Douglas Hileman Consulting LLC (DHC) helps clients comply with Section 1502 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Conflict Minerals” or DFCM) and manage the associated risks. DHC has worked with clients in both assurance and advisory roles.
Assurance (IPSAs): DHC has conducted Independent Private Sector Audits (IPSAs) to fulfill provisions of DFCM. DHC conducted two of the first 10 IPSAs submitted voluntarily to the SEC, and was one of only three firms based in the U.S. to do so for the 2014 reporting period. Mr. Hileman has presented on conflict minerals (emphasizing the IPSAs) at many industry conferences, webinars, and industry briefings. DHC brings unique credentials to IPSAs. Mr. Hileman worked at a Big 4 accounting firm for six years, and supported scores of financial audit procedures, as well as many Internal Audits. He holds a Certified Risk Management Assurance professional credential from the Institute of Internal Auditors. He is on the Board of the Institute of Internal Auditors (Los Angeles Chapter), and has contributed to a global IIA committee.
Assurance Readiness: Companies have found it useful to undertake a readiness exercise – a “mock IPSA Lite” – to gain greater comfort that they are fully prepared for an IPSA. An IPSA Readiness engagement can help companies improve their programs, align them with other company business processes, and increase the clarity of their SEC filings and other conflict minerals communications. DHC conducts IPSA Readiness engagements in a manner that preserves independence, so that DHC remains eligible to be engaged to conduct the IPSA itself.
Advisory: DHC has helped clients develop conflict minerals programs to achieve compliance and to manage risks. DHC applied enterprise risk management principles to conflict minerals programs, and developed business processes and internal controls that go beyond the SEC Rule, and meet other regulatory requirements, as well as many standard requirements of customers, risk managers, and Internal Audit.
Sustainability and Non-Financial Reporting
DHC helps clients with Sustainability programs and reporting. While it is common for enterprise risk management (ERM) practitioners to focus on financial reporting, DHC applies ERM principles to non-financial reporting (NFR). Sustainability – or Corporate Social Responsibility (CSR), as many companies call it – is closely related to operations and business strategy. Industry standards and customers create compliance requirements, and many NGOs and industries expect external reporting. In fact, DHC has published articles and provided training contending that Sustainability and ERM are essentially the same thing – just using different terms.
Sustainability/NFR is such a broad area that it is a challenge for Clients to identify where programs lag, where they are exposed to risk, or where they need help. DHC has provided value in ways including:
Write a Client’s first Sustainability report (co-sourced with Client staff)
Develop CSR reporting strategy, and draft a Client’s CSR report
Provide CSR briefing to functional leaders who have been identified as content owners for CSR report
Assess Sustainability report relative to peer companies, management expectations, emerging practices, and risks
Assess systems, controls, and accuracy of information in Client’s Sustainability report
Lead a fraud assessment for systems supporting programs for Sustainability reporting
Douglas has provided written comments to the International Integrated Reporting Council (IIRC) on the Integrated Reporting <IR> framework, and on assurance for <IR>. He has followed developments at the Sustainability Accounting Standards Board (SASB) and the Carbon Disclosure Project (CDP), several industry initiatives for non-financial programs, and the Sustainability requirements of major companies.
Enterprise Risk Management
The COSO Enterprise Risk Management framework builds upon the COSO Internal Controls framework, which is a standard framework for internal controls in financial reporting. The COSO ERM framework includes four categories of risk: compliance; operations; [external] reporting; and business strategy. It includes eight components for management of risk. The COSO framework can apply to any type of risk.
Increasingly, risks do not fit neatly into a single category. For example, contractual requirements with customers and suppliers pose risks in all four risk categories. DHC approaches engagements with a broad perspective on risk. We can help companies doing organization-wide risk assessment, or focused risk assessments. Our skills are as scalable as the COSO ERM framework itself.
Compliance and Risk Management
We help clients address the challenges posed by compliance and risk management in these and other areas.
Environmental laws and regulations touch many aspects of company operations. They can limit an organization’s ability to expand operations, or trigger obligations if facilities are relocated or shut down. Environmental liabilities must be accounted for on balance sheets, and can be subject to review by financial auditors. Environmental regulations call for extensive documentation. In the U.S., laws provide for substantial enforcement penalties, which was a key driver for many environmental auditing programs.
Many environmental compliance and auditing programs were created in the 1980s or 1990s. They have not kept pace with changing business models, different compliance drivers, software or technologies, or business risks of non-compliance. DHC has worked with clients on compliance management and documentation systems, evaluation of supporting software, design of compliance business processes, and integration of compliance requirements into operations. DHC has also served various quality assurance roles, including compliance training, auditor training, shadowing client environmental audit teams, formalizing a risk-based approach to environmental compliance monitoring, and internal and external reporting of environmental compliance and management performance.
DHC has experience in Safety program management and auditing. DHC’s experience in Operations has helped clients achieve greater value in Safety programs.
It is a common practice for companies to purchase Safety handbooks or training materials and to implement them “off the shelf” for their organizations. DHC notes that this has some inherent problems – for one, no two companies (or facilities) are identical. Companies have their own culture, organizational structure, and policies. Work forces differ by location – not just by geography, but also by the composition of the work force (full-time or temporary, in-house or contractor, etc.).
DHC envisioned and led an engagement to revise a Safety Policies & Procedures Manual for an organization with over 60 facilities. The engagement reviewed the manual for completeness against all applicable OSHA requirements, added modules and content for additional risk areas, established a common format for safety policies and guidance, differentiated between regulatory requirements and company policy, and enlisted a cross-functional team to verify current practice and the feasibility of proposed changes. The effort also provided professional growth for the Client’s Safety staff and the cross-functional team, and yielded a work product that serves as the basis for a revised Safety Audit program.
Compliance and risk management are not a point in time; they are a journey. ISO, COSO, and Federal Sentencing Guidelines (FSG) are widely used as frameworks or management systems to address compliance or risk management. Requirements can change with new laws or regulations; they can also change as the nature of the business or operations change.
DHC has experience with many management frameworks, both standard and customized. DHC believes principles and lessons from one management system can be applied when using any other management system – or when developing programs to meet new obligations. For example, the SEC’s conflict minerals rule mentions the OECD’s Due Diligence Guidance as a framework for managing upstream risks in sourcing minerals from conflict-affected areas. Most affected companies dutifully followed the requirements of the OECD guidance. DHC worked with clients to map the OECD parameters against other leading frameworks. We identified gaps, and designed and implemented conflict minerals programs with additional features. For example, DHC clients formalized training (an element of ISO management systems) and features of communications and reporting (a component of COSO enterprise risk management). Over the next few years, many companies realized they needed additional rigor in these areas; DHC’s clients enjoyed the benefit of the thoughtful initial design.
Supply Chain/Value Chain
Companies still want quality, timely delivery, and competitive pricing from their suppliers. But that’s no longer the end of the story. Companies require more of suppliers in order to meet their own regulatory requirements (conflict minerals, human trafficking, and restrictions on raw materials), industry standards or codes (safe work practices), customer requirements, or other criteria.
DHC supports clients with new or emerging issues. DHC also helps clients consolidate legacy “silo programs” into more comprehensive programs, working on systems and controls to ensure complete, accurate, and relevant information is compiled and provided to appropriate stakeholders.