FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Now displaying: Category: compliance know-how
Jul 9, 2018

In this five-part podcast series, I will be taking a deep dive into health care monitoring and how the pro-active use of a health care monitor can positively impact all stakeholders in the healthcare industry: the regulators, the health care industry and the consumers of health care services, the public. I am joined in this exploration by two individuals from Affiliated Monitors, Inc. (AMI), the sponsor of this series. The first is Catherine A. Keyes, Vice President of Operations, and the second is Jesse Caplan, Managing Director of Corporate Oversight. In this first episode, I visit with Jesse Caplan to introduce the use of an independent integrity monitor in the healthcare sector and explain how such a monitor can increase value.

Independent integrity monitoring can be particularly valuable and important in the healthcare sector because in many ways healthcare is the perfect storm for significant compliance risks, but also has a greater opportunity to mitigate those risks. Using an independent third-party compliance expert or monitor can be one strategy to help mitigate risks.

Healthcare occupies a unique space in the American business world. First of all is the size of the healthcare industry, as it accounts for almost 20% of our economy. Moreover, a very large and ever-growing portion of that money comes from the taxpayers, through federal programs like Medicare, Medicaid and the VA, and through state-funded programs. When you have lots of money being spent in a particular industry, there is always the potential for fraud, waste and abuse. Now overlay this with the public money involved, and there is the potential for a False Claims Act or government action, civilly or criminally. Finally, the healthcare industry is highly regulated, with most, if not all, healthcare providers, whether individuals or organizations, licensed by the state, either by a Board or state agency, and some might even be licensed or certified by federal authorities.

Not every healthcare organization has a good handle on either the effectiveness of their compliance program or the compliance culture of their organization. Independent integrity monitoring can proactively assess compliance programs and culture and identify potential areas of compliance risk. Furthermore, it can help mitigate or limit the adverse consequences of violations and help persuade regulators to look more favorably on an organization.

By using an independent compliance expert to do a proactive assessment of a compliance and ethics program and culture, a healthcare organization can get a lot of value by assessing not just whether the organization has a compliance program that appears to meet all the elements of an effective compliance program but the monitor can come in and actually assess whether that program truly is effective. The assessment can identify the ethical culture of the organization, detect gaps, make recommendations to remediate those gaps and provide the organization with a particular level of comfort that the structure of the program is truly effective and that the culture of the organization is such that compliance has been embraced by the workforce throughout the organization from the top to the bottom.

In the second instance, where there is a compliance issue and the organization has the government looking at it, bringing in an independent compliance monitor can help demonstrate to the government that any compliance violations are not indicative of a systematic problem with the compliance program or the ethical culture of the company. It can show the problems have been remediated. Through monitoring, the government can feel comfortable that the organization is going to be a compliant organization going forward. Using an independent integrity monitor can help an organization avoid more severe sanctions, such as license suspension or even exclusion from a government healthcare program.

There is also value to the government of approving a monitoring relationship in a matter they are involved in. Governments and healthcare regulators want to ensure, above all, that patients and healthcare consumers receive high quality and safe care, that taxpayer money is efficiently and well spent, and that there is a healthcare industry environment and culture of compliance, transparency, and quality. An independent monitor can help the company meet these objectives and provide assurance to the government that the compliance risks have been addressed.

An independent integrity monitor can work with the government to ensure compliance with an oversight requirement, such as a Corporate Integrity Agreement (CIA) or other resolution agreement. Yet an independent compliance monitor typically is going to be an expert in compliance and ethics. The healthcare industry is incredibly complex. Hospitals have many different regulations with which they must comply, which are different from the regulations with which a health insurance company must comply, which, again, are different from those for a medical device company. These are but some of the challenges that an independent compliance monitor needs to have expertise in. The independent monitor can come in and do a proactive assessment and identify gaps in particular areas, such as HIPAA (Health Insurance Portability and Accountability Act of 1996) privacy, data security, compliance program and internal controls.

Next up, how proactive assessments can enhance healthcare ethics and compliance programs and culture.

For more information on how an independent monitor can help improve your healthcare entity's ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Jul 9, 2018

In this five-part podcast series, I am taking a deep dive into healthcare monitoring and how the pro-active use of a healthcare monitor can positively impact all stakeholders in the healthcare industry: the regulators, the healthcare industry and the consumers of health care services, the public. I am joined in this exploration with two individuals at Affiliated Monitors, Inc. (AMI), the series sponsor, Catherine A. Keyes, Vice President of Operations, and Jesse Caplan, Managing Director of Corporate Oversight. In this Episode 2, I visit with Caplan on the significance of proactive assessment in healthcare ethics and compliance program in determining culture.

Caplan noted that not every healthcare participant has a good handle on how effective their compliance program is and whether the culture of the organization is such that compliance risks are likely to be timely identified, mitigated and remediated. However, an independent integrity monitor can help healthcare participants to do a thorough pro-active assessment of a healthcare organization’s ethics and compliance program and culture.

An independent compliance expert can bring a fresh set of eyes to any organization or entity. Such an expert can provide several valuable inputs to any organization, including: demonstrating to the Board the organization’s ethical culture and effective compliance program; identifying gaps or weaknesses in the compliance program when a healthcare organization has a problem, for instance, a compliance problem where the government gets involved; providing recommendations for remediation; demonstrating to government regulators the seriousness and effectiveness of the organization’s compliance program; educating an organization’s workforce; and, finally, sending a strong positive message throughout the entire organization that it takes compliance very seriously and expects the workforce to take it seriously as well.

There are multiple ways to conduct a pro-active assessment of an organization’s ethics and compliance program and AMI selects the style and techniques which best fit the situation. Caplan noted some of these techniques can include a review of applicable policies and procedures, whether the organization has a hotline which is in use, and compliance training. However, Caplan emphasized such techniques can only get you so far.

This means you need to also perform an assessment of compliance program effectiveness by a variety of mechanisms such as determining if the compliance policies and procedures are effectively implemented, whether staff are familiar with and truly understand their compliance obligations and even whether they feel they can communicate compliance and ethical concerns or questions without fear of adverse consequences.   

We next turned to how to make such an assessment. Here Caplan noted there are several ways to do so. It can include interviews with individual employees, focus groups with larger numbers of employees, visits to not only the corporate headquarters but also remote company locations and, of course, the analysis of all relevant data. He provided an example where AMI would test a hotline and how, when complaints come in, they are actually handled. Such testing would use all these techniques including employee interviews, focus group meetings and review of data on hotline complaints and case closure rates and data.

A proactive assessment can be used at times beyond simply when an organization may have a reason to believe that it has an ethics or compliance problem. It can be used when there is a change in leadership and the new leadership team wants to see more precisely where they may be on the ethics and compliance scale. It can also be used when there is a major acquisition or a healthcare provider establishes new business units or even goes into new markets.

In some situations an independent evaluation team may be called to work collaboratively with others such as outside counsel. The value of the pro-active assessment starts with the fact that the evaluators are independent and unbiased, which gives them greater credibility with stakeholders. However, the organization and evaluation team can and should work collaboratively to develop the work plan and target potential risk areas. There should also be collaboration in deciding which findings and recommendations of the assessment are to be communicated. All of this helps to provide an independent, unbiased proactive assessment of a compliance and ethics program and can make the organization stronger and the workforce more engaged in compliance.

One of the key differences in healthcare as opposed to perhaps the energy or tech sector or another commercial enterprise, is that the government and the regulators would prefer not to exclude healthcare providers from the healthcare industry. This means even if a healthcare provider has a compliance issue, the government and regulators may be loath to deliver an ultimate sanction and put a healthcare provider out of business. Access to quality healthcare providers is a continuing issue within the industry and particularly for government programs like Medicaid. One of the reasons is that not every healthcare provider is willing to participate in Medicaid programs and, particularly for vulnerable populations, there can be an inadequate number of healthcare providers available to treat those populations. This means from a public policy perspective, whether it is the federal government or state government departments of public health, they all want to have as many quality providers as possible so people and the patients have adequate access to those services.

This can sometimes run up against the tension of healthcare providers in those areas of medical services who have run into difficulties that could pose a threat to patients and the public or could pose a threat to the public financing by misusing or abusing the funds that are being paid. This means that the government or regulators must be comfortable that the problems an organization has have been remediated and will be addressed so that those issues will not arise going forward. If using an independent integrity monitor can help the government by meeting these two objectives of both quality providers and providing sufficient access for its citizens, it is a win for all involved.

Next up, using independent integrity monitoring in licensing and disciplinary proceedings.

For more information on how an independent monitor can help improve your healthcare entity's ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Jul 9, 2018

In this five-part podcast series, I am taking a deep dive into healthcare monitoring and how the pro-active use of a healthcare monitor can positively impact all stakeholders in the healthcare industry: the regulators, the healthcare industry and the consumers of healthcare services, the public. I am joined in this exploration with two individuals at Affiliated Monitors, Inc. (AMI), the sponsor of this series, Catherine A. Keyes, Vice President of Operations, and Jesse Caplan, Managing Director of Corporate Oversight. In this third episode, I visit with Keyes to discuss how an independent integrity monitor can be used in healthcare licensing and disciplinary proceedings.

I started off by asking Keyes about the situation where a state Medicaid Fraud Control Unit finds a provider billing for an unusually high number of patients or procedures per day. Through an investigation, the state unit finds poor documentation that looks like fraud. How can an independent integrity monitor serve as an overall part of a resolution? Keyes noted that initially such a settlement will allow the provider or clinic to continue to practice, which is important for Medicaid providers. Keeping a Medicaid practice open is often very important in some areas, where there are very few Medicaid providers, so having a Medicaid provider remain open is important, not just for the person whose business it is, but also in the community. Keeping or bringing up such a healthcare provider to professional standards is also important. Finally, it is critical all the way around to keep pressure on the provider to make the promised changes to fix the system, and it protects the public by bringing the provider in line with professional standards.

We next discussed the scenario where someone makes a complaint to a licensing board, the complaint is investigated, and the licensing board finds, among other things, that the practitioner’s patient records lack basic elements: for example, adequate notes about treatments. Keyes noted that oftentimes a complaint is made to a state regulatory agency, a licensing board, for example. It might be a dental board, it might be a medical board, it might be a chiropractic board. Most of these licensing boards have regulations that say what minimally should be included in patient records. And this is the standard you would hope that any kind of a medical provider is recording in writing. This is critical for a patient’s medical care going forward.

Here Keyes believes that an independent integrity monitor can be an excellent option as it allows the healthcare provider to continue to practice while providing prompt feedback to the agency about whether the healthcare provider is making promised changes. This is because a straight suspension may hit the pocketbook without helping the provider make meaningful change.

Yet there is an equal if not greater benefit to the healthcare provider as the independent integrity monitor can provide tailored advice about how to bring the practice up to professional standards. Keyes provided a simple yet straightforward example, “I once saw the difference between having a chiropractor’s friend act as a monitor and write an overly simplistic report – ‘the charts look fine’ – and the in-depth feedback given by professional monitors: ‘the history of present illness needs to be more complete, including info about the effectiveness of other treatments received’.”

I asked Keyes about using an approach of an independent integrity monitor in a current situation such as the opioid crisis. She said that such use could allow an independent integrity monitor to track prescriptions and prescribers of opioids and other drugs. She said that as part of a multi-pronged approach to the opioid abuse issue, many states are looking to see who their high prescribers are and whether these are legitimate practices or just pill mills. A monitor can help a provider to put policies and procedures in place to (a) assess the underlying need for pain medication; (b) determine whether someone is actually taking the medications; (c) refer to other specialists for supplemental care: physical therapy, acupuncture, pain clinics; and (d) appropriately terminate care of patients who appear to be getting prescriptions primarily to re-sell the pills.

Yet the benefits do not end there as monitoring, as part of a settlement agreement, could require the provider to reduce the number of pain patients and the quantity of pills prescribed over a certain period. An independent integrity monitor can keep the regulators informed as most state agencies do not have the staff available to track compliance with the details of such an agreement. Independent monitoring is paid for by the licensee. Such use of a monitor also works to protect the public by bringing the professional in line with national standards for assessment, treatment and follow-up of pain patients. Finally, using a monitor can allow the provider to remain open and demonstrate their commitment to improved practice. Healthcare providers are quick learners and, in some cases, putting a structured program in place is a relief.

Next up, using monitors in administrative proceedings not related to discipline and licensing issues.

For more information on how an independent monitor can help improve your healthcare entity's ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Jul 9, 2018

In this five-part podcast series, I am taking a deep dive into healthcare monitoring and how the pro-active use of a healthcare monitor can positively impact all stakeholders in the healthcare industry: the regulators, the healthcare industry and the consumers of health care services, the public. I am joined in this exploration with two individuals at Affiliated Monitors, Inc. (AMI), the sponsor of this series, Catherine A. Keyes, Vice President of Operations, and Jesse Caplan, Managing Director of Corporate Oversight. In this episode, I visit with Keyes to discuss how an independent integrity monitor can be used in non-disciplinary administrative proceedings.

The first scenario is around hospital conversions. Many states have laws in place to protect the public’s interest when a not-for-profit hospital is sold to a for-profit entity. The state’s Attorney General or Department of Health may impose conditions on the new entity, in some cases to prevent it from simply “flipping” the hospital and extracting the dollar value of the goodwill that was invested by the state when it was not-for-profit.

Hospitals started by charitable or religious organizations may have been acquired or approached by for-profit entities who might be interested in acquiring them. States are concerned that these healthcare institutions may simply be snapped up, so the states want to make sure that the interests of the public are really protected. There are multiple interests that the public has when a not-for-profit entity is bought by a for-profit entity, including things like making sure that the for-profit entity will exist as a healthcare provider for a reasonable period of time, that they are good neighbors, that they pay taxes and that, if there were charities in place, those charities continue.

When such a conversion occurs, the purchaser may agree to a wide variety of conditions, such as maintaining certain services, making capital improvements, expanding in certain areas, meeting certain public health standards (for immunizations, treatment standards, coordination of care) and addressing certain public health priorities, such as opioid overdose risks or area-specific issues like Lyme disease. An independent integrity monitor may engage in some or all of the following: review of money to be sure it is spent according to conditions; review of policies, procedures, contracts, training materials; review of assignment of assets, e.g. donations that were earmarked for a purpose that is no longer possible; visits to the hospital to see if certain programs are functioning, to see if services are being offered as agreed-upon; interviews with staff to see how medical requirements are being met; and review of charts to see whether processes are being followed. In short, there is a wide variety of conditions which may be in place or which the state or regulators want visibility into, and a monitor can provide that visibility.

A monitor can also consider other factors, which may seem to be less healthcare related but could impact a conversion. There might be an agreement for capital improvements, for example, there might be total dollar amounts to be invested, dollar amounts per year or there might be dollar amounts over a span of time. It could all depend on what the long-term plans are for the acquirer. As an acquirer typically does not make a lot of capital improvements in the first year, a regulator would need a monitor in place for some period of time to make sure the investments are made and the money spent is actually going to capital improvements. There could be ancillary agreements such as participation in and sponsoring of community activities or education, all of which need to be monitored.

A monitor can drill down into whether the healthcare provider put out advertisements about those kinds of things and see if the public and the person or persons involved actually attended them. Another area often seen is around charitable assets, where a donor may have made a bequest to a hospital for a specific purpose. If the specific purpose is no longer available, for instance, if it was for a hospital wing that is getting closed down and not being used for the kind of care that it was set up for, those assets might be reassigned.

A second area could be granting of licenses or Certificate of Need and the conditions that a state may impose. This could be for a new hospital, a renewal or some other healthcare facility where the state really wants to have some continued oversight. Keyes explained that while it is not substantively different than the acquisition realm, it is more quantitatively different. There may be a smaller set of conditions that have been agreed upon. An example might be a Certificate of Need associated with the purchase of a large piece of equipment which might change the dynamics around a facility.

An independent integrity monitor extends the capability of the state agencies and regulators; it allows them to confirm that the entities are meeting the conditions. A monitor can review the paper trail indicating that the agreed-upon processes are in place and can help to keep a healthcare provider’s compliance program on a schedule, so that it does not slip too far down the list of company priorities.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Jul 9, 2018

Over this five-part podcast series, I have been taking a deep dive into healthcare monitoring and how the pro-active use of a healthcare monitor can positively impact all stakeholders in the healthcare industry: the regulators, the healthcare industry and the consumers of healthcare services, the public. I have been joined in this exploration by two individuals at Affiliated Monitors, Inc. (AMI), the sponsor of this series. They were Jesse Caplan, Managing Director of Corporate Oversight, and Catherine Keyes, Vice President of Operations. Today, I conclude the series with Caplan on using independent integrity assessment and monitoring to limit adverse consequences.

Many compliance practitioners in the healthcare space (and those in commercial space) often ask if an independent integrity review and monitoring can be helpful where an organization may have reason to believe it has an actual or potential compliance problem but has not yet been subject to an enforcement action or a Corporate Integrity Agreement (CIA) imposed by the government. There are several reasons this is particularly true in the healthcare space. Caplan noted that the government expects, in fact demands, that healthcare organizations self-report certain types of compliance violations. He provided some examples such as overpayments healthcare providers may have received from the government, or false or fraudulent claims that they have billed the government and certain types of privacy breaches.

Caplan believes that using an independent compliance expert can be useful in dealing with the government enforcement agency and convincing that agency to look more favorably where severe sanctions might otherwise be imposed. An independent integrity monitor can be helpful to a healthcare organization where they may have compliance violations. It can even be true with current healthcare issues such as the opioid crisis and excessive opioid prescribing.

Moreover, an independent integrity monitor can be very useful when the organization thinks it has a problem. A monitor can be brought in to assess the compliance program, make recommendations for improvements and then be available to monitor the remedial recommendations as they are implemented. If an organization makes a self-disclosure or if the government comes and investigates the company, they can point to the fact that they have used an independent integrity monitor to assess the compliance program and, equally importantly, themselves, and that they will continue to use the monitor to ensure continued compliance.

By using an independent integrity assessment, an organization can demonstrate to the government entity that the problems with the company’s compliance regime are not endemic or structural but more of an isolated incident. This can help to provide confidence to the public that they can continue to operate safely and in compliance and provide assurance to the government and regulators that it can continue to participate in the government programs with little fear of having those violations reoccur. This can have a very large impact on what types of action the government or regulator will take.

The bottom line in healthcare regulation is that government enforcement and regulatory agencies would prefer not to exclude important healthcare providers who have compliance issues. Their goal to ensure access to sufficient quality providers is a constant challenge for healthcare policymakers. Regulators generally agree that the best solution is to have providers with compliance issues remediate their problems and implement a sustainable and effective ethical compliance program. Engaging an independent compliance expert and monitor can provide the government with confidence that the organization has remediated and will be an effective, compliant participant.

We conclude this episode with a few of Caplan’s thoughts on how an independent integrity monitor could have impacted two matters widely in the public eye. They are the matter of Theranos, Inc. and the opioid crisis. With regards to Theranos, a wide variety of stakeholders could have requested that a truly independent monitor come in and assess compliance at the company. It could have been the Board of Directors, the Securities and Exchange Commission (SEC), state or federal healthcare regulators or even third parties who were looking to do joint ventures with the company. Such an assessment might have saved many jobs, investments, careers and reputations.

In the opioid crisis, an independent monitor could have done the assessment around large numbers of drugs being prescribed by one doctor or prescribed to be delivered through one pharmacy. But the analysis could have gone much deeper by focusing on the corporate compliance programs, their implementation and training. It could have also looked at those who spoke up by using the hotline or other internal reporting mechanisms.

All of this means that an independent integrity monitor in the healthcare space can be used in a variety of ways and through a variety of mechanisms.

For more information on how an independent monitor can help improve your healthcare entity's ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Jul 5, 2018

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly and I take a deep dive back into the proposed changes to the SEC Whistleblower program in light of Digital Realty Trust and the new administration.

The major proposed changes include the following:

  1. More bounty payments for smaller settlements;
  2. A cap on the top end awards of $30 million, no matter how great the settlement;
  3. Requirement that for the purposes of Dodd-Frank Whistleblower anti-retaliation protection, any information must be submitted in writing; and
  4. A widening of the SEC’s discretion to award whistleblower claims based on public information using independent evaluation and analysis.

We unpack all of these points and consider the implications for corporate compliance programs.

For more reading: see Matt’s piece On SEC Whistleblower Reforms

Jul 2, 2018

In this episode I visit with Shawn Rogers, Lead Counsel, Compliance Training and Communications at General Motors. Rogers was brought in to beef up the company’s compliance training after the ignition switch scandal. He talks about his design, creation and implementation of a tailored and focused compliance training program. Some of the highlights include:

  • The guiding principles for GM compliance training: trust and respect.
  • The differences between risk-based training versus check-the-box training.
  • Demonstrating how a risk-based training program benefits GM.
  • The legacy challenges for GM in compliance training and how this new approach responded to these challenges.
  • The influencing factors for GM compliance training.
  • The Risk-Based Training Program Architecture at GM.
  • The GM Compliance Training Strategy.
  • An explanation of where compliance training fit into the overall GM compliance training culture.
  • How GM tailors its training for high-risk employees.
  • How GM demonstrates compliance training effectiveness.

For more from the interview with Shawn Rogers, see the article in Compliance Week.

Jun 25, 2018

In this episode, I visit with John Warren, Vice President and General Counsel at Association of Certified Fraud Examiners and Andi McNeal, Director of Research at ACFE. In this podcast we discuss:

  • What is the Report to the Nations?
  • How long has ACFE been releasing it?
  • Have the trends been consistent over the past 10 years?
  • Owners/execs account for small percentage of losses but have a median loss of $850K;
  • Corruption was the most common scheme in every global region;
  • Median losses are far greater when fraudsters collude;
  • Data monitoring/analysis and surprise audits were correlated with the largest reduction in fraud loss, what does that mean for detection and prevention?
  • Considerations from the Corruption Section in the Report;
  • What were the top red flags in corruption cases? Do these differ from other types of fraud?
  • What are the industries or business sectors with highest proportion of corruption cases?
  • One of the most significant sets of findings seems to be the behavioral aspects of fraud. Do those same aspects appear in corruption cases? If so, can more traditional behavioral risk detection or prevention techniques be brought to the structural solutions used to fight corruption?

The ACFE Report to the Nations is an excellent reference tool for all compliance practitioners to show where fraudsters exploit weak points. It also has important data around corruption, and from this information you can make your compliance program more robust around the areas which can be exploited.

To download a copy of the Report to the Nations, click here.

Jun 18, 2018

In this episode, I visit with Kristy Grant-Hart, founder of Spark Compliance Consulting and author of now three books in the compliance arena. We discuss her most recent book “How to Have a Wildly Successful Career in Compliance", which will be released on Amazon.com on June 19. For those of you who have seen Kristy speak you know she is high energy and very passionate about compliance and the compliance profession. She channels that energy and passion into her latest book. In this podcast we discuss:

  • Why did she write this book?
  • Why is the winding career of a compliance professional so important?
  • Why is it more important for women to “ask for it” around salary/comp/promotions?
  • Why is moving up the corporate ladder more like climbing a jungle gym?
  • Why is understanding the numbers and business plan so important to a compliance professional?
  • How does one raise their profile in the compliance profession?
  • Why is collaboration so important for a compliance professional and a corporate compliance function?

Kristy is the author of two prior books on compliance, How to Be a Wildly Effective Compliance Officer and Wildly Strategic Compliance Officer Workbook. Both are must reads for compliance professionals. Her latest entry gives solid tips and point-by-point steps on how to have a successful career in the compliance field. But it is more than simply Kristy’s thoughts, as she interviewed compliance professionals from literally across the globe on how they have become wildly successful.

Yet there is one thing about the book that I think makes it most useful for every compliance practitioner out there. It is that the book works on multiple levels and for multiple stakeholders. Obviously, it is targeted and works for the compliance practitioner but it also works for a CCO who is thinking about working with senior management and a Board of Directors. Further it works on a compliance program level, with many of Kristy’s tips translating into compliance program best practices.

Finally, Kristy tackles head on the issue of women succeeding in the compliance profession. She writes this chapter with clear-eyed focus; not ranting or raving but giving women the tools they need to succeed in the compliance profession and in the greater corporate world. I found this chapter so powerful I bought a copy for my 21-year-old daughter to help prepare her for her professional career after she graduates from college.

To purchase a copy of How to Have a Wildly Successful Career in Compliance on Amazon.com, click here.

For more information on Kristy’s books, check out her site, Compliance Kristy by clicking here.

Finally for more information on Kristy’s consulting company, Spark Compliance Consulting, click here.

Jun 11, 2018

In this episode, I visit with Rick Pearl, the Global Corporate Responsibility Officer and Vice President of Corporate Citizenship at State Street Corp. We discuss the 2017 State Street Corporation, Corporate Responsibility Report. Some of the highlights include:

  • Qs from section on Risk Culture and Compliance at State Street and its portfolio companies;
  • What are the three lines of compliance defense?
  • Should there be a risk committee at the Board level?
  • What is find once, fix many? How does SSGA implement this?
  • What is Ethical Decision-Making Framework and how does SSGA train on it?
  • How does SSGA use supplier assessment strategies?
  • What are SSGA’s responsible sourcing programs?
  • What is SSGA’s internal governance program allowing for multilevel assessment of vendors and service providers globally?
  • What is SSGA’s Innovation for Value Creation?

Here are the links to State Street’s Corporate Responsibility Report and overview. 

Report- 

http://www.statestreet.com/values/corporate-responsibility.html

Overview- 

http://www.statestreet.com/content/dam/statestreet/documents/values/CR_Overview_Final.pdf

Jun 6, 2018

In this episode, Matt Kelly and I take a deep dive into the issue of two factor authentication of cloud-based solutions and the intersection with compliance. While it may not appear as obvious, when you consider such preventative controls as authentication at log-in as a risk management strategy, the compliance angle becomes more clear. Two factor authentication is a current response to the risk of data breach through hacking. It requires a policy, training on that policy, coupled with communications and the ongoing monitoring of strategy.

When you couple all the above you can see the role compliance will play going forward. As with any best practices compliance program, it all starts with a risk management strategy. Begin with forecasting on whether you will use any cloud-based apps (you do), then move to a risk assessment and follow up with risk-based monitoring. It all starts with the nuts and bolts of compliance and continues throughout the process.

Matt Kelly’s piece Let’s All Freak Over Cloud Apps, Security

Jun 4, 2018

Today, I begin a five-part series on Suspension and Debarment, with Rodney A. Grandon, Managing Director at Affiliated Monitors, Inc., (AMI) the sponsor of this series. During a 27-year career with the US military and government, Grandon served as the Air Force’s Suspending and Debarring Official as well as a wide variety of other functions which gives him subject matter expertise into issues surrounding this topic. Over the next five podcasts I will be exploring several topics with Grandon including:

Part 1-Introduction to Suspension and Debarment;

Part 2-What is the difference between Suspension and Debarment?

Part 3-What is the convergence between Suspension & Debarment and the FCPA?

Part 4-What is a present responsibility determination?

Part 5-Remedies and Compliance in Suspension and Debarment.

The series begins with introduction to suspension and debarment.

On the GSA website, it states, “The suspension and debarment process protects the federal government from fraud, waste and abuse by using a number of tools to avoid doing business with non-responsible contractors. Suspensions, Proposals for Debarment, and Debarments are the most widely known tools as these actions are visible to the public”.

More generally, suspension and debarment are not civil or criminal matters resulting in a penalty being imposed on a particular party. Suspension and debarment is an administrative matter. In a civil or criminal matter, the Department of Justice (DOJ) takes the lead in those actions, which are contested litigated matters with civil and criminal rules around evidence and procedure. While suspension and debarment have evidentiary and procedural considerations, they are much more informal. Grandon noted the rules basically say they should be as informal as is practicable under the circumstances.

Grandon also reiterated that another key difference is the lack of a penalty. Suspension and debarment do not result in a penalty. In fact, the regulations make it very clear. They are used “only as a proactive protective measure, basically to protect the government’s interests from contractors that either don’t have the capability to perform or to provide the goods and services to be a suitable business partner with the federal government.”

A final major distinction between a civil or criminal matter and suspension and debarment is that the latter are within the hands of the given agency, as opposed to the DOJ or a US Attorney’s office, which has the lead in civil and criminal actions. Conversely, when it comes to suspension and debarment, those actions are distributed across the various federal agencies. Each agency has its own Suspending and Debarring officials. Grandon noted they “have a lot of discretion that they can exercise in this process.”

I next inquired about the remedy of suspension and debarment itself: what is the process the government would go through to reach the point where they might invoke one of the remedies? Grandon noted the key in suspension and debarment is to protect the government’s interest. This means “when information is identified within the agency that a given contractor lacks the integrity or we suspect lacks integrity to be a good business partner for the government, or if a contractor fails to perform; the action an agency will begin to develop is a record of the issues involved.” There are a variety of tools an agency will use to develop a record, including coordinating resources from the acquisition community, the investigators within the agency and the suspension and debarment community, which in most cases also has a responsibility for the agency’s fraud coordination or fraud remedies program.

The basic flow begins with the information to establish whether or not there is evidence that triggers a cause for the action and if there is evidence, then the decision can be made by the Suspending and Debarring official to initiate that action. Grandon noted, “information flow leads to whether or not to initiate the action. In the case of a suspension, the focus is usually on a matter that is still being investigated, as suspension is a temporary solution.” Debarment is more permanent.

Grandon concluded by noting that suspension and debarment, while being technically different, effectively impose the same conditions on the contractor that is the subject for the action. It is that the contractor is excluded from competing for or receiving award of federal contracts, federal grants and other federal financial assistance. The remedy of suspension and debarment can be very devastating. Grandon specifically said it has been “referred to as a potential death sentence for companies that are dependent on federal dollars for their revenues.” Yet that is not the basis for a decision which is “whether or not there’s a need to protect the government’s interest.”

Tomorrow we take up the differences between suspension and debarment.

Jun 4, 2018

I continue a five-part series on Suspension and Debarment, with Rodney A. Grandon, Managing Director at Affiliated Monitors, Inc., (AMI) the sponsor of this series. During a 27-year career with the US military and government, Grandon served as the Air Force’s Suspending and Debarring Official as well as a wide variety of other functions which gives him subject matter expertise into issues surrounding this topic. During the series I will be exploring several topics with Grandon including:

Part 1-Introduction to Suspension and Debarment;

Part 2-What is the difference between Suspension and Debarment?

Part 3-What is the convergence between Suspension & Debarment and the FCPA?

Part 4-What is a present responsibility determination?

Part 5-Remedies and Compliance in Suspension and Debarment.

In this episode, we discuss some of the key differences between a suspension and a debarment.

Recall that the GSA website states, “The Suspension and Debarment process protects the federal government from fraud, waste and abuse by using a number of tools to avoid doing business with non-responsible contractors. Suspensions, Proposals for Debarment, and Debarments are the most widely known tools as these actions are visible to the public”. A suspension is used when there is an immediate need. It is a temporary measure; there is a twelve-month limit, which can be extended for another six months. A debarment is for a specific term but is generally not longer than three years.

Grandon noted a “suspension is to essentially take steps to protect the government’s interest from a contractor that is believed to be unsuitable as a business partner, until more of the facts can be assembled. Generally, the investigation is underway and there is a need to take protective steps before all the information has been fully gathered.” Grandon emphasized the temporary nature of a suspension while debarment is seen as more permanent, even with the limit of the term.  

Procedurally, a suspension requires notice at the time that a party is entered into the exclusive parties list on the System of Acquisition Management (SAM). A notice letter is issued to the contractor advising that the government has initiated the suspension, the factual basis for the suspension and the rights and procedures available to the respondent as it relates to the suspension. The notice usually indicates the exclusion is effective immediately.

A suspension is effective throughout the Executive Branch of the Federal government and applies to procurement and non-procurement programs. A suspended party cannot present offers or be awarded new contracts or contract renewals. Further, offers will not be solicited from, contracts will not be awarded to, existing contracts will not be renewed or otherwise extended for, and subcontracts requiring Government approval will not be approved for a suspended company by any agency in the Executive Branch of the Federal government, unless the head of the agency taking the contracting action or a designee states, in writing, the compelling reason for continued business dealings between the company and the agency.

A suspension prevents a company from conducting business with the federal government as an agent or representative of other contractors or of participants in Federal assistance programs, nor can they act as an individual surety to other Government contractors. It also prevents any such companies from being subcontractors to approved or at least non-suspended contractors. Finally, all affiliations of a suspended entity with a company doing business will be examined.

A debarment begins with notice of a proposed debarment and again the party is put into SAM on the exclusion list. A notice is sent out at the same time advising the party that they have been excluded from federal contracting under the procurement role. Once again, a debarment is temporary, is usually three years in length and is based upon a preponderance of the evidence, usually a conviction.

Another commentator has noted that suspension and debarment “essentially eliminate a company’s access to future government revenue, the consequences can be devastating. A company is not only excluded from future government contracts and subcontracts, it is also rendered ineligible for, among other things, federal grants, loans, and subsidies. In addition, the collateral consequences that stem from S&D can be equally, if not more, destructive. A suspended or debarred company may be precluded from contracting with state and local governments, foreign governments, or international organizations (such as the World Bank). A company may also lose its government security clearances and licenses. The reputational damage caused by the suspension or debarment may harm a company’s commercial interests as well.” Indeed, Grandon noted, “It can be very devastating in many cases and it has been referred to as a potential death sentence for companies that are dependent on federal dollars for their revenues.”

Some of the reasons for a suspension or debarment can include commission of fraud, embezzlement, theft, forgery, bribery, falsification or destruction of records, making false statements, tax evasion, violating Federal criminal laws, receiving stolen property or an unfair trade practice. A basis can also be if a company fails to perform the contract and, most interestingly, if a contractor knowingly fails “to disclose violation of criminal law”. The bottom line is suspension and debarment can strike fear into the heart of any federal government contractor.

Tomorrow we take up the convergence between the Foreign Corrupt Practices Act (FCPA) and suspension and debarment.

Jun 4, 2018

I continue a five-part series on Suspension and Debarment, with Rodney A. Grandon, Managing Director at Affiliated Monitors, Inc., (AMI) the sponsor of this series. During a 27-year career with the US military and government, Grandon served as the Air Force’s Suspending and Debarring Official as well as a wide variety of other functions which gives him subject matter expertise into issues surrounding this topic. During the series I will be exploring several topics with Grandon including:

Part 1-Introduction to Suspension and Debarment;

Part 2-What is the difference between Suspension and Debarment?

Part 3-What is the convergence between Suspension & Debarment and the FCPA?

Part 4-What is a present responsibility determination?

Part 5-Remedies and Compliance in Suspension and Debarment.

Today, we discuss some of the convergence between the Foreign Corrupt Practices Act (FCPA) and suspension and debarment. The bottom line is that conduct which violates the FCPA can become the basis for a suspension or debarment, even if the conduct is outside a contract with the Federal government.

Debarment may be based on actions so serious or compelling that it affects the present responsibility of the contractor or subcontractor. Grandon noted, “there is some fairly broad language as to what the basis for a suspension and debarment can be.” This means that in the context of anti-corruption laws, it can be the basis of a suspension or debarment, further meaning that under the FCPA, the conduct to incur a violation does not require actual bribery or corruption. It can be “bad record keeping associated with that and the context of engagements with foreign officials, the activity that would generally fall outside the realm of a public contract or subcontract. From the suspension and debarment perspective, it is critical to recognize here that the standard definition for contractor issues from the rule does not require that the entity actually has a contract in place.”

In the context of suspension and debarment, Grandon noted, “It’s just simply that they may have a contract or may compete at some point for a contract that they may become a contractor, so essentially any business activity that provides goods or services that the federal government may be interested in acquiring potentially could fall within the definition of contract. When one considers the FCPA, practically any business would fall within that definition of contractor. These sanctions are not limited to contractors that have existing contracts and they are not limited to misconduct that occurs in the context of a federal contract. In my experience, I have dealt with several matters involving violations of the FCPA activity that was clearly outside the scope of a federal contract or subcontract, but where the conduct was committed by very large federal contractors.”

Another angle to the convergence of FCPA and suspension and debarment was raised by two authors, then South Texas College of Law student Nicholas J. Wagoner and Professor Drury D. Stevenson in a piece entitled “FCPA Sanctions: Too Big to Debar?”, where they posited the question: “Are certain private contractors too big to debar?” Their conclusion is “It appears so” and the authors stated, “The federal government is too dependent on a particular set of large, private-sector corporations for equipment and services. In addition to the virtual immunity from debarment enjoyed by these firms when they violate the FCPA, the fines imposed for engaging in foreign corrupt practices comprise a tiny fraction of the potential revenue generated by lucrative contracts with the U.S. and foreign states. When discounted by the low probability of detection, these sanctions are far too low to deter unlawful activity.” One solution raised by the authors for the issues regarding fines and penalties for companies which violate the FCPA, is debarment and suspension. They urge that debarment would be a significant deterrent for US government contractors and would “increase compliance with the FCPA.” The authors also suggest that the threat of debarment as a penalty would increase self-disclosure without any increased enforcement efforts if companies received the “meaningful reward” of a lesser penalty through self-disclosure.

Grandon reiterated that a wide variety of conduct can form the basis of a suspension or debarment. It can be “any fraud or criminal offense in the context of obtaining, attempting to attain, forming a public contract or subcontract that is within the scope of antitrust statutes, violations, whether federal or state embezzlement, theft, forgery, falsification or destruction of records, false statements, tax evasion, violating basically any federal law.”

He concluded with the concept of “present responsibility, which is not defined anywhere on the regulatory structure. It is left to the discretion of the agency suspending or debarring and, in most cases, that official is going to look back at it.” The basic question asked will be “is there a reason to be concerned about the integrity of that contractor? And that gets us into a fairly deep dive of the ethics and compliance program.”

Tomorrow we take up the issue of present responsibility.

Jun 4, 2018

I continue a five-part series on Suspension and Debarment, with Rodney A. Grandon, Managing Director at Affiliated Monitors, Inc., the sponsor of this series. During a 27-year career with the US military and government, Grandon served as the Air Force’s Suspending and Debarring Official as well as a wide variety of other functions which gives him subject matter expertise into issues surrounding this topic. During this series we are exploring several topics, including:

Part 1-Introduction to Suspension and Debarment;

Part 2-What is the difference between Suspension and Debarment?

Part 3-What is the convergence between Suspension & Debarment and the FCPA?

Part 4-What is a present responsibility determination?

Part 5-Remedies and Compliance in Suspension and Debarment.

Today, we discuss present responsibility and its determination.   

Grandon began by stating that present responsibility has become sort of a “buzzword. It’s the underlying basis for action involving excluding a party from the federal marketplace through suspension or debarment.” Unfortunately, the phrase itself is not defined anywhere in the regulatory structure. This means its determination comes “down to the discretion of the federal officials who have been empowered to exercise the suspension and debarment authority.”

Yet even with this lack of a statutory or regulatory definition, Grandon noted “there are some common factors and guidelines out there that can help the compliance community understand some of the elements of suspension and debarment, as they relate to this issue.” He went on to explain this meant “when an action is initiated, it is generally based on facts that trigger one of the causes that are set forth in the regulations, notwithstanding the fact that the evidence establishes the cause and which in most cases there’s generally no dispute that the cause has been proven by the appropriate burden of evidence.”

As with most processes there is a shifting burden of proof. First, “the evidentiary burden falls to the government. Once that burden is satisfied by the appropriate level of evidence, then the burden shifts to the contractor to establish it as personally responsible.” At this point a contractor, facing suspension or debarment, could look to Federal Acquisition Regulation (FAR) 9.406-1 for guidance.

What does that mean? The FAR notes the following:

(a) It is the debarring official’s responsibility to determine whether debarment is in the Government’s interest. The debarring official may, in the public interest, debar a contractor for any of the causes in 9.406-2, using the procedures in 9.406-3. The existence of a cause for debarment, however, does not necessarily require that the contractor be debarred; the seriousness of the contractor’s acts or omissions and any remedial measures or mitigating factors should be considered in making any debarment decision. Before arriving at any debarment decision, the debarring official should consider factors such as the following:

(1) Whether the contractor had effective standards of conduct and internal control systems in place at the time of the activity which constitutes cause for debarment or had adopted such procedures prior to any Government investigation of the activity cited as a cause for debarment.

(2) Whether the contractor brought the activity cited as a cause for debarment to the attention of the appropriate Government agency in a timely manner.

(3) Whether the contractor has fully investigated the circumstances surrounding the cause for debarment and, if so, made the result of the investigation available to the debarring official.

(4) Whether the contractor cooperated fully with Government agencies during the investigation and any court or administrative action.

(5) Whether the contractor has paid or has agreed to pay all criminal, civil, and administrative liability for the improper activity, including any investigative or administrative costs incurred by the Government, and has made or agreed to make full restitution.

(6) Whether the contractor has taken appropriate disciplinary action against the individuals responsible for the activity which constitutes cause for debarment.

(7) Whether the contractor has implemented or agreed to implement remedial measures, including any identified by the Government.

(8) Whether the contractor has instituted or agreed to institute new or revised review and control procedures and ethics training programs.

(9) Whether the contractor has had adequate time to eliminate the circumstances within the contractor’s organization that led to the cause for debarment.

(10) Whether the contractor’s management recognizes and understands the seriousness of the misconduct giving rise to the cause for debarment and has implemented programs to prevent recurrence.

From Grandon’s perspective, it all “starts at the top with effective standards of conduct and internal controls at the time that misconduct occurred. Second, did the contractor disclose this conduct to the government? Third, has a contractor investigated the matters and made those results available to the government? Has the contractor cooperated with the government in terms of trying to work through the various challenges and the various remedies associated within this conduct? And, finally, has the contractor taken appropriate corrective action?” Such corrective actions include “disciplinary action, and assessment of internal controls, policies and procedures that were designed to either prevent or identify a misconduct and what can be done to strengthen that process. Is the contractor willingly embracing the problem and pursuing an appropriate resolution?”

Tomorrow we conclude with the topics of remedies and compliance.

Jun 4, 2018

I conclude my five-part series on Suspension and Debarment, with Rodney A. Grandon, Managing Director at Affiliated Monitors, Inc., (AMI) the sponsor of this series. During his 27-year career with the US military and government, Grandon served as the Air Force’s Suspending and Debarring Official as well as a wide variety of other functions which gives him subject matter expertise into issues surrounding this topic. Over this series, we have explored several topics, including:

Part 1-Introduction to Suspension and Debarment;

Part 2-What is the difference between Suspension and Debarment?

Part 3-What is the convergence between Suspension & Debarment and the FCPA?

Part 4-What is a present responsibility determination? and

Part 5-Remedies and Compliance.

Today, we conclude the series with a discussion of remedies and compliance in suspension and debarment.

Grandon began by observing that the defense community largely led the process of putting together effective ethics and compliance programs. “There were defense industry initiatives where the contractors get together and talk about what it takes to promote ethics and compliance and the defense industry has been doing this for years.” This led Grandon to find that non-governmental commercial industries were not as far along as defense industries.

However, Grandon believes there has “been a tremendous growth and understanding that ethics and compliance is critical for any company, whether it’s in the defense sector, the commercial sector, as companies have become more willing to do what is necessary to build these compliance programs, to try to instill within their workforce, appropriate standards of conduct, articulate clear expectations for employee behaviors and then understanding that there are consequences that flow from this. They worked hard to create cultures that allow communications to go up from the bottom of the workforce and down from the top of the workforce.”

In his experience, it all starts with the appropriate “tone at the top”. This is because “Integrity is critical for the company. Not simply to avoid problems, but it’s important to be honest with your customers and your stakeholders. All of this is absolutely critical.” While it is Grandon’s sense that initially “the defense community led this; the commercial community has swiftly moved to catch up with this.”

We then turned to remedies, where Grandon noted, “federal agencies, particularly within the Department of Defense, look to coordinate fraud remedies.” He said where there is an “indication of misconduct within the government contract or involving a government contractor fairly broadly defined, there’s a focus on identifying and coordinating remedies, whether they be criminal, civil, administrative, to include suspension and debarment, or contractual. In almost every one of these cases there is at some point going to be an analysis.”

The key analysis is “going to come down to the integrity of that contractor. What does it have in place to achieve compliance within its business operations?” There is going to be a focus on the question of whether the contractor can be “trusted to get it right?” In the final analysis, the question will be “is there evidence to support the cause for the action?”

Grandon then walked through the next steps, which would turn on the present responsibility determination. He said, “the inquiry goes to whether or not the contractor is presently responsible. This will make the focus on ethics and compliance and those companies that embrace their principles are going to have an advantage and be in a much better position.” Grandon emphasized that it is critical that companies take these challenges “so that they have ethics and compliance programs, that they test and make sure that those programs and those efforts are achieving the type of results that are expected in terms of employee behavior, in terms of good communication throughout the organization.”

In the realm of suspension and debarment, government agencies are increasingly requiring independent corporate monitors as part of their settlement agreements with organizations facing suspension, debarment or criminal prosecution. Grandon believes that an imposed monitorship can actually be an opportunity for a company. He said, “Usually these agreements are in place for roughly three years, but they give the contractor an opportunity to more holistically look at its operations and assess what it needs to do to truly build a strong ethics and compliance program. In most cases, the government will require the contractor which has entered into the administrative agreements, to hire an outside independent monitor to assess whether or not it is achieving those objectives. This creates this opportunity for companies to demonstrate the ability to be responsible, to continue to participate in the federal marketplace, while that trust relationship involving the contractor’s integrity is continuing to be established.” This process also allows contractors to “gain themselves a tremendous advantage in any of these sanctions reviews, civil, criminal or suspension and debarment, by having in place a strong commitment to ethics and compliance, solid training programs they are willing to test programs and stay on top of their risk profile.”

Grandon related that while he was a Suspending and Debarring Officer, he often required monitors as a part of an agreement. He said, “The Monitor is not there to be an advocate. The Monitor there is to be an independent and objective set of eyes and ears for the regulator, for the government. There has to be an arm’s length relationship between that monitor and the contractor. That’s not to say it’s antagonistic and it never should be a gotcha proposition. You know, where the monitor is, is trying to, I know through trickery or otherwise, put the contractor into an awkward situation.”

Grandon concluded by noting, “independence, objectivity of good business sense, the Monitor must understand how businesses operate, what are the challenges associated with a very diverse workforce. A monitor has to be able to take in all of these different considerations and at the end of the day be reasonable.”

I hope you have enjoyed this five-part series on suspension and debarment.

May 29, 2018
1. Financial Incentives for Compliance

One of the areas that many companies have not paid as much attention to in their compliance programs is compensation. However, the DOJ and SEC have long made clear that they view monetary structure for compensation, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, former SEC Director of Enforcement Stephen M. Cutler noted that integrity, ethics and compliance needed to be part of promotion, compensation and evaluation processes: “At the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.” 

The 2012 FCPA Guidance stated the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”

2. The Fair Process Doctrine

One of the areas in which Human Resources can operationalize your compliance program is to ensure that discipline is handed out fairly across an organization and to reward those employees who integrate such ethical and compliant behavior into their individual work practices going forward. In addition to providing a financial incentive for ethical behavior, it also provides a sense of institutional objectivity. Institutional objectivity comes from procedural fairness and is one of the things that will bring credibility to your compliance program.

Today, that kind of objectivity is called the Fair Process Doctrine, which recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. As you incorporate the Fair Process Doctrine in your compliance program, there are three key areas to focus on.

To purchase a copy of The Complete Compliance Handbook on Amazon.com click here.

To purchase an autographed copy of The Complete Compliance Handbook from the author click here.


May 29, 2018

As every compliance practitioner is well aware, third-parties still present the highest risk under the FCPA. The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third-party management. It begins with the following: 

How has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

What was the business rationale for the use of the third-parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?  

This first set of queries clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements laid out in the 10 Hallmarks of an Effective Compliance Program and the Evaluation. They are:

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third-party;
  3. Due Diligence on Third-party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third-parties After Contract Signing.



May 29, 2018

Hallmark Nine of the Ten Hallmarks of an Effective Compliance Program, as articulated in the 2012 FCPA Guidance, states: "a good compliance program should constantly evolve."

This means keeping track of external and internal events which may cause changes to business processes, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company (i.e., a company reorganization or major acquisition).

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the U.S. Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. 

The 2012 FCPA Guidance made clear that each company should assess and manage its risks. It specifically noted that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and SEC consider when evaluating a company’s compliance program in any FCPA investigation. This is why a “check the box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges. 

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.


May 29, 2018

In the context of mergers and acquisitions under the FCPA, in a near perfect example of the Howard Sklar maxim that “water is wet,” the 2012 FCPA Guidance stated “mergers and acquisitions present both risks and opportunities. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.” While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners on the need to engage in robust pre-acquisition due diligence.

Under Prong 11, Mergers and Acquisitions, there were a series of queries which tied together pre-acquisition due diligence and post-acquisition integration.

Due Diligence Process – Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally?

The pre-acquisition process was then tied to post-acquisition with the following:

Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities?

May 29, 2018

One new and different item was laid out in the Evaluation of Corporate Compliance Programs, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may lead to a self-disclosure or enforcement action. Under Prong 1, Analysis and Remediation of Underlying Misconduct, the Evaluation states:

What is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?  

Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?  

The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: 

Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes. 

Initially you need to understand the difference between a root cause analysis and a risk assessment. Obviously, you would perform a root cause analysis after an incident occurs so to that extent it is reactive rather than proactive. The site Thwink.org has defined root cause analysis as:

The purpose of root cause analysis is to strike at the root of a problem by finding and resolving its root causes. Root cause analysis is a class of problem solving methods aimed at identifying the root causes of problems or events. ... The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.

Well known fraud investigator Jonathan Marks, in an interview with the author, defines a root cause analysis “is a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.”

May 21, 2018

Leadership’s Conduct at the Top 

Under the Evaluation of Corporate Compliance Programs, Prong 2, it states: 

Senior and Middle Management

Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates? 

Moving Compliance Tone Down Through an Organization 

  • Muddle in the middle
  • Tone at the bottom 

The Board and Operationalizing Compliance 

What is the role of a company’s Board of Directors as laid out in the Evaluation of Corporate Compliance Programs? In an area of inquiry entitled “Oversight,” under Prong 2, Senior and Middle Management, the Evaluation posed three questions directed at the Board:

Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?

  • Compliance Committee on the Board
  • Compliance Expertise on the Board
  • Compliance Oversight by the Board

There are some specific areas of inquiry by a Board of Directors around compliance. I have adapted 20 questions which reflect the oversight role of directors. These are questions which the Board should ask of both senior management and the Board itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary.

May 21, 2018

The Code of Conduct 

What is the value of having a Code of Conduct? 

“First and foremost, the standards of conduct demonstrate the organization’s overarching ethical attitude and its “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” They go on to state, “The code is meant for all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. This includes management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” 

The substance of your Code of Conduct should be tailored to your company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. Your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it. 

Policies and Procedures

There are numerous reasons to put some serious work into your compliance policies and procedures. They are certainly a first line of defense when the government comes knocking. The 2012 FCPA Guidance made clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” 

The Evaluation of Corporate Compliance Programs builds upon the requirements articulated in the 2012 FCPA Guidance. Under Prong 4, Policies and Procedures, there are two parts: Design and Accessibility and Operational Integration. Part A has the following components.

Designing Compliance Policies and Procedures – What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?

Applicable Policies and Procedures – Has the company had policies and procedures that prohibited the misconduct? How has the company assessed whether these policies and procedures have been effectively implemented? How have the functions that had ownership of these policies and procedures been held accountable for supervisory oversight?

The Evaluation then goes on to ask about both accessibility and effectiveness of the compliance policies and procedures by stating,

The specific written policies and procedures required for a best practices compliance program are well known and long established. The 2012 FCPA Guidance stated, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation for conduct in your company. Procedures are the documents that implement these standards of conduct.

Internal Controls and Compliance

What specifically are internal controls in a compliance program? Internal controls are not only the foundation of a company but are also the foundation of any effective anti-corruption compliance program. 

The DOJ and SEC, in the 2012 FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

This was supplemented in the Evaluation of Corporate Compliance Programs with the following:

Controls – What controls failed or were absent that would have detected or prevented the misconduct? Are they there now?

The whole concept of internal controls is that companies need to focus on where the risks are, whether they be compliance risks or other, and they need to allocate their limited resources to putting controls in place that address those risks. In the compliance world, of course, there are two big risks. The first is the assets or resources of a company (not just cash but inventory, fixed assets, etc.) being used to pay a bribe. The second is the diversion of company assets, such as unauthorized sales discounts or receivables and write-offs, which are used to pay a bribe.

There are four significant controls that I would suggest the compliance practitioner implement initially. They are: (1) Delegation of Authority (DOA); (2) Maintenance of the vendor master file; (3) Contracts with third parties; and (4) Movement of cash / currency.


May 21, 2018

CCO Authority and Independence 

The role of the Chief Compliance Officer (CCO) has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program, the focus was articulated by the title of the Hallmark, Oversight, Autonomy, and Resources. 

The DOJ’s Evaluation of Corporate Compliance Programs made the following query about the CCO position: Prong 3. Autonomy and Resources

Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?

Autonomy – Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How often do they meet with the board of directors? Are members of the senior management present for these meetings? Who reviewed the performance of the compliance function and what was the review process? Who has determined compensation/bonuses/raises/hiring/termination of compliance officers? Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence?

In the Policy, the DOJ laid out additional factors around CCO authority:  

  1. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  2. The authority and independence of the compliance function and the availability of compliance expertise to the board;
  3. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
  4. The reporting structure of any compliance personnel employed or contracted by the company.  

This new language would seem to signal the death knell for the dual GC/CCO role. 

Compliance Function in an Organization 

Autonomy and Resources 

Compliance Role – Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (e.g., Legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred?  

Empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?  

Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?  

The Evaluation added one new set of queries based upon the evolution of corporate compliance programs since 2012. 

Funding and Resources 

You will now have to justify your corporate compliance spend. 

You now have to justify your compliance budget request denials. 


May 21, 2018

How to Perform a Risk Assessment 

One cannot really say enough about risk assessments in the context of an anti-corruption program. Since at least 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments which measure the likelihood and severity of possible FCPA violations determine the manner in which you should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”

This language was supplemented in 2017 in both the Evaluation and the new FCPA Corporate Enforcement Policy. Under Prong 4 of the Evaluation, Risk Assessments, the following issues were raised:

Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced?

Manifested Risks – How has the company’s risk assessment process accounted for manifested risks?

In the FCPA Corporate Enforcement Policy it stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment”.

What Should You Assess? 

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration. 

How Do You Evaluate a Risk Assessment? 

LIKELIHOOD

| Likelihood Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1 | Almost Certain | Highly likely, this event is expected to occur |
| 2 | Likely | Strong possibility that an event will occur and there is sufficient historical incidence to support it |
| 3 | Possible | Event may occur at some point, typically there is a history to support it |
| 4 | Unlikely | Not expected but there’s a slight possibility that it may occur |
| 5 | Rare | Highly unlikely, but may occur in unique circumstances |

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk; capability of leadership to recognize and prevent a compliance breakdown; compliance failures or near misses; training and awareness programs.

PRIORITY

| Priority Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1-2 | Severe | Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans |
| 3-4 | High | Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans |
| 5-7 | Significant | |
| 8-14 | Moderate | |
| 15-19 | Low | Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time. |
| 20-25 | Trivial | Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time. |

Priority Rating: The product of the ‘likelihood’ and significance ratings, which reflects the significance of a particular risk universe. It is not a measure of compliance effectiveness, nor a means to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used to continuously monitor risk going forward. However, you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.
