Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2019
May


2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: Category: compliance know-how
Feb 14, 2018

In this episode, Matt Kelly and I go into the weeds on the fascinating subject relating to the intersection of compliance and technology: AI and hotlines. Matt blogged on and podcasted with Scott LaVictor, CEO of Neighborhood Watch for Corporations. His firm has been developing an app to help employees report harassment in a way that is secure and anonymous for them, but useful for compliance officers. We explore how this phone app can assist the compliance practitioner by using technology to overcome the inherent tension in an anonymous reporting system where the reporter may desire anonymity while the CCO wants and needs as much information as possible. 

The hotline app example would seem to incorporate several of these concepts starting with an incredible ease of use as a phone app. But the AI features allow it to inquire directly from the reporter additional information which will be important to the compliance professional. We discussed the following example from Matt’s blog post; “an employee might call a telephone hotline and leave a recorded message, “I saw my boss bribing some guy $500 the other day!” An app could be programmed to ask: 

  • What is your boss’s title?
  • Had he met with the other person before?
  • What time of day did the meeting happen? 

We also discuss why if there was one technology tool for compliance to be bullish about it is AI. There is an obvious cost savings but more importantly there is the opportunity for more effective compliance risk management simultaneously with greater business efficiencies. All of this will lead to more profitability that the compliance function can point to going forward. This can include overseeing routine transactions, answering routine questions and extracting data from documents can be moved to a more efficient and useful platform. 

For additional reading and listening, see 

Matt’s blog post and podcast

Better Whistleblower Reporting

 

Tom’s blog posts

Using AI in Compliance-Introduction

Using AI in Compliance-Design Challenges

Using AI in Compliance-Implementation Challenges

Using AI in Compliance-AI Projects for Compliance

Jan 31, 2018

I hope you have enjoyed this 31-day series on how to design, create and implement a best practices compliance program. These blog posts and podcasts over the past 13 months will form the basis of my next book The Complete Compliance Handbook which will be published by Compliance Week in April, 2018. It will be the most up-to-date handbook for every compliance practitioner, including the most recent Department of Justice pronouncements on what constitutes a best practices compliance program, in the FCPA Corporate Enforcement Policy and the Evaluation of Corporate Compliance Programs. I know you will find it useful.

I next want to take a deep dive and exploration of the levels of due diligence. Due diligence is generally recognized in three levels: Level I, Level II and Level III. Each level is appropriate for a different level of corruption risk. The key is for you to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

Under the Evaluation of Corporate Compliance Programs (Evaluation) it states in Prong 10. Third Party Management: Risk-Based and Integrated ProcessesHow has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

The question becomes how do you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach of varying levels of due diligence is the appropriate analysis to take going forward.

A three-step approach was discussed favorably in Opinion Release 10-02. In this Opinion Release, the Department of Justice (DOJ) discussed the due diligence that the requesting entity performed. This Opinion Release sets out a clear break which every compliance practitioner should use in considering an appropriate level of due diligence to engage with your third-party risk management process or when considering the level of due diligence required on a potential business venture partner. I break due diligence down into three stages: Level I, Level II and Level III. A very good description of the three levels of due diligence was presented by Candice Tal in an article entitled “Deep Level Due Diligence: What You Need to Know”.

Level I

First level due diligence typically consists of checking individual names and company names through several hundred Global Watch lists comprised of anti-money laundering (AML), anti-bribery, sanctions lists, coupled with other financial corruption and criminal databases. These global lists create a useful first-level screening tool to detect potential red flags for corrupt activities. It is also a very inexpensive first step in compliance from an investigative viewpoint. Tal believes that this basic Level I due diligence is extremely important for companies to complement their compliance policies and procedures; demonstrating a broad intent to actively comply with international regulatory requirements.

Level II

Level II due diligence encompasses supplementing these Global Watch lists with a deeper screening of international media, typically the major newspapers and periodicals from all countries plus detailed internet searches. Such inquiries will often reveal other forms of corruption-related information and may expose undisclosed or hidden information about the company; the third party’s key executives and associated parties. I believe that Level II should also include an in-country database search regarding the third party. Some of the other types of information that you should consider obtaining are country of domicile and international government records; use of in-country sources to provide assessments of the third party; a check for international derogatory electronic and physical media searches, you should perform both English and foreign-language repositories searches on the third party, in its country of domicile, if you are in a specific industry, using technical specialists you should also obtain information from sector specific sources.

Level III

This level is the deep dive. It will require an in-country ‘boots-on-the-ground’ investigation. I agree with Tal that a Level III due diligence investigation is designed to supply your company “with a comprehensive analysis of all available public records data supplemented with detailed field intelligence to identify known and more importantly unknown conditions. Seasoned investigators who know the local language and are familiar with local politics bring an extra layer of depth assessment to an in-country investigation.” Further, the “Direction of the work and analyzing the resulting data is often critical to a successful outcome; and key to understanding the results both from a technical perspective and understanding what the results mean in plain English.  Investigative reports should include actionable recommendations based on clearly defined assumptions or preferably well-developed factual data points.”

But more than simply an investigation of the company, critically including a site visit and coupled with onsite interviews, Tal says that some other things you investigate include “an in-depth background check of key executives or principal players. These are not routine employment-type background checks, which are simply designed to confirm existing information; but rather executive due diligence checks designed to investigate hidden, secret or undisclosed information about that individual.” Tal believes that such “Reputational information, involvement in other businesses, direct or indirect involvement in other law suits, history of litigious and other lifestyle behaviors which can adversely affect your business, and public perceptions of impropriety, should they be disclosed publically.” 

Further, you may need to engage a foreign law firm, to investigate the third party in its home country to determine their compliance with its home country’s laws, licensing requirements and regulations. Lastly, and perhaps most importantly, you should use a Level III to look the proposed third party in the eye and get a firm idea of his or her cooperation and attitude towards compliance as one of the most important inquiries is not legal but based upon the response and cooperation of the third party. More than simply trying to determine if the third party objected to any portion of the due diligence process or did they object to the scope, coverage or purpose of the Foreign Corrupt Practices Act (FCPA); you can use a Level III to determine if the third party is willing to stand up with you under the FCPA and are you willing to partner with the third party?

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions into your program. The Level I, II & III trichotomy appears to have the greatest favor and one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags you should do so. And do not forget to Document Document Document all your due diligence. 

Three Key Takeaways

  1. A Level I due diligence should be only used where there is a low risk of corruption.
  2. A Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to clear.
  3. Level III due diligence is deep dive, boots on the ground investigation.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 30, 2018

We previously considered the Prong in the Evaluation of Corporate Compliance Programs which was not present in the Ten Hallmarks of an Effective Compliance Program; that being root cause analysis. This addition was also carried forward as a requirement in the Department of Justice’s new FCPA Corporate Enforcement Policy. I want to consider how you should utilize the results of a root cause analysis in remediating a compliance program. 

Under Prong 1 Analysis and Remediation of Underlying Misconduct, the Evaluation stated: 

Remediation – What specific changes has the company made to reduce the risk that the same or similar issues will not occur in the future? What specific remediation has addressed the issues identified in the root cause and missed opportunity analysis? The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”. 

I begin with the question of who should perform the remediation; should it be an investigator or an investigative team which were a part of the root cause analysis? I put this question to well-known fraud expert Jonathan Marks, a partner at Marcum LLP who believes the key is both “independence and objectivity”. It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse.” Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

 

Ben Locwin considered it from the ‘blame’ angle, when he wrote “Simply ‘cataloguing’ and ‘assigning cause’ to a defect or error is not compliance. Compliance presumes systems and processes are designed to adhere to regulatory pronouncements. Selecting ‘human error’ from a dropdown list and assigning it as root cause means that user is accountable for having thoroughly investigated the causal factors of the error or defect, identifying and determining which root causes(s) are most likely, according to the preponderance of evidence, to have been associated with the defect. This means the person selecting the root cause has actually performed 5 Whys, fishbone diagram analysis, human factors analysis, fault tree analysis, and/or many other tools for actually determining root cause(s).” 

Locwin went on to state that it is “unlikely that the real cause of the deviation was human error, it makes sense to adopt the lean manufacturing principle of a no-blame culture. Use an error as an opportunity for elevating your company’s problem-solving processes; don’t think of it as an annoyance that must be rapidly misclassified and pushed into the deviation process black box.

This means not blaming some individuals and terminating them but actually fixing the broken compliance systems which allowed the violation in the first place.” 

As required under the Evaluation, from the regulatory perspective, the critical element is how did you use the information you developed in the root cause analysis. Literally every time when you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

 

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be repeatable, step-by-step processes, in which one process can confirm the results of another. By focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event you will have a much more robust solution in place. This is because the solution(s) are more effectively when accomplished through a systematic process with conclusions backed up by evidence. 

Three Key Takeaways

  1. An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against. 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 30, 2018

Welcome to Episode 9 of Compliance Man Goes Global podcast of FCPA Compliance Report International Edition. In this episode, we will focus on things, which actually could kill compliance in the organization. We will explore this matter in a plain language so to say and in the simple game form. Moreover, to make the podcast handy and more appealing we attach respective illustration from the Compliance Man illustrated series, created by Timur Khasanov-Batirov. 

For those of our listeners who are not aware about our format, in each podcast, we take two typical concepts or more accurately misconceptions from in-house compliance perspective. We check out if these concepts work at emerging jurisdictions. For each podcast, we divide roles with Timur, a practitioner who focuses on embedding compliance programs at high-risk markets. One of us will advocate the concept identifying pros. The second compliance man will provide arguments finding cons and trying to convince audience that that we face a pure myth. As a result, we hopefully will be able to come up with some practical solutions for in-house compliance practitioners.

Myth #1 Absence of support from top management could kill compliance as a concept in the organization. Tim, would you agree with this statement? 

Tim Khasanov-Batirov: I think we should define whom we consider a top management and what we mean by support. If we start with a question of top management, I would think that there is no need to expect appreciation or kind attitude to compliance from everyone among senior management. It will never happen. You obviously want to have an understanding of what you have been doing among your company’s decision-makers. Still it does not lead to full support in everything a compliance officer is proposing. I believe it is about values. If key stakeholders appreciate integrity and compliance that something which really matters for compliance officer.   

 

The second question is about support. Based on my practice there is no way to have daily support from everyone in the organization. If compliance person maintains good working relations with employees from different levels of corporate hierarchy, that makes operationalization of compliance program more effective. What is your opinion, Tom? 

Tom:  A couple of things come to my mind, Tim: First and foremost, There are several key issues why top management support is more than simply critical, it is mandatory. It is senior management that sets the priority of a company and if they are not committed to compliance and ethics, everyone in the organization will understand it. I often provide the example of Regional VP who said the following: If I violate the Code of Conduct, I may or may not be caught; If I violate the Code of Conduct and am caught, I may or may not be disciplined; If I miss my numbers for two quarters I will be fired. If senior manage focuses only on numbers, that will be communicated throughout the organization. 

Yet another key issue I would like to touch upon is the question of trust. When a compliance officer is promoting a compliance initiative across the organization, they could be successful if employees embrace it. He has to demonstrate that they have being doing right thing rather than just executing corporate compliance requirements. You can achieve this result if people trust you. If there is no trust neither senior management, nor employees will support compliance. What must a compliance officer should do to get trust? Just be risk oriented, try to suggest ethical solutions to achieve business tasks, be open-minded, and feel interested in corporate processes. In other words, you must operationalize compliance to make it a part of the very DNA of your organization. You have to become a trustworthy partner in order to get the level of support required for effective execution of the corporate compliance program.   

Myth #2. Bad corporate culture can kill Compliance in the organization. Tim, will you agree with this concept?

Tim: I agree that culture of non-compliance could kill the compliance idea in the organization. I believe that no matter if it is a big corporation or a small firm the culture starts from the CEO. There is always someone in the organization who is not a fan of compliance. It is fine, unless CEO himself does not support ethics. In this case, you have no chance to survive. In our attached issue of the Compliance Man illustrated series, we have depicted challenges, which compliance professionals face. However, in my view issues like decrease of the department’s headcount or budget are something, which cannot stop compliance officer.       

Tom: I believe that strong ethical culture is a key factor for building a solid compliance program. From practical perspective, I think surveying personnel about their attitude towards integrity could give you a real picture about state of culture in your organization. Another point to mention is the necessity to understand views of managers who due to their job responsibilities pose compliance risks, those in high-risk positions. This may be heads of construction or procurement teams as they interact with governmental officials. In ideal scenario, they share your values or at least strictly follow respective compliance procedures. In the worst case your efforts in embedding compliance program could be diminished by ignorance from actors which play critical role in its effectiveness.   

Thus, as key takeaways from today discussion, which is inspired by famous Unstoppable video of Sia, I think we can mention the following:

  • A compliance officer should be ready to overcome difficulties at all stages of compliance program execution. The best way to do it is to obtain trust from key stakeholders, win minds and hearts for compliance and never give up. Just be unstoppable.

Tom Fox and Tim Khasanov-Batirov are here for you. Join us for the next episode of Compliance Man Go Global episode of FCPA Compliance Report International Edition. Let’s bust more corporate compliance myths with us.

Jan 29, 2018

One new and different item was laid out in the Evaluation of Corporate Compliance Program, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may led to a self-disclosure or enforcement action. Under Prong 1 Analysis and Remediation of Underlying Misconduct, the Evaluation stated: 

 Root Cause AnalysisWhat is the company’s root cause analysis of the misconduct at issue? What systemic issues were identified? Who in the company was involved in making the analysis?  

 Prior IndicationsWere there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?  

The new Department of Justice (DOJ) FCPA Corporate Enforcement Policy brought forward this requirement for a root cause analysis with the following language: “Demonstration of thorough analysis of causes of underlying conduct (i.e., a root cause analysis) and, where appropriate, remediation to address the root causes;”. 

The site Thwink.org has defined root cause analysis as “The purpose of root cause analysis is to strike at the root of a problem by finding and resolving its root causes. Root cause analysis is a class of problem solving methods aimed at identifying the root causes of problems or events. ... The practice of root cause analysis is predicated on the belief that problems are best solved by attempting to correct or eliminate root causes, as opposed to merely addressing the immediately obvious symptoms.” 

Well known fraud investigator Jonathan Marks, has noted, has noted a root cause analysis “is a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” 

Marks also contrasted a root cause analysis with an investigation. He noted, “in an investigation we are try to either prove or disprove an allegation.” This means that in a compliance investigation you may be trying to prove or disprove certain transactions could form the basis of a corrupt payment or bribe by garnering evidence to either support or refute specific allegation or allegations. You do not assess blame and that is the point where a root cause should follow to determine how the compliance failure occurred or was allowed to occur. 

There is no one formula for performing a root cause analysis. An approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the site iSixSigma.com believes this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “5 Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.” 

Yet another approach was suggested by risk management expert Ben Locwin in an article entitled, "Human Error" Deviations: How You Can Stop Creating (Most Of) Them”. It is the “Fishbone Diagram”, also known as the “Ishikawa diagram” for its progenitor, Kaoru Ishikawa, if because it looks like the skeleton of a fish. Locwin noted that “You put the problem statement at the “head” of the fish, and the causal factor categories as the “ribs” (remember, fish have cartilage, not bone, so these categories can be adjusted to suit your needs). By having a working group list causal factors under each category, you begin to develop a visual of how many things could contribute to your main effect (the problem statement).” 

The bottom line is there are multiple ways to perform a root cause analysis. However, it is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer which is provided to you, as you might in an internal investigation. Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they're doing.”

Three Key Takeaways

  1. A root cause analysis is now required if you have a reportable compliance failure.
  2. There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.
  3. To properly perform a root cause analysis, you need these trained professionals who really understand what they're doing. 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

 

Jan 28, 2018

Your company has just made its largest acquisition ever and your Chief Executive Officer (CEO) says that he wants you to have a compliance post-acquisition integration plan on his desk in one week. Where do you begin? Of course, you think about the 2012 FCPA Guidance language which stated, “pre-acquisition due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.” You also recall that the 2012 Guidance did not have the time lines established in the previous enforcement actions involving Johnson & Johnson (J&J) and Data Systems & Solutions LLC and the Opinion Release 08-02, the Halliburton Opinion Release. Yet you do remember the FCPA M&A Box Score Summary of Opinion Release and enforcement actions regarding M&A issues.

You are also aware of the language from the Evaluation of Corporate Compliance Programs about mergers and acquisitions (M&A), which reads under Prong 11, Mergers and Acquisitions:

Integration in the M&A ProcessHow has the compliance function been integrated into the merger, acquisition, and integration process? 

Process Connecting Due Diligence to ImplementationWhat has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities? 

Yet many compliance professionals struggle with is how to perform these post-acquisition compliance integrations. An article from the Harvard Business Review, entitled “Two Routes to Resilience”, Clark Gilbert, Matthew Eyring and Richard Foster wrote about business transformation which speak directly to the compliance practitioner to help create post-acquisition integration game plan.

Anyone who has gone through a large merger or acquisition knows how terrifying it can be for the individual employee. Many people, particularly at the acquired company will be fearful of losing their jobs. This fear, mis-placed or well-founded, can lead to many difficulties in the integration process. The creation of a Compliance Capabilities Exchange process which allows “the two organizations to live together and share strengths” and will coordinate “the two transformational efforts so that each gets what it needs and is protected from [unwanted] interference by the other.” There are five steps in this process.

  1. Establish Compliance Leadership. While this may be the “simplest step but also the one most open to abuse.” The process should be run by just a few top people, the Chief Executive Officer, Chief Financial Officer and Chief Compliance Officer of the acquiring company and a similar counter-part from the acquired company.
  2. Identify the compliance resources the two organizations can or need to share. Hopefully the acquiring organization will have some idea of the state of the compliance program before the deal is closed. It may be that there is some or all of a minimum best practices compliance program in place.
  3. Create Compliance Capability Exchange Teams. In many “synergy efforts, everyone is expected to think about ways resources might be shared.” Senior leadership should create compliance teams by assigning a small number of people from both entities with the responsibility of allocating resources used in the integration project.
  4. Protect Boundaries. This one is tricky as employees from the former target may not want to move forward with the integration; for fear of losing their jobs or some other reason. There may be internal disputes as to which group may handle an issue going forward. Once again, the Leadership Team must step in and referee disputes decisively if required.
  5. Scale up and promote the new compliance program. It is important to celebrate and promote the new entity to both the acquiring company, others in the company and even external stakeholders. It is important that markets and others in the same or similar industry see this evolution and growth.

The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based your pre-acquisition due diligence and risk assessment. Moreover, the Justice Department and SEC clearly view both the pre-and post-acquisition phases of mergers and acquisitions as tied together in a unidimensional continuum. If  pre-acquisition due diligence is not possible, you should the requirements and time frames laid out in Opinion Procedure Release No. 08-02, so as was noted in the 2012 FCPA Guidance, “pursuant to which companies can nevertheless be rewarded  if they choose to conduct thorough post-acquisition FCPA due diligence.

Three Key Takeaways

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes. 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 27, 2018

A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.” While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners for the need to engage in robust pre-acquisition due diligence.

Under Prong 11. Mergers and Acquisitions; there were a series of queries which tied together how pre-acquisition due diligence and post-acquisition integration. Due Diligence ProcessWas the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What has been the M&A due diligence process generally? 

The pre-acquisition process was then tied to post-acquisition with the following: Process Connecting Due Diligence to ImplementationWhat has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures at new entities? 

The 2012 FCPA Guidance emphasized the pre-acquisition phase and the Evaluation took a deeper dive into the need for the compliance component of your mergers and acquisition regime to begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.

The next step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

There are multiple red flags which could be raised in this process, which would warrant further investigation. They include if the target has ineffective compliance program elements in their compliance program or if there were frequent breach of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny from the compliance perspective. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors level, this could present issues. From the CCO perspective, if the position did not have Board access, CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations; it could present clear red flags for further investigation.

Three Key Takeaways

  1. The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.
  2. Periodically review your M&A due diligence protocol.
  3. If red flags appear in pre-acquisition due diligence, they should be cleared.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 26, 2018

One of the new areas articulated in the Evaluation of Corporate Compliance Programs was around payments and payroll. For the both the compliance professional and the corporate payroll function, there is a significant role for a corporate payroll function in the operationalization of a corporate compliance program.

It is found in Prong 4, “Operational Integration”, which is the section that includes who is responsible for integrating your policies and procedures throughout your organization, what internal controls are in place and specific inquiries into the role of the company payment system in any Foreign Corrupt Practices Act (FCPA) violation and how oversight is dedicated in your organization. The questions posed are, “Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?” This is immediately followed by an equally important set of questions, “Approval/Certification Process – How have those with approval authority or certification responsibilities in the processes relevant to the misconduct known what to look for, and when and how to escalate concerns? What steps have been taken to remedy any failures identified in this process?” Finally, the questions around payment systems are proceeded by the following, “Controls – What controls failed or were absent that would have detected or prevented the misconduct? Are they there now?” 

Taken together, these three groups of questions may not seem particularly new, innovative or even something different from what payroll currently does for an organization. However, the Evaluation, with its emphasis on the operationalization of a corporate compliance program, clearly demonstrates the role of payroll in compliance. The Evaluation requires that payroll not only form a part of any best practices compliance program but when it comes to the specific subject matter expertise (SME), payroll is on the front lines of any attempts to prevent, detect and then remediate anti-corruption compliance violations.

This means that not only can payroll be one of the compliance function’s strongest corporate allies, the role of payroll, by its nature, works to operationalize compliance. This is because to implement the appropriate internal controls around compliance, payroll must know the specific requirements of the FCPA, know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an understanding of the appropriate compliance internal controls to implement around payroll and payments.

This is most particularly true around offshore payments, which are generally defined as payments made to a location other than the home domicile of the party or the location where the services where delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people who are in payroll on this issue, they may well pick up the phone, and notify compliance when they see a request for payment in a geographic location separate and apart from one of the two standard payment venues. Those are the types of communications, when properly documented, that demonstrate your compliance program is operationalized into the fabric of the organization.

The role of global payroll in FCPA compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes in violation of the FCPA must come from somewhere. Unfortunately, one of those places is out of payroll. All Chief Compliance Officers need to sit down with his or her head of payroll, have them explain the role of payroll, then review the internal controls in place to see how they facilitate the goals of compliance. From that review, you can then determine how to use payroll to help to operationalize your compliance program.

The Department of Justice has now provided its clearest statement on how it expects a company to actually do compliance going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from FCPA violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process, which should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well suited corporate discipline to provide this first level of oversight and controls. 

Three Key Takeaways

  1. Payroll can be a key prevent and detect control.
  2. The Evaluation specified the tying of the corporate compliance function to the corporate payroll function?
  3. Offshore payments remain a key indicium for a red flag.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 25, 2018

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance (Guidance), under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program (Hallmarks), the focus was articulated by the title Oversight, Autonomy, and Resources. When it came to the corporate compliance function the Guidance simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the Department of Justice’s (DOJ’s) Evaluation of Corporate Compliance Programs (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). The Evaluation made the following query about the CCO position: 

  1. Autonomy and Resources 

Compliance Role – Was compliance involved in training and decisions relevant to the misconduct? Did the compliance or relevant control functions (e.g., Legal, Finance, or Audit) ever raise a concern in the area where the misconduct occurred?  

Empowerment – Have there been specific instances where compliance raised concerns or objections in the area in which the wrongdoing occurred? How has the company responded to such compliance concerns? Have there been specific transactions or deals that were stopped, modified, or more closely examined as a result of compliance concerns?  

Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?  

The Evaluation added one new set of queries based upon the evolution of corporate compliance programs since 2012. 

Outsourced Compliance Functions – Has the company outsourced all or parts of its compliance functions to an external firm or consultant? What has been the rationale for doing so? Who has been involved in the decision to outsource? How has that process been managed (including who oversaw and/or liaised with the external firm/consultant)? What access level does the external firm or consultant have to company information? How has the effectiveness of the outsourced process been assessed? 

In the Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program:

  1. The resources the company has dedicated to compliance;
  2. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  3. The authority and independence of the compliance function and the availability of compliance expertise to the board;
  4. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
  5. The reporting structure of any compliance personnel employed or contracted by the company.

Funding and Resources

You will now have to justify your corporate compliance spend. This means at a minimum you will have to meet some general industry standard. If a corporation tries to low-ball both the pay to compliance professionals and the dollar and head count made available to a compliance function, it will not be viewed positively. Also noted in the Evaluation, a company must be prepared to defend any request for compliance resources which are turned down. Now such blanket management will be penalized.

Role of Compliance and Empowerment

More than simply throwing money at the compliance function (as if that would ever happen) the DOJ is now inquiring into how the compliance and its recommendations are treated. If there is business unit over-ride of compliance decisions, there must be an auditable decision trail. This, of course, is anathema to corporate executives who do not want to put themselves at risk.

Outsourcing of Compliance

This area of compliance practice has arisen largely since the articulation of the Hallmarks in the Guidance. While this might make sense from a cost perspective, it can be largely problematic if it is not managed properly. Rarely do outsiders have the same access as corporate employees, particularly a function as important as compliance. Here a company must not only have a rationale in place, which will largely be cost-savings; a company must also have a mechanism in place to assess, on an ongoing basis, any outsourced compliance function. This will be beyond the reach of probably 99% of the companies engaged in such outsourcing.

The Evaluation and Policy both demonstrate the continued evolution in the thinking of the DOJ around the compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically and the compliance profession more generally. The more the DOJ talks about the independence of, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance position in their organizations.

Three Key Takeaways

  1. How is compliance treated in the budget process?
  2. Has your compliance function had any decisions over-ridden by senior management?
  3. Beware outsourcing of compliance as any such contractor must have access to company documents and personnel.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 23, 2018

One of the critical elements found in the Evaluation of Corporate Compliance Programs (Evaluation) is the need to use the information you obtain, whether through risk assessment, root cause analysis, investigation, hotline report or any other manner to remediate the situation which allowed it to arise. In an interview with Matt Kelly on the Radical Compliance podcast, former Department of Justice (DOJ) Compliance Counsel Hui Chen has said about the Evaluation, “We wanted people to see that we put a lot of emphasis on evidence and data. Don’t just tell us that you have a hotline. Show us how you know it’s working and how you’re using the information that you gain from these hotlines. When you say you have a great compliance portal, don’t just show us screenshots of it. Show us the hit rates and how you use that data to help you refine how you communicate with your audience.”

The same was true for the requirement of strong leadership by senior management and tone from the top. Chen related, “If you tell us you have a strong, talented top, show us what concrete actions your leaders have taken personally to demonstrate that. It’s not just some words that they say” but show the evidence. (Here please note the three most important things in compliance still matter: Document, Document, and Document).

Chen emphasized the Evaluation is not simply to be used or even considered as a checklist. It is designed to have Chief Compliance Officers (CCOs) and compliance professionals think about their compliance programs by asking questions. She explained, “Questions invite people to think. I like to call them evaluation questions. My goal is really to get people to really think about what they’re doing, what is the goal they’re trying to accomplish, how are they going to measure the results, how do they know it’s working. I’m a big fan of asking questions. The result of that, I’m hoping is that people really get to think about what they’re doing and why they’re doing it and how do they know that they’re successful at it.”

The Evaluation stated, under Prong 9 Continuous Improvement, Periodic Testing and Review, the following:

Evolving UpdatesHow often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? 

One of the questions for the compliance practitioner is how to put into practice these requirements laid out in the Evaluation and expounded on by Chen in her remarks about it. It was detailed in a chapter in an eBook, entitled “Planning for Big Data - A CIO’s Handbook to the Changing Data Landscape, by the O’Reilly Radar Team. The chapter was authored by Alistair Croll, entitled “The Feedback Economy. Croll believes that big data will allow innovation through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using it to make your business more agile, efficient and profitable is the greatest advantage.

Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the CCO, this means that if your company can collect and analyze information better, you can act on that information faster.

Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in the data; “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.

The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud.

A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.”

Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.”

Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” However, for many business leaders, displaying the data is most difficult because it is not generally in a readable form. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments.

Of course, having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment evaluations around hiring and firing decisions, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. It advocates “fast, iterative learning.” Big data allows you to make a quicker assessment of the impact of measured risks.

Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”.

Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you, should facilitate a more agile and directed business. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does.

The bottom line for every CCO is that your compliance is dynamic not static. You must continually review, refine and update your compliance program based upon new information made available to you. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does. 

Three Key Takeaways

  1. Innovation can come through a new way to think about and use data going forward.
  2. The OODA loop stands for observe, orient, decide and act.
  3. Always remember with machine learning and analysis, there is no substitute for human eyes and ears.

 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 22, 2018

In the Evaluation, Under Prong 9 Continuous Improvement, Periodic Testing and Review, it stated “Control TestingHas the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? 

Fortunately, the COSO 2013 Internal Controls Framework considered assessing compliance internal controls. In its Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured post. First, each of the five components are present and functioning. Second, are the five components “operating together in an integrated approach”. One of the most critical components of the COSO Framework is that it sets internal control standards against those which you can audit to assess the strength of your compliance internal controls. 

As the COSO 2013 Framework was designed to apply to a wider variety of corporate entities, your audit should be designed to test your compliance internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of compliance internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies that you may turn up and whether or not there are any compensating compliance internal controls. (3) Assess whether each principle of your compliance internal controls is present and functioning. The task here is determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis.

Another way to think through the approach is through a component evaluation which rolls up the results of the component’s principle evaluations and allows a re-evaluation of the severity of any deficiency in your compensating controls. Lastly, an overall Effectiveness Assessment that would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went onto define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For objective criteria such as written policies in categories as laid out in the FCPA 2012 Guidance, (the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments), if you do not have such controls; it would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.” Fortunately such a standard is easily met. 

However, if there are no objective criteria, as laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, Document feature is critical in any best practices anti-corruption or anti-bribery compliance program. With the Illustrative Guide COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the SEC comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions.

Three Key Takeaways

  1. An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 22, 2018

Today I visit with James Shields, the Creative Director for Twist and Shout Communications, a UK company which creates training video using comedy as the touchstone. You can check out a selection of the company’s offerings on its sight, Tuesday’s with Bernie. I visit with Shields about the creative process his company uses, how comedy can translate across a wide variety of cultures and language to be an effective training tool. The company has found that comedy generates a visceral reaction, a reaction based on feeling rather than intellect. Because of this reaction, employees are more interested and more engaged in compliance training; all of which makes it more effective. 

The company believes that both culture and behavioral change is an emotional process, not just ‘training’, and internal communication done properly can change a culture. Whether the subject is as dull as anti-corruption compliance or as fundamental as transformational change in the business, comedy will make employees sit up and take notice. They believe that by focusing on humor, the training will help break down both the individual training against compliance training as well as work to strengthen the overall corporate culture.

But more than simply stand-alone videos, the company seeing compliance training as a process. From the creative side the process includes an integrated story line which will engage employees, third parties and other relevant stakeholders. Shields also believes that putting comedy into context is important – the audience needs to relate to what they are seeing on screen so the environment and characters should feel familiar. That is when the message feels authentic and resonates much more strongly.

Finally Shields and the company have put together an entire training campaign structure. Why don’t you think about your training like you would a movie or other marketing campaign. They lay it out in White Paper entitled, “Engaging the YouTube Generation which you should definitely check out.

Jan 21, 2018

Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs which listed three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each was category further refined with multiple attendant questions.

Internal AuditWhat types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?

Control TestingHas the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? 

Evolving UpdatesHow often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? 

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. 

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complimentary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 20, 2018

There is nothing like an internal whistleblower report about a FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check.

The DOJ Evaluation of Corporate Compliance Programs focuses on this question in Prong 7 with the following: Response to InvestigationsWhat has been the process for responding to investigative findings? You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. Russ Berland, the Chief Compliance Officer at Dematic Inc., has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

You need to explain the costs to the Board and senior management. The bottom line is that your return on investment here is going to be very high if you put the resources into remediation and it do this well. This is easier with the information that was provided in the 2017 FCPA Corporate Enforcement Policy as it demonstrated how much discount a company can receive below the minimum range of the US Sentencing Guidelines for remediation.

Dan Chapman, former CCO at Parker Drilling and Cameron International, also believes that costs must be adequately discussed to set proper expectations. These include both direct and, even more importantly, indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management, because “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.”

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had clear policy.” The same types of arguments come into play in areas generally considered the purview of Human Resources (HR), i.e. recruiting and retention.

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because, “you’re just going off suppositions and guesses.”

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed.

Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the 2017 FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated, or, as Berland notes, “When you’ve got the energy, use it.”

Three Key Takeaways

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. How do you deal with the dreaded ‘where else’ question?

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 19, 2018

Focusing on investigations under Prong 7 in the Evaluation it stated, Properly Scoped Investigation by Qualified PersonnelHow has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? Moreover, with the advent of the SEC Whistleblower Program, courtesy of Dodd-Frank, it is imperative that a company quickly and efficiently investigate all hotline reports. This means you need an investigation protocol in place so that the entire compliance function is on the same page and knows what to do.

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hot-line, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the Compliance Department to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, the SEC considers a variety of factors around giving credit to corporate investigations including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

In a presentation by Jay Martin, Vice President, Chief Compliance Officer (CCO) and the Senior Deputy Counsel for Baker Hughes Incorporated and Jacki Trevino, Senior Consultant, Advisory Services at SAI Global entitled, “FCPA Compliance Best Practices: Success Stories of Robust and Effective Anti-Corruption Compliance Programs in High Risk Markets” they discussed the specifics of an investigation protocol.

Step 1: Opening and Categorizing the Case. This first step, to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. Step 1 should be accomplished in one to three days after the allegation comes into compliance.

Step 2: Planning the Investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, this should also be planned out at this time. Step 2 should be accomplished with another one to three days.

Step 3: Executing the Investigation Plan. Under this step, the investigation should be completed. Step 3 should be accomplished in one to two weeks.

Step 4: Determining Appropriate Follow-Up. At this step, the preliminary investigation should be completed and you are ready to move into the final phases. This group would decide on the appropriate disciplinary steps or other actions to take. Step 4 should be completed in one day to one week.

Step 5: Closing the Case. Under this final step, communicate the investigation results to the stakeholders and complete the case report.   

Three Key Takeaways

  1. A written protocol, created before an investigation is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 18, 2018

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward.

Internal Reporting

The 2012 FCPA Guidance had as clear, concise and short a statement about hotlines as any other requirement found in Ten Hallmarks of an Effective Compliance Program. It stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”

The Evaluation reinforced this language with the following found under Prong 7, Confidential Reporting and Investigation, Effectiveness of the Reporting MechanismHow has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information? 

But more than simply hotlines, companies have to make real efforts to listen to employees. But you must spend time working on this issue. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.

What are some of the best practices for a hotline? I would suggest that you start with at least the following:

  1. Availability-your reporting mechanism can be easily accessed by your entire employee base. This may require more than one tool, such as telephone report, internet reporting and other mechanisms.
  2. Anonymity-there must be a manner to make reports anonymously if the reporter so desires.
  3. Escalation-you must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.
  4. Follow-Up­-there must be a sufficient follow up protocol to make sure any reported events is receiving the warranted attention. There should also be a way to deep the incident reporter informed as to the progress of the matter within your investigative protocol.  
  5. Oversight-there should levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.

In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

Triaging Claims

Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. One of the things that this is important in making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make the decision going forward. You can do this through a robust triage process.

Jonathan Marks, a partner at Marcum LLP has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, what will be the types of evidence you will need to consider going forward. Finally, before selecting a triage solution you should understand what tools are available, including both forensic and human, to complete the investigation.

Three Key Takeaways

  1. The DOJ and SEC put special emphasis on internal reporting lines.
  2. Test your hotline on a regular basis to make sure it is working.
  3. Have an investigation protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.

Having both a robust internal reporting system and triage of such reports is critical in a best practices compliance program. 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Internal Reporting

The 2012 FCPA Guidance had as clear, concise and short a statement about hotlines as any other requirement found in Ten Hallmarks of an Effective Compliance Program. It stated, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.”

The Evaluation reinforced this language with the following found under Prong 7, Confidential Reporting and Investigation, Effectiveness of the Reporting MechanismHow has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information? 

But more than simply hotlines, companies have to make real efforts to listen to employees. But you must spend time working on this issue. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.

What are some of the best practices for a hotline? I would suggest that you start with at least the following:

  1. Availability-your reporting mechanism can be easily accessed by your entire employee base. This may require more than one tool, such as telephone report, internet reporting and other mechanisms.
  2. Anonymity-there must be a manner to make reports anonymously if the reporter so desires.
  3. Escalation-you must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.
  4. Follow-Up­-there must be a sufficient follow up protocol to make sure any reported events is receiving the warranted attention. There should also be a way to deep the incident reporter informed as to the progress of the matter within your investigative protocol.  
  5. Oversight-there should levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.

In this area is that of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the process will be fair.

Triaging Claims

Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. One of the things that this is important in making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make the decision going forward. You can do this through a robust triage process.

Jonathan Marks, a partner at Marcum LLP has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, what will be the types of evidence you will need to consider going forward. Finally, before selecting a triage solution you should understand what tools are available, including both forensic and human, to complete the investigation.

Three Key Takeaways

  1. The DOJ and SEC put special emphasis on internal reporting lines.
  2. Test your hotline on a regular basis to make sure it is working.
  3. Have an investigation protocol in place before the call comes in so you will be ready to go and not required to scramble to create a protocol.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 17, 2018

In this episode Matt Kelly and I take a deep dive into a fascinating paper from Harvard Business School. Boris Groysberg and George Serafeim, worked with a global recruitment firm to study more than 2,000 executive-level job placements from 2004 to 2011, examining a wide range of job placements and pay data since 2004. They found that the stigma of listing a discredited company on your resume, even if you had nothing to do with the misconduct there, leads recruiters at your next employer to pay you less.

Some of the numbers Groysberg and Serafeim calculated:

  • Overall, executives with a restatement in their past received a salary 4.6 percent lower than those without one;
  • Executives with a restatement in their recent past saw an even larger discount: 5.6 percent; and the professors defined “recently” as within the last nine years;
  • Executives specifically in the finance function saw a 9.9 percent discount compared to others without a tainted work history.

We consider the long-term salary effects by reference to tables put together my Matt which show how such an initial reduction would impact your overall compensation on a 15 year basis.

It’s not news that listing tainted employer on your LinkedIn profile can harm your career. This study, however, is one of the first that tries to quantify exactly how much that “stigma effect” can harm your salary career on a go-forward and long-term basis. It is yet another way to convince senior executives and other colleagues that a strong compliance program matters: misconduct at the company can trim the salary offer those people might get at their next job — by 4.6 percent or more, apparently. executive’s career in dollar terms.

For more on the topic see Matt Kelly’s blog post The Salary Penalty for Misconduct

For more reading, see the article by Sarafeim and Groyberg, Does Financial Misconduct Affect the Future Compensation of Alumni Managers?

Jan 17, 2018

The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in Evaluation that companies need to consider.

In an issue of Supply Chain Management Review in an article by Mark Trowbridge, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, provided useful insights into the management of the third party relationship. While the focus of the article was having a strategic approach to contracts management, the author’s “five ways to start professionalizing your approach to outsourcing contracts” provide an excellent manner to consider steps in the management of third party relationships. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties.

Consolidate Third Parties but Retain Redundancy-It is incumbent that consolidation in your third-party relationships to a smaller number to “yield better cost leverage.” From the compliance perspective, it also should make the entire third-party lifecycle easier to manage, particularly steps 1-4.

Keep Tabs on Subcontracted Work- If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third-party relationship has your approved compliance terms and conditions in their contracts with their subcontractors.

Make Sure Your Company is Legally Protected-This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract.

Keep Track of Your Third Parties’ Financial Stability-This is one area that is not usually discussed in the compliance arena around third parties but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third-party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward red flag that is raised in such circumstances.

Formalize Incentives for Third Party Performance-One of the key elements for any third-party contract is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance.

Auditing Third Parties-Auditing of third parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. This is a key manner in which a company can manage the third-party relationship after the contract is signed and one which the government will expect you to engage in going forward.

Managing your third-parties is where the rubber meets the road in your overall third-party risk manage program. You must execute on this task. Even if you successfully navigate the first four step in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.

Three Key Takeaways

  1. Have a strategic approach to third party risk management.
  2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
  3. Managing the relationship is where the real work begins.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 16, 2018

As every compliance practitioner is well aware, third parties still present the highest risk under the Foreign Corrupt Practices Act (FCPA). The Department of Justice Evaluation of Corporate Compliance Programs devotes an entire prong to third party management. It begins with the following:

Risk-Based and Integrated ProcessesHow has the company’s third-party management process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes? 

Appropriate ControlsWhat was the business rationale for the use of the third parties in question? What mechanisms have existed to ensure that the contract terms specifically described the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?  

This first set of queries clearly specifies the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance process must have a process for the full life cycle of third party risk management. There are five steps in the life cycle of third party risk management, which will fulfill the DOJ requirements laid out in the 10 Hallmarks of an Effective Compliance Program and the Evaluation. 

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing. 

Step 1 - Business Justification

The first step breaks down into two parts: 

  1. Business Sponsor
  2. Business Justification 

The purpose of the Business Justification is to document the satisfactoriness of the business case to retain a third party. The Business Justification should be included in the compliance review file assembled on every third party at the time of initial certification and again if the third-party relationship is renewed. It is mandatory this document be filled out and completed by the Business Sponsor, who will be the primary contract with the third-party for the life of the business relationship. 

Step 2 - Questionnaire

The term ‘questionnaire’ is mentioned several times in the 2012 FCPA Guidance. It is generally recognized as one of the tools that a company should complete in its investigation to better understand with whom it is doing business. I believe that this requirement is not only a key step but also a mandatory step for any third party that desires to do work with your company. I tell clients that if a third party does not want to fill out the questionnaire or will not fill it out completely that you should not walk but run away from doing business with such a party. 

One thing that you should keep in mind is that you will likely have pushback from your business team in making many of the inquiries listed above. However, my experience is that most proposed agents that have done business with US or UK companies have already gone through this process. Indeed, they understand that by providing this information on a timely basis, they can set themselves apart as more attractive to US businesses. 

Step 3 - Due Diligence

Most compliance practitioners understand the need for a robust due diligence program to investigation third parties, but have struggled with how to create an inventory to define the basis of risk of each foreign business partner and thereby perform the requisite due diligence. Getting your arms around due diligence can sometimes seem bewildering for the compliance practitioner. 

The purpose is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company from engaging in bribery and corruption on their behalf. Due diligence acts as both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. Further both operate as compliance internal controls. 

After you have completed Steps 1-3; then evaluated and documented your evaluation, you are ready to move onto to Step 4 - the contract. In the area of compliance terms and conditions, the FCPA Guidance intones “Additional considerations include payment terms and how those payment terms compare to typical terms in that industry and country, as well as the timing of the third party’s introduction to the business.” This means that you need to understand what the rate of commission is and whether it is reasonable for the services delivered. If the rate is too high, this could be indicia of corruption as high commission rates can create a pool of money to be used to pay bribes. If your company uses a distributor model in its sales side, then it needs to review the discount rates it provides to its distributors to ascertain that the discount rate it warranted. 

Step 4 - The Contract

You must evaluate the information and show that you have used it in your process. If it is incomplete, it must be completed. If there are Red Flags, which have appeared, these red flags must be cleared or you must demonstrate how you will manage the risks identified. In others words you must Document, Document and Document that you have read, synthesized and evaluated the information garnered in Steps 1-3. As the DOJ and SEC continually remind us, a compliance program must be a living, evolving system and not simply a ‘Check-the-Box’ exercise. 

Step 5 - Management of the Relationship

The Evaluation specified the importance of this final step when it stated: Management of RelationshipsHow has the company considered and analyzed the third party’s incentive model against compliance risks? How has the company monitored the third parties in question? How has the company trained the relationship managers about what the compliance risks are and how to manage them? How has the company incentivized compliance and ethical behavior by third parties

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5– the Management of the Relationship. While the work done in Steps 1-4 are absolutely critical, if you do not manage the relationship it can all go downhill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. The Evaluation clearly is focused on several key components that you need to evaluate and then re-evaluate during the pendency of the relationship. Incentivizing through compensation issues, training and ongoing monitoring through oversight and auditing are all key tools that the DOJ expects you to use going forward after the contract is signed. The bottom line is that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward. 

Final Thoughts 

I continually give my mantra of compliance, which is Document, Document, and Document. Each of the steps you take in the management of your third parties must be documented. Not only must they be documented but they must be stored and managed in a manner that you can retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program. As you sit at your desk pondering whether this assignment given to you by the CCO is a career-ending dead-end; you should take heart because there is clear and substantive guidance out there which you can draw upon. 

Three Key Takeaways 

  1. Use the full 5-step process for 3rd party management.
  2. Make sure you have BD involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives. 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 15, 2018

After you complete your risk assessment, you must then translate it into a risk profile, as Rick Messick has noted, to estimate where bribery is likely occur, so prevention efforts will be properly targeted. Ben Locwin explained, in “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.” This makes the evaluation of your risk assessment a key element in your compliance regime.

William C. Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, posited that companies assume that Foreign Corrupt Practices Act (FCPA) violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However, Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Athanas concludes by noting that is this limited group of employees, or what he terms the “shaft of the hockey-stick”, to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts such as “intensive training sessions or focused analysis of key financial transactions -- on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”

David Lawler, in Frequently Asked Questions in Anti-Bribery and Corruption”, suggested that you combine the scores or analysis you obtained from the corruption markers you review; whether it is the Department of Justice (DOJ) list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery. This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority 70-80% into the moderate-risk category; and the final 10-15% would be high risk.”

In an article entitled “Improving Risk Assessments and Audit Operations” author Tammy Whitehouse focused on how one company, Timken Co., created a risk matrix to evaluate risks determined by the company’s risk assessment. At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used to continuously monitoring risk going forward. However, you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the approach set forth by the DOJ from the 2012 FCPA Guidance, through the Evaluation of Corporate Compliance Programs (Evaluation), up to the FCPA Corporate Enforcement Policy (Policy). I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

Three Key Takeaways 

  1. Even after you complete your risk assessment, you must evaluate those risks for your company.
  2. The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk.
  3. Create a risk matrix and force rank your risks.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

Jan 15, 2018

In this podcast, I visit Jonathan Marks, a partner at Marcum LLP on how to perform a root cause analysis and it uses in the remediation phase of a best practices compliance program. One new and different item was laid out in the Evaluation of Corporate Compliance Program, supplementing the Ten Hallmarks of an Effective Compliance Program from the 2012 FCPA Guidance. This was the performance of a root cause analysis for any compliance violation which may led to a self-disclosure or enforcement action. 

Jonathan Marks, notes a root cause analysis “is a research based approach to identifying the bottom line reason of a problem or an issue; with the root cause not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.”

We also consider how to use a risk assessment because under the Evaluation, the critical element is how did you use the information you developed in the root cause analysis. Literally every time when you see a problem as a compliance officer, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

We tie these requirement from the Evaluation of Corporate Compliance Programs together. You must not only perform the root cause analysis but use the information you obtain to inform your compliance program going forward. As much care as you put into performing your root cause analysis should be put into using the findings for remediation.

Jan 14, 2018

One cannot really say enough about risk assessments in the context of an anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessment which measure the likelihood and severity of possible FCPA violations the manner in which you should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”

This language was supplemented in the 2017 in both the Evaluation and the new FCPA Corporate Enforcement Policy. Under Prong 4 of the Evaluation, Risk Assessments, the following issues were raised: Risk Management ProcessWhat methodology has the company used to identify, analyze, and address the particular risks it faced? Manifested RisksHow has the company’s risk assessment process accounted for manifested risks? In the FCPA Corporate Enforcement Policy it stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment”.

The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.

Rick Messick laid out the four steps of a risk assessment as follows: “First, all conceivable forms of corruption to which the organization, the activity, the sector, or the project might be exposed is catalogued.  Second, an estimate of how likely it is that each of the possible forms of corruption will occur is prepared and third an estimate of the harm that will result if each occurs is developed.  The fourth step combines the chances of occurrence with the probability of its impact to produce a list of risks by priority.”

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent, Maxwell Technologies and Tyson Foods all had common areas that the DOJ indicated were compliance risk areas which should be evaluated for a minimum best practices  compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements listed the seven following areas of risk to be assessed, which are still relevant today.

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the 2012 FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.

One of the questions that I hear most often is how does one actually perform a risk assessment. Mike Volkov has suggested a couple of different approaches in his article, “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high-risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption would might well be attributed to your company.

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

Three Key Takeaways 

  1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.
  2. The DOJ will now consider both your risk assessment methodology for identifying risks and gathered evidence.
  3. You should base your compliance program on your risk assessment.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 13, 2018

In the Department of Justice’s Evaluation of Corporate Compliance Programs, Prong 8 Incentive and Disciplinary Measures it states: Incentive System Consistent Application – Have the disciplinary actions and incentives been fairly and consistently applied across the organization? In the FCPA Corporate Enforcement Policy it states, “Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred”.

Under Hallmark Six of the Ten Hallmarks of an Effective Compliance Program it states:

In addition to evaluating the design and implementation of a compliance program throughout an organization, enforcement of that program is fundamental to its effectiveness. A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.

However, I believe that the 2012 FCPA Guidance’s best practices are more active than the ‘stick’ of employee discipline to make a compliance program effective and I believe that it also requires a ‘carrot’. This requirement is codified in the US Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

One of the areas which Human Resources can operationalize your compliance program is to ensure that discipline is handed out fairly across an organization and to those employees who integrate such ethical and compliant behavior into their individual work practices going forward. This is more than financial incentives for ethical behavior but institutional objectivity for your employees.

Institutional objectivity comes from procedural fairness. This is one of the things that will bring credibility to your compliance program. Today it is called the Fair Process Doctrine and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by, processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist or for your Compliance Department, to have credibility with the rest of the workforce. Finally, it is yet another way to more fully operationalize your compliance program.

Administration of Discipline

One area where the Fair Process Doctrine is paramount is in the administration of discipline after any compliance related incident. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy. Simply put if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or worse yet a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Similarly and as was re-emphasized in the FCPA Corporate Enforcement Policy, there must be real consequences to employee who violate your compliance program. If the regulators come knocking and you have not disciplined any company employees for Code of Conduct or compliance program violations in multiple years, the DOJ and SEC will conclude pretty quickly you are not serious about compliance. Fair process means that you must discipline those who engage in compliance violations no matter what their position is with the organization.

Employee Promotions

In addition to the area of discipline which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and only reward employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates, and rewards, employees upon. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines “If I violated the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.

Internal Investigations

The third area the Fair Process Doctrine is critical in, is around internal company investigations. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the investigation process will be fair.

This fairness has several components. One would be the use of outside counsel, rather than in-house counsel to handle the investigation. Moreover, if company uses a regular firm, it may be that other outside counsel should be brought in, particularly if regular outside counsel has created or implemented key components which are being investigated. Further, if the company’s regular outside counsel has a large amount of business with the company, then that law firm may have a very vested interest in maintaining the status quo. Lastly, the investigation may require a level of specialization which in-house or regular outside counsel does not possess.

An often-overlooked role of any CCO or compliance professional is to help provide employees procedural fairness. If your compliance function is seen to be fair in the way it treats employees, in areas as varied as financial incentives, to promotions, to uniform discipline meted out across the globe; employees are more likely to inform the compliance department when something goes array. If employees believe they will be treated fairly, it will go a long way to more fully operationalizing your compliance program.

Three Key Takeaways

  1. The DOJ and SEC have long called for consistent application in both incentives and discipline.
  2. The Fair Process Doctrine ensures employees will accept results they may not like.
  3. Inconsistent application of discipline will destroy your compliance program credibility.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 12, 2018

One of the areas that many companies have not paid as much attention to in their compliance programs is compensation. However, the DOJ and SEC have long made clear that they view monetary structure for compensation, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, the then SEC Director of Enforcement, Stephen M. Cutler, said “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.” The 2012 FCPA Guidance stated the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance pro­gram, and rewards for ethics and compliance leadership.”

This same concept around compensation and incentives was brought forward in the Evaluation under Prong 8, Incentives and Disciplinary Measures, where it stated, “Incentive SystemHow has the company incentivized compliance and ethical behavior? How has the company considered the potential negative compliance implications of its incentives and rewards? Have there been specific examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

A Harvard Business Review (HBR) article, entitled “The Right Way to Use Compensation, discussed a company’s design and redesign of its employee’s compensation system to help drive certain behaviors. The piece’s subtitle indicated how the company fared in this technique as it read, “To shift strategy, change how you pay your team.” The article lays out a framework for the Chief Compliance Officer or compliance practitioner to operationalize compensation as a mechanism in a best practices compliance program.

As your compliance program matures and your strategy shifts, “it’s critical that the employees who bring in the revenue-the sales force-understand and behave in ways that support the new strategy. The sales compensation system can help ventures achieve that compliance.” The prescription for you as the compliance practitioner is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance programs matures; from installing the building blocks of compliance to burning anti-corruption compliance into the DNA of your company.

There are three key questions you should ask yourself in modifying your compensation structure. First, is the change simple? Second, is the changed aligned with your company values? Third, is the effective on behavior immediate due to the change?

Simplicity

Keep the compensation plan simple and even employee KISS, keep it simple sir, when designing your program. If you do not do so, your employees might fall back on old behaviors that worked in the past. Roberge notes, “It should be extraordinarily clear which outcomes you are rewarding.” The simplest way to incentive employees is to create metrics that they readily understand and are achievable in the context of the compliance program. This can start with attending Code of Conduct and compliance program training. Next might be a test to determine how much of that training was retained. It could be follow up, online training. It could mean instances of being a compliance champion in certain areas, whether with your employee base or third-party sales force.

Alignment

As the CCO or compliance practitioner, you need to posit the most important compliance goal your entity needs to achieve. From there you should determine how your compensation program can be aligned with that goal. The beauty of this alignment is that it works with your sales force throughout the entire sales cycle. If your sales channel is employee based then their direct compensation can be used for alignment. However, such alignment also works with a third-party sales force such as agents, representatives, channel ops partners and even distributors. You can even introduce clawbacks, which would come into play at some point in the future for who might violate your compliance program.

Immediacy

Finally, under immediacy, it is important that such structures be put in place “immediately” but in a way that incentives employees. As a part of immediacy, there must be sufficient communication with your employee. In the world of employee compensation incentives, there should be transparency as to the expectations.

A panel at Compliance Week 2016, entitled “The Unsolvable Problem: Performance, Pay, Pressure and Misconduct”, focused on variable compensation. The panel had some interesting thoughts around compensation, including the amount of your variable compensation relative to risk; What does your discretionary bonus program consist of? Is it corporate performance based? Group performance based? Only personal, i.e. eat what you kill? Or is it some combination of all of the above?

The panel provided three examples of which might lead to compliance failures. (1) Lofty goals but no direction for employees on how to get there; (2) A paucity of communication between management and line employees, meaning there was raw fear from employees to inform their immediate supervisor of bad news. Conversely, it could be the supervisors who do not want to hear such bad news; and (3) If your company has singular focus on numbers, meaning that is the single judge of your worth as an employee. Answering some of these questions if they arise can help you to understand the design of incentive plans and allow monitoring of incentive plans to identify underlying links that may arise through compliance violations. 

Obviously, the power of a compensation plan to motivate salespeople not only to sell more but to act in ways that support your company’s business model and overall culture and values. For the compliance practitioner one of the biggest reasons is to first change a company’s culture to make compliance more important but to then burn it into the fabric of your organization. But you must be able to evolve in your thinking and professionalism as a compliance practitioner to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process. 

Three Key Takeaways

  1. The DOJ and SEC have long advocated compensation as a way to motivate employees into ethical and compliant behaviors.
  2. Keep the compliance aspects of your compensation structure simple and easy for your employees to understand.
  3. Have full transparency in the framework of your compensation structure.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 11, 2018

The communication of your anti-corruption compliance program, both through training and message, is something that must be done on a regular basis to ensure its effectiveness. The FCPA Guidance explains, “Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.”

One of the key goals of any Foreign Corrupt Practices Act (FCPA) compliance program is to train employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. Beginning in the fall of 2016 through the announcement of the FCPA enforcement Pilot Program, the DOJ began to talk about whether you have determined the effectiveness of your training. This continued with the 2017 Evaluation of Corporate Compliance Programs where they asked, “How has the company measured the effectiveness of the training?” This point has bedeviled many compliance professionals yet is now a key metric for the government in evaluating compliance training.

Also raised in the Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. The Evaluation, In Prong 6, Training and Communication, asked, in part: Risk-Based TrainingWhat training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects? 

This adds two requirements. The first is that you must assess your employees for risk to determine the type of training you might need to deliver. This means that you should risk rank your employees. Obviously, the sales force would be the highest risk but there may be others which are deserving of high risk training as well. From your risk ranking, you need to then develop training tailored for the risks those employees will face.

The key going forward is that you have thoughtfully created your compliance training program. Not only in the design but who receives it, all coupled with backend determination of effectiveness. Finally, all of this must be documented. In Prong 6, Training and Communication, of the Evaluation it read, in part: 

Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training?

Most companies have not considered this issue, the effectiveness of their compliance program. I would suggest that you start at the beginning of an evaluation and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and company Board members have attended compliance training. You should review the documentation of attendance and confirm this attendance. Make your department or group leaders accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program. 

Joel Smith, the founder of Inhouse Owl, a training services provider, considered an analysis of return on investment (ROI) for compliance training. He advocated performing an assessment to determine ethics and compliance training ROI to demonstrate that by putting money and resources into training, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (i.e. effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event such as a violation of the FCPA. I have adapted his concepts on ROI to focus on compliance training effectiveness.

Smith’s model uses four factors to help determine ROI for your ethics and compliance training, which are: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These same four factors can be used to determine compliance training effectiveness.

  1. Figure out what you want to measure. Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In compliance training, you want them to avoid non-ethical and non-compliant actions that would lead to potential violations. Your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures so you avoid liability related to actions.
  2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it’s not targeted, employees will likely not be committed to changing risky behavior. One way to obtain such data is through a post-training survey. This should give you insight into determining if employees thought the training was beneficial and effective in answering their questions and concerns.
  3. Did employees actually learn anything? A critical part of any employee training is the assessment. You must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training, the best way is to measure pre- and post-training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.
  4. Are employees applying your training? A survey should be used to determine employee application and their implementation of the training topics. To do so, you must conduct surveys to understand whether they ceased engaging in certain risky behaviors or better yet understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.

The beauty of using surveys is that it provides feedback on not simply the compliance training to determine effectiveness but a much wider variety of areas for your compliance program. These surveys can provide critical information on the state of your compliance program and provide substantive feedback for further inclusion back into your compliance program. Testing your program and using that information in a feedback loop is another key component of a best practices compliance program.

The importance of determining effectiveness of your compliance program is now enshrined by the DOJ in its Evaluation. The Evaluation demonstrates the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many Chief Compliance Officers and compliance professionals struggle to determine. Both the simple guidelines suggested and the more robust assessment and calculation provide you with a start to fulfill the Evaluation but you will eventually need to demonstrate the effectiveness of your compliance training going forward.

Three Key Takeaways

  1. You must demonstrate you have measured the effectiveness of your compliance training?
  2. The DOJ is clearly moving into requiring a demonstration of effectiveness of compliance training.
  3. You should be moving towards a model of demonstrating compliance training ROI to validate full operationalization of your compliance training. 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

1 « Previous 3 4 5 6 7 8 9 Next » 19