Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: March, 2017
Mar 15, 2017

In this episode, Matt Kelly and I take a deep dive into a dramatic 48 hours in the life of the FCPA last week, which portends the trend of continued FCPA enforcement. It included the announcement by Kevin Blanco, acting assistant attorney general for the Criminal Division, who speaking at the American Bar Association’s annual white collar crime conference of the extension of the FCPA Pilot Program; the retort by Secretary of State Rex Tillerson to President Trump on the power of the FCPA for US companies doing business overseas, the Justice Department brief and oral argument in the Hoskins appeal where the DOJ continued to press for an expansive view of FCPA jurisdiction as originally preferred by the Obama DOJ; and finally we discuss the summary of all US attorneys by the Trump administration and Matt's proffers an interesting theory on why Preet Bharara was fired.

For more reading, see Matt's piece on Radicalcomplinance.com entitled, "FCPA: Pilot Program Extended, and Much More".

Mar 14, 2017

Under the Prong entitled “Policies and Procedures” subtexted Operational Integration, the Evaluation states: 

Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

While of the basic Watergate maxims has always been appropriate in any FCPA investigation, Follow The Money, the Evaluation takes payment systems and their internal controls several steps further past the detect and even investigatory precepts. There is not a set of “compliance internal controls” but rather internal controls permeating throughout an organization which creates their effectiveness. Today, we examine what are effective compliance internal controls and how the payroll function can assist in fulfilling those requirements. 

What are internal controls? 

What are internal controls in a FCPA compliance program? The starting point is the law itself, and as stated in the FCPA requires the following: 

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences …

The Department of Justice and SEC, in their 2012 FCPA Guidance, state, “Internal controls over financial reporting are the processes used by compa­nies to provide reasonable assurances regarding the reliabil­ity of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organi­zation regarding integrity and ethics; risk assessments; con­trol activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitor­ing.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” 

The FCPA Guidance specifies that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an organization’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences. After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk. 

Global Payroll Internal Controls 

Max van der Klis-Busink, in his Global Payroll Management Institute’s three-part series, entitled “Take Charge With a Global Payroll Control Framework”, laid out how to design, implement and then improve internal controls around global payroll. His article details how one can operationalize your payroll controls to answer the questions posed in the Evaluation.

There are several specific internal payroll controls which will facilitate a company operationalizing your compliance program, as required under the Evaluation. These controls help keep an eye on the money trail as the money to pay a bribe is usually hidden in some company expenditure. The four general areas of payroll control should include: (1) Segregation of duties; (2) Accountability, authorization, and approval; (3) Security of assets; and (4) review and reconciliation. 

To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid: 

  • Audit. Have either internal or external auditors conducted an annual audit of the payroll accuracy.
  • Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a manager more senior.
  • Change tracking log. If you are processing payroll in-house with a computerized payroll module, have a secure change tracking which will provide an audit trail.
  • Expense trend lines. This is your data and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.
  • Issue payment report to supervisors. Request supervisors review payroll summaries for correct payment amounts and unfamiliar names.
  • Restrict access to records. Prevent unauthorized access to payroll records.
  • Segregation of duties. You should never allow one person prepare the payroll, authorize it and create payments. 

The role of global payroll in FCPA compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes in violation of the FCPA must come from somewhere. Unfortunately, one of those places is out of payroll. All Chief Compliance Officers need to sit down with his or her head of payroll, have them explain the role of payroll, then you should to review the internal controls in place to see how they facilitate the goals of compliance. From that review you can then determine how to use payroll to help to operationalize your compliance program. 

Three Key Takeaways

  1. The Evaluation focuses your preventive prong on payroll, supplementing the prior focus on detection controls.
  2. You still need internal controls around payroll to ‘follow the money’.
  3. Do not forget upgrading and updating payroll controls. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 13, 2017

 

If there is one over-riding theme from the recently released Evaluation of Corporate Compliance programs it is that a corporate compliance program must be operationalized. Indeed that is the theme of this month’s series of podcasts. Another way to think about operationalization is the connectedness of compliance throughout an organization. In an article from the Harvard Business Review (HBR), entitled “How Smart, Connected Products are Transforming Companies”, by Michael E. Porter and James E. Heppelmann, focused on the new products. It provided some interesting insights into both the interconnectedness of processes and structures, which apply to the compliance practitioner going forward. I call it “connected compliance.” It provides another mechanism for you to consider in operationalizing your compliance program.

 

Process in Connected Compliance

 

Processes are being reshaped by the data which is now available and more “intense coordination among [corporate] functions is now required.” Regarding structures, the authors believe, “new forms of cross-functional collaboration and entirely new functions are emerging.”

 

Obviously compliance is a business process. Yet it should also be a continuous process. The data from a wide variety of sources should be used to track the types of risk that compliance professionals must manage. This begins with third parties. Continuous monitoring of third party watch lists seems almost pedestrian now yet many companies do not understand they have a continuing obligation to understand who they are doing business with, even after the contract is signed. Put simply, due diligence once every two years is a recipe for trouble. But this type of information should not only be limited to third parties’ in your sales business. You should also consider your exposure from your customers.

 

However, what if a large part of your company is exposed to the financial risk of a corrupt company slowing down its business? If you are in the auto supply business or even the software industry, have you considered how much of your business is at risk through your relationship with a company like Volkswagen (VW)? Most Foreign Corrupt Practices Act (FCPA) risk analysis considers corruption risks involving third parties in the sales arena or vendors that come in through the Supply Chain, now, based upon the VW, Petrobras or you name the scandal, you may need to know the corruption propensity of your  customers as well.   

Finally, connected compliance will help make people, materials, energy, plant and equipment far more productive, and the repercussions for business processes will be felt throughout the economy. The authors’ state, “We will see a whole new era of “lean.” Data flowing to and from products will allow product use and activities across the value chain to be streamlined in countless new ways.” For the compliance practitioner, waste will be cut or eliminated. Connected compliance will also allow a compliance solution to be delivered when certain thresholds are met, rather than according to a schedule. New data analytics will lead to previously unattainable efficiency improvements and allow you to do more business in compliance going forward. 

Structures in Connected Compliance 

Just as processes have evolved in connected compliance, so do structures. The classical organizational approach combines “two basic elements: differentiation and integration. Dissimilar tasks, such as sales and engineering, need to be “differentiated,” or organized into distinct units. At the same time, the activities of those separate units need to be “integrated” to coordinate and align them.” Connected compliance will have a major impact on both differentiation and integration in your company going forward.

 

This structural changes means that compliance will be integrated into diverse functional units of the company such as manufacturing, logistics and SC, sales and finance. This integration across functional units will occur through the business unit leadership team and through the design of formal processes for connected compliance with multiple units having roles.

This sounds quite like operationalizing compliance, exactly as specified by the DOJ in the Evaluation document. However connected compliance gives you the means and methods to think through how to accomplish this goal. You will have to coordinate between and across multiple functions within your organization. It will require the critical function of not only data management but also data analysis. What does it all mean?

Such an approach will require “dedicated data groups that consolidate data collection, aggregation, and analytics, and are responsible for making data and insights available across functions and business units.” Once again the compliance function is uniquely situated to be at the fulcrum of this connectedness. But more importantly, you already have this information inside your organization but most usually the compliance function does not have visibility into the data. Compliance must find the tools and processes to cut through the siloed nature of corporate information. 

It is through connected compliance that all groups within a company will become responsible for compliance. The integration of this data into compliance is still viewed as cutting edge; nonetheless companies have this data, structured within their own ERP systems. Connected compliance will allow senior management to view information to make the business more efficient and allow a company to take more risk because the risks will be managed more effectively. 

Three Key Takeaways

  1. Connected compliance is the inter-relatedness of interconnectedness of compliance processes and structures.
  2. Compliance should be ongoing and a continuous process.
  3. Compliance must use data analytics tools to cut through the siloed nature of corporate data.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 13, 2017

In this episode, I have back John Champion, one-half of the podcast duo going through every Star Trek TV episode and movie at missionlogpodcast.com. Today, I visit with John on his reflections on the 50th anniversary of Star Trek, what Star Trek was like both with and post Gene Roddenberry, our differences over the TNG episode Relics and John's upcoming conference appearance. Check out John and his partner Key Ray, each week at missionlogpodcast.com

Mar 12, 2017

In this episode, I visit with Morrison and Forrester partner James Koukios, on the firm's publication "Top Ten International Anti-Corruption Developments for January 2017.

 

Mar 10, 2017

In this episode, Jay Rosen reports live from the ABA White Collar Conference at the Fontainebleau Hotel in Miami.  In addition to providing his insights on the highlights of the conference and the buzz around the new Justice Department Evaluation of Corporate Compliance Programs document released in February, we discuss:

  1. Adam Davidson’s piece in the New Yorker Magazine entitled, “Donald Trump’s Worst Deal which looks at a Trump organization transaction in Azerbaijan which raises both FCPA and sanctions issues.
  2. The newly revamped Justice Department’s Fraud Section’s website.
  3. Highlight the rollout of the International Association of Independent Certified Monitors’ (IAICM) new website.
  4. Review the week’s FCPA related issues.
  5. Take a deep dive into the blockbuster trade announced between the Houston Texans and Cleveland Browns where the Texans sent their starting QB and a second round pick to the Browns for a fourth round pick in return (who says Texans are not great horse-traders!)
  6. Jay previews his weekend report.
  7. Tom reports on a talk about 3rd party ROI at the upcoming Third-Party Risk Management & Oversight Summit, on March 20 & 21 at the Princeton Club in New York City. Listeners to this podcast will receive a 15% discount off of the regular price of the event. To take advantage of this offer enter the Code CMP 161. For more information on the event, check out the website by clicking here

Jay Rosen new contact information: 

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist 

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

Mar 10, 2017

Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important, key step as it will allow you to have full visibility of your compliance risks through a longer life cycle. Forecasting allows you to consider your business strategy and wed the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor both the compliance risks you and detect those you do not know, on an ongoing basis. 

I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment as it is articulated as Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. From the FCPA Guidance, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the FCPA Guidance also specified the enforcement reasons for performing a risk assessment, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not pre­vent an infraction in a low risk area because greater atten­tion and resources had been devoted to a higher risk area.” The DOJ Evaluation of Corporate Compliance Programs builds on this. 

Yet as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal prophylactic, but as a business process. Seen in this light, it is clear the risk management process should begin with forecasting as it attempts to estimate future aspects of your business. Locwin noted that companies should be able to say with some degree of authority, “We think the following will happen in the next three months, six months, twelve months, twenty-four months, is really something that the businesses try to wrap their heads around in such a way that they can shunt resources where they think is appropriate in order to meet these future demands.” 

By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict for or issues which the forecasting model raised as a potential outcome which warranted a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks. 

Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Locwin said, “Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.” 

All of these three tools tie back into process management and process improvement. Locwin stated, “There’s always this balance between what’s actually important for our business or for proper execution, versus what’s actually going on in the whole process. If you’re not measuring at a high enough resolution, you’re not capturing a lot of the environmental, market force, external factors that probably are of high leverage to your operations in business that you just don’t know about.” 

Locwin tied them together with the following example, “There’s a 30% chance of this abject market failure happening, this product fails, this restaurant site contaminates people, this product doesn’t ship before Christmas, this phone explodes.” If you knew that in advance, the executive committee probably almost everywhere would say, “We have to act, and act now.” That’s where the rubber meets the road and you’ve got to forecast and a contingency in place. A lot of times, there isn’t that level of forecasting done in advance to say, “We think there’s this 30% chance of it occurring, therefore not only do we need a strong contingency plan, but we should expect to have to use it in Quarter 2. It’s right there sitting on everybody’s dashboard all the time.”

In other words, it comes down to execution. This means you have to use the risk management tools available to you and when a situation arises, you remediate when required. This is not only where the rubber hits the road but the information and data you garner in the execution phase should be fed back into process loop. From this, you will develop continuous feedback and continuous improvement. 

I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center. 

Three Key Takeaways

  1. The risk management process is an important backbone of operationalizing compliance.
  2. You should be able monitor and measure both known and unknown risks.
  3. All of these steps help a business to run more efficiently and more profitably. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 9, 2017

I continue my discussion of operationalizing your compliance program through the risk management process by considering risk-based monitoring. I continue this series based upon interviews with Ben Locwin, Director of Global R&D at BioGen and an operational strategist in pharma and healthcare, to explore risk forecast, risk assessment and risk monitoring for the compliance profession. 

Locwin said, “Risk-based monitoring is really about continuous, ongoing monitoring for those things which provide the most potential future risk to you. In other words, instead of a static risk registry that may come in part with forecasting, where you would say, “We’re trying to anticipate these risks.” By using risk-based monitoring to review issues on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.” 

The problem for many companies is they are siloed in not only their data but also in the systems. Locwin explained that because of the disparity of data systems, “They may not be tracking rigorous, quantified information all the time.” He cited to an example from the pharmaceutical world where a company could well have 50 worldwide sites where a drug product is being tested. Some patients receive a placebo and some patients receive the medication being tested. As data comes in you begin to note patterns in certain patients and groups, which might actually point towards a variety of testing errors by physicians administering the test. 

Through the use of risk-based monitoring, you can begin to see things in “almost real-time, time-based trends of real data that you can then jump on and try to make adjustments before things get really wacky.” The implications to the compliance practitioner? Having access to information around sales, the sales process and corporate largess in things from Corporate Social Responsibility (CSR) work to gifts, travel and entertainment to conferences for customers and end users. Through the use of such risked-based monitoring a compliance professional would have the opportunity see trends developing which could allow an intervention for a prescriptive solution which could prevent an issue from becoming a Foreign Corrupt Practices Act (FCPA) violation.

Yet Locwin cautioned that compliance professionals should guard against bias. In an article by Locwin, entitled “Be Careful When Appraising Industry Trends”, he stated, “Social media has rapidly accelerated the agility with which the public can change allegiance and direction. It used to be that when information dissemination was slower and more compartmentalized within regions and market segments, that the market resistance to fluctuation was more robust. Now well-placed advertising, social commentary, or public response to corporate missteps can swirl into a maelstrom of market changes within hours that is agnostic to region or market segment.” 

In today’s world, the speed at which reputational damage reigns out can overwhelm a corporation’s ability to respond. Here one might consider Wells Fargo and how fast the situation spun out of control for them after its $185MM fine was announced. It is through the use of risk-based monitoring, which allows for this almost real-time input, that a response to a forecasted, assessed or even unassessed risk can be developed. In the compliance world, such tools could be brought to bear when considering not only the expense side of such areas as gifts, travel and entertainment but also sales side data. This could be internal company data on its own salesforce and also information developed from or concerning your third-party sales team. 

In Locwin’s primary world of pharmaceutical testing and product development, the need for such real-time information can be more critical. Yet through the development of these techniques as compliance tools, the compliance profession can add value to an organization through the use of risk-based monitoring. With the plethora of data on where and how corruption is likely to occur, coupled with meaningful sales and expense data, the compliance professional should be able to move from detect to prevent to prescriptive compliance solutions to prevent legal violations.

 Finally, the beauty of all these techniques is that they are tools that can make companies more efficient and, at the end of the day, more profitable. They also move compliance into the fabric and DNA of an organization or in the terminology of the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs, operationalize compliance. The DOJ has made clear what it expects around the risk management process. You need to develop your response now. 

Three Key Takeaways

  1. Risk-based monitoring is a follow on from forecasting and risk assessments in the risk management process.
  2. Risk based monitoring can provide real-time feedback and input from your operationalized compliance program.
  3. Use risk-based monitoring to cut through corporate siloes. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 9, 2017

In this episode, I visit with New Yorker reporter Adam Davidson, who penned an article in the New Yorker which looked at a hotel deal between the Trump organization and a family of Politically Exposed Persons (PEPs) in Azerbaijan. Davidson talks about what intrigued him about the story, his reporting and most troubling, the PEPs alleged ties to funding from the Iranian Revolutionary Guard. It is a cautionary tale about major construction project in countries with a high perception of corruption, the need to understand who your business partners are and the source of their funding. The article is Donald Trump's Worst Deal.  

Mar 8, 2017

The DOJ Evaluation of Corporate Compliance Programs states:

  • Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced?
  • Information Gathering and Analysis – What information or metrics has the company collected and used to help detect the type of misconduct in question? How has the information or metrics informed the company’s compliance program?

I continue my exploration of the risk management process by focusing today on risk assessments. One cannot really say enough about the role of risk assessment in compliance programs. Each time you hear a regulator talk about compliance programs, it starts along the lines of you cannot manage your FCPA risk without first determining what your company’s risk is; and to determine that compliance risk, the process you should utilize comes through a risk assessment.

We previously considered forecasting. The differences between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict for, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As Ben Locwin has explained, “What you’re trying to do then is decide on how you would address these. Risk assessments should create your risk registry. Those items which are most consequential for your organization, whatever it happens to be.”

Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law, out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risk and you should consider a multitude of factors such as the operating procedures, processes and systems and training. Of course, the execution of that process is a critical component as well.

All these things, to some degree, should appear in a risk assessment for the organization. Meaning, at the corporate level, what happens if you change products or sell into a new geographic area which is perceived to be more high-risk? There should be a risk assessment node which has a component that notes these changes so that you can adapt as necessary. Locwin stated, “The risk assessment itself is designed to be able to elevate these, and if something does happen, the next step would be to take appropriate course of action to address any of those risks.”

An example which illustrates the differences between forecasting and a risk assessment, yet how the two are complimentary. This winter when I began purchasing hot coffee products from Starbuck, as opposed to the cold drinks I buy during the hotter parts of the year, I discovered that baristas’ no longer put sleeves on coffee cups but now require you to ask for one. The second time I had to ask for a sleeve, I inquired from the barista why I had to do so. She replied that corporate had changed the policy for environmental reasons and that she could only provide a sleeve at the specific request of the customer. When I pointed out that it slowed the line down and was much less efficient in the delivery of Starbuck’s coffee, she replied, “You're absolutely right. I hate it. Would you please email Starbucks and tell them of your dissatisfaction?”

I will let Locwin pick it up from here, “what you’ve put your finger on is the crux of the balance of forecasting versus risk assessment. They’re two very different things, but at the same time, as they weave through time, they interchange. For example, Starbucks would potentially say, “We forecast that consumers are going to be more concerned about paper use, sleeves, the economic costs to the world, of extra paper waste and things. We’re going to, in certain locations, let’s say across Texas, we’re going to pilot that we don’t give out sleeves unless they’re asked for.” In their risk assessment, which I can tell you didn’t change from that forecast, what they then should have had was a commensurate line item which said, “If consumers start to have a problem with what’s being done at these locations, our immediate contingency plan is to do the following, to strip it away immediately, full stop, so that every cup gets a sleeve, so that they’re not slowing down lines, consumers say you heard us immediately, and then the organization is back on track.”

Their forecast plans something, the risk assessment should have had countermeasures to address, and instead if they didn’t have this in place, they’re going to have to wait until they start to have a Twitter feed that blows up… The risk assessment model should say, “Then we will do the following.” Really they don’t have the capability in a lot of cases to measure the effect of this and immediately course correct. It’s probably going to be a month, two months, four months before they start to get wind of this in a consistent way to say, “Texas was dissatisfied by this change and same in our pilot in Wisconsin. Let’s stop not giving out sleeves… Then eventually that starts to dissipate and they get rid of this whole new silly paradigm.”

Locwin’s point was that your risk assessment can help to inform your response to FCPA violation, corporate crisis or even (in my opinion) the misstep of requiring Starbucks customers to ask for sleeves for their coffee purchases. In another article by Locwin, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, he noted, “knowledge is power”. He went on to add, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we’ve classified them correctly. With a good understanding of each of these, we’re in a much better position to speak about the quality of our businesses.”

Three Key Takeaways

  1. The Evaluation put renewed emphasis on risk assessments.
  2. Risk assessments logically follow and are complimentary to forecasting.
  3. The risk assessment output allows you to prioritize your response with plan funding and deliver resources in a risk management solution.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 8, 2017

The Justice Department Fraud Section recently revamped its website and it is quite an upgrade. I do not know when the Fraud Section did this update but as with the Evaluation of Corporate Compliance Programs document, it certainly was a soft launch. It appears the new site compiles several disparate sources of Fraud Section and Justice Department information into one website. Also, there looks to my eye to be some information posted on the Fraud Section website for the first time. In short, it is an excellent and most welcomed resource.

A quick review of the site has a slide show of recent Justice Department resolutions scrolling across the screen. Go down to the bottom of the screen and you will see two very interesting documents, a 2015 and 2016 Fraud Section Year in Review. The FCPA Unit section includes such information as prior enforcement actions, Opinion Releases, other anti-corruption treaties and resources. There is also a list of Fraud Section leadership.

However, the Fraud Section is made up of more than simply the FCPA unit and there are tabs for the following Health Care Fraud and Securities and Financial Fraud. Most interesting to me was the tab for the Strategy, Policy and Training Unit, which I have to admit, did not know was a part of the Fraud Section. The opening page for this Unit provides a description of its work. It is as wide ranging as international coordination and interaction with foreign prosecutors and investigators. 

This new website revamp is a most welcomed resource for the compliance community. While it may be viewed as simply a compilation of other sites and locations within the greater Justice Department website by some; I believe the vast majority of compliance practitioners will find it a most welcomed compilation and resource.

Mar 7, 2017

At its heart, every business tries to plan for its future. It is a critical aspect of any management of any organization, non-profits, privately owned for profits and, of course, publicly traded companies. It is important that management be able to set out what it opines will happen in the next three, six, twelve and twenty-four months. Noted health care process expert Ben Locwin has said this “is really something that the businesses try to wrap their heads around in such a way that they can shunt resources where they think is appropriate in order to meet these future demands. Forecasting really at its heart is an educated guess and really as much as it becomes a reliable model more so and less so a guess, is based on the quality of the input data.” It is a process through which you are attempting to “prognosticate what the future will bring to you”. Unfortunately, forecast models are only as good as the data which are put into them or the GIGO (Garbage In, Garbage Out) Principal.

Three Key Takeaways

  1. Risk management is a process and forecasting is the first step in that process.
  2. GIGO and the only constant is change.
  3. Forecasters must always remember that more than one outcome is possible.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 7, 2017

In this Part III to a three part podcast series, I visit with noted risk management expert, Ben Locwin on risk-based monitoring as a adjunct to forecasting and risk assessments. We discuss how to accomplish it and how to integrate into your overall monitoring and feedback loops. We conclude with a stitching together of the risk management process. For More Information see my five part blog series on the Risk Management Process. 

1. Forecasting

2. Risk Assessments

3. Risk-Based Monitoring

4. White Noise and Interpreting Data

5. What does it all mean?

 

Mar 6, 2017
  1. Analysis and Remediation of Underlying Misconduct

Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis? 

A root cause analysis should be a method to learn more about your business process and what went wrong so that the systems and process itself can be changed because there is a thinking in the field which basically centers around the theme of, unless you have changed the process, then you're going to keep getting similar or the same results. The process is going to deliver whatever it delivers, whether that be right, wrong, or indifferent. Until you change the process and the systems, you can basically expect that you're going to have some sort of output that is going to repeat itself over and over again. Finding blame does not necessarily help and really you want to get deeper into those root causes. The reason it is monikered “root cause analysis”, is to emphasize the need to drill down below the superficial pieces of the framework to fix, and into the things that are actually driving the outcomes and the behaviors.

Three Key Takeaways

  1. The DOJ Evaluation mandates a root cause analysis.
  2. You cannot have a culture of blame for a root cause analysis to be effective.
  3. Always remember CAPA.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 3, 2017

Jay Rosen and I dedicate the entire episode to the FUBAR surrounding the Oscar ceremony where the Best Picture award was given to the wrong picture. We consider the control failures around the incident, look at it from a compliance program perspective, consider the failures in light of the new Justice Department Evaluation of Corporate Compliance Programs and conclude with the lessons to be learned for the compliance practitioner from the entire fiasco.  

For some additional reading see, Jay’s piece on Linkedin, “David vs. Goliath; Ethics & Compliance Lessons to be Learned from the Oscars” and Matt Kelly look at the control failures and other issues in his blog post on Radical Compliance, “And the Oscar for Control Failures Goes to…”

Jay Rosen new contact information:

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

Mar 3, 2017

Yesterday I began a two-part series on the Department of Justice (DOJ’s) “Evaluation of Corporate Compliance Programs” (Evaluation) posted on the Fraud Section in February. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner.

Three Key Takeaways

  1. This DOJ Evaluation provides clear guidance on the expectations of government regulators regarding what your program should consist of, how it should be effected and where you need to go down the road. It is also a valuable teaching tool as you can lay out for your Board and senior management the clear requirements for any best practices compliance program.
  2. The document also re-emphasizes that you should listen when the DOJ communicate their expectations around compliance. Beginning with the initial public remarks of Hui Chen and comments by former Assistant Attorney General Leslie Caldwell in November 2015, through the announcement of the FCPA Pilot Program in April 2016 and subsequent public remarks by Caldwell, Sally Yates and Daniel Kahn, the DOJ has consistently articulated the need for the operationalization of a corporate compliance program. Indeed, one can draw a straight-line from Caldwell’s November 2015 remarks at the SIFMA Compliance and Legal Society New York Regional Seminar where she presented the requirements to operationalize compliance in discussing compliance program metrics.
  3. Any company which simply puts a paper program in place, whether it is certified or not, and then sits back on its collective hands, is in for a very rude awakening if it comes before the DOJ in an investigation or enforcement action. For it is in operationalization of your compliance program that the DOJ will give credit to a functioning compliance program.

 This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 2, 2017

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on operationalizing your compliance program as the questions posed are designed to test how far down your compliance program is incorporated into the very DNA and fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program over the past 18 months and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation.

Three Key Takeaways

  1. The Evaluation follows a consistent theme of DOJ pronouncement over the past 18 on to operationalize your compliance program.
  2. There is one new area with a focus on root cause analysis and risk assessments.
  3. There is a greater consideration of how the CCO is treated and viewed within an organization.
Mar 2, 2017

One event which promises to be most excellent is the upcoming Third-Party Risk Management & Oversight Summit, on March 20 & 21 at the Princeton Club in New York City. I will be attending and speaking at the event and I hope that you can join me. I have had the previously had the opportunity to do a podcast with the Event Chair, Melissa Evans, Lead Quality Systems, Supply Chain Management, Royal Caribbean Cruises (Episode 307). Today I visit with  Forrest Deegan, the Chief Ethics and Compliance Officer for Abercrombie & Fitch.

Forrest detailed How to Perform an ROI analysis of a third-party program for both the sales and supply chain side of things, drawing from his experience at A&F. He related some of the costs for getting it wrong in the short-term, along with smart money investments and cost-cutting ideas and then provided some insight into the cost-benefit analysis on A&F third-party programs.

The best part is listeners to this podcast will receive a discount to the event. You can receive a 15% discount off the regular price by entering the Code CMP 161. For more information on the event, check out the website by clicking here.

Mar 1, 2017

In this episode Matt Kelly and myself take a deep dive into SOX 404(b), what it requires and how companies comply with the reporting requirements set out in this statute. We consider the recent announcements from Congressman Jeb Hensarling to amend this section to exempt companies under the $500MM who wish to go public from its reporting requirements. We consider the corporate and audit response currently in place for 404(b) and how this response is now well embedded in not only corporate controls but also in reporting. We discuss the importance of internal controls over the time frame since the enactment of SOX and how any change may not be well received by institutional investors and private equity funders.

For a more detailed discussion, see Matt’s blog post entitled, “Tale of Sound & Fury: The 404(b) Debate”.

Mar 1, 2017

Last month, the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. The document has one clear theme that I will be exploring this month—you must operationalize your compliance program.

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen in not only helping the DOJ to understand what constitutes an effective compliance program but also providing solid information to the greater compliance community on this score.

 

Three Key Takeaways

  1. The DOJ Evaluation requires you to operationalize your compliance program.
  2. The DOJ Evaluation makes clear compliance is a business process.
  3. The DOJ Evaluation is significant for what it does not focus on, legal solutions or even legal language.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

« Previous 1 2