One of the more colorful compliance stories from 2020 was Commonwealth Edison, the Chicago-based public utility which paid $200 million that year to settle corruption charges. ComEd also agreed to implement a raft of compliance program improvements — and last Friday, ComEd filed its first ethics and compliance report to talk about its progress so far.
The report is great reading for ethics and compliance professionals because it goes into extensive detail across the whole of ComEd’s program, reviewing the process ComEd’s compliance team used to identify weak areas and the specific reforms ComEd either already has made or plans to make soon. If you were ever looking for a meaty case study of how a large enterprise is trying to right the ship, this 29-page report is well worth your time.
ComEd had been accused of offering lucrative lobbying contracts and no-show jobs to associates of now-former Illinois House Speaker Michael Madigan, a long-time Chicago pol and one of the most powerful Democrats in the state. In exchange, federal prosecutors said, Madigan shepherded several pieces of legislation beneficial to ComEd into law. Madigan was subsequently forced out of office and hit with bribery charges earlier this year.
In addition to that $200 million penalty, ComEd also agreed to a three-year deferred-prosecution deal that listed all the elements of a strong corporate compliance program that ComEd would need to maintain: policies & procedures, periodic review of the program, training, proper oversight, and so forth.
Now we have this first ethics and compliance report, filed with the Illinois Commerce Commission as part of ComEd’s agreement. Alas, ComEd did not post the report on its own website, and the report is a single photostat PDF that can’t easily be searched. Still, there’s a lot here. Let’s take a look.
Structure of the Compliance Program
The report begins with an executive summary that explains the structure of ComEd’s compliance function. That’s interesting unto itself, because ComEd is a subsidiary of Exelon Corp., and the ComEd compliance function is essentially a subsidiary of Exelon’s compliance function. Exelon’s chief ethics and compliance officer, Kristopher Keys, is also ComEd’s chief ethics and compliance officer, as well as Exelon’s deputy general counsel.
The ComEd compliance function is separate from ComEd’s operational governance team, and the compliance office ultimately reports into Exelon’s executive vice president of compliance, audit, and risk, David Glockner. Glockner, who joined Exelon last year as part of its settlement, reports to Exelon CEO Christopher Crane and to the audit and risk committee of Exelon’s board of directors.
From there, the ComEd report sketches out the specific duties of the ethics and compliance function, plus several other pockets of energy-industry regulatory compliance that operate independently of the ethics & compliance function. The primary duties of the ethics & compliance function are:
- Implementing and enforcing Exelon’s Code of Conduct;
- Delivering training for the code and other ethics policies;
- Operating the internal help line;
- Managing investigations of potential violations, including violations of Exelon’s Supplier Code of Conduct;
- Conducting compliance risk assessments;
- Managing compliance for interactions with public officials, which is what got ComEd into trouble in the first place.
Glockner and Keys provide quarterly reports to the audit and risk committee of Exelon’s board. The reports cover significant compliance incidents, new or pending investigations, compliance risk assessments, and other notable compliance program activities. The audit and risk committee also receives separate quarterly reports about compliance with Exelon’s policies on interacting with public officials.
Glockner and Keys also report every quarter to the boards of each of Exelon’s six subsidiaries, ComEd included. These reports seem to focus more on interactions with public officials, including requests that public officials have made of each utility and how compliance believes those issues should be addressed.
That’s a complicated structure, and there’s more I didn’t include here. Unfortunately ComEd’s report includes no charts or graphics mapping out who reports to whom, or which committee has what members who meet how often. Still, if you want an example of how a large corporation might try to build compliance oversight across its whole enterprise, the ComEd report gives you much food for thought.
The rest of the executive summary includes a list of “material changes to the compliance program” that ComEd implemented in 2021. Most were about updating policies or improving technology for better insight into compliance activities.
I was more interested in the rest of the report: six sections that explained the major components of ComEd’s compliance program and how each one works. They are:
- Financial and accounting controls;
- Ethics and compliance risk assessments;
- Communication of compliance controls and procedures;
- Senior management’s tone from the top;
- Enforcement of internal controls and Code of Conduct;
- Remediation procedures.
We could devote whole posts to each one of those bullet points above. For today, let’s look at the one that’s most important to a compliance program’s success and that’s most difficult to do well: the compliance risk assessment.
The ComEd Approach to Assessments
ComEd “substantially redesigned” its compliance risk assessment process in 2021, the report says. Traditionally, Exelon conducted an annual risk assessment that focused on 53 specific compliance risks inherent to Exelon as a large, publicly traded electric utility. After the corruption scandal, that approach needed an overhaul.
In redesigning the risk assessment process, the report said…
The ethics & compliance team sought to better identify emerging compliance risks, produce actionable information about compliance risks and controls for business teams, and drive accountability for improvements. The redesign also sought to better integrate [anti-fraud] and ERM into the compliance risk assessment process.
OK, sounds great so far. Love the pivot away from a checklist of specific risks to an emphasis on identifying emerging risks, plus that part about driving accountability for improvements. So what did ComEd do?
First, it dumped that list of 53 compliance risks in favor of nine broader “compliance domains” that would be relevant for all Exelon units, including ComEd:
- Securities regulation;
- State utilities commissions;
- Mergers and acquisitions;
- Information governance and protection;
- Environmental, health & safety;
- Human resources;
- Reliability, resilience, and security;
- Financial controls;
- Interactions with public officials.
The ethics & compliance team then convened a series of workshops that brought together executives from across the Exelon empire to discuss each domain in detail. Every domain had at least one workshop; presumably some had several workshops. (For the record, cybersecurity was discussed as part of the information governance and reliability domains.)
The workshops discussed the effectiveness of existing compliance policies, controls, and procedures, and any adjustments that might be necessary. They also discussed fraud risks, and Exelon’s anti-fraud and ERM teams participated in the workshops as well. Results of the workshops were then presented to business teams in each subsidiary, Exelon’s executive management team, and the board’s audit and risk committee.
That work all happened in 2020 and 2021. ComEd also plans to build on those efforts in 2022, the report said. First, the ComEd ethics and compliance team will review compliance risks and controls for each of those nine domains listed above, with special attention paid to new regulatory developments, changes in business operations, and compliance incidents that have happened since those workshops last year.
Second, the ethics and compliance team plans to perform even deeper evaluations of several broad compliance concerns, to see whether those issues need any new policies or controls:
- A culture of compliance initiative ComEd launched last year;
- Workplace conduct;
- Environmental compliance;
- Health & safety compliance;
- Interactions with public officials;
- Privacy compliance;
- Compliance training.
To a certain extent, none of those issues surprise me because they are core concerns that every compliance team should be considering every year.
I’ll close this post with one question. I would like to know how ComEd plans to bridge the gap from compliance risk assessment to the compliance report prepared for the brass.
That is, clearly the compliance team is trying to perform a comprehensive risk assessment, and we should applaud them for it. Once the team identifies ComEd’s most pressing compliance risks, then comes testing and monitoring to track the company’s compliance posture on a daily basis. Then comes summarizing and reporting that posture to the boards of both ComEd and its parent company, Exelon. So how will that whole chain be built?
Anyway, that’s enough for today. We’ll probably have other posts later this week about other parts of the ComEd compliance report. It’s a rich source of information and thought for compliance professionals and we’re lucky to have it.