Little compliance issues that can trip you in a big way
Another compliance issue hit the news on Monday. According to USA Today, “Chevron agreed to pay $2m in fines and restitution and pleaded no contest to six charges in a fire last summer at its refinery in the San Francisco Bay Area city of Richmond that sent thousands of residents to hospitals, many complaining of respiratory problems”. The fine was in addition to $10m already paid in restitution to affected citizens, health services and others; a likely $1m fine by state safety officials; and potential litigation by the city of Richmond.
For a company as large as Chevron (revenue of $231 billion, net income of $26 billion, and return on capital employed of 18.7%), these costs are trivial. The reputation cost is likely to be larger, as is the business disruption caused by investigations by the various federal, state and local agencies – not only as a result of the fire but at a higher continuing frequency and intensity because of the compliance failure. In fact, the failure in Richmond is likely to result in all of Chevron’s US-based operations coming under increased scrutiny for some years to come.
The charges filed by the state and local governments included failing to correct deficiencies identified by the company’s own inspectors.
When I reflect on other news stories of fires, pipeline explosions and other man-made disasters, the coverage always seems to include reports of prior irregularities in inspections, examinations and the like. These reports make the company look reckless, negligent and less than diligent when it comes to compliance. Clearly, a history of compliance failures, especially failures to correct known deficiencies, only exacerbates fines and reputation damage.
So what does this mean for boards, executives, auditors, risk practitioners, and compliance professionals?
If we look at the COSO Internal Control – Integrated Framework (2013), it has a useful principle: “The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” The related points of focus are:
- Assesses Results—Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.
- Communicates Deficiencies—Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.
- Monitors Corrective Actions—Management tracks whether deficiencies are remediated on a timely basis.
While this points us in the right direction, asking to whom compliance issues are reported, who assesses them in terms of risk, and who monitors corrective action, the COSO guidance does not include much in the way of detail.
The U.S. Federal Sentencing Guidelines provide guidance that is essential knowledge, not only for compliance professionals but also for boards, executives, and risk and audit practitioners of organizations operating within the United States. In the chapter on “Sentencing of Organizations”, they state: “The two factors that mitigate the ultimate punishment of an organization are: (i) the existence of an effective compliance and ethics program; and (ii) self-reporting, cooperation, or acceptance of responsibility”.
Every board member, senior executive, compliance, risk, and audit professional should become familiar with the requirements for an effective compliance program, outlined in “§8B2.1. Effective Compliance and Ethics Program”. Key points include:
- The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.
- High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high-level personnel shall be assigned overall responsibility for the compliance and ethics program.
- Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.
- The organization shall take reasonable steps—
- to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;
- to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and
- to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.
If we combine the guidance from COSO and the Federal Sentencing Guidelines, and add risk management techniques for understanding the related risks – especially when there are potentially multiple failures, even if they are in different locations and concern quite different rules and regulations – we can start to see what is needed:
- An effective compliance program that meets at least the minimum requirements of the Federal Sentencing Guidelines (which are not limited to the points above)
- A risk management program that works collaboratively with those responsible for compliance to ensure that compliance-related risks (including possible reputation risk, potential loss of customer confidence, and business disruption risk) are understood, assessed, and addressed
- Evaluations and responses to compliance issues that address the root cause. Too many organizations put a Band-Aid on the obvious wound without making the investment necessary to fix the underlying problem
- Processes that ensure all deficiencies, whether identified internally, as a result of internal audits or inspections, or by third parties including regulators, are reported to the appropriate managers, assessed, addressed by appropriate corrective actions, and then remediated within an appropriate timeframe. Those assessments should be updated on a regular basis as risk levels may change (for example, if there is a second compliance failure)
- Processes that ensure senior management and, as appropriate, the board are informed of all significant or potentially significant compliance failures and risks, whether each risk is being managed as desired, and whether appropriate corrective actions are being completed
How effective is your organization when it comes to ensuring it won’t be bitten by prior-year compliance failures, especially failures that have not been resolved by addressing and fixing the root cause?
I welcome your views and commentary.