Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2019
May


2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: Category: compliance know-how
Mar 23, 2017

The Evaluation, in Prong 10, Third Part Management asks, “What was the business rationale for the use of the third party in question?” This question is one of the most basic tools to operationalize your compliance program and should form the basis of your third party risk management process. 

It is common sense that you should have a business rationale to hire or use a third party. If that third party is in the sales chain of your international business it is important to understand why you need to have a particular third party representing your company. This concept is enshrined in the FCPA Guidance, which says “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the ser­vices to be performed.” 

The Internal Revenue Service (IRS) also considers a business rationale to be an important part of any best practices anti-corruption compliance regime. Clarissa Balmaseda, a special agent in charge of Internal Revenue Service (IRS) criminal investigation, speaking at a presentation, said that the lack of business rationale to be a Red Flag, indeed the IRS views such lack of business rationale as possible indicia of corruption. With the Department of Justice; Securities and Exchange Commission and IRS all noting the importance of a business rationale, it is clear this is something you should use to operationalize your compliance program. 

But the business rationale also provides your company the opportunity to help drive compliance into the fabric of your everyday operations. This is done by requiring the employee who prepares the business rationale to be the Business Sponsor of that third party. The Business Sponsor can provide the most direct means of communication to the third party and can be the point of contact for compliance issues.

Tyco International takes this approach in its Seven Step Process for Third Party Qualification. Tyco breaks the first step into two parts, which include: 

  1. Business Sponsor - Initially identify a business sponsor or primary contact for the third party within your company. This requires not only business unit buy-in but business unit accountability for the business relationship and puts the onus on each stakeholder to more fully operationalize this portion of your compliance program.
  2. Business Rationale - The Business Sponsor should then articulate a commercial reason to initiate or continue to work with the third party. You need to determine how this third party will fit into your company’s value chain and whether they will become a strategic partner or will they be involved in a one-off only transaction?

So what should go into your Business Rationale? At the most basic level, you should craft a document, which works for both you as the compliance practitioner and the business folks in your company. There are some basic concepts which include the following. You need the name and contact information for both the Business Sponsor and the proposed third party. You need to inquire into how the Business Sponsor came to know about the third party because it is Red Flag is a customer or government representative points you towards a specific third party. You should inquire into what services the third party will perform for your company, the length of time and compensation rate for the third party. You will also need an explanation of why this specific third party should be used as opposed to an existing or other third party, is such were considered. All this information should be written down and then signed by the Business Sponsor. 

Another way to think about this issue is by considering the competence of foreign business partner to provide services to your organization. Such considerations would include a review of the qualifications of the third party candidate for subject matter expertise, the resources to perform the services for which they are being considered and identifying the third party’s expected activities for your company.  More detailed inquiries include requiring the relevant business unit which desires to obtain the services of any third party to provide you with a business rationale including current opportunities in territory, how the candidate was identified and why no currently existing third party relationships can provide the requested services. Your next inquiry should focus on the terms of the engagement, including the commission rate, the term of the agreement, what territory may be covered by the agreement and if such relationship will be exclusive. 

Remember, the purpose of the Business Rationale is to document the satisfactoriness of the business case to retain a third party.  The Business Rationale should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. As explained by the Tom Fox Mantra for compliance, this means Document Document Document.    

Three Key Takeaways

  1. You should always have a business reason for using a third party which is articulated by the business folks, not compliance.
  2. A Business Sponsor is the key relationship going forward in operationalizing your compliance program through the life of the third-party relationship with your company.
  3. Always remember to Document Document Document. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 22, 2017

From the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs: 

  1. Autonomy and Resources 

Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?  

Experience and Qualifications – Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?  

While the DOJ’s stated position that it does not concern itself with whether the CCO reports to the General Counsel (GC) or reports independently, but it is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, without going through the GC first. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the Evaluation comes as close to any time previously in articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line of sight authority to the Board.

With the operationalization of compliance, the DOJ wants to know if the if business unit of a company is responsible for at least a part of compliance. Put in the manner of the Evaluation, is compliance operationalized within your organization? An interesting angle is the real problem for a CCO if compliance is not embedded into the business; that problem is that the CCO simply becomes a policeman, telling the business unit what it cannot do. Or as I would say, being Dr. No from the Land of No.

Here are some questions you should consider in evaluating this prong. First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? Who can terminate the CCO; is it was the CEO, the Audit Committee of the Board or does CCO termination require approval of the entire Board? Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have requisite independence. 

Additional questions to consider are (a) Who can over-rule a decision by a CCO within an organization?  and (b) Who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Audit Committee of the Board or some other person or group? 

An evolution in thinking by the DOJ is looking at turnover rates, as this is not something the DOJ has previously focused upon. For any company which simply lays off its entire compliance function and rolls it into the legal department; how do you think that would appear to the DOJ if it came knocking to investigate a potential FCPA violation? 

Also to be considered is the compensation, both in salary and benefits paid to the CCO and compliance practitioners within an organization. In the FCPA Pilot Program, under Prong 3, Remediation, the DOJ said it would consider “How a company's compliance personnel are compensated and promoted compared to other employees”. This was carried forward in the Evaluation so you will need to consider benchmarked studies or other evidence of an appropriate level of pay for a corporate compliance function. 

Finally, what resources have been made available to the compliance function. This would include both monetary budget for operationalization but also head count resources. One might hope the days have long since pasted when companies would come into the DOJ and plead the compliance function ‘only’ had $100,000; $200,000 or you name the figure in resources; to be met with the prosecutor’s question “What was your annual spend on yellow-sticky note pads?” When the inevitable response was considerably more than the entire compliance budget, the prosecutor’s response was something along the lines of “Which is more mission critical for complying with the law?” 

Another evolution in the DOJ’s thinking was in experience and qualifications for the compliance function. In the Pilot Program, Prong 3 was the following, “The quality and experience of the compliance personnel such that they can understand and identify the transactions identified as posing a potential risk”. This has been broadened to “Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?” 

The Evaluation demonstrates the continued evolution in the thinking of the DOJ around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ talks about the independence of, coupled with resources being made available and authority concomitant with the CCO position, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations. 

Three Key Takeaways

  1. How can you show compliance really has a seat at the senior executive table?
  2. What are the professional qualifications of your CCO and compliance team?
  3. What are the resources made available to your compliance function? 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

 

Mar 21, 2017

Prong 6, Training and Communication, of the Justice Department’s Evaluation of Corporate Compliance Programs reads, in part: 

Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training? 

Most companies have not considered this issue, the effectiveness of their compliance program. I would suggest that you start at the beginning of an evaluation and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and company Board members have attended compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program. 

One of the key goals of any  compliance program is to train company employees in awareness and understanding of the law; your specific company compliance program; and to create and foster a culture of compliance. In their book, entitled “Foreign Corrupt Practices Act Compliance Guidebook: Protecting Your Organization from Bribery and Corruption”, Martin T. Biegelman and Daniel R. Biegelman provide some techniques which  can be used to begin evaluate ethics and compliance training. 

The authors encourage post-training measurement of employees who participated. A general assessment of those trained on the FCPA and your company’s compliance program is a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training: 

  1. What does the FCPA stand for?
  2. What is a facilitation payment and does the company allow such payments?
  3. How do you report compliance violations?
  4. What types of improper compliance conduct would require reporting?
  5. What is the name of your company’s Chief Compliance Officer? 

The authors set out other metrics, which can be used in the post-training evaluation phase. They point to any increase in hotline use; are there more calls into the compliance department requesting assistance or even asking questions about compliance. Is there any decrease in compliance violations or other acts of non-compliance? 

What if you want to take you post-training analysis to a higher level and begin a more robust consideration of the effectiveness of compliance training through an analysis of return on investment (ROI)? Joel Smith, the founder of Inhouse Owl, a training services provider, advocates performing an assessment to determine ethics and compliance training ROI to demonstrate that by putting money and resources into training, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (IE., effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event such as a violation of the FCPA. Smith admits that calculating compliance ROI is very difficult as ethical and compliance behavior is an end-goal and of itself - not necessarily one that everyone feels should be subject to a ROI calculation. 

Smith noted, “it is extremely difficult to isolate the training effect to calculate what costs you avoided due solely to your ethics and compliance training. Although each organization will have a unique ROI measurement due to unique training objectives, it is possible to use a general formula to calculate ethics and compliance training ROI.” 

Smith’s model uses four factors to help determine the ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These four factors are answered through posing the following questions. 

  1. Figure out what you want to measure. Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In the FCPA, you want them to avoid non-ethical and non-compliant actions that would lead to FCPA violations. So your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures so you avoid liability related to actions. Therefore the benefit to calculate for ROI purposes is the total amount saved by the company because employees now understand not to engage in unethical and non-compliant conduct around bribery and corruption. 
  1. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. Smith believes you can get data on employee engagement through a quick post-training survey. Although this factor does not produce a quantitative number to use in the ROI calculation, it will help you isolate and qualify the training benefit. 
  1. Did employees actually learn anything? Smith believes that a critical part of any employee training is the assessment. If you want to understand the “benefit” of training employees, you must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre and post training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training. 
  1. Are employees applying your training? Smith says that for this point you will need to conduct a survey to determine employee application and their implementation of the training topics. To do so, you must conduct employee surveys to understand whether they ceased engaging in certain risky behaviors or better yet understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective. 
  1. What’s the quantitative business impact of your training? At this point you are ready to determine the numerical business impact of your ethics and compliance training. Smith has an approach he calls the “Best Guess” approach. Smith believes there are two parts to the business impact calculation: (1) the benefit calculation and (2) the isolation calculation. Smith provided five questions he would pose. 
  1. How often could a noncompliance event occur?
  2. How much revenue would be involved?
  3. What is the profit margin on the revenue?
  4. What are the other costs?
  5. What are the noncompliance hard costs? 

The next step is to isolate the benefits of training so that you properly attribute the ROI to the ethics and compliance training. To make this determination, you need to know at a minimum (1) whether employees understood the training and (2) whether employees are applying the training. This information must be compared with other factors, namely: (1) the effects of any other company initiatives involving anti-corruption, (2) employee attitudes regarding the topic and training, and (3) any business factors such as decreasing/increasing international revenue, macro-economic trends, etc. that may contribute to avoidance of a noncompliance event. From these calculations, you should then apply a percentage of the benefit to the training. Here Smith suggests 25%. 

  1. ROI: bringing it all together. Now it is time to calculate the ROI. Here I turn to the formula as laid out on Smith’s company website: “Total FCPA Noncompliance Costs Avoided - Total FCPA Training Program Costs  ÷Total FCPA Training Program Costs ($20,000) x 100=ROI”. Smith concludes by noting, “Even though calculating training benefits is often difficult and imprecise, it’s incredibly important to make an attempt to quantify training ROI” to demonstrate not only effectiveness but also “so you can show business people the incredible effect that engaging training can have on the bottom line.” 

The importance of determining effectiveness and the evaluation of your ethics and compliance program is now enshrined by the Department of Justice (DOJ) in its Evaluation. The Evaluation is the first formal step taken by the DOJ to demonstrate it wants to see the effectiveness of your compliance program. This is something that many Chief Compliance Officers (CCOs) and compliance professionals struggle to determine. Both the simple guidelines suggested and the more robust assessment and calculation laid out by Smith provide you with a start to fulfill the Evaluation but you will eventually need to demonstrate the effectiveness of your compliance training going forward.

Three Key Takeaways

  1. You must demonstrate you have measured the effectiveness of your compliance training?
  2. The DOJ is clearly moving into requiring a demonstration of effectiveness of compliance training.
  3. You should be moving towards a model of demonstrating compliance training ROI to validate full operationalization of your compliance training.

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 21, 2017

In this inaugural episode of the FCPA Compliance Report-International Edition, I have Carlos Ayres, a partner in Madea, Ayres and Sarubbi in Sao Paulo. We discuss an  interesting development from the Odebrecht corruption scandal, federal prosecutors in Brazil and ten other countries recently announced they had agreed to cooperate in ongoing investigations surrounding the company. The Odebrecht case involved bribery and corruption allegations reaching multiple countries throughout the Americas. Now reports indicate that officials from Brazil, Argentina, Chile, Colombia, the Dominican Republic, Panama, Mexico, Peru and even the notoriously corrupt Venezuela, along with the European nation of Portugal, have agreed to “start a combined task force with bilateral and multilateral investigative teams to coordinate a probe” of the company. We also discuss recent reports which indicate show companies in Brazil are taking this approach in response to the country’s more aggressive enforcement against endemic corruption in commercial businesses. This is partly in response to the allegations and investigations brought forward by Operation Car Wash and the attendant Odebrecht anti-corruption enforcement action. Jorge Abrahão, president of Brazil’s Ethos Institute, a corporate social responsibility organization said “We are witnessing a big change in Brazil—there is an understanding in society now that whoever doesn’t take the issues of corruption and transparency seriously will not have a place in the market in the future.

For More Information on these topics see my blog posts:

  1. A South American Response to Corruption
  2. Companies now doing compliance in Brazil

Carlos Ayres can be reached via email at carlos.ayres@maedaayres.com.

Mar 17, 2017

Another way to operationalize compliance is to have oversight moved out into regions. Such an approach can more effectively ensure employee and third party compliance with your Code of Conduct throughout a organization by integrating compliance into every aspect of a Company’s functions and generating the necessary information to continuously improve your compliance program. Such a regional compliance committee can operate on multiple planes to fully operationalize compliance in a company, augment existing internal controls and make the company a more efficient and profitable entity.

The formation of a regional compliance committee works to operationalize compliance through the creation of more direct ownership, accountability, and valuable transparency of your compliance regime.  This moves compliance down into all levels of the company’s operations.  This approach also significantly improves consistency of compliance execution and helps to ensure that all a company’s business objectives are achieved in a legally compliant fashion. Such a regional compliance committee can advise and provide information and insights to the CCO, receive compliance information from the corporate compliance function for the relevant region regarding applicable compliance requirements, industry standards, your Code of Conduct, as well a corporate compliance program as it relates to a region. A regional compliance committee should not have primary responsibility for internal investigations can report up any known compliance issues to the corporate compliance department.

A regional compliance committee is designed to promote clear and frequent compliance-related communication on related matters throughout the region and strengthen the company’s compliance culture.  It is valuable to the overall performance of the corporate compliance program within the region. It allows compliance topics to be more thoroughly discussed at regularly occurring operational meeting they have communication structures designed to facilitate communication up the chain and down the chain; allowing the CCO to have a more direct set of ‘eyes and ears’ closer to the ground. Finally, a regional compliance committee give the compliance function greater visibility within the organization because compliance has been moved further into the middle and lower levels of the organization daily.

Authority and Responsibility

There are multiple delineated responsibilities for a regional compliance committee. Some of these responsibilities can include:

  • Assisting in identifying not only potential legal and compliance risks in the region but also reputational risks your company.
  • Establishment of goals and metrics to measure against these legal and compliance goals in the region.
  • Exercising oversight of the implementation and effectiveness of the company’s compliance program in the region. Additionally, to make recommendations to the CCO and suggest improvements to the compliance practices in the region.
  • Reviewing and monitoring implementation of your Code of Conduct in the region and assisting in the identification of best practices, alternative strategies and local initiatives to enhance the compliance program.
  • Assuring to the CCO and the senior leaders of operations that compliance goals and requirements are both established and communicated across the region.
  • Advise management of its assessment of the corporate compliance program, ethics and compliance risks in the region and steps taken to both manage and lessen such risks.
  • Reviewing the hotline complaints and other information to assure that appropriate steps are taken to modify the corporate compliance program to reduce identified ethics and compliance risks in the region.

The formation of a regional compliance committee operationalizes compliance into the region where the business operates. This sort of approach follows the Department of Justice mandate, articulated in the Evaluation for companies to move the doing of compliance down into the business of the organization. The make-up a regional compliance committee, while including legal and compliance representatives, is also populated by representatives from other disciplines within the global organization. This allows a fuller, richer and more holistic approach to not only compliance advice but reviews consistent with the Evaluation’s mandate of shared commitment by other functional disciplines within an organization.

It also adds a dimension not discussed nearly as often in the compliance profession as it should be going forward. The accountability and oversight down to the regional level and the compliance monitoring, reviewing, assessing and recommending will provide additional endorsements up through the organization that it is doing compliance. In compliance, it is execution where the rubber meets the road. This is the functional definition of operationalizing compliance.  

Three Key Takeaways

  1. A regional compliance committee works to more fully operationalize compliance.
  2. A regional compliance committee, properly staffed, evidences the shared commitment to compliance as required under the Evaluation.
  3. A regional compliance committee is a two-way communications avenue, both inbound and outbound.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 16, 2017

The operationalization of your compliance programs means how deeply is compliance integrated into the function of your company. Today, I want to consider another way to operationalize compliance through the Compliance Oversight Committee.

The Compliance Oversight Committee sits between the CCO and the Board’s compliance committee. The role of this Compliance Oversight Committee is to provide oversight and review of high risk issues such as third party approvals and renewals, requests for payments from third parties and significant gift, travel and entertainment requests from employees. This committee’s oversight demonstrates not only a shared committee to compliance as required under the Justice Department’s Evaluation of Corporate Compliance Programs but also fulfills the requirement for engaged senior management oversight as a part of a company’s management of risk.

As far back as January 2005, in the Deferred Prosecution Agreement (DPA) entered into between the Department of Justice (DOJ) and the Monsanto Company, it provided for “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or a Compliance Oversight Committee. The scope of this Compliance Oversight Committee was not fleshed out in the DPA. While many have focused on the Compliance Oversight Committee to monitor agents and other third party business representatives, the role of the Compliance Oversight Committee should be broader than simply the issues of third party agents and representatives. A major purpose of a Compliance Oversight Committee is to act as redundant backup to the books and records internal controls systems, designed to prevent and detect violations of a company’s compliance program.

It should be clear the role of the Compliance Oversight Committee is not to substitute its judgment for that of the CCO but rather to provide another level of review to make sure nothing slips through the cracks which might expose the company to unwanted risk. This can begin with a clear, written charter that sets out the functionality, goals, and parameters of the group. Moreover, the Compliance Oversight Committee should be reviewed on a periodic basis to determine usefulness and effectiveness.

To this end, the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual (2016 ed.) suggests the following language in its proposed form of Compliance Committee Charter:

The compliance officer shall have ultimate responsibility for operating the compliance program, with the support and assistance of the compliance committee. The committee shall consist of ### members, representative of each major department or area. The committee may appoint ad hoc members, each to serve at the pleasure of the committee, to assist and advise the committee in carrying out this charter. While the ad hoc members of the committee are not entitled to vote on matters formally considered by the committee, the ad hoc members shall be entitled to call a meeting of the committee and, further, to have any matter included on the agenda of any meeting of the committee. The committee shall designate the proper manner for calling meetings and the setting of agendas thereto.

Who should be on an Oversight Committee?

The Monsanto DPA provides guidance on this point by stating, “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction.” This indicates that senior management should be involved in the Compliance Oversight Committee. It also indicates that more than one department should be represented on the Compliance Oversight Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments, IT, Finance and Business Unit Operations. The bottom line is that the CCO should chair a committee of peers/senior level officers who are in a position to make decisions and marshal resources.

What Should the Oversight Committee Review?

There are a variety of approaches that a Compliance Oversight Committee can assume. It can dive down deeply ‘into the weeds’ for transactions which the company has identified as high risk. This can be the review of agents or other representatives in high risk areas or transactions in high risk countries. The Compliance Oversight Committee can use techniques such as continuous controls monitoring to identify any outliers of payments or other indicia of financial information which would warrant additional investigations. In addition to this remedial review, the Compliance Oversight Committee should review all payments requested by agents and representatives to assure such payment is within the company guidelines and is warranted by the contractual relationship with the company. Lastly, the Compliance Oversight Committee should review company sales or business development requests to provide compensation and, as appropriate, reimbursement for gifts, travel and entertainment of foreign governmental officials. 

The oversight of Foreign Business Partners is one of the key mechanisms that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the Foreign Corrupt Practices Act (FCPA). The proper structure of the Compliance Oversight Committee and its full engagement with all aspects of a company’s relationship with a Foreign Business Partner is one of the areas that the DOJ will look for in a successful FCPA compliance program.

However, it is incumbent that each Compliance Oversight Committee should be designed to review the highest risks to your organization. If your company’s highest compliance risk is third party relationships, you should focus your compliance committee resources on that issue. My recommendation is that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with any third party. While this would most necessarily focus on FCPA compliance, there should also be a commercial component to this function. The Compliance Oversight Committee should therefore review all documents relevant to the five-step lifecycle management of third parties.

Conclusion

The Compliance Oversight Committee is a key tool which can be utilized by a company to manage its risks. The books and records component of internal controls is one level of prevention and detection. The review by a Compliance Department for requests for travel for and gifts and entertainment to foreign governmental officials and the lifecycle management of third parties is also an important step in the prevention process. However, the Compliance Oversight Committee is another step which operationalizes compliance and should be employed by companies as an additional protection against any type of compliance and ethics violation slipping through the cracks to become a much larger problem down the road. Companies should implement a Compliance Oversight Committee and review the systems they have in place to detect risky conduct.  

Three Key Takeaways

  1. The Justice Department has long suggested an approach of operationalizing compliance through greater senior management oversight.
  2. A Compliance Oversight Committee allows for an increased set of eyeballs on your highest risk compliance risks.
  3. A Compliance Oversight Committee acts as another control mechanism for a best practices compliance program.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 15, 2017

 

Today I want to explore in some detail the first Objective in the COSO 2013 Framework-the Control Environment as a path to operationalize your compliance program. This Objective lays out five steps you can take to put the responsibility on function corporate disciplines to imbue compliance into the fabric of an organization. 

A.        Control Environment 

Rittenberg said this “sets the tone for the implantation and operation of all other components of internal control. It starts with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees.” The five principles of the Control Environment object are as follows: 

Principle 1 - The organization demonstrates a commitment to integrity and ethical values.

Principle 2 - The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Principle 3 - Management establishes with board oversight, structures, reporting lines and appropriate authorizations and responsibility in pursuit of the objectives.

Principle 4 - The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.

Principle 5 - The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

Principle 1 - Commitment to integrity and ethical values 

What are the characteristics of this Principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or other baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. This requires an auditor to be able to assess if a company has the met its requirements to ethics and compliance and whether that commitment can be effectively measured and assessed.

Principle 2 - Board independence and oversight 

This Principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. There should be compliance expertise at the Board level which allows it actively manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, information, compliance communications and compliance monitoring activities. Here, the Board’s Compliance Committee must demonstrate independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function. 

Principle 3 - Structures, reporting lines, authority and responsibility 

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this Principle, you should consider all of the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this Principle requires establishment of the appropriate authority within the compliance function. You must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

Principle 4 - Attracting, developing and retaining competent individuals 

This Principle gets into the nuts and bolts of operationalizing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures and that any demonstrated shortcomings be addressed. This Principle next turns the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. You must be able to demonstrate, through compliance policies and their implementation and operationalization a commitment to attracting, developing and retaining competent persons in the compliance function and more generally employees who accept the company’s general principle of doing business ethically and in compliance.

Principle 5 - Individuals held accountable 

This is the ‘stick’ Principle. A company must show that it enforces compliance accountability through its compliance structures, authorizations and responsibilities. A company must establish appropriate compliance performance metrics, incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly a company must consider pressures that it sends through off-messaging. Finally, each employee must be evaluated in his or her compliance performance; coupled with both rewards and discipline for employee actions around compliance. This Principle requires evidence that can demonstrate to an auditor there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

The COSO formulation for internal controls is a key component for any best practices compliance program; whether based upon a FCPA formulation or another anti-corruption law, such as the UK Bribery Act. Moreover, as it probably the most utilized internal controls formulation under Sarbanes-Oxley 404(b) reporting, it should be well-known to your corporate internal controls function and therefore assessable to you as a Chief Compliance Officer (CCO) or compliance professional. In addition to the Principles articulated herein the specific Points of Focus listed in the COSO 2013 Framework can provide a roadmap for testing and evidencing your compliance program in this area. You should not fail to take advantage of it.

Three Key Takeaways

  1. The COSO 2013 Framework sets out a structure which the compliance practitioner can use to put compliance into the fabric of an organization.
  2. For any public company, using the COSO Framework will allow a full response to any SOX 404(b) inquiry by regulators or auditors.
  3. The Control Environment Objective allows for not only implementation of controls but also requires individual accountability, as is set out in the Justice Department Evaluation of Corporate Compliance Programs. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

 

 

 

Mar 14, 2017

Under the Prong entitled “Policies and Procedures” subtexted Operational Integration, the Evaluation states: 

Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

While of the basic Watergate maxims has always been appropriate in any FCPA investigation, Follow The Money, the Evaluation takes payment systems and their internal controls several steps further past the detect and even investigatory precepts. There is not a set of “compliance internal controls” but rather internal controls permeating throughout an organization which creates their effectiveness. Today, we examine what are effective compliance internal controls and how the payroll function can assist in fulfilling those requirements. 

What are internal controls? 

What are internal controls in a FCPA compliance program? The starting point is the law itself, and as stated in the FCPA requires the following: 

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences …

The Department of Justice and SEC, in their 2012 FCPA Guidance, state, “Internal controls over financial reporting are the processes used by compa­nies to provide reasonable assurances regarding the reliabil­ity of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organi­zation regarding integrity and ethics; risk assessments; con­trol activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitor­ing.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” 

The FCPA Guidance specifies that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an organization’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences. After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk. 

Global Payroll Internal Controls 

Max van der Klis-Busink, in his Global Payroll Management Institute’s three-part series, entitled “Take Charge With a Global Payroll Control Framework”, laid out how to design, implement and then improve internal controls around global payroll. His article details how one can operationalize your payroll controls to answer the questions posed in the Evaluation.

There are several specific internal payroll controls which will facilitate a company operationalizing your compliance program, as required under the Evaluation. These controls help keep an eye on the money trail as the money to pay a bribe is usually hidden in some company expenditure. The four general areas of payroll control should include: (1) Segregation of duties; (2) Accountability, authorization, and approval; (3) Security of assets; and (4) review and reconciliation. 

To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid: 

  • Audit. Have either internal or external auditors conducted an annual audit of the payroll accuracy.
  • Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a manager more senior.
  • Change tracking log. If you are processing payroll in-house with a computerized payroll module, have a secure change tracking which will provide an audit trail.
  • Expense trend lines. This is your data and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.
  • Issue payment report to supervisors. Request supervisors review payroll summaries for correct payment amounts and unfamiliar names.
  • Restrict access to records. Prevent unauthorized access to payroll records.
  • Segregation of duties. You should never allow one person prepare the payroll, authorize it and create payments. 

The role of global payroll in FCPA compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes in violation of the FCPA must come from somewhere. Unfortunately, one of those places is out of payroll. All Chief Compliance Officers need to sit down with his or her head of payroll, have them explain the role of payroll, then you should to review the internal controls in place to see how they facilitate the goals of compliance. From that review you can then determine how to use payroll to help to operationalize your compliance program. 

Three Key Takeaways

  1. The Evaluation focuses your preventive prong on payroll, supplementing the prior focus on detection controls.
  2. You still need internal controls around payroll to ‘follow the money’.
  3. Do not forget upgrading and updating payroll controls. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 13, 2017

 

If there is one over-riding theme from the recently released Evaluation of Corporate Compliance programs it is that a corporate compliance program must be operationalized. Indeed that is the theme of this month’s series of podcasts. Another way to think about operationalization is the connectedness of compliance throughout an organization. In an article from the Harvard Business Review (HBR), entitled “How Smart, Connected Products are Transforming Companies”, by Michael E. Porter and James E. Heppelmann, focused on the new products. It provided some interesting insights into both the interconnectedness of processes and structures, which apply to the compliance practitioner going forward. I call it “connected compliance.” It provides another mechanism for you to consider in operationalizing your compliance program.

 

Process in Connected Compliance

 

Processes are being reshaped by the data which is now available and more “intense coordination among [corporate] functions is now required.” Regarding structures, the authors believe, “new forms of cross-functional collaboration and entirely new functions are emerging.”

 

Obviously compliance is a business process. Yet it should also be a continuous process. The data from a wide variety of sources should be used to track the types of risk that compliance professionals must manage. This begins with third parties. Continuous monitoring of third party watch lists seems almost pedestrian now yet many companies do not understand they have a continuing obligation to understand who they are doing business with, even after the contract is signed. Put simply, due diligence once every two years is a recipe for trouble. But this type of information should not only be limited to third parties’ in your sales business. You should also consider your exposure from your customers.

 

However, what if a large part of your company is exposed to the financial risk of a corrupt company slowing down its business? If you are in the auto supply business or even the software industry, have you considered how much of your business is at risk through your relationship with a company like Volkswagen (VW)? Most Foreign Corrupt Practices Act (FCPA) risk analysis considers corruption risks involving third parties in the sales arena or vendors that come in through the Supply Chain, now, based upon the VW, Petrobras or you name the scandal, you may need to know the corruption propensity of your  customers as well.   

Finally, connected compliance will help make people, materials, energy, plant and equipment far more productive, and the repercussions for business processes will be felt throughout the economy. The authors’ state, “We will see a whole new era of “lean.” Data flowing to and from products will allow product use and activities across the value chain to be streamlined in countless new ways.” For the compliance practitioner, waste will be cut or eliminated. Connected compliance will also allow a compliance solution to be delivered when certain thresholds are met, rather than according to a schedule. New data analytics will lead to previously unattainable efficiency improvements and allow you to do more business in compliance going forward. 

Structures in Connected Compliance 

Just as processes have evolved in connected compliance, so do structures. The classical organizational approach combines “two basic elements: differentiation and integration. Dissimilar tasks, such as sales and engineering, need to be “differentiated,” or organized into distinct units. At the same time, the activities of those separate units need to be “integrated” to coordinate and align them.” Connected compliance will have a major impact on both differentiation and integration in your company going forward.

 

This structural changes means that compliance will be integrated into diverse functional units of the company such as manufacturing, logistics and SC, sales and finance. This integration across functional units will occur through the business unit leadership team and through the design of formal processes for connected compliance with multiple units having roles.

This sounds quite like operationalizing compliance, exactly as specified by the DOJ in the Evaluation document. However connected compliance gives you the means and methods to think through how to accomplish this goal. You will have to coordinate between and across multiple functions within your organization. It will require the critical function of not only data management but also data analysis. What does it all mean?

Such an approach will require “dedicated data groups that consolidate data collection, aggregation, and analytics, and are responsible for making data and insights available across functions and business units.” Once again the compliance function is uniquely situated to be at the fulcrum of this connectedness. But more importantly, you already have this information inside your organization but most usually the compliance function does not have visibility into the data. Compliance must find the tools and processes to cut through the siloed nature of corporate information. 

It is through connected compliance that all groups within a company will become responsible for compliance. The integration of this data into compliance is still viewed as cutting edge; nonetheless companies have this data, structured within their own ERP systems. Connected compliance will allow senior management to view information to make the business more efficient and allow a company to take more risk because the risks will be managed more effectively. 

Three Key Takeaways

  1. Connected compliance is the inter-relatedness of interconnectedness of compliance processes and structures.
  2. Compliance should be ongoing and a continuous process.
  3. Compliance must use data analytics tools to cut through the siloed nature of corporate data.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 10, 2017

Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important, key step as it will allow you to have full visibility of your compliance risks through a longer life cycle. Forecasting allows you to consider your business strategy and wed the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor both the compliance risks you and detect those you do not know, on an ongoing basis. 

I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment as it is articulated as Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. From the FCPA Guidance, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the FCPA Guidance also specified the enforcement reasons for performing a risk assessment, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not pre­vent an infraction in a low risk area because greater atten­tion and resources had been devoted to a higher risk area.” The DOJ Evaluation of Corporate Compliance Programs builds on this. 

Yet as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal prophylactic, but as a business process. Seen in this light, it is clear the risk management process should begin with forecasting as it attempts to estimate future aspects of your business. Locwin noted that companies should be able to say with some degree of authority, “We think the following will happen in the next three months, six months, twelve months, twenty-four months, is really something that the businesses try to wrap their heads around in such a way that they can shunt resources where they think is appropriate in order to meet these future demands.” 

By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict for or issues which the forecasting model raised as a potential outcome which warranted a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks. 

Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Locwin said, “Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.” 

All of these three tools tie back into process management and process improvement. Locwin stated, “There’s always this balance between what’s actually important for our business or for proper execution, versus what’s actually going on in the whole process. If you’re not measuring at a high enough resolution, you’re not capturing a lot of the environmental, market force, external factors that probably are of high leverage to your operations in business that you just don’t know about.” 

Locwin tied them together with the following example, “There’s a 30% chance of this abject market failure happening, this product fails, this restaurant site contaminates people, this product doesn’t ship before Christmas, this phone explodes.” If you knew that in advance, the executive committee probably almost everywhere would say, “We have to act, and act now.” That’s where the rubber meets the road and you’ve got to forecast and a contingency in place. A lot of times, there isn’t that level of forecasting done in advance to say, “We think there’s this 30% chance of it occurring, therefore not only do we need a strong contingency plan, but we should expect to have to use it in Quarter 2. It’s right there sitting on everybody’s dashboard all the time.”

In other words, it comes down to execution. This means you have to use the risk management tools available to you and when a situation arises, you remediate when required. This is not only where the rubber hits the road but the information and data you garner in the execution phase should be fed back into process loop. From this, you will develop continuous feedback and continuous improvement. 

I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center. 

Three Key Takeaways

  1. The risk management process is an important backbone of operationalizing compliance.
  2. You should be able monitor and measure both known and unknown risks.
  3. All of these steps help a business to run more efficiently and more profitably. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 9, 2017

I continue my discussion of operationalizing your compliance program through the risk management process by considering risk-based monitoring. I continue this series based upon interviews with Ben Locwin, Director of Global R&D at BioGen and an operational strategist in pharma and healthcare, to explore risk forecast, risk assessment and risk monitoring for the compliance profession. 

Locwin said, “Risk-based monitoring is really about continuous, ongoing monitoring for those things which provide the most potential future risk to you. In other words, instead of a static risk registry that may come in part with forecasting, where you would say, “We’re trying to anticipate these risks.” By using risk-based monitoring to review issues on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.” 

The problem for many companies is they are siloed in not only their data but also in the systems. Locwin explained that because of the disparity of data systems, “They may not be tracking rigorous, quantified information all the time.” He cited to an example from the pharmaceutical world where a company could well have 50 worldwide sites where a drug product is being tested. Some patients receive a placebo and some patients receive the medication being tested. As data comes in you begin to note patterns in certain patients and groups, which might actually point towards a variety of testing errors by physicians administering the test. 

Through the use of risk-based monitoring, you can begin to see things in “almost real-time, time-based trends of real data that you can then jump on and try to make adjustments before things get really wacky.” The implications to the compliance practitioner? Having access to information around sales, the sales process and corporate largess in things from Corporate Social Responsibility (CSR) work to gifts, travel and entertainment to conferences for customers and end users. Through the use of such risked-based monitoring a compliance professional would have the opportunity see trends developing which could allow an intervention for a prescriptive solution which could prevent an issue from becoming a Foreign Corrupt Practices Act (FCPA) violation.

Yet Locwin cautioned that compliance professionals should guard against bias. In an article by Locwin, entitled “Be Careful When Appraising Industry Trends”, he stated, “Social media has rapidly accelerated the agility with which the public can change allegiance and direction. It used to be that when information dissemination was slower and more compartmentalized within regions and market segments, that the market resistance to fluctuation was more robust. Now well-placed advertising, social commentary, or public response to corporate missteps can swirl into a maelstrom of market changes within hours that is agnostic to region or market segment.” 

In today’s world, the speed at which reputational damage reigns out can overwhelm a corporation’s ability to respond. Here one might consider Wells Fargo and how fast the situation spun out of control for them after its $185MM fine was announced. It is through the use of risk-based monitoring, which allows for this almost real-time input, that a response to a forecasted, assessed or even unassessed risk can be developed. In the compliance world, such tools could be brought to bear when considering not only the expense side of such areas as gifts, travel and entertainment but also sales side data. This could be internal company data on its own salesforce and also information developed from or concerning your third-party sales team. 

In Locwin’s primary world of pharmaceutical testing and product development, the need for such real-time information can be more critical. Yet through the development of these techniques as compliance tools, the compliance profession can add value to an organization through the use of risk-based monitoring. With the plethora of data on where and how corruption is likely to occur, coupled with meaningful sales and expense data, the compliance professional should be able to move from detect to prevent to prescriptive compliance solutions to prevent legal violations.

 Finally, the beauty of all these techniques is that they are tools that can make companies more efficient and, at the end of the day, more profitable. They also move compliance into the fabric and DNA of an organization or in the terminology of the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs, operationalize compliance. The DOJ has made clear what it expects around the risk management process. You need to develop your response now. 

Three Key Takeaways

  1. Risk-based monitoring is a follow on from forecasting and risk assessments in the risk management process.
  2. Risk based monitoring can provide real-time feedback and input from your operationalized compliance program.
  3. Use risk-based monitoring to cut through corporate siloes. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 8, 2017

The DOJ Evaluation of Corporate Compliance Programs states:

  • Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced?
  • Information Gathering and Analysis – What information or metrics has the company collected and used to help detect the type of misconduct in question? How has the information or metrics informed the company’s compliance program?

I continue my exploration of the risk management process by focusing today on risk assessments. One cannot really say enough about the role of risk assessment in compliance programs. Each time you hear a regulator talk about compliance programs, it starts along the lines of you cannot manage your FCPA risk without first determining what your company’s risk is; and to determine that compliance risk, the process you should utilize comes through a risk assessment.

We previously considered forecasting. The differences between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict for, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As Ben Locwin has explained, “What you’re trying to do then is decide on how you would address these. Risk assessments should create your risk registry. Those items which are most consequential for your organization, whatever it happens to be.”

Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law, out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risk and you should consider a multitude of factors such as the operating procedures, processes and systems and training. Of course, the execution of that process is a critical component as well.

All these things, to some degree, should appear in a risk assessment for the organization. Meaning, at the corporate level, what happens if you change products or sell into a new geographic area which is perceived to be more high-risk? There should be a risk assessment node which has a component that notes these changes so that you can adapt as necessary. Locwin stated, “The risk assessment itself is designed to be able to elevate these, and if something does happen, the next step would be to take appropriate course of action to address any of those risks.”

An example which illustrates the differences between forecasting and a risk assessment, yet how the two are complimentary. This winter when I began purchasing hot coffee products from Starbuck, as opposed to the cold drinks I buy during the hotter parts of the year, I discovered that baristas’ no longer put sleeves on coffee cups but now require you to ask for one. The second time I had to ask for a sleeve, I inquired from the barista why I had to do so. She replied that corporate had changed the policy for environmental reasons and that she could only provide a sleeve at the specific request of the customer. When I pointed out that it slowed the line down and was much less efficient in the delivery of Starbuck’s coffee, she replied, “You're absolutely right. I hate it. Would you please email Starbucks and tell them of your dissatisfaction?”

I will let Locwin pick it up from here, “what you’ve put your finger on is the crux of the balance of forecasting versus risk assessment. They’re two very different things, but at the same time, as they weave through time, they interchange. For example, Starbucks would potentially say, “We forecast that consumers are going to be more concerned about paper use, sleeves, the economic costs to the world, of extra paper waste and things. We’re going to, in certain locations, let’s say across Texas, we’re going to pilot that we don’t give out sleeves unless they’re asked for.” In their risk assessment, which I can tell you didn’t change from that forecast, what they then should have had was a commensurate line item which said, “If consumers start to have a problem with what’s being done at these locations, our immediate contingency plan is to do the following, to strip it away immediately, full stop, so that every cup gets a sleeve, so that they’re not slowing down lines, consumers say you heard us immediately, and then the organization is back on track.”

Their forecast plans something, the risk assessment should have had countermeasures to address, and instead if they didn’t have this in place, they’re going to have to wait until they start to have a Twitter feed that blows up… The risk assessment model should say, “Then we will do the following.” Really they don’t have the capability in a lot of cases to measure the effect of this and immediately course correct. It’s probably going to be a month, two months, four months before they start to get wind of this in a consistent way to say, “Texas was dissatisfied by this change and same in our pilot in Wisconsin. Let’s stop not giving out sleeves… Then eventually that starts to dissipate and they get rid of this whole new silly paradigm.”

Locwin’s point was that your risk assessment can help to inform your response to FCPA violation, corporate crisis or even (in my opinion) the misstep of requiring Starbucks customers to ask for sleeves for their coffee purchases. In another article by Locwin, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, he noted, “knowledge is power”. He went on to add, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we’ve classified them correctly. With a good understanding of each of these, we’re in a much better position to speak about the quality of our businesses.”

Three Key Takeaways

  1. The Evaluation put renewed emphasis on risk assessments.
  2. Risk assessments logically follow and are complimentary to forecasting.
  3. The risk assessment output allows you to prioritize your response with plan funding and deliver resources in a risk management solution.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 8, 2017

The Justice Department Fraud Section recently revamped its website and it is quite an upgrade. I do not know when the Fraud Section did this update but as with the Evaluation of Corporate Compliance Programs document, it certainly was a soft launch. It appears the new site compiles several disparate sources of Fraud Section and Justice Department information into one website. Also, there looks to my eye to be some information posted on the Fraud Section website for the first time. In short, it is an excellent and most welcomed resource.

A quick review of the site has a slide show of recent Justice Department resolutions scrolling across the screen. Go down to the bottom of the screen and you will see two very interesting documents, a 2015 and 2016 Fraud Section Year in Review. The FCPA Unit section includes such information as prior enforcement actions, Opinion Releases, other anti-corruption treaties and resources. There is also a list of Fraud Section leadership.

However, the Fraud Section is made up of more than simply the FCPA unit and there are tabs for the following Health Care Fraud and Securities and Financial Fraud. Most interesting to me was the tab for the Strategy, Policy and Training Unit, which I have to admit, did not know was a part of the Fraud Section. The opening page for this Unit provides a description of its work. It is as wide ranging as international coordination and interaction with foreign prosecutors and investigators. 

This new website revamp is a most welcomed resource for the compliance community. While it may be viewed as simply a compilation of other sites and locations within the greater Justice Department website by some; I believe the vast majority of compliance practitioners will find it a most welcomed compilation and resource.

Mar 7, 2017

At its heart, every business tries to plan for its future. It is a critical aspect of any management of any organization, non-profits, privately owned for profits and, of course, publicly traded companies. It is important that management be able to set out what it opines will happen in the next three, six, twelve and twenty-four months. Noted health care process expert Ben Locwin has said this “is really something that the businesses try to wrap their heads around in such a way that they can shunt resources where they think is appropriate in order to meet these future demands. Forecasting really at its heart is an educated guess and really as much as it becomes a reliable model more so and less so a guess, is based on the quality of the input data.” It is a process through which you are attempting to “prognosticate what the future will bring to you”. Unfortunately, forecast models are only as good as the data which are put into them or the GIGO (Garbage In, Garbage Out) Principal.

Three Key Takeaways

  1. Risk management is a process and forecasting is the first step in that process.
  2. GIGO and the only constant is change.
  3. Forecasters must always remember that more than one outcome is possible.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 7, 2017

In this Part III to a three part podcast series, I visit with noted risk management expert, Ben Locwin on risk-based monitoring as a adjunct to forecasting and risk assessments. We discuss how to accomplish it and how to integrate into your overall monitoring and feedback loops. We conclude with a stitching together of the risk management process. For More Information see my five part blog series on the Risk Management Process. 

1. Forecasting

2. Risk Assessments

3. Risk-Based Monitoring

4. White Noise and Interpreting Data

5. What does it all mean?

 

Mar 6, 2017
  1. Analysis and Remediation of Underlying Misconduct

Root Cause Analysis – What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis? 

A root cause analysis should be a method to learn more about your business process and what went wrong so that the systems and process itself can be changed because there is a thinking in the field which basically centers around the theme of, unless you have changed the process, then you're going to keep getting similar or the same results. The process is going to deliver whatever it delivers, whether that be right, wrong, or indifferent. Until you change the process and the systems, you can basically expect that you're going to have some sort of output that is going to repeat itself over and over again. Finding blame does not necessarily help and really you want to get deeper into those root causes. The reason it is monikered “root cause analysis”, is to emphasize the need to drill down below the superficial pieces of the framework to fix, and into the things that are actually driving the outcomes and the behaviors.

Three Key Takeaways

  1. The DOJ Evaluation mandates a root cause analysis.
  2. You cannot have a culture of blame for a root cause analysis to be effective.
  3. Always remember CAPA.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 3, 2017

Yesterday I began a two-part series on the Department of Justice (DOJ’s) “Evaluation of Corporate Compliance Programs” (Evaluation) posted on the Fraud Section in February. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner.

Three Key Takeaways

  1. This DOJ Evaluation provides clear guidance on the expectations of government regulators regarding what your program should consist of, how it should be effected and where you need to go down the road. It is also a valuable teaching tool as you can lay out for your Board and senior management the clear requirements for any best practices compliance program.
  2. The document also re-emphasizes that you should listen when the DOJ communicate their expectations around compliance. Beginning with the initial public remarks of Hui Chen and comments by former Assistant Attorney General Leslie Caldwell in November 2015, through the announcement of the FCPA Pilot Program in April 2016 and subsequent public remarks by Caldwell, Sally Yates and Daniel Kahn, the DOJ has consistently articulated the need for the operationalization of a corporate compliance program. Indeed, one can draw a straight-line from Caldwell’s November 2015 remarks at the SIFMA Compliance and Legal Society New York Regional Seminar where she presented the requirements to operationalize compliance in discussing compliance program metrics.
  3. Any company which simply puts a paper program in place, whether it is certified or not, and then sits back on its collective hands, is in for a very rude awakening if it comes before the DOJ in an investigation or enforcement action. For it is in operationalization of your compliance program that the DOJ will give credit to a functioning compliance program.

 This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 2, 2017

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on operationalizing your compliance program as the questions posed are designed to test how far down your compliance program is incorporated into the very DNA and fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program over the past 18 months and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation.

Three Key Takeaways

  1. The Evaluation follows a consistent theme of DOJ pronouncement over the past 18 on to operationalize your compliance program.
  2. There is one new area with a focus on root cause analysis and risk assessments.
  3. There is a greater consideration of how the CCO is treated and viewed within an organization.
Mar 1, 2017

In this episode Matt Kelly and myself take a deep dive into SOX 404(b), what it requires and how companies comply with the reporting requirements set out in this statute. We consider the recent announcements from Congressman Jeb Hensarling to amend this section to exempt companies under the $500MM who wish to go public from its reporting requirements. We consider the corporate and audit response currently in place for 404(b) and how this response is now well embedded in not only corporate controls but also in reporting. We discuss the importance of internal controls over the time frame since the enactment of SOX and how any change may not be well received by institutional investors and private equity funders.

For a more detailed discussion, see Matt’s blog post entitled, “Tale of Sound & Fury: The 404(b) Debate”.

Mar 1, 2017

Last month, the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. The document has one clear theme that I will be exploring this month—you must operationalize your compliance program.

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen in not only helping the DOJ to understand what constitutes an effective compliance program but also providing solid information to the greater compliance community on this score.

 

Three Key Takeaways

  1. The DOJ Evaluation requires you to operationalize your compliance program.
  2. The DOJ Evaluation makes clear compliance is a business process.
  3. The DOJ Evaluation is significant for what it does not focus on, legal solutions or even legal language.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Feb 28, 2017

I end my One Month to a Better Board series with a discussion from the recently released Justice Department Evaluation of Corporate Compliance Programs as it relates to a Board of Directors. In an area of inquiry entitled, “Oversight” the DOJ asked three basic questions which we have explored throughout this series. The questions presented by the DOJ were:

  1. What compliance expertise has been available on the board of directors?
  2. Have the board of directors held executive or private sessions with the compliance function?
  3. What types of information has the board of directors examined in their exercise of oversight in the area in which the misconduct occurred?

In addition to specifically stating that a Board of Directors must have a compliance subject matter expert going forward, it opines there should be a Board level committee dedicated to compliance as well. I have previously explored questions a Board should ask a Chief Compliance Officer (CCO). Today I want to focus some attention on questions by a Board of Directors around the Compliance Committee itself. To facilitate the answers to these DOJ questions, I have ended this series with a list of 20 questions below which reflect the oversight role of directors. These are questions which the Board should ask of both senior management and the Board itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary.

The comments summarize the most current thinking on the issues and the practices of leading organizations. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Compliance Committee

  1. What are the Compliance Committee’s responsibilities and what value does it bring to the board?
  2. How can the Compliance Committee help the board enhance its relationship with management?
  3. What is the role of the Compliance Committee?

Part II: Building an Effective Compliance Committee

  1. What skill sets does the Compliance Committee require?
  2. Who should sit on the Compliance Committee?
  3. Who should chair the Compliance Committee?

Part III: Directed to the Board

  1. What is the Compliance Committee’s role in building an effective compliance program within the company?
  2. How can the Compliance Committee assess potential members and senior leaders of the company’s compliance program?
  3. How long should directors serve on the Compliance Committee?
  4. How can the Compliance Committee assist directors in retiring from the board?

Part IV: Enhancing the Board’s Performance Effectiveness

  1. How can the Compliance Committee assist in director development?
  2. How can the Compliance Committee help the board chair sharpen the board’s overall performance focus?
  3. What is the Compliance Committee’s role in board evaluation and feedback?
  4. What should the Compliance Committee do if a director is not performing or not interacting effectively with other directors?
  5. Should the Compliance Committee have a role in chair succession?
  6. How can the Compliance Committee help the board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committees

  1. How can the Compliance Committee enhance the board’s relationship with institutional shareholders and other stakeholders?
  2. What is the Compliance Committee’s role in CCO succession?
  3. What role can the Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?
  4. How can the Compliance Committee help the board in deciding CCO pay, bonus and resources made available to the corporate compliance function?

Three Key Takeaways

  1. The DOJ Evaluation of Corporate Compliance Program requires active Board of Director engagement around compliance.
  2. Board communication on compliance is a two-way street; both in bound and out bound.
  3. Has the Board built an effective Board Compliance Committee?
Feb 28, 2017

This podcast considers the differences between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict for, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As Locwin explained, “What you’re trying to do then is decide on how you would address these. Risk assessments will percolate to the top of the list, your risk registry. Those items which are most consequential for your organization, whatever it happens to be. Again, just like forecasting, risk assessments apply to every organization.”

 Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law, out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risk and you should consider a multitude of factors such as the operating procedures, processes and systems and training. Of course, the execution of that process is a critical component as well.

 

Feb 27, 2017

There are three core areas upon which Directors should focus their attention regarding to help establish and maintain an effective compliance program. They are: (1) structure, (2) culture and (3) risk management.

Structural Questions

This area consists of questions which will aid in determining the fundamental sense of a company’s overall compliance program. The questions should begin with the basics of the program through to how the program operates in action. Some of the structural questions Board members should ask are the following.

  • Who oversees the operation of the program?
  • What is in the Code of Conduct? Is each Board member aware of corporate standards and procedures?
  • How are complaints being received?
  • Who conducts investigations and acts on the results?
  • What corporate resources are being devoted to the compliance and ethics program?
  • How much money is allocated to the program?
  • What types of training is required? How effective is it?
  • Have any compliance failures been detected? If so, how was such detection made?
  • If a company’s compliance program is less mature, what are the charter compliance documents?
  • If a company’s compliance program is more mature, there should be queries regarding the roles of the General Counsel vs. a Chief Compliance Officer. What is the CCO reporting structure?

Cultural Questions

This area of inquiry should focus on the culture of the organization regarding compliance. Board members should have an understanding of what message is being communicated not only from senior management but also middle management. Equally important, the Board needs to understand what message is being heard at the lowest levels within the company. Some of the cultural questions Board members should ask are the following.

  • When did the company last conduct a survey to measure the corporate culture of compliance?
  • Is it time for the company to resurvey to measure the corporate culture of compliance?
  • If a survey is performed, what are the results? Have any deficiencies been demonstrated? If so, what is the action plan going forward to remedy such deficiencies?
  • Did any compliance investigations arise from a cultural problem?
  • Regardless of any survey results, what can be done to improve the culture of compliance within the company?
  • If there were any acquisitions, were they analyzed from a compliance culture perspective?
  • Are there any M&A deals on the horizon, have they been reviewed from the compliance perspective?

Risk Management Questions

Board members need to understand the company’s process being used to identify emerging risks, their evaluation and management. Such risk analysis would be broader than simply a compliance risk assessment and should be tied to other broader corporate matters.

  • What is the risk assessment process?
  • How effective is this risk assessment process? Is it stale?
  • Who is involved in the risk assessment process?
  • Does the risk assessment process take into account any new legal or compliance best practices developments?
  • Are there any new operations that pose substantial compliance risks for the company?
  • Is the company tracking enforcement trends? Are any competitors facing enforcement actions?
  • Has the company moved into any new markets which impose new or additional compliance risks?
  • Has the company developed any new product or service lines which change the company’s risk profile?

Three Key Takeaways

  1. A Board of Directors should inquire into the structural component of the compliance program as it will aid in determining the fundamental sense of a company’s overall compliance program.
  2. Cultural questions should be asked to garner an understanding of what message is being communicated not only from senior management but also middle management.
  3. Risk management questions should be asked to understand the company’s process being used to identify emerging risks, their evaluation and management.
Feb 24, 2017

Where does “Tone at the Top” start. With any public and most private US companies, it is at the Board of Directors. But what is the role of a company’s Board in FCPA compliance? We start with several general statements about the role of a Board in US companies. First a Board should not engage in management but should engage in oversight of a CEO and senior management. The Board does this through asking hard questions, risk assessment and identification.

In a recent White Paper, entitled “Risk Intelligence Governance-A Practical Guide for Boards” the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of compliance risk governance. I have adapted them for the Board role around compliance.

  1. Define the Board’s Role-there must be a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities.
  2. Foster a culture of compliance risk management-all stakeholders should understand the compliance risks involved and manage such risks accordingly.
  3. Incorporate compliance risk management directly into a strategy-oversee the design and implementation of compliance risk evaluation and analysis.
  4. Help define the company’s appetite for compliance risk-all stakeholders need to understand the company’s appetite or lack thereof for compliance risk.
  5. Execute the compliance risk management process-the compliance risk management process should maintain an approach that is continually monitored and had continuing accountability.
  6. Benchmark and evaluate the compliance process-compliance systems need to be installed which allow for evaluation and modifying the compliance risk management process for compliance as more information becomes available or facts or assumptions change. 

All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially it must be important that the Board receive direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as the Audit Committee may more appropriately deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the Securities and Exchange Commission (SEC) desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Reg SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company which fails to make it to fines, penalties or profit disgorgement.

Three Key Takeaways

  1. The Board’s role is to keep really bad things from happening to a Company.
  2. There are six general areas the point can inquire into and lead from.
  3. SEC Reg SK 407 may put greater scrutiny on Boards.
Feb 23, 2017

In this final five days of my One Month to a Better Board series, I will look at inquiries and questions a Board can take to help the organization actually do compliance going forward. I begin with an exploration of how can a Board work to incorporate the compliance function into a long-term business strategy of the organization. A Board can do so by engaging with the Chief Compliance Officer and compliance function through having a strong Board which is committed to doing business ethically and incompliance with anti-corruption laws such as the FCPA and engaging actively with the CCO and compliance function. This post will begin a discuss of various tools and techniques a Board can use and engage to move to this level of engagement.

The first point is to develop a framework for incorporating compliance into your long-term strategy. This framework draws from the State Street Global Advisors’ strategy for sustainability and adapts it to compliance. To set up the framework for evaluation of the compliance function is a three-step process, which you can use to determine how comprehensive you compliance program is as a starting point.

Step 1-has the company identified the compliance issues relevant to the Board?

Step 2-has the company assessed and incorporated those compliance issues into its long-term strategy?

Step 3-has the company communicated its approach to compliance and the influence of those factors on its overall strategy?

From this initial inquiry you can move into some specific questions that the Board can use to determine the overall state of your company’s compliance program. First a Board can work to identify compliance issues material to your organization. This can be accomplished with compliance related key performance indicators, which a Board should then prioritize to elevate their impact on compliance. A Board should consider these through the life-cycle of a business line or geographic sales area. Next the Board should work to move compliance into both the long-term strategy for the company and also have the CCO detail the long-term strategy for the compliance function.

Drawing from the February release Justice Department Evaluation of Corporate Compliance Programs (Evaluation), the Board should actively work to incorporate compliance into the long term capital allocation of the company. Obviously the earlier the investment the better as it brings benefits such as benefits through brand differentiation, lowering the risk profile of the company and improving nimbleness in market responses 

The Board should oversee the incorporate of KPIs into senior management performance evaluations and compensation. Once again building upon the Evaluation which asks how the company monitors its senior leadership’s behavior and how senior leadership modelled proper behavior to subordinates, the Board should make certain systems are in place to quantify or measure performance related to compliance issues, should establish performance goals against which they measure compliance achievement and finally disclose to shareholders the material compliance issues that drive compensation, the specific goals or performance targets that

management has to achieve and report on the actual performance against established goals to justify compensation payouts.

Finally the Board should work to communicate the influence of compliance factors on overall corporate strategy by demonstrating how compliance was integrated into the business. Not only is this good from a business perspective and shareholder expectation but also as the DOJ Evaluation makes clear what the government expects is the operationalization of compliance going forward.

These general factors will lead us into more specific questions that a Board can pose as we continue one month to a better board for a best practices compliance program.

Three Key Takeaways

  1. Having a long term strategy is critical.
  2. What is the Board’s framework for assessing compliance?
  3. Create KPIs to measure senior management’s actions around compliance.
1 « Previous 13 14 15 16 17 18 19 Next » 19