Clarity on Compliance
The future of compliance
June 2016
12 Generating added value – Moving beyond (the cost of) compliance
20 Third party risk – Don't get bitten by third party risk
40 Sustainability – A new core competence for compliance?
Clarity on Compliance
CONTENT
3 Editorial: Keeping up with the future of compliance
4 Media headlines
12 Moving beyond (the cost of) compliance
16 Interview: Employees – Managing the risk of unacceptable behavior. Tim Lindon, Philip Morris International
20 Don't get bitten by third party risk
24 Interview: Commodities trading – Keeping pace with regulatory changes in a fast-moving industry. Brian Lewis, Gunvor Group Ltd
32 Private matters: Putting data protection on the board agenda
36 The insider threat – Compliance risks from within your organization
40 Sustainability: A new core competence for compliance?
44 Interview: Sustainability and compliance – A natural match? Peter Herrmann, Actelion Pharmaceuticals Ltd
52 Compliance – A priority for life sciences
56 Pinboard
EDITORIAL
Keeping up with the future of compliance
Philippe Fleury, Partner, Head of Forensic, KPMG Switzerland
The challenges facing compliance officers appear to grow year by year: a huge rise in the number and complexity of regulations, more rigorous enforcement by authorities, and societies that are increasingly intolerant of unethical behavior. Compliance officers are expected to more effectively prevent compliance incidents from happening and, in the worst case, detect and deal with them promptly. And to do so while compliance resources are constantly questioned, and often reduced.

The role of compliance is also expanding as it becomes generally better understood, however. Traditionally confined to regulatory and legal compliance, it is moving towards a flexible definition that also covers ethical standards, sustainability and much more. Against this background, compliance functions are transforming their structures and the skills they deploy. Large centralized teams are giving way to decentralized operations that make it easier to embed compliance throughout an organization. As central compliance departments shrink, this once generalist function is being staffed with specialists. Crucially, what in the past was too often seen as a police function is being positioned as a true business partner.

Throughout these changes, technology can play a key role in managing compliance programs. Using data analytics, for example, can enable improvements by providing useful compliance metrics and monitoring tools that allow an organization to measure the effectiveness of its compliance programs and monitor the emergence of compliance issues.

The potential damage from non-compliance is still very high and compliance officers cannot take their eyes off the ball. This publication covers some leading compliance practices and shares insights into building an even more effective compliance function. We trust you find it useful and we would be pleased to discuss with you how your organization is approaching the future of compliance.

Philippe Fleury
MEDIA HEADLINES
10.6.2015 – Misconduct in financial markets: Greater responsibility for individual bankers
4. November 2015 – Understanding business culture: soft factors in corporate success
11.1.2016 – Sensitive data in foreign hands
HANDELSZEITUNG | 19.2.2016 – Corruption: Dutch company pays massive fine
HANDELSZEITUNG | 9.3.2016 – Hacker attacks: The threat is global
4.11.2015 – Bribery: Fighting corruption is a matter for the bosses
How effective is your compliance function?

With the continuing rise of new regulations, extra-territorial application of national law and progressive enforcement by authorities, organizations have responded by creating compliance management systems (CMS). While a lot of effort goes into sustaining CMS, one key question remains: How can an organization demonstrate to stakeholders that its CMS is effective and efficient in addressing compliance risks?
In the past, the term compliance was usually narrowed down
to an adherence to relevant legislation. Today, it has a broader
meaning that includes any relevant rules, policies and ethical
standards that might be important to both today’s legal
requirements and societal expectations as well as upcoming
ones. This extended understanding of what compliance
comprises poses a challenge to the compliance function
and its objectives. How can the organization adhere to
all relevant requirements? How can it demonstrate effective
and efficient compliance as part of its daily business
operations? What should be considered ‘relevant’ for the
CMS going forward?
Compliance officers are somewhat challenged by so-called “double-edged circumstances”. If compliance within a company proves to be effective – that is, the organization adheres to the law and its internal policies and procedures, including the Code of Conduct and imposed standards – the compliance officer usually faces questions around the necessity of time and resource investments. If, however, adherence to requirements shows signs of ineffectiveness that can ultimately result in serious regulatory breaches, then the firm as a whole might face material financial and reputational losses.

This leads to the question of how to effectively balance investments in a compliance organization – including a set of policies and standards and the need to maintain speed, agility and flexibility towards the markets. In other words: The compliance organization’s challenge is to determine if its compliance efforts are appropriate in relation to the risks that the organization is prepared to bear.

The most effective way of determining the optimal level of compliance is to use a consistent methodology in the form of a compliance management system (CMS) that allows for a coherent development and assessment of the compliance measures in terms of design, implementation and operational effectiveness. Such a CMS applies a systematic approach that is comprehensible to all stakeholders involved, focuses on the key compliance risks that matter to the organization, and allows for an efficient and effective implementation as well as sustainability.

1. Define requirements: Outline the regulatory obligations and assert the responsibilities of the organization regarding these requirements.

2. Conduct risk assessment and response: Identify and assess the relevant key compliance risks and define mitigating strategies, e.g. defining compliance requirements and designing effective controls.

3. Company-wide implementation: Ensure that the compliance requirements are incorporated into business processes.

4. Training and guidance: Provide effective awareness training to employees so that they understand their roles and responsibilities.

5. Assessment: Conduct recurring reviews within the organization in order to assess the effectiveness of compliance measures and ensure that responsibilities and requirements are met.

6. Remediation: Take corrective actions and update the compliance management system as deemed necessary.
Choosing the right CMS standard

While certain regulators have provided CMS guidance in relation to established regulatory requirements, they tend to be developed with a single, specific regulatory topic in mind – e.g. the Resource Guide on the Foreign Corrupt Practices Act (FCPA)1. It either proves to be overwhelming in terms of volume and complexity, or it focuses too narrowly on one specific regulatory aspect, while not touching on other compliance topics and how these should be incorporated into the CMS.

• Fundamentals of effective compliance management; published by economiesuisse and SwissHoldings2; defines general principles as to how good compliance management should be applied by organizations as part of good corporate governance principles.

• ISO standard 19600 – Compliance management systems; published by the International Organization for Standardization – ISO; general guidelines on how to implement and maintain a compliance framework.3

• IDW Assurance Standard: Principles for the Proper Performance of Reasonable Assurance Engagements Relating to Compliance Management Systems (IDW AssS 980); published by The Institut der Wirtschaftsprüfer in Deutschland e.V. (Institute of Public Auditors in Germany, Incorporated Association) – IDW; standard that was set by the German audit associations to prescribe how an external auditor should assess the CMS of an audit client.5

1 https://www.justice.gov/sites/default/files/criminal-fraud/legacy/2015/01/16/guide.pdf
2 http://www.economiesuisse.ch/sites/default/files/downloads/compliance_e_web.pdf
3 http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=62342
4 http://www.coso.org/guidance.htm
5 https://shop.idw-verlag.de/product.idw;jsessionid=0EF687DF46D4D29654C72186046592A0?product=20205
Too much choice? The seven essential elements of a good CMS

While these compliance frameworks might vary in terms of methodology, they all have the common objective to embed compliance effectively and efficiently into the organization’s business processes. By doing that they allow for a better mitigation of key compliance risks and thus make sure the CMS is an effective part of the organization’s corporate governance. Notably, the following seven key elements are usually part of a good compliance framework:6

1. Compliance culture: Clear commitment by leadership (‘tone-at-the-top’); compliance culture is embedded within the organization (e.g. company values); leadership style on compliance is consistent at all organizational levels (‘walk the talk’); design and set-up of the compliance supervisory board and committees is defined.

2. Compliance objectives: Applicable compliance requirements (laws and regulations) are identified and incorporated into the CMS; Compliance framework (e.g. policies and procedures) provide guidance to the organization; Key CMS objectives are aligned with corporate strategy and goals (e.g. growth, development of new business; seeking new or alternative business opportunities etc.).

3. Compliance risks: Group risk assessment and risk management is aligned to corporate goals; CMS is developed based on the key compliance risks derived from the risk assessment; identification of compliance risks is done under consideration of compliance objectives; introduction of systematic procedures for risk identification and reporting has an especial focus on emerging risks.

4. Compliance program: Policies designed to mitigate compliance risks are documented and rolled out throughout the organization; training is provided and tailored to the needs of stakeholders; compliance-related documentation is readily available to all relevant stakeholders.

5. Compliance organization: Organizational structure of the CMS is defined and includes formal definition and approval of roles and responsibilities; adequate availability of dedicated compliance resources is ensured in order to make the CMS effective throughout the organization.

6. Compliance communication: Reporting lines to escalate compliance risks including allegations or indications about possible offences are defined; program to ensure adequate and recurring training for target groups is in place; a formal process to ensure systematic bottom-up feedback is defined.

7. Monitoring and improvement: Process for recurring monitoring of the CMS’s effectiveness is established, including reporting channels to address weaknesses; measures in the event of non-compliance are taken promptly and communicated throughout the organization; responsibilities of leadership for maintaining an effective compliance system including remediation of non-compliance issues is clear.

[Figure: Compliance Management System – the seven elements arranged around the CMS: 1 Compliance culture, 2 Compliance objectives, 3 Compliance risks, 4 Compliance program, 5 Compliance organization, 6 Compliance communication, 7 Monitoring and improvement]

6 This is in line with the structure of the IDW PS 980
Independent assessment: A useful exercise

Despite the fact that it is the compliance function’s responsibility to design and maintain a CMS, it cannot be emphasized enough that the effective application of the CMS instruments (e.g. controls, guidelines, policies etc.) is the sole duty of the business. To make sure that the business is fully aware of its role and at the same time provides adequate assurance to key stakeholders (e.g. board of directors, executive management) it can be useful for a compliance function to mandate an independent assurance function to provide an ‘outside view’ – such as the internal audit function or an external service provider. Such a function can give an independent and fresh perspective on how the CMS is adopted within the organization and assurance if it continues to be fit for purpose.

The organization can greatly benefit from such assessments to identify possible gaps, provide an opinion as to how it is implemented and applied or benchmark the CMS against good practice. It can also benefit the compliance officer by demonstrating to stakeholders the compliance function’s capabilities in managing an efficient and effective CMS, or if more resources are required to fill identified gaps. Finally, it can serve an organization’s leadership to demonstrate that the CMS is appropriate and possible incidents did not arise due to missing policies or because insufficient actions were taken to enforce suitable compliance measures.

“Increasing compliance requirements call for an effective and efficient CMS”

In order for an organization to effectively meet the increasing number of internal and external compliance requirements, it is necessary to have a proper CMS in place. Numerous frameworks provide guidance as to how such a CMS should be designed and developed, implemented and sustained. Having a robust CMS in place is only the first step, however. As with the development of new legislations, the CMS should be considered as an evolving framework that needs to be constantly assessed in terms of adequacy of covered key compliance risks, the effective application by the business and the efficient use of resources. Regular reviews and independent assessments can help ensure that what was best practice in the organization yesterday, remains so today and will stand the test of time in the future.
Moving beyond (the cost of) compliance
Many organizations find themselves spending increasing time
on ongoing monitoring and analysis of regulatory changes. The
growing internal cost of compliance is considered to be an urgent
problem2 for 69 percent of compliance executives. And 75 percent
of Europe-based companies predict compliance costs will increase
significantly in 2016.3 Now is a good time to take a long hard look
at your internal compliance model. In particular to ask whether it is
efficient in closing the gaps in risk coverage and whether you are
leveraging its potential in strategic decision-making. In short, are
you turning your compliance activities into a competitive advantage?
With more than 60 percent of compliance direct costs relating to headcount, finding a practical and cost-effective structure is a priority for many corporations. This can be tricky in an area where no single solution fits all. Some small and medium sized organizations raise a valid question: “Do we need a compliance function at all?” A recent publication from economiesuisse Swiss Holding emphasizes how there is no single uniform concept for an efficient compliance organization, giving the example of how small corporations introduce simple but effective compliance measures such as demonstrating appropriate ethical behavior from the leadership, a clear segregation of duties and communication that reinforces the company’s fundamental values.

To centralize or decentralize?

Larger organizations meanwhile adopt more formalized structures and functions but must decide whether a centralized, decentralized or hybrid structure is optimal for their needs:

• Centralized: The compliance function retains direct control over all compliance-related activities and execution of controls. A common structure in highly regulated sectors such as financial services, it often involves a large team of dedicated compliance officers.

• Decentralized: Compliance is embedded in existing functions such as finance or human resources. Compliance activities are carried out locally with limited central oversight, resulting in very limited direct compliance headcount cost.

• Hybrid: Responsibilities for some compliance activities are delegated within the organization, but oversight and ultimate responsibility are borne centrally (and regionally, if the corporation is a large multinational). This is increasingly common, as are ‘shared’ responsibilities where designated employees act in both operational and compliance capacities.

While the fully centralized structure can be perceived as being ‘safer’, we note it is falling out of favor – perhaps in part because it promotes the view that compliance is the responsibility of a single department rather than the broader organization. By contrast, a decentralized compliance structure ensures that compliance roles are closer to operations, raising awareness of risks and allowing a faster and more efficient response to problems. Moving towards decentralization can help address silo mentality and bring together risk management, business understanding and aspects of legal and compliance expertise. However, limited central compliance involvement can create a lack of monitoring and strategic oversight and may affect the function’s independence from the business.

Global, diverse operations are moving to more hybrid compliance structures, which provide the business with a better combination of compliance insight into, and oversight of, local operations. They can also be more effective in embedding a compliance culture across the various parts of the business and achieving greater cost effectiveness due to the creation of dual roles at an operational level. Compliance officers’ roles become more strategic / advisory to the business, monitoring regulations and using data analytics to drive the design and execution of compliance programs at an operational level.

Turning compliance into a competitive advantage

It is increasingly important in these resource-constrained times to ensure

1 Be Fast and Right in 2016: Key Imperatives for Compliance and Legal Executives, CEB 2015
2 Be Fast and Right in 2016: Key Imperatives for Compliance and Legal Executives, CEB 2015
3 Top 5 Compliance Trends Around the Globe in 2016, Thomson Reuters
4 http://www.iso.org/iso/home/news_index/news_archive/news.htm?refid=Ref2040
Employees – Managing the
risk of unacceptable behavior
Tim Lindon, Chief Compliance Officer at Philip Morris
International in Lausanne, Switzerland discusses
the importance of understanding human behavior
when leading a compliance function, and the
role of data analytics to support this task, in an
interview with Philippe Fleury.
“Regulatory issues are simply too vast to be handled by the compliance department alone.”
KPMG: What led you to compliance after a broad career in litigation and corporate law?

Tim Lindon: Becoming a Chief Compliance Officer was not part of my career plan. In fact, when I started at Philip Morris the role didn’t even exist. But looking back at my 25 years in the company, it’s definitely been the most challenging and rewarding position I’ve held here. My legal background allowed me to understand the risks facing the company but it was still a significant transition to go from a legal role to running a global function. I hadn’t anticipated how different the roles are. In a legal role, no matter how senior you are, you spend most of your time responding to clients’ needs and legal developments. Compliance is similar to other functions in that you are developing strategies and managing a function. Law is a good background for it but does not have a monopoly on the necessary characteristics – understanding the business, being respected for trust and integrity, demonstrating leadership skills and knowing how to get things done are the key elements for making a strong Chief Compliance Officer.

How has your role changed over the past five years?

I was lucky. I inherited a compliance program that was very strong and well developed and I work for a company where integrity and compliance is ingrained in the business. So I had to enhance, rather than create, the program. However, I wanted - and in fact we needed - to start doing some things differently to stay contemporary and move forward. The greatest change was in how the compliance program is perceived throughout the business. Changing the perception from it being a function responsible for enforcing rules, to a state where compliance is everyone’s responsibility and truly embedded in the business. We made it easier, rather than more complex, for people to comply. We improved transparency, as the more transparent compliance is, the more likely people will comply.

“.. simplifying our Code of Conduct – which we now call our Guidebook for Success – reducing its length by half and highlighting its connection to our business.”

How can you make it easier against a background of increasing regulations?

Through understanding employees’ needs first and foremost. What are their questions and concerns? Writing materials and developing trainings that address specific concerns rather than
“Particularly in compliance, more resources do not guarantee a better program.”

trying to cover every eventuality. We started revising and simplifying our Code of Conduct - which we now call our Guidebook for Success – reducing its length by half and highlighting its connection to our business. We made it very specific to what people need to know, and explained why we have certain rules and where they can go to find more information. We put it on an app so it was accessible. Overall, we use a behavioral approach to reducing misconduct, working to understand how employees actually react to ethical dilemmas. More rules are not the route to being more effective. While a strong moral tone is essential, you don’t need to preach to people. You try to work peer-to-peer to understand how business proposals might go wrong if people behave certain ways under pressure. Really, you become a psychologist as well as a business advisor.

Which key compliance challenges are you focused on right now?

As at most large companies, the greatest compliance challenges come from increased regulations and their globalization. Overall, there is no doubt that in many areas – whether privacy, the environment, anti-corruption or competition – risks are increasing due to a greater number of complex regulations and the rapid globalization of risks. In the area of anti-corruption, for example, it’s not about complying only with US law but also with new laws in the UK, Brazil and elsewhere. Regulatory issues are simply too vast to be handled by the compliance department alone, so the key risks are managed by the functions with the most expertise. For example, the Operations Department is the owner of our Environmental Health and Safety program. The other challenge that is a focus of compliance departments is increased pressure. The pace of change has picked up, competition is more global and employees often face more pressure. This can lead individuals to sometimes forget their ethical obligations in the heat of the moment, so one of the challenges is again not to have more rules but to consider human behavior and how to reinforce a certain conduct. We adjust trainings to avoid giving employees the answers right away but to put them in a pressured situation to see how they adapt. We also look to ensure that trainings are not done remotely but by supervisors to be more immediate and effective.

What constitutes an effective compliance program and how do you measure its effectiveness at Philip Morris?

Personally I’m very skeptical about many compliance KPIs. The ones I’ve seen often measure mostly the number of trainings and the number of incidents. A compliance program is not designed to produce numbers but a strong culture; a culture that’s going to prevent misconduct. To measure effectiveness, we carry out a comprehensive company-wide ethics and compliance survey every two to three years. Over 28,000 employees responded to the last one. You need to recognize there are pockets of strengths in your program, and different cultures and managers where there might be issues. A broad survey can take the temperature of different functions and countries and then compare them, as well as help to understand trends over time. The most important KPI is the strength of your culture, and it’s crucial to have a robust way of measuring this.

What are your views on the use of data analytics in monitoring the effectiveness of compliance programs, and how do you use data in your own role?

Data analytics is both the future of compliance and an important area of concern. Increasingly, big data is showing up everywhere in the company from corporate audit to HR. Compliance has a role in making sure
“A compliance program is not designed to produce numbers but a strong culture; a culture that’s going to prevent misconduct.”

that the right data are used, and that both privacy laws and employees are respected. Big data and data analytics have enormous potential for compliance but it doesn’t require massive investment. It’s something that every company can do. At a minimum, companies should be analyzing the number, type and geographic locations of their cases. If this is tied to your human resources system it produces all sorts of interesting analyses that can raise red flags and help prevent incidents in other jurisdictions. The second use of data analytics is to capture the root causes of misconduct and to be able to understand and share them. Last year, we mandated that anyone who carries out a compliance investigation must do an analysis at the end of it. What do they believe were the root causes, the external and internal influences, the behavioral factors, the organizational factors? We then begin to see the links. Data analytics is the future because it is one of the answers to the business need to anticipate compliance issues. But it doesn’t have to be a massive undertaking - it just has to involve using your basic data in a way that helps you to understand root causes in order to predict and control misconduct.

What is your advice to mid-sized companies, NGOs and governmental agencies that feel the need to set up a compliance organization but are afraid of the high costs involved?

One size doesn’t fit all and particularly in compliance, more resources do not guarantee a better program. My first suggestion is that the more responsibilities that can be assigned to the ongoing business, the better. In a mid-sized organization that’s looking to save resources I would seriously consider an approach that focuses on keeping it simple, making the compliance function visible, and understanding the people and the organization. Taking a behavioral approach will save resources because it allows you to understand your organization and to focus on where are the greatest risks and how people might react to changes in the organization. Regulatory authorities in the US Department of Justice and elsewhere don’t necessarily expect companies to demonstrate they are making huge financial investments or that they have extensive rules to cover every area comprehensively. Rather that they have an approach that is best tailored to the size and the issues of the organization. This ties with not needing a large central organization. You need to centralize training, communications and risk assessment and this can usually be done with a handful of people; but whether you are a global or a mid-sized organization, the message can get seriously diluted with distance. I would invest in at least one full time person close to each major business unit and in many geographies rather than a larger central staff. It’s easier to reinforce your message.

What does the future hold for compliance functions and compliance officers?

I think that compliance in the next five years will increasingly become a distinct profession. The challenge will be, first of all, to enhance the core skills needed for people who want to make their career in compliance, while at the same time finding outstanding talent within the organization that wants to come to the function for two or three years before returning to their areas and becoming life-long ambassadors for compliance. Data analytics will definitely make compliance easier and help us to anticipate issues.

The future of the compliance role is not necessarily more rules but in doing more to understand employee behavior – working with it, rather than against it.
Don't get bitten by third party risk
With more than one-third of businesses1 failing to formally
identify high-risk third parties, many potential compliance
perils go unchecked. To what extent do third parties pose a
threat to your business?
Third party compliance risk management is one
of the biggest challenges facing companies.
More than one-third of businesses do not formally
identify high-risk third parties, and many more
do not actively use the processes they have in place.2
Compliance violations by business partners can
harm your company, and ignorance of compliance
risks is not a valid argument when dealing with
law enforcement agencies. Is your business at risk?
In today’s international business connection with these vendors • The US Foreign Corrupt Practices
environment, companies typically deal with a multitude of business partners such as vendors, joint-venture partners and sales agents. Knowing the people with whom you are doing business is critical when assessing your business risks and, increasingly, your compliance risks.

Exposed by association
Authorities and the public at large expect high standards of integrity from businesses. A compliance incident at one of your business partners can have substantial repercussions for your own company. Research shows that third parties are involved in more than 75 percent of corruption cases.3 A global pharmaceutical manufacturer, for example, recently agreed to pay USD 25 million to settle a U.S. Securities and Exchange Commission (SEC) case that claimed payments had been made through third party event planning and travel companies to Chinese government officials in connection with pharmaceutical sales. According to the SEC: “Among other things… [the company] failed to conduct proper due diligence in and failed to ensure sufficient and appropriate support for the selling and marketing expenses submitted by these vendors.”4

What you don’t know can hurt you
Organizations that fail to evaluate business partners adequately – to know who they are and how they operate – expose themselves to reputational and operational risks, government inquiry, financial penalties and even criminal liability. Two prominent pieces of anti-bribery and corruption (ABC) legislation specifically refer to an organization’s accountability for third party involvement in bribes:
• The UK Bribery Act: “A commercial organization will be liable to prosecution if a person associated with it bribes another person intending to obtain or retain business or an advantage in the conduct of business for that organization. A person associated with a commercial organization is defined as a person who ‘performs services’ for or on behalf of the organization. This person can be an individual or an incorporated or unincorporated body.”5
• The U.S. Foreign Corrupt Practices Act (FCPA): “the FCPA prohibits corrupt payments made through third parties or intermediaries.”6 It is unlawful to make a payment to a third party while knowing that all or a portion of the payment will go directly or indirectly to a foreign official. The term ‘knowing’ includes conscious disregard and deliberate ignorance.

The UK Bribery Act and FCPA both prescribe that organizations should apply risk-based due diligence procedures to third parties who perform or will perform services for or on their behalf. Appropriate processes and policies can reduce the threat posed by third parties and should therefore be high on any board agenda. To achieve the right balance between the resources dedicated to due diligence and the level of assurance your organization wants to achieve, a risk-based approach should prioritize resources on the highest risk targets. Four essential steps in any third party risk management (TPRM) system include:
1 Anti-Bribery and Corruption: Rising to the challenge in the age of globalization, KPMG in Switzerland, 2015
2 Anti-Bribery and Corruption: Rising to the challenge in the age of globalization, KPMG in Switzerland, 2015
3 OECD Foreign Bribery Report, OECD, 2014
4 https://www.sec.gov/litigation/admin/2016/34-77431.pdf
5 The Bribery Act 2010 – Guidance
6 FCPA: A Resource Guide to the U.S. Foreign Corrupt Practices Act, by the Criminal Division of the U.S. Department of Justice and the Enforcement Division of the U.S. Securities and Exchange Commission
Clarity on Compliance
Environmental regulation violations or human rights abuses in your supply chain are among the wide range of other issues that can also hurt your organization.
Four essential steps to mitigate third party risks

1 Identifying relevant third parties: The inventory of third parties with whom you do business might be large and outdated. A good first step is a structured approach to eliminate third parties that are no longer relevant to your business.

2 Managing the onboarding process and risk assessment: Each third party poses a different level of risk. A useful approach is to categorize relevant third parties into high, medium and low risk. This might be determined by country of operation, industry sector or the nature of the business (e.g. commodity risk) conducted together.

3 Conducting an appropriate level of integrity due diligence: You might subject low-risk third parties to desktop due diligence. For high risk, or where there is a lack of publicly available information, a full in-country due diligence may be required.

4 Ongoing monitoring of third parties: As things can change, you should periodically reassess third parties to ensure ongoing compliance, taking into account the risk rating of the third party. Such assessment could include providing compliance training to third parties and on-site audits, among other activities.

On 21 April 2015, a broad coalition of Swiss civil society organizations working in human rights, development and environmental protection launched the ‘Responsible Business Initiative’. According to the initiative, “Swiss-based firms will be liable for human rights abuses and environmental violations caused abroad by companies under their control. This provision will enable victims of human rights violations and environmental damage to seek redress in Switzerland. Companies who haven’t complied with their due diligence obligations will be held accountable in front of Swiss Courts.”

The initiative was launched after the Swiss lower chamber of parliament dismissed a motion for increased corporate accountability, after having initially accepted it. If 100,000 signatures have been gathered by 21 October 2016 to support the initiative, it will be submitted to Swiss voters through a referendum.
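The four TPRM steps above, carried through as an added Python example that is not part of the article or of any KPMG tool: it prunes stale entries from a third party register, rates the remaining ones high, medium or low from country of operation, industry sector and nature of the business, maps the rating (and the lack of public information) to a due-diligence level, and derives a reassessment date from the rating. The scoring tables, tier thresholds, review intervals, the staleness cut-off and the register entries are all constructed assumptions for illustration, not values from the article.

```python
"""Third party risk tiering and due-diligence scheduling (added example).

Implements the four steps from the text: prune stale third parties,
rate the rest, pick a due-diligence level, and schedule reassessment.
Every table and the sample register below is an assumption made for
this illustration, not data from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed scoring tables (1 = lowest risk, 3 = highest). A real programme
# would source these from its own country-risk index and sector policy.
COUNTRY_RISK = {"CH": 1, "DE": 1, "US": 1, "BR": 2, "RU": 3, "NG": 3}
SECTOR_RISK = {"software": 1, "logistics": 2, "pharma distribution": 2,
               "commodity trading": 3, "event planning": 3}
NATURE_RISK = {"supplier": 1, "joint venture": 2, "sales agent": 3}

# Assumed review cadence per tier: higher risk, shorter interval.
REASSESS_DAYS = {"high": 365, "medium": 730, "low": 1095}
STALE_AFTER_DAYS = 540  # assumed: no activity for ~18 months => remove from inventory
REVIEW_DATE = date(2016, 6, 1)  # constructed "today" for the sample run


@dataclass
class ThirdParty:
    name: str
    country: str
    sector: str
    nature: str
    last_activity: date
    public_info_available: bool = True


def is_stale(tp: ThirdParty, today: date) -> bool:
    """Step 1: flag inventory entries that are no longer relevant to the business."""
    return (today - tp.last_activity).days > STALE_AFTER_DAYS


def risk_score(tp: ThirdParty) -> int:
    """Step 2: additive score; unknown country, sector or nature counts as worst case (3)."""
    return (COUNTRY_RISK.get(tp.country, 3)
            + SECTOR_RISK.get(tp.sector, 3)
            + NATURE_RISK.get(tp.nature, 3))


def risk_tier(tp: ThirdParty) -> str:
    """Step 2: map the score (range 3..9) onto high / medium / low (assumed cut-offs)."""
    score = risk_score(tp)
    if score >= 7:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def due_diligence_level(tp: ThirdParty) -> str:
    """Step 3: high risk, or no public information to check, calls for full in-country review."""
    if risk_tier(tp) == "high" or not tp.public_info_available:
        return "full in-country due diligence"
    return "desktop due diligence"


def next_reassessment(tp: ThirdParty, assessed_on: date) -> date:
    """Step 4: ongoing monitoring interval driven by the risk rating."""
    return assessed_on + timedelta(days=REASSESS_DAYS[risk_tier(tp)])


def review_register(register, today: date):
    """Run all four steps over a register; returns (plan rows, names to remove)."""
    plan, removals = [], []
    for tp in register:
        if is_stale(tp, today):
            removals.append(tp.name)
            continue
        plan.append({"name": tp.name, "tier": risk_tier(tp),
                     "due_diligence": due_diligence_level(tp),
                     "reassess_by": next_reassessment(tp, today)})
    return plan, removals


# Constructed sample register (fictitious names and dates).
SAMPLE_REGISTER = [
    ThirdParty("Alpine Software AG", "CH", "software", "supplier", date(2016, 5, 30)),
    ThirdParty("Lagos Trade Agents Ltd", "NG", "commodity trading", "sales agent",
               date(2016, 4, 2), public_info_available=False),
    ThirdParty("Sao Paulo Events", "BR", "event planning", "supplier", date(2016, 3, 15)),
    ThirdParty("Old Forwarding GmbH", "DE", "logistics", "supplier", date(2014, 1, 10)),
]

if __name__ == "__main__":
    plan, removals = review_register(SAMPLE_REGISTER, REVIEW_DATE)
    for row in plan:
        print(row)
    print("remove from inventory:", removals)
```

The additive score is deliberately simple; the point is that the tier, not the individual attribute, drives both the depth of due diligence and the monitoring interval, so a change in any input (a new country of operation, say) automatically tightens the cadence on the next review.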
It’s time to invest in prevention
A weak TPRM system is a significant gap that urgently needs filling. Failure to conduct adequate due diligence blinds you to potential misconduct that could give rise to serious consequences. Even if you conduct business in good faith, you can come under suspicion – or incur a legal liability – through association with a particular entity. Should you be subjected to an investigation, effective and documented measures that show your efforts to comply with legislation may reduce or eliminate sanctions.

In an environment of heightened regulatory scrutiny and increasingly complex global business arrangements, your awareness of people and companies acting on your behalf is critical. Implementing the right sized third party risk management system can deliver substantial benefits to your organization. It can give you a competitive business advantage, lower your risk exposure and reduce the complexity of business relations in high-risk countries or industries.
Commodities trading – Keeping pace with regulatory changes in a fast-moving industry
Brian Lewis, Group Compliance Officer at Gunvor, discusses compliance for commodities traders with Philippe Fleury.
KPMG: What led you to work in compliance and how does your current environment differ from where you worked previously?

Brian Lewis: As with most compliance professionals I know, I never set out to have a career in compliance. I was working in banking during a time of great changes prior to the financial crisis, and in 2010 I saw an opportunity to move to a trading house. Not least the culture, the agility in getting things done and the pragmatism in delivering. You are not constrained by having to go through 25 committees, which is important, as commodities trading is a fast-moving market that is in the process of maturing; implementing changes and embedding compliance ownership and responsibility within the operations is key to ensure the industry keeps its agility and response to the market. This is how I see compliance should work, and therefore working for a trading company has been fantastic.
Applying data analytics to compliance
It is tempting to see thorough data analytics as being too time consuming and complex for the pressured compliance officer. But given the sheer volume of data held by the average organization, can you afford to ignore its potential value for your compliance activities?
Gaining useful insights from the data held throughout your organization can be a mammoth task. Even once you’ve collected the appropriate data, the challenge is how to create value from them. In an era of tougher regulatory sanctions, however, could data analytics work harder to support your compliance efforts?

Although a large organization typically stores a huge amount of information, it is rare for these data to be systematically utilized for compliance purposes. Yet, as regulators increase their levels of scrutiny and potential sanctions, firms are missing out on a mine of useful information that could feed into their compliance activities – thereby also missing the opportunity to mitigate risks through early detection.

Of course, collecting data is only the beginning. Once the mechanics of how to collect them are addressed, you must make sure you’re drawing worthwhile conclusions from them. In short, the challenge is how to turn data into useful insights.

… are analyzed overall and by categories such as high-risk countries or individuals. Indicators of potential violations are identified, such as unexpected activity peaks and unusual activities that may need further investigation. Similarly, patterns can more readily be identified that suggest hidden relationships between organizations, individuals and/or bank accounts. It’s hard to imagine this being even remotely possible with a manual or outdated analytical approach.

Better and more efficient compliance
Data analytics can allow the compliance officer to spend more time on tasks that generate greater value. For instance, in the interpretation of data, where the compliance officer can add value by utilizing expertise to set the data against the context of regulatory requirements, compliance risks and the organization’s unique risk tolerance.

Better use of data also increases the quality of information with which the compliance officer can work. The data gathered through auditing and monitoring activities – as well as information held in silos in the various operating functions – are invaluable sources of possible improvement. They can help deliver better control of compliance risks by enabling insights into the correct application of regulations, as well as judging the riskiest areas where potentially serious issues can arise.

The uses of a compliance dashboard
Compiling this range of compliance-relevant information can be made easier through the use of a single dashboard. The type of information on this dashboard is usually referred to as ‘non financial risk’ to describe the specific character of the dashboard compared to more general business intelligence solutions.
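The two indicators the article names, unexpected activity peaks within a category such as high-risk countries and hidden relationships between organizations and bank accounts, as an added Python example that is not part of the article or of any analytics product. The first test is a z-score on monthly payment counts; the second links payees transitively through shared bank accounts with a union-find. The payment ledger, the high-risk watch-list and the z-score threshold are constructed assumptions for illustration.

```python
"""Compliance data analytics over a payment ledger (added example).

(1) activity_peaks: months whose payment count, for a chosen category,
    sits more than z_threshold population standard deviations above the
    mean of all months in the ledger.
(2) hidden_relationships: groups of payees connected, directly or via a
    chain of accounts, through bank accounts they share.
The ledger and watch-list below are constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

HIGH_RISK_COUNTRIES = {"NG", "RU"}  # assumed watch-list for illustration only

# Constructed ledger rows: (payment id, month, payee, country, bank account, amount)
LEDGER = [
    ("P001", "2016-01", "Alpine Software AG", "CH", "CH-0001", 12000),
    ("P002", "2016-01", "Lagos Trade Agents Ltd", "NG", "NG-0101", 4000),
    ("P003", "2016-02", "Sao Paulo Events", "BR", "BR-0201", 7500),
    ("P004", "2016-02", "Lagos Trade Agents Ltd", "NG", "NG-0101", 4000),
    ("P005", "2016-03", "Alpine Software AG", "CH", "CH-0001", 12000),
    ("P006", "2016-03", "Volga Consulting", "RU", "RU-0301", 9000),
    ("P007", "2016-04", "Sao Paulo Events", "BR", "BR-0201", 7500),
    ("P008", "2016-04", "Lagos Trade Agents Ltd", "NG", "NG-0101", 4000),
    ("P009", "2016-05", "Alpine Software AG", "CH", "CH-0001", 12000),
    ("P010", "2016-05", "Volga Consulting", "RU", "RU-0301", 9000),
    # June: a burst of high-risk payments, two of them to payees that
    # share accounts with existing vendors (constructed to trigger both tests)
    ("P011", "2016-06", "Lagos Trade Agents Ltd", "NG", "NG-0101", 4000),
    ("P012", "2016-06", "Lagos Trade Agents Ltd", "NG", "NG-0101", 4000),
    ("P013", "2016-06", "Volga Consulting", "RU", "RU-0301", 9000),
    ("P014", "2016-06", "Delta Travel Services", "NG", "NG-0101", 3800),
    ("P015", "2016-06", "Volga Consulting", "RU", "RU-0301", 9000),
    ("P016", "2016-06", "Northern Logistics", "RU", "RU-0301", 5000),
    ("P017", "2016-06", "Delta Travel Services", "NG", "NG-0102", 2000),
    ("P018", "2016-06", "Abuja Media Ltd", "NG", "NG-0102", 2500),
]


def monthly_counts(ledger, predicate=lambda row: True):
    """Payments per month matching predicate; months with no match count as 0."""
    counts = {month: 0 for month in sorted({row[1] for row in ledger})}
    for row in ledger:
        if predicate(row):
            counts[row[1]] += 1
    return counts


def activity_peaks(ledger, predicate=lambda row: True, z_threshold=2.0):
    """Return (month, count, z) for months that stand out against the ledger's own history."""
    counts = monthly_counts(ledger, predicate)
    values = list(counts.values())
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:  # flat history: nothing can be a peak
        return []
    return [(month, count, round((count - mu) / sigma, 2))
            for month, count in counts.items() if (count - mu) / sigma >= z_threshold]


def hidden_relationships(ledger):
    """Cluster payees linked, directly or transitively, through shared bank accounts."""
    parent = {}

    def find(node):
        parent.setdefault(node, node)
        while parent[node] != node:
            parent[node] = parent[parent[node]]  # path halving
            node = parent[node]
        return node

    def union(a, b):
        root_a, root_b = find(a), find(b)
        if root_a != root_b:
            parent[root_a] = root_b

    # Bipartite graph: every payment joins its payee node to its account node.
    for _, _, payee, _, account, _ in ledger:
        union(("payee", payee), ("account", account))
    clusters = defaultdict(set)
    for node in list(parent):
        if node[0] == "payee":
            clusters[find(node)].add(node[1])
    # Only groups of two or more payees reveal a relationship worth a look.
    return sorted(sorted(group) for group in clusters.values() if len(group) > 1)


if __name__ == "__main__":
    print("high-risk activity peaks:",
          activity_peaks(LEDGER, lambda row: row[3] in HIGH_RISK_COUNTRIES))
    print("payees sharing bank accounts:", hidden_relationships(LEDGER))
```

Both outputs are leads for the compliance officer, not findings: a peak may be a seasonal campaign and a shared account may be a legitimate payment agent, which is exactly the interpretation step the article says still needs human expertise.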
… about unknown risks? How should these be tackled when so much information is flowing around the organization? This is where data analytics comes into its own – applying advanced statistical methods based on real-time, continuous monitoring and analysis of both structured and unstructured data. In global finance, for instance, compliance data analytics is often used to meet regulatory requirements by strengthening internal anti-money laundering …

… of potential compliance benefits is therefore significant:
• … and error-prone manual work by automating data collection and analysis of data
• greater number of insights by analyzing all data, not just a sample
• earlier insights to counter potentially adverse situations through real-time detection and prediction of trends, patterns and anomalies.
[Figure: maturity stages of non financial risk reporting. Stage 0: risk assessments and control testing results in spreadsheets – no central system where risk assessments or controls (testing results) are maintained. Stage 1: optimization of risk and controls data with GRC tooling. Stage 2: quantification of non financial risk based on Internal Rating Based (IRB) modeling methods (loss distribution approach). Stage 3: Non Financial Risk Dashboards (tablet compatible) – design and development of Non Financial Risk Dashboards in GRC tooling and on mobile solutions (i.e. iPad). Stage 4: Non Financial Risk Dashboards enriched with real-time information, with action tracking – development of real time dashboards. Source: KPMG Switzerland]
Private matters: Putting data protection on the board agenda
December 2015 marked the European Commission’s agreement on the General Data Protection Regulation (GDPR), which will affect all organizations that deal with the personal data of EU citizens. Organizations have some serious compliance homework to do if they are to be fully prepared before enforcement of the GDPR starts in early 2018.
Data protection regulation has been around for decades, but the GDPR makes adequate data protection and corresponding governance systems significantly more important. This new legislation is the most impactful change in privacy and data protection regulation yet and should be treated as a board agenda item at every organization. Here are four very good reasons why.

1. Higher sanctions for non-compliance
Failure to comply with one or more provisions of the GDPR may lead to fines as high as EUR 20 million or 4 percent of global annual turnover. This marks a radical shift from the limited sanctions under the old EU data protection regime, where the financial risks were consequently immaterial to most large organizations. The GDPR brings sanctions more into line with EU competition laws, where fines amounting to tens of millions of dollars are not the exception.

2. Data breach notification obligation
The GDPR introduces for every organization an obligation to report data breaches. Organizations must notify the respective supervisory authority within 72 hours after becoming aware of a data breach that requires notification. In the case of a data breach with high privacy risks, affected data subjects must be informed without delay. This obligation means organizations must have appropriate processes and technology in place to monitor, follow up on and ideally prevent data breaches. While many organizations have invested heavily in enhancing information security over recent years, not all have the full set of required safeguards in place. Under the new regulatory requirements, failure to adequately monitor and follow up on data breaches will lead to higher fines and is likely to have negative reputational consequences.

3. Data Protection by Design
Organizations are already required to have implemented appropriate technical and organizational measures to protect personal data. Under the GDPR, they will now need to demonstrate that measures are continuously reviewed and updated. In addition, there is a requirement to be able to demonstrate that appropriate measures are included in the design of processing operations and that by default, personal data are processed only where necessary. In connection with this, organizations must carry out a Data Protection Impact Assessment on the envisaged processing operations where processing is likely to lead to high privacy risks. Simply updating standard policies for data protection compliance will not suffice and it is no longer acceptable
for data protection compliance to be treated as an afterthought. Data protection must be a core consideration when developing new solutions and services. This will lead to situations where the launch of certain products or services is deliberately postponed until data protection risks are resolved and the privacy of consumers can be guaranteed. The Data Protection by Design requirements truly cover a broader sense of data protection.

4. Data lifecycle management
The GDPR enhances the right of the data subject to have all its personal data removed on request. In addition, when processors are used in the chain of personal data processing, liability for correctly deleting all personal data lies in principle with the data controller. This means organizations are generally responsible for finding and erasing relevant personal data related to the data subject concerned – both within the own organization and at any third parties with which the personal data have been shared. For many organizations it demands the introduction of improvements to achieve the highest standards of data governance and personal data lifecycle management.

These are only four reasons why the GDPR should be a main board agenda item. The regulation presents many more. In short, the GDPR moves data protection to the core of business activities. Management’s challenge is to not only adapt policy frameworks to the new regulation, but to implement effective data protection controls throughout the organization – and, crucially, at companies with which data are shared.
The insider threat: Compliance risks from within your organization
History has proved time and again that the most devastating attacks originate from inside an organization. The causes can be a range of intentional or unintentional acts. Is your organization safe from third party risks and your own employees?
It is an uncomfortable fact of life that the people we trust may sometimes represent the greatest danger. Employees and third parties have routine access to our most precious information, financial and technical assets. They operate our information systems and know how to manipulate them. They might even be privy to protective security measures, giving them an excellent insight into gaps and loopholes. Together, these factors make the insider threat particularly potent. When addressing human weakness, organizational approaches are generally only responsive. A reaction …

A credible threat requires all three of the following ingredients to be present. An opportunity must exist in terms of failures in controls or processes. The motivation must be there, perhaps encouraged by headcount reduction, work pressures or financial distress. And there must be an attitude that the organizational culture is negative or employees are treated badly, resulting in a sense of damaged trust. Environments in which costs are being aggressively managed down can contribute to these ingredients. Corporate culture plays a big role, particularly if the culture is that business ethics have no place: …

… your technology solutions excessively emphasize technology. … Insider threats are far more difficult to assess, as they are less technology-based than external … to determine: intentional (fraud) or unintentional (accident or negligence), insider threats can lead to the loss of intellectual …

Greater threats in the 21st Century
… in this field. … human resource management (absence of a fair appraisal process, no career development planning, … company costs. From a security perspective, however, it can cause a loss of control over sensitive … and laptops – is increasingly common, blurring the lines between business and private use as well as causing …

“… was to do this … how could … detect it?”1

1 The Wall Street Journal, 26 August 2002
Sustainability – A new core competence for compliance?
Corporate sustainability has come a long way since it was only a ‘nod’ to green issues. It is now a core element of how we do business. As its importance has grown, so have stakeholders’ expectations. Does your organization treat sustainability as a key compliance issue?
Encompassing a broad range of social, environmental and economic topics, sustainability can mean …

Sustainability impacts almost every aspect of an organization’s operations. It has matured from being an isolated topic that concerned ‘green’ issues such as applying a ‘recycle’ label to product packaging, to being an area that influences supply chain management, product development, …

2. Legislation is intensifying
Relevant legislation is becoming both broader and deeper. From the revision of the Swiss Company Law which foresees a quota of 30 percent female board members to the Responsible Business Initiative that would oblige Swiss businesses to conduct …
A spotlight on pharmaceuticals
The European Federation of Pharmaceutical Industries and Associations (EFPIA) has recognized that interactions between the industry and healthcare professionals can create potential conflicts of interest. It has introduced a ‘Code on Disclosure of Transfers of Value from Pharmaceutical Companies to Healthcare Professionals and Healthcare Organizations’ that sets out minimum standards to be adhered to by all 33 EFPIA member associations, which are also required to incorporate the disclosure code into their national codes.

For pharmaceutical businesses, key compliance questions nowadays include:
• What payments or transfers of value to healthcare professionals or healthcare organizations is your organization involved in, and how do you capture and report them?
• Are you aware of transparency requirements for each jurisdiction in which you operate?
• How are you raising awareness of policies and procedures within your organization?
• How are you monitoring and anticipating the evolving regulatory landscape?
4. Transparency through publications
Sustainability reports and information in annual reports further enhance commitments and transparency on performance. Reporting on key sustainability topics is now standard in most industries. The KPMG Survey of Corporate Responsibility Reporting 2015 shows that 74 of the 100 largest companies in Switzerland report on sustainability issues. The majority of these apply the Global Reporting Initiative’s (GRI) Reporting Guidelines, which include several indicators that relate to compliance. Many companies – including in the pharmaceutical industry, for example – report on the number of non-compliance incidents with regulations and voluntary codes concerning marketing and advertising.

The EU Directive on Non-Financial Reporting is expected to result in around 6,000 of Europe’s largest companies reporting on environmental, social, human rights, employee, and anti-bribery and anti-corruption matters. Corporate responsibility reporting has become de facto legislated even where it is not yet officially regulated.

This gives rise to a whole new raft of internal and external monitoring requirements. Compliance functions are being drawn further into the world of sustainability. How long before sustainability forms part of a compliance officer’s job description?

… practices across the organization and the supply chain are expanding the compliance officer’s remit to outside their own organization.

Greater transparency leads to greater compliance risks
In a self-perpetuating cycle, companies that claim high sustainability standards will be held to them by stakeholders – especially where products are promoted partly on the basis of sustainable attributes. If the company is found to be failing, the response from investors and customers can be swift and damning.

Those that are required by law to ensure their products comply with environmental standards are especially susceptible to adverse publicity and even investigation by relevant authorities. False sustainability claims can give rise to potentially severe publicity. Witness recent high profile cases of non-compliant emissions testing in the automotive industry.

Integrating sustainability and compliance
As the definition of sustainability continues to widen, it is becoming an increasingly central concern of the compliance function. It is imperative for compliance officers to tackle the subject head on, setting up suitable goals and policies to ensure the organization and its employees act appropriately.
Sustainability and compliance – A natural match?
Almost all major compliance violations stem from human behavior. As stakeholder scrutiny of business conduct intensifies, are you confident that you can adequately identify, manage, mitigate and report on conduct risks? Peter Herrmann, Group Compliance Officer at Actelion, shares his insights into the alignment between compliance and sustainability.
Unacceptable conduct: Assessing and managing the risks
Human behavior is such a significant source of compliance risk that financial regulators have declared conduct risk one of the highest regulatory priorities. As enforcement activity is stepped up and stakeholders express growing intolerance of poor corporate attitudes, firms are paying dearly for employees’ misconduct. But what precisely is conduct risk and how can it be managed effectively?

The lack of a universal definition of conduct risk can cause confusion; for example, 81 percent of financial services firms globally are unclear about what it is and how to deal with it.1 Yet, conduct risk can be generally described as closely relating to the corporate culture, whereby individuals’ poor attitudes and behaviors cause designed systems and controls to fail.

1 Thomson Reuters, ACCELUS; CONDUCT RISK REPORT 2014/15, p. 3.
[Figure: radar chart of the eight dimensions of an integrity culture, scored on a scale from 60 % to 90 % – 1. Clarity of standards, 2. Role modeling, 3. Enabling environment, 4. Employees’ support of integrity, 5. Transparency, 6. Openness to discuss dilemmas, 7. Comfort in reporting misconduct, 8. Enforcement. Source: KPMG Switzerland]
1. Clarity of standards: The degree to which policies and procedures are accurate, specific to the organization and complete, so employees understand what is expected in terms of ethical conduct.
Regulators have highlighted the need to document how conduct risk is managed. This includes the definition of what the desired behavior entails. The result should be clarity over policies, procedures, systems and controls, including clarity among employees regarding what the organization stands for and what is considered (in)appropriate behavior.
Example of management information: Survey or audit data on employees’ awareness of specific compliance rules.

2. Role modeling (“tone from the top”): The degree to which the board and management set a good example for the organization and its employees.
Regulators expect boards to lead by example, including communicating and demonstrating proper behavior. Senior management must send the right message in terms of culture and governance.
Example of management information: Approval scores of the board and top management in employee satisfaction surveys compared to the benchmark.

3. Enabling environment: The degree to which an organization’s business targets correspond to predetermined values and principles.
Do employees have the appropriate time and resources to reach their business targets while also fulfilling their compliance responsibilities?
Example of management information: Review of compliance incidents to see if the root causes can be linked to time or budget constraints.

4. Employees’ support of integrity: The degree to which employees personally endorse integrity and desired behavior within the organization.
Measuring employees’ motivation for doing the right thing and upholding compliance standards is essential to be able to make any claim about the organization’s culture.
Example of management information: Employee satisfaction survey, or a dedicated ‘integrity culture’ survey could provide further insights.

5. Transparency: The degree to which conduct and its implications are visible within the organization.
If bad or good conduct is visible in the organization it might spark copycat behavior. A high level of transparency makes it more likely to change undesirable behavior.
Example of management information: Employee survey asking about compliance violations, which could be simultaneously used as a conduct risk assessment.

6. Openness to discuss dilemmas: The degree to which employees feel they can openly discuss ethical dilemmas within the organization.
Employees should feel confident to raise questions and seek support in difficult situations. Any fear of talking openly about ethical dilemmas will adversely affect culture.
Example of management information: Specific questions in an employee survey.

7. Comfort in reporting misconduct: The degree to which employees feel comfortable raising concerns over potential misconduct without fear of retaliation.
An organization should provide dedicated reporting channels that allow confidential or even anonymous communication outside of the traditional hierarchy with supervisors or specific functions. Most organizations have a formal reporting structure, but it is a question of how low the threshold is for employees to actually report a concern. Encouraging them to speak up requires more than the mere existence of a reporting mechanism.
Example of management information: Compare the number of reports per 1,000 employees with a country or industry benchmark. Also use the employee survey to assess trust in the existing reporting procedures.

8. Enforcement: The degree to which irresponsible, unethical or illegal conduct is sanctioned and positive behavior rewarded.
Employees need to assume responsibility for their behavior and must consistently be held accountable for their actions. This includes a fair enforcement process at all levels, including adequate corrective actions in case of misconduct. The cultural element of enforcement relates to how much initiative is taken to apply this.
Example of management information: Review data on enforcement actions and compare these with the number of reported compliance violations.
Compliance – A priority for life sciences
As the level of fines and settlements increases, and as authorities show a growing willingness to pursue both corporations and their senior executives, does every member of your senior management team treat the avoidance of compliance failures as a top agenda item?
Not a week goes by without a drug or medical device company hitting the headlines for alleged infringement of the law. Only recently, the public learned that a US biopharmaceutical company faced a USD 4 million fine for fraud. In addition, the US SEC sought to ban three of its former executives from leadership positions in any company going forward after they allegedly misled investors regarding the safety of a key cancer drug. Compliance is becoming an increasingly personal matter.
Cases such as this demonstrate clearly how authorities – particularly in the US – are actively enforcing laws to the extent that they do not hesitate to punish individuals as well as issuing severe penalties to the company. This is true not only in fraud cases but also for bribery or where potential infringements of anti-trust or data protection provisions are identified.

It comes as no surprise that the life sciences sector is under particular scrutiny. Pharmaceuticals is a multi-billion dollar industry where product safety and pricing profoundly affect the end user. Its businesses operate in a highly regulated market dealing with patients and patient health, handling highly sensitive patient information that is governed by data protection legislation in all major jurisdictions. Scrutiny is enhanced by the fact that government health programs are the main buyers of pharmaceuticals and medical devices.

Risks at home and abroad
We often hear about companies being prosecuted by the US and UK authorities, yet penalties in Switzerland can also be severe. Art. 102 Swiss Criminal Code (SCC) states that if a felony is committed in a corporation and if it is not possible to attribute this act to any specific natural person due to an inadequate organization, then the felony is attributed to the corporation – in which case such corporation is liable to a fine not exceeding CHF 5 million. This is what happened to Alstom some years ago. The company was handed a fine of CHF 2.5 million and had to pay compensation of CHF 36.4 million for violating these provisions in a bribery case. The prosecutor stated in his reasoning that said company had failed to take necessary and reasonable organizational measures to prevent bribery of foreign public officials.

The impact on life sciences
Prosecution can result in damage to both profits and reputations. In a nutshell, shortcomings in a compliance organization can heavily impact a company’s financials. In addition to hefty fines and settlements (which have increased considerably in recent years), costs incurred in connection with the defense of such allegations have reached an unprecedented scale. And this does not even include potential liability claims by users of defective products, which may arise from a failure of internal compliance organizations to oversee the integrity of research, marketing and manufacturing. On top of the severe financial penalties, the reputation of both the company and senior managers can suffer when patients and shareholders become aware of alleged corporate wrongdoing.
The duty of the board of directors is broad

It includes responsibility for ensuring that compliance operates effectively in the organization, and that any breaches of laws or standards are identified and dealt with swiftly. Failure to do so can have severe repercussions, and not only for the business itself.
Senior management take note: in assessing where responsibility lies, enforcement authorities are increasingly dissatisfied with holding only the corporate entity to account.

A question of responsibility

All this makes it imperative for any life sciences corporation and its senior executives to take compliance and ethics seriously. Management must demonstrate genuine efforts to establish an effective compliance program to mitigate risks related to bribery, anti-trust and data protection. Senior managers bear the ultimate responsibility for this task in Switzerland as in other parts of the world. Determining a corporation’s organization is a non-transferable and inalienable duty of the board of directors. This includes implementing a compliance program that is in accordance with legislation as well as recognized industry standards. Further, the compliance program must be appropriate to the size, complexity and risk profile of the corporation.

The board of directors must implement the respective regulations – such as a code of conduct or a code of ethics – enforcing these throughout the group and even along the supply chain. There is a further obligation to review the compliance organization regularly, applying established processes and putting in place regular controls and severe consequences if infringements are detected. In this regard, ensuring the timely reporting of major incidents taking place in lower management functions is central.
PINBOARD

Latest issues

Clarity on Trading – An industry under the spotlight (April 2016)

Clarity on – 10th Anniversary Edition (April 2016)

Clarity on (August 2015):
22 Meet the tourism leaders – Heads of major Swiss tourism bodies share insights into the current and future states of the industry
26 Activity and outlook by sector – A sector-by-sector review of M&A in 2015 and expectations for 2016
68 Swiss deals in 2015 – Summary of transactions announced in 2015 involving Swiss buyers, sellers or targets

Clarity on: kpmg.ch/clarity-on
KPMG Apps: kpmg.ch/apps
IMPRINT AND CONTACTS
Print
GfK PrintCenter, Hergiswil
Pictures
Shutterstock
PERFORMANCE neutral printed matter
No. 01-14-569853 – www.myclimate.org
© myclimate – The Climate Protection Partnership
Articles may only be republished by written permission of the publisher and quoting the source
“KPMG’s Clarity on Compliance”.
The information contained herein is of a general nature and is not intended to address the circumstances of any particular
individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received, or that it will continue to be accurate in the future. No one should act on
such information without appropriate professional advice after a thorough examination of the particular situation. The scope of
any potential collaboration with audit clients is defined by regulatory requirements governing auditor independence.
© 2016 KPMG AG is a subsidiary of KPMG Holding AG, which is a member of the KPMG network of independent firms
affiliated with KPMG International Cooperative (“KPMG International”), a Swiss legal entity. All rights reserved.
Clarity on Compliance
kpmg.ch/compliance