Risk Roundup for March and April 2019
Our May Risk Roundup lassos two major incidents in the public arena that occurred in the spring. Then it’s into the world of audit and compliance for two significant developments with ramifications for the corporate world going forward.
Boeing 737 Max and grounding of planes
Ethiopian Airlines Flight 302 crashed shortly after takeoff on March 10th, killing all 157 people aboard. The crash investigation quickly focused on the aircraft’s complex control system, which was also the cause of another plane crash. Airlines grounded the 737 Max. Boeing later admitted to knowing about a problem with its 737 Max jets a year before the plane was involved in accidents. The FAA stated the problem was “low risk” but also noted it would have been helpful if Boeing had issued a bulletin. From a risk management perspective, the episode calls for reviewing processes, controls, policies and FAA standards.
According to the CDC, measles was eliminated in the US in 2000. Nearly 20 years later, it’s back with a vengeance. From January 1 to April 26, 704 cases were reported, the highest number of cases since 1994. How did it happen? Typically, a traveler contracts measles and brings it home, infecting an unvaccinated community. Vaccination is a hotly debated issue. What’s the best way forward that manages the public health risk but also protects people’s privacy and wishes?
Auditors trade in pinstripes for prison stripes
A former KPMG partner and a former Public Company Accounting Oversight Board (PCAOB) member were convicted of conspiring to steal secret board schedules so the accounting firm could better prepare audits to be inspected by the regulator. This case connects to an earlier one, where six KPMG executives and PCAOB employees were charged. It’s not always about paying a fine for white-collar rule breaking. Increasingly, it’s also about doing time for wrongdoing such as falsifying disclosures.
Justice Dept updates guidance on corporate compliance
On the last day of April, the Criminal Division of the Department of Justice dropped a doozy. It issued updated guidance for corporate compliance programs. The guidance indicates that a well-designed program on paper may be viewed as unsatisfactory unless it is effectively implemented, especially with respect to identifying and remediating misconduct. DOJ also stressed the importance of conducting a robust risk assessment. The DOJ guidance is what prosecutors look for when evaluating corporate compliance programs. A good rule of thumb is to follow this guidance with your program. It might just curry favor with DOJ prosecutors.
This edition of Risk Roundup highlights the need for a robust compliance and risk management team. It also points to the importance of a strong internal audit program, which is apropos given May is International Internal Audit Awareness Month. We’ll be back in July with a roundup of top risks from May and June.