Employment Law Summit - PowerPoint PPT Presentation

Employment Law Summit

Risk Assessment – Benefits & Pitfalls

Kirsten Hotchkiss, SVP Employment Law & Compliance

Duleep Thomas, SVP – General Auditor

• Employment Law & Risk Assessment
• Forms of Risk Assessments
• Interdependencies of Risk Assessments
• Risk Assessments at Wyndham Worldwide
• Global Business Risk Assessment
• Fraud Risk Assessment
• Accounting Risk Assessments
• Compliance Risk Assessments
• Benefits of Risk Assessments
• Limitations, Constraints & Challenges
• Critical Success Factors
• Legal Matters

• Introduction
• Basic components of compliance and ethics program and similarity to employment law concepts
• COSO FRAMEWORK
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring, Compliance and Remediation

Risk Assessments could take several forms. Following are some of the more common forms:

• GLOBAL BUSINESS RISK ASSESSMENT - Business Objectives focused; typically done as part on an overall risk management program
• FRAUD RISK ASSESSMENT – Focused on fraud schemes & scenarios and controls; typically performed as part of the overall control assessment program
• FINANCIAL REPORTING RISK ASSESSMENT – Controls over Financial Reporting; performed by auditors as part of the inherent and control risk assessment
• COMPLIANCE RISK ASSESSMENT – Compliance with laws and regulations; performed by the Compliance groups as part of an overall compliance effectiveness program

• Cross and interdependencies exist within risks identified in the various risk assessments
• Important to understand and recognize the significance of these interdependencies
• Risk Assessment efforts should be coordinated in order to be efficient and effective
• Should be components of an overall Governance, Risk & Compliance program

The following is a snapshot of the various risk assessments performed at Wyndham Worldwide:

• Global Business Risk Assessment
• Collaboratively performed by the Compliance Group and Internal Audit
• Now owned by Senior leadership at business units – periodic updates
• Fraud Risk Assessment
• Collaboration between Finance, Information Technology and Internal Audit
• Now owned by business units – linked to SOX control sets
• Financial Reporting Risk Assessment
• Collaboration between Controllers and Auditors
• Drives audit strategy
• Compliance Risk Assessment
• Led by Compliance teams
• Part of compliance strategy

We will be discussing some of these Risk Assessments……..

The Global Business Risk Assessment entailed the following steps:

• Buy-in from senior leadership across the enterprise
• Structured interviews
• Functions/Responsibilities
• Business Objectives & Initiatives
• Risks & Controls (rated for significance and likelihood)
• Monitoring Groups involved
• Key Performance Indicators
• Confirmation from interviewees
• Compilation of results
• Risk Themes – ranking – Composite Risk Profile, by business unit
• Detailed Risk Narratives
• Observations by Functional Areas
• Presentation and hand-off to business units
• Presentation to the Audit Committee
• Next steps
• Recalibration – by business units
• Periodic updates by business unit

The following 19 risk themes (listed alphabetically) and associated definitions were developed as part of this effort:

The Fraud Risk Assessment entailed the following steps:

• Initial Diagnostics of various components of the Anti Fraud Program & Controls
• Inventory of existing initiatives
• Evaluation of effectiveness of current efforts
• Assessment of coordination between the various current efforts
• External benchmarking
• Issuance of a refined anti-fraud policy, approved by the Compliance Governance Board
• Conduct of a formal Fraud Risk Assessment
• Training of constituents
• Compilation of Schemes & Scenarios, rated by significance and likelihood
• Linkage to control activities compiled as part of our SOX program
• Development of “risk themes” and related taxonomy
• Presentation to the Audit Committee
• Next steps
• Focus on response strategies; expand on potential schemes and scenarios
• Periodic updates by business units

The following 10 risk themes (listed alphabetically) and associated definitions were developed as part of this effort:

• A more granular approach to compliance with specific laws, less focus on financial controls
• Target specific business process and practice owners
• Target specific legal risk areas, for example:
• Foreign Corrupt Practices Act
• OFAC
• Wage and Hour
• EEO/FE Practices
• Privacy and PCI

• Global Business Risk Assessment
• Over 50 key business leaders interviewed across the enterprise
• Over 400 observations captured
• 19 themes of risks identified
• Risk themes plotted on a Heat Map
• Basis for management follow up and audit plan
• Will be utilized by business unit management as part of strategic planning process
• Fraud Risk Assessment
• Corporate personnel and all business units at key locations participated
• Risk inventory (schemes and scenarios) compiled at business unit level
• 10 themes of risk identified
• Risk themes plotted on Heat Map
• Basis for management follow up and audit plan and for SOX scoping process
• Will be utilized by business management to refine response strategies, as appropriate

Risk ID # 3

Risk ID # 1

3, 4, 14, 16, 18

Risk ID # 8

3, 4, 6

Risk ID # 4

7, 24

Risk ID # 2

2, 13, 25, 28

Risk ID # 9

22

Risk ID # 6

2, 5, 9, 20, 21, 22,

23,27, 30

Risk ID # 5

12, 14, 26

Risk ID # 10

3, 4, 6, 8, 11, 12,

20, 23, 24

Risk ID # 12

29

Risk ID # 7

1, 7, 10, 15, 16, 17,

18, 19, 22, 25, 26

Risk ID # 14

3, 4, 6, 23

Risk ID # 11

13

HIGH

HIGH

Risk ID # 16

Risk ID # 13

Risk ID # 16

Risk ID # 15

Risk ID # 18

21, 24, 28

Risk ID # 19

MEDIUM

LOW

• Most effective if managed and executed as part of an overall Governance, Risk & Compliance program
• Ensures engagement of the entire organization in the risk management efforts of the enterprise
• Provides a basis for monitoring the effectiveness of the various controls within the organization
• Several other benefits, include, but are not limited to:
• Creates risk awareness
• Structured risk assessment and aggregation
• Facilitates prioritization and focus
• Input for the Strategic Plan
• Development of the audit plan
• Linkage to control activities – part of the SOX program

• Breadth of participation – needs to have more depth in order to develop meaningful action steps
• Depends on culture of the organization – participants have to be forthcoming
• Currency of the information – manual compilation is tedious and may not yield current info.
• First effort may not yield a full and complete inventory of risks – training within the organization
• May not be effective or efficient unless all risk assessment efforts are coordinated

• Buy-in of senior leadership
• Engagement and coordination with other Monitoring Groups
• Automation – currency of information
• Follow-up by key constituents – prioritization through ‘funneling’ of risks

• Privilege
• Confidentiality
• Risk Acceptance vs. non-compliance