Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2019
May


2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: January, 2018
Jan 31, 2018

In this episode Matt Kelly and myself take a deep dive into the weeds of the recent remarks by Neomi Rao, head of the Office for Information and Regulatory Affairs (OIRA), the Administration’s top regulatory review office outlining ambitious plans for more deregulation in 2018 — including efforts to sweep independent federal agencies into her purview and to crack down on the “sub-regulatory” guidance that corporate compliance professionals consume all the time. The talk was given before the Brookings Institute and she touted the 2 for 1 kill order for new regulations the Administration heralded last year and claimed that over 1500 planned regulations had been pulled from review.

For the compliance practitioner, this may all be much ado about nothing or more simply Rao and the Administration is simply Waiting for Godot to arrive as both the SEC and regulations relevant to military, national security, or foreign policy are exempt. New regulations required by statute are exempt.is exempt from the guillotine of which Rao speaks. However, it does cause one to ponder if the 2012 FCPA Guidance and 2017 Evaluation of Corporate Compliance Programs would have been released under this new system of hari-kari.

Matt and I explore the differences be proposing to repeal two rules but not actually repeal them as those proposed repeals must go through the usual public comment and review process. We also discuss how the Administration approach hurts businesses by removing a source of practical guidance from the general public. Think about how the business community clamored prior to 2012 for specific guidance from both the SEC and Justice Department on what constituted a best practices compliance program. Finally, we consider if there is a positive effect at all for business and the American public not be given guidance by the government.

For more information see Matt Kelly’s post Regulatory Czar Eyes Agency Guidance

Jan 31, 2018

I hope you have enjoyed this 31-day series on how to design, create and implement a best practices compliance program. These blog posts and podcasts over the past 13 months will form the basis of my next book The Complete Compliance Handbook which will be published by Compliance Week in April, 2018. It will be the most up-to-date handbook for every compliance practitioner, including the most recent Department of Justice pronouncements on what constitutes a best practices compliance program, in the FCPA Corporate Enforcement Policy and the Evaluation of Corporate Compliance Programs. I know you will find it useful.

I next want to take a deep dive and exploration of the levels of due diligence. Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

Under the Evaluation of Corporate Compliance Programs (Evaluation) it states in Prong 10. Third Party Management: Risk-Based and Integrated ProcessesHow has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

The question becomes how do you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed favorably in Opinion Release 10-02. In this Opinion Release, the Department of Justice (DOJ) discussed the due diligence that the requesting entity performed. This Opinion Release sets out a clear break which every compliance practitioner should use in considering an appropriate level of due diligence to engage with your third-party risk management process or when considering the level of due diligence required on a potential business venture partner. I break due diligence down into three stages: Level I, Level II and Level III. A very good description of the three levels of due diligence was presented by Candice Tal in an article entitled “Deep Level Due Diligence: What You Need to Know”.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company; the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; a check for international derogatory electronic and physical media searches, you should perform both English and foreign-language repositories searches on the third party, in its country of domicile, if you are in a specific industry, using technical specialists you should also obtain information from sector specific sources.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English.  Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publically.” 

Further, you may need to engage a foreign law firm, to investigate the third party in its home country to determine their compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the Foreign Corrupt Practices Act (FCPA); you can use a Level III to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party?

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document Document Document all your due diligence. 

Three Key Takeaways

  1. A Level I due diligence should be only used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to clear.
  3. Level III due diligence is deep dive, boots on the ground investigation.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 30, 2018

Welcome to Episode 9 of Compliance Man Goes Global podcast of FCPA Compliance Report International Edition. In this episode, we will focus on things, which actually could kill compliance in the organization. We will explore this matter in a plain language so to say and in the simple game form. Moreover, to make the podcast handy and more appealing we attach respective illustration from the Compliance Man illustrated series, created by Timur Khasanov-Batirov. 

For those of our listeners who are not aware about our format, in each podcast, we take two typical concepts or more accurately misconceptions from in-house compliance perspective. We check out if these concepts work at emerging jurisdictions. For each podcast, we divide roles with Timur, a practitioner who focuses on embedding compliance programs at high-risk markets. One of us will advocate the concept identifying pros. The second compliance man will provide arguments finding cons and trying to convince audience that that we face a pure myth. As a result, we hopefully will be able to come up with some practical solutions for in-house compliance practitioners.

Myth #1 Absence of support from top management could kill compliance as a concept in the organization. Tim, would you agree with this statement? 

Tim Khasanov-Batirov: I think we should define whom we consider a top management and what we mean by support. If we start with a question of top management, I would think that there is no need to expect appreciation or kind attitude to compliance from everyone among senior management. It will never happen. You obviously want to have an understanding of what you have been doing among your company’s decision-makers. Still it does not lead to full support in everything a compliance officer is proposing. I believe it is about values. If key stakeholders appreciate integrity and compliance that something which really matters for compliance officer.   

 

The second question is about support. Based on my practice there is no way to have daily support from everyone in the organization. If compliance person maintains good working relations with employees from different levels of corporate hierarchy, that makes operationalization of compliance program more effective. What is your opinion, Tom? 

Tom:  A couple of things come to my mind, Tim: First and foremost, There are several key issues why top management support is more than simply critical, it is mandatory. It is senior management that sets the priority of a company and if they are not committed to compliance and ethics, everyone in the organization will understand it. I often provide the example of Regional VP who said the following: If I violate the Code of Conduct, I may or may not be caught; If I violate the Code of Conduct and am caught, I may or may not be disciplined; If I miss my numbers for two quarters I will be fired. If senior manage focuses only on numbers, that will be communicated throughout the organization. 

Yet another key issue I would like to touch upon is the question of trust. When a compliance officer is promoting a compliance initiative across the organization, they could be successful if employees embrace it. He has to demonstrate that they have being doing right thing rather than just executing corporate compliance requirements. You can achieve this result if people trust you. If there is no trust neither senior management, nor employees will support compliance. What must a compliance officer should do to get trust? Just be risk oriented, try to suggest ethical solutions to achieve business tasks, be open-minded, and feel interested in corporate processes. In other words, you must operationalize compliance to make it a part of the very DNA of your organization. You have to become a trustworthy partner in order to get the level of support required for effective execution of the corporate compliance program.   

Myth #2. Bad corporate culture can kill Compliance in the organization. Tim, will you agree with this concept?

Tim: I agree that culture of non-compliance could kill the compliance idea in the organization. I believe that no matter if it is a big corporation or a small firm the culture starts from the CEO. There is always someone in the organization who is not a fan of compliance. It is fine, unless CEO himself does not support ethics. In this case, you have no chance to survive. In our attached issue of the Compliance Man illustrated series, we have depicted challenges, which compliance professionals face. However, in my view issues like decrease of the department’s headcount or budget are something, which cannot stop compliance officer.       

Tom: I believe that strong ethical culture is a key factor for building a solid compliance program. From practical perspective, I think surveying personnel about their attitude towards integrity could give you a real picture about state of culture in your organization. Another point to mention is the necessity to understand views of managers who due to their job responsibilities pose compliance risks, those in high-risk positions. This may be heads of construction or procurement teams as they interact with governmental officials. In ideal scenario, they share your values or at least strictly follow respective compliance procedures. In the worst case your efforts in embedding compliance program could be diminished by ignorance from actors which play critical role in its effectiveness.   

Thus, as key takeaways from today discussion, which is inspired by famous Unstoppable video of Sia, I think we can mention the following:

  • A compliance officer should be ready to overcome difficulties at all stages of compliance program execution. The best way to do it is to obtain trust from key stakeholders, win minds and hearts for compliance and never give up. Just be unstoppable.

Tom Fox and Tim Khasanov-Batirov are here for you. Join us for the next episode of Compliance Man Go Global episode of FCPA Compliance Report International Edition. Let’s bust more corporate compliance myths with us.

Jan 30, 2018

We previously considered the Prong in the Evaluation of Corporate Compliance Programs which was not present in the Ten Hallmarks of an Effective Compliance Program; that being root cause analysis. This addition was also carried forward as a requirement in the Department of Justice’s new FCPA Corporate Enforcement Policy. I want to consider how you should utilize the results of a root cause analysis in remediating a compliance program. 

Under Prong 1 Analysis and Remediation of Underlying Misconduct, the Evaluation stated: 

Remediation – What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis? The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”. 

I begin with the question of who should perform the remediation; should it be an investigator or an investigative team which were a part of the root cause analysis? I put this question to well-known fraud expert Jonathan Marks, a partner at Marcum LLP who believes the key is both “independence and objectivity”. It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse.” Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

 

Ben Locwin considered it from the ‘blame’ angle, when he wrote “Simply ‘cataloguing’ and ‘assigning cause’ to a defect or error is not compliance. Compliance presumes systems and processes are designed to adhere to regulatory pronouncements. Selecting ‘human error’ from a dropdown list and assigning it as root cause means that user is accountable for having thoroughly investigated the causal factors of the error or defect, identifying and determining which root causes(s) are most likely, according to the preponderance of evidence, to have been associated with the defect. This means the person selecting the root cause has actually performed 5 Whys, fishbone diagram analysis, human factors analysis, fault tree analysis, and/or many other tools for actually determining root cause(s).” 

Locwin went on to state that it is “unlikely that the real cause of the deviation was human error, it makes sense to adopt the lean manufacturing principle of a no-blame culture. Use an error as an opportunity for elevating your company’s problem-solving processes; don’t think of it as an annoyance that must be rapidly misclassified and pushed into the deviation process black box.

This means not blaming some individuals and terminating them but actually fixing the broken compliance systems which allowed the violation in the first place.” 

As required under the Evaluation, from the regulatory perspective, the critical element is how did you use the information you developed in the root cause analysis. Literally every time when you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

 

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be repeatable, step-by-step processes, in which one process can confirm the results of another. By focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event you will have a much more robust solution in place. This is because the solution(s) are more effectively when accomplished through a systematic process with conclusions backed up by evidence. 

Three Key Takeaways

  1. An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against. 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 29, 2018

One new and different item was laid out in the Evaluation of Corporate Compliance Program, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may led to a self-disclosure or enforcement action. Under Prong 1 Analysis and Remediation of Underlying Misconduct, the Evaluation stated: 

 Root Cause AnalysisWhat is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?  

 Prior IndicationsWere there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?  

The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”. 

The site Thwink.org has defined root cause analysis as “The purpose of root cause analysis is to strike at the root of a problem by finding and resolving its root causes. Root cause analysis is a class of problem solving methods aimed at identifying the root causes of problems or events. ... The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.” 

Well known fraud investigator Jonathan Marks, has noted, has noted a root cause analysis “is a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” 

Marks also contrasted a root cause analysis with an investigation. He noted, “in an investigation we are try to either prove or disprove an allegation.” This means that in a compliance investigation you may be trying to prove or disprove certain transactions could form the basis of a corrupt payment or bribe by garnering evidence to either support or refute specific allegation or allegations. You do not assess blame and that is the point where a root cause should follow to determine how the compliance failure occurred or was allowed to occur. 

There is no one formula for performing a root cause analysis. An approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the site iSixSigma.com believes this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “5 Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.” 

Yet another approach was suggested by risk management expert Ben Locwin in an article entitled, "Human Error" Deviations: How You Can Stop Creating (Most Of) Them”. It is the “Fishbone Diagram”, also known as the “Ishikawa diagram” for its progenitor, Kaoru Ishikawa, if because it looks like the skeleton of a fish. Locwin noted that “You put the problem statement at the “head” of the fish, and the causal factor categories as the “ribs” (remember, fish have cartilage, not bone, so these categories can be adjusted to suit your needs). By having a working group list causal factors under each category, you begin to develop a visual of how many things could contribute to your main effect (the problem statement).” 

The bottom line is there are multiple ways to perform a root cause analysis. However, it is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer which is provided to you, as you might in an internal investigation. Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they're doing.”

Three Key Takeaways

  1. A root cause analysis is now required if you have a reportable compliance failure.
  2. There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.
  3. To properly perform a root cause analysis, you need these trained professionals who really understand what they're doing. 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

 

Jan 28, 2018

Your company has just made its largest acquisition ever and your Chief Executive Officer (CEO) says that he wants you to have a compliance post-acquisition integration plan on his desk in one week. Where do you begin? Of course, you think about the 2012 FCPA Guidance language which stated, “pre-acquisition due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.” You also recall that the 2012 Guidance did not have the time lines established in the previous enforcement actions involving Johnson & Johnson (J&J) and Data Systems & Solutions LLC and the Opinion Release 08-02, the Halliburton Opinion Release. Yet you do remember the FCPA M&A Box Score Summary of Opinion Release and enforcement actions regarding M&A issues.

You are also aware of the language from the Evaluation of Corporate Compliance Programs about mergers and acquisitions (M&A), which reads under Prong 11, Mergers and Acquisitions:

Integration in the M&A ProcessHow has the compliance function been integrated into the merger, acquisition, and integration process? 

Process Connecting Due Diligence to ImplementationWhat has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities? 

Yet many compliance professionals struggle with is how to perform these post-acquisition compliance integrations. An article from the Harvard Business Review, entitled “Two Routes to Resilience”, Clark Gilbert, Matthew Eyring and Richard Foster wrote about business transformation which speak directly to the compliance practitioner to help create post-acquisition integration game plan.

Anyone who has gone through a large merger or acquisition knows how terrifying it can be for the individual employee. Many people, particularly at the acquired company will be fearful of losing their jobs. This fear, mis-placed or well-founded, can lead to many difficulties in the integration process. The creation of a Compliance Capabilities Exchange process which allows “the two organizations to live together and share strengths” and will coordinate “the two transformational efforts so that each gets what it needs and is protected from [unwanted] interference by the other.” There are five steps in this process.

  1. Establish Compliance Leadership. While this may be the “simplest step but also the one most open to abuse.” The process should be run by just a few top people, the Chief Executive Officer, Chief Financial Officer and Chief Compliance Officer of the acquiring company and a similar counter-part from the acquired company.
  2. Identify the compliance resources the two organizations can or need to share. Hopefully the acquiring organization will have some idea of the state of the compliance program before the deal is closed. It may be that there is some or all of a minimum best practices compliance program in place.
  3. Create Compliance Capability Exchange Teams. In many “synergy efforts, everyone is expected to think about ways resources might be shared.” Senior leadership should create compliance teams by assigning a small number of people from both entities with the responsibility of allocating resources used in the integration project.
  4. Protect Boundaries. This one is tricky as employees from the former target may not want to move forward with the integration; for fear of losing their jobs or some other reason. There may be internal disputes as to which group may handle an issue going forward. Once again, the Leadership Team must step in and referee disputes decisively if required.
  5. Scale up and promote the new compliance program. It is important to celebrate and promote the new entity to both the acquiring company, others in the company and even external stakeholders. It is important that markets and others in the same or similar industry see this evolution and growth.

The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based your pre-acquisition due diligence and risk assessment. Moreover, the Justice Department and SEC clearly view both the pre-and post-acquisition phases of mergers and acquisitions as tied together in a unidimensional continuum. If  pre-acquisition due diligence is not possible, you should the requirements and time frames laid out in Opinion Procedure Release No. 08-02, so as was noted in the 2012 FCPA Guidance, “pursuant to which companies can nevertheless be rewarded  if they choose to conduct thorough post-acquisition FCPA due diligence.

Three Key Takeaways

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes. 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 27, 2018

In this special Supplemental edition Jay Rosen reports on Friday’s SCCE Southern California Regional Compliance and Ethics Conference. The topics he highlights are: 

  1. GDPR update by Megan Duffy and Dominique Shelton.
  2. Engaging your Board of Directors by Malissia Clinton and Dixie Johnson.
  3. How compliance training has morphed, and marketing and communication are now more impactful than training alone by Marsh Ershaghi-Hames.
  4. High risk FCPA Markets by Brian Michael, Tedra Foster and Julie Myers Wood.
  5. The networking and breadth of the attendees.
  6. Jay gives a full report on LinkedIn, review by clicking here.
Jan 27, 2018

A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.” While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners for the need to engage in robust pre-acquisition due diligence.

Under Prong 11. Mergers and Acquisitions; there were a series of queries which tied together how pre-acquisition due diligence and post-acquisition integration. Due Diligence ProcessWas the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally? 

The pre-acquisition process was then tied to post-acquisition with the following: Process Connecting Due Diligence to ImplementationWhat has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities? 

The 2012 FCPA Guidance emphasized the pre-acquisition phase and the Evaluation took a deeper dive into the need for the compliance component of your mergers and acquisition regime to begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

There are multiple red flags which could be raised in this process, which would warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breach of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny from the compliance perspective. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors level, this could present issues. From the CCO perspective, if the position did not have Board access, CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations; it could present clear red flags for further investigation.

Three Key Takeaways

  1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 26, 2018

In this episode, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

  1. The government indicts 5 KPMG partners and one former PCAOB professional for tipping the firm off from upcoming reviews of KPMG audits. Matt Kelly discusses in Radical Compliance. Francine McKenna reports in MarketWatch. Tom considers the matter in the FCPA Compliance Blog. Tammy Whitehouse asks if audit results should be restated in Compliance Week. Finally go into the weeds with Tom and Matt Kelly in Compliance into the Weeds, Episode 67.
  2. Mike Volkov suggests that CCOs renew Corporate Vows to the Chief Compliance Offi
  3. Dick Cassin considers whether employees are measuring up to the aspirations set in their corporate Code of Conduct, in the FCPA Blog. Taking a AI angle, Sam Rubenfeld reports how Accenture uses bots to bring it Code of Conduct to employees, in the WSJ Risk and Compliance Journal.
  4. Jonathan Marks write about the Board of Directors Guide to FCPA Compliance, in his Board and Fraud
  5. Is your compliance function a part of your pre-acquisition M&A team? Henry Cutter explores this issue in the Wall Street Journal Risk and Compliance Report.
  6. Eric Newcomer and Brad Stone have a terrifying yet story you cannot put down about the fall of Travis Kalanick. They report in Bloomberg Business Week.
  7. Vince Walden writes about preventing fraud, enhancing compliance using digital twins. His article appears in Fraud-Magazine.com.
  8. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program, sponsored this month by Convercent. In January, I bring together the entire year of compliance program best practices with 31 days to a more effective compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  9. Tom announces his next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 12 & 13 at Marcum’s offices in Miami, FL. More information or a copy of the agenda, or to register, will be available on my website, FCPA Compliance Report or at Marcum LLP.
  10. Join Tom at the SCCE Utilities and Energy Conference in DC on February 4-7. For registration and information click
Jan 26, 2018

One of the new areas articulated in the Evaluation of Corporate Compliance Programs was around payments and payroll. For the both the compliance professional and the corporate payroll function, there is a significant role for a corporate payroll function in the operationalization of a corporate compliance program.

It is found in Prong 4, “Operational Integration”, which is the section that includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any Foreign Corrupt Practices Act (FCPA) violation and how oversight is dedicated in your organization. The questions posed are, “Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?” This is immediately followed by an equally important set of questions, “Approval/Certification Process – How have those with approval authority or certification responsibilities in the processes relevant to the misconduct known what to look for, and when and how to escalate concerns? What steps have been taken to remedy any failures identified in this process?” Finally, the questions around payment systems are proceeded by the following, “Controls – What controls failed or were absent that would have detected or prevented the misconduct? Are they there now?” 

Taken together, these three groups of questions may not seem particularly new, innovative or even something different from what payroll currently does for an organization. However, the Evaluation, with its emphasis on the operationalization of a corporate compliance program, clearly demonstrates the role of payroll in compliance. The Evaluation requires that payroll not only form a part of any best practices compliance program but when it comes to the specific subject matter expertise (SME), payroll is on the front lines of any attempts to prevent, detect and then remediate anti-corruption compliance violations.

This means that not only can payroll be one of the compliance function’s strongest corporate allies, the role of payroll, by its nature, works to operationalize compliance. This is because to implement the appropriate internal controls around compliance, payroll must know the specific requirements of the FCPA, know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an understanding of the appropriate compliance internal controls to implement around payroll and payments.

This is most particularly true around offshore payments, which are generally defined as payments made to a location other than the home domicile of the party or the location where the services where delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people who are in payroll on this issue, they may well pick up the phone, and notify compliance when they see a request for payment in a geographic location separate and apart from one of the two standard payment venues. Those are the types of communications, when properly documented, that demonstrate your compliance program is operationalized into the fabric of the organization.

The role of global payroll in FCPA compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes in violation of the FCPA must come from somewhere. Unfortunately, one of those places is out of payroll. All Chief Compliance Officers need to sit down with his or her head of payroll, have them explain the role of payroll, then review the internal controls in place to see how they facilitate the goals of compliance. From that review, you can then determine how to use payroll to help to operationalize your compliance program.

The Department of Justice has now provided its clearest statement on how it expects a company to actually do compliance going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from FCPA violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process, which should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well suited corporate discipline to provide this first level of oversight and controls. 

Three Key Takeaways

  1. Payroll can be a key prevent and detect control.
  2. The Evaluation specified the tying of the corporate compliance function to the corporate payroll function?
  3. Offshore payments remain a key indicium for a red flag.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 25, 2018

In this episode I visit again with Rakhi Kumar, the Managing Director, Head of ESG and Asset Stewardship at State Street Global Advisors. We discuss the firm’s role in advocating for greater Board of Director Diversity. With a campaign which began with the ‘Fearless Girl” statue in Wall Street, to pushing companies in the US, UK, England, Canada and Japan to include more female candidates at the Board of Director level; SSGA continues to be a leading advocate for a wide variety of Board level ESG issues. 

We discuss Kumar’s role as an asset manager for SSGA, why Board’s should seek both racial and gender diversity and the results SSGA has seen to-date. She also discusses five questions laid out by SSGA State Street President and COO Ron O’Hanley, for companies to use in thinking through how to improve gender diversity at the Board level. He gave this information at a speech to the fourth biennial Breakfast of Corporate Champions hosted by the Women’s Forum of New York on November 14, 2017. 

First, are you assessing unconscious gender bias in the director search and nomination process? And if you think your company is the exception on this issue, you probably haven’t spent enough time examining it. 

Second, are your companies actively assessing the current level of gender diversity within your management ranks? It’s not only about the board. Are you keeping diversity metrics around the percentage of new hires, managers and executives? 

Third, are you acting on those metrics? Are you establishing goals to enhance gender diversity on the board and within senior management? Are you tying those goals to business scorecards, performance and other key metrics? 

Fourth, do you have “diversity champions” on the board and within management? I don’t mean token figureheads — but leaders who are engaged on this issue and who support the initiatives to meet these goals. 

Fifth, is gender diversity something your company actively communicates about to employees, shareholders and the broader public? The conversation about gender diversity in the boardroom shouldn’t be confined to the boardroom. 

For additional information on SSGA’s Board gender diversity efforts, see the following: 

SSGA Report: Q3 Stewardship Activity Report 

Expanding the Call for Board Gender Diversity, speech by Ron O’Hanley

SSGA White Paper: Gender Intelligence: Bridging the Gap with Research, Science and Relevance

Jan 25, 2018

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance (Guidance), under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program (Hallmarks), the focus was articulated by the title Oversight, Autonomy, and Resources. When it came to the corporate compliance function the Guidance simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). The Evaluation made the following query about the CCO position: 

  1. Autonomy and Resources 

Compliance Role – Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (e.g., Legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred?  

Empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?  

Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?  

The Evaluation added one new set of queries based upon the evolution of corporate compliance programs since 2012. 

Outsourced Compliance Functions – Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed? 

In the Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program:

  1. The resources the company has dedicated to compliance;
  2. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  3. The authority and independence of the compliance function and the availability of compliance expertise to the board;
  4. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
  5. The reporting structure of any compliance personnel employed or contracted by the company.

Funding and Resources

You will now have to justify your corporate compliance spend. This means at a minimum you will have to meet some general industry standard. If a corporation tries to low-ball both the pay to compliance professionals and the dollar and head count made available to a compliance function, it will not be viewed positively. Also noted in the Evaluation, a company must be prepared to defend any request for compliance resources which are turned down. Now such blanket management will be penalized.

Role of Compliance and Empowerment

More than simply throwing money at the compliance function (as if that would ever happen) the DOJ is now inquiring into how the compliance and its recommendations are treated. If there is business unit over-ride of compliance decisions, there must be an auditable decision trail. This, of course, is anathema to corporate executives who do not want to put themselves at risk.

Outsourcing of Compliance

This area of compliance practice has arisen largely since the articulation of the Hallmarks in the Guidance. While this might make sense from a cost perspective, it can be largely problematic if it is not managed properly. Rarely do outsiders have the same access as corporate employees, particularly a function as important as compliance. Here a company must not only have a rationale in place, which will largely be cost-savings; a company must also have a mechanism in place to assess, on an ongoing basis, any outsourced compliance function. This will be beyond the reach of probably 99% of the companies engaged in such outsourcing.

The Evaluation and Policy both demonstrate the continued evolution in the thinking of the DOJ around the compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically and the compliance profession more generally. The more the DOJ talks about the independence of, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.

Three Key Takeaways

  1. How is compliance treated in the budget process?
  2. Has your compliance function had any decisions over-ridden by senior management?
  3. Beware outsourcing of compliance as any such contractor must have access to company documents and personnel.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 24, 2018

The role of the Chief Compliance Officer (CCO) has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program, the focus was articulated by the title of the Hallmark, Oversight, Autonomy, and Resources. In it the 2012 FCPA Guidance focused on the whether the CCO held senior management status and had a direct reporting line to the Board; stating “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors.”

This Hallmark was significantly expanded in both the Evaluation of Corporate Compliance Program (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). Over the next two blog posts, I will be considering how the Department of Justice (DOJ) has increased the prestige, authority and role of both the CCO and corporate compliance function.

The DOJ’s Evaluation of Corporate Compliance Programs, made the following query about the CCO position: 

  1. Autonomy and Resources 

Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions? 

 Autonomy Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How often do they meet with the board of directors? Are members of the senior management present for these meetings? Who reviewed the performance of the compliance function and what was the review process? Who has determined compensation/bonuses/raises/hiring/termination of compliance officers? Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence? 

In the Policy, the DOJ laid out additional factors around CCO authority: 

  1. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  2. The authority and independence of the compliance function and the availability of compliance expertise to the board;
  3. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
  4. The reporting structure of any compliance personnel employed or contracted by the company.

There is a new requirement for compliance “independence”. The DOJ has not taken a position on whether a General Counsel (GC) can also be the CCO. However, this new language would seem to signal the death knell for the dual GC/CCO role. It may also signal the larger issue that the CCO should have a separate reporting line to the Board, apart from through the GC. While the DOJ’s stated position that it does not concern itself with whether the CCO reports to the GC or reports independently, it is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly not via the GC. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the Evaluation comes as close to any time previously in articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line of sight authority to the Board.

The Evaluation and the Policy build upon the 10 Hallmarks of an Effective Compliance Program and demonstrate the continued evolution in the thinking of the DOJ around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ talks about independence, coupled with resources being made available and authority concomitant with the CCO position, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance positions in their organizations.

Three Key Takeaways

  1. How can you show compliance really has a seat at the senior executive table?
  2. What are the professional qualifications of your CCO?
  3. Does your CCO have true independence to report directly to the Board of Directors? 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 24, 2018

In this episode, I visit with Andi Simon, the Principal of Simon Consulting and author of On the Brink: A Fresh Lens to Take Your Business to New Heights. Simon is a corporate anthropologist and works with corporations to improve culture and effect change. In this episode we discuss how Simon’s background gives her a unique insight into corporate culture and how that insight informs the work of Simon Associates. She discusses why she wrote On the Brink and how leaders can use it to effect cultural change, bring businesses greater success and drive profits. Andi details her six steps for changing culture in an organization.

Simon noted that “In a corporate setting, leaders espouse values, beliefs and expectations so people know what to do and how to get it done. Everything is fine until something begins to change and that culture must change, too.” Simon suggests any business facing the need for a culture change should try these six steps:

  • Step 1:Ask what your culture is today. Simon suggests thinking about what you value in terms of six key areas: dominant characteristics; organizational leadership; management of employees; the glue that holds the organization together; strategic emphases; and criteria of success. 
  • Step 2: Ask what it should be tomorrow? Consider what you want your culture to become. Should it be less controlling and more empowering? More results oriented or more collegial? Do rules “rule” or are you open for new ideas and empowered staff members?
  • Step 3:Tell a story. With you staff, tell a story about what the culture is today. “Let them all create a visualization of how you get things done now,” Simon says.
  • Step 4:Visualize tomorrow. What will tomorrow’s culture feel like? How will you get things done? Will people be enabled to make decisions and risk making mistakes? “Frame this with stories,” Simon says. “They are how the brain takes data and makes sense out of it.” 
  • Step 5:Create pilot experiments. Through these experiments you can get people to see how the new culture is actually going to feel when they live it. “Set up some small win situations for your folks to test it out,” Simon says. “Think of this as if it is improvisation with good rehearsal time. You are asking people to change what they value, their beliefs and their behaviors. That’s not easy and it’s full of risk.”
  • Step 6:Celebrate. People need symbols and they need to celebrate and share experiences. “You need to seriously think about which rituals you will no longer do and which new ones you will introduce,” Simon says. “Be careful, though. Things that didn’t seem important can be very sacred to people when you are taking them away.”

Andi Simon, author of On the Brink: A Fresh Lens to Take Your Business to New Heights, is a corporate anthropologist, award-winning author and trained practitioner in Blue Ocean Strategy® (www.simonassociates.net). She is the founder and CEO of Simon Associates Management Consultants, designed over a decade ago to help companies use the tools of anthropology to better adapt to changing times. Simon also is a public speaker and an Innovation Games facilitator and trainer. 

Jan 24, 2018

In this episode Matt Kelly and I take a deep dive into the absolutely stunning indictment of five former partners or employees of KPMG and one former employee at the Public Company Oversight Accounting Board (PCAOB). Last spring, KPMG dismissed the following: David Middendorf, KPMG’s then-national managing partner for audit quality and professional practice, Thomas Whittle, KPMG’s then-national partner-in-charge for inspections and David Britt, KPMG’s banking and capital markets group for lured the following former professionals from the PCAOB: Brian Sweet, Cynthia Holder and Jeffrey Wada, all certified public accountants with promises of jobs at the accounting firm in exchange for stolen information. Sweet did not make the cut was not hired.

Apparently these three were offered jobs if they provided KPMG with information on the PCAOB’s planned reviews of certain KMPG audits of specific public companies. The six were charged with conspiracy and wire fraud, alleging they repeatedly used stolen confidential regulator information to subvert KPMG’s regulatory inspection process. Even more troubling is the report that Middendorf, Whittle and Britt pressured Holder and Wada to continue providing the information or their jobs were in jeopardy.

All of these six are now facing criminal indictments. We explore what all of this might mean for KPMG, the PCAOB and the SEC. Can KPMG audits be trusted going forward? What type of culture existed that allowed this type of behavior to occur and continue for over two years before it was internally reported. Who else at KPMG knew or should have known about this conduct? What audits are now suspect? What happens if KPMG is found guilty at trial or accepts a guilty plea? Can it continue to perform audits?

Turning to the PCAOB, does it have a revolving door problem? Should it prevent its professionals from going to auditors? How does it assure such confidential information does not walk about the door? For SEC, what is the appropriate sanction against KPMG given the senior partner involvement? Is the SEC investigating other audit firms?

For more reading see Matt Kelly’s blog post Six Charged in PCAOB Inspections Leak

For additional reading see Francine McKenna’s article in MarketWatch KPMG indictment suggests many who weren’t charged knew regulator data was stolen

Jan 23, 2018

In this episode I visit with Damon Brenner, partner at Control Risks on the 2018 Control Risk Map. He details some of the company’s findings in the document entitled RiskMap 2018. Jonathan Wood, Director at Control Risks will present to the Greater Houston Business and Ethics Roundtable on the Risk Map this coming Thursday, 25th January, from 8-10 AM at the offices of Marathon Oil, here in Houston. For more information click here.

It is one of the definitive forecast of political and security risk across the globe in the coming year. The top five listed risks for 2018 were: 

  1. North Korea - While Control Risks believes war on the Korean peninsula is unlikely, the paths of escalation are clear, de-escalation is harder to plot. The search is on for the least bad option, but it’s not clear what that is. The risks of miscalculation and accidental escalation are the highest they’ve been since North Korean leader Kim Jong-un assumed power.
  2. Large scale cyber-attacks targeting infrastructure - 2017 was the year of large-scale but random disruptive attacks. Control Risks believes that 2018 will see the likes of WannaCry, NotPetya and BadRabbit recur, but in a more powerful, targeted and disruptive manner. National infrastructure systems are particularly at risk.
  3. Protectionism policy of the Republican administration - Control Risks believes there is a low likelihood but if does occur, it will likely be a high impact, but the threat is there: in a year of mid-term elections, NAFTA negotiations fail to make enough headway, the administration pulls the US out of NAFTA and the WTO, and goes after China on trade, causing profound disruption to international commerce.
  4. The big power rivalry in the Middle East - Control Risks believes that across the region, the combination of an ambitious Saudi Arabia and assertive Iran informs and inflames conflicts and enmities in Syria, Lebanon, Iraq and Yemen and between Israel and the Palestinian Territories. Control Risks does not believe these two countries will go to war.
  5. Personalized leadership - Astride the business risk landscape is a collection of assertive world leaders who rely on nationalism and, to varying degrees, populism. Prone to capricious decision-making, they find foreign companies convenient targets. More than ever, knowing the mind of the person at the top is essential.

Each of these areas has full reports dedicated to them and available for download. Further, the Risk Map is broken down by region. The main map covers the countries of the world and provides regional nuance within and across national borders. The Maritime, Kidnap and Travel Risk maps give further insights into Control Risks areas of specialist expertise. In short all of this information is available for any compliance professional for use in helping to assess your annual risks going forward. It is a visual, data and information feast for anyone interested in global risk, in a wide variety of areas.

If you are in the Houston area, the Greater Houston Business and Ethics Roundtable (GHBER) is privileged to have Control Risks present its 2018 Risk Map at our first meeting of the year, this coming Thursday, 25th January, from 8-10 AM at the offices of Marathon Oil, here in Houston. Our presenter will be Control Risks Director, Jonathan Wood, the author of the White Paper on the Number 1 listed risk of the Global Powder Keg, including North Korea. Wood leads Control Risks’ Global Issues practice, on global political, operational, security and integrity risks to multinational organizations in the oil and gas, mining, insurance, financial services, retail, construction and technology sectors. His subject matter expertise encompasses geopolitics, global governance, economic development and transnational security issues. He leads Control Risks’ analysis of transnational terrorism, single-issue direct action, and geopolitics. In short, Wood knows his stuff and he can further educate all who attend the GHBER meeting.

If you are in Houston, I hope you can join us. The information Control Risks makes available is worth it. For more information on the GHBER meetings, featuring Jonathan Wood of Control Risks, go the GBHER website.

Jan 23, 2018

One of the critical elements found in the Evaluation of Corporate Compliance Programs (Evaluation) is the need to use the information you obtain, whether through risk assessment, root cause analysis, investigation, hotline report or any other manner to remediate the situation which allowed it to arise. In an interview with Matt Kelly on the Radical Compliance podcast, former Department of Justice (DOJ) Compliance Counsel Hui Chen has said about the Evaluation, “We wanted people to see that we put a lot of emphasis on evidence and data. Don’t just tell us that you have a hotline. Show us how you know it’s working and how you’re using the information that you gain from these hotlines. When you say you have a great compliance portal, don’t just show us screenshots of it. Show us the hit rates and how you use that data to help you refine how you communicate with your audience.”

The same was true for the requirement of strong leadership by senior management and tone from the top. Chen related, “If you tell us you have a strong, talented top, show us what concrete actions your leaders have taken personally to demonstrate that. It’s not just some words that they say” but show the evidence. (Here please note the three most important things in compliance still matter: Document, Document, and Document).

Chen emphasized the Evaluation is not simply to be used or even considered as a checklist. It is designed to have Chief Compliance Officers (CCOs) and compliance professionals think about their compliance programs by asking questions. She explained, “Questions invite people to think. I like to call them evaluation questions. My goal is really to get people to really think about what they’re doing, what is the goal they’re trying to accomplish, how are they going to measure the results, how do they know it’s working. I’m a big fan of asking questions. The result of that, I’m hoping is that people really get to think about what they’re doing and why they’re doing it and how do they know that they’re successful at it.”

The Evaluation stated, under Prong 9 Continuous Improvement, Periodic Testing and Review, the following:

Evolving UpdatesHow often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? 

One of the questions for the compliance practitioner is how to put into practice these requirements laid out in the Evaluation and expounded on by Chen in her remarks about it. It was detailed in a chapter in an eBook, entitled “Planning for Big Data - A CIO’s Handbook to the Changing Data Landscape, by the O’Reilly Radar Team. The chapter was authored by Alistair Croll, entitled “The Feedback Economy. Croll believes that big data will allow innovation through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using it to make your business more agile, efficient and profitable is the greatest advantage.

Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the CCO, this means that if your company can collect and analyze information better, you can act on that information faster.

Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in the data; “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.

The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud.

A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.”

Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.”

Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” However, for many business leaders, displaying the data is most difficult because it is not generally in a readable form. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments.

Of course, having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment evaluations around hiring and firing decisions, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. It advocates “fast, iterative learning.” Big data allows you to make a quicker assessment of the impact of measured risks.

Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”.

Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you, should facilitate a more agile and directed business. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does.

The bottom line for every CCO is that your compliance is dynamic not static. You must continually review, refine and update your compliance program based upon new information made available to you. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does. 

Three Key Takeaways

  1. Innovation can come through a new way to think about and use data going forward.
  2. The OODA loop stands for observe, orient, decide and act.
  3. Always remember with machine learning and analysis, there is no substitute for human eyes and ears.

 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 22, 2018

In the Evaluation, Under Prong 9 Continuous Improvement, Periodic Testing and Review, it stated “Control TestingHas the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? 

Fortunately, the COSO 2013 Internal Controls Framework considered assessing compliance internal controls. In its Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured post. First, each of the five components are present and functioning. Second, are the five components “operating together in an integrated approach”. One of the most critical components of the COSO Framework is that it sets internal control standards against those which you can audit to assess the strength of your compliance internal controls. 

As the COSO 2013 Framework was designed to apply to a wider variety of corporate entities, your audit should be designed to test your compliance internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of compliance internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies that you may turn up and whether or not there are any compensating compliance internal controls. (3) Assess whether each principle of your compliance internal controls is present and functioning. The task here is determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis.

Another way to think through the approach is through a component evaluation which rolls up the results of the component’s principle evaluations and allows a re-evaluation of the severity of any deficiency in your compensating controls. Lastly, an overall Effectiveness Assessment that would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went onto define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For objective criteria such as written policies in categories as laid out in the FCPA 2012 Guidance, (the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments), if you do not have such controls; it would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.” Fortunately such a standard is easily met. 

However, if there are no objective criteria, as laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, Document feature is critical in any best practices anti-corruption or anti-bribery compliance program. With the Illustrative Guide COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the SEC comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions.

Three Key Takeaways

  1. An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 22, 2018

Today I visit with James Shields, the Creative Director for Twist and Shout Communications, a UK company which creates training video using comedy as the touchstone. You can check out a selection of the company’s offerings on its sight, Tuesday’s with Bernie. I visit with Shields about the creative process his company uses, how comedy can translate across a wide variety of cultures and language to be an effective training tool. The company has found that comedy generates a visceral reaction, a reaction based on feeling rather than intellect. Because of this reaction, employees are more interested and more engaged in compliance training; all of which makes it more effective. 

The company believes that both culture and behavioral change is an emotional process, not just ‘training’, and internal communication done properly can change a culture. Whether the subject is as dull as anti-corruption compliance or as fundamental as transformational change in the business, comedy will make employees sit up and take notice. They believe that by focusing on humor, the training will help break down both the individual training against compliance training as well as work to strengthen the overall corporate culture.

But more than simply stand-alone videos, the company seeing compliance training as a process. From the creative side the process includes an integrated story line which will engage employees, third parties and other relevant stakeholders. Shields also believes that putting comedy into context is important – the audience needs to relate to what they are seeing on screen so the environment and characters should feel familiar. That is when the message feels authentic and resonates much more strongly.

Finally Shields and the company have put together an entire training campaign structure. Why don’t you think about your training like you would a movie or other marketing campaign. They lay it out in White Paper entitled, “Engaging the YouTube Generation which you should definitely check out.

Jan 21, 2018

Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs which listed three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each was category further refined with multiple attendant questions.

Internal AuditWhat types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?

Control TestingHas the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? 

Evolving UpdatesHow often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? 

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. 

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complimentary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 20, 2018

There is nothing like an internal whistleblower report about a FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check.

The DOJ Evaluation of Corporate Compliance Programs focuses on this question in Prong 7 with the following: Response to InvestigationsWhat has been the process for responding to investigative findings? You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. Russ Berland, the Chief Compliance Officer at Dematic Inc., has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

You need to explain the costs to the Board and senior management. The bottom line is that your return on investment here is going to be very high if you put the resources into remediation and it do this well. This is easier with the information that was provided in the 2017 FCPA Corporate Enforcement Policy as it demonstrated how much discount a company can receive below the minimum range of the US Sentencing Guidelines for remediation.

Dan Chapman, former CCO at Parker Drilling and Cameron International, also believes that costs must be adequately discussed to set proper expectations. These include both direct and, even more importantly, indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management, because “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.”

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had clear policy.” The same types of arguments come into play in areas generally considered the purview of Human Resources (HR), i.e. recruiting and retention.

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because, “you’re just going off suppositions and guesses.”

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed.

Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the 2017 FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated, or, as Berland notes, “When you’ve got the energy, use it.”

Three Key Takeaways

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. How do you deal with the dreaded ‘where else’ question?

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 19, 2018

In this episode, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

  1. Are CCOs at risk? Indeed is should the entire compliance industry be running for cover. Adam Dobrik explores explore in GIR. Court Golumbic explores in “The Big Chill”: Personal Liability and the Targeting of Financial Sector Compliance Officers” in the NYU Compliance and Enforcement Blog.
  2. Tom and Mike Volkov argue the new FCPA Corporate Enforcement Policy has ended, once and for all, the debate around amending the FCPA to add a compliance defense. See Tom’s article in Compliance Week Magazine and listen to Mike Volkov’s podcast.
  3. The FCPA will be with us for years to come, argues Jaclyn Jaeger in her Compliance Week piece, “How the FCPA withstands the test of time
  4. Teva Pharmaceuticals resolves bribery case with Israel authorities. Chiam Gelfand reports in a guest post on the FCPA Blog.
  5. Ben DiPietro considers whether AI will have machine executable rules, in the Wall Street Journal Risk and Compliance Report.
  6. Roy Snell publishes a heartfelt letter to retiring Pat Kelly, the FBI Integrity and Compliance Officer in the SCCE Blog.
  7. Matt Kelly explore the salary misconduct penalty in two posts on his Radical Compliance blog, The Salary Penalty for Misconduct and More Thoughts. Matt & I explored the issue on the most recent episode of Compliance into the Weeds.
  8. Jonathan Marks explains why skepticism is an auditor friend in Skepticism – a Weapon to Fight Fraud in his Board and Fraud blog.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program, sponsored this month by Convercent. In January, I bring together the entire year of compliance program best practices with 31 days to a more effective compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Tom announces his next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 12 & 13 at Marcum’s offices in Miami, FL. More information or a copy of the agenda, or to register, will be available on my website, FCPA Compliance Report or at Marcum LLP.
  11. Join Tom and Dun & Bradstreet CCO Louis Sapirman for a SCCE Webinar on 360-Degrees of Compliance Communication. Registration and information is available here.
  12. Jay is too worried about Tom Brady’s hand to get out a weekend report. Should he be? Jacob Feldman reports in Sports Illustrated.
  13. We preview this week’s NFL playoffs.
Jan 19, 2018

Focusing on investigations under Prong 7 in the Evaluation it stated, Properly Scoped Investigation by Qualified PersonnelHow has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? Moreover, with the advent of the SEC Whistleblower Program, courtesy of Dodd-Frank, it is imperative that a company quickly and efficiently investigate all hotline reports. This means you need an investigation protocol in place so that the entire compliance function is on the same page and knows what to do.

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hot-line, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the Compliance Department to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, the SEC considers a variety of factors around giving credit to corporate investigations including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

In a presentation by Jay Martin, Vice President, Chief Compliance Officer (CCO) and the Senior Deputy Counsel for Baker Hughes Incorporated and Jacki Trevino, Senior Consultant, Advisory Services at SAI Global entitled, “FCPA Compliance Best Practices: Success Stories of Robust and Effective Anti-Corruption Compliance Programs in High Risk Markets” they discussed the specifics of an investigation protocol.

Step 1: Opening and Categorizing the Case. This first step, to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. Step 1 should be accomplished in one to three days after the allegation comes into compliance.

Step 2: Planning the Investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, this should also be planned out at this time. Step 2 should be accomplished with another one to three days.

Step 3: Executing the Investigation Plan. Under this step, the investigation should be completed. Step 3 should be accomplished in one to two weeks.

Step 4: Determining Appropriate Follow-Up. At this step, the preliminary investigation should be completed and you are ready to move into the final phases. This group would decide on the appropriate disciplinary steps or other actions to take. Step 4 should be completed in one day to one week.

Step 5: Closing the Case. Under this final step, communicate the investigation results to the stakeholders and complete the case report.   

Three Key Takeaways

  1. A written protocol, created before an investigation is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 18, 2018

In this episode, the top compliance roundtable podcast is back with a look at some of the top FCPA, compliance and data privacy/data security issues from 2017 and how they inform what will be the top such issues in 2018. 

  1. Jay Rosen considers the new Justice Department FCPA Corporate Enforcement Policy and what it will mean for compliance practitioners and compliance programs in 2018 and beyond. 

For Jay Rosen’s post on the new FCPA Corporate Enforcement Policy, see the following:

Jay Rosen’s Most Significant FCPA Event from 2017 - FCPA Corporate Enforcement Policy (or a 5 Min History of How We Got From There to Here)

  1. Jonathan Armstrong looks a fascinating couple of cases working their way through the English courts, the Morrison and Carphone Warehouse cases. They each have very interesting angles including the reliability of audit staff, liability of the employer for an employee’s criminal and individual criminal liability in the data breach situation.

For Cordery Compliance’s posts touching on these cases, see the following:

Client Alert: Morrisons Data Breach Litigation Succeeds

Client Alert: Carphone Warehouse fined under data breach

  1. Matt Kelly returns to his vendor management soapbox to explore the intersection of FCPA compliance and data security. He considers some of the top data security breaches of 2017, the SEC response from the regulator perspective and most importantly the business response, both up and down the Supply Chain.

For Matt Kelly’s post on this topic, see the following:

Microchip Meltdowns and Vendor Risk

  1. Tom Fox sits in for Mike Volkov this week. Tom discusses the continued internationalization of anti-corruption investigations and enforcement which began in earnest in 2016. He details some of the notable cases, including the Rolls-Royce matter, Keppel Offshore, SBM Offshore and the Telia case and explores what these enforcement actions may portend for compliance practitioners and compliance programs going forward. 

For Tom Fox’s post on the continued internationalization of anti-bribery/anti-corruption enforcement, see the following: 

DOJ-Aggressive International Anti-Corruption Enforcement to Continue

Rants follow at the end. 

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
Jan 18, 2018

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward.

Internal Reporting

The 2012 FCPA Guidance had as clear, concise and short a statement about hotlines as any other requirement found in Ten Hallmarks of an Effective Compliance Program. It stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”

The Evaluation reinforced this language with the following found under Prong 7, Confidential Reporting and Investigation, Effectiveness of the Reporting MechanismHow has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information? 

But more than simply hotlines, companies have to make real efforts to listen to employees. But you must spend time working on this issue. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.

What are some of the best practices for a hotline? I would suggest that you start with at least the following:

  1. Availability-your reporting mechanism can be easily accessed by your entire employee base. This may require more than one tool, such as telephone report, internet reporting and other mechanisms.
  2. Anonymity-there must be a manner to make reports anonymously if the reporter so desires.
  3. Escalation-you must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.
  4. Follow-Up­-there must be a sufficient follow up protocol to make sure any reported events is receiving the warranted attention. There should also be a way to deep the incident reporter informed as to the progress of the matter within your investigative protocol.  
  5. Oversight-there should levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.

In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

Triaging Claims

Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. One of the things that this is important in making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make the decision going forward. You can do this through a robust triage process.

Jonathan Marks, a partner at Marcum LLP has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, what will be the types of evidence you will need to consider going forward. Finally, before selecting a triage solution you should understand what tools are available, including both forensic and human, to complete the investigation.

Three Key Takeaways

  1. The DOJ and SEC put special emphasis on internal reporting lines.
  2. Test your hotline on a regular basis to make sure it is working.
  3. Have an investigation protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.

Having both a robust internal reporting system and triage of such reports is critical in a best practices compliance program. 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Internal Reporting

The 2012 FCPA Guidance had as clear, concise and short a statement about hotlines as any other requirement found in Ten Hallmarks of an Effective Compliance Program. It stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”

The Evaluation reinforced this language with the following found under Prong 7, Confidential Reporting and Investigation, Effectiveness of the Reporting MechanismHow has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information? 

But more than simply hotlines, companies have to make real efforts to listen to employees. But you must spend time working on this issue. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.

What are some of the best practices for a hotline? I would suggest that you start with at least the following:

  1. Availability-your reporting mechanism can be easily accessed by your entire employee base. This may require more than one tool, such as telephone report, internet reporting and other mechanisms.
  2. Anonymity-there must be a manner to make reports anonymously if the reporter so desires.
  3. Escalation-you must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.
  4. Follow-Up­-there must be a sufficient follow up protocol to make sure any reported events is receiving the warranted attention. There should also be a way to deep the incident reporter informed as to the progress of the matter within your investigative protocol.  
  5. Oversight-there should levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.

In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

Triaging Claims

Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. One of the things that this is important in making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make the decision going forward. You can do this through a robust triage process.

Jonathan Marks, a partner at Marcum LLP has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, what will be the types of evidence you will need to consider going forward. Finally, before selecting a triage solution you should understand what tools are available, including both forensic and human, to complete the investigation.

Three Key Takeaways

  1. The DOJ and SEC put special emphasis on internal reporting lines.
  2. Test your hotline on a regular basis to make sure it is working.
  3. Have an investigation protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

1 2 3 Next »