Debnath: What are the key features of an effective company-wide compliance risk assessment programme?

Durant: The key features of an effective compliance risk programme can be classified into three main areas. First, preventing breaches by having clearly written policies and procedures, along with a strong code of conduct supported by top management, an experienced dedicated compliance officer and organisational-wide training and education adapted for local laws and regulations. The second area is detection. An effective compliance programme should have reporting hotlines readily available to all staff as well as undertaking regular monitoring and auditing of the organisation in order to detect any potential breaches or areas of high risk which need to have enhanced monitoring or updated policies and procedures. The final element is corrective action. Organisations need to ensure that if a breach has been identified they take swift and decisive action to investigate, remediate and where necessary take disciplinary action.

Eastwood: An effective compliance risk assessment requires cross-functional input beyond the compliance function and should do the following. First, identify risks resulting from violations of law, regulations, codes of conduct and other standards of practice which the company might reasonably anticipate. Second, analyse, assess and prioritise these risks. Third, evaluate the suitability and effectiveness of the company’s existing controls to mitigate the identified risks. Fourth, document proposed enhancements to the company’s systems and controls. Fifth, inform the extent of resources required to manage risk and the allocation of risk-related responsibilities within the company. Sixth, be approved by senior management and the board – and thereafter operate as an important management tool with regular reports on risk mitigation plans, with processes and deliverables integrated into the business calendar throughout the year. Seventh, serve as the foundation of the company’s compliance programme. Eighth, be informed on an ongoing basis by the results of the company’s monitoring and enforcement activity. Finally, be kept under regular review so that changes and new information can be properly assessed and reviewed on at least an annual basis.

Oct-Dec 2019 Issue

Nokia Corporation

FTI Consulting

Mayer Brown