Glencore, Part II: Risk Assessments
Today I want to return to Glencore and the ethics and compliance progress report the company released a few weeks ago. Specifically, how did Glencore overhaul that part of the compliance program that drives so many people to exasperation — the risk assessment process?
For those who didn’t see our previous post on Glencore’s compliance report, the backstory is as follows. Glencore, a global commodities trading firm, had a massive anti-corruption settlement in 2022, which resulted in a guilty plea, more than $1 billion in criminal penalties, and two compliance monitors (which were discontinued earlier this year). The company also had to overhaul its compliance program operations, and began publishing annual progress reports on that work last year.
Earlier this month Glencore published its progress report for 2024. Our first post about the report looked at the structure and personnel of the compliance program, as well as how Glencore redesigned and rolled out a new Code of Conduct.
A good Code of Conduct is one cornerstone of the compliance program; a good risk assessment is another. So what did Glencore have to say about how it approaches the task?
We can begin with who’s in charge. Risk assessments are managed by Glencore’s central Corporate Compliance team, which is responsible for overseeing the whole compliance program worldwide. Within that corporate compliance team is a smaller Risk Assessment and Monitoring team devoted solely to, you guessed it, risk assessments and monitoring. That Risk Assessment team then coordinates with the regional compliance teams, and guides those regional teams as they perform their own more specific and locally focused assessments.
The Risk Assessment team reviews compliance risks “in a number of risk areas,” as the report says, but especially focuses on anti-corruption and bribery given the nature of Glencore’s business. Those risks are documented in an enterprise-wide risk register that’s updated as necessary.
Then the Risk Assessment team looks inward, and also identifies “whether existing group compliance policies, standards, procedures, guidelines and training, as well as compliance resources and skillsets, effectively address the updated or newly identified risk(s).” Lovely boilerplate, and we can all grasp the basic concept; but alas, Glencore provided no specific examples.
That compliance risk assessment methodology is based upon a more fundamental enterprise risk assessment standard (from COSO, ISO, or somewhere else? The report doesn’t say), and Glencore did hire external advisers last year to benchmark its assessment process against those of peer companies. “The advisers confirmed the comprehensiveness of our process,” the company said.
Risk Assessments at Regional Level
OK, so that’s how central management gets a sense of all risks across the whole company. Glencore is still a sprawling global enterprise (150,000 employees and contractors across 35 countries and six continents), so it conducts regional risk assessments too; the regional compliance teams use the corporate compliance team’s risk register as the basis for their work.
Each regional compliance team uses a somewhat different risk assessment process depending on the exact nature of the business and facilities in that region, but all of them do take the same fundamental steps.
- Document review, such as country or sector reports, local corporate structure documents, local HR and finance policies, internal audits, and the like.
- Interviews, where regional compliance officers interview local employees about the risks in the compliance risk register to see which of those risks (anti-corruption, anti-money laundering, sanctions, and so forth) are or aren’t applicable.
- Individual risk assessment: for those risks the regional compliance officer does flag, the compliance officer “considers a number of internal and external risk factors,” and then rates the inherent risk of that office or site. The inherent risk is based on the chance of that issue occurring and the potential consequences — and critically, the potential consequences are “pre-designated” by the corporate compliance team. So nobody local can get away with saying, “Eh, no big deal if that risk does happen.”
- Identification and assessment of controls. The regional compliance officer then identifies and evaluates the controls meant to address each risk, and then documents a residual risk score to compare against that first inherent risk score.
As part of that last step, regional compliance officers need to document the controls thoroughly. As the report says, that includes…
[the control’s] classification, business process and area of application, responsibilities for execution and frequency, methods for documenting and evidencing the execution of the control, IT system(s) involved, critical configurations and settings, as well as staff training and interdependencies with other controls.
(One question I have, which Glencore does not answer: to what extent, if any, do regional compliance officers use IT to automate that documentation work?)
Each regional compliance officer documents the results of his or her local risk assessment in a master system maintained by the Corporate Compliance team. That allows the senior compliance leaders to monitor everyone’s progress on implementing necessary controls at the global level.
Lastly, each regional compliance officer must also confirm the accuracy and completeness of their local risk assessments at least once a year, so that senior compliance leaders know the risk assessments are current.
Tying It All Together
So we have a central compliance team identifying the big risks that should concern the whole enterprise; and regional compliance teams performing more site-specific assessments and control analysis around the world to be sure those risks are all kept in check appropriately. Glencore also uses a sophisticated system to log that local risk assessment work and keep central compliance command informed.
The last piece, then, is more detail about how the central compliance team works with the regional compliance teams to coordinate all that effort. The Glencore report explains that, too, in a nifty chart. See Figure 1, below.
[Figure 1: chart of the coordination process between the central compliance team and the regional compliance teams; image not reproduced here.]
Source: Glencore
Essentially, the process begins with the central compliance team talking to subject-matter experts on any new or evolving “issue-specific” risks. Then the central team reaches out to regional compliance officers to talk about region-specific risks, with extra interviews and attention given to those working in high-risk areas or facing complicated risk scenarios.
Then comes a review of those local risk assessments, all stored in a master system; plus reviews from ongoing monitoring and any compliance-related audits that Glencore’s internal audit team recently performed. Add another analysis of compliance concerns reported on the internal hotline, and presto, the corporate compliance team has a holistic view of all the company’s risks, which it can use to update the compliance risk assessment and then guide the regional compliance teams on their local work.
That’s how Glencore does risk assessments, at least. Let me know what jumps out at you here or how you take a different approach! Drop me a line at [email protected] any time.