Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2017
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: March, 2017
Mar 31, 2017

I conclude my One Month to Operationalizing your Compliance Program series by discussing how you can put your compliance program at the center of corporate strategy. An article in the Harvard Business Review (HBR) by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect up management’s new sales plans with the “field realities.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”; Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.” 

This can be a critical problem when operationalizing compliance because operationalizing compliance is usually perceived as a top-down exercise. The reality that the employee base that must execute the compliance strategy is not considered. Even when there are comments from employees on compliance initiatives they are often derisively characterized as ‘push-back’ and not taken into account in moving the compliance effort forward. 

Communicate the Strategy 

It can be difficult for an employee base to implement a strategy that they do not understand. Even with a company wide training rollout, followed by “a string of e-mails from headquarters and periodic reports back on results. There are too few communications, and most are one-way; the root causes of underperformance are often hidden from both groups.” Here Cespedes’ insight is that clarification is a leadership responsibility and in the compliance function that means the Chief Compliance Officer (CCO) or other senior compliance practitioner. Moreover, if the problem is that employees do not understand how to function within the parameters of the compliance program, then there is a training problem and that is the fault of the compliance department. I once was subjected to a PowerPoint of 268 slides, which lasted 7.5 hours, about my company’s compliance regime. To say this was worse than useless was accurate. The business guys were all generally asleep one hour into the presentation as we went through the intricacies of the books and records citations to the FCPA. The training was a failure but it was not the fault of the attendees. If your own employees do not understand your compliance program that is your fault. 

Continually improve your compliance productivity

Why not do the incentivize productivity around compliance? Work with your Human Resources (HR) department to come up with appropriate financial incentives. Many companies have ad hoc financial awards, which they present to employees to celebrate and honor outstanding efforts. Why not give out something like that around doing business in compliance? Does your company have, as a component of its bonus compensation plan, a part dedicated to compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when annual bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice.  

Improve the human element in your compliance program 

This is another area where HR can help the compliance program. More than ongoing assessment of employees for promotion into leadership positions, here HR can assist on the ground floor. HR can take the lead in asking questions around compliance and ethics in the interview process. Studies have suggested that certainly Gen Y & Xers appreciate such inquiries and want to work for companies that make such business ethics a part of the discussion. By having the discussion during the interview process, you can not only set expectations but you can also begin the training process on compliance. 

However, this approach should not end when an employee is hired. HR can also assist your compliance efforts by tracking employees through their company career to identify those who perform high in any compliance metric. This can also facilitate the delivery on more focused compliance training to those who may need it because of changes on compliance risks during their careers. 

Make your compliance strategy relevant 

Cespedes notes, “Most C-suite executives know these value-creation levers, but too few understand and operationalize the sales factors that affect them.” In the sales world this can translate into a reduction in assets to underperforming activities. This is all well and good but such actions must be coupled with an understanding of why sales might be underperforming in certain areas. In the compliance realm, I think this translates into two concepts, ongoing monitoring and risk assessment. Ongoing monitoring can allow you to move from a simple prevent mode to a more prescriptive mode; where you can uncover violations of your company’s compliance program before they become full blown FCPA violations. By using a risk assessment, you can take the temperature of where and how your company is doing business and determine if new products or service offerings increase your compliance risks. 

Above all, you need to get out and tell the compliance story. Louis D’Amrosio was quoted for the following, “You have to repeat something at least 10 times for an organization to fully internalize it.” If there is a disconnect between your compliance strategy and how your employee base is implementing or even interpreting that strategy, get out of the office and go out to the field. But you need to do more that simply talk you also need to listen. By doing so, can help to align your company’s compliance strategy with both the delivery and in the field. 

Three Key Takeaways

  1. Use information from your employees to make your compliance program more productive.
  2. Use social media and other innovative techniques to communicate your compliance strategy.
  3. Operationalize Operationalize Operationalize, then Document Document Document. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 31, 2017

Show Notes for Episode 46, for the week ending March 31, the On the Road to Prague Edition 

In this episode, Jay and I have a wide-ranging discussion on operationalizing compliance through business processes. We discuss: 

  1. Why powerful people fail to stop bad behavior by their underlings. Click here for the article.
  2. Some policy management lesson, courtesy United Airlines. Click here for Matt Kelly’s article on Radical Compliance.
  3. Why you shouldn’t linger too long in the wrong compliance position. See Julie DiMauro’s blog post on the FCPA Blog.
  4. Bribe recipient in the Gerald and Patricia Green FCPA case gets 50 years in prison. See article in the FCPA Blog.
  5. Using data to operationalize your compliance program. Read Tom’s blog post, by clicking here.
  6. What the New York state Department of Financial Services new regulation on cybersecurity for financial services companies means for compliance officers. See Tom’s blog post by clicking here.
  7. Jay previews his weekend report. 

Jay Rosen new contact information: 

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist 

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

Mar 30, 2017

The Evaluation of Corporate Compliance Programs, Prong 6, Incentives and Disciplinary Measures states: 

Incentive SystemHow has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

How can you measure compliance in senior management or evaluate it for the purposes of a bonus calculation? This issue has often been difficult to sustain in a company because the compliance evaluation of whether a senior manager or company leader is often viewed as too subjective. An article entitled, “Integrating Your Compliance Programme Into the Variable Compensation of Executives, addressed these issues and concerns. 

The article was built around a case study of the Sorin Group, a healthcare multinational, and the company’s incentive program for its compliance regime. The company created such an incentive program to “influence actual behaviors, and not merely the consequences of any wrong doing that may occur.” Compliance has been made an integral part of each manager’s performance objectives. Members on the company’s Executive Leadership Team (ELT) and the other leaders of all its corporate functions and “business units are directly responsible for the culture, understanding, observance and adoption of the Sorin Code of Conduct, the Sorin United States and international compliance policies and procedures” and their respective health industry codes of practice.

Each of the different functions within the Sorin Group has adopted individual performance objectives specifically regarding compliance. The individualized “compliance objectives are agreed and documented every year for each function and senior manager, and form part of the process of continuous performance review (written reviews twice yearly) managed by Sorin’s human resources team. The responsible executive of each function or group is required to cascade each of the compliance obligations to those employees under them. This ensures that the whole company has compliance integrated into their variable remuneration.” 

The company’s evaluation process includes the staff that report to each senior executive who are interviewed by the General Counsel (GC) or other member of the compliance function “to determine their adherence to the compliance objectives.” Additionally, “An assessment is performed alongside line managers and a member of the human resources team to determine whether the obligations have been met, and to what extent.” Lastly, this same system applies to the company’s Board of Directors and Chief Executive Officer (CEO). 

The variable compensation awarded at the end of each year can be affected in two ways by this compliance evaluation. The first is for an entire group and “If a group fails to meet expectations for the specific objectives the executive and their whole team will miss out on the entire variable pay for that year.” But “If a group meets some expectations for the compliance objectives they will receive payment of the variable, with the amount dependent on the amount of objectives that have been met.” The same holds true for the individual within the group so that “if an employee fails to meet his or her compliance objectives, the whole bonus for that employee will remain unpaid.” 

Some examples of compliance obligations that are measured and evaluated include the following: 

For the ELT

  • Lead from the top – in your own conduct (lead by example) and in the decisions you take, to the resources and time you commit to compliance;
  • Facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally; and
  • Support specific initiatives from the CCO, compliance function.

 

For Department Heads

  • Demonstrate, facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally;
  • Support specific initiatives from the compliance function;
  • Ensure that all employees, agents and contractors directly or indirectly reporting to you fully complete all required training and communications in a timely manner;
  • Provide full cooperation with investigations conducted by the compliance or legal functions of any alleged violation of compliance policies;
  • Include the Chief Compliance Officer or another legal or compliance function representative in your management meetings at least twice per year, per geography;
  • Identify instances of non-compliance and support compliance monitoring and reporting systems; and
  • Partner with compliance in resolving compliance issues.

For Country Heads of Sales

  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully reported all sales and marketing interactions with all government officials or employees of state-owned enterprises in a timely manner and
  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully, promptly and accurately reported all expenses with government officials or employees of state-owned enterprises on ERP. 

The article also speaks of five things to consider when developing such a compliance incentive program.  (1) The program needs to be cascaded down the organization so that it applies to all levels in the company. (2) Include both a 360 degree review and mid-year review. (3) To truly incentive senior management, the compliance objectives should be at least 25% of the overall discretionary bonus program. (4) Do not have simply ‘tick-the-box’ incentives but include subject incentives. 

As the final item to consider, is you need to have SMART compliance objectives, which are defined as: 

  • Specific: A specific objective has a much greater chance of being accomplished than a general objective (e.g don’t just say “ensure training has been completed by your team”, say;
    • Who: who needs to be trained?
    • What: what training objectives do you want to accomplish?
    • Where: identify a location for the training
    • When: establish a time frame for the training to be completed
    • Which: identify requirements and constraints for any training
    • Why: provide specific reasons, purpose or benefits of accomplishing the training objective.
  • Measurable: Establish concrete criteria for measuring progress toward the attainment of each objective you set.
  • Aggressive but attainable: When you identify objectives that are most important to the compliance function and the relevant business, employees are more likely to see the value in making them come true.
  • Realistic: To be realistic, an objective must represent something which you are both willing and able to work toward.
  • Timely: An objective should be grounded within a timeframe. 

The article ends with some insights into lessons learned, including the following: 

  • Top down: If your ELT is truly on board you can make big leaps and not limit your compliance ambitions to incremental steps.
  • Personalize: The objectives should be more personal to each function and more granular.
  • Balance: Have qualitative judgments but couple them with concrete and - most importantly - objective and measurable key performance indicators.
  • Publicize: Talking about the real company examples of its people make the difference.
  • Be positive: Focus your company’s efforts on positive incentive behaviors. In other words, use both the stick and carrot.
  • Just do it: Stop talking the talk and start walking the walk. 

The Evaluation makes clear that the Department of Justice expects incentives to be operationalized into your compensation structure. While there may always be subjectivity built into any compensation incentive system, that does not mean financial incentives cannot be written into the evaluation of any senior management to help guide ethical business practices. 

Three Key Takeaways

  1. The Evaluation requires not only carrots around compliance but metrics to justify compensation.
  2. Provide metrics for each level of employee to hit as a part of a discretionary bonus evaluation.
  3. Up to 25% of a discretionary bonus should be based on compliance or an ethical component. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 30, 2017

In this episode I visit with Brandon Essig, a former DOJ prosecutor when the Yates Memo was released. He discusses the impact of the Yates Memo inside the DOJ and the triage that prosecutors use on cases in response. For Brandon's blog post on the topic on Linkedin, click here

Mar 29, 2017

Even with a great Tone-At-the-Top and in the middle, you cannot stop. One of the greatest challenges of a compliance practitioner is how to affect the ‘tone at the bottom’. In an article in the Spring 2012 Issue of the MIT Sloan Management Review, entitled “Uncommon Sense: How to Turn Distinctive Beliefs Into Action”, authors explored the “often overlooked, critical source of differentiation is [a] company’s beliefs” and provided techniques on how to tap into these beliefs. The authors listed seven approaches that they have used which I believe that the compliance practitioner can use to not only determine ‘Tone at the Bottom” but to impact that tone. They are as follows: 

  1. Assemble a group. You need to assemble a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions. Include both long-time employees and those who are relatively new to the organization. The authors also suggest that if you have any employees who have worked for competitors or for other organizations in your industry you include them as well.
  2. Ask questions. You should ask the members of this group to articulate their basic assumptions about your compliance model, about the management model, about your company’s business model and the future of the industry in general. Ask them to do this individually and not as a group.
  3. Categorize the responses. Now comes the work by the compliance practitioner or compliance team. These assumptions will usually fall into two groups. The first is assumptions that everyone agrees upon-the common beliefs. The second is those assumptions that only a few of the participants will identify – this is what the authors call the “uncommon beliefs”.
  4. Develop tests for common beliefs. For those beliefs that are labeled common - you should consider how you know these to be true? The authors caution that simply because the group may believe that the company operates a common industry or that we “do it because it has always been done this way” is necessarily a “hard fact.” Consider what test you could perform to verify the common belief that you desire to test. The authors note that the purpose here is to “identify the ‘common nonsense’ beliefs that everyone holds that are not actually hard laws of nature.”
  5. Develop tests for uncommon beliefs. Here the authors suggest that you need to consider why some people think that these beliefs are true. What is the information or experience that they have drawn upon? Is there any way for you to test these uncommon beliefs?
  6. Reassemble the original group. You should reassemble the original group and have them consider the beliefs that were articulated by them individually in the context of your compliance model and how both your company and your industry do business. Lead a discussion that attempts to identify any assumptions or beliefs that ‘are quite possibly wrong, but worth experimenting with anyway.”
  7. List of Experiments to perform. The authors believe that the outcome of the first six steps will be “a list of possible experiments [tests] to conduct” to determine the validity of the common and uncommon beliefs. These tests can be accomplished in the regular course of business, through a special project with a special team and separate budget. You should agree on the testing process and review your testing assumptions throughout the process. This process can and should take some time so do not set yourself such a tight time frame that it cannot be fully matured.

By engaging employees at this level, you can find out not only what the employees think about the company compliance program but use their collective experience to help design a better and more effective compliance program. Employees want to do business in an ethical manner. Given the chance to engage in business the right way, as opposed to cheating; will win the hearts and minds of your employees almost all the time. By using the protocol suggested by the authors you can not only find out the effect of your company’s compliance program on the employees at the bottom but you can affect it as well. 

Mike Volkov said in an article entitled, “Mood in the Middle Versus Tone at the Top” that “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management.  A company’s culture is reflected in the values and beliefs that exist throughout the company.” To fully operationalize your compliance program, you must find a way to articulate and then drive the message of ethical values and doing business in compliance with such anti-corruption laws such as the FCPA from the top down, throughout your organization. 

Three Key Takeaways

  1. How is your compliance embedded at the bottom of your organization?
  2. Use of social media can help set the tone at the bottom.
  3. A company’s culture is reflected in the values and beliefs that exist throughout the company-make certain you assess it and use that information going forward. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 29, 2017

In this episode I visit with Jonathan Armstrong on his views on the new DOJ Evaluation of Corporate Compliance Programs. Armstrong provides a detailed analysis of some of the key differences between how compliance is operationalized in the US as opposed to the UK and EU countries. He explains how the enhanced requirements for root cause analysis, risk assessments and investigations and the supplemented requirements to tie back into the ongoing compliance monitoring and updating, could run afoul of UK and EU data protection and data privacy requirements.  He also considers what a non-US company, subject to the FCPA what should look to as a best practices compliance program to best protect the organization. Finally explores just how far does all of this go? He provides on statistic that puts a huge bow on the difficulties going forward. 

For the Cordery Compliance article see the following, US Department of Justice on Evaluation of Corporate Compliance : how does it compare to UK Bribery Act 2010?

Mar 28, 2017

The Evaluation of Corporate Compliance Programs makes clear, a company must have more than simply at good ‘Tone-at-the-Top’; it must move it down through the organization from senior management down to middle management and into its lower ranks. This means that one of the tasks of any company, including its compliance organization is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization. Adam Bryant, writing in the NYT in an article entitled, “If the Supervisors Respect Values, So Will Everyone Else”; explored this topic when he interviewed Victoria Ransom, the Chief Executive Officer (CEO) of Wildfire, a company which provides social media marketing software.

Ransom spoke about the role of senior management in communicating ethical values when she was quoted as saying “Another lesson I’ve learned as the company grows is that you’re only as good as the leaders you have underneath you. And that was sometimes a painful lesson. You might think that because you’re projecting our values, then the rest of the company is experiencing the values.” These senior managers communicate what the company’s ethics and values are to middle management. So, while tone at the top is certainly important in setting a standard, she came to appreciate that it must move downward through the entire organization. Bryant wrote that Ransom came to realize “that the direct supervisors become the most important influence on people in the company. Therefore, a big part of leading becomes your ability to pick and guide the right people.”

Ransom said that when the company was young and small they tried to codify their company values but they did not get far in the process “because it felt forced.” As the company grew she realized that their values needed to be formalized and stated for a couple of reasons. The first was because they wanted to make it clear what was expected of everyone and “particularly because you want the new people who are also hiring to really know the values.” Another important reason was that they had to terminate “a few people because they didn’t live up to the values. If we’re going to be doing that, it’s really important to be clear about what the values are. I think that some of the biggest ways we showed that we lived up to our values were when we made tough decisions about people, especially when it was a high performer who somehow really violated our values, and we took action.” These actions to terminate had a very large effect on the workforce. Ransom said that “it made employees feel like, “Yeah, this company actually puts its money where its mouth is.””

Ransom wanted to make clear to everyone what senior management considered when determining whether employees “are living up to the company culture.” The process started when she and her co-founder spent a weekend writing down what they believed the company’s values were. Then they sat down with the employees in small groups to elicit feedback. Her approach was to look for what they wanted in their employees.

  • Passion: Do you really have a thirst and appetite for your work?
  • Humility and Integrity: Treat your co-workers with respect and dignity.
  • Courage: Speak up - if you have a great idea, tell us, and if you disagree with people in the room, speak up.
  • Curiosity: They wanted folks who would constantly question and learn, not only about the company but about the industry.
  • Impact: Are you having an impact at the company?
  • Be outward-looking: Do good and do right by each other.

Ransom had an equally valuable insight when she talked about senior management and ethical values. She believes that “the best way to undermine a company’s values is to put people in leadership positions who are not adhering to the values. Then it completely starts to fall flat until you take action and move those people out, and then everyone gets faith in the values again. It can be restored so quickly. You just see that people are happier.”

What should the tone in the middle be? That is, what should middle management’s role be in the company’s compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top management and consequently, they  will take their cues from how middle management will respond to a situation. Moreover, middle management must listen to the concerns of employees. Even if middle management cannot affect a direct change, it is important that employees need to have an outlet to express their concerns. Therefore your organization should training middle managers to enhance listening skills in the overall context of providing training for their ‘Manager’s Toolkit’. This can be particularly true if there is a compliance violation or other incident which requires some form of employee discipline. Most employees think it important that there be “organizational justice” so that people believe they will be treated fairly. He further explained that without organization justice, employees typically do not understand outcomes but if there is perceived procedural fairness that an employee is more likely accept a decision that they may not like or disagree with.

Employees often look to their direct supervisor to determine what the tone of an organization is and will be going forward. Many employees of a large, multi-national organization may never have direct contact with the CEO or even senior management. By moving the values of compliance through an organization into the middle, you will be in a much better position to inculcate these values and operationalizing compliance with them.

Three Key Takeaways

  1. Tone at the tops- direct supervisors become the most important influence on people in the company.
  2. Give your middle managers a Tool Kit around compliance so they can fully operationalize compliance.
  3. Organizational justice is a further way to help operationalize compliance.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 28, 2017

In this episode, we take a look at a recent speech given by NY Fed Chairman William Dudley in London where he addressed improving corporate culture. Dudley provided three recommended steps. First, a bank must decide on its purpose and core values—or, as Dudley put it, “What are you for?” Second, after this identification of purposes and values, you can measure how well the workforce is striving to achieve that purpose. Third a bank can set its incentives so employees work harder to achieve those goals. As usual, Matt and I take a deep dive into the issue of enhancing corporate culture. For more on the speech, see Matt's blog post on Radical Compliance entitled, "Great Speech About Improving Corporate Culture".

Mar 27, 2017

Under the Evaluation of Corporate Compliance Programs, Prong 2, it states:

  1. Senior and Middle Management

Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates?

This requirement is more than simply the ubiquitous ‘tone-at-the-top’ as here the Justice Department wants to see a company’s senior leadership actually doing compliance. How can senior management operationalize compliance going forward? One of the best places to start is the article from the Harvard Business Review by Professor Lynn Paine entitled, “Managing for Organizational Integrity”. Larry Thompson, former PepsiCo Senior Vice President of Governmental Affairs, General Counsel and Secretary, discussed the work of Professor Paine in citing five factors, which he believed were critical in establishing an effective integrity program and to set the right “Tone at the Top”.

  1. The guiding values of a company must make sense and be clearly communicated.
  2. The company’s leader must be personally committed and willing to take action on the values.
  3. A company’s systems and structures must support its guiding principles.
  4. A company’s values must be integrated into normal channels of management decision-making and reflected in the company’s critical decisions.
  5. Managers must be empowered to make ethically sound decisions on a day-to-day basis.

David Lawler, in his book, Frequently Asked Questions in Anti-Bribery and Corruption  boiled it down as follows “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” Lawler went on to provide a short list of points that he suggests senior management engage in to communicate the type of tone to follow an anti-corruption regime.” I had a CEO of a client, who after I described his role in operationalizing his company’s compliance program observed the following, “You want me to be the ambassador for compliance.” I immediately averred in the affirmative. The following is a list of things that a CEO can do as an ‘Ambassador of Compliance’

  • Reject a ‘do as I say, not as I do’ mentality;
  • Not just ‘talk-the-talk’ but ‘walk-the-walk’ of compliance;
  • Oversee creation of a written statement of a zero tolerance towards bribery and corruption;
  • Appoint and fully resource, with money and headcount, a Chief Compliance Officer;
  • Oversee the development of a Code of Conduct and written compliance program implementing it;
  • Ensure there are compliance metrics on all key business reports;
  • Provide leadership to middle managers to facilitate filtering of the zero tolerance message down throughout the organization;
  • Not only have a whistleblowing, reporting or speak up channel but celebrate it;
  • Keep talking about doing the right thing;
  • Make sure that you are seen providing your Chief Compliance Officer with access to yourself and the Board of Directors.

Coming at it from a different perspective, author Martin Biegelman provides some concrete examples in his book entitled, “Building a World Class Compliance Program – Best Practices and Strategies for Success”. Biegelman begins the chapter discussed in this posting with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. In this chapter Biegelman cites to a list used by Joe Murphy of actions that a CEO can demonstrate to set the requisite tone from the Captain’s Chair of any business. The list is as follows:

  1. Keep a copy of the Constitution on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
  2. Clout. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer (CCO) report directly to the Board of Directors.
  3. Make them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
  4. Sticks and Carrots. Have both sanctions for violation of company compliance and ethics policies and incentives for doing business in a compliant manner.
  5. Don’t do as I say, Do as I do. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
  6. Be a Student. Be seen at intra-company compliance training. Take a one or two day course or attend a compliance conference outside your organization.
  7. Award Compliance. You should recognize outstanding compliance efforts with companywide announcements and awards.
  8. The Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the audit or compliance committee.
  9. Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Audit Committee.
  10. Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
  11. Talk to others in your industry and your peers on how to improve your company’s compliance efforts.

Many companies struggle with some type of metric which can be used for upper management regarding compliance and communication of a company’s compliance values. One technique might be to require the CEO to post companywide emails or other communications once a quarter on some compliance related topic. The CEO’s direct reports would then also be required to email their senior management staff a minimum of once per quarter on a compliance topic. One can cascade this down the company as far as is practicable. Reminders can be set for each communication so that all personnel know when it is time to send out the message. If these communications are timely made, this metric has been met.

Three Key Takeaways

  1. Senior management must actually do compliance; walk-the-walk, not simply talk-the-talk.
  2. Use your CEO to talk about current events and how those ethical failures are lessons to be learned for your organization.
  3. CEO as Compliance Ambassador.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 27, 2017

In  this episode, I visit with Erica Salmon Bryne, EVP at Ethisphere on the 2017 World's Most Ethical Companies honorees. Erica goes into how the corporate compliance programs are evaluated, what the companies disclose to Ethisphere and how the winners consistently demonstrate compliance is good for business. Check out more information on Ethisphere's site by clicking here

Mar 24, 2017

 

In this episode, Jay and I have a wide-ranging discussion on why good compliance and is good for business. We discuss: 

  1. LRN Ethics and Compliance Program Effectiveness Report. Click here for Report.
  2. Ethisphere’s 2017 World’s Most Ethical Companies. Click here for Report.
  3. Why good compliance is good for business. See Tom’s blog post.
  4. Women in compliance: A key to organizational diversity. See article in the FCPA Blog.
  5. ECI Podcast: Engaging With Your Monitor: Best Practices from ECI’s Independent Monitor Benchmarking Group. To listen to the podcast, click here.
  6. Jay previews his weekend report.
  7. Tom previews a presentation he will give with Jenny O’Brien and Roy Snell at the SCCE European Ethics and Compliance Institute in AprilJay previews a presentation at the same event by Eric Feldman of Affiliated Monitors. For more information on the event, check it out by clicking here

Jay Rosen new contact information:

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist 

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

Mar 24, 2017

The Department of Justice Evaluation of Corporate Compliance Programs states, in Prong 10, Third Party Relationships: 

Management of Relationships – How has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties? 

If you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA violation. Now the DOJ has explicitly adopted this approach as a key determination of whether you have operationalized your compliance program. There are several different ways that you should manage your post-contract relationship. 

Relationship Manager 

There should be a Relationship Manager for every third party which the company does business with through the sales chain. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include: 

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports summarizing services provided by the Third Party;
  • Assisting the company’s compliance function with any issues with respect to the Third Party.

The Relationship Manager can be the Business Sponsor who prepared the Business Rationale discussed on Day 17. By using the Business Sponsor as the Relationship Manager, your company will further operationalize compliance by continuing to have the business unit lead the front-line relationship, communications and contact with the third party. As noted compliance commentator Scott Moritz has said, “This puts the onus on each stakeholder.”

Compliance Professional 

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such a resource. A third party may not be large enough to have its own compliance staff so any company using third party representatives should provide a dedicated resource to third parties. This will not create a conflict of interest nor are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party. 

Third Party Oversight Committee 

A Third Party Oversight Committee further operationalizes compliance. It review all documents relating the full panoply of a third party’s relationship with a company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third party who might represent a company on the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in anti-corruption compliance, this is a manner to deliver additional management of that risk. 

After the commercial relationship has begun the Third Party Oversight Committee should monitor the third party relationship on no less than an annual basis.  This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Third Party Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance.  In addition to the above remedial review, the Third Party Oversight Committee should review all payments requested by the third party to assure such payment are within the company guidelines and are warranted by the contractual relationship with the third party. Lastly, the Third Party Oversight Committee should review any request to provide the third party any type of non-monetary compensation.  

Audit

A key tool in operationalizing the relationship with a third party post-contract is auditing the relationship. You should secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a base line, any audit of a third party include, at a minimum, a review of the following: 

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

Three Key Takeaways

  1. Management of the third party relationship is the key step in determining the effectiveness of your compliance program in this risk area.
  2. By using non-compliance functions, such as the Business Sponsor or Relationship Manager you more fully operationalize your compliance program.
  3. Never forget to put a second set of eyes on all third party relationships.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 23, 2017

The Evaluation, in Prong 10, Third Part Management asks, “What was the business rationale for the use of the third party in question?” This question is one of the most basic tools to operationalize your compliance program and should form the basis of your third party risk management process. 

It is common sense that you should have a business rationale to hire or use a third party. If that third party is in the sales chain of your international business it is important to understand why you need to have a particular third party representing your company. This concept is enshrined in the FCPA Guidance, which says “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the ser­vices to be performed.” 

The Internal Revenue Service (IRS) also considers a business rationale to be an important part of any best practices anti-corruption compliance regime. Clarissa Balmaseda, a special agent in charge of Internal Revenue Service (IRS) criminal investigation, speaking at a presentation, said that the lack of business rationale to be a Red Flag, indeed the IRS views such lack of business rationale as possible indicia of corruption. With the Department of Justice; Securities and Exchange Commission and IRS all noting the importance of a business rationale, it is clear this is something you should use to operationalize your compliance program. 

But the business rationale also provides your company the opportunity to help drive compliance into the fabric of your everyday operations. This is done by requiring the employee who prepares the business rationale to be the Business Sponsor of that third party. The Business Sponsor can provide the most direct means of communication to the third party and can be the point of contact for compliance issues.

Tyco International takes this approach in its Seven Step Process for Third Party Qualification. Tyco breaks the first step into two parts, which include: 

  1. Business Sponsor - Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but business unit accountability for the business relationship and puts the onus on each stakeholder to more fully operationalize this portion of your compliance program.
  2. Business Rationale - The Business Sponsor should then articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether they will become a strategic partner or will they be involved in a one-off only transaction?

So what should go into your Business Rationale? At the most basic level, you should craft a document, which works for both you as the compliance practitioner and the business folks in your company. There are some basic concepts which include the following. You need the name and contact information for both the Business Sponsor and the proposed third party. You need to inquire into how the Business Sponsor came to know about the third party because it is Red Flag is a customer or government representative points you towards a specific third party. You should inquire into what services the third party will perform for your company, the length of time and compensation rate for the third party. You will also need an explanation of why this specific third party should be used as opposed to an existing or other third party, is such were considered. All this information should be written down and then signed by the Business Sponsor. 

Another way to think about this issue is by considering the competence of foreign business partner to provide services to your organization. Such considerations would include a review of the qualifications of the third party candidate for subject matter expertise, the resources to perform the services for which they are being considered and identifying the third party’s expected activities for your company.  More detailed inquiries include requiring the relevant business unit which desires to obtain the services of any third party to provide you with a business rationale including current opportunities in territory, how the candidate was identified and why no currently existing third party relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and if such relationship will be exclusive. 

Remember, the purpose of the Business Rationale is to document the satisfactoriness of the business case to retain a third party.  The Business Rationale should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. As explained by the Tom Fox Mantra for compliance, this means Document Document Document.    

Three Key Takeaways

  1. You should always have a business reason for using a third party which is articulated by the business folks, not compliance.
  2. A Business Sponsor is the key relationship going forward in operationalizing your compliance program through the life of the third-party relationship with your company.
  3. Always remember to Document Document Document. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 23, 2017

This episode is dedicated to the Justice Department’s Evaluation of Corporate Compliance Programs, which was released in February. In this episode, Jay Rosen and Jonathan Armstrong provide next insight. Listen to last week’s Episode 8 for commentary from Matt Kelly and Mike Volkov.   

  1. Jay Rosen, reporting from the ABA White Collar Conference in Miami, considers the view from the vendor perspective and whether the Evaluation changes a conversation about doing compliance. He reviews the requirements for ongoing monitoring, risk assessments and root cause analysis and the need for companies to explain how something might have fallen through the cracks, leading to a FCPA incident. He points out how CCOs can test a company’s compliance systems.

For Jay Rosen’s post see, Still in the Enforcement Business and Evaluation of Corporate Compliance Programs

  1. Jonathan Armstrong provides a detailed analysis of some of the key differences between how compliance is operationalized in the US as opposed to the UK and EU countries. He explains how the enhanced requirements for root cause analysis, risk assessments and investigations and the supplemented requirements to tie back into the ongoing compliance monitoring and updating, could run afoul of UK and EU data protection and data privacy requirements. He also considers what a non-US company, subject to the FCPA what should look to as a best practices compliance program to best protect the organization. Finally explores just how far does all of this go? He provides on statistic that puts a huge bow on the difficulties going forward. 

For the Cordery Compliance article see the following, US Department of Justice on Evaluation of Corporate Compliance : how does it compare to UK Bribery Act 2010?

For Mike Volkov’s posts on the Evaluation see the following:

            Under the Dark of Night, DOJ Moves the Compliance Ball;

            DOJ’s Compliance Program Evaluation: the Role of the CCO;

            DOJ’s Compliance Program Evaluation: Risk Assessment, Policies and       Procedures and Third-Party Risk Management; and

            DOJ Compliance Expectations Concerning Training, Internal Investigations and     Audits  

For Tom Fox’s posts on these topics see the following:

            New DOJ Evaluation-Valuable Document for the Compliance Practitioner,             Part I; and

            New DOJ Evaluation-Valuable Document for the Compliance Practitioner,

            Part II

 For Matt Kelly’s posts see the following:

            Fresh FCPA Guidance from the Justice Department; and

            Deeper Dive into new DoJ Compliance Guidance  

The members of the Everything Compliance panel include:

  • Jay Rosen – Vice President of Business Development and Monitoring Specialist at Affiliated Monitors. Rosen can be reached at JRosen@AffiliatedMonitors.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners around, Volkov is the Founder and Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance and former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com.
  • Jonathan Armstrong – Rounding out this distinguished panel is our UK colleague, a lawyer with Cordery Compliance in London. Armstrong can be reached at armstrong@corderycompliance.com.
Mar 22, 2017

From the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs: 

  1. Autonomy and Resources 

Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?  

Experience and Qualifications – Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?  

While the DOJ’s stated position that it does not concern itself with whether the CCO reports to the General Counsel (GC) or reports independently, but it is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, without going through the GC first. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the Evaluation comes as close to any time previously in articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line of sight authority to the Board.

With the operationalization of compliance, the DOJ wants to know if the if business unit of a company is responsible for at least a part of compliance. Put in the manner of the Evaluation, is compliance operationalized within your organization? An interesting angle is the real problem for a CCO if compliance is not embedded into the business; that problem is that the CCO simply becomes a policeman, telling the business unit what it cannot do. Or as I would say, being Dr. No from the Land of No.

Here are some questions you should consider in evaluating this prong. First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? Who can terminate the CCO; is it was the CEO, the Audit Committee of the Board or does CCO termination require approval of the entire Board? Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have requisite independence. 

Additional questions to consider are (a) Who can over-rule a decision by a CCO within an organization?  and (b) Who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Audit Committee of the Board or some other person or group? 

An evolution in thinking by the DOJ is looking at turnover rates, as this is not something the DOJ has previously focused upon. For any company which simply lays off its entire compliance function and rolls it into the legal department; how do you think that would appear to the DOJ if it came knocking to investigate a potential FCPA violation? 

Also to be considered is the compensation, both in salary and benefits paid to the CCO and compliance practitioners within an organization. In the FCPA Pilot Program, under Prong 3, Remediation, the DOJ said it would consider “How a company's compliance personnel are compensated and promoted compared to other employees”. This was carried forward in the Evaluation so you will need to consider benchmarked studies or other evidence of an appropriate level of pay for a corporate compliance function. 

Finally, what resources have been made available to the compliance function. This would include both monetary budget for operationalization but also head count resources. One might hope the days have long since pasted when companies would come into the DOJ and plead the compliance function ‘only’ had $100,000; $200,000 or you name the figure in resources; to be met with the prosecutor’s question “What was your annual spend on yellow-sticky note pads?” When the inevitable response was considerably more than the entire compliance budget, the prosecutor’s response was something along the lines of “Which is more mission critical for complying with the law?” 

Another evolution in the DOJ’s thinking was in experience and qualifications for the compliance function. In the Pilot Program, Prong 3 was the following, “The quality and experience of the compliance personnel such that they can understand and identify the transactions identified as posing a potential risk”. This has been broadened to “Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?” 

The Evaluation demonstrates the continued evolution in the thinking of the DOJ around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ talks about the independence of, coupled with resources being made available and authority concomitant with the CCO position, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations. 

Three Key Takeaways

  1. How can you show compliance really has a seat at the senior executive table?
  2. What are the professional qualifications of your CCO and compliance team?
  3. What are the resources made available to your compliance function? 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

 

Mar 22, 2017

In this episode I visit with Susan Divers from LRN on the firm's 2016 Ethics and Compliance Program Effectiveness Report. Highlights include:Why did LRN do the report? What did it hope to determine? A summarization of its key findings. Why a focus on structural elements of a compliance program is no longer sufficient. Why a check the box analysis not adequate for judging program effectiveness. Finally the new focus on on ethical culture and behavior and why answering questions around “level of trust” is so critical. For a full copy of the report, you can download it here

 

Mar 21, 2017

Prong 6, Training and Communication, of the Justice Department’s Evaluation of Corporate Compliance Programs reads, in part: 

Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training? 

Most companies have not considered this issue, the effectiveness of their compliance program. I would suggest that you start at the beginning of an evaluation and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and company Board members have attended compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program. 

One of the key goals of any  compliance program is to train company employees in awareness and understanding of the law; your specific company compliance program; and to create and foster a culture of compliance. In their book, entitled “Foreign Corrupt Practices Act Compliance Guidebook: Protecting Your Organization from Bribery and Corruption”, Martin T. Biegelman and Daniel R. Biegelman provide some techniques which  can be used to begin evaluate ethics and compliance training. 

The authors encourage post-training measurement of employees who participated. A general assessment of those trained on the FCPA and your company’s compliance program is a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training: 

  1. What does the FCPA stand for?
  2. What is a facilitation payment and does the company allow such payments?
  3. How do you report compliance violations?
  4. What types of improper compliance conduct would require reporting?
  5. What is the name of your company’s Chief Compliance Officer? 

The authors set out other metrics, which can be used in the post-training evaluation phase. They point to any increase in hotline use; are there more calls into the compliance department requesting assistance or even asking questions about compliance. Is there any decrease in compliance violations or other acts of non-compliance? 

What if you want to take you post-training analysis to a higher level and begin a more robust consideration of the effectiveness of compliance training through an analysis of return on investment (ROI)? Joel Smith, the founder of Inhouse Owl, a training services provider, advocates performing an assessment to determine ethics and compliance training ROI to demonstrate that by putting money and resources into training, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (IE., effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event such as a violation of the FCPA. Smith admits that calculating compliance ROI is very difficult as ethical and compliance behavior is an end-goal and of itself - not necessarily one that everyone feels should be subject to a ROI calculation. 

Smith noted, “it is extremely difficult to isolate the training effect to calculate what costs you avoided due solely to your ethics and compliance training. Although each organization will have a unique ROI measurement due to unique training objectives, it is possible to use a general formula to calculate ethics and compliance training ROI.” 

Smith’s model uses four factors to help determine the ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These four factors are answered through posing the following questions. 

  1. Figure out what you want to measure. Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In the FCPA, you want them to avoid non-ethical and non-compliant actions that would lead to FCPA violations. So your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures so you avoid liability related to actions. Therefore the benefit to calculate for ROI purposes is the total amount saved by the company because employees now understand not to engage in unethical and non-compliant conduct around bribery and corruption. 
  1. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. Smith believes you can get data on employee engagement through a quick post-training survey. Although this factor does not produce a quantitative number to use in the ROI calculation, it will help you isolate and qualify the training benefit. 
  1. Did employees actually learn anything? Smith believes that a critical part of any employee training is the assessment. If you want to understand the “benefit” of training employees, you must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre and post training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training. 
  1. Are employees applying your training? Smith says that for this point you will need to conduct a survey to determine employee application and their implementation of the training topics. To do so, you must conduct employee surveys to understand whether they ceased engaging in certain risky behaviors or better yet understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective. 
  1. What’s the quantitative business impact of your training? At this point you are ready to determine the numerical business impact of your ethics and compliance training. Smith has an approach he calls the “Best Guess” approach. Smith believes there are two parts to the business impact calculation: (1) the benefit calculation and (2) the isolation calculation. Smith provided five questions he would pose. 
  1. How often could a noncompliance event occur?
  2. How much revenue would be involved?
  3. What is the profit margin on the revenue?
  4. What are the other costs?
  5. What are the noncompliance hard costs? 

The next step is to isolate the benefits of training so that you properly attribute the ROI to the ethics and compliance training. To make this determination, you need to know at a minimum (1) whether employees understood the training and (2) whether employees are applying the training. This information must be compared with other factors, namely: (1) the effects of any other company initiatives involving anti-corruption, (2) employee attitudes regarding the topic and training, and (3) any business factors such as decreasing/increasing international revenue, macro-economic trends, etc. that may contribute to avoidance of a noncompliance event. From these calculations, you should then apply a percentage of the benefit to the training. Here Smith suggests 25%. 

  1. ROI: bringing it all together. Now it is time to calculate the ROI. Here I turn to the formula as laid out on Smith’s company website: “Total FCPA Noncompliance Costs Avoided - Total FCPA Training Program Costs  ÷Total FCPA Training Program Costs ($20,000) x 100=ROI”. Smith concludes by noting, “Even though calculating training benefits is often difficult and imprecise, it’s incredibly important to make an attempt to quantify training ROI” to demonstrate not only effectiveness but also “so you can show business people the incredible effect that engaging training can have on the bottom line.” 

The importance of determining effectiveness and the evaluation of your ethics and compliance program is now enshrined by the Department of Justice (DOJ) in its Evaluation. The Evaluation is the first formal step taken by the DOJ to demonstrate it wants to see the effectiveness of your compliance program. This is something that many Chief Compliance Officers (CCOs) and compliance professionals struggle to determine. Both the simple guidelines suggested and the more robust assessment and calculation laid out by Smith provide you with a start to fulfill the Evaluation but you will eventually need to demonstrate the effectiveness of your compliance training going forward.

Three Key Takeaways

  1. You must demonstrate you have measured the effectiveness of your compliance training?
  2. The DOJ is clearly moving into requiring a demonstration of effectiveness of compliance training.
  3. You should be moving towards a model of demonstrating compliance training ROI to validate full operationalization of your compliance training.

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 21, 2017

In this inaugural episode of the FCPA Compliance Report-International Edition, I have Carlos Ayres, a partner in Madea, Ayres and Sarubbi in Sao Paulo. We discuss an  interesting development from the Odebrecht corruption scandal, federal prosecutors in Brazil and ten other countries recently announced they had agreed to cooperate in ongoing investigations surrounding the company. The Odebrecht case involved bribery and corruption allegations reaching multiple countries throughout the Americas. Now reports indicate that officials from Brazil, Argentina, Chile, Colombia, the Dominican Republic, Panama, Mexico, Peru and even the notoriously corrupt Venezuela, along with the European nation of Portugal, have agreed to “start a combined task force with bilateral and multilateral investigative teams to coordinate a probe” of the company. We also discuss recent reports which indicate show companies in Brazil are taking this approach in response to the country’s more aggressive enforcement against endemic corruption in commercial businesses. This is partly in response to the allegations and investigations brought forward by Operation Car Wash and the attendant Odebrecht anti-corruption enforcement action. Jorge Abrahão, president of Brazil’s Ethos Institute, a corporate social responsibility organization said “We are witnessing a big change in Brazil—there is an understanding in society now that whoever doesn’t take the issues of corruption and transparency seriously will not have a place in the market in the future.

For More Information on these topics see my blog posts:

  1. A South American Response to Corruption
  2. Companies now doing compliance in Brazil

Carlos Ayres can be reached via email at carlos.ayres@maedaayres.com.

Mar 20, 2017

The Justice Department Evaluation of Corporate Compliance Programs states the following around training:

  1. Training and Communications

Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects?

I thought about the requirement for tailored training and how this leads to operationalizing your compliance program. Consider the current best practices to tailor your compliance training. It is through a risk ranking system of employee job duties or positions which is usually done by someone from the corporate compliance function reviewing lists of employees and then matching up their job duties, focusing on those involved in international operations which have foreign government or state owned enterprise touchpoints. Most usually it targets employees involved in sales. 

However, this type of analysis does not fully tie the calculus of FCPA touchpoints to the full panoply of the prevent, detect and remediate mandates of an operationalized compliance program. There are innumerable employees in every corporation who could be employed in the detect prong and who are generally not being engaged as a part of compliance backstop.

Typically, high-risk employees have FCPA training annually. However numerous studies have shown that more focused, indeed tailored, training can be more effective. Imagine the scenario where a high-risk employee is traveling to west Africa, which they book through the corporate travel portal. Unless the employee notifies compliance of this travel it is highly unlikely the compliance department would know about such travel.

Now imagine a corporate algorithm which could connect the dots of a high-risk employee, traveling to a high-risk country on a high-risk assignment. The current practice, in tech speak, is single-tenant software hosting, i.e. one piece of software available at a time with no continuity between corporate functions. Now envision a more multi-tenanted, Software as a Service (SaaS), approach where a company’s information is available through a single application, rather than having the information diluted through multiple applications. If a company is not using multi-tenancy, it may be hosting or supporting thousands of single-tenant information systems and cannot aggregate information across the corporate base and extract knowledge from large data sets as every corporate discipline may be housed on a different server and possibly a different version of software. This allows large and, more importantly, disparate data to be constantly fed into a single system where compliance can move more quickly and efficiently. 

Now consider our high-risk employee, traveling to a high-risk country on a high-risk assignment. When they book the travel, compliance could read the information and then deliver a tailored compliance training reminder. There need not a be referral to the compliance department who might call and ask the employee where they are going and what the business purpose, who they are meeting, etc. Communications and training would be delivered to the employee’s computer via email or other delivery mechanism. It could be as simple as a reminder about the FCPA, the company’s Code of Conduct and anti-corruption compliance program around facilitation payments. Yet it could be as sophisticated as the RESIST training which provides specific procedures to resist solicitations requests or even extortion demands, by referencing a company anti-corruption polices; its policies on facilitation payments and even corporate policies for employees. You could even add a list of potential responses such as an immediate response to the bribe-solicitor and reference to internal company reporting for assistance.

Of course, there would be an audit trail for all of this, which helps to satisfy the Document, Document, and Document component of your compliance program. Never forget the Justice Department specifically mentioned compliance reminders as one of the seven reasons Morgan Stanley received a declination back in 2012. This means when the government comes knocking you will have evidence of tailored training delivered to employees. Finally, such training also operates as internal control which helps to meet the Accounting Provisions requirement of the FCPA.

Again, consider another manner of how tailored training might be used for the traveling high-risk employees, where predictive analytics which could be used in conjunction with prior expense reports of both the employee and the region. On the personnel level, tailored training could help to determine if there were any issues around large expense reimbursements or those which might show a pattern of running up to the level where preapproval is required. Tailored training could give a wide range of statistics which would allow the compliance practitioner to operationalize compliance by considering sales expenses to determine if any issues might arise. Finally, in a continuous feedback loop, a prescription solution could then be delivered to prevent an issue arising to the level of an internal Code of Conduct violation or even a FCPA violation further operationalizing compliance. 

Three Key Takeaways

  1. Training should all begin with risk ranking of employees.
  2. Tailored training focuses on the risk for each employee and their compliance needs.
  3. Using tailored training to operationalize compliance can provide continuous feedback. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 20, 2017

In this episode Kristy Grant-Hart, author of How to be a Wildly Successful Compliance Officer joins me to debate the merits of the ISO 37001 certification. I think the process is worse than useless while Kristy believes they are a step forward. 

For our additional written commentary on this issues, see Kristy's post The top five myths about ISO 37001 exposed.

For my views in opposition, see ENI Receives an ISO 37001 Certification and ENI CEO Charged with Corruption

Mar 17, 2017

In this episode, Jay and I have a wide-ranging discussion on the intersection of culture and ethics. We discuss: 

  1. German authorities raid at VW investigation counsel, Jones Day, offices in Germany and what it may portend for FCPA investigation. See Tom’s article on the FCPA Blog.
  2. British cycling team scandal. See Tom’s article on the FCPA Blog.
  3. Uber, culture and corporate governance. See FT article, “Crisis inside the cult of Travis”.
  4. Venezuela begins to investigate PDVSA for corruption. See article in the Wall Street Journal.
  5. Federal reserve seeks lifetime ban for JPMorgan bankers who ran the illegal ‘Sons and Daughters’ hiring program. See article in the FCPA Blog.
  6. Tom reveals an exciting new podcast, the Compliance Report-International Edition, which will premier next week. The initial episode will feature Carlos Ayers on recent anti-corruption developments in Brazil and South America.
  7. Jay previews his weekend report.
  8. Tom reports on a talk about 3rd party ROI at the upcoming Third-Party Risk Management & Oversight Summit, on March 20 & 21 at the Princeton Club in New York City. Listeners to this podcast will receive a 15% discount off of the regular price of the event. To take advantage of this offer enter the Code CMP 161. For more information on the event, check out the website by clicking here

Jay Rosen new contact information: 

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist

 

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

Mar 17, 2017

Another way to operationalize compliance is to have oversight moved out into regions. Such an approach can more effectively ensure employee and third party compliance with your Code of Conduct throughout a organization by integrating compliance into every aspect of a Company’s functions and generating the necessary information to continuously improve your compliance program. Such a regional compliance committee can operate on multiple planes to fully operationalize compliance in a company, augment existing internal controls and make the company a more efficient and profitable entity.

The formation of a regional compliance committee works to operationalize compliance through the creation of more direct ownership, accountability, and valuable transparency of your compliance regime.  This moves compliance down into all levels of the company’s operations.  This approach also significantly improves consistency of compliance execution and helps to ensure that all a company’s business objectives are achieved in a legally compliant fashion. Such a regional compliance committee can advise and provide information and insights to the CCO, receive compliance information from the corporate compliance function for the relevant region regarding applicable compliance requirements, industry standards, your Code of Conduct, as well a corporate compliance program as it relates to a region. A regional compliance committee should not have primary responsibility for internal investigations can report up any known compliance issues to the corporate compliance department.

A regional compliance committee is designed to promote clear and frequent compliance-related communication on related matters throughout the region and strengthen the company’s compliance culture.  It is valuable to the overall performance of the corporate compliance program within the region. It allows compliance topics to be more thoroughly discussed at regularly occurring operational meeting they have communication structures designed to facilitate communication up the chain and down the chain; allowing the CCO to have a more direct set of ‘eyes and ears’ closer to the ground. Finally, a regional compliance committee give the compliance function greater visibility within the organization because compliance has been moved further into the middle and lower levels of the organization daily.

Authority and Responsibility

There are multiple delineated responsibilities for a regional compliance committee. Some of these responsibilities can include:

  • Assisting in identifying not only potential legal and compliance risks in the region but also reputational risks your company.
  • Establishment of goals and metrics to measure against these legal and compliance goals in the region.
  • Exercising oversight of the implementation and effectiveness of the company’s compliance program in the region. Additionally, to make recommendations to the CCO and suggest improvements to the compliance practices in the region.
  • Reviewing and monitoring implementation of your Code of Conduct in the region and assisting in the identification of best practices, alternative strategies and local initiatives to enhance the compliance program.
  • Assuring to the CCO and the senior leaders of operations that compliance goals and requirements are both established and communicated across the region.
  • Advise management of its assessment of the corporate compliance program, ethics and compliance risks in the region and steps taken to both manage and lessen such risks.
  • Reviewing the hotline complaints and other information to assure that appropriate steps are taken to modify the corporate compliance program to reduce identified ethics and compliance risks in the region.

The formation of a regional compliance committee operationalizes compliance into the region where the business operates. This sort of approach follows the Department of Justice mandate, articulated in the Evaluation for companies to move the doing of compliance down into the business of the organization. The make-up a regional compliance committee, while including legal and compliance representatives, is also populated by representatives from other disciplines within the global organization. This allows a fuller, richer and more holistic approach to not only compliance advice but reviews consistent with the Evaluation’s mandate of shared commitment by other functional disciplines within an organization.

It also adds a dimension not discussed nearly as often in the compliance profession as it should be going forward. The accountability and oversight down to the regional level and the compliance monitoring, reviewing, assessing and recommending will provide additional endorsements up through the organization that it is doing compliance. In compliance, it is execution where the rubber meets the road. This is the functional definition of operationalizing compliance.  

Three Key Takeaways

  1. A regional compliance committee works to more fully operationalize compliance.
  2. A regional compliance committee, properly staffed, evidences the shared commitment to compliance as required under the Evaluation.
  3. A regional compliance committee is a two-way communications avenue, both inbound and outbound.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 16, 2017

The operationalization of your compliance programs means how deeply is compliance integrated into the function of your company. Today, I want to consider another way to operationalize compliance through the Compliance Oversight Committee.

The Compliance Oversight Committee sits between the CCO and the Board’s compliance committee. The role of this Compliance Oversight Committee is to provide oversight and review of high risk issues such as third party approvals and renewals, requests for payments from third parties and significant gift, travel and entertainment requests from employees. This committee’s oversight demonstrates not only a shared committee to compliance as required under the Justice Department’s Evaluation of Corporate Compliance Programs but also fulfills the requirement for engaged senior management oversight as a part of a company’s management of risk.

As far back as January 2005, in the Deferred Prosecution Agreement (DPA) entered into between the Department of Justice (DOJ) and the Monsanto Company, it provided for “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or a Compliance Oversight Committee. The scope of this Compliance Oversight Committee was not fleshed out in the DPA. While many have focused on the Compliance Oversight Committee to monitor agents and other third party business representatives, the role of the Compliance Oversight Committee should be broader than simply the issues of third party agents and representatives. A major purpose of a Compliance Oversight Committee is to act as redundant backup to the books and records internal controls systems, designed to prevent and detect violations of a company’s compliance program.

It should be clear the role of the Compliance Oversight Committee is not to substitute its judgment for that of the CCO but rather to provide another level of review to make sure nothing slips through the cracks which might expose the company to unwanted risk. This can begin with a clear, written charter that sets out the functionality, goals, and parameters of the group. Moreover, the Compliance Oversight Committee should be reviewed on a periodic basis to determine usefulness and effectiveness.

To this end, the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual (2016 ed.) suggests the following language in its proposed form of Compliance Committee Charter:

The compliance officer shall have ultimate responsibility for operating the compliance program, with the support and assistance of the compliance committee. The committee shall consist of ### members, representative of each major department or area. The committee may appoint ad hoc members, each to serve at the pleasure of the committee, to assist and advise the committee in carrying out this charter. While the ad hoc members of the committee are not entitled to vote on matters formally considered by the committee, the ad hoc members shall be entitled to call a meeting of the committee and, further, to have any matter included on the agenda of any meeting of the committee. The committee shall designate the proper manner for calling meetings and the setting of agendas thereto.

Who should be on an Oversight Committee?

The Monsanto DPA provides guidance on this point by stating, “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction.” This indicates that senior management should be involved in the Compliance Oversight Committee. It also indicates that more than one department should be represented on the Compliance Oversight Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments, IT, Finance and Business Unit Operations. The bottom line is that the CCO should chair a committee of peers/senior level officers who are in a position to make decisions and marshal resources.

What Should the Oversight Committee Review?

There are a variety of approaches that a Compliance Oversight Committee can assume. It can dive down deeply ‘into the weeds’ for transactions which the company has identified as high risk. This can be the review of agents or other representatives in high risk areas or transactions in high risk countries. The Compliance Oversight Committee can use techniques such as continuous controls monitoring to identify any outliers of payments or other indicia of financial information which would warrant additional investigations. In addition to this remedial review, the Compliance Oversight Committee should review all payments requested by agents and representatives to assure such payment is within the company guidelines and is warranted by the contractual relationship with the company. Lastly, the Compliance Oversight Committee should review company sales or business development requests to provide compensation and, as appropriate, reimbursement for gifts, travel and entertainment of foreign governmental officials. 

The oversight of Foreign Business Partners is one of the key mechanisms that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the Foreign Corrupt Practices Act (FCPA). The proper structure of the Compliance Oversight Committee and its full engagement with all aspects of a company’s relationship with a Foreign Business Partner is one of the areas that the DOJ will look for in a successful FCPA compliance program.

However, it is incumbent that each Compliance Oversight Committee should be designed to review the highest risks to your organization. If your company’s highest compliance risk is third party relationships, you should focus your compliance committee resources on that issue. My recommendation is that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with any third party. While this would most necessarily focus on FCPA compliance, there should also be a commercial component to this function. The Compliance Oversight Committee should therefore review all documents relevant to the five-step lifecycle management of third parties.

Conclusion

The Compliance Oversight Committee is a key tool which can be utilized by a company to manage its risks. The books and records component of internal controls is one level of prevention and detection. The review by a Compliance Department for requests for travel for and gifts and entertainment to foreign governmental officials and the lifecycle management of third parties is also an important step in the prevention process. However, the Compliance Oversight Committee is another step which operationalizes compliance and should be employed by companies as an additional protection against any type of compliance and ethics violation slipping through the cracks to become a much larger problem down the road. Companies should implement a Compliance Oversight Committee and review the systems they have in place to detect risky conduct.  

Three Key Takeaways

  1. The Justice Department has long suggested an approach of operationalizing compliance through greater senior management oversight.
  2. A Compliance Oversight Committee allows for an increased set of eyeballs on your highest risk compliance risks.
  3. A Compliance Oversight Committee acts as another control mechanism for a best practices compliance program.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 16, 2017

This episode is dedicated to the Justice Department’s Evaluation of Corporate Compliance Programs, which was released in February. In this episode, Matt Kelly and Mike Volkov provide next insight. Next week will be views from Jay Rosen and Jonathan Armstrong.   

  1. Matt Kelly opens by considering the Evaluation as a continuation in a series of pronouncements around ‘operationalizing’ your compliance program. He discusses whether this approach consistent or different with the regulatory requirements of SEC FCPA enforcement and how would this document intersect with SEC ‘regulatory enforcement’ of the FCPA? Finally, he considers whether the Evaluation ties in at all to a control environment under either the COSO 2013 Framework or COSO ERM framework.

For Matt Kelly’s posts see the following:

            Fresh FCPA Guidance from the Justice Department; and

            Deeper Dive into new DoJ Compliance Guidance

  1. Mike Volkov discusses why the Evaluation was issued literally in the dead of night and why would the DOJ issue such a significant document with no publicity. He discusses how this might play out during an ongoing FCPA investigation with outside counsel’s interactions with the DOJ and under the Yates Memo. He considers whether the Evaluation draw anything from the Yates Memo or are they really apples and oranges and whether the Evaluation build upon the 2012 FCPA Guidance or does it supplement it.

For Mike Volkov’s posts on the Evaluation see the following:

            Under the Dark of Night, DOJ Moves the Compliance Ball;

            DOJ’s Compliance Program Evaluation: the Role of the CCO;

            DOJ’s Compliance Program Evaluation: Risk Assessment, Policies and       Procedures and Third-Party Risk Management; and

            DOJ Compliance Expectations Concerning Training, Internal Investigations and     Audits 

For Tom Fox’s posts on these topics see the following:

            New DOJ Evaluation-Valuable Document for the Compliance Practitioner,             Part I; and

            New DOJ Evaluation-Valuable Document for the Compliance Practitioner,

            Part II

For Jay Rosen’s post see, Still in the Enforcement Business and Evaluation of Corporate Compliance Programs 

The members of the Everything Compliance panel include:

  • Jay Rosen – Vice President of Business Development and Monitoring Specialist at Affiliated Monitors. Rosen can be reached at JRosen@AffiliatedMonitors.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners around, Volkov is the Founder and Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance and former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com.
  • Jonathan Armstrong – Rounding out this distinguished panel is our UK colleague, a lawyer with Cordery Compliance in London. Armstrong can be reached at armstrong@corderycompliance.com.
Mar 15, 2017

 

Today I want to explore in some detail the first Objective in the COSO 2013 Framework-the Control Environment as a path to operationalize your compliance program. This Objective lays out five steps you can take to put the responsibility on function corporate disciplines to imbue compliance into the fabric of an organization. 

A.        Control Environment 

Rittenberg said this “sets the tone for the implantation and operation of all other components of internal control. It starts with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees.” The five principles of the Control Environment object are as follows: 

Principle 1 - The organization demonstrates a commitment to integrity and ethical values.

Principle 2 - The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Principle 3 - Management establishes with board oversight, structures, reporting lines and appropriate authorizations and responsibility in pursuit of the objectives.

Principle 4 - The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.

Principle 5 - The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

Principle 1 - Commitment to integrity and ethical values 

What are the characteristics of this Principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or other baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. This requires an auditor to be able to assess if a company has the met its requirements to ethics and compliance and whether that commitment can be effectively measured and assessed.

Principle 2 - Board independence and oversight 

This Principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. There should be compliance expertise at the Board level which allows it actively manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, information, compliance communications and compliance monitoring activities. Here, the Board’s Compliance Committee must demonstrate independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function. 

Principle 3 - Structures, reporting lines, authority and responsibility 

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this Principle, you should consider all of the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this Principle requires establishment of the appropriate authority within the compliance function. You must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

Principle 4 - Attracting, developing and retaining competent individuals 

This Principle gets into the nuts and bolts of operationalizing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures and that any demonstrated shortcomings be addressed. This Principle next turns the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. You must be able to demonstrate, through compliance policies and their implementation and operationalization a commitment to attracting, developing and retaining competent persons in the compliance function and more generally employees who accept the company’s general principle of doing business ethically and in compliance.

Principle 5 - Individuals held accountable 

This is the ‘stick’ Principle. A company must show that it enforces compliance accountability through its compliance structures, authorizations and responsibilities. A company must establish appropriate compliance performance metrics, incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly a company must consider pressures that it sends through off-messaging. Finally, each employee must be evaluated in his or her compliance performance; coupled with both rewards and discipline for employee actions around compliance. This Principle requires evidence that can demonstrate to an auditor there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

The COSO formulation for internal controls is a key component for any best practices compliance program; whether based upon a FCPA formulation or another anti-corruption law, such as the UK Bribery Act. Moreover, as it probably the most utilized internal controls formulation under Sarbanes-Oxley 404(b) reporting, it should be well-known to your corporate internal controls function and therefore assessable to you as a Chief Compliance Officer (CCO) or compliance professional. In addition to the Principles articulated herein the specific Points of Focus listed in the COSO 2013 Framework can provide a roadmap for testing and evidencing your compliance program in this area. You should not fail to take advantage of it.

Three Key Takeaways

  1. The COSO 2013 Framework sets out a structure which the compliance practitioner can use to put compliance into the fabric of an organization.
  2. For any public company, using the COSO Framework will allow a full response to any SOX 404(b) inquiry by regulators or auditors.
  3. The Control Environment Objective allows for not only implementation of controls but also requires individual accountability, as is set out in the Justice Department Evaluation of Corporate Compliance Programs. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

 

 

 

1 2 Next »