Governance, Risk and Compliance

Structured and Integrated approach of the management processes to evaluate, control and monitor events, be those risk or opportunities.

Governance And Risk Culture

Management and governance solutions for the Risk Management process and risk culture development:

  • Risk Management governance and processes maturity diagnosis;
  • Proposition of governance and risk management models and principles: methodology structures, area attributions, definition of roles and responsibilities;
  • Policy and Manual designs and Risk Management forms;
  • Case studies and risk benchmarking;
  • Risk Management workshops, training and communication plan. 

Risk Assessment

Methodologies to implement and execute the stages of Risk Management and Opportunities of different natures and categories:

  • Corporate Risks (Strategic; Regulatory Compliance; Financial and Operational)
  • ESG - Environmental Social and Corporate Governance
  • Health, Safety, Environment & Communities (HSEC)
  • Project Risks
  • Application of risk analysis and assessment tools:
    • Bowtie Risk Analysis
    • FMEA - Failure Mode and Effect Analysis
    • HAZOP - Hazard and Operability Study
    • Cause x Effect Diagram, SWOT, Delphi
  • Recording and reporting risks
    • Risk Matrix;
    • Risk Dictionary,
    • Management Presentations.

Project Governance and Risk Management

The risk management applied to projects uses technical requirements observed in ABNT NBR ISO 31000:2018, in the ERM - COSO model and in The Practice Standard for Risk Management (PMI®) standards, in addition to the consolidated good market practices and know-how of the HECT team.

  • Application of mathematical models for risk analysis
    • BOWTIE - schematic way of evaluating a risk focusing on the barriers (or controls) between the causes and the risk, and the risk and its consequences.
    • Risk assessment worksheet - identification of risks, their causes and impacts, controls (preventive, detective and corrective) and probability, impact and risk level calculations.
    • HAZOP - Hazard and Operability Study: qualitative analysis of process routes (equipment and systems) that can cause damage to facilities, people and the environment.
    • FMEA / FMECA - Analysis of Failure Modes, their Effects and Criticality: analysis of failures in the system, subsystems and/or components to reduce risk and define actions.
    • Monte Carlo Analysis: identification of the impact of risks for different scenarios (scenario simulations (what-if)), alternatives in the design of schedules.

Peer Reviewed Risks

The Peer Review process consists of a critical, qualitative and quantitative analysis of the results of risk assessments by professionals specializing in Risk Management. With the objective of verifying the results of risk assessments, through the use of methodologies and good practices in Corporate Risk Management as a reference, it includes:

  • Verification of documental and methodological compliance;
  • Quality of data and information contained in the evaluation documents;
  • Clear description of risk and scenarios;
  • Critical analysis of risk assessment parameters (Probability, Impact and others);
  • Critical analysis of risk treatment strategies.

Control Verification and Audit

Standardized and coordinated approach to risk management and internal control processes, with the application of methodologies based on the relationship of Risk Management (ERM COSO 2018) with the internal control system (COSO I – Internal Control integrated framework) and, with references to the IIA - The Institute of Internal Auditors Three Line Model[1].

  • Integration between Risk Management and Internal Control methodologies;
  • Mapping of internal controls and preparation of a control matrix;
  • Control test drawings;
  • Evaluation and application of control tests;
  • Control environment indicators.
[1] IIA 2020 THREE LINE MODEL – Utilizes the IIA The Institute of Internal Auditors Three Lines of Defense.

Hect offers consulting services in Crisis Management, adopting of the best market practices and aligning with the principal international standards and references.

  • Application of methodologies for identification and treatment of potential crisis events in the corporation:
    • Mapping and analysis of processes and the value chain; identification of critical activities, equipment and processes and points of vulnerability.
    • Definition of strategies Crisis preparedness plans;
  • Business Impact Analysis (BIA):
    • Mapping of critical risks materialization impacts;
    • Definition of downtime objectives (RTO and MTPD) of operations;
    • Definition of recovery priorities.
    • Business Continuity Plan and Critical Activities Recovery Plan:
    • Definition of impact recovery measures within predetermined deadlines;
    • Definition of roles and responsibilities and monitoring criteria for the response of disruptive incidents;
    • Training and simulations with interested parties.

Application of methodologies based on Risk Management, while adopting the best market practices, enables the development of customized products for Compliance and Integrity management.

  • Compliance Risk Matrix
    • Evaluation of the company's business profile;
    • Analysis and evaluation of the Risk Matrix;
    • Risk Matrix Maturity Report.
  • Compliance and Integrity Programs
    • Code of Ethics and Conduct
    • Corruption and fraud prevention policies
    • Identification and treatment of conflicts of interest
    • Compliance management policies and procedures
    • Offering and receiving gifts and hospitality;
  • Donations, sponsorships and social investments;
    • Management of the whistleblower channel;
    • Compliance Committee;
    • Due diligence of third parties;
    • Application of disciplinary measures;
  • Outsourcing - Compliance Officer and Whistleblower Channel;
    • Management and monitoring of the Compliance Program
    • Whistleblower Channel Management
    • Review of policies and procedures
    • Development of indicators
    • Reports to Senior Management
    • Internal and external communication plan
    • Trainings
  • Compliance, ethics and integrity training and communication
    • Preparation of training materials and booklets
    • Definition of the communication plan and content preparation for internal and external public
    • Preparation and conduction of training programs and application of training for different public
  • Automation of compliance controls in an ERP system;
    • Process mapping and specification for developing compliance controls in ERP systems (Enterprise Resource Planning);
    • Test monitoring;
    • Development approval.

Compliance audits and certifications

Hect's compliance team can help verify the maturity of the compliance and integrity processes, as well as assist in preparing the company for certification processes.

  • Verification of conformity of the Compliance Program regarding regulatory and legal requirements;
  • Compliance and Integrity Program Maturity Diagnosis
  • Preparation for ISO 37001:2016 certification and ISO 19600:2015 guidelines - Anti-Corruption Systems Management
  • Preparation for obtaining the Pro Ethical Company seal

Detailed research to identify risks and red flags related to Third Parties, carried out by a team composed of specialized professionals who are able to analyze and process the data, conduct investigative research and effectively communicate their findings in specific reports and executive summaries.

Background check

  • Support in the identification of business transactions that require the background check.
  • Know Your Partner / Know Your Supplier / Know Your Costumer / Know Your Employee
  • Research focused on business partners, suppliers, customers and employees, searching for information for risk assessment involving the relationship between the parties.
  • Search for data and information about third parties, including:
    • Legal Proceedings;
    • Administrative processes;
    • Public authority registrations;
    • Sanctions applied.
  • Development of a matrix and assessment of the degree of risk that the third party represents for the company.
  • Proposal of controls for business transactions that represent relevant business risks.

Third-party media and image search

  • Searches for information in various platforms, including:
    • Adverse media checks;
    • Politically exposed people;
    • Related parties;
  • Third party reputational risk assessment
  • Preparation of a report indicating mitigation controls to monitor reputational risks.

Hect offers verification services of the operational and legal conformity of structures and processes, providing the client a clear and objective view of the conformity of processes within their requirements through simple and structured tools. The products are customized according to the specific needs of each customer and structure or process analyzed.  

Mapping and verification of the processes legal and operational conformity

Based on the compliance verification, Hect guides the customer on the necessary actions for the necessary adjustments to the processes and guarantee of compliance.

  • Characterization of the process or structure;
  • Identification of technical and operational requirements (laws, standards, regulations, manuals, expert recommendations and compliance to best market practices.
  • Verification of conformity through testing.
  • Compliance indicators and dashboards - preparation of dashboards with the results of assessments and compliance monitoring tools.

Compliance of geotechnical structures

Requirement mapping and application of compliance tests on geotechnical structures. The assessments include legislation in the three spheres of government, standards (environmental bodies, technical standards), ordinances (ANM, ANA, etc.), general regulations, operational requirements (operating manuals, customer internal standards), as well as recommendations of experts and national and international best practices of the market.    

Integrated vision, personalized risk-based approach, led by a multidisciplinary team.   Does your company hold customers, employees or suppliers’ personal data? If you answered "yes" to any of these, regardless of the sector in which you work, then you need to comply with Law No. 13.709/2018 - LGPD. The LGPD aims to harmonize the rules and guidelines for the processing of personal data, focusing on the privacy of the data subject and maximizing transparency between companies and citizens. Therefore, it is essential to implement the Personal Data Security and Privacy Management Program, so as to ensure legal compliance in addition to avoiding damages such as sanctions, fines, publicizing infringements and suspension of the database. The conscious and strategic adaptation to the LGPD does not affect the company's productivity nor is it an impediment to carrying out activities. Compliance with legislation allows the generation of value for the company, increasing credibility and competitiveness. Learn about our solutions!

Compliance Diagnosis and Risk Mapping

  • Mapping the flow of personal data in the company;
  • Identification of legal and regulatory principles applicable to data processing according to segment and sector;
  • Development of an information security and data privacy risk matrix aligned with the company's objectives;
  • LGPD Compliance Report:
    • Recommendations regarding identified non-compliance situations;
    • Prioritization in dealing with privacy risks.

Preparation of the Privacy Management Program

Supervision and coordination of the implementation plan of the Personal Data Security and Privacy Management Program, through:

  • Design of Privacy Management Policies and Procedures:
    • Consent Management
    • Contract Management
    • Rights-holder Management
    • Incident notifications and response plan
    • Cookie Management
  • Design and support in the Program Governance Management;
  • Uphold the Privacy by design and Privacy by default principles;
  • Privacy management training and communication
    • Preparation of training content and materials;
    • Development of a communication and content plan, aimed at internal and external audiences;
    • Application of personalized training for employees, suppliers, third parties and Senior Management.

Training with diverse content through a theoretical and practical approach conducted by trained professionals with real-world experience in the topics.  

Risk Management

Backed by the best governance and risk management standards and methodologies such as ERM COSO | ISO 31000:2018 | ISO 9000:2015 | Three Lines IIA Model, we offer qualification and training that allow a better understanding of risk mapping and identification, elaboration of risk matrixes, risk analysis and assessment and definition of risk mitigation strategies and controls.

  • Risk Management and Internal Controls fundamentals and methodologies
  • Application of risk analysis and assessment tools: Bowtie, FMEA, among others
  • Practical activities to incorporate Risk Management into the business management routine
  • Communication actions and risk culture development (positive agenda and routine management rituals)

Compliance and Integrity

In accordance with the legislation and best standards of compliance and integrity management: ISO 37001 / ISO 19600 | Law No. 12846 / Decree 8420 | FCPA | UK Bribery Act, we offer qualification and training aimed at identifying and assessing corruption and fraud risks, managing the Compliance and Integrity Program, Compliance Officer function for different audiences:

  1. Top Management (“tone from the top”)
  2. Compliance Officer: job skills and knowledge
  3. Operation: development of the compliance and integrity culture in the various operational functions of the organization

Our services