TABLE OF CONTENTS

INTRODUCTION
8 STRATEGIES TOWARD AN INTEGRATED APPROACH TO RISK ASSESSMENT
ONGOING MONITORING AND RE-ASSESSING
KEEP YOUR EAR TO THE GROUND
EXPERT INSIGHT
WRAPPING UP
ABOUT CONVERCENT


INTRODUCTION

Risk assessments are the foundation upon which [High Quality Compliance and Ethics Programs] are built. Every organization has a unique risk profile based on industry, history, maturity, marketing and more.

- 2016 Ethics & Compliance Initiative, Blue Ribbon Report


This short guide, offered exclusively to the ECI community, explains strategies for building an integrated approach that improves your organization’s ability to identify and address risk on a sustainable and effective basis.

Deloitte deems a risk assessment as “the third ingredient to a world-class ethics and compliance program.” Yet, only 40 percent – less than half – of companies do not perform annual compliance risk assessments, a study conducted by Deloitte and Compliance Week found.

“Conducting regular risk assessments is a best practice in any ethics and compliance program, not only in the eyes of the government and regulators but in running a high quality business,” says Ronnie Kann, Executive Vice President, Ethics & Compliance Initiative (ECI). “Take a good, hard look at your operations and assess and see what could potentially pose an ethics and compliance risk to your organization. Don’t take the chance of letting ethics and compliance risks go unmanaged and negatively affect your organization’s financial, operational, or reputational good standing.

On the positive side, effective risk management can be a source of competitive business advantage for your organization.”

Potential risks that may live in your organization right now

• Strengths or weaknesses of organizational culture

• Employee willingness or fear to report

• Regulatory risks

• Gaining a bad reputation

• Fiscal credit

• Disruptive technology risks

• Legal risk

• IT infrastructure

• Cyber security

• Social media channels

• Failures, breaches or near-misses

Before reading further, take some time to identify what risks you may be facing right now. Rank them on a severity scale of 1-5 where 1 is low risk and 5 is high risk. Prioritize accordingly, and apply the following strategies to help mitigate and better manage them.

When done correctly and diligently managed, risk assessments enable an organization to gauge the significance of identified risks. They can empower leaders to develop risk response plans focused on the organization’s most critical threats and opportunities. However, it is not uncommon for risk assessments to fall short of their promise and miss the company’s goal altogether.


KEEP YOUR EAR TO THE GROUND

Take a cue or two from the latest headlines. When something big hits, like corruption, fraud or money laundering, ask yourself how that situation affects your company. For example, does it mean there would be heightened regulatory scrutiny, or would it impact your supply chain? Ask yourself: what are you doing right now to mitigate that risk?

Just because a crisis happens in a different industry doesn’t mean you can’t learn a valuable lesson from it and apply those learnings to your own risk assessment process. If you have a plan in place, that doesn’t necessarily mean you’re done. This guide will go into further detail around this, but a solid risk assessment process is one that is re-evaluated on a periodic basis, and the news headlines are a great reminder to do so.


8 STRATEGIES TOWARD AN INTEGRATED APPROACH TO RISK ASSESSMENT

Improve your organization’s ability to identify and address risk

It may seem like having a perfectly laid out and highly effective compliance program is as simple as following the rules. If everyone did what they were supposed to do, your job would be easy. Yet humans are not that simple, and the ways in which misconduct occurs are never predictable, which is why creating a good plan from the beginning is crucial. A strong foundation from which your program operates will increase its strength and raise awareness among your employees, even if only subconsciously at times.

This is one of the most important lessons in this short guide: if your employees see misconduct occur and don’t know where to go, who to speak to, or how they can bring the misconduct to light, they will likely not report it. Consider asking them outright after a training or a big organizational shift. This gives them an easy “out” to report misconduct and gives you a straightforward way to stop a risky situation from forming. An “out of sight, out of mind” attitude in your organization suffocates your compliance and ethics program. If your employees see compliance and ethics values posted throughout the office, along with the helpline number and the other channels through which they can find more information, they will know what to do when misconduct occurs.

1 IMPLEMENT A CENTRAL PLATFORM

If you’re like most organizations, your compliance program is managed through a dozen different systems like SharePoint, Excel, email, LMS and so on. Each system has a different user interface, vendor, data location and format, all of which makes it difficult to bring the information together. A cohesive compliance management solution can solve this problem.

What you are missing without it: Integration
One central dashboard to monitor progress and results across related areas, such as your risks, the policies and training courses that address each risk, and any hotline reports that relate to it.

Benefits:
+ Holistic program view
+ Adding context to data makes it more actionable
+ Fewer vendors and solutions to manage

2 LINK INITIATIVES TO RISK

What do you do with your risk assessment results? Hopefully, you build your program around your risks. Linking initiatives to risks allows your tools and data to work together to address risks, and prioritizes initiatives and incidents related to your most severe risks.

What you are missing without it: Risk Mitigation
Verification and measurement of how effectively your policies, procedures, training and controls address your risks.

Benefits:
+ Create a truly risk-based compliance program
+ Foster and demonstrate continuous program improvement
+ Prioritize resources based on risk severity

3 CONNECT INCIDENTS TO INITIATIVES

Linking incidents and disclosures to your policies and training initiatives can help you understand where these efforts are working or falling short.

What you are missing without it: Clarity
A holistic view of your compliance program, and the ability


Benefits:
+ Paint a complete picture of compliance effectiveness with all program data in a single location
+ Enhance agility and responses with on-demand data access

4 ENHANCE COMMUNICATION

Conveying company expectations and standards, sending training reminders, soliciting disclosures and feedback – all of these are critical for the success of your risk and compliance program. Technology can not only help you easily scale efforts to your global employees and third parties, but also provide an accessible audit trail of your efforts.

What you are missing without it: Engagement
Interaction and engagement with the organization at large is a key component of establishing and maintaining a top-down culture of ethics.

Benefits:
+ Automatically alert employees when they are due for training
+ Solicit relationship disclosures that may present conflicts
+ Solicit employee feedback through surveys
+ Ensure ongoing communication of compliance priorities

5 MONITOR PROGRAM RESULTS

No matter how robust your compliance program, you cannot realistically prevent ALL compliance risk events. For those incidents that do slip through the cracks, rapid response is critical for protecting your organization. This is only possible through continuous, effective monitoring of compliance-related information as it comes in.

What you are missing without it: Responsiveness
The ability to identify emerging risks and hot spots as they come into view, and the opportunity to respond rapidly to address the threats before they spread or escalate.

Benefits:
+ Rapidly respond to issues
+ Spot trends to help you understand where program improvements are needed

6 AUTOMATE REPORTING

Anyone who has prepared compliance reports knows how tedious it is to manually pull together and analyze data, particularly if it’s coming from disconnected systems. For time-constrained compliance professionals, automating the reporting process can mean the difference between a thorough, thoughtful analysis and a fragmented report.

What you are missing without it: Effective Oversight
It’s much harder for senior leaders and executives to fulfill their oversight obligations when their reports lack data-driven analysis and insight.

Benefits:
+ Reduces tedium of manual data collection and report prep
+ Reduces reporting errors and inconsistencies
+ Enables report standardization and data consistency

7 IMPROVE RECORD KEEPING

Just because we’re using technology doesn’t mean we can forget about diligent record-keeping. Used effectively, technology can dramatically ease the burden, challenges, risks and inconsistencies of record-keeping.

What you are missing without it: Documentation
An easily accessible and searchable trail of your efforts provides an affirmative defense when things go wrong.

Benefits:
+ Will help provide a defense against litigation and penalties

8 EXTEND YOUR REACH

We live in a mobile world. If we can use our smartphones to remotely control our air conditioning at home, shouldn’t we be able to access and submit compliance information using our mobile devices, too? Unfortunately, that’s not always the case.

What you are missing without it: Scalability
Remote, international and front-line employees are harder to reach, which can limit the scale, buy-in and effectiveness of your initiatives.

Benefits:
+ Enhances reach and scale of your program
+ Useful for reaching employees and third parties without computer access


EXPERT INSIGHT

We recently sat down with Stephen Martin, Partner at Arnold & Porter, who focuses his practice on global compliance matters, risk assessment and management. As a former Federal prosecutor and current member of the Convercent Advisory Board, Martin brings a wealth of knowledge in the area of risk assessment.

Q: What does an effective risk assessment look like? Why is it important for a compliance officer to take the time to conduct one? Where do they even begin?

STEPHEN: When you think about it from a risk standpoint, it’s really about understanding:

1. What is your business engaged in around the world?

2. What activities?

3. How are you conducting your business?

Financial risk, everybody understands. Operational risk, companies are really good at. The two areas that they often struggle with are compliance risk and reputational risk. They may understand the key ones but they may not see all of the laws or other regulations that would apply or how they’re going to be impacted. Then there is dramatic reputational risk.

When you think about risk assessments, the Department of Justice and the SEC [Securities and Exchange Commission], as an example, say your program should be risk-based. If you think about it proactively, that’s the best place to start to truly understand what you’re doing as a compliance officer. It’s also the key requirement from the government standpoint.

You want to understand either the risk profile or conduct more in-depth risk assessments, understand the compliance program and how effective it really is. You can do them in very narrow areas like bribery and corruption or data protection or privacy or antitrust. You can do them in specific countries. I travel all over the world and do these in tough places where you have challenging concerns, whether it’s Southeast Asia or Brazil or Russia or China. You could do them in regions of the country. You could do them at the headquarters or enterprise-level.

There are multiple ways that you can conduct these risk assessments, but the idea is that you have an ongoing process to be thinking about risk and how it’s impacting your business and then building your compliance program based on those findings.


ONGOING MONITORING AND RE-ASSESSING

You can never let your guard down, or allow your awareness and alertness to be pulled in a different direction or deprioritized.

Build checkpoints into your weekly or monthly management strategy at which you monitor progress and evaluate the plan itself. Have a set of goals or milestones associated with each checkpoint. If the process is moving slower than you anticipated or you failed to meet one of your milestones, gather key players together sooner rather than later to evaluate the cause.

• Did tone at the top fall off?

• Is the new training effort not resonating with employees?

• Did you simply not allot enough time?

Rather than fixating on the missed goal, identify the roadblock and create an action plan to address it and get back on track.

Similar to parenting, when the house is suddenly quiet with children in the house – it’s cause for alarm.

[Figure: elements of a risk-aware culture – Risk-aware culture; Education & training; Discipline/enforcement; Assessment & monitoring; Talent management; Tone at the top; Vision & roadmap; Ownership & accountability]


WRAPPING UP

When designing and building your risk-conscious culture, don’t forget that some risks are good risks. Being innovative and suggesting changes shouldn’t be discouraged; they’re key components of your company’s success. Sustaining a meaningful and successful risk-conscious culture helps employees at every level distinguish between acceptable risks and potentially harmful actions.

The Ethics & Compliance Initiative reminds us that one of the most important characteristics of a high quality compliance program is that “responsibility for risk is shared across the organization, as leaders assume ownership for the ongoing identification and mitigation of risks that are relevant to their areas.” Being cognizant of how risk may change or manifest over time will allow you, as a highly aware compliance professional, to see the early warning signs of surfacing issues.

Get to know your risk profile like the back of your hand, and stay on top of it even when you have competing priorities. Forgetting to conduct regular and routine risk check-ins could mean the downfall of your entire program. Protect your organization, your program and your hard work.


ABOUT CONVERCENT

Convercent’s risk-based global compliance solution enables the design, implementation and measurement of an effective compliance program. Delivering an intuitive user experience with actionable executive reporting, Convercent integrates the management of corporate compliance risks, cases, disclosures, training and policies.

With hundreds of customers in more than 130 countries—including Philip Morris International, CH2M Hill and Under Armour—Convercent’s award-winning GRC solution safeguards the financial and reputational health of your company. Convercent is backed by Azure Capital, Sapphire Ventures, Tola Capital, Mantucket Capital and Rho Capital Partners, and is based in Denver, Colorado, with offices in London. Convercent will revolutionize your company’s compliance program.