I believe one of the most significant innovations in compliance will come through the incorporation of blockchain into compliance. I see great value propositions for the compliance function. Mike Volkov has noted, “The key to blockchain is creating a secure environment among multiple actors in which the actors can record events and transactions in real time in shared ledgers. These ledgers are immutable, meaning they cannot be modified, and secure from potential hacking or modification. Blockchain users can receive real-time reports of activities without having to rely on post hoc reports. As a consequence, a specific user can flag potential red flags early, almost in real time, when events occur based on specific settings they establish for monitoring blockchain events.”
A more detailed exploration of the use of blockchain was presented in an article in the MIT Sloan Management Review, entitled “How Blockchain Will Change Organizations”, where authors Don Tapscott and Alex Tapscott speculate that the transformations which blockchain may facilitate in the corporate world could lead to some truly revolutionary modifications in key businesses processes.
How could blockchain have such a dramatic impact on compliance? First is the explanation of what blockchain might mean as a tool in business process. The authors explained that in a business transaction, you cannot email money as you can a document so a company must “use intermediaries to establish trust and maintain integrity. Banks, governments, and in some cases big technology companies have the ability to confirm identities so that we can transfer assets; the intermediaries settle transactions and keep records. For the most part, intermediaries do an adequate job, with some notable exceptions. One concern is that they use servers that are vulnerable to crashes, fraud, and hacks.”
The authors then go on to ask, “What would happen if there were an internet of value where parties to a transaction could store and exchange value without the need for traditional intermediaries?” The answer is that blockchain provides a transparent method to verify and approve transactions that is encrypted. Not only would this lower transaction costs and perhaps even barriers to doing business but also allow greater expansion of business into new geographic areas, through the use of previously external resources which were prohibitively expensive. Think of the possibilities in compliance for the supply chain and vertical integration.
There are several specific areas where the value from blockchain could enhance the operationalization of compliance into the fabric of a company. In Human Resources (HR) and Procurement “Blockchain will enable organizations requiring specialized talent and capabilities to obtain better information about potential contractors and partners than many traditional recruitment and procurement methods offer.” This means that with a potential third party business partner’s consent, a company will have access to a cache of information that is known to be correct because it has been uploaded, stored, and managed on a highly secure, distributable database. Such potential business partners would not be able to misrepresent their capabilities after such information has entered on the blockchain. The authors also note that “Tampering with data after the fact wouldn’t be possible: It would involve taking over the entire blockchain, a nearly impossible task.”
This is made even more powerful in the area of financial reporting. Typically, a search is “horizontal (across the web) and vertical (within particular websites). What you find can be out-of-date or inaccurate in other ways. On a blockchain, though, there’s a third dimension: sequence. In addition to being able to obtain a historical picture of the company since it was incorporated, you can see what has occurred in the last few minutes.” The authors correctly note, “The opportunity to search a company’s complete record of value will have profound implications for transparency as it brings to light off-book transactions and hidden accounts. People responsible for records and reports will be able to create filters that allow stakeholders to find what they are searching for at the press of a button. Companies will be able to create transaction ticker tapes and dashboards, some for internal use”. This would be extremely helpful in the difficult vetting of third parties around financial information.
In the sales realm, blockchain could be most helpful in understanding who you are doing business with and, more particularly, if the company is a state-owned enterprise. The same information you would consider about potential third parties sales agents would be available from customers. Obviously this would be critical in any Foreign Corrupt Practices Act (FCPA) analysis but it could also pay big results in anti-money laundering (AML) compliance. As the authors note, “sellers won’t have to incur the cost of establishing trust — thus they can facilitate transactions that would have been risky or might not have been possible otherwise.” Finally, there could be a data security plus as “blockchains will eliminate the cost of warehousing data and protecting other people’s data from security breaches.”
There are two specific areas where I see blockchain directly impacting the compliance profession. The first is with third parties. Volkov has stated, “a company could maintain immutable records of its due diligence process for a specific third party or a specific regulatory requirement. Due diligence delays would be eliminated by providing immediate and real-time and immediate access to the data, collection of information from potential third parties, and analysis of the information. A compliance officer could expedite the entire verification and validation process.”
The second area where blockchain provides a potential game changer is contracts, specifically around compliance terms and conditions. As the authors explain, “Blockchains facilitate contracting in both the short and long term. Through smart contracts — software that, in effect, mimics the logic of contracts with guaranteed execution, enforcement, and payments — companies will be able to automate the terms of agreement. This means that if a company develops contract programs to run on blockchain, it can incorporate the required compliance term and conditions and with blockchain, it can trigger alerts and ensure compliance This could be expanded to include compliance training, annual certification, or another ongoing obligation.
The authors conclude that blockchain could help alleviate some of the more egregious scandals seen, beginning back with Enron and up through Volkswagen (VW) and Wells Fargo. They believe that blockchain could help to “codify ethics and integrity into the circuitry of the enterprise, or reduce the moral hazard that too often sees management gambling with shareholder capital. Through smart contracts under blockchain, shareholders will be able to enforce the commitments executives make. Companies can specify relationships and state specific outcomes and goals so that everyone understands what the respective parties have signed up to do and whether those things are actually getting done.”
This final points sounds to me quite a bit like operationalizing compliance. It will be interesting to see when the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will begin to comment on blockchain as a part of a best practices compliance program.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
In this episode, I visit with Alex Tsigutkin, founder and CEO of AxiomSL and Varun Singhal – Senior Vice President Product Management, AxiomSL. AxiomSL a global leader in risk data management and regulatory reporting solutions for the financial industry, including banks, broker dealers, asset managers and insurance companies. Its unique enterprise data management (EDM) platform delivers data lineage, risk aggregation, analytics, workflow automation.
We discuss data lineage, which is quickly becoming a top line concern and challenge for data managers in financial services. In the past, data lineage—generation of a trail of information that tracks the use and custody of data as it travels throughout the enterprise—was primarily a concern for niche internal projects, usually run by reporting teams. A combination of closer oversight by prudential regulators and rising global standards around data governance, itself, has rapidly led many financial institutions to become more interested in how to do this on a broader level. The implications to and applications for the anti-corruption compliance profession are significant for transparency and accountability in data for sales, third party sales agents and payments, data flow in an organization and vendors in the Supply Chain. You can find out more about AxiomSL and data lineage by checking out their website, by clicking here.
In “Compliance and Continuous Improvement”, John Nocero discussed the concept of Kaizen or continuous improvement in compliance. He explained, “Loosely translated, Kaizen means change for the better. It has been utilized successfully by a variety of organizations in healthcare, psychotherapy, government and other industries to help develop long-term competitive strategies, improve operational practices and stay viable. When you think about it further, this principle has even more direct application to the compliance practitioner. In today’s environment in which we work, being a compliance practitioner is like setting yourself on fire at the beginning of the day and trying to put it out by day’s end. We fight fires. We want to be able to control the fire that is burning within ourselves – by learning how to handle the difficult conversation before it occurs, or anticipating how we will act when someone challenges our knowledge or authority.”
The company Graphic Products explains on their website, “Kaizen works by reducing waste (muda) and eliminating work processes that are overly difficult (muri). As a lean business practice, Kaizen succeeds when all employees look for areas to improve and provide suggestions based on their observations and experience. Generally, these suggestions are for small changes that incrementally change the business for the better.” They suggest a four-step approach, which they call “Plan-Do-Check-Act (PDCA).”
Under the Plan prong, you “define the problem and develop potential solutions.” Under the Do prong, you next move to “implementing the best solution.” During the Check prong you should “evaluate results to see if the solution worked.” Under the Act prong, you have one of two options: (A) If the solution you implemented succeeded, you work to standardize it and then implement it across the organization. (B) However if the solution did not work, you should return to the planning stage and start again. The site notes that using “PDCA to implement changes ensures that there is a continuous cycle in place to monitor changes and to continue to improve upon them.”
Copenhagen Compliance suggest another approach in their e-newsletter entitled “Using the Kaizen Approach to Risk Management by the Audit Committee”. They say, “Understanding the current nature of a risk is a precondition for a determining your risk appetite and providing a risk response.” It is therefore incumbent that you take the necessary “time, resources and expertise to have a closer look at individual risks and understand what a risk management means to the various department heads and divisions.”
Using the small workshop format to determine and consider the different levels of risk, they propose you should start with the following questions:
The answers you deliver to these queries should provide you with a detailed analysis and more insight into both the order and magnitude of the compliance risks your company faces going forward. However Copenhagen Compliance then suggests a second step where you review the risks from a difference perspective. You should begin by using the results of the first exercise to take a look at a couple of different areas. First you should consider “the different causes and the circumstances that focus on the processes or events that precede a risk occurrence.” From there you should “list the different causes and the circumstances that focus on the processes or events that precede a cause of the risk.” The data you develop in this second phase “will provide valuable insights to determine the risk appetite, effective responses to optimize the management of risks with focus on Risk identification” which are embedded in the way you are doing business.
Marty Ellen, the Chief Financial Officer (CFO) at Dr. Pepper, discussed these theoretical underpinnings in a Wall Street Journal (WSJ) article, entitled “How Dr Pepper Cuts Cost. And Then Cuts Costs Some More”, by Mike Esterl. At Dr. Pepper, Kaizen events are known as “Rapid Continuous Improvement” or RCI. Ellen said, “RCI is about taking the existing baseline and improving it by finding the waste. It starts with walking the entire process. We call it “going to gemba,” which is Japanese for going to see how the work is done. The goal is always to shorten cycle times. You would be surprised. You put a bunch of people in a room to describe how a process works, and they don’t all agree with each other - and they all work on the same process.”
For the Chief Compliance Officer (CCO) or compliance practitioner, the most interesting take-away from the article was that Ellen has successfully used the process not only in manufacturing processes but also in internal controls and financial processes such as accounts payable. Moreover, using RCI is not about cutting jobs but making the internal processes more efficient. So if you can reduce costs in compliance by being more efficient in the process it sounds like a win for all concerned.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
What will be the role of Artificial Intelligence (AI) in compliance going forward? LawTech had disrupted the legal profession and how it is reshaping many areas of private practice. I found the article had multiple implications for the compliance function. Indeed, I believe there will be a ComTech industry lurking down the road.
Obviously, document review is one area where ComTech would be most useful. There are many companies who provide key word searches and these same concepts translate readily into the compliance world through massive database searches for key words, such as an ongoing email review through email sweeps. The concept is straightforward; at regular intervals, you sweep through your company email database for identified key words that can be flagged for further investigation, if required. Such a sweep is not limited to anti-corruption compliance but any of the risk factors identified for your company.
The objective of this approach is to find the evidence of a compliance breakdown by sweeping systems to uncover items that may contain real issues. From here, you can assess and prioritize, by checking and verifying if an issue needs investigating and focusing on the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities. AI can help you to perform all of this more cheaply and efficiently.
Soon compliance will be pushed more to the forefront in anti-money laundering (AML). As banking institutions continue to tighten and strengthen AML controls, criminals and other nefarious actors will move into non-financial corporations to move money for the simple reason that such robust controls required in the financial and financial services world are not generally required in the non-financial corporate world. Non-financial corporations should have robust AML controls in place and one of the requirements for any best practices AML policy is to “Know Your Customer” (KYC). AI will allow a more robust KYC approach.
Another area where compliance is often left behind is in the arena of Mergers and Acquisitions (M&A). Since the 2012 FCPA Guidance, the focus of compliance in M&A has been more and more on the pre-acquisition phase of a deal. Often the compliance function is either brought in at the last minute and does not have the time to perform adequate compliance due diligence or there is an overwhelming amount of data to be reviewed and the resources available (or made available) to the compliance function is woefully inadequate. AI can help in this area. There are companies which have software that allows thousands of documents to be reviewed in the M&A context.
The review could include such issues as whether third party sales representatives have the requisite background due diligence in the files, their status and commission rates paid. There could be a review of top sales and business developments folks in high-risk regions, correlated with a gift, travel and entertainment analysis. Finally, you could consider sales in high risk regions or even sales spikes from low risk areas from the compliance perspective.
A prime example of where AI can assist the compliance function is with third parties in the Supply Chain arena. Every multi-national has literally thousands of vendors. Getting a handle on those is always a challenge simply because of the numbers involved. Using AI, a compliance practitioner can immediately identify vendors that present anti-corruption compliance or other risks to an organization. Once again, having led an effort to list out all employer’s vendors by hand to begin the risk ranking process, I can personally attest to the greater efficiencies AI can bring to the exercise.
There is yet another set of AI tools which can review contracts to see if any specific types of clauses are non-standard. It would seem a relatively easy software coding exercise to adapt such products to compliance clauses. This type of approach could also be used for non-standard governance clauses in joint venture (JV) or other types of partnerships agreements. Having once been assigned the task of reading all my employer’s JV agreements (87) and third party sales agents contracts (211) from across the globe and recalling the amount of time it took to do so; I can personally attest again to the greater efficiencies we are considering through the use of AI.
This example also points to one of the key disadvantages to AI and ComTech going forward. In past years, it was through document review and the detailed reading of documents and cases that many junior lawyers were trained. In my experience, reading all those JV agreements and third party sales agents’ agreements gave me a very good education in contract language and what positions were more and less favorable to each party. This is how many young associates were trained in law firms. This very practical method of training will eventually go away.
This final example also points to one of the key limitations of ComTech. While it might have helped to have AI review the JV agreements and third party sales agents’ contracts, it only could identify non-standard contract language. Unfortunately, since most of the agreements and contracts were bespoke they were uniformly non-standard. Further, the assignment I was given required an analysis of each non-standard contract so the judgment of a human was required. Even as AI becomes more sophisticated, the judgment of a professionally trained compliance practitioner is still required to validate the areas flagged by AI as anomalies.
Gary Kasparov recognized this after his loss to IBM’s Big Blue in a chess match. In a review of his recent book Deep Thinking-Where Artificial Intelligence Ends and Human Creativity Begins, it noted that Kasparov “recognized that computers do well what humans do badly and vice versa, suggesting a useful complementarity.” Moreover, “he argues that humans are often fallible, finding patterns in randomness and correlations where none exist. Computers can help us be more objective and amplify our intelligence. Technological progress can never be stopped even if it should be better managed.” Kasparov even formulated his own theorem, which he calls “Kasparov’s Law” and it reads, “Weak human + machine + better process is superior to strong human + machine + inferior process.”
There have always been technological innovations which help make co mpliance disciplines run more efficiently, more smoothly and more profitably. AI is simply another step in this line of technological developments. There is certainly no reason to be afraid of using it. Given the disruption which has impacted the legal profession through LawTech; disruption is not far behind in the compliance world through ComTech.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
We previously considered how artificial intelligence (AI) can be used as business advantage for compliance. However, the power of AI can also extend the more traditional functions of prevention, detection and remediation. The first way is in simply the mass amount of data which could inundate a compliance practitioner. Many compliance practitioners are overwhelmed about the amount of data available to them and do not know how or even where to begin.
Patrick Taylor, President and CEO of Oversight Systems, Inc. has noted that AI allows the compliance practitioner to understand the “subtle clues in that pattern of activity that will clue me in to take a different look”. He likened to seeing a pattern in “raked leaves” which allows you to then step in and take a deeper and broader look at an issue, either through an audit or investigation. This is where compliance practitioner can step back and literally keep an eye on the big picture and longer term as opposed to just the immediate numbers and information in front of them. It may also be the best hope for finding that kind of systemic fraudulent behavior.
This speaks to one of the difficult issues for the compliance practitioner, which is what does all the information mean? Consider the example of GlaxoSmithKline (GSK) in China. The Chinese business unit employees were working en masse to create fraudulent reimbursable invoices, inflating the cost of industry events to create a pool of money to pay bribes. They would stage an event around a drug product, or service in a hotel. They would inflate the hotel charge 20% above the actual costs and submit the entire amount to the corporate office for reimbursement. In some cases, GSK employees would submit invoices for events which never took place.
Now layer on top of these deceptions, in China, there is a rampant sale of fake receipts. For every Marriott the Chinese business unit utilized, personnel they could buy an official Marriott receipt, which showed the price that was paid and it was a backup documentation for the auditor to look at on that expense report. Finally, there was the illegal sale of official Chinese government real tax stamps to tier on another level of complexity.
Taylor said that AI would provide you the opportunity to detect even this type of massive and systemic fraud because, statistically those charges would not make sense. Taylor said the reason this type of fraud can be so difficult to detect and prevent is the charges were on credit cards, so recorded and there was paper documentation to back up the charges. Standard modalities of detection will not assist the compliance practitioner. You just know that something does not make sense. AI allows a compliance professional to gather and compute statistics across a wide variety of customers and situations; such as geographic and time dimensions.
Using these two data points, you can analyze what is a reasonable amount to spend at a hotel or other venue. But also includes such variables as the time of year as some cities have tremendous seasonality in their hotel charges. Yet others do not and indeed there may even be zero variability in transportation cost across seasons. AI allows you to pull geographic, time, type of expense and even specific vendors statistics for a big-picture analysis.
In a broader manner, consider all the data points in the lifecycle of any business transaction which produce data analytics for a compliance practitioner. When Business Development (BD) initially makes a call on a potential customer; when a request for proposal (RFP) comes into an organization; when the response is formulated with pricing and proposed discounts; during any subsequent contract negotiations; post-contract obligations for travel and training; and continued business development contacts with a customer.
Each of these steps could provide data, which taken singularly might not raise any red flags or even be outside company specifications, but taken as a whole it might be a transaction which would lend itself to compliance oversight. Starting with the BD representative, what was the spend on gifts, meals and entertainment (GTE)? Even if that information is not available to the compliance department it is available from employee reimbursement requests so it can be used to take an appropriate business deduction from the Internal Revenue Service (IRS). From the Foreign Corrupt Practices Act (FCPA) perspective, is the BD representative entertaining a foreign government official under the Act? If so, what is the aggregate spending by any one such government official over a 12-month period by one BD representative? What is the BD spend on one particular state owned enterprise official by several company BD representatives? Has there been any travel involved to tour company facilities? If so, what was the aggregate spend and was it correlated with other GTE spends?
Moving on to any contract negotiations which might take place, were any discounts offered outside the standard discount range? If so were these discounts properly vetted through the internal company process? Was this process documented and was there senior management sign-off in place? Did the customer suggest the use of any third parties as suppliers to the prime contract? Were there any charitable donations requested by the customer? Were there any charitable donations made during any part of this process or within 12 months after a successful contract negotiation? Was the contract properly vetted by all required internal processes: by management, legal, and compliance?
If the business function was successful in concluding the contract; did it specify any travel for the customer? How about ongoing training and if so where and for how long? Was there a specification of business class or above travel accommodations? Has any required compliance or FCPA training been delivered to third parties involved in the contract? Was there any Corporate Social Responsibility (CSR) requirement going forward? Does compliance have visibility into this or does is go through a company charitable donation group or committee?
These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. Obviously, AItion holds both promise and challenge for CCOs. However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition.
Three Key Takeaways
Next we consider the introduction of Artificial Intelligence (AI) into the compliance profession. A few pieces claimed AI is revolutionary and would change the face of compliance. Well I have some news for such pontificators, technology has been involved in compliance since the profession began in earnest with the implementation of the US Sentencing Guidelines in 1992. One thing is certain however and that is technology that will improve the efficiency of compliance and will assist in the operationalization of compliance into fabric of every business which embraces it.
A recent article in MIT Sloan Management Review, entitled “Building a More Intelligent Enterprise”, by Paul J. H. Schoemaker and Phillip E. Tetlock explored how businesses could “blend technology-enabled insights with a sophisticated understanding of human judgment, reasoning, and choice” which will provide to them “an advantage over their rivals”. The compliance professional who incorporates the techniques they advocate into their organization’s compliance program will not only move their compliance program forward but also make their company run more efficiently and, at the end of the day, more profitably.
The reason is not simply that AI can make compliance more effective and more efficient but “in the knowledge economy, strategic advantages will increasingly depend on a shared capacity to make superior judgments and choices.” AI is a step which weds the human interaction and experiences with the data which is available to every company - its own internal information which is most generally sitting in siloed verticals and not being used. This data can “provide the foundation for operations research, forecasting models” when using AI. When you couple this data with the “growing understanding of human judgment, reasoning, and choice” which has provided insights in what humans do well or poorly; you can pair the best of these two seemingly disparate incongruities.
The authors suggest that you use this strategy in an area which will have the greatest benefit for your company, stating, “The starting point for becoming an intelligent enterprise is learning to allocate analytical effort where it will most pay off — in other words, being strategic about which problems you decide to tackle head-on. The sweet spot for intelligent enterprises is where hard data and soft judgment can be productively combined.” For the compliance professional, this translates to your greatest risk area. Consider the possibility that you could identify through forecasting what your highest risk might be, then use AI to more efficiently and accurately assess the risk and finally tie both an AI technology solution with compliance subject matter expertise (SME) to manage the risk going forward.
The key in such a scenario is in aiding the compliance practitioner to avoid judgmental “biases that often distort human information processing and by recognizing the precarious assumptions on which statistical models sometimes rest, the analytical whole can occasionally become more than the sum of its parts.” This means you should critically look at a variety of factors around where your compliance risks lie. Most compliance practitioners only rely on the Transparency International-Corruptions Perceptions Index (TI-CPI) for a country’s corruption rating. While the TI-CPI is a good starting point, it is only that. A compliance analysis that an area is high, medium or even low risk does not consider the starting assumption using the TI-CPI. Moreover, because this Index has been used so long, compliance professionals are biased towards and do not seek out other data which might provide a more nuanced approach.
Another technique which I have been involved with is known as boot-strapping. Here a group of SMEs would develop a model of possible risks which could be assessed with large amounts of data or other inputs. By modeling the experts’ knowledge in risk areas, you could develop not only a more comprehensive forecast and assessment of risk but it would also be more consistent, which would greatly help in your planning and risk management.
The authors reported researchers who asked a group of corn experts to rate 500 ears of corn to predict their eventual prices in the marketplace, using a variety of factors. “The researchers then created a simple scoring model based on cues that judges claimed were most important in driving their own predictions. Both the judges and the researchers expected the simple additive models to do much worse than the predictions of seasoned experts. But to everyone’s surprise, the models that mimicked the judges’ strategies nearly always performed better than the judges themselves.” Most of the factors were subjective but that did not stop the model from being more efficient. The authors believe the boot-strapping model “remains one of the most compelling demonstrations of the potential benefits of combining the powers of models and humans, including the value of expert intuition.”
Boot-strapping is the most straight-forward use of this type of technology, as it is “a simple input-output approach to modeling expertise without delving into process models of human reasoning.” Now consider how boot-strapping can be augmented by AI technologies “that allow for more complex relationships among variables drawn from human insights or from mining big datasets.”
These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. The authors conclude by noting, “the cognitive-science revolution holds both promise and challenge for business leaders.” However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition.
Three Key Takeaways
Welcome to the September edition of my yearlong podcast series of One Month to a More Effective Compliance Program. In the month of September, I will be focusing on innovation in compliance. I will look at innovation from a variety of angles including AI and ComTech, structural innovations, tools and tactics and innovation in leadership. At this end of September, you will have a number of solid ideas you can use to move your compliance program forward.
I begin this month by considering the starting point, which is an innovation strategy. In the most recent Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) issued by the Department of Justice they all include an element along the following strictures, “The Company will conduct periodic reviews and testing of its anti-corruption compliance code, policies, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, policies, and procedures, taking into account relevant developments in the field and evolving international and industry standards.”[Emphasis supplied]. This means that the DOJ expects innovation in your compliance program to keep up with evolving international and industry standards. This requires you to implement an innovation strategy.
All of this means you should begin with an innovation strategy for your compliance program. Gary P. Pisano, in an article in the Harvard Business Review (HBR), entitled “You Need an Innovation Strategy” discussed such an approach. He began by stating the problem that many companies face is that “innovation remains a frustrating pursuit.” The key to success is something that every CCO or compliance practitioner should take to heart; which is, a compliance practitioner must be able to lay out an innovation strategy for compliance that details the efforts will support the overall business strategy. This means creating an innovation strategy for compliance that will create value for customers of compliance, IE., employees, third parties and customer, show how the company will capture that compliance value going forward and finally which types of compliance innovation to pursue.
First, some basic definitions useful for the compliance practitioner to think through innovation in the compliance function. Pisano defined a “strategy is nothing more than a commitment to a set of coherent, mutually reinforcing policies or behaviors aimed at achieving a specific competitive goal.” If you have a good strategy, it can promote alignment among diverse groups in a company, help to clarify objectives and priorities and guide your focus on those objectives. It can also be modified as necessary and with sufficient feedback.
There are several questions you need to consider in connecting innovation to strategy. Initially, how will innovation create value for the customers of compliance; IE., your employees and relevant third parties? Your innovation can make compliance faster, easier, quicker, nimbler and so on. Focus on that creation of value going forward. Pisano’s next question was “How will the company capture a share of the value its innovations generate?” He suggests companies think through how to “keep their own position in the [compliance] ecosystem strong” through innovation. Next what types of innovation will allow the company to create and capture value, and what resources should each type receive, such as a change in technology and a change in a business process. Both are equally valid.
Obviously senior management has a key role around innovation in compliance, as innovation can be driven downward or backward if there is not sufficient management support. This means not only must there be sufficient resources allocated but management must also incentivize the business units to proceed with implementing the innovations. Another area where senior management is critical is with making trade-offs.
The author noted there are four essential tasks in creating and implementing an innovation strategy. Task 1 is to “answer the question “How are we expecting innovation to create value for customers and for our company?” and then explain that to the organization.” Task 2 “is to create a high-level plan for allocating resources to the different kinds of innovation.” Task 3 is “to manage trade-offs. Because every function will naturally want to serve its own interests, only senior leaders can make the choices that are best for the whole company.” Finally, task 4 dovetails with what almost every DOJ or speaker from the Securities and Exchange Commission (SEC) I have ever heard say when they talk about the basics of any best practices compliance program. It is that both compliance and innovation strategies must evolve. Pisano wrote that every innovation “strategy represents a hypothesis that is tested against the unfolding realities of markets, technologies, regulations, and competitors. Just as product designs must evolve to stay competitive, so too must innovation strategies. Like the process of innovation itself, an innovation strategy involves continual experimentation, learning, and adaptation.”
You must recognize that your compliance program will have to be innovative. Start with a strategy which has senior management buy-in and support, then move to implement. Finally use data in a feedback loop to fine tune your innovations. Innovation in compliance is one of the key differences between those who advocate static compliance standards embodied in a written compliance program and those who advocate an operationalized compliance program is that the latter creates an active, vibrant and effective compliance program. That is the bottom line for innovation.
Three Key Takeaways
In the August edition of One Month to More Effective Continuous Improvement I have considered some of the techniques to create continuous improvement in your compliance program.
Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its chapter 5 Guiding Principles of Enforcement industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs (Evaluation) lists three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each was category further refined with multiple attendant questions.
You should keep track of external and internal events which may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company, i.e. a company reorganization or major acquisition. This type of review appears to be similar to the DOJ advocacy of ongoing risk assessments. The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, effective compliance programs, meaning those that do not simply exist on paper, but are operationalized will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”
Continuous improvement requires that monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
One technique that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.
Over the month of August I have presented a variety of specific tools and techniques for the compliance practitioner to utilize. They include financial audit, the culture audit, continuous controls monitoring, various risk management strategies which can become continuous monitoring. The tools are both quantitative and qualitative. Pick and choose the right tools for your company’s business and compliance profile.
Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”
Three Key Takeaways
A big shout out and thank you to this month’s sponsor Affiliated Monitors. They use a variety of the tools and techniques I have described over the month in their services. I hope you will check them out. For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
Continuous improvement also requires you to consider the backbone of your compliance program, your written Code of Conduct, policies and procedures. Under Prong 9, in the Department of Justice’s Evaluation of Corporate Compliance Programs, it states, Evolving Updates – How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?
Moreover, under Prong 4, the Evaluation considers not only the design of your Code of Conduct but its accessibility with a variety of questions and factors. These include what was considered for your Code of Conduct, how the Code improvement was implemented, whether the gatekeepers were consulted and most importantly whether they bought into the entire process. Finally, is your Code accessible to all employees.
I thought about this updating in the context of your best practices compliance program. The cornerstone of any such compliance program is recognized to be your Code of Conduct. But a Code of Conduct should not be a static document. It needs to evaluated and updated as circumstances warrant. Yet such updating should not be performed in an ad hoc manner. As intoned in the 2012vFCPA Guidance, your compliance program should be thoughtful and well considered. In “Six steps for revising your company’s Code of Conduct”, Anne Marie Logarta and Ruth Ward discussed how you should think through the updating of your Code of Conduct.
After evaluating these initial issues, the authors suggest that you should benchmark your current Code of Conduct against others companies in your industry. If you decide to move forward the authors have a six-point guide that should assist you in making your revision process successful.
Your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”
A cross-functional working group should head up your effort to revise your Code of Conduct. They suggest that this group include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.
From this large group, Code of Conduct topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. It is incumbent you create a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”
The backbone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” Technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.
In addition to this use of technology in drafting your Code of Conduct revision, you should determine if your Code of Conduct will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code will only be available in hard copy.
You must translate your Code of Conduct into appropriate local languages. This is particularly important if your Code is pre-2012, when the FCPA Guidance came out and made clear that translation into local languages was a minimum of a best practices compliance program. The key is that “your employees have the same understanding of the company’s Code-no matter the language.” The Evaluation also makes this requirement for accessibility mandatory.
A roll-out is always critical because it “is important that the revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide meeting where the new or revised Code is rolled out across the company all in one day. Recent pronouncements from the Department of Justice (DOJ) have suggested that testing the knowledge of employees on the Code is becoming more important. However, the bottom-line, as with all thing compliance-related, is Document, Document and Document. However you deliver the new or revised Code of Conduct, you must document that each employee receives it and understands it.
If you set realistic expectations you should be able to stay on deadline and stay within your budget. They state, “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that to keep a close watch on your budget so that you do not exceed it.
If you are a compliance practitioner, I urge you to look at your company’s Code of Conduct, policies and procedures. If your Code is pre-2012, you need to update sooner rather than later and consider what the FCPA Guidance says about a best practices Code of Conduct. With the new information presented by the DOJ you need to consider how you can measure how well your employees are retaining it as well. It is far better to review and update if appropriate than wait for a massive Foreign Corrupt Practices Act (FCPA) investigation to go through the process.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
A Program Manager in a Power Plant Process group told me about the ‘Mock Audit’ that his company performs in its power plants across the country. He explained that his industry is heavily regulated at both the state and federal level. Power plants are subject to numerous levels of oversight including various ISO standards to which they must comply. ISO is the International Organization for Standardization and it develops and publishes International Standards for various industries and organization.
The ISO 9000 standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer’s requirements, and that quality is consistently improved. One of the components of ISO 9000 compliance is an internal audit to check how a quality management system is working. But, for the utility industry, there are additional, more formal audits by various state and federal regulatory bodies, including both North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC). In other words, the utility industry is subject to numerous rules and regulations which require compliance audits.
To help prepare for these formal internal and external audits, his company employs the Mock Audit. In the Mock Audit, his team will go through the factors which will be reviewed in a formal audit at a power plant. But the thing that struck me was that he said that when goes into a plant, he tells the plant personnel “we all wear the same color shirt” and by this he means they are all on the same team, trying to achieve the same goal of doing business in compliance with the rules and regulations that the power industry is required to operate under. Coming from the energy service industry, the ‘color of one’s shirt’ is a powerful concept. I worked at Halliburton which is known as “Big Red”. Halliburton’s competitor, Schlumberger, is known as “Big Blue”. Once in an employment interview someone asked me if I could work under a person who came from “Big Blue” and I knew instantly what they meant.
The Mock Audit is a mechanism by which a compliance team can go into a facility and not only try to determine what might need remediation but, equally importantly, help the employees in that facility to move towards greater compliance. The team members who perform these Mock Audits are not lawyers but are engineers or other process focused team members. These Mock Audits help to uncover gaps that need closing before any of the regulatory mandated audits by external audit teams. As this Program Manager explained to me, they are a powerful compliance tool.
I thought about this concept of the Mock Audit in the context of continuous improvement under the Foreign Corrupt Practices Act (FCPA). Typically such monitoring and annual assessments are done by lawyers. One thing that I think we as lawyers bring to this process too often is an adversarial relationship. It sometimes feels and sounds like we are trying to find a violation or something wrong regarding a company’s compliance program. We are not there to try and help employees learn from their mistakes (if any) and we do not present ourselves as ‘wearing the same color shirt’. While there certainly is a fine line that must be trod in monitoring and annual assessments, if the compliance practitioner could adopt a bit of the tone of the Mock Audit it might open things up for a more useful and constructive exercise going forward. This is not to say that a more formal compliance audit should be conducted with such a tone, as it is a different type of activity. But, just as the Mock Audit is there to uncover any gaps and help fill those gaps, monitoring or annual assessments can also be used to help close compliance gaps before a biennial formal compliance audit. So what are some of the steps that a compliance practitioner can take?
I once worked in a corporate legal department where the attitude was very much ‘us against them’. The legal department was viewed as the last bastion between the business guys doing something to put the company at risk. The attitude was not cooperative at all. I would suggest that even if the legal department feels like it has to maintain that attitude, the compliance department is not required to have that attitude, at least not all the time. Just as my new found colleague from the utility industry can help power plant employees to do their work more in compliance with the rules and regulations that they are required to follow, the compliance department can work with employees rather than simply dictate the rules which are to be followed. An annual assessment is the perfect opportunity to learn more about a region or group’s compliance challenges and how those challenges are being met and might be met going forward. But it will not work if it starts out with the us against them or I am here to get you attitude. You have to wear the same color shirt and be on the same team.
One of the more constant complaints that I have heard from business unit folks is that compliance did not share the results of any assessments or audits with them. Not only was there no transparency at the end of the process but there seemed to be no simple desire for local participation or input to resolve any outstanding issues uncovered. So another step I gleaned from the Mock Audit is to review any assessment ﬁndings with the senior management team of the group or area being assessed. If warranted, the management team from the group or area reviewed should be a part of any corrective action plan that addresses a specific gap in compliance. You can use this opportunity to demonstrate that the overall goal is to drive towards compliance and that use of local input may be one of the best paths to positive change over the long term. As with anything, else if people feel like they have input into the process, they will be more likely invested to make sure the process succeeds. When you return to the corporate office you can collaborate with the group or region until issues are fully addressed.
The 2012 FCPA Guidance made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. The concept of the Mock Audit is one that can facilitate continuous improvement. As it is a process designed to help your employees do business in a more compliant manner it is a tool that should not be overlooked.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
Compliance does not exist in a time-warp vacuum, with programs living in 1977 when the first major anti-corruption legislation, the Foreign Corrupt Practices Act was passed. The law has advanced since that time, as has compliance and society as well. One of the ways that you can engage in continuous improvement for your compliance program is based upon the two-way use of social media. Social media can be used not only to communicate with your employee base but also for your employee base to communicate with you, most particularly if you are prepared to listen.
For every CCO or compliance practitioner, you have multiple audiences. First and foremost is your employee base but there can be third parties, shareholder or other stakeholders. One of the key insights of several business leaders I have studied is the art of listening. In an article in the MIT Sloan Management Review, entitled “How Twitter Users Can Generate Better Ideas”, authors Salvatore Parise, Eoin Whelan and Steve Todd postulated that “New research suggests that employees with a diverse Twitter network – one that exposes them to people and ideas they don’t already know – tend to generate better ideas.” Their research led them to three interesting findings: (1) “Overall, employees who used Twitter had better ideas than those who didn’t.”; (2) In particular, there was a link between the amount of diversity in employees’ “Twitter networks and the quality of their ideas.”; and (3) Twitter users who combined idea scouting and idea connecting were the most innovative.
I do not think the first point is too controversial or even insightful as it simply confirms that persons who tend have greater curiosity tend to be more innovative. The logic is fairly straightforward, as the authors note, “Good ideas emerge when new information received is combined with what a person already knows.” In today’s digitally connected world, the amount of information in almost any area is significant. What the authors were able to conclude is that through the use of Twitter, “the potential for accessing a divergent set of ideas is greater.”
However it was the third finding that I thought could positively impact the compliance profession, the role of the Idea Scout and the Idea Connector. An idea scout is “an employee who looks outside the organization to bring in new ideas. An idea connector, meanwhile, is someone who can assimilate the external ideas and find opportunities within the organization to implement these new concepts.” For the compliance practitioner, the ability to “identify, assimilate and exploit new [compliance] ideas” is the key takeaway. However to improve your compliance innovation, “you need to maintain a diverse network while also developing your assimilation and exploitation skills.”
For the compliance practitioner, Twitter can be “described as a ‘gateway to solution options’ and a way to obtain different perspectives and to challenge one’s current thinking.” Interestingly the authors found that “It’s not the number of people you follow on Twitter that matters; it’s the diversity within your Twitter network.” The authors go on to state, “Diversity of employee’s Twitter network is conductive to innovation.” Typically an Idea Scout will “identify external ideas from experts and resources on Twitter.” Clearly the compliance practitioner can take advantage of experts with the anti-corruption compliance field but there is perhaps an equally rich source of innovation from those outside this arena.
An interesting approach was what the authors called the “breadcrumb” approach to finding innovation leaders and thought-provokers. It entailed a “period of “listening” to colleagues and industry leaders who are on the platform - including what they are tweeting about, who they are following and replying to on the platform, who is being retweeted often”. So with most good leadership techniques the first key is to listen.
Equally important to this Idea Scout is the Idea Connector, who is putting the disparate strands from Twitter’s 140 character tweets together. For the compliance function, this will be someone who identifies compliance best practices or other information from Twitter ideas, can then put them together and direct the information to the relevant company stakeholders. Finally, such a person can “Curate Twitter ideas and matches them with company resources needed to implement them.”
Here the authors listed a variety of ways an Idea Connector can use Twitter. One user said, “I try to sift through all the Twitter content from my network and look for trends and relationships between topics. I put my analysis and interpretation on it. I feel that’s where my value-add is.” Another method is to focus on analytics and one user “filtered specific subsets of the topic for different stakeholders” at his company. Another method was to create “social dashboards or company blogs based on the insight” received thought Twitter. Interesting, one of the key requirements for successfully mining Twitter was in finding ways to share its content “since many employees, especially baby-boomers don’t use the platform themselves.” Conversely by mining information from Twitter and presenting it, this can allow these ‘technologically challenged’ older employees to ascertain how they can target millennial’s.
But as much as these concepts can move a CCO or compliance practitioner to innovation in a compliance program, it can also foster additional information through the following of your own employees. It is well known that Twitter can facilitate greater communication to and between the compliance function and its customer base, aka the company employees. However the authors also point to the use of Twitter to enable this same type of innovation because it “is different than email and other forms of information sources in that it enables continuous engagement”.
Twitter was created to allow people to connect with one and other and communicate about their activities. However the marketing potential was immediately seen and used by many companies. Now a deeper understanding of its use and benefits has developed. For the compliance practitioner one thing you want to consider is to align your Twitter and great social media strategy with your compliance strategy; match your Twitter strategy to your compliance strategy.
Twitter can be powerful tool for the compliance practitioner, as it allows you to both listen and communicate. It is one of the only tools that can work both inbound for you to obtain information and insight and in an outbound manner as well; where you are able to communicate with your compliance customer base, your employees. You should work to incorporate one or more of the techniques listed herein to help you burn compliance into the DNA fabric of your organization through continuous improvement.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”
Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.
Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Many compliance practitioners understand you should be checking in routinely with local Finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.
Yet ongoing monitoring is not limited to the financial component of compliance. Another approach to review emails as both a preventative and detection program through the technique of email sweeps. The concept is straightforward; at regular intervals you can sweep through your company email database for identified key words that can be flagged for further investigation, if required. The beauty of this approach is that does not require an extensive eDiscovery software tool or license purchase. It can be accomplished generally in two days or less. Also it is not limited to anti-corruption compliance but any of the risk factors identified for your company.
The objective of this approach is to ‘find the smoke’ which may be the evidence of a compliance breakdown (and related fire) by sweeping through emails is to uncover those that may contain real issues. From this starting point, you can assess and prioritize, by checking and verifying that there are issues worth investigating. From here you can identify the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities.
In addition to the cost effectiveness of this approach, in that you are only paying for the services when you need them and as they are delivered, this approach satisfies the Tom Fox mantra of Document, Document, and Document because everything you have done can be verified and audited. Finally, as the regulators continue to evolve in their understandings and appreciation of a best practices compliance program, you will evolve your compliance program to a new level of detection that could well allow you to have a more robust prevent mode. When your compliance program has a strong prevent prong, it can be the most effective to stave off anything issues from becoming Foreign Corrupt Practices Act (FCPA) violations.
Continuous improvement through continuous monitoring will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is a continuously evolving organism, just as your company is continually improving its business processes. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”
Three Key Takeaways
Continuous improvement can take many ways, shapes and forms. Typically, when it comes to third-party risks, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or employee of a state-owned enterprise, or a close friend or family member. There may also be inquiry into knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices (FCPA) and compliance programs. Other information about criminal and legal history and references, both professional and commercial, may also be required. Hopefully these indicia are reviewed and updated on a regular basis.
One thing that is most generally not considered is the financial health of the third party. It turns out such an oversight may have some significantly ramifications for an accurate picture of a third party. The financial health of third parties as not only a key metric but also a key due diligence tool which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.
A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point and a rationalization for committing a FCPA violation forming in the mind of a third party.
But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. James Gellert, CEO of RapidRatings has noted, “Cyber security is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cyber security program. In a case like that, over time, a company partner of that firm is taking increased risks for cyber security breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cyber security problem and when that problem actually hits, it’s too late, it’s effecting revenue, it’s effecting reputation, it’s effecting all sorts of things.”
A database of financial health is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third party ecosystem”.
This is considering your third parties in much broader manner which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may tell you how well that third party will perform. Such information can be useful to you for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners, or even fourth parties, can help you meet your compliance requirements, maintain operational stability, through the avoidance of business disruption and support business continuity initiatives. Even better, you can cut through siloes to develop risk management strategies across multiple business functions.
This moves compliance into the business process cycle, creates greater efficiencies and at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate solid return on investment going forward. It also allows compliance to cut through many corporate siloes including such disciplines as business development, supply chain or procurement, manufacturing and finance.
Continuous improvement through monitoring of ongoing financial health is a tool where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to more and better operational stability and with that ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at http://www.affiliatedmonitors.com/.
There are multiple areas in the Department of Justice’s Evaluation of Corporate Compliance Programs which intersect with the area of continuous improvement. In addition to Prong 9. Continuous Improvement, Periodic Testing and Review; under Prong 1 Analysis and Remediation of Underlying Misconduct is found the following: Prior Indications – Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed? This also ties to the 2012 FCPA Guidance made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. Another way to do achieve these multiple and intersecting goals is through voluntary monitoring. when I recently visited with Vincent DiCianni, President and Founder of Affiliated Monitors, Inc. and Eric Feldman, Senior Vice President (SVP) and Managing Director, Corporate Ethics and Compliance Programs also at Affiliated Monitors, Inc. about their views on voluntary monitoring.
According Feldman, voluntary monitoring is an approach where a company “uses the services of an independent monitor to find out how their program is working and to be able to use that data with government regulators and law enforcement to demonstrate their due diligence in creating and continuously improving their corporate ethics and compliance program.” There are at least two different types of voluntary monitoring. Feldman articulated the first as “reactive proactivity” which is the situation where a company determines it has a potential compliance violation and they bring in an independent monitor to address the issue.
The genesis for this type of monitoring is some event, such as a whistleblower report, internal report or investigation or detect control picking up information which warrants additional investigation. Feldman provided a couple of examples. The first might be “where one business unit has a problem and they're worried about the other business units and they want to get an assessment.” Another situation could be there is a problem in a sector or “industry and they know that that industry is being scrutinized by law enforcement or the regulators and they fully expect the regulators or law enforcement to be coming in and looking at them.” Yet another area could be in a geographic area such as China or another high-risk region.
DiCianni noted there is a second type of voluntary monitorship. It is where a company wants a true independent “to come in to test the quality of the program to see how impactful” the company’s compliance program is operating. It could assess a variety of issues, such as the compliance internal controls to test their benchmarking of a company’s compliance program. In this type of voluntary monitorship, the examiner is not focusing on one issue or region as laid out in the first example but it is broader.
Moreover, it allows a true independent to perform the assessment as DiCianni noted, “it's very difficult for companies and for compliance officers and their teams to self-assess the strength of their programs. They just have difficulty doing that. It’s just not an easy thing for them to get their hands on, how good a job am I doing? By having an independent come in with no skin in the game, with complete objectivity, neutrality, no judgements, or pre-judging the work, looking at the company’s program, the quality of the program, the makeup of the team, the organizational structure, where it’s placed. All of those kinds of things are parts of this voluntary approach.”
The benefits of both types of voluntary monitoring are multifold. It certainly helps to meet the Control Testing requirement found in the Evaluation. The 2012 FCPA Guidance stated, “An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” This type of approach can provide benefits if a company finds itself in FCPA hot water, as both the DOJ and Securities Exchange Commission (SEC) “will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” Yet the Guidance intones a business reason for the use of such techniques as voluntary monitoring when it stated, “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”
Feldman pointed out yet another reason for such a proactive approach. It can create an administrative record, which a company can use to demonstrate it has remedied the problems. Equally important it establishes the company is maintaining its commitment to doing business in compliance. The key is the independence of the monitoring personnel so they can present an accurate, unbiased opinion.
He presented the example of a company which had been debarred by the US government and needed to demonstrate an acceptable level of compliance to get off the debar list. He and his team performed a baseline assessment and from there developed a remediation plan, which the company implemented. After six months or so, he and his team came back to assess the progress made by the company. From this follow-up assessment, they generated a report which was used in a submission to the government which essentially noted, “We are now ready to be a responsible contractor as defined by the federal acquisition regulations and we propose an administrative agreement with continued monitored that would move it from voluntary monitoring over to mandatory monitoring for the next three years.”
Voluntary monitoring is an excellent technique through which a company can engage in continuous improvement. Nonetheless it has many other benefits as well, including regulatory and evidence in a criminal investigation if needed under anti-corruption laws such as the FCPA. The bottom line is that all those scenarios might justify a company to engage a voluntary monitorship to come in and do a complete ethics and compliance and cultural assessment or audit of their organization.
Three Key Takeaways
Another mechanism for continuous improvement of your compliance program is through risk-based monitoring. Under Prong 5 of the DOJ’s Evaluation of Corporate Compliance Programs, is the following topic and question Manifested Risks – How has the company’s risk assessment process accounted for manifested risks? I found this to focus as much on continuous improvement as it did with risk assessment through the emphasis on the risks which established and demonstrated by the organization. In other words, were you monitoring the risk that you have not only identified but also have revealed themselves to your organization.
I visited with Ben Locwin, Director of Global R&D at BioGen and an operational strategist in pharma and healthcare, to consider risk-based monitoring and how it helps to facilitate continuous improvement in a compliance program. Locwin said, “Risk-based monitoring is really about continuous, ongoing monitoring for those things which provide the most potential future risk to you. In other words, instead of a static risk registry that may come in part with forecasting, where you would say, “We’re trying to anticipate these risks.” By using risk-based monitoring to review issues on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.”
The problem for many companies is they are siloed in not only their data but also in the systems. Locwin explained that because of the disparity of data systems, “They may not be tracking rigorous, quantified information all the time.” He cited to an example from the pharmaceutical world where a company could well have 50 worldwide sites where a drug product is being tested. Some patients receive a placebo and some patients receive the medication being tested. As data comes in you begin to note patterns in certain patients and groups, which might actually point towards a variety of testing errors by physicians administering the test.
Through the use of risk-based monitoring, you can begin to see things in “almost real-time, time-based trends of real data that you can then jump on and try to make adjustments before things get really wacky.” The implications to the compliance practitioner? Having access to information around sales, the sales process and corporate largess in things from Corporate Social Responsibility (CSR) work to gifts, travel and entertainment to conferences for customers and end users. Through the use of such risked-based monitoring a compliance professional would have the opportunity see trends developing which could allow an intervention for a prescriptive solution which could prevent an issue from becoming a Foreign Corrupt Practices Act (FCPA) violation.
Yet Locwin cautioned that compliance professionals should guard against bias. In an article by Locwin, entitled “Be Careful When Appraising Industry Trends”, he stated, “Social media has rapidly accelerated the agility with which the public can change allegiance and direction. It used to be that when information dissemination was slower and more compartmentalized within regions and market segments, that the market resistance to fluctuation was more robust. Now well-placed advertising, social commentary, or public response to corporate missteps can swirl into a maelstrom of market changes within hours that is agnostic to region or market segment.”
In today’s world, the speed at which reputational damage reigns out can overwhelm a corporation’s ability to respond. Here one might consider Wells Fargo and how fast the situation spun out of control for them after its $185MM fine was announced. It is through the use of risk-based monitoring, which allows for this almost real-time input, that a response to a forecasted, assessed or even unassessed risk can be developed. In the compliance world, such tools could be brought to bear when considering not only the expense side of such areas as gifts, travel and entertainment but also sales side data. This could be internal company data on its own salesforce and also information developed from or concerning your third-party sales team.
In Locwin’s primary world of pharmaceutical testing and product development, the need for such real-time information can be more critical. Yet through the development of these techniques as compliance tools, the compliance profession can add value to an organization through the use of risk-based monitoring. With the plethora of data on where and how corruption is likely to occur, coupled with meaningful sales and expense data, the compliance professional should be able to move from detect to prevent to prescriptive compliance solutions to prevent legal violations.
Finally, the beauty of all these techniques articulated by Locwin is that they are tools that can make companies more efficient and, at the end of the day, more profitable. They also move compliance into the fabric and DNA of an organization or in the words of Hui Chen, the former DOJ Compliance Counsel, operationalize compliance. Her intonation to operationalize compliance speaks use of a wide variety of tools to input information so you can continuously improve your compliance program. Risk-based monitoring is certainly one mechanism to obtain information and feed it back into your compliance program in both the prevent and detect prongs.
Three Key Takeaways
Determining effectiveness has been on my mind in large part since the release of the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation). Obviously the new by-word from the Evaluation is operationalization but a key in determining operationalization is determining your compliance program effectiveness. I put that question to Vincent DiCianni, CEO and founder of Affiliated Monitors and Eric Feldman, SVP of Affiliated Monitors recently.
Feldman began by explaining that you need to consider both outcomes and outputs. Outcomes will show you the results of specific actions, such as investigations and conclusions to them. DiCianni added that the numbers are attractive because they can form a “straight line” about your compliance program is function. Yet DiCianni cautioned the numbers only give you one view of a compliance program. You also need to consider the qualitative side of the equation.
This is where outputs are equally important as the form the qualitative portion of determining compliance program effectiveness. More importantly you cannot conflate the two. Feldman explained that hotline data is good example, so if your number of hotline reports drops dramatically, the company may well believe their compliance program is effective. However, Feldman cautioned this could be a tenuous conclusion “because just as easily one could conclude that your culture has taken a turn for the worse, that employees are afraid of retaliation, they don't have faith and trust in the anonymity of your hotline system and therefore they're just not reporting, but things are still going on. In fact, there may be more activity going on”.
Some important consideration are such softer measures as how employees feel about whether the company is committed to a speak-up culture. Feldman noted that by interviewing employees, you can determine if they feel “comfortable going to their managers and if their managers are involved, going to upper level management, Ethics and Compliance Office, or a corporate reporting hotline if and when they see misconduct, or do they mind their own business and look the other way because they're afraid something will happen to them?” The best way to make that determine is through in person interviews.
Another key way to determine if you have any effective compliance program is to see if there is a correlation about what a company says on paper on its vision, mission and values around compliance. Here a key metric is performance incentives, bonuses, promotions and assignments. Feldman explained you must ascertain if the financial packages are based solely on hitting your numbers “or are there elements that balance out the financial measures with ethical measures, integrity measures. For example, is a manager is effectively disseminating the ethics message and building an ethical culture in his or her work group and are they rated on that in a performance appraisal, that should be part of their bonus system.”
One valuable resource to assist the compliance practitioner in this task is entitled “Measuring Compliance Program Effectiveness: A Resource Guide”, and was issued by the Health Care Compliance Association (HCCA) and the Department of Health and Human Services, Office of Inspector General (OIG) in March 2017. Although it was publicly released after the Justice Department Evaluation, it was drafted prior to that documents release and hence did not have the benefit of the DOJ’s thinking on measuring compliance program effectiveness.
The document is an excellent resource on not only “what to measure” but equally important “how to measure” the seven elements of a compliance program as detailed in the US Sentencing Guidelines. While the focus is towards the health care industry, the concepts are broad enough for any industry or compliance practitioner to use to determine the effectiveness of their compliance program. Did I mention the cost - it is available at no charge on the OIG website.
Once again, although focused on health care compliance, the Resource Guide is practical for the non-health care compliance professional. Further, it ties into many of the concepts articulated in the Evaluation. For example, in the Evaluation, Prong 2. Senior and Middle Management, the following questions appear under the heading Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred?
In the Evaluation under Prong 3. Autonomy and Resources, the following questions appear under the heading Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?
These are a just couple of examples of how a compliance professional can begin to think through the questions laid out by the DOJ in its Evaluation. Moreover, by using the Resource Guide, you will be able to more fully determine the operationalization of your compliance program. The stated purpose is to give compliance professionals “as many ideas as possible, be broad enough to help any type of organization, and let the organization choose which ones best suit its needs.” Yet it is decidedly not a checklist but rather allows any Chief Compliance Officer (CCO) to assess the effectiveness (and operationalization) of their program.
It also allows the tailoring and measurement of how you manage your company’s risks. As the Resource Guide states, “The frequency of use of any measurement should be based on the organization’s risk areas, size, resources, industry segment, etc. Each organization’s compliance program and effectiveness measurement process will be different.”
DiCianni concluded by emphasizing the need for both a quantitative and qualitative approach to measuring compliance program effectiveness. Numbers are important but they only tell part of the equation. He stated, “Both are very important, but I think without having consideration of both sides of the equation, I do not will obtain a full understanding of how effective compliance program is in its operation.”
Three Key Takeaways
I continue my discussion of continuous improvement using big data in a best practices compliance program, with some thoughts on how to use it going forward. In an eBook, entitled “Planning for Big Data - A CIO’s Handbook to the Changing Data Landscape”, by the O’Reilly Radar Team, featured a chapter by Alistair Croll, entitled “The Feedback Economy” which informs today’s discussion.
Croll believes that big data will allow continuous improvement through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using that information to prevent, detect and remediate in a compliance program is going forward.
Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the Chief Compliance Officer (CCO) or compliance practitioner this means that if your compliance program is able to collect and analyze information better, you can act on that information faster.
Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in our data; that “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.
The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud.
A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.”
Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signals well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machine learning to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.”
Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” Yet for many CCOs or compliance practitioners, displaying the data is most difficult because it is not generally in a readable form. To say lawyers are not as proficient as other corporate types in excel or similar tools would be to state the obvious, yet that is about as sophisticated as many practitioners can get. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments.
Of course having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment decisions around hiring and firing decision, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. Once again lawyers are particularly ill suited to consider such information for reasons as diverse as training and temperament. This is yet another reason why compliance has evolved to Compliance 2.0, Compliance 3.0 and beyond. Big data allows you to make a quicker assessment of the impact of measured risks. It advocates “fast, iterative learning.”
Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”.
The three prongs of any best practices compliance program are prevent, detect and remedy. Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you should facilitate a more agile and directed compliance program. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of continuous improvement, I do not know what does.
Three Key Takeaways
In 2015, the Securities and Exchange Commission (SEC) announced resolution of a Foreign Corrupt Practices Act (FCPA) enforcement action involving the Hitachi Ltd (Hitachi). There were several interesting aspects to this enforcement action and plenty of lessons to be learned by the compliance practitioner going forward. This enforcement action also presented one of the clearest cases for keeping track of current events for continuous improvement I have seen.
Perhaps the most interesting aspect of the Hitachi matter is that it involved bribery of a political party, the African National Congress (ANC). This portion of the enforcement action stands as a stark reminder that political parties are covered by the FCPA just the same as government officials. The FCPA Guidance states: “The FCPA’s anti-bribery provisions apply to corrupt payments made to (1) “any foreign official”; (2) “any foreign political party or official thereof ”; (3) “any candidate for foreign political office”; or (4) any person, while knowing that all or a portion of the payment will be offered, given, or promised to an individual falling within one of these three categories.” Although the statute distinguishes between a “foreign official,” “foreign political party or official thereof,” and “candidate for foreign political office,” the term “foreign official” in this guide generally refers to an individual falling within any of these three categories.
The bribery schemes themselves were notable only for their blantantness. Andrew J. Ceresney, Director of the SEC’s Enforcement Division, said in the SEC Press Release “Hitachi’s lax internal control environment enabled its subsidiary to pay millions of dollars to a politically-connected front company for the ANC to win contracts with the South African government. Hitachi then unlawfully mischaracterized those payments in its books and records as consulting fees and other legitimate payments.” Moreover, according to the Complaint:
The enforcement action does point up the oft-times difficulty in providing corporate social responsibility and distinguishing it from outright corruption in certain countries. As noted in an article in the Wall Street Journal businesses “operating in South Africa are encouraged to take on black business partners under the ANC’s policy of black economic empowerment (BEE), intended to redress economic imbalances created by apartheid.” Yet, critics claim that there is a “blurred line between business and politics in the awarding of state tenders” in South Africa. However, the ANC front group was charged “only approximately $190, 819 stake which returned to it over $5MM in “dividends” and another $1MM in a “success fee” for contracts to Hitachi worth “about $5.6bn.”
This case demonstrates the need for a CCO to keep track of current events. It does not mean you must read the biggest newspapers on a daily basis, although that certainly would help. You must rely on your business folks on the ground to keep track in the changes of personnel of joint ventures or other local partnerships. Moreover, there are several automated due diligence services which literally provide daily updates on a wide variety of persons and individuals who might change positions in a government or move from the public sector to the private sector or back.
In many under-developed countries, there is a relatively small group of well-educated technocrats who move back and forth from the government to the private sector and back. They are also often involved in political parties. So today’s private might be tomorrow’s Politically Exposed Person (PEP) or indeed may have been yesterday’s PEP. This requires you to navigate carefully as these are most usually jurisdictions which are high-risk for corruption.
For the compliance practitioner, the Hitachi SEC enforcement action provides a valuable reminder that the FCPA covers more than foreign government officials and officials of state owned enterprises. Political parties are also covered so that if part of your corporate social responsibility includes payments to political party front groups, your company could get into FCPA hot water. Yet it also means you will need to keep abreast of just who your counter-parties during the entire course of your commercial relationship. This means keeping up with current events is a must and can facilitate continuous improvement.
Three Key Takeaways
Another mechanism to facilitate continuous improve comes from ideas around risk assessments. Both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) make clear the need for a risk assessment to inform your compliance program. I believe that most, if not all CCOs and compliance practitioners understand this well-articulated need. The FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” While many compliance practitioners have difficulty getting their collective arms about what is required for a risk assessment and then how precisely to use it; the FCPA Guidance makes clear there is no ‘one size fits all’ for about anything in an effective compliance program.
One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. Of course, this can be a notoriously expense exercise. However, if there is one thing that I learned as a lawyer, which also applies to the compliance field, it is that you are only limited by your imagination. So using the FCPA Guidance’s no ‘one size fits all’ proscription, I would submit that is also true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters.
The idea comes from Jan Farley, the Chief Compliance Officer at Dresser-Rand and he calls it the ‘Desktop Risk Assessment’. I think it is an excellent tool for continuous improvement. Moreover, it is a tool you can employ at little to no cost by you or your compliance team and on an ongoing basis. It is something you can use as often as quarterly, semi-annually or annually. Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:
There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.
This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the areas you can assess. My suggestion is that you try identifying and focusing on core compliance components in your organization. Obviously there are probably a million things you could fix. However, you cannot fix everything, so you must make a decision about your primacies, and then act on them. A Desktop Risk Assessment may well help you to do so.
If you perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. Do not forget that the FCPA Guidance ends its section on risk with the following, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” By using the Desktop Risk Assessment, you can answer any regulator who asks what have you done to manage the risks in your company, by using the resources and tools that were available to you.
Three Key Takeaways
Continuous improvement requires that you not only audit and monitor but also that you test your controls. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. Finally, under Prong 9 of the Evaluation of Corporate Compliance Programs, under the area of Control Testing, it asks the following question: What control testing has the company generally undertaken? Controls testing is key component enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for continuous improvement.
As the COSO 2013 Internal Controls Framework provides a roadmap to test your controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing testing and evaluation” program going forward.
First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.” A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”
COSO suggests a four-pronged approach in your testing, which I have adapted for the compliance practitioner. (1) Make an overall test of your company’s controls. This should include an analysis of whether each control is present and functioning and they are operating together in an integrated manner. (2) There should be a control component evaluation to determine if any control deficiency is found you can move to see if there are any compensating controls. (3) Test whether each control furthers the legal or business requirement you are trying to meet and then determine if a deficiency exists, what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis for continued improvement.
Another way to think through testing could be to consider the controls to affect the principle and would allow internal control deficiencies to be noted along with an initial review of the control failure. The next step would be to roll up the results of the evaluations. Next would be a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall testing allows you to consider if the controls are operating together in an integrated manner. This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could test if your internal controls were up to the new situations or needed adjustment.
Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA 2012 Guidance, this could be deemed a control failure (The Guidance states the following policies should exist: on “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”).
If there are no objective criteria, as laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? COSO suggests that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.” The key is to document the reasoning of the boundaries and then follow them.
This Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program whether based upon the FCPA, UK Bribery Act or some other regulation. When the SEC comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the both SOX 404 requirements and the FCPA’s internal controls provisions. Finally, it provides a way to continuously improve your controls.
Three Key Takeaways
Today I consider a fraud audit by using data analytics to help detect or prevent bribery and corruption where the primary sales force used by a company are its FCPA and Chinese domestic law, involved China based employees defrauding their company by using false expense reports to create a pot of money to use as a slush fund to pay bribes. Here you can think back to the Eli Lilly FCPA enforcement action from 2012 up to the 2014 GlaxoSmithKline Plc (GSK) problems as examples of where employees used their expense accounts not for personal use but for greater corporate malfeasance.
Joe Oringel, co-Founder and co-Principal of Visual Risk IQ, related case studies where his organization used data analysis to review employee expense reports and how that experience can be used to formulate the same type of fraud analysis for a CCO or compliance practitioner. Also of this can be used as ongoing monitoring to facilitate continuous improvement of your compliance program.
One common technique fraudsters use is to split larger purchases across multiple smaller transactions, so their organization has designed their data analytics queries to detect such split transactions. An example might be where procurement cards (P-cards) are used for certain low dollar-value expenses. If a company has a procurement card limit for employees in their organization, which is $3,000 for a single transaction and $10,000 in aggregate spend for a single month; it would want to identify any use of P-cards for larger dollar transactions used for inappropriate or illegal purchases.
Contrast this with the problem of split payments. This is the situation where a single invoice is divided and the full amount of the payment is made in two or more simultaneous transactions, all done by different types of internal corporate payments. The key is to understand where the invoices are coming from and if only one vendor or supplier, investigate who is splitting the payments and why.
Another area to focus on using data analytics is gift, travel and entertainment (GTE), to identify out-of-policy expense reports and out-of-compliance expenses. Here the biggest issue is “double dipping”. This means an expense is recorded once on a T&E report and then a second time on another expense report or a P-card charge or other type of expense. These are examples that can be uncovered with data with analytics and from there you can move to determine if they might be an intentional, as opposed to an unintentional, mistake.
In the case of double dipping, a key is to look for the same airfare or hotel or meals, perhaps being reported on multiple employees’ T&E expense reports. An example might be where an employee takes another employee out for a business meal; they pay for the meal on one expense report. Then separately a coworker records the meal, same day, same city, and claims that employee as one of their attendees. We find these sorts of situations with our analytics, and these are clear examples of suspicious transactions that ought to be discussed with both employees”
Other examples of double dipping include duplicate transactions between meals and per diem allowances, or mileage and company vehicles or rental cars. These are all things that can be identified with data analytics that are very difficult for an individual approver to see on a single expense report. The reason is that when you are tasked with approving an employee’s expense report, the reviewer most often has single report in front of themselves for review. This makes it difficult to recall who would have submitted a report one or two months ago, and it’s very possible that somebody submitted an airplane ticket when the ticket was purchased, and then six weeks later when they took the trip, that air expense could be reported a second time.
This same issue could arise with P-card purchases if you have an approver considering a single $2,500 purchase who approves that purchase on Monday and then again on Friday. Yet had those two transactions been on the same day, more than the employee’s spending limit, the approver might not have approved both, but because they were submitted on different dates, it may well appear to the approver they were two separate transactions. With data analytics, you can aggregate those multiple trip or P-card reports into a single report, to help a reviewer or an approver determine whether the transactions meet employees’ policies, both individually and in the aggregate.
This double dipping technique led to two anti-bribery compliance enforcement actions. One in the US involving Eli Lily and a second in China involving the US pharmaceutical entity GSK. So the risk is real and by using ongoing data monitoring you might not only get ahead of the legal violation but you would have a much more efficient business process going forward.
Three Key Takeaways
What is organizational culture? Eric Feldman, SVP at Affiliated Monitors has said it comprises the mission, vision and values of an organization. A similar way to consider it might be as a company’s values, visions, norms and beliefs. Whichever way you define it or look at it, corporate culture affects how groups within a company interact with each other. A key inquiry is whether the corporate incentive structure supports the articulated beliefs of a company. How does one measure or audit these articulations?
Jose Tabuena in an article entitled, “Can You Audit Corporate Culture” said that “an important feature of a good culture is that the majority of employees can be positively influenced by values and environments that reinforce strong company values. Such a climate arises when the workforce believes that certain forms of ethical reasoning and behavior are expected norms for decision making. The ethical climate of an organization serves many useful functions in organizations. It helps employees identify ethical issues and address those issues by giving answers to “What should I do?” when faced with an ethical dilemma.” The oft-used corporate tactic to blame the ubiquitous ‘rogue employee’ is an “attempt to deny the flaws in the system and the culture that spawned the bad acts in the first place.”
Some of the techniques for measurement include employee interviews, focus groups and employee surveys to measure corporate culture. This is because through “identifying cultural strengths and areas needing improvement, a cultural assessment can guide the creation of communications plans and culture-building initiatives that are tailored to the company's needs. In many cases, an effective strategy may be to target weak spots while simultaneously anchoring the overall message to positive values already strongly shared across the organization.” It is important to understand that corporate culture will not be uniform across geographies, functional areas or operating systems. But this can be useful in comparing the results.
Feldman noted some of the key areas of concern in a culture audit are the following
Operation Stresses. These can greatly influence a company's culture, making it periodically necessary to determine whether the company is on track. If your CEO says that your only goal is the make your numbers, that is an operation stress to hit the target goal and the implicit message is that you must do so by any means possible. Internal audits and other forms of evaluation and measurement allow for course correction and reinforcement as needed.
Retaliation. There is nothing more toxic in the workplace than the fear of raising your hand to report an issue and facing retaliation. It is also a harbinger of other negative cultural factors such as specific or even general distrust of management. Here you should consider whether employees are willing to address matters with their immediate supervisor or to use the compliance hotline and what would happen if they reported misconduct can be meaningful. An even better approach would be to measure a company on how issues are reported and ultimately addressed. A final test is the work place promotion and incentive history of internal whistleblowers going forward in the employment tenure with the organization.
Compensation and Incentives. Basically, does the compensation scheme and promotion to management consider compliance as a key indicia as employee promotion, compensation and incentive programs can convey positive cultural messages. Consider that Wal-Mart, after it began its years-long FCPA investigation in 2012, began basing a portion of compensation for top executives on the company's ability to meet compliance goals. If executives do not meet their compliance objectives, they risk having their annual bonuses reduced. Therefore, one measure to incentivizing compliance is the degree to which ethical business practices have been factored into executive-level performance evaluations and/or compensation criteria. This can be leveraged down into the organization as well.
Senior Management Tone. You should question employee turnover and retention such for information. Through employee interviews, he believes that one can ascertain whether the turnover rate is attributed to organizational transition or stress stemming from management's philosophy and operating style, which might include such things as inappropriate compensation packages, unreasonable sales goals, requirements, etc.
HR Employee Lifecycle. It is important that a company actively recruit new hires based on its mission, vision and values of an organization and reinforce these when people join the company. All of this can be done through a rigorous hiring process, which incorporates a company’s ethical values into the process. But it does not stop at the hiring and onboarding process. It should occur during every Human Resources touchpoint in the employee lifecycle, during reviews and evaluations, consideration for promotion and even at departure. You will need to review the records of employees who have had poor compliance evaluations in the past years and determine whether those employees had appropriate qualifications relative to their job descriptions. The review should be performed with an eye toward ascertaining whether the company's hiring and promotion practices appropriately noted compliance qualifications, skill set, and delegated authority to their formal position and job description.
Companies must have a high-performance corporate culture for doing business ethically. One of the ways to do so is through the culture audit. It can also be a powerful tool for continuous improvement going forward. Find out what your employees are saying about your corporate mission, vision and values and most importantly remediate if those mission, vision and values are found wanting.
Three Key Takeaways
In my last corporate position, my company was at the cutting edge because we required compliance related audits for vendors in the supply chain. This was cutting edge in 2007-08. However, now an audit for adherence to compliance requirements has become a standard best practice in the management of business relationships with third party vendors which work with a company through the supply chain. In several settlements of enforcement actions through both Deferred Prosecution Agreements (DPA) and Non-Prosecution Agreements (NPA), in the 2012 FCPA Guidance, the Department of Justice (DOJ) and most recently in the Evaluation of Corporate Compliance Programs; made it clear that a best practices FCPA compliance program includes the right to conduct audits of the books and records of its suppliers to ensure compliance. Many companies have yet to begin their audit process for FCPA compliance on vendors in their supply chain. I find this to be a missed opportunity from both the compliance perspective and greater business efficiency.
Initially it should be noted that a company must obtain the right to audit for compliance in its contract with any third-party vendor in the supply chain. Such an audit right should be a part of a company’s standard terms and conditions. A sample clause could include language such as the following:
The vendor shall permit, upon the request of and at sole discretion of the Company, audits by independent auditors acceptable to Company, and agree that such auditors shall have full and unrestricted access to, and to conduct reviews of, all records related to the work performed for, or services or equipment provided to, Company, and to report any violation of any of the United States Foreign Corrupt Practices Act, UK Bribery Act or any other applicable laws and regulations, with respect to:
In Industrial Engineer Magazine, in an article entitled, “Dynamic Changes” authors Tariq Aldowaisan and Elaf Ashkanani discussed the audit program utilized by the Kuwait National Petroleum Company (KNPC) for its supply chain vendors. Although the focus of these audits is not to review FCPA compliance, the referenced audits are designed to detect and report incidents of non-compliance, which would also be the goal of a FCPA compliance audit. Utilizing ISO 19011 as the basis to set the parameters of an audit, the authors define an audit as a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The authors list three factors, which they believe contribute to a successful audit: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. More simply, the action steps for the process can be described as one to (1) capture the data; (2) analyze the data; and (3) report on the data.
There is no one specific list of transactions or other items which should be audited, however some of the audit best practices would suggest the following:
This list is not exhaustive. For instance, there could be an audit focus on internal controls or segregation of duties. Any organization which audits a business partner in its supply chain should consult with legal, audit, financial and supply chain professionals to determine the full scope of the audit and a thorough and complete work plan should be created based upon all these professional inputs. After an audit, an audit report should be issued. This audit report should detail incidents of non-compliance with the compliance program and recommendations for improvements. Any reported incidents of non-compliance should reference the basis of any incidents of non-compliance such as contractual clauses, legal requirement or company policies.
Three Key Takeaways
Today I visit with Timur Khasanov-Batirov. Tim is a compliance practitioner with focus at high-risk markets and author of practical guide “Integrity Corp. 50 Tips for Your Compliance Program in the Post-Soviet States”. Timur has worked in compliance, legal, consulting, and corporate governance roles in Russia, Uzbekistan, the United States, Kazakhstan, and Ukraine. He has successfully launched and supervised execution of compliance programs for global and local businesses in the mining, energy, and pharmaceutical industries.
Tim has also recently released the first two installments of Compliance Man the first graphic novel of a compliance practitioner. You can find out more about Tim on his firm’s website, Complianceinpostussr.com.
We look at the former Soviet Union states, one of the most interesting region for Compliance professionals. we will touch 10 hot questions on corporate ethics in this region. Tim answers the following questions
1: Can we define this region as a single territory for the Compliance program structuring?
2: What regulatory trends should be taken in consideration by compliance practitioners in charge of this geography?
3: What is the biggest challenge in embedding corporate Compliance program in this region?
4: Do you have any practical recommendations as to “dissemination of integrity” among personnel locally?
5: Is it legally permissible to deploy our FCPA/UKBA programs in the countries of the region?
6: What is the most effective way to deliver training in this part of the world?
7: If there are any important things to remember when imposing penalties for misconduct on local personnel?
8: Do people on the ground appreciate compliance & ethics efforts?
Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for continuous controls monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, controls monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to controls monitoring, they may not be as aware of how to engage in the process. Put another way, how do you develop a methodology for building a controls monitoring process that yields sustainable, repeatable results?
I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained that their firm has a five-step process. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.
Under this step, the controls monitoring specialist, subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the controls monitoring queries and a prioritization thereon. This initial meeting should include company representatives from a variety of disciplines including compliance, audit, IT, legal and finance departments, sales and business development may also need to be considered for this initial brainstorming session.
Acquire and Map Data
The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and ensure files are viewable only by team members with a “need to know”. Balancing, which consists of comparing the number of records, checksums, and controls totals between the source file (as computed by the file export) and then re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example if you are required to obtain year-end data year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year end processes.
Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple controls processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Asset Control (OFAC), the Transparency International - Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlation between spending and sales as these may be significant. Finally, do not forget external data sources such as your third-party controls. All data should initially be secured and then transmitted to the controls monitoring tool. Of course, you need to take care that your controls monitoring tool understands and properly maps this data in the form that is submitted.
This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the controls monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:
Analyze and Report
In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and were such payments within your contracts terms and conditions.
Refine and Sustain
This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely if your selected amount was so low that it did not generate sufficient controls, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.
If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of controls monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.
Three Key Takeaways