1

How to Assess and Mitigate the Risk of Misconduct Occurring and 

Not Being Reported

Presented by:Chip Jones

Kathy Cooper Franklin

Brad Siciliano

October 15, 2012

Earl M. “Chip” Jones, IIILittler Mendelson, P.C.Dallas Office(214) 880-8115EJones@littler.com

Presented by:

Katherine Cooper FranklinLittler Mendelson, P.C.Seattle Office(206) 381-4900KFranklin@littler.com

Bradley SicilianoLittler Mendelson, P.C.New York Office(212) 471-4478BSiciliano@littler.com

2

Littler at a Glance

• Littler is the world's largest law firm exclusively devoted to representing management in employment and labor law matters. 

• Compliance and Ethics Practice Group

– Investigations

– Designing incident management systems

– Program Development and Evaluation

– Analyzing Risk

– Policy and Procedure Development

– Training and Education

– Legal research

3

WHY WORRY ABOUT UNREPORTED MISCONDUCT MORE TODAY?

Enterprise Risk Management

3

In the Wake of RecentCorporate Scandal…

“In today’s regulatory environment, it’s virtually impossible to violate the rules. ...it’s impossible for a violation to go undetected, certainly not for a considerable period of time.”

— Bernie Madoff, 2007

• 2011 Maritz Employee Engagement Survey finds:

– 25% of employees report less trust in management than 2010

– Only 10% say they trust management to make the right decision 

in times of uncertainty

– Only 14% believe their company’s leaders are ethical and honest

– Only 7% believe senior management’s 

actions are consistent with their words

Employee Mistrust of Management:Survey Says…

4

The Disconnect

“Senior Executives consistently have a higher perception of their companies’ culture than other employees”

Compliance & Ethics Leadership Council, August 2011

The Whistleblower:  Who, Where and Why? 

• In 2011, 45% of U.S. employees said they had observed misconduct in the previous 12 months– Approximately two‐thirds of those who observed misconduct reported it

• Eighteen percent of employees who report misconduct ever choose to report externally (i.e., either initially or as a subsequent report)– Of those who report externally, 84% said they did so only after trying to report 

internally first

• Seventy‐two percent of employees who believe their companies reward ethical conduct chose to report misconduct– Only 57% of employees who did not see ethical conduct rewarded in their 

company chose to report 

5

2012: The Year of the Bounty Hunter

WHAT IS ENTERPRISE RISK MANAGEMENT?

Enterprise Risk Management

6

How to Succeed

The underlying premise of ERM is that every entity exists to provide value for its stakeholders.  All entities face uncertainty, and the challenges for management is determine how much uncertainty to accept as it strives to grow stakeholder value.

ERM – Integrated Framework, COSO, Sept. 1994.

Competitive strategy is "a combination of the ends (goals) for which the firm is striving and the means (policies) by which it is seeking to get there.“

“What is Strategy?” Michael Porter, Harvard Business Review, 1996

Choose a Framework

A process ... applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of objectives. ERM – Integrated Framework, COSO, Sept. 1994.

Deloitte ISO 31000 COSO

7

Or Create Your Own 

Financial

Reputation

Go to Jail

Measure

Assess

Prioritize

Federal Sentencing Guideline Assessment

Operational

Strategic Risks

Define Your Risk Appetite

Tier 1 Tier 2 Tier 3Provide resources to

mitigate and/or install internal

controls

Identified improvements can be

made with existing resources

Risks are tolerable but will manage risks

with a continuous improvement focus

8

Make It a System

Risk Council

Executive Team

Audit Committee

Annual Initiatives

Results and Plans

Council meets 2‐4 times per year to update risk inventory and radar, review status reports, and discuss emerging risks.  Council updates Executive Team as necessary but at least once per year.  

Chief compliance officer updates Audit Committee each quarter on KPIs and Tier 1 activities and annually on FSG self assessment.  

Compliance objectives built into annual performance management plans

Measure performance consistent with the way business success is measured

Risk Council absorbs results of operations, new strategic plans, industry events, etc. to annually refresh risk inventory, radar,  and mitigation plans.

How Does It Work?

BUSINESS OBJECTIVE RISK

Expand to Eastern Europe Corruption

Accurate financial forecasts Pre‐booking revenue

Lower cost of debt Rate‐fixing  (LIBOR)

9

Pre‐Booking Sales

Culture

Incentives

Reporting

Testing

Controls

Policy

Autonomy

Harm

Sales quota and month over months growth driven organization with senior management  led by former sales people.

None

High level review of aggregate numbers as part of the audit process.

Credit department monitors accounts receivable aging and credit lines.  Sales department manages returns.

General policy language but no detailed procedures

Sales manager only approval needed if product is available and order is within customers credit line.  

Compensation heavily tied to hitting monthly sales targets.  Compensation not impacted by returns, chargebacks or aged receivables.

Silo‐ed reporting structure through each departments’ management.

History

Inflated bonuses and commissions; misrepresent company performance; excess returns; customer annoyance; inaccurate forecasts.

Training None

Corruption

Culture

Incentives

Reporting

Testing

Controls

Policy

Autonomy

Harm

New markets have reputation for corruption

None identified inside the organization

None

Facilitation payments permitted and no legal review required

General policy language but no detailed procedures

Additional research and investigation required.

Company is making a big investment to expand in high risk countries

Speaking up is discouraged

History

Severe criminal penalties and sanctions

Training Ineffective “check the box” training

10

Interest Rate Setting (LIBOR)

Culture

Incentives

Reporting

Testing

Controls

Policy

Autonomy

Harm

Extremely competitive.  

Recent mortgage loan crisis demonstrated excessive risk taking

None

None

No policy related to the submission of data.

We have only 1 seat on 16 member committee that submits rates.  

Could impact equity‐based compensation.

Several claims of retaliation have been made

History

Harm would be significant if other banks colluded in submitting data.

Training None

Risk Inventory

Severity

Likelihood

Tier 11. Misconduct Not Being Reported2. Risk B3. Risk C

Tier 21. Pre‐booking revenue2. FCPA Violations3. Sharing data with peers

Tier 34. Risk X5. Risk Y6. Risk Z

11

Step One:  Know Your Risk Profile

What Happens When Key People Are Unaware of the Risk Profile

12

What Happens When Key People Are Unaware of the Risk Profile

Step Two:  Mitigate the Risk:  Establish Reporting and Incident 

Management System

13

Internal Reports of Misconduct:  Who, Where and Why? 

• In 2011, 45% of U.S. employees said they had observed misconduct in the previous 12 months– Approximately two‐thirds of those who observed misconduct reported it

• Eighteen percent of employees who report misconduct ever choose to report externally (i.e., either initially or as a subsequent report)– Of those who report externally, 84% said they did so only after trying to report 

internally first

• Seventy‐two percent of employees who believe their companies reward ethical conduct chose to report misconduct– Only 57% of employees who did not see ethical conduct rewarded in their 

company chose to report 

25

Supervisors Receive Majorityof 1st Reports 

56% Your Supervisor

26% Higher Management

6% Other

5% Hotline/Help Line

5% Other Responsible Person Including Ethics Officer

3% Someone Outside Your Company

26

14

1. Effective Report and

Intake Procedures

2. Speak up training for manager &

employees

3. Notificationprotocol

4. Effective investigation

protocol – including training for

investigators

5. Effective remedial measures and

appropriate way to track and communicate discipline before it

occurs

6. Reporting and

Communication

27

Step Three:  Mitigate the Risk:  Internal Controls, Testing and 

Auditing

15

Pre Booking Sales

• Separation of Duties

• Purchase Order:  – Follow sales transaction end 

to end.

• Return Authorizations:– Work backwards

• Bills of Lading– 3 days before the end of the 

close

• Credit– Aging Reports

– Extending credit terms

Anti‐corruption

• Expense Reports

• Foreign Consultant/Supplier Contracts

• Due Diligence

• Background Checks

• Recent Hires 

• Marketing Expenditures

• Intercompany Transfers

• Accounts Payable

• Compliance Certifications

16

“LIBOR” Situations

• Understand the process

• Clear policy and procedures

• Fiduciary disclosures– Trade group involvement

– Industry “best practice” projects

– Multi‐employer situations

• Email & communication reviews

• Establish firewalls

Step Four:  Mitigate the Risk:  Make Culture a Strategic Priority

17

How Do You Deal With This Behavior?

Assess Your Culture

• Cultural surveys

• Benchmark reporting

• Exit interviews

• Conduct a program review

• Determine stakeholder 

communication preferences 

and expectations

• Identify opportunities to drive 

program awareness: training, 

communication and internal 

marketing

18

Train Managers to Encourage “Speaking Up”  by…

• Welcoming the complaint or report (with words and body language)

• Break down hierarchical reporting habits

• Taking the time to listen

• Active listening, asking questions

• Showing the employee they care

• Understanding of importance of contacting compliance immediately

• Letting the employee know what is going to happen and that you will follow up with the employee

• Being professional, respectful, and thankful

• Retaliation will not be tolerated

Reporting Rates Rise When Ethical Commitment is Perceived to be Stronger

0102030405060708090

Weak or Weak‐Leaning Ethical Culture

Strong or Strong‐Leaning Ethical Culture

19

• Some CEOs, execs and Board Members hate the word

• The language and branding shift  away from compliance and toward integrity / “doing the right thing”; sell the vision

• Explicit and concrete examples help:– Responsibility or rules ‐Will people take personal responsibility to address issues, or is it the job of somebody else?

– Candor or quiet ‐Will people speak up if they see questionable business conduct?

– Accountability or acquiescence ‐What happens to great performers who violate the Code?

A Conversation About Culture

The Training Value Proposition

Catch misconduct early

Empower potential reporters and give them an alternative to the government

Send the employer’s message

Help create an ethical culture

Establish legal defenses

20

The Training Trend

• Post Dodd‐Frank, increased employee communication and training is expected by 74% of respondents ‐ 83% at publicly traded companies 

• Increased manager communication and training about handling allegations of wrongdoing is expected by 66% of respondents ‐ 72% at publicly traded companies 

Survey, Society for Corporate Compliance and Ethics (SCCE)and Health Care Compliance Association (HCCA), July 2011

Solutions

• Policies

– Not just stand alone

– Not cookie cutter

– Not tucked away

• Training

– Not just a one time event

– Don’t limit to ethics training 

– Work on solving problems in your actual environment, not whether a situation violates the policy

– Practice ethical response – project yourself

– Require thinking about how decisions really made

21

Questions?

How to Assess and Mitigate the Risk of

Misconduct Occurring and Not Being Reported

Earl M. “Chip” Jones, IIILittler Mendelson, P.C.

Dallas Office(214) 880-8115

EJones@littler.com

Katherine Cooper FranklinLittler Mendelson, P.C.

Seattle Office(206) 381-4900

KFranklin@littler.com

Bradley SicilianoLittler Mendelson, P.C.

New York Office(212) 471-4478

BSiciliano@littler.com