
Trekking Through Compliance-Episode 78 – All Our Yesterdays

FCPA Compliance & Ethics -

In this episode of Trekking Through Compliance, we consider the episode All Our Yesterdays which aired on March 14, 1969 and Star Date 5943.7. Story Synopsis On a mission to evacuate the population of the lone planet Sarpedon before its sun super-novas, Spock, Kirk and McCoy beam down to investigate why sensors indicate no humanoid life [...]

The post Trekking Through Compliance-Episode 78 – All Our Yesterdays appeared first on Compliance Report.

Remarks before the 38th Government-Business Forum on Small Business Capital Formation

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Hester M. Peirce, U.S. Securities and Exchange Commission, on Saturday, August 17, 2019 Editor's Note: Hester M. Peirce is a Commissioner at the U.S. Securities and Exchange Commission. This post is based on her recent remarks before the 38th Government-Business Forum on Small Business Capital Formation, available here. The views expressed in this post are those of Ms. Peirce and do not necessarily reflect those of the Securities and Exchange Commission or its staff.

Thank you, Martha [Miller]. It is wonderful to be here in Omaha. Thank you to all the participants in today’s program. Dean [Anthony] Hendrickson, thank you for welcoming us to Creighton University’s Heider College of Business. It is a beautiful facility that reflects the thriving economic region in which it sits.

I remember my first trip to Nebraska about twenty years ago. I was driving through the state and was just stunned by its Great Plains beauty. Since then, Nebraska has always been one of my favorite states, although I have not had many opportunities to visit. I am therefore happy to be back to talk about capital formation in the Silicon Prairie.

Reading Martha’s introduction to today’s forum deepened my affinity for Nebraska because I learned that the Reuben sandwich—my favorite—has its origins here. I understand, however, that there is a competing origin story that says the Reuben was invented in New York City. [1] The dueling sandwich origin narrative is a fitting theme for a discussion of capital formation. There will always be competition for capital, and too often New York claims capital that could have been put to good use right here in Omaha.


What the Capital One Hack Means for Boards of Directors

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by John Reed Stark, John Reed Stark Consulting LLC, on Saturday, August 17, 2019 Editor's Note: John Reed Stark is President at John Reed Stark Consulting LLC. This post is based on his memorandum.

Another day, another data breach. This time at Capital One, the fifth largest credit card issuer in the United States.

Specifically, on July 29, 2019, FBI agents arrested Paige A. Thompson on suspicion of downloading nearly 30 GB of 100 million Capital One Financial Corp credit applications from a rented cloud data server. The FBI says Capital One learned about the theft from a July 17, 2019, email stating that some of its leaked data was being stored for public view on the software development platform Github. That Github account was for a user named “Netcrave,” which includes the resume and name of Paige A. Thompson. According to the FBI, Thompson also used a public Meetup group under the alias “erratic,” where she invited others to join a Slack channel named “Netcrave Communications.”

KrebsOnSecurity actually entered the open Netcrave Slack channel on July 30, 2019, and reviewed a June 27, 2019 commentary by Thompson, which listed various databases she found by hacking into improperly secured Amazon cloud accounts, suggesting that Thompson may also have exfiltrated tens of gigabytes of data belonging to other major corporations.


Daily Compliance News: August 17, 2019-the up in smoke edition

FCPA Compliance & Ethics -

AUGUST 17, 2019 BY TOM FOX In today’s edition of Daily Compliance News: GE shares tank 11% after Markopolos report. (FT) Corporate governance (or lack thereof) at WeWork. (FT) Avianca notifies DOJ of potential FCPA violations. (WSJ) Up in smoke? FBI seeks info on corruption in cannabis industry. (Forbes)

The post Daily Compliance News: August 17, 2019-the up in smoke edition appeared first on Compliance Report.

Is Three a Crowd in GRC?

Risk Management Magazine -

As a theory, combining governance, risk management and compliance seems to make perfect sense, especially given Open Compliance and Ethics Group’s definition of GRC as “the integrated collection of capabilities that enables an organization to reliably achieve objectives, address uncertainty and act with integrity.” In GRC terms, these three areas (or “pillars”) form an organization’s fortification against potential surprises. Harmonizing these interconnected, and occasionally redundant, processes across the three functions appears to match business objectives of enabling efficiencies—especially when audit deadlines are tight and the ability to attain and maintain certifications and attestations may be at risk. While integrating the activities of these three functions is a recognized best practice, actually integrating the three functional areas into one unit is relatively new. The practice appears to be growing in popularity, possibly stemming from a desire to comply with regulatory requirements. Is such an arrangement right for your organization, and if so, how can it be done successfully?

The Pillars of GRC

Governance describes the leadership approach to devising control mechanisms and structures that ensure the strategy, direction and overall hierarchy of an organization are effective in enabling the business to achieve its goals. Corporate boards and executive teams typically focus on governance, specifically, definition and communication of corporate control, key policies, enterprise risk management, regulatory and compliance management, and oversight (i.e., ethical and/or legal committees).

Risk management means the process and discipline of assessing risk in order to make more informed decisions and to implement measures for balancing an organization’s desired levels of risk and reward. It involves identifying, analyzing, measuring, modifying or responding to and monitoring risk to the organization. Areas of risk under consideration may include uncertainties related to enterprise-wide processes and their respective effects, such as financial, operational, IT, brand/reputation and privacy. The process of assessing risk, when done effectively, is key in enabling the business to meet functional and strategic objectives, and to make logical decisions based on factual data and analyses.

Compliance is the act of conforming to stated requirements. Requirements could be internally mandated or determined by business-specific regulations and/or laws. Often, companies must meet multiple regulations at one time, which can be taxing on teams, budget and other resources. Developing a consistent, repeatable process to achieve and maintain compliance is vital to reducing the burden.

The Benefits of GRC Integration
There are certainly benefits to having the three GRC pillars connected. As mentioned, there are interdependencies among the groups, and housing them together can improve process efficiency, streamline requests to the wider organization, align processes and tools, and provide consistent communications. In some organizations, the risk management pillar (program or team) may not even exist without an explicit compliance requirement.

Organizations across various industries are grappling with the number of regulatory and contractual requirements that are contingent on providing evidence of formalized risk management practices. Regulatory compliance requirements are extensive, and seem to be expanding year over year.

For example, the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27001, 27017, and 27018 certifications take into account risk management practices, program and implementation within an Information Security Management System (ISMS). Certification may be elusive if demonstrable risk management practices are lacking.

The Payment Card Industry (PCI), the Federal Risk and Authorization Management Program (FedRamp), Statement on Standards for Attestation Engagements (SSAE) 18 and Service Organizational Control (SOC1-3) also have risk management requirements to ensure that organizations are adequately identifying, assessing and modifying risk in a formalized and documented manner.

These requirements are not to be taken lightly as the implications can be significant. For retailers, it can mean the difference between being able to accept credit card transactions or not. For publicly traded companies, it can mean the difference in investor perceptions whether to buy stock or not. For borrowers, it can mean the difference in credit agency ratings and loan costs.

With the three pillars working together, the ability to share information, provide and/or document required audit evidence, as well as report gaps, exceptions, deviations and non-conformities, provides a natural kinship for documenting that an organization fulfills its legal and regulatory commitments.

Potential Challenges
While alignment in these three areas holds a number of advantages, there are also some distinct disadvantages to combining governance, risk and compliance functions into a single unit. Counterintuitively, perhaps, including risk management in the mix may actually derail value available through a stand-alone risk management function. Can a GRC unit, in fulfilling its governance and compliance mission, serve or hurt the fundamental purpose of risk management? Or does risk management get lost in the crowd?

The fundamental purpose of a risk management function is inherently different from that of compliance or governance. The function’s purpose is to build competencies within the organization to identify, analyze, measure, recommend modification solutions, monitor and report on risks to the organization with the intention of driving informed decision-making from both a tactical and strategic level as the main objective.

From a governance and compliance perspective, audits, control reviews and gap assessments are the means to meet the minimum requirement of regulatory frameworks and, as a result, “pass” the requirements as the main objective. The lenses and approaches are entirely different.

The atmosphere of a compliance audit can be tense and contentious since the stakes for failing may be high. Compliance officers may coach people on how to respond to questions, what evidence to provide, and how to keep the audit focused on components known to be in compliance. A need-to-know level of information typically establishes who sees what, to avoid unnecessary investigations or uncovering something that could compromise the organization’s ability to attain or maintain certification.

In contrast, the tone and atmosphere of a risk assessment should be relaxed, open and inviting. Teams should be encouraged to be completely transparent in order to help identify issues or risks in their areas of operation and/or expertise. There is no passing or failing in risk management. Every assessment brings the organization closer to understanding points of potential vulnerability or inability to meet critical objectives. In truly risk-and-objective centric cultures, leadership will invite and encourage risk reporting and support teams who bring areas of concern to light. Organizational teams that are involved in both audits and risk assessments, implemented by a GRC group, may unfortunately equate the two, which can lead to a number of problems and points of confusion.

Although control sets at times form a baseline for risk analysis, identifying risk in an organization involves much more than ensuring that the organization complies with a specific set of controls. Known controls, while important, may not address underlying or emerging risk issues. The overlap of the control and risk environments is not always apparent to others in the organization, especially when compliance audits and risk assessments touch on the same or similar control areas. This may lead teams, particularly with regard to information security, to feel as if they are in a never-ending audit loop, with the same questions asked repeatedly. The differentiations between compliance and risk objectives are important to articulate: An organization can be compliant under various regulations and standards without being fully secure, and no organization is ever free of risk. Risk assessments, when done properly, deliver a deeper understanding of changing environments and evolving uncertainties.

Risk assessments involve interviews, questionnaires, data analysis, scenario exercises and other mechanisms by which risk management professionals delve into root causes that can adversely affect the business. Risk assessments inform decision-makers and responsible personnel of a range of possible outcomes that may or may not fall within the organization’s tolerance levels. These assessments may reveal vulnerabilities or emerging risks that are unaddressed by either regulations or standards. The assessments lead to decisions about which controls are needed, scope of deployment (either fully or partially), and how effective the controls are in modifying current and future risk. While complementary to governance and compliance assessments, the purpose and views within risk assessments are separate and distinct.

Combining governance, risk and compliance can also oversimplify each pillar’s functions in the eyes of organizational leaders and lead to confusion as to where in the organization each function actually belongs. While organizations typically embed a GRC unit within an existing shared services group, such as information security, information technology, legal or finance, the unique aspects of each pillar can make this single unit difficult to place effectively. Governance has strong ties with policy teams, legal, internal audit and human resource functions. Compliance, contract management, legal and security share certain interdependencies. Risk management, especially enterprise risk management, ideally interacts with all enterprise-wide functional and operational domains, products, physical locations, assets and teams in scope.

As such, integrating the risk management function within a strategy-focused group would unlock the full value of the function by all levels of the organization. Separated from the regulatory environment, the risk management program could be more effective and utilized as designed while still enabling the governance and compliance arms to meet their respective requirements. Risk leaders provide unique strategic insight, consultation, reporting, training and communication specific to driving a risk-aware culture as opposed to a purely compliant culture.

Evaluating the Effectiveness of Integration
How do you know which approach to GRC is right for your business or company? Sometimes trial and error is the best method when it comes to determining what will work and what will not. Chances are, your business has already made that decision and you as the risk leader must evaluate how effective it is. Here are some questions to ask yourself (and your teams):

  • Where are identified risks reported in the organization, and are the right people reviewing the findings? What happens after a risk assessment reveals the worth of the program. If the organization’s board, executive leadership or senior leaders responsible for owning the risks actually use the assessment insights to inform their decisions and take action in modifying risks, there is a good chance the program is working as intended. However, if risk management is not integrated into the activities of the organization or acted upon, it is possible the risk management program is perceived as merely a “check-the-box” exercise.
  • Are the business unit’s or company’s strategic objectives influenced by the results of your risk assessments? Risk assessments should not only spur serious review and tangible actions, but should also be used to inform overall, strategic decisions. If that is not the case, it could be that the assessments focus at a micro level as opposed to influencing the bigger picture. On the other hand, it might be that the connection between risk management and strategy is not apparent to the leadership team.
  • What is the risk culture of the organization? If the culture of the organization is not risk-and-objective centric, meaning risk is not a key driver in decision-making, strategy or day-to-day activities by teams, there may be an education or awareness gap in integrating risk assessment results and findings into the bigger picture. Because risk management can mean many things to many people, there must be a focused, clearly communicated methodology and associated education to the organization in order for assessments to mean something to your risk owners and teams. When that is not the case, it is quite difficult to gain credibility and be included in decision-making.
  • How integrated are the functions of governance, risk and compliance? Jeopardizing the intended synergy would likely be unproductive if the three pillars are closely connected, work in lockstep on performing routine assessments and evaluations, use the same tooling and/or workflow to complete tasks, and approach achieving functional business objectives the same way. If the pillars work together but are often at odds, overlapping work or generating confusion among external support teams, staying integrated yet separated might be a better strategy.
  • Do other internal teams understand the purpose of the risk management function or program? One of the main struggles in combining the functions of GRC within one unit is the perception among those outside the group that it is one large conglomerate—and often equated with compliance or audit, rather than the three separate functional areas. This speaks to the risk culture of the organization as well, but when others understand that risk management is a strategic as well as a tactical activity, there is less work to do on the educational front, and the full value of risk management emerges. When risk management’s purpose is misunderstood or not understood at all, it may be best to break away from the GRC model and clearly state definitive, separate objectives so the internal teams can more clearly, and effectively, interact with the risk management function.

There may be other ways to tell whether a GRC combination is or is not working, but thinking about these questions can be helpful in jumpstarting the conversation and formulating a solid justification for making changes if necessary. While GRC as a single unit serves a specific efficiency purpose—and can work in some instances—there is a clear distinction between the missions and lenses used by risk management and the other pillar areas that can become subdued or “buried” when the functions are combined.

In your organization, what is the view of GRC? Is a GRC unit experienced as a cohesive team with three clearly delineated purposes, or is it seen as a crowd clamoring for time and attention? Perhaps now is the time to examine the emerging practice of combining the functions of governance, risk and compliance into a single unit, and determine whether (or not) such an arrangement would work for your organization. Regardless of the approach, creating distinct charters for each of the management areas of governance, risk and compliance may avoid confusion and misalignment among the functions themselves.


Trekking Through Compliance-Episode 77 – The Savage Curtain

FCPA Compliance & Ethics -

In this episode of Trekking Through Compliance, we consider the episode The Savage Curtain which aired on March 17, 1969 and Star Date 5906.4. Story Synopsis While scanning planet Excalbia, Spock detects strange readings which seem to indicate the presence of carbon cycle life forms. Because of the planet’s molten surface, the readings are discarded as [...]

The post Trekking Through Compliance-Episode 77 – The Savage Curtain appeared first on Compliance Report.

This Week in FCPA-Episode 167 – the Good-bye and Hello edition

FCPA Compliance & Ethics -

Jay kisses good-bye to the Red Sox season and says hello to the Patriots title defense. Tom enjoys the Astros having one of the best records in baseball. Together they are back to discuss some of this week’s top compliance and ethics stories which caught their collective eyes. Should compliance lead the data privacy charge? [...]

The post This Week in FCPA-Episode 167 – the Good-bye and Hello edition appeared first on Compliance Report.

Everything You Wanted to Know About Monitors But Were Afraid To Ask: Part V-Cost Issues When Hiring a Monitor

FCPA Compliance & Ethics -

This week, over a five-part podcast series, we have considered some of the basic questions around monitors and monitorships. I have been joined in this exploration by Jay Rosen, the Vice President of Business Development and Monitoring Specialist at Affiliated Monitors, Inc. who is the sponsor of this podcast series. In this series we introduced [...]

The post Everything You Wanted to Know About Monitors But Were Afraid To Ask: Part V-Cost Issues When Hiring a Monitor appeared first on Compliance Report.

W-Z Video: 18 Steps as Muscle Memory

Loss Prevention Media -

Not every time we sit down to talk to someone are we necessarily going to use the W-Z method. But when we do, we should be prepared to talk through every step of the W-Z method, which means all 18. We should also be prepared to hit each component of each step. The W-Z method has very clear and defined principles behind the approach, and it’s very useful when it’s used together.

ORC Ring’s Take Valued at $500K; 5 Arrested

Loss Prevention Media -

Westchester County police in New York arrested five people Wednesday who are accused of stealing thousands of dollars in merchandise from TJ Maxx and other retail stores in recent months. They were taken into custody in Mount Vernon, Queens and the Bronx, and stolen property valued at more than $100,000 was seized. Several vans and […]

US Customs Seizes $3.4M in Fake Luxury Brands

Loss Prevention Media -

The US Customs and Border Protection (CBP) reported a seizure of 5,300 counterfeit goods at LAX yesterday, which would have totaled up to $3,475,000 at their genuine retail value combined. Several popular fashion brands were infringed upon within the fake product, including apparel and accessories labeled as coming from Gucci, Nike, Louis Vuitton, Hermès, Fendi […]

Fraudster Called ‘Consumer’s Worst Nightmare’ Gets 57 Months in Prison

Loss Prevention Media -

A 25-year-old Fishers woman was sentenced to 57 months in prison after admitting she used identities of others to get credit cards for fraudulent use. Arielle Wilkerson’s crimes began in 2012, according to United States Attorney Josh Minkler. She pleaded guilty to charges that she “used the identities of victims throughout the United States to […]

Suspect Assaults Police Officer; Leads Foot Pursuit after Shoplifting

Loss Prevention Media -

The Virginia Beach Police Department arrested a man Wednesday after a shoplifting incident at Walmart. According to police, officers were called to a shoplifting case at 8:48 PM. When police responded to the Walmart at 2021 Lynnhaven Parkway, they learned about a man in the business concealing merchandise. The man fled the business as police […]

Days after Sheriff Calls Retailer’s Security ‘Poor,’ Company Officials Meet with Police Leaders

Loss Prevention Media -

After an armed robbery at the Eldersburg Walmart in Maryland led the Carroll County sheriff to harshly criticize Walmart’s security policies, he and other local law enforcement representatives will meet with corporate Walmart officials to try to find solutions. Crime data obtained by the Times showed that local police are often called to Walmarts in […]

Audit Committee Disclosure in Proxy Statements—2019 Proxy Review

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Leeann Arthur, Krista Parsons, and Robert Lamm, Deloitte LLP, on Friday, August 16, 2019 Editor's Note: Leeann Arthur is a senior manager, Krista Parsons is a managing director, and Robert Lamm is an independent senior advisor, all at the Center for Board Effectiveness, Deloitte LLP. This post is based on their Deloitte memorandum.

In recent years, the role of the audit committee—and, in particular, its oversight of the independent auditor—has been subject to increased scrutiny from regulators, investors, and other stakeholders. The independent auditor is critical to maintaining confidence in the reliability of financial information and, ultimately, in the proper functioning of the capital markets. Increasingly, investors also look to the independent auditor to provide insights that support sound, well-informed financial decisions. With changes to the auditor’s reporting model that went into effect this year, and the imminent requirement to identify critical audit matters (CAMs), transparency around the audit committee’s interactions with the independent auditor is even more essential.

Now in its fifth year, Deloitte’s observations and analysis of trends in audit committee disclosures in the proxy statements of S&P 100 [1] companies reflect moderate increases in disclosure in certain areas of frequent focus by regulators and investors.

In 2019, certain disclosures relating to the independent auditor increased. A greater percentage of S&P 100 companies disclosed that the audit committee evaluates the independent auditor, the reasons why the committee decided to reappoint the independent auditor, and the tenure of the independent auditor. More audit committees also disclosed that they discussed the scope and plan for the audit with the independent auditor. While some other voluntary disclosures appear to have plateaued, these modest increases may have been in preparation for the new and upcoming regulatory requirements previously discussed.


Recent Application of Caremark: Oversight Liability

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Jason J. Mendro, Andrew S. Tulumello, and Jason H. Hilborn, Gibson, Dunn & Crutcher LLP, on Friday, August 16, 2019 Editor's Note: Jason J. Mendro and Andrew S. Tulumello are partners and Jason H. Hilborn is an associate at Gibson, Dunn & Crutcher LLP. This post is based on a Gibson Dunn memorandum by Mr. Hilborn, Mr. Mendro, Mr. Tulumello, Elizabeth A. Ising, Gillian McPhee and Ronald O. Mueller. This post is part of the Delaware law series; links to other posts in the series are available here.

In a recent decision applying the famous Caremark doctrine, the Delaware Supreme Court confirmed several important legal principles that we expect will play a central role in the future of derivative litigation and that serve as important reminders for boards of directors in performing their oversight responsibilities. In particular, the Delaware Supreme Court held that a claim for breach of the duty of loyalty is stated where the allegations plead that “a board has undertaken no efforts to make sure it is informed of a compliance issue intrinsically critical to the company’s business operation.”

Although the case addressed extreme facts that will have no application to most mature corporations, the plaintiffs’ bar can be expected to attempt to weaponize the decision. With all the benefits that hindsight provides, derivative plaintiffs will more frequently contend that a board lacked procedures to monitor “central compliance risks” that were “essential and mission critical.” The Supreme Court’s decision reinforces that directors need to implement controls that enable them to monitor the most serious sources of risk, and may even caution in favor of a special discussion each year around critical risks.


Weekly Roundup: August 9–15, 2019

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by the Harvard Law School Forum on Corporate Governance & Financial Regulation, on Friday, August 16, 2019 Editor's Note: This roundup contains a collection of the posts published on the Forum during the week of August 9–15, 2019.

5 Steps for Tying Executive Compensation to Sustainability
Posted by Blair Jones and Seymour Burchman, Semler Brossy Consulting Group, LLC, on Friday, August 9, 2019

Cleveland, Kondo, and Capital: Remarks before the American Chamber of Commerce
Posted by Hester M. Peirce, U.S. Securities and Exchange Commission, on Friday, August 9, 2019

Finalized Volcker Rule Amendments
Posted by V. Gerard Comizio and Nathan S. Brownback, Fried, Frank, Harris, Shriver & Jacobson LLP, on Saturday, August 10, 2019

Net-Zero By 2050: Investor Risks in the Context of Deep Decarbonization of Electricity Generation
Posted by Eli Kasargod-Staub and Kimberly Gladman, Majority Action, on Saturday, August 10, 2019

Building a Sustainable and Competitive Economy: An Examination of Proposals to Improve Environmental, Social, and Governance Disclosures
Posted by Paul S. Atkins, Patomak Global Partners, LLC, on Sunday, August 11, 2019

Managing Legal Risks from ESG Disclosures
Posted by David R. Woodcock, Amisha S. Kotte, and Jonathan D. Guynn, Jones Day, on Monday, August 12, 2019

Adoption of CSR and Sustainability Reporting Standards: Economic Analysis and Review
Posted by Hans Bonde Christensen (University of Chicago), Luzi Hail (University of Pennsylvania), and Christian Leuz (University of Chicago), on Monday, August 12, 2019

Best Practice Principles for Shareholder Voting, Research & Analysis
Posted by Danielle A.M. Melis, BPP Group, on Monday, August 12, 2019

Female Board Power and Delaware Law
Posted by Nate Emeritz, Wilson Sonsini Goodrich & Rosati, on Tuesday, August 13, 2019

Modernization of Regulation S-K
Posted by William H. Hinman, U.S. Securities and Exchange Commission, on Tuesday, August 13, 2019

Bebchuk & Hirst Article on Index Funds Wins Fernández de Araoz Award on Corporate Finance
Posted by Tami Grozwald-Ozery (Harvard Law School), on Tuesday, August 13, 2019

The Governance Implications of the Equifax and Facebook Settlements
Posted by Michael W. Peregrine, McDermott Will & Emery LLP, on Wednesday, August 14, 2019

Inventor CEOs
Posted by Emdad Islam (Monash University) and Jason Zein (University of New South Wales), on Wednesday, August 14, 2019

Non-Employee Director Pay Practices
Posted by Bill Reilly, Pearl Meyer & Partners, LLC, on Wednesday, August 14, 2019

SEC Enforcement in Financial Reporting and Disclosure: 2019 Mid-Year Update
Posted by David Woodcock, Shamoil T. Shipchandler, and Joan E. McKown, Jones Day, on Thursday, August 15, 2019

More than Money: Venture Capitalists on Board
Posted by Natee Amornsiripanitch (Yale University), Paul A. Gompers (Harvard Business School), and Yuhai Xuan (University of Illinois), on Thursday, August 15, 2019

A New Milestone for Board Gender Diversity
Posted by Cydney S. Posner, Cooley LLP, on Thursday, August 15, 2019

4 Global entity management trends to watch

Ethical Boardroom Feeds -

By Antonio Soler – Vice President and Head of Global Services, CT Corporation



An increase in global activity has led many organisations to step up efforts to address multinational legal, regulatory and contractual compliance. Expanding global regulations and a heightened focus on multi-jurisdictional scrutiny and transparency have raised the compliance stakes.

While today’s professionals may understand the importance of proactively managing their legal entities, it’s not uncommon to see global organisations struggle to effectively handle legal entity and corporate compliance tasks, particularly at the local level. The reason for this is simple: global regulations are changing in fundamental ways and at an accelerated pace.

Data protection laws drive expanded regulatory responsibilities

Global entity management presents notable challenges that are applicable to almost any organisation. Laws and regulations often vary widely between jurisdictions and the global regulatory landscape is eternally dynamic. New laws are passed and existing laws are expanded, amended or repealed on a near-constant basis.

Know your customer (KYC) laws are one example of a rapidly evolving set of policies. These security regulations serve as a critical tool for preventing money laundering, bribery and other financial crimes. Changes to data protection laws worldwide (the EU’s General Data Protection Regulation [GDPR] and Canada’s Personal Information Protection and Electronic Documents Act [PIPEDA], for example) have also been keeping compliance officers busy. GDPR rules mean that businesses must make major adjustments to the way they gather, store and manage personal data.

These laws were once the sole province of tightly regulated organisations and jurisdictions. That’s changed and the expansion of KYC and other compliance mechanisms has grown to include multiple jurisdictions and many types of non-regulated entities.

As another example, companies in the Cayman Islands are now required by law to adhere to international standards and commitments when maintaining and filing beneficial ownership data. These commitments include policies designed to prevent money laundering, tax evasion and terrorism financing.

These laws were adopted with the goal of facilitating better information exchange between Cayman Islands’ entities and global regulatory and tax authorities. Failure to file beneficial ownership information can lead to a company being struck off the register or having its assets vested with the government, as well as facing additional financial sanctions.

Heightened risk of enforcement and penalties drives new business requirements

The old ways of doing business are quickly changing, particularly in the arena of global enforcement. Multinational firms can find themselves a target of enhanced compliance enforcement, as foreign tax authorities have learned that it is often easier to collect penalty and interest payments from larger organisations. Some foreign tax authorities have created dedicated teams that specialise in pursuing action against legal entities of the foreign direct investment variety.

As enforcement activity has increased, so have penalties for non-compliance. Common risks of non-compliance in all regulated industries include admonition notices, financial penalties, ceding supervision and control to local authorities and even shutting down the business. Such sanctions can lead to serious financial or operational harm while also opening an organisation to reputational damage.

Individual criminal liability is also a possibility. Consider the following scenario. Most US firms name senior management as directors of overseas entities. Assume that a director is situated in a country with a punitive posture toward non-compliance (Brazil, France, Italy etc). If that organisation has a delinquent tax issue that hasn’t been resolved locally, the director may be arrested when entering the country – even if that director had no prior knowledge of the non-compliance. Even more troubling, the director may have their own personal assets seized, under some circumstances.

For senior management staff who are acclimated to operating behind the veil of US corporate culture, this kind of introduction to an overseas posting is very close to a nightmare scenario.

This type of extreme action is rare and doesn’t happen in every country, but organisations should still take steps to prevent any corporate non-compliance issues that can trigger an enforcement penalty.

Why real-time data and insights are critical

Data has become the lifeblood of almost every modern organisation, and almost every department within an organisation is itching for greater reporting that provides access to actionable information. Master data management, or an updated central repository of documents and data, is a prerequisite for keeping various organisational functions working synergistically.

This synergy is especially critical between tax and legal departments, as facilitating smooth and open collaboration between these two departments is key for staying compliant. Adding new global entities to the mix can make existing processes more cumbersome.

Integrating the latest entity management software into compliance management is the key driver for delivering results quickly and efficiently. The right software solutions can provide insight into corporate structures for each jurisdiction; furnish accurate, real-time data for departmental use and foster collaboration with executives on business strategy, risk aversion, mergers and acquisitions, and so on.

Pairing technology with expertise helps mitigate corporate compliance risk and reduce costs.

It is incumbent upon organisations expanding overseas, who may work with multiple providers, to maintain visibility into what’s happening in every region, with every provider. This is no small task. Complex legal and regulatory regimes, multi-territory agreements, the varying quality of data and language issues can all make managing this process quite challenging. It also opens the organisation up to significant non-compliance enforcement risks.

The solution to this problem, thankfully, is straightforward – more control and visibility into global compliance obligations. Technology plays a key role in providing this control, visibility and scalability.

Still, the appropriate tech is half of the equation. A combination of technology, service and content is the true killer app for managing compliance. The process of staying compliant is evolving into more of a strategic partnership scenario, as organisations seek trusted partners to help manage compliance demands. These trusted partners can offer flexible, customised solutions that are purpose-built to support an organisation’s unique needs, wherever they operate.

Organisations are also seeking trusted partners who can provide true, on-the-ground expertise and support. As local conditions change at a rapid pace, it’s essential that a partner can provide timely updates and the critical context necessary to understand and react to these local changes. These services, combined with a scalable technology solution that provides central visibility and helps ensure compliance at the local level, are the key. This solution must also cover all points in the entity lifecycle, from incorporation, to ongoing annual compliance demands and any situational compliance needs arising unexpectedly.

Working with a partner that can provide an integrated compliance solution merging technology and expertise can lower costs, introduce greater flexibility and allow organisations to access a broader pool of talented global workers. Local advisors and service providers play an integral role in creating new legal entities, recruiting and training both senior managers and operational staff and supporting administrative functions. It should also be noted that an outsourced solution can work as a complement to existing internal compliance operations.

Overall, with the right strategic partner in place, today’s organisations can boost their bottom line while also introducing greater efficiencies and productivity. The key is finding a partner who offers not only the technology, but also the critical expertise.

Before global services are integrated, however, legal departments need to improve internal processes and determine the optimal technology to implement. The right software solution can create significant new efficiencies by automating many non-essential or low-value tasks and providing an opportunity to reduce workloads.

In many cases, finding this solution means working with a trusted outside partner – one who can help promote efficiency and standardisation while also allowing the legal department to demonstrate its value across the organisation.

The future of global entity management

Non-compliance presents certain risks for organisations, including reputational harm, financial penalties, personal liability and administrative dissolution. In order to avoid these traps, it’s essential to stay vigilant when pursuing global expansion by anticipating common compliance issues before they arise.

Ultimately, the right partner should employ a triple-level approach: content, technology and service. One or two of these elements is not sufficient. Just as a triangle is dependent on having three connected planes, an optimal regulatory compliance partnership relies on having these three components in place.

Global compliance management may be growing more complex by the day. But the right partner, which delivers on content, technology and service, can help organisations become more efficient, minimise compliance risks and focus on the core business mission, all without being distracted by lingering compliance issues.


About the Author:

Antonio Soler is the Head of Global for Wolters Kluwer’s CT Corporation, the leading provider of registered agent services, incorporation services, and legal compliance professional services. With over 20 years of entity management experience, Antonio has extensive global expertise and experience helping drive businesses and law firms to succeed throughout the world. Antonio regularly writes articles, speaks at events and provides media commentary about international compliance and corporate governance.

Global Rise of Collective Investor Actions Significant Risk for Companies

Corporate Compliance Insights -

Mechanisms for shareholder class-action lawsuits are being developed around the globe. Dechert attorneys David Kistenbroker, Joni Jacobsen and Angela Liu offer insights on what legal and compliance departments can do to shield their organizations from litigation risk. Stakes continue to grow in investor litigation around the globe, and companies must continue to prepare for the […] The post Global Rise of Collective Investor Actions Significant Risk for Companies appeared first on Corporate Compliance Insights.
