I believe one of the most significant innovations in compliance will come through the incorporation of blockchain into compliance. I see great value propositions for the compliance function. Mike Volkov has noted, “The key to blockchain is creating a secure environment among multiple actors in which the actors can record events and transactions in real time in shared ledgers. These ledgers are immutable, meaning they cannot be modified, and secure from potential hacking or modification. Blockchain users can receive real-time reports of activities without having to rely on post hoc reports. As a consequence, a specific user can flag potential red flags early, almost in real time, when events occur based on specific settings they establish for monitoring blockchain events.”
A more detailed exploration of the use of blockchain was presented in an article in the MIT Sloan Management Review, entitled “How Blockchain Will Change Organizations”, where authors Don Tapscott and Alex Tapscott speculate that the transformations which blockchain may facilitate in the corporate world could lead to some truly revolutionary modifications in key businesses processes.
How could blockchain have such a dramatic impact on compliance? First is the explanation of what blockchain might mean as a tool in business process. The authors explained that in a business transaction, you cannot email money as you can a document so a company must “use intermediaries to establish trust and maintain integrity. Banks, governments, and in some cases big technology companies have the ability to confirm identities so that we can transfer assets; the intermediaries settle transactions and keep records. For the most part, intermediaries do an adequate job, with some notable exceptions. One concern is that they use servers that are vulnerable to crashes, fraud, and hacks.”
The authors then go on to ask, “What would happen if there were an internet of value where parties to a transaction could store and exchange value without the need for traditional intermediaries?” The answer is that blockchain provides a transparent method to verify and approve transactions that is encrypted. Not only would this lower transaction costs and perhaps even barriers to doing business but also allow greater expansion of business into new geographic areas, through the use of previously external resources which were prohibitively expensive. Think of the possibilities in compliance for the supply chain and vertical integration.
There are several specific areas where the value from blockchain could enhance the operationalization of compliance into the fabric of a company. In Human Resources (HR) and Procurement “Blockchain will enable organizations requiring specialized talent and capabilities to obtain better information about potential contractors and partners than many traditional recruitment and procurement methods offer.” This means that with a potential third party business partner’s consent, a company will have access to a cache of information that is known to be correct because it has been uploaded, stored, and managed on a highly secure, distributable database. Such potential business partners would not be able to misrepresent their capabilities after such information has entered on the blockchain. The authors also note that “Tampering with data after the fact wouldn’t be possible: It would involve taking over the entire blockchain, a nearly impossible task.”
This is made even more powerful in the area of financial reporting. Typically, a search is “horizontal (across the web) and vertical (within particular websites). What you find can be out-of-date or inaccurate in other ways. On a blockchain, though, there’s a third dimension: sequence. In addition to being able to obtain a historical picture of the company since it was incorporated, you can see what has occurred in the last few minutes.” The authors correctly note, “The opportunity to search a company’s complete record of value will have profound implications for transparency as it brings to light off-book transactions and hidden accounts. People responsible for records and reports will be able to create filters that allow stakeholders to find what they are searching for at the press of a button. Companies will be able to create transaction ticker tapes and dashboards, some for internal use”. This would be extremely helpful in the difficult vetting of third parties around financial information.
In the sales realm, blockchain could be most helpful in understanding who you are doing business with and, more particularly, if the company is a state-owned enterprise. The same information you would consider about potential third parties sales agents would be available from customers. Obviously this would be critical in any Foreign Corrupt Practices Act (FCPA) analysis but it could also pay big results in anti-money laundering (AML) compliance. As the authors note, “sellers won’t have to incur the cost of establishing trust — thus they can facilitate transactions that would have been risky or might not have been possible otherwise.” Finally, there could be a data security plus as “blockchains will eliminate the cost of warehousing data and protecting other people’s data from security breaches.”
There are two specific areas where I see blockchain directly impacting the compliance profession. The first is with third parties. Volkov has stated, “a company could maintain immutable records of its due diligence process for a specific third party or a specific regulatory requirement. Due diligence delays would be eliminated by providing immediate and real-time and immediate access to the data, collection of information from potential third parties, and analysis of the information. A compliance officer could expedite the entire verification and validation process.”
The second area where blockchain provides a potential game changer is contracts, specifically around compliance terms and conditions. As the authors explain, “Blockchains facilitate contracting in both the short and long term. Through smart contracts — software that, in effect, mimics the logic of contracts with guaranteed execution, enforcement, and payments — companies will be able to automate the terms of agreement. This means that if a company develops contract programs to run on blockchain, it can incorporate the required compliance term and conditions and with blockchain, it can trigger alerts and ensure compliance This could be expanded to include compliance training, annual certification, or another ongoing obligation.
The authors conclude that blockchain could help alleviate some of the more egregious scandals seen, beginning back with Enron and up through Volkswagen (VW) and Wells Fargo. They believe that blockchain could help to “codify ethics and integrity into the circuitry of the enterprise, or reduce the moral hazard that too often sees management gambling with shareholder capital. Through smart contracts under blockchain, shareholders will be able to enforce the commitments executives make. Companies can specify relationships and state specific outcomes and goals so that everyone understands what the respective parties have signed up to do and whether those things are actually getting done.”
This final points sounds to me quite a bit like operationalizing compliance. It will be interesting to see when the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will begin to comment on blockchain as a part of a best practices compliance program.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
In this episode, Roy Snell and I have a wide ranging discussion on the SCCE's Compliance and Ethics Institute. Roy reviews its history and how it became the largest annual event for the compliance professional. He talks about some of the highlights over the years and hits on some of the highlights for the 2017 event.
You can find out more information on the event at the SCCE website, by clicking here.
In “Compliance and Continuous Improvement”, John Nocero discussed the concept of Kaizen or continuous improvement in compliance. He explained, “Loosely translated, Kaizen means change for the better. It has been utilized successfully by a variety of organizations in healthcare, psychotherapy, government and other industries to help develop long-term competitive strategies, improve operational practices and stay viable. When you think about it further, this principle has even more direct application to the compliance practitioner. In today’s environment in which we work, being a compliance practitioner is like setting yourself on fire at the beginning of the day and trying to put it out by day’s end. We fight fires. We want to be able to control the fire that is burning within ourselves – by learning how to handle the difficult conversation before it occurs, or anticipating how we will act when someone challenges our knowledge or authority.”
The company Graphic Products explains on their website, “Kaizen works by reducing waste (muda) and eliminating work processes that are overly difficult (muri). As a lean business practice, Kaizen succeeds when all employees look for areas to improve and provide suggestions based on their observations and experience. Generally, these suggestions are for small changes that incrementally change the business for the better.” They suggest a four-step approach, which they call “Plan-Do-Check-Act (PDCA).”
Under the Plan prong, you “define the problem and develop potential solutions.” Under the Do prong, you next move to “implementing the best solution.” During the Check prong you should “evaluate results to see if the solution worked.” Under the Act prong, you have one of two options: (A) If the solution you implemented succeeded, you work to standardize it and then implement it across the organization. (B) However if the solution did not work, you should return to the planning stage and start again. The site notes that using “PDCA to implement changes ensures that there is a continuous cycle in place to monitor changes and to continue to improve upon them.”
Copenhagen Compliance suggest another approach in their e-newsletter entitled “Using the Kaizen Approach to Risk Management by the Audit Committee”. They say, “Understanding the current nature of a risk is a precondition for a determining your risk appetite and providing a risk response.” It is therefore incumbent that you take the necessary “time, resources and expertise to have a closer look at individual risks and understand what a risk management means to the various department heads and divisions.”
Using the small workshop format to determine and consider the different levels of risk, they propose you should start with the following questions:
The answers you deliver to these queries should provide you with a detailed analysis and more insight into both the order and magnitude of the compliance risks your company faces going forward. However Copenhagen Compliance then suggests a second step where you review the risks from a difference perspective. You should begin by using the results of the first exercise to take a look at a couple of different areas. First you should consider “the different causes and the circumstances that focus on the processes or events that precede a risk occurrence.” From there you should “list the different causes and the circumstances that focus on the processes or events that precede a cause of the risk.” The data you develop in this second phase “will provide valuable insights to determine the risk appetite, effective responses to optimize the management of risks with focus on Risk identification” which are embedded in the way you are doing business.
Marty Ellen, the Chief Financial Officer (CFO) at Dr. Pepper, discussed these theoretical underpinnings in a Wall Street Journal (WSJ) article, entitled “How Dr Pepper Cuts Cost. And Then Cuts Costs Some More”, by Mike Esterl. At Dr. Pepper, Kaizen events are known as “Rapid Continuous Improvement” or RCI. Ellen said, “RCI is about taking the existing baseline and improving it by finding the waste. It starts with walking the entire process. We call it “going to gemba,” which is Japanese for going to see how the work is done. The goal is always to shorten cycle times. You would be surprised. You put a bunch of people in a room to describe how a process works, and they don’t all agree with each other - and they all work on the same process.”
For the Chief Compliance Officer (CCO) or compliance practitioner, the most interesting take-away from the article was that Ellen has successfully used the process not only in manufacturing processes but also in internal controls and financial processes such as accounts payable. Moreover, using RCI is not about cutting jobs but making the internal processes more efficient. So if you can reduce costs in compliance by being more efficient in the process it sounds like a win for all concerned.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
In this episode, I visit with Alex Tsigutkin, founder and CEO of AxiomSL and Varun Singhal – Senior Vice President Product Management, AxiomSL. AxiomSL a global leader in risk data management and regulatory reporting solutions for the financial industry, including banks, broker dealers, asset managers and insurance companies. Its unique enterprise data management (EDM) platform delivers data lineage, risk aggregation, analytics, workflow automation.
We discuss data lineage, which is quickly becoming a top line concern and challenge for data managers in financial services. In the past, data lineage—generation of a trail of information that tracks the use and custody of data as it travels throughout the enterprise—was primarily a concern for niche internal projects, usually run by reporting teams. A combination of closer oversight by prudential regulators and rising global standards around data governance, itself, has rapidly led many financial institutions to become more interested in how to do this on a broader level. The implications to and applications for the anti-corruption compliance profession are significant for transparency and accountability in data for sales, third party sales agents and payments, data flow in an organization and vendors in the Supply Chain. You can find out more about AxiomSL and data lineage by checking out their website, by clicking here.
One of the most constant things that I have observed in my 10+ years of practice in the compliance space is its constant evolution. Compliance techniques and practices, which were considered cutting edge when I began, have moved to standard fare and are now largely minimum practices. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have mirrored this evolution in not only how they view compliance programs but also in their own enforcement regimes and protocols. Today I want to consider agile innovations methods for your compliance program.
According to a Harvard Business Review (HBR) article “Embracing Agile”, by Darrell K. Rigby, Jeff Sutherland and Hirotaka Takeuchi, agile methodologies “involve new values, principles, practices and benefits and are a radical alternative to command-and control-style management.” It is accomplished by taking employees “out of their functional silos and putting them in customer-focused multidisciplinary teams”. As the customers of the compliance function are the company’s employees, I think the transition can be made.
One of the most basic problems is that business executives basically understand only enough about agile to be dangerous but they do not understand the comprehensive approach that needs to be taken. This means that senior management will continue to the same management practices that in fact work to undermine the agile process. The authors suggest the solution is that executives learn the basics of the agile process and understand the conditions in which it does or does not work. They should begin with a small team and project and let the operation spread organically.
Some of the right conditions for the success of an agile initiative in the compliance arena are as follows. You should have the right market environment for the project. This means you need to have your internal customers involved and allow feedback to change any proposed solution. You must be willing to innovate, particularly if there are complex compliance problems involved. You will need to break down the solutions into digestible junks, which may actually change the scope but through cross-functional employee collaboration, you can have appropriate creative breakthroughs.
Digestible junks will allow you have incremental developments, which can be tested and then rolled out for use by your employee base. As your internal customers use the innovations, the work cycles can be broken down further so both testing and innovation can continue unabated. This allows a continual feedback loop so that late changes in the innovation can be managed and incorporated going forward. Finally, if there are interim mistakes, it can be a valuable source of lessons learned going forward.
An example might be around compliance training, a topic oft-times commented upon as rote and something employees simply have to get through. Some commentators have characterized such training as a basic ‘tick the box’ exercise simply to get government credit. While such commentary fails to understand the benefits of communication through training, it does point up the issue of the stiltedness of compliance training.
An approach to this might be to put together an agile team to look at training so that compliance could create topical training, in a few days to respond to market or other conditions, separated out by the challenges met in various product lines or geographic areas. This innovation can include budgets as well, making your compliance function more cost effective through innovation.
Another concept is to start small and let the word spread. This is antithetical to many large companies that “launch change programs as massive efforts” largely because the project sponsors feel that if they do not do so, the rest of the company will divine that the effort is not really supported by senior management and respond accordingly. However, the authors suggest “agile might spread to another function, with the original practitioners acting as coaches. Each success seems to create a group of passionate evangelists who can hardly wait to tell others in the organization how well agile works.”
The C-Suite has a role as well by practicing agile at the top of the organization so not only could senior management provide new techniques through an agile exercise, they could learn how to support more fully the compliance function which might engage in an agile review. “Senior executives who come together as an agile team and learn to apply the discipline to these activities achieve far-reaching benefits. Their own productivity and morale improve. They speak the language of the teams they are empowering. They experience common challenges and learn how to overcome them. They recognize and stop behaviors that impede agile teams. They learn to simplify and focus work. Results improve, increasing confidence and engagement throughout the organization.”
There are three succinct benefits. First by having senior management involved in an agile exercise, it would allow them to “catch up with the troops” and to reprioritize their efforts going forward to be better aligned with the real-time nature of agile. Second, it allows a speedier corporate transition as it can allow the employees to know if management is in tune with what the employees care about going forward. Finally, it can present clear alignment of departments and functions on a common vision. I can think of no greater strength for the compliance function to rely upon. This can be used to expose senior managers to break out of their “silos in today’s overspecialized organizations-for general management roles.”
The authors conclude by noting the need to destroy barriers to agile. They list five pointers. First “get everyone on the same page” which they believe is the key responsibility of management. Second is not to change structures but to change roles so that internal company disciplines “can learn to work together simultaneously, rather than separately and sequentially.” Next is to name only one boss for each decision as in the agile operating model it must be “crystal clear” who can make the final decision. Penultimately, your agile exercise should focus on teams not individuals because it is the team’s collective intelligence that brings the power to an agile exercise. Finally, lead with questions not orders. Here the authors cite to General George S. Patton, who “famously advised leaders never to tell people how to do things: “Tell them what to do, and they will surprise you with their ingenuity.””
The agile exercise will probably not work in a compliance function under the thumb of the corporate legal department, as innovation is typically not in the remit of legal. However for a compliance function that desires to bring new and unexpected ways of doing compliance to your organization, going through an agile exercise might be just the thing to move compliance into the very DNA of your organization.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
After a two week absence, Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories which happened while we were off, including:
What will be the role of Artificial Intelligence (AI) in compliance going forward? LawTech had disrupted the legal profession and how it is reshaping many areas of private practice. I found the article had multiple implications for the compliance function. Indeed, I believe there will be a ComTech industry lurking down the road.
Obviously, document review is one area where ComTech would be most useful. There are many companies who provide key word searches and these same concepts translate readily into the compliance world through massive database searches for key words, such as an ongoing email review through email sweeps. The concept is straightforward; at regular intervals, you sweep through your company email database for identified key words that can be flagged for further investigation, if required. Such a sweep is not limited to anti-corruption compliance but any of the risk factors identified for your company.
The objective of this approach is to find the evidence of a compliance breakdown by sweeping systems to uncover items that may contain real issues. From here, you can assess and prioritize, by checking and verifying if an issue needs investigating and focusing on the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities. AI can help you to perform all of this more cheaply and efficiently.
Soon compliance will be pushed more to the forefront in anti-money laundering (AML). As banking institutions continue to tighten and strengthen AML controls, criminals and other nefarious actors will move into non-financial corporations to move money for the simple reason that such robust controls required in the financial and financial services world are not generally required in the non-financial corporate world. Non-financial corporations should have robust AML controls in place and one of the requirements for any best practices AML policy is to “Know Your Customer” (KYC). AI will allow a more robust KYC approach.
Another area where compliance is often left behind is in the arena of Mergers and Acquisitions (M&A). Since the 2012 FCPA Guidance, the focus of compliance in M&A has been more and more on the pre-acquisition phase of a deal. Often the compliance function is either brought in at the last minute and does not have the time to perform adequate compliance due diligence or there is an overwhelming amount of data to be reviewed and the resources available (or made available) to the compliance function is woefully inadequate. AI can help in this area. There are companies which have software that allows thousands of documents to be reviewed in the M&A context.
The review could include such issues as whether third party sales representatives have the requisite background due diligence in the files, their status and commission rates paid. There could be a review of top sales and business developments folks in high-risk regions, correlated with a gift, travel and entertainment analysis. Finally, you could consider sales in high risk regions or even sales spikes from low risk areas from the compliance perspective.
A prime example of where AI can assist the compliance function is with third parties in the Supply Chain arena. Every multi-national has literally thousands of vendors. Getting a handle on those is always a challenge simply because of the numbers involved. Using AI, a compliance practitioner can immediately identify vendors that present anti-corruption compliance or other risks to an organization. Once again, having led an effort to list out all employer’s vendors by hand to begin the risk ranking process, I can personally attest to the greater efficiencies AI can bring to the exercise.
There is yet another set of AI tools which can review contracts to see if any specific types of clauses are non-standard. It would seem a relatively easy software coding exercise to adapt such products to compliance clauses. This type of approach could also be used for non-standard governance clauses in joint venture (JV) or other types of partnerships agreements. Having once been assigned the task of reading all my employer’s JV agreements (87) and third party sales agents contracts (211) from across the globe and recalling the amount of time it took to do so; I can personally attest again to the greater efficiencies we are considering through the use of AI.
This example also points to one of the key disadvantages to AI and ComTech going forward. In past years, it was through document review and the detailed reading of documents and cases that many junior lawyers were trained. In my experience, reading all those JV agreements and third party sales agents’ agreements gave me a very good education in contract language and what positions were more and less favorable to each party. This is how many young associates were trained in law firms. This very practical method of training will eventually go away.
This final example also points to one of the key limitations of ComTech. While it might have helped to have AI review the JV agreements and third party sales agents’ contracts, it only could identify non-standard contract language. Unfortunately, since most of the agreements and contracts were bespoke they were uniformly non-standard. Further, the assignment I was given required an analysis of each non-standard contract so the judgment of a human was required. Even as AI becomes more sophisticated, the judgment of a professionally trained compliance practitioner is still required to validate the areas flagged by AI as anomalies.
Gary Kasparov recognized this after his loss to IBM’s Big Blue in a chess match. In a review of his recent book Deep Thinking-Where Artificial Intelligence Ends and Human Creativity Begins, it noted that Kasparov “recognized that computers do well what humans do badly and vice versa, suggesting a useful complementarity.” Moreover, “he argues that humans are often fallible, finding patterns in randomness and correlations where none exist. Computers can help us be more objective and amplify our intelligence. Technological progress can never be stopped even if it should be better managed.” Kasparov even formulated his own theorem, which he calls “Kasparov’s Law” and it reads, “Weak human + machine + better process is superior to strong human + machine + inferior process.”
There have always been technological innovations which help make co mpliance disciplines run more efficiently, more smoothly and more profitably. AI is simply another step in this line of technological developments. There is certainly no reason to be afraid of using it. Given the disruption which has impacted the legal profession through LawTech; disruption is not far behind in the compliance world through ComTech.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
In this episode, I visit with Rakhi Kumar, the Managing Director, Head of ESG Investing and Asset Stewardship for State Street Global Advisors (SSGA) on the firm’s recent white paper entitled, “SSGA’s Perspective On Effective Climate Change Disclosure”. While the white paper focused more specifically on climate impact and climate risk to businesses in the energy and mineral extractive industry, it set out a protocol which every Board of Directors can use for a wide variety of risks, including compliance risk.
We consider the purpose & methodology of SSGA’s white paper. We take a deep dive into the four areas of how a Board can better position climate change risk:
We then consider the SSGA approach in the context of a broader risk management process through the exploration of such issues as
We previously considered how artificial intelligence (AI) can be used as business advantage for compliance. However, the power of AI can also extend the more traditional functions of prevention, detection and remediation. The first way is in simply the mass amount of data which could inundate a compliance practitioner. Many compliance practitioners are overwhelmed about the amount of data available to them and do not know how or even where to begin.
Patrick Taylor, President and CEO of Oversight Systems, Inc. has noted that AI allows the compliance practitioner to understand the “subtle clues in that pattern of activity that will clue me in to take a different look”. He likened to seeing a pattern in “raked leaves” which allows you to then step in and take a deeper and broader look at an issue, either through an audit or investigation. This is where compliance practitioner can step back and literally keep an eye on the big picture and longer term as opposed to just the immediate numbers and information in front of them. It may also be the best hope for finding that kind of systemic fraudulent behavior.
This speaks to one of the difficult issues for the compliance practitioner, which is what does all the information mean? Consider the example of GlaxoSmithKline (GSK) in China. The Chinese business unit employees were working en masse to create fraudulent reimbursable invoices, inflating the cost of industry events to create a pool of money to pay bribes. They would stage an event around a drug product, or service in a hotel. They would inflate the hotel charge 20% above the actual costs and submit the entire amount to the corporate office for reimbursement. In some cases, GSK employees would submit invoices for events which never took place.
Now layer on top of these deceptions, in China, there is a rampant sale of fake receipts. For every Marriott the Chinese business unit utilized, personnel they could buy an official Marriott receipt, which showed the price that was paid and it was a backup documentation for the auditor to look at on that expense report. Finally, there was the illegal sale of official Chinese government real tax stamps to tier on another level of complexity.
Taylor said that AI would provide you the opportunity to detect even this type of massive and systemic fraud because, statistically those charges would not make sense. Taylor said the reason this type of fraud can be so difficult to detect and prevent is the charges were on credit cards, so recorded and there was paper documentation to back up the charges. Standard modalities of detection will not assist the compliance practitioner. You just know that something does not make sense. AI allows a compliance professional to gather and compute statistics across a wide variety of customers and situations; such as geographic and time dimensions.
Using these two data points, you can analyze what is a reasonable amount to spend at a hotel or other venue. But also includes such variables as the time of year as some cities have tremendous seasonality in their hotel charges. Yet others do not and indeed there may even be zero variability in transportation cost across seasons. AI allows you to pull geographic, time, type of expense and even specific vendors statistics for a big-picture analysis.
In a broader manner, consider all the data points in the lifecycle of any business transaction which produce data analytics for a compliance practitioner. When Business Development (BD) initially makes a call on a potential customer; when a request for proposal (RFP) comes into an organization; when the response is formulated with pricing and proposed discounts; during any subsequent contract negotiations; post-contract obligations for travel and training; and continued business development contacts with a customer.
Each of these steps could provide data, which taken singularly might not raise any red flags or even be outside company specifications, but taken as a whole it might be a transaction which would lend itself to compliance oversight. Starting with the BD representative, what was the spend on gifts, meals and entertainment (GTE)? Even if that information is not available to the compliance department it is available from employee reimbursement requests so it can be used to take an appropriate business deduction from the Internal Revenue Service (IRS). From the Foreign Corrupt Practices Act (FCPA) perspective, is the BD representative entertaining a foreign government official under the Act? If so, what is the aggregate spending by any one such government official over a 12-month period by one BD representative? What is the BD spend on one particular state owned enterprise official by several company BD representatives? Has there been any travel involved to tour company facilities? If so, what was the aggregate spend and was it correlated with other GTE spends?
Moving on to any contract negotiations which might take place, were any discounts offered outside the standard discount range? If so were these discounts properly vetted through the internal company process? Was this process documented and was there senior management sign-off in place? Did the customer suggest the use of any third parties as suppliers to the prime contract? Were there any charitable donations requested by the customer? Were there any charitable donations made during any part of this process or within 12 months after a successful contract negotiation? Was the contract properly vetted by all required internal processes: by management, legal, and compliance?
If the business function was successful in concluding the contract; did it specify any travel for the customer? How about ongoing training and if so where and for how long? Was there a specification of business class or above travel accommodations? Has any required compliance or FCPA training been delivered to third parties involved in the contract? Was there any Corporate Social Responsibility (CSR) requirement going forward? Does compliance have visibility into this or does is go through a company charitable donation group or committee?
These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. Obviously, AItion holds both promise and challenge for CCOs. However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
In this episode, Matt Kelly and I take a deep dive into the good, bad and ugly of Hurricane Harvey for the compliance professional. We discuss what lessons may be drawn from the storm and its aftermath for the greater compliance, ERM and business communities and the need to take a much greater holistic approach to the consideration of your risk management strategy. We end with some thoughts on the travails of Salt Lake City nurse Alex Wubbels who was arrested for obeying the law in refusing to take blood from an unconscious patient. We consider her plight from the compliance perspective.
For more on Hurricane Harvey and its aftermath see the following:
Matt Kelly’s piece Corporate Ethics, and Glitches, in Houston
Tom Fox’s pieces
Hurricane Harvey - Reflections on Being Prepared
How Weather Can Bring Analytical Clarity to Compliance
How the Storms of “The Scottish Play” Inform Your Compliance Program
Holmes, the Fog of London and Root Cause Analysis
For Matt’s piece on the arrest of Nurse Wubbels, click here.
Next we consider the introduction of Artificial Intelligence (AI) into the compliance profession. A few pieces claimed AI is revolutionary and would change the face of compliance. Well I have some news for such pontificators, technology has been involved in compliance since the profession began in earnest with the implementation of the US Sentencing Guidelines in 1992. One thing is certain however and that is technology that will improve the efficiency of compliance and will assist in the operationalization of compliance into fabric of every business which embraces it.
A recent article in MIT Sloan Management Review, entitled “Building a More Intelligent Enterprise”, by Paul J. H. Schoemaker and Phillip E. Tetlock explored how businesses could “blend technology-enabled insights with a sophisticated understanding of human judgment, reasoning, and choice” which will provide to them “an advantage over their rivals”. The compliance professional who incorporates the techniques they advocate into their organization’s compliance program will not only move their compliance program forward but also make their company run more efficiently and, at the end of the day, more profitably.
The reason is not simply that AI can make compliance more effective and more efficient but “in the knowledge economy, strategic advantages will increasingly depend on a shared capacity to make superior judgments and choices.” AI is a step which weds the human interaction and experiences with the data which is available to every company - its own internal information which is most generally sitting in siloed verticals and not being used. This data can “provide the foundation for operations research, forecasting models” when using AI. When you couple this data with the “growing understanding of human judgment, reasoning, and choice” which has provided insights in what humans do well or poorly; you can pair the best of these two seemingly disparate incongruities.
The authors suggest that you use this strategy in an area which will have the greatest benefit for your company, stating, “The starting point for becoming an intelligent enterprise is learning to allocate analytical effort where it will most pay off — in other words, being strategic about which problems you decide to tackle head-on. The sweet spot for intelligent enterprises is where hard data and soft judgment can be productively combined.” For the compliance professional, this translates to your greatest risk area. Consider the possibility that you could identify through forecasting what your highest risk might be, then use AI to more efficiently and accurately assess the risk and finally tie both an AI technology solution with compliance subject matter expertise (SME) to manage the risk going forward.
The key in such a scenario is in aiding the compliance practitioner to avoid judgmental “biases that often distort human information processing and by recognizing the precarious assumptions on which statistical models sometimes rest, the analytical whole can occasionally become more than the sum of its parts.” This means you should critically look at a variety of factors around where your compliance risks lie. Most compliance practitioners only rely on the Transparency International-Corruptions Perceptions Index (TI-CPI) for a country’s corruption rating. While the TI-CPI is a good starting point, it is only that. A compliance analysis that an area is high, medium or even low risk does not consider the starting assumption using the TI-CPI. Moreover, because this Index has been used so long, compliance professionals are biased towards and do not seek out other data which might provide a more nuanced approach.
Another technique which I have been involved with is known as boot-strapping. Here a group of SMEs would develop a model of possible risks which could be assessed with large amounts of data or other inputs. By modeling the experts’ knowledge in risk areas, you could develop not only a more comprehensive forecast and assessment of risk but it would also be more consistent, which would greatly help in your planning and risk management.
The authors reported researchers who asked a group of corn experts to rate 500 ears of corn to predict their eventual prices in the marketplace, using a variety of factors. “The researchers then created a simple scoring model based on cues that judges claimed were most important in driving their own predictions. Both the judges and the researchers expected the simple additive models to do much worse than the predictions of seasoned experts. But to everyone’s surprise, the models that mimicked the judges’ strategies nearly always performed better than the judges themselves.” Most of the factors were subjective but that did not stop the model from being more efficient. The authors believe the boot-strapping model “remains one of the most compelling demonstrations of the potential benefits of combining the powers of models and humans, including the value of expert intuition.”
Boot-strapping is the most straight-forward use of this type of technology, as it is “a simple input-output approach to modeling expertise without delving into process models of human reasoning.” Now consider how boot-strapping can be augmented by AI technologies “that allow for more complex relationships among variables drawn from human insights or from mining big datasets.”
These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. The authors conclude by noting, “the cognitive-science revolution holds both promise and challenge for business leaders.” However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
In this episode, I visit with Adam Turteltaub, Vice President of Strategic Initiatives and International Programs. We discuss the upcoming 2017 Compliance and Ethics Institute, which is one of the primary education and networking event for professionals working in the Compliance and Ethics profession across all industries around the world. Sessions at the 2017 conference will offer the latest compliance information on hot topics and current events. Sessions are carefully selected and will be presented by leading experts who will explore real-world compliance issues, practical application, emerging trends, and state of the art techniques.
The CEI conference and compliance training is great for everyone in the compliance and ethics field including: Compliance Auditors, Compliance Directors, Compliance Management, Compliance Officers, Risk Managers, International Compliance, Financial Compliance, Corporate Business Ethics, Ethics Officers, Ethics Management, Compliance Lawyers, HR Management, and Human Resource Risk.
Adam and I discuss the tracks for breakout sessions and events, the pre-and post conference events and sessions you wish consider and the volunteer opportunities that are available. If you attend only one compliance and ethics event for the year, this is one for you. You can find out more information at the SCCE homepage, by clicking here.
Welcome to the September edition of my yearlong podcast series of One Month to a More Effective Compliance Program. In the month of September, I will be focusing on innovation in compliance. I will look at innovation from a variety of angles including AI and ComTech, structural innovations, tools and tactics and innovation in leadership. At this end of September, you will have a number of solid ideas you can use to move your compliance program forward.
I begin this month by considering the starting point, which is an innovation strategy. In the most recent Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) issued by the Department of Justice they all include an element along the following strictures, “The Company will conduct periodic reviews and testing of its anti-corruption compliance code, policies, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, policies, and procedures, taking into account relevant developments in the field and evolving international and industry standards.”[Emphasis supplied]. This means that the DOJ expects innovation in your compliance program to keep up with evolving international and industry standards. This requires you to implement an innovation strategy.
All of this means you should begin with an innovation strategy for your compliance program. Gary P. Pisano, in an article in the Harvard Business Review (HBR), entitled “You Need an Innovation Strategy” discussed such an approach. He began by stating the problem that many companies face is that “innovation remains a frustrating pursuit.” The key to success is something that every CCO or compliance practitioner should take to heart; which is, a compliance practitioner must be able to lay out an innovation strategy for compliance that details the efforts will support the overall business strategy. This means creating an innovation strategy for compliance that will create value for customers of compliance, IE., employees, third parties and customer, show how the company will capture that compliance value going forward and finally which types of compliance innovation to pursue.
First, some basic definitions useful for the compliance practitioner to think through innovation in the compliance function. Pisano defined a “strategy is nothing more than a commitment to a set of coherent, mutually reinforcing policies or behaviors aimed at achieving a specific competitive goal.” If you have a good strategy, it can promote alignment among diverse groups in a company, help to clarify objectives and priorities and guide your focus on those objectives. It can also be modified as necessary and with sufficient feedback.
There are several questions you need to consider in connecting innovation to strategy. Initially, how will innovation create value for the customers of compliance; IE., your employees and relevant third parties? Your innovation can make compliance faster, easier, quicker, nimbler and so on. Focus on that creation of value going forward. Pisano’s next question was “How will the company capture a share of the value its innovations generate?” He suggests companies think through how to “keep their own position in the [compliance] ecosystem strong” through innovation. Next what types of innovation will allow the company to create and capture value, and what resources should each type receive, such as a change in technology and a change in a business process. Both are equally valid.
Obviously senior management has a key role around innovation in compliance, as innovation can be driven downward or backward if there is not sufficient management support. This means not only must there be sufficient resources allocated but management must also incentivize the business units to proceed with implementing the innovations. Another area where senior management is critical is with making trade-offs.
The author noted there are four essential tasks in creating and implementing an innovation strategy. Task 1 is to “answer the question “How are we expecting innovation to create value for customers and for our company?” and then explain that to the organization.” Task 2 “is to create a high-level plan for allocating resources to the different kinds of innovation.” Task 3 is “to manage trade-offs. Because every function will naturally want to serve its own interests, only senior leaders can make the choices that are best for the whole company.” Finally, task 4 dovetails with what almost every DOJ or speaker from the Securities and Exchange Commission (SEC) I have ever heard say when they talk about the basics of any best practices compliance program. It is that both compliance and innovation strategies must evolve. Pisano wrote that every innovation “strategy represents a hypothesis that is tested against the unfolding realities of markets, technologies, regulations, and competitors. Just as product designs must evolve to stay competitive, so too must innovation strategies. Like the process of innovation itself, an innovation strategy involves continual experimentation, learning, and adaptation.”
You must recognize that your compliance program will have to be innovative. Start with a strategy which has senior management buy-in and support, then move to implement. Finally use data in a feedback loop to fine tune your innovations. Innovation in compliance is one of the key differences between those who advocate static compliance standards embodied in a written compliance program and those who advocate an operationalized compliance program is that the latter creates an active, vibrant and effective compliance program. That is the bottom line for innovation.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
In the August edition of One Month to More Effective Continuous Improvement I have considered some of the techniques to create continuous improvement in your compliance program.
Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its chapter 5 Guiding Principles of Enforcement industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs (Evaluation) lists three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each was category further refined with multiple attendant questions.
You should keep track of external and internal events which may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company, i.e. a company reorganization or major acquisition. This type of review appears to be similar to the DOJ advocacy of ongoing risk assessments. The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, effective compliance programs, meaning those that do not simply exist on paper, but are operationalized will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”
Continuous improvement requires that monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
One technique that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.
Over the month of August I have presented a variety of specific tools and techniques for the compliance practitioner to utilize. They include financial audit, the culture audit, continuous controls monitoring, various risk management strategies which can become continuous monitoring. The tools are both quantitative and qualitative. Pick and choose the right tools for your company’s business and compliance profile.
Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”
Three Key Takeaways
A big shout out and thank you to this month’s sponsor Affiliated Monitors. They use a variety of the tools and techniques I have described over the month in their services. I hope you will check them out. For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
Continuous improvement also requires you to consider the backbone of your compliance program, your written Code of Conduct, policies and procedures. Under Prong 9, in the Department of Justice’s Evaluation of Corporate Compliance Programs, it states, Evolving Updates – How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?
Moreover, under Prong 4, the Evaluation considers not only the design of your Code of Conduct but its accessibility with a variety of questions and factors. These include what was considered for your Code of Conduct, how the Code improvement was implemented, whether the gatekeepers were consulted and most importantly whether they bought into the entire process. Finally, is your Code accessible to all employees.
I thought about this updating in the context of your best practices compliance program. The cornerstone of any such compliance program is recognized to be your Code of Conduct. But a Code of Conduct should not be a static document. It needs to evaluated and updated as circumstances warrant. Yet such updating should not be performed in an ad hoc manner. As intoned in the 2012vFCPA Guidance, your compliance program should be thoughtful and well considered. In “Six steps for revising your company’s Code of Conduct”, Anne Marie Logarta and Ruth Ward discussed how you should think through the updating of your Code of Conduct.
After evaluating these initial issues, the authors suggest that you should benchmark your current Code of Conduct against others companies in your industry. If you decide to move forward the authors have a six-point guide that should assist you in making your revision process successful.
Your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”
A cross-functional working group should head up your effort to revise your Code of Conduct. They suggest that this group include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.
From this large group, Code of Conduct topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. It is incumbent you create a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”
The backbone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” Technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.
In addition to this use of technology in drafting your Code of Conduct revision, you should determine if your Code of Conduct will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code will only be available in hard copy.
You must translate your Code of Conduct into appropriate local languages. This is particularly important if your Code is pre-2012, when the FCPA Guidance came out and made clear that translation into local languages was a minimum of a best practices compliance program. The key is that “your employees have the same understanding of the company’s Code-no matter the language.” The Evaluation also makes this requirement for accessibility mandatory.
A roll-out is always critical because it “is important that the revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide meeting where the new or revised Code is rolled out across the company all in one day. Recent pronouncements from the Department of Justice (DOJ) have suggested that testing the knowledge of employees on the Code is becoming more important. However, the bottom-line, as with all thing compliance-related, is Document, Document and Document. However you deliver the new or revised Code of Conduct, you must document that each employee receives it and understands it.
If you set realistic expectations you should be able to stay on deadline and stay within your budget. They state, “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that to keep a close watch on your budget so that you do not exceed it.
If you are a compliance practitioner, I urge you to look at your company’s Code of Conduct, policies and procedures. If your Code is pre-2012, you need to update sooner rather than later and consider what the FCPA Guidance says about a best practices Code of Conduct. With the new information presented by the DOJ you need to consider how you can measure how well your employees are retaining it as well. It is far better to review and update if appropriate than wait for a massive Foreign Corrupt Practices Act (FCPA) investigation to go through the process.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
A Program Manager in a Power Plant Process group told me about the ‘Mock Audit’ that his company performs in its power plants across the country. He explained that his industry is heavily regulated at both the state and federal level. Power plants are subject to numerous levels of oversight including various ISO standards to which they must comply. ISO is the International Organization for Standardization and it develops and publishes International Standards for various industries and organization.
The ISO 9000 standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer’s requirements, and that quality is consistently improved. One of the components of ISO 9000 compliance is an internal audit to check how a quality management system is working. But, for the utility industry, there are additional, more formal audits by various state and federal regulatory bodies, including both North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC). In other words, the utility industry is subject to numerous rules and regulations which require compliance audits.
To help prepare for these formal internal and external audits, his company employs the Mock Audit. In the Mock Audit, his team will go through the factors which will be reviewed in a formal audit at a power plant. But the thing that struck me was that he said that when goes into a plant, he tells the plant personnel “we all wear the same color shirt” and by this he means they are all on the same team, trying to achieve the same goal of doing business in compliance with the rules and regulations that the power industry is required to operate under. Coming from the energy service industry, the ‘color of one’s shirt’ is a powerful concept. I worked at Halliburton which is known as “Big Red”. Halliburton’s competitor, Schlumberger, is known as “Big Blue”. Once in an employment interview someone asked me if I could work under a person who came from “Big Blue” and I knew instantly what they meant.
The Mock Audit is a mechanism by which a compliance team can go into a facility and not only try to determine what might need remediation but, equally importantly, help the employees in that facility to move towards greater compliance. The team members who perform these Mock Audits are not lawyers but are engineers or other process focused team members. These Mock Audits help to uncover gaps that need closing before any of the regulatory mandated audits by external audit teams. As this Program Manager explained to me, they are a powerful compliance tool.
I thought about this concept of the Mock Audit in the context of continuous improvement under the Foreign Corrupt Practices Act (FCPA). Typically such monitoring and annual assessments are done by lawyers. One thing that I think we as lawyers bring to this process too often is an adversarial relationship. It sometimes feels and sounds like we are trying to find a violation or something wrong regarding a company’s compliance program. We are not there to try and help employees learn from their mistakes (if any) and we do not present ourselves as ‘wearing the same color shirt’. While there certainly is a fine line that must be trod in monitoring and annual assessments, if the compliance practitioner could adopt a bit of the tone of the Mock Audit it might open things up for a more useful and constructive exercise going forward. This is not to say that a more formal compliance audit should be conducted with such a tone, as it is a different type of activity. But, just as the Mock Audit is there to uncover any gaps and help fill those gaps, monitoring or annual assessments can also be used to help close compliance gaps before a biennial formal compliance audit. So what are some of the steps that a compliance practitioner can take?
I once worked in a corporate legal department where the attitude was very much ‘us against them’. The legal department was viewed as the last bastion between the business guys doing something to put the company at risk. The attitude was not cooperative at all. I would suggest that even if the legal department feels like it has to maintain that attitude, the compliance department is not required to have that attitude, at least not all the time. Just as my new found colleague from the utility industry can help power plant employees to do their work more in compliance with the rules and regulations that they are required to follow, the compliance department can work with employees rather than simply dictate the rules which are to be followed. An annual assessment is the perfect opportunity to learn more about a region or group’s compliance challenges and how those challenges are being met and might be met going forward. But it will not work if it starts out with the us against them or I am here to get you attitude. You have to wear the same color shirt and be on the same team.
One of the more constant complaints that I have heard from business unit folks is that compliance did not share the results of any assessments or audits with them. Not only was there no transparency at the end of the process but there seemed to be no simple desire for local participation or input to resolve any outstanding issues uncovered. So another step I gleaned from the Mock Audit is to review any assessment findings with the senior management team of the group or area being assessed. If warranted, the management team from the group or area reviewed should be a part of any corrective action plan that addresses a specific gap in compliance. You can use this opportunity to demonstrate that the overall goal is to drive towards compliance and that use of local input may be one of the best paths to positive change over the long term. As with anything, else if people feel like they have input into the process, they will be more likely invested to make sure the process succeeds. When you return to the corporate office you can collaborate with the group or region until issues are fully addressed.
The 2012 FCPA Guidance made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. The concept of the Mock Audit is one that can facilitate continuous improvement. As it is a process designed to help your employees do business in a more compliant manner it is a tool that should not be overlooked.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
Compliance does not exist in a time-warp vacuum, with programs living in 1977 when the first major anti-corruption legislation, the Foreign Corrupt Practices Act was passed. The law has advanced since that time, as has compliance and society as well. One of the ways that you can engage in continuous improvement for your compliance program is based upon the two-way use of social media. Social media can be used not only to communicate with your employee base but also for your employee base to communicate with you, most particularly if you are prepared to listen.
For every CCO or compliance practitioner, you have multiple audiences. First and foremost is your employee base but there can be third parties, shareholder or other stakeholders. One of the key insights of several business leaders I have studied is the art of listening. In an article in the MIT Sloan Management Review, entitled “How Twitter Users Can Generate Better Ideas”, authors Salvatore Parise, Eoin Whelan and Steve Todd postulated that “New research suggests that employees with a diverse Twitter network – one that exposes them to people and ideas they don’t already know – tend to generate better ideas.” Their research led them to three interesting findings: (1) “Overall, employees who used Twitter had better ideas than those who didn’t.”; (2) In particular, there was a link between the amount of diversity in employees’ “Twitter networks and the quality of their ideas.”; and (3) Twitter users who combined idea scouting and idea connecting were the most innovative.
I do not think the first point is too controversial or even insightful as it simply confirms that persons who tend have greater curiosity tend to be more innovative. The logic is fairly straightforward, as the authors note, “Good ideas emerge when new information received is combined with what a person already knows.” In today’s digitally connected world, the amount of information in almost any area is significant. What the authors were able to conclude is that through the use of Twitter, “the potential for accessing a divergent set of ideas is greater.”
However it was the third finding that I thought could positively impact the compliance profession, the role of the Idea Scout and the Idea Connector. An idea scout is “an employee who looks outside the organization to bring in new ideas. An idea connector, meanwhile, is someone who can assimilate the external ideas and find opportunities within the organization to implement these new concepts.” For the compliance practitioner, the ability to “identify, assimilate and exploit new [compliance] ideas” is the key takeaway. However to improve your compliance innovation, “you need to maintain a diverse network while also developing your assimilation and exploitation skills.”
For the compliance practitioner, Twitter can be “described as a ‘gateway to solution options’ and a way to obtain different perspectives and to challenge one’s current thinking.” Interestingly the authors found that “It’s not the number of people you follow on Twitter that matters; it’s the diversity within your Twitter network.” The authors go on to state, “Diversity of employee’s Twitter network is conductive to innovation.” Typically an Idea Scout will “identify external ideas from experts and resources on Twitter.” Clearly the compliance practitioner can take advantage of experts with the anti-corruption compliance field but there is perhaps an equally rich source of innovation from those outside this arena.
An interesting approach was what the authors called the “breadcrumb” approach to finding innovation leaders and thought-provokers. It entailed a “period of “listening” to colleagues and industry leaders who are on the platform - including what they are tweeting about, who they are following and replying to on the platform, who is being retweeted often”. So with most good leadership techniques the first key is to listen.
Equally important to this Idea Scout is the Idea Connector, who is putting the disparate strands from Twitter’s 140 character tweets together. For the compliance function, this will be someone who identifies compliance best practices or other information from Twitter ideas, can then put them together and direct the information to the relevant company stakeholders. Finally, such a person can “Curate Twitter ideas and matches them with company resources needed to implement them.”
Here the authors listed a variety of ways an Idea Connector can use Twitter. One user said, “I try to sift through all the Twitter content from my network and look for trends and relationships between topics. I put my analysis and interpretation on it. I feel that’s where my value-add is.” Another method is to focus on analytics and one user “filtered specific subsets of the topic for different stakeholders” at his company. Another method was to create “social dashboards or company blogs based on the insight” received thought Twitter. Interesting, one of the key requirements for successfully mining Twitter was in finding ways to share its content “since many employees, especially baby-boomers don’t use the platform themselves.” Conversely by mining information from Twitter and presenting it, this can allow these ‘technologically challenged’ older employees to ascertain how they can target millennial’s.
But as much as these concepts can move a CCO or compliance practitioner to innovation in a compliance program, it can also foster additional information through the following of your own employees. It is well known that Twitter can facilitate greater communication to and between the compliance function and its customer base, aka the company employees. However the authors also point to the use of Twitter to enable this same type of innovation because it “is different than email and other forms of information sources in that it enables continuous engagement”.
Twitter was created to allow people to connect with one and other and communicate about their activities. However the marketing potential was immediately seen and used by many companies. Now a deeper understanding of its use and benefits has developed. For the compliance practitioner one thing you want to consider is to align your Twitter and great social media strategy with your compliance strategy; match your Twitter strategy to your compliance strategy.
Twitter can be powerful tool for the compliance practitioner, as it allows you to both listen and communicate. It is one of the only tools that can work both inbound for you to obtain information and insight and in an outbound manner as well; where you are able to communicate with your compliance customer base, your employees. You should work to incorporate one or more of the techniques listed herein to help you burn compliance into the DNA fabric of your organization through continuous improvement.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”
Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.
One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.
Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.
Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Many compliance practitioners understand you should be checking in routinely with local Finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.
Yet ongoing monitoring is not limited to the financial component of compliance. Another approach to review emails as both a preventative and detection program through the technique of email sweeps. The concept is straightforward; at regular intervals you can sweep through your company email database for identified key words that can be flagged for further investigation, if required. The beauty of this approach is that does not require an extensive eDiscovery software tool or license purchase. It can be accomplished generally in two days or less. Also it is not limited to anti-corruption compliance but any of the risk factors identified for your company.
The objective of this approach is to ‘find the smoke’ which may be the evidence of a compliance breakdown (and related fire) by sweeping through emails is to uncover those that may contain real issues. From this starting point, you can assess and prioritize, by checking and verifying that there are issues worth investigating. From here you can identify the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities.
In addition to the cost effectiveness of this approach, in that you are only paying for the services when you need them and as they are delivered, this approach satisfies the Tom Fox mantra of Document, Document, and Document because everything you have done can be verified and audited. Finally, as the regulators continue to evolve in their understandings and appreciation of a best practices compliance program, you will evolve your compliance program to a new level of detection that could well allow you to have a more robust prevent mode. When your compliance program has a strong prevent prong, it can be the most effective to stave off anything issues from becoming Foreign Corrupt Practices Act (FCPA) violations.
Continuous improvement through continuous monitoring will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is a continuously evolving organism, just as your company is continually improving its business processes. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
In this episode, I visit with Joe Oringel, co-founder of Visual Risk IQ, a data analytics and visualization company. They have developed a manner not only extract data but present it in a way that is very interesting very useful and very informative for a very variety of stakeholders, including Boards of Directors. He's made presentations to boards. Joe is formally trained in internal audit and he has worked with and in a wide variety of corporate positions which have allowed him to gain some very good insight into what types of information a Board of Director’s needs. We discuss the types of information that can lend itself to visualization what a Board of Directors would want, what the Board of Directors should ask for and finally what a Board of Directors would want in a dashboard of information so that it can facilitate an unstructured dialog by the Board and reporting executive.
Check out more about Joe Oringel and Visual Risk IQ by clicking here.
Continuous improvement can take many ways, shapes and forms. Typically, when it comes to third-party risks, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or employee of a state-owned enterprise, or a close friend or family member. There may also be inquiry into knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices (FCPA) and compliance programs. Other information about criminal and legal history and references, both professional and commercial, may also be required. Hopefully these indicia are reviewed and updated on a regular basis.
One thing that is most generally not considered is the financial health of the third party. It turns out such an oversight may have some significantly ramifications for an accurate picture of a third party. The financial health of third parties as not only a key metric but also a key due diligence tool which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.
A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point and a rationalization for committing a FCPA violation forming in the mind of a third party.
But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. James Gellert, CEO of RapidRatings has noted, “Cyber security is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cyber security program. In a case like that, over time, a company partner of that firm is taking increased risks for cyber security breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cyber security problem and when that problem actually hits, it’s too late, it’s effecting revenue, it’s effecting reputation, it’s effecting all sorts of things.”
A database of financial health is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third party ecosystem”.
This is considering your third parties in much broader manner which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may tell you how well that third party will perform. Such information can be useful to you for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners, or even fourth parties, can help you meet your compliance requirements, maintain operational stability, through the avoidance of business disruption and support business continuity initiatives. Even better, you can cut through siloes to develop risk management strategies across multiple business functions.
This moves compliance into the business process cycle, creates greater efficiencies and at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate solid return on investment going forward. It also allows compliance to cut through many corporate siloes including such disciplines as business development, supply chain or procurement, manufacturing and finance.
Continuous improvement through monitoring of ongoing financial health is a tool where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to more and better operational stability and with that ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at http://www.affiliatedmonitors.com/.
In this episode, Matt Kelly and I take a deep dive into the Public Accounting Oversight Board (PCAOB). We consider the role of the PCAOB in both audit standards and internal controls for compliance. What is goodwill, goodwill impairment and how goodwill can be manipulated to create pots of money to pay bribes? We explore the question of whether there the need for a fresh look at SOX 404? We discuss the role of skepticism by auditors. We end with the forthcoming new auditor report format— the SEC is scheduled to approve that new standard regarding a new auditor report format soon and some people want the SEC to veto it. We discuss how new SEC Chair Jay Clayton may handle this by approving it by having a new PCAOB in place which takes a gentler approach to implementation.
For more information on the PCAOB, see Matt’s blog post PCAOB Overhaul Looms
For more on the intersection of compliance, audit and the PCAOB, see Tom’s four-part series with Joe Howell:
PCAOB, audits and compliance-Part I;
PCAOB, audits and compliance-Part II;
There are multiple areas in the Department of Justice’s Evaluation of Corporate Compliance Programs which intersect with the area of continuous improvement. In addition to Prong 9. Continuous Improvement, Periodic Testing and Review; under Prong 1 Analysis and Remediation of Underlying Misconduct is found the following: Prior Indications – Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed? This also ties to the 2012 FCPA Guidance made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. Another way to do achieve these multiple and intersecting goals is through voluntary monitoring. when I recently visited with Vincent DiCianni, President and Founder of Affiliated Monitors, Inc. and Eric Feldman, Senior Vice President (SVP) and Managing Director, Corporate Ethics and Compliance Programs also at Affiliated Monitors, Inc. about their views on voluntary monitoring.
According Feldman, voluntary monitoring is an approach where a company “uses the services of an independent monitor to find out how their program is working and to be able to use that data with government regulators and law enforcement to demonstrate their due diligence in creating and continuously improving their corporate ethics and compliance program.” There are at least two different types of voluntary monitoring. Feldman articulated the first as “reactive proactivity” which is the situation where a company determines it has a potential compliance violation and they bring in an independent monitor to address the issue.
The genesis for this type of monitoring is some event, such as a whistleblower report, internal report or investigation or detect control picking up information which warrants additional investigation. Feldman provided a couple of examples. The first might be “where one business unit has a problem and they're worried about the other business units and they want to get an assessment.” Another situation could be there is a problem in a sector or “industry and they know that that industry is being scrutinized by law enforcement or the regulators and they fully expect the regulators or law enforcement to be coming in and looking at them.” Yet another area could be in a geographic area such as China or another high-risk region.
DiCianni noted there is a second type of voluntary monitorship. It is where a company wants a true independent “to come in to test the quality of the program to see how impactful” the company’s compliance program is operating. It could assess a variety of issues, such as the compliance internal controls to test their benchmarking of a company’s compliance program. In this type of voluntary monitorship, the examiner is not focusing on one issue or region as laid out in the first example but it is broader.
Moreover, it allows a true independent to perform the assessment as DiCianni noted, “it's very difficult for companies and for compliance officers and their teams to self-assess the strength of their programs. They just have difficulty doing that. It’s just not an easy thing for them to get their hands on, how good a job am I doing? By having an independent come in with no skin in the game, with complete objectivity, neutrality, no judgements, or pre-judging the work, looking at the company’s program, the quality of the program, the makeup of the team, the organizational structure, where it’s placed. All of those kinds of things are parts of this voluntary approach.”
The benefits of both types of voluntary monitoring are multifold. It certainly helps to meet the Control Testing requirement found in the Evaluation. The 2012 FCPA Guidance stated, “An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” This type of approach can provide benefits if a company finds itself in FCPA hot water, as both the DOJ and Securities Exchange Commission (SEC) “will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” Yet the Guidance intones a business reason for the use of such techniques as voluntary monitoring when it stated, “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”
Feldman pointed out yet another reason for such a proactive approach. It can create an administrative record, which a company can use to demonstrate it has remedied the problems. Equally important it establishes the company is maintaining its commitment to doing business in compliance. The key is the independence of the monitoring personnel so they can present an accurate, unbiased opinion.
He presented the example of a company which had been debarred by the US government and needed to demonstrate an acceptable level of compliance to get off the debar list. He and his team performed a baseline assessment and from there developed a remediation plan, which the company implemented. After six months or so, he and his team came back to assess the progress made by the company. From this follow-up assessment, they generated a report which was used in a submission to the government which essentially noted, “We are now ready to be a responsible contractor as defined by the federal acquisition regulations and we propose an administrative agreement with continued monitored that would move it from voluntary monitoring over to mandatory monitoring for the next three years.”
Voluntary monitoring is an excellent technique through which a company can engage in continuous improvement. Nonetheless it has many other benefits as well, including regulatory and evidence in a criminal investigation if needed under anti-corruption laws such as the FCPA. The bottom line is that all those scenarios might justify a company to engage a voluntary monitorship to come in and do a complete ethics and compliance and cultural assessment or audit of their organization.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
In this episode, I continue the series on leadership lessons from U.S. presidents in discussing James Monroe Virginia, who was President from 1817 to 1825. He is probably best known today for the Monroe Doctrine which was not his idea and was not known by that name until the 1850s. The life, times and Presidency of James Monroe provide many lessons for today’s business leader. I hope that you can draw inspiration and some insight from them.
Another mechanism for continuous improvement of your compliance program is through risk-based monitoring. Under Prong 5 of the DOJ’s Evaluation of Corporate Compliance Programs, is the following topic and question Manifested Risks – How has the company’s risk assessment process accounted for manifested risks? I found this to focus as much on continuous improvement as it did with risk assessment through the emphasis on the risks which established and demonstrated by the organization. In other words, were you monitoring the risk that you have not only identified but also have revealed themselves to your organization.
I visited with Ben Locwin, Director of Global R&D at BioGen and an operational strategist in pharma and healthcare, to consider risk-based monitoring and how it helps to facilitate continuous improvement in a compliance program. Locwin said, “Risk-based monitoring is really about continuous, ongoing monitoring for those things which provide the most potential future risk to you. In other words, instead of a static risk registry that may come in part with forecasting, where you would say, “We’re trying to anticipate these risks.” By using risk-based monitoring to review issues on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.”
The problem for many companies is they are siloed in not only their data but also in the systems. Locwin explained that because of the disparity of data systems, “They may not be tracking rigorous, quantified information all the time.” He cited to an example from the pharmaceutical world where a company could well have 50 worldwide sites where a drug product is being tested. Some patients receive a placebo and some patients receive the medication being tested. As data comes in you begin to note patterns in certain patients and groups, which might actually point towards a variety of testing errors by physicians administering the test.
Through the use of risk-based monitoring, you can begin to see things in “almost real-time, time-based trends of real data that you can then jump on and try to make adjustments before things get really wacky.” The implications to the compliance practitioner? Having access to information around sales, the sales process and corporate largess in things from Corporate Social Responsibility (CSR) work to gifts, travel and entertainment to conferences for customers and end users. Through the use of such risked-based monitoring a compliance professional would have the opportunity see trends developing which could allow an intervention for a prescriptive solution which could prevent an issue from becoming a Foreign Corrupt Practices Act (FCPA) violation.
Yet Locwin cautioned that compliance professionals should guard against bias. In an article by Locwin, entitled “Be Careful When Appraising Industry Trends”, he stated, “Social media has rapidly accelerated the agility with which the public can change allegiance and direction. It used to be that when information dissemination was slower and more compartmentalized within regions and market segments, that the market resistance to fluctuation was more robust. Now well-placed advertising, social commentary, or public response to corporate missteps can swirl into a maelstrom of market changes within hours that is agnostic to region or market segment.”
In today’s world, the speed at which reputational damage reigns out can overwhelm a corporation’s ability to respond. Here one might consider Wells Fargo and how fast the situation spun out of control for them after its $185MM fine was announced. It is through the use of risk-based monitoring, which allows for this almost real-time input, that a response to a forecasted, assessed or even unassessed risk can be developed. In the compliance world, such tools could be brought to bear when considering not only the expense side of such areas as gifts, travel and entertainment but also sales side data. This could be internal company data on its own salesforce and also information developed from or concerning your third-party sales team.
In Locwin’s primary world of pharmaceutical testing and product development, the need for such real-time information can be more critical. Yet through the development of these techniques as compliance tools, the compliance profession can add value to an organization through the use of risk-based monitoring. With the plethora of data on where and how corruption is likely to occur, coupled with meaningful sales and expense data, the compliance professional should be able to move from detect to prevent to prescriptive compliance solutions to prevent legal violations.
Finally, the beauty of all these techniques articulated by Locwin is that they are tools that can make companies more efficient and, at the end of the day, more profitable. They also move compliance into the fabric and DNA of an organization or in the words of Hui Chen, the former DOJ Compliance Counsel, operationalize compliance. Her intonation to operationalize compliance speaks use of a wide variety of tools to input information so you can continuously improve your compliance program. Risk-based monitoring is certainly one mechanism to obtain information and feed it back into your compliance program in both the prevent and detect prongs.
Three Key Takeaways
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.
In this episode, I visit with Mike Skopets, from Miller & Chevalier on the firm’s Summer 2017 FCPA Report. We discuss the background to the Report and begin with what macro trends the firm identified. We discuss the numbers of resolutions, declinations and investigations and what they might demonstrate. We go into the Linde Gas and CDM Smith declinations with disgorgement and what these two superior decisions portend for the compliance practitioner. We consider the Kokesh decision by the US Supreme Court and what it may mean for not only FCPA enforcement but the compliance professionals decision making calculus for self-disclosure. It is a very interesting wrap up of the first six months of the FCPA world in 2017.
Miller & Chevalier’s Summer 2017 FCPA Report is available at no cost on the firm’s website. You can obtain a copy by clicking here.