FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Mar 23, 2017

This episode is dedicated to the Justice Department’s Evaluation of Corporate Compliance Programs, which was released in February. In this episode, Jay Rosen and Jonathan Armstrong provide further insight. Listen to last week’s Episode 8 for commentary from Matt Kelly and Mike Volkov.

  1. Jay Rosen, reporting from the ABA White Collar Conference in Miami, considers the view from the vendor perspective and whether the Evaluation changes the conversation about doing compliance. He reviews the requirements for ongoing monitoring, risk assessments and root cause analysis, and the need for companies to explain how something might have fallen through the cracks, leading to an FCPA incident. He points out how CCOs can test a company’s compliance systems.

For Jay Rosen’s post see, Still in the Enforcement Business and Evaluation of Corporate Compliance Programs

  2. Jonathan Armstrong provides a detailed analysis of some of the key differences between how compliance is operationalized in the US as opposed to the UK and EU countries. He explains how the enhanced requirements for root cause analysis, risk assessments and investigations, and the supplemented requirements to tie back into ongoing compliance monitoring and updating, could run afoul of UK and EU data protection and data privacy requirements. He also considers what a non-US company subject to the FCPA should look to as a best practices compliance program to best protect the organization. Finally, he explores just how far all of this goes, and provides one statistic that puts a huge bow on the difficulties going forward.

For the Cordery Compliance article see the following, US Department of Justice on Evaluation of Corporate Compliance : how does it compare to UK Bribery Act 2010?

For Mike Volkov’s posts on the Evaluation see the following:

  • Under the Dark of Night, DOJ Moves the Compliance Ball;
  • DOJ’s Compliance Program Evaluation: the Role of the CCO;
  • DOJ’s Compliance Program Evaluation: Risk Assessment, Policies and Procedures and Third-Party Risk Management; and
  • DOJ Compliance Expectations Concerning Training, Internal Investigations and Audits

For Tom Fox’s posts on these topics see the following:

  • New DOJ Evaluation-Valuable Document for the Compliance Practitioner, Part I; and
  • New DOJ Evaluation-Valuable Document for the Compliance Practitioner, Part II

For Matt Kelly’s posts see the following:

  • Fresh FCPA Guidance from the Justice Department; and
  • Deeper Dive into new DoJ Compliance Guidance

The members of the Everything Compliance panel include:

  • Jay Rosen – Vice President of Business Development and Monitoring Specialist at Affiliated Monitors. Rosen can be reached at JRosen@AffiliatedMonitors.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners around, Volkov is the Founder and Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance and former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com.
  • Jonathan Armstrong – Rounding out this distinguished panel is our UK colleague, a lawyer with Cordery Compliance in London. Armstrong can be reached at armstrong@corderycompliance.com.
Mar 22, 2017

From the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs: 

Autonomy and Resources

Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?  

Experience and Qualifications – Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?  

The DOJ’s stated position is that it does not concern itself with whether the CCO reports to the General Counsel (GC) or reports independently; it is more concerned with whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, without going through the GC first. Even if the answer is yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the Evaluation comes as close as any prior DOJ pronouncement to articulating a policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line-of-sight authority to the Board.

With the operationalization of compliance, the DOJ wants to know if the business units of a company are responsible for at least a part of compliance. Put in the manner of the Evaluation: is compliance operationalized within your organization? An interesting angle is the real problem for a CCO if compliance is not embedded into the business; that problem is that the CCO simply becomes a policeman, telling the business unit what it cannot do. Or, as I would say, being Dr. No from the Land of No.

Here are some questions you should consider in evaluating this prong. First and foremost, is the CCO a part of senior management or the C-Suite? Is the CCO part of the regular meetings of this group? Who can terminate the CCO: is it the CEO, the Audit Committee of the Board, or does CCO termination require approval of the entire Board? Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have the requisite independence.

Additional questions to consider are (a) who can overrule a decision by a CCO within an organization? and (b) who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Audit Committee of the Board or some other person or group?

An evolution in thinking by the DOJ is looking at turnover rates, as this is not something the DOJ has previously focused upon. For any company which simply lays off its entire compliance function and rolls it into the legal department: how do you think that would appear to the DOJ if it came knocking to investigate a potential FCPA violation?

Also to be considered is the compensation, both in salary and benefits paid to the CCO and compliance practitioners within an organization. In the FCPA Pilot Program, under Prong 3, Remediation, the DOJ said it would consider “How a company's compliance personnel are compensated and promoted compared to other employees”. This was carried forward in the Evaluation so you will need to consider benchmarked studies or other evidence of an appropriate level of pay for a corporate compliance function. 

Finally, what resources have been made available to the compliance function? This includes both the monetary budget for operationalization and head count. One might hope the days have long since passed when companies would come into the DOJ and plead that the compliance function ‘only’ had $100,000, $200,000 or you name the figure in resources, only to be met with the prosecutor’s question, “What was your annual spend on yellow sticky-note pads?” When the inevitable response was considerably more than the entire compliance budget, the prosecutor’s response was something along the lines of, “Which is more mission critical for complying with the law?”

Another evolution in the DOJ’s thinking was in experience and qualifications for the compliance function. In the Pilot Program, Prong 3 was the following, “The quality and experience of the compliance personnel such that they can understand and identify the transactions identified as posing a potential risk”. This has been broadened to “Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?” 

The Evaluation demonstrates the continued evolution in the DOJ’s thinking around the CCO position and the compliance function. Its articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ talks about CCO independence, coupled with the resources made available and the authority concomitant with the position, the more corporations will see it is directly in their interest to provide resources, authority and gravitas to the compliance position in their organizations.

Three Key Takeaways

  1. How can you show compliance really has a seat at the senior executive table?
  2. What are the professional qualifications of your CCO and compliance team?
  3. What are the resources made available to your compliance function? 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.


Mar 22, 2017

In this episode I visit with Susan Divers from LRN on the firm's 2016 Ethics and Compliance Program Effectiveness Report. Highlights include: why LRN did the report and what it hoped to determine; a summary of its key findings; why a focus on the structural elements of a compliance program is no longer sufficient; why a check-the-box analysis is not adequate for judging program effectiveness; and, finally, the new focus on ethical culture and behavior and why answering questions around “level of trust” is so critical. For a full copy of the report, you can download it here.


Mar 21, 2017

Prong 6, Training and Communication, of the Justice Department’s Evaluation of Corporate Compliance Programs reads, in part: 

Form/Content/Effectiveness of Training – Has the training been offered in the form and language appropriate for the intended audience? How has the company measured the effectiveness of the training? 

Most companies have not considered this issue, the effectiveness of their compliance training. I would suggest that you start at the beginning of an evaluation and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and company Board members have attended compliance training. You should review the documentation of attendance and confirm it. Make your department or group leaders accountable for the attendance of their direct reports, and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

One of the key goals of any compliance program is to train company employees in awareness and understanding of the law and of your specific company compliance program, and to create and foster a culture of compliance. In their book, “Foreign Corrupt Practices Act Compliance Guidebook: Protecting Your Organization from Bribery and Corruption”, Martin T. Biegelman and Daniel R. Biegelman provide some techniques which can be used to begin evaluating ethics and compliance training.

The authors encourage post-training measurement of employees who participated. A general assessment of those trained on the FCPA and your company’s compliance program is a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training: 

  1. What does the FCPA stand for?
  2. What is a facilitation payment and does the company allow such payments?
  3. How do you report compliance violations?
  4. What types of improper compliance conduct would require reporting?
  5. What is the name of your company’s Chief Compliance Officer? 

The authors set out other metrics which can be used in the post-training evaluation phase. They point to any increase in hotline use: are there more calls into the compliance department requesting assistance, or even asking questions about compliance? Is there any decrease in compliance violations or other acts of non-compliance?

What if you want to take your post-training analysis to a higher level and begin a more robust consideration of the effectiveness of compliance training through an analysis of return on investment (ROI)? Joel Smith, the founder of Inhouse Owl, a training services provider, advocates performing an assessment to determine ethics and compliance training ROI. By putting money and resources into training, a compliance professional can not only show the benefits of ethics and compliance training but also understand more about what employees are getting out of training (i.e., effectiveness). The goal is to create a measurable system that will identify the benefits of training, such as avoiding a non-compliance event like a violation of the FCPA. Smith admits that calculating compliance ROI is very difficult, as ethical and compliant behavior is an end goal in and of itself, and not necessarily one that everyone feels should be subject to an ROI calculation.

Smith noted, “it is extremely difficult to isolate the training effect to calculate what costs you avoided due solely to your ethics and compliance training. Although each organization will have a unique ROI measurement due to unique training objectives, it is possible to use a general formula to calculate ethics and compliance training ROI.” 

Smith’s model uses four factors to help determine the ROI for your ethics and compliance training: (1) Engagement, (2) Learning, (3) Application and Implementation, and (4) Business Impact. These four factors are worked through by posing the following questions.

  1. Figure out what you want to measure. Before you ever train an employee, you should have a goal in mind. What actions do you want employees to take? What risks do you want them to avoid? In the FCPA context, you want them to avoid unethical and non-compliant actions that would lead to FCPA violations. So your goal is to train employees to follow your Code of Conduct and your compliance program policies and procedures so you avoid liability related to those actions. Therefore the benefit to calculate for ROI purposes is the total amount saved by the company because employees now understand not to engage in unethical and non-compliant conduct around bribery and corruption.
  2. Were employees satisfied with the training? What is their engagement? The next step is to get a sense of whether employees feel that the training you provided is relevant and targeted to their job. If it is not targeted, employees will likely not be committed to changing risky behavior. Smith believes you can get data on employee engagement through a quick post-training survey. Although this factor does not produce a quantitative number to use in the ROI calculation, it will help you isolate and qualify the training benefit.
  3. Did employees actually learn anything? Smith believes that a critical part of any employee training is the assessment. If you want to understand the “benefit” of training employees, you must know whether they actually learned anything during training. You can collect this data in a number of ways, but for compliance training the best way is to measure pre- and post-training understanding over time. Basically, each time you train an employee, measure comprehension both before and after training.
  4. Are employees applying your training? Smith says that for this point you will need to conduct a survey to determine employee application and implementation of the training topics. To do so, you must conduct employee surveys to understand whether they ceased engaging in certain risky behaviors or, better yet, understand how to conduct themselves in certain risky situations. These surveys can provide a good sense of whether the training has been effective.
  5. What is the quantitative business impact of your training? At this point you are ready to determine the numerical business impact of your ethics and compliance training. Smith has an approach he calls the “Best Guess” approach. Smith believes there are two parts to the business impact calculation: (1) the benefit calculation and (2) the isolation calculation. Smith provided five questions he would pose.
  1. How often could a noncompliance event occur?
  2. How much revenue would be involved?
  3. What is the profit margin on the revenue?
  4. What are the other costs?
  5. What are the noncompliance hard costs? 

The next step is to isolate the benefits of training so that you properly attribute the ROI to the ethics and compliance training. To make this determination, you need to know at a minimum (1) whether employees understood the training and (2) whether employees are applying the training. This information must be compared with other factors, namely: (1) the effects of any other company initiatives involving anti-corruption, (2) employee attitudes regarding the topic and training, and (3) any business factors such as decreasing/increasing international revenue, macro-economic trends, etc. that may contribute to avoidance of a noncompliance event. From these calculations, you should then apply a percentage of the benefit to the training. Here Smith suggests 25%. 

  6. ROI: bringing it all together. Now it is time to calculate the ROI. Here I turn to the formula as laid out on Smith’s company website: “Total FCPA Noncompliance Costs Avoided - Total FCPA Training Program Costs ÷ Total FCPA Training Program Costs ($20,000) x 100 = ROI”. Smith concludes by noting, “Even though calculating training benefits is often difficult and imprecise, it’s incredibly important to make an attempt to quantify training ROI” to demonstrate not only effectiveness but also “so you can show business people the incredible effect that engaging training can have on the bottom line.”

The importance of determining effectiveness and the evaluation of your ethics and compliance program is now enshrined by the Department of Justice (DOJ) in its Evaluation. The Evaluation is the first formal step taken by the DOJ to demonstrate it wants to see the effectiveness of your compliance program. This is something that many Chief Compliance Officers (CCOs) and compliance professionals struggle to determine. Both the simple guidelines suggested and the more robust assessment and calculation laid out by Smith provide you with a start to fulfill the Evaluation but you will eventually need to demonstrate the effectiveness of your compliance training going forward.

Three Key Takeaways

  1. You must demonstrate that you have measured the effectiveness of your compliance training.
  2. The DOJ is clearly moving towards requiring a demonstration of the effectiveness of compliance training.
  3. You should be moving towards a model of demonstrating compliance training ROI to validate full operationalization of your compliance training.


Mar 21, 2017

In this inaugural episode of the FCPA Compliance Report-International Edition, I have Carlos Ayres, a partner in Maeda, Ayres and Sarubbi in Sao Paulo. We discuss an interesting development from the Odebrecht corruption scandal: federal prosecutors in Brazil and ten other countries recently announced they had agreed to cooperate in ongoing investigations surrounding the company. The Odebrecht case involved bribery and corruption allegations reaching multiple countries throughout the Americas. Now reports indicate that officials from Brazil, Argentina, Chile, Colombia, the Dominican Republic, Panama, Mexico, Peru and even the notoriously corrupt Venezuela, along with the European nation of Portugal, have agreed to “start a combined task force with bilateral and multilateral investigative teams to coordinate a probe” of the company. We also discuss recent reports which indicate companies in Brazil are taking this approach in response to the country’s more aggressive enforcement against endemic corruption in commercial businesses. This is partly in response to the allegations and investigations brought forward by Operation Car Wash and the attendant Odebrecht anti-corruption enforcement action. Jorge Abrahão, president of Brazil’s Ethos Institute, a corporate social responsibility organization, said, “We are witnessing a big change in Brazil—there is an understanding in society now that whoever doesn’t take the issues of corruption and transparency seriously will not have a place in the market in the future.”

For More Information on these topics see my blog posts:

  1. A South American Response to Corruption
  2. Companies now doing compliance in Brazil

Carlos Ayres can be reached via email at carlos.ayres@maedaayres.com.

Mar 20, 2017

The Justice Department Evaluation of Corporate Compliance Programs states the following around training:

Training and Communications

Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects?

I thought about the requirement for tailored training and how it leads to operationalizing your compliance program. Consider the current best practice for tailoring compliance training: a risk ranking of employee job duties or positions, usually done by someone from the corporate compliance function reviewing lists of employees and matching up their job duties, focusing on those involved in international operations with foreign government or state-owned enterprise touchpoints. Most usually it targets employees involved in sales.

However, this type of analysis does not fully tie the calculus of FCPA touchpoints to the full panoply of the prevent, detect and remediate mandates of an operationalized compliance program. There are innumerable employees in every corporation who could be employed in the detect prong and who are generally not engaged as part of the compliance backstop.

Typically, high-risk employees receive FCPA training annually. However, numerous studies have shown that more focused, indeed tailored, training can be more effective. Imagine the scenario where a high-risk employee is traveling to West Africa, booking the trip through the corporate travel portal. Unless the employee notifies compliance of this travel, it is highly unlikely the compliance department would know about it.

Now imagine a corporate system which could connect the dots: a high-risk employee, traveling to a high-risk country on a high-risk assignment. The current practice, in tech speak, is siloed hosting: each corporate function runs its own application, on its own server and possibly on a different version of the software, with no continuity between functions. Now envision a shared, Software as a Service (SaaS), platform where a company’s information is available through a single application, rather than diluted across many. A company running thousands of separate systems cannot aggregate information across the corporate base or extract knowledge from large data sets. A single platform allows large and, more importantly, disparate data to be constantly fed into one system where compliance can move more quickly and efficiently.

Now consider our high-risk employee, traveling to a high-risk country on a high-risk assignment. When they book the travel, compliance could read that information and deliver a tailored compliance training reminder. There need not be a referral to the compliance department, who might call and ask the employee where they are going, the business purpose, who they are meeting, etc. Communications and training would be delivered to the employee’s computer via email or another delivery mechanism. It could be as simple as a reminder about the FCPA, the company’s Code of Conduct and the anti-corruption compliance program’s position on facilitation payments. Yet it could be as sophisticated as RESIST training, which provides specific procedures to resist solicitation requests or even extortion demands by referencing the company’s anti-corruption policies, its policies on facilitation payments and even corporate policies for employees. You could even add a list of potential responses, such as an immediate response to the bribe solicitor and a reference to internal company reporting for assistance.

Of course, there would be an audit trail for all of this, which helps to satisfy the Document, Document, Document component of your compliance program. Never forget the Justice Department specifically mentioned compliance reminders as one of the seven reasons Morgan Stanley received a declination back in 2012. This means when the government comes knocking you will have evidence of tailored training delivered to employees. Finally, such training also operates as an internal control, which helps to meet the Accounting Provisions requirement of the FCPA.

Consider another way tailored training might be used for traveling high-risk employees: predictive analytics run in conjunction with the prior expense reports of both the employee and the region. At the personnel level, such analysis could help determine whether there were any issues around large expense reimbursements, or reimbursements showing a pattern of running up to just below the level at which preapproval is required. It could give the compliance practitioner a wide range of statistics with which to operationalize compliance by reviewing sales expenses for potential issues. Finally, in a continuous feedback loop, a prescriptive solution, the tailored training itself, could then be delivered to prevent an issue from rising to the level of an internal Code of Conduct violation or even an FCPA violation, further operationalizing compliance.
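As an added example (it is not code from this podcast, from Oversight Systems or from any vendor), the following Python sketches the two detection ideas above in rule form: a risk ranking joined against travel-portal bookings to trigger a tailored reminder and write an audit-trail entry, and a scan of expense claims for a pattern of amounts clustering just under the preapproval threshold. The employees, bookings, expense amounts, the country and role lists, the $500 threshold and the 10% band are all constructed, hypothetical values; a real program would take its risk ranking, country list and thresholds from its own risk assessment.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed reference data (hypothetical; a real program sources these from its risk assessment).
HIGH_RISK_ROLES = {"sales director", "business development manager", "agent liaison"}
HIGH_RISK_COUNTRIES = {"NG", "AO", "VE"}          # illustrative ISO codes only, not a real ranking
HIGH_RISK_PURPOSES = ("tender", "license", "customs", "ministry")
PREAPPROVAL_THRESHOLD = 500.0                      # hypothetical expense preapproval limit


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    govt_touchpoints: bool   # deals with foreign officials or state-owned enterprises


@dataclass(frozen=True)
class Booking:
    emp_id: str
    destination: str         # ISO country code as recorded by the travel portal
    purpose: str


@dataclass(frozen=True)
class Expense:
    emp_id: str
    amount: float


def rank_employees(employees):
    """Risk ranking: high-risk role or government/SOE touchpoints."""
    return {e.emp_id for e in employees if e.role in HIGH_RISK_ROLES or e.govt_touchpoints}


def training_triggers(employees, bookings, audit_log):
    """Join the risk ranking with travel bookings and pick a training module per trip.

    Every delivery is appended to audit_log so the 'Document, Document, Document'
    evidence exists without a manual referral to the compliance department.
    """
    high_risk = rank_employees(employees)
    triggers = []
    for b in bookings:
        if b.emp_id not in high_risk or b.destination not in HIGH_RISK_COUNTRIES:
            continue
        purpose = b.purpose.lower()
        # Official-facing trips get the fuller RESIST-style module; other trips a reminder.
        module = "RESIST" if any(p in purpose for p in HIGH_RISK_PURPOSES) else "facilitation-payments-reminder"
        triggers.append({"emp_id": b.emp_id, "destination": b.destination, "module": module})
        audit_log.append(f"TRAINING_DELIVERED emp={b.emp_id} dest={b.destination} module={module}")
    return triggers


def near_threshold_pattern(expenses, threshold=PREAPPROVAL_THRESHOLD, band=0.10, min_count=3):
    """Flag employees with min_count or more claims in the band just below threshold.

    Claims at or above the threshold already went through preapproval, so only the
    window [threshold * (1 - band), threshold) is counted.
    """
    floor = threshold * (1 - band)
    counts = defaultdict(int)
    for x in expenses:
        if floor <= x.amount < threshold:
            counts[x.emp_id] += 1
    return {emp: n for emp, n in counts.items() if n >= min_count}


# Constructed sample records.
EMPLOYEES = [
    Employee("E1", "sales director", True),
    Employee("E2", "field engineer", False),
    Employee("E3", "agent liaison", True),
]
BOOKINGS = [
    Booking("E1", "NG", "Ministry meeting on port tender"),
    Booking("E2", "NG", "Site maintenance"),          # not a high-risk employee
    Booking("E3", "AO", "Customer visit"),
    Booking("E1", "DE", "Conference"),                # not a high-risk country
]
EXPENSES = [
    Expense("E1", 480.0), Expense("E1", 495.0), Expense("E1", 470.0), Expense("E1", 120.0),
    Expense("E2", 460.0), Expense("E2", 470.0),
    Expense("E3", 499.0), Expense("E3", 200.0),
]


def run_demo():
    """Run both checks over the constructed records; returns (triggers, flagged, audit_log)."""
    audit_log = []
    triggers = training_triggers(EMPLOYEES, BOOKINGS, audit_log)
    flagged = near_threshold_pattern(EXPENSES)
    return triggers, flagged, audit_log


if __name__ == "__main__":
    triggers, flagged, audit_log = run_demo()
    for t in triggers:
        print("trigger:", t)
    print("near-threshold pattern:", flagged)
    print("audit trail:", *audit_log, sep="\n  ")
```

On the constructed data, E1's trip to NG produces a RESIST trigger, E3's trip to AO a facilitation-payments reminder, and E1 is the only employee with three claims in the $450 to $499.99 window. The band and minimum count are the knobs a practitioner tunes against the region's expense history; the audit-log line is what you would hand over when asked to evidence tailored training.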

Three Key Takeaways

  1. Training should begin with a risk ranking of employees.
  2. Tailored training focuses on the risk for each employee and their compliance needs.
  3. Using tailored training to operationalize compliance can provide continuous feedback. 


Mar 20, 2017

In this episode Kristy Grant-Hart, author of How to be a Wildly Successful Compliance Officer joins me to debate the merits of the ISO 37001 certification. I think the process is worse than useless while Kristy believes they are a step forward. 

For our additional written commentary on this issue, see Kristy's post The top five myths about ISO 37001 exposed.

For my views in opposition, see ENI Receives an ISO 37001 Certification and ENI CEO Charged with Corruption

Mar 17, 2017

In this episode, Jay and I have a wide-ranging discussion on the intersection of culture and ethics. We discuss: 

  1. German authorities raid the offices of VW’s investigation counsel, Jones Day, in Germany and what it may portend for FCPA investigations. See Tom’s article on the FCPA Blog.
  2. British cycling team scandal. See Tom’s article on the FCPA Blog.
  3. Uber, culture and corporate governance. See FT article, “Crisis inside the cult of Travis”.
  4. Venezuela begins to investigate PDVSA for corruption. See article in the Wall Street Journal.
  5. Federal Reserve seeks lifetime ban for JPMorgan bankers who ran the illegal ‘Sons and Daughters’ hiring program. See article in the FCPA Blog.
  6. Tom reveals an exciting new podcast, the Compliance Report-International Edition, which will premiere next week. The initial episode will feature Carlos Ayres on recent anti-corruption developments in Brazil and South America.
  7. Jay previews his weekend report.
  8. Tom reports on a talk about 3rd party ROI at the upcoming Third-Party Risk Management & Oversight Summit, on March 20 & 21 at the Princeton Club in New York City. Listeners to this podcast will receive a 15% discount off of the regular price of the event. To take advantage of this offer enter the Code CMP 161. For more information on the event, check out the website by clicking here

Jay Rosen’s new contact information:

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist


Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

Mar 17, 2017

Another way to operationalize compliance is to move oversight out into the regions. Such an approach can more effectively ensure employee and third party compliance with your Code of Conduct throughout an organization by integrating compliance into every aspect of a company’s functions and generating the information needed to continuously improve your compliance program. A regional compliance committee can operate on multiple planes to fully operationalize compliance in a company, augment existing internal controls and make the company a more efficient and profitable entity.

The formation of a regional compliance committee works to operationalize compliance through the creation of more direct ownership, accountability and valuable transparency for your compliance regime. This moves compliance down into all levels of the company’s operations. This approach also significantly improves the consistency of compliance execution and helps to ensure that all of a company’s business objectives are achieved in a legally compliant fashion. Such a regional compliance committee can advise and provide information and insights to the CCO, and receive information from the corporate compliance function regarding the compliance requirements, industry standards, Code of Conduct and corporate compliance program as they apply to the region. A regional compliance committee should not have primary responsibility for internal investigations, but it can report any known compliance issues up to the corporate compliance department.

A regional compliance committee is designed to promote clear and frequent compliance-related communication throughout the region and to strengthen the company’s compliance culture. It is valuable to the overall performance of the corporate compliance program within the region. It allows compliance topics to be discussed more thoroughly at regularly occurring operational meetings, and it has communication structures designed to facilitate communication both up and down the chain, giving the CCO a more direct set of ‘eyes and ears’ closer to the ground. Finally, a regional compliance committee gives the compliance function greater visibility within the organization, because compliance has been moved further into the middle and lower levels of the organization on a daily basis.

Authority and Responsibility

There are multiple delineated responsibilities for a regional compliance committee. Some of these responsibilities can include:

  • Assisting in identifying not only potential legal and compliance risks in the region but also reputational risks to your company.
  • Establishing goals and metrics to measure performance against these legal and compliance goals in the region.
  • Exercising oversight of the implementation and effectiveness of the company’s compliance program in the region, and making recommendations to the CCO and suggesting improvements to the compliance practices in the region.
  • Reviewing and monitoring implementation of your Code of Conduct in the region and assisting in the identification of best practices, alternative strategies and local initiatives to enhance the compliance program.
  • Assuring the CCO and the senior leaders of operations that compliance goals and requirements are both established and communicated across the region.
  • Advising management of its assessment of the corporate compliance program, ethics and compliance risks in the region and steps taken to both manage and lessen such risks.
  • Reviewing hotline complaints and other information to assure that appropriate steps are taken to modify the corporate compliance program to reduce identified ethics and compliance risks in the region.

The formation of a regional compliance committee operationalizes compliance into the region where the business operates. This sort of approach follows the Department of Justice mandate, articulated in the Evaluation, for companies to move the doing of compliance down into the business of the organization. The make-up of a regional compliance committee, while including legal and compliance representatives, also draws on representatives from other disciplines within the global organization. This allows a fuller, richer and more holistic approach to not only compliance advice but also reviews, consistent with the Evaluation’s mandate of shared commitment by other functional disciplines within an organization.

It also adds a dimension not discussed nearly as often in the compliance profession as it should be going forward. The accountability and oversight down to the regional level and the compliance monitoring, reviewing, assessing and recommending will provide additional endorsements up through the organization that it is doing compliance. In compliance, it is execution where the rubber meets the road. This is the functional definition of operationalizing compliance.  

Three Key Takeaways

  1. A regional compliance committee works to more fully operationalize compliance.
  2. A regional compliance committee, properly staffed, evidences the shared commitment to compliance as required under the Evaluation.
  3. A regional compliance committee is a two-way communications avenue, both inbound and outbound.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 16, 2017

The operationalization of your compliance program means how deeply compliance is integrated into the functioning of your company. Today, I want to consider another way to operationalize compliance: through the Compliance Oversight Committee.

The Compliance Oversight Committee sits between the CCO and the Board’s compliance committee. The role of this Compliance Oversight Committee is to provide oversight and review of high risk issues such as third party approvals and renewals, requests for payments from third parties and significant gift, travel and entertainment requests from employees. This committee’s oversight not only demonstrates a shared commitment to compliance, as required under the Justice Department’s Evaluation of Corporate Compliance Programs, but also fulfills the requirement for engaged senior management oversight as a part of a company’s management of risk.

As far back as January 2005, in the Deferred Prosecution Agreement (DPA) entered into between the Department of Justice (DOJ) and the Monsanto Company, it provided for “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or a Compliance Oversight Committee. The scope of this Compliance Oversight Committee was not fleshed out in the DPA. While many have focused on the Compliance Oversight Committee to monitor agents and other third party business representatives, the role of the Compliance Oversight Committee should be broader than simply the issues of third party agents and representatives. A major purpose of a Compliance Oversight Committee is to act as redundant backup to the books and records internal controls systems, designed to prevent and detect violations of a company’s compliance program.

It should be clear that the role of the Compliance Oversight Committee is not to substitute its judgment for that of the CCO but rather to provide another level of review to make sure nothing slips through the cracks which might expose the company to unwanted risk. This can begin with a clear, written charter that sets out the functionality, goals and parameters of the group. Moreover, the Compliance Oversight Committee should be reviewed on a periodic basis to determine its usefulness and effectiveness.

To this end, the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual (2016 ed.) suggests the following language in its proposed form of Compliance Committee Charter:

The compliance officer shall have ultimate responsibility for operating the compliance program, with the support and assistance of the compliance committee. The committee shall consist of ### members, representative of each major department or area. The committee may appoint ad hoc members, each to serve at the pleasure of the committee, to assist and advise the committee in carrying out this charter. While the ad hoc members of the committee are not entitled to vote on matters formally considered by the committee, the ad hoc members shall be entitled to call a meeting of the committee and, further, to have any matter included on the agenda of any meeting of the committee. The committee shall designate the proper manner for calling meetings and the setting of agendas thereto.

Who should be on an Oversight Committee?

The Monsanto DPA provides guidance on this point by stating, “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction.” This indicates that senior management should be involved in the Compliance Oversight Committee. It also indicates that more than one department should be represented on the Compliance Oversight Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments, IT, Finance and Business Unit Operations. The bottom line is that the CCO should chair a committee of peers/senior level officers who are in a position to make decisions and marshal resources.

What Should the Oversight Committee Review?

There are a variety of approaches that a Compliance Oversight Committee can assume. It can dive down deeply ‘into the weeds’ for transactions which the company has identified as high risk. This can be the review of agents or other representatives in high risk areas or transactions in high risk countries. The Compliance Oversight Committee can use techniques such as continuous controls monitoring to identify any outliers of payments or other indicia of financial information which would warrant additional investigations. In addition to this remedial review, the Compliance Oversight Committee should review all payments requested by agents and representatives to assure such payment is within the company guidelines and is warranted by the contractual relationship with the company. Lastly, the Compliance Oversight Committee should review company sales or business development requests to provide compensation and, as appropriate, reimbursement for gifts, travel and entertainment of foreign governmental officials. 

The oversight of Foreign Business Partners is one of the key mechanisms that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the Foreign Corrupt Practices Act (FCPA). The proper structure of the Compliance Oversight Committee and its full engagement with all aspects of a company’s relationship with a Foreign Business Partner is one of the areas that the DOJ will look for in a successful FCPA compliance program.

However, it is incumbent on each company that its Compliance Oversight Committee be designed to review the highest risks to the organization. If your company’s highest compliance risk is third party relationships, you should focus your compliance committee resources on that issue. My recommendation is that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with any third party. While this would necessarily focus mostly on FCPA compliance, there should also be a commercial component to this function. The Compliance Oversight Committee should therefore review all documents relevant to the five-step lifecycle management of third parties.

Conclusion

The Compliance Oversight Committee is a key tool which can be utilized by a company to manage its risks. The books and records component of internal controls is one level of prevention and detection. The review by a Compliance Department of requests for travel, gifts and entertainment for foreign governmental officials, and of the lifecycle management of third parties, is also an important step in the prevention process. However, the Compliance Oversight Committee is another step which operationalizes compliance and should be employed by companies as an additional protection against any type of compliance and ethics violation slipping through the cracks to become a much larger problem down the road. Companies should implement a Compliance Oversight Committee and review the systems they have in place to detect risky conduct.

Three Key Takeaways

  1. The Justice Department has long suggested an approach of operationalizing compliance through greater senior management oversight.
  2. A Compliance Oversight Committee allows for an increased set of eyeballs on your highest compliance risks.
  3. A Compliance Oversight Committee acts as another control mechanism for a best practices compliance program.


Mar 16, 2017

This episode is dedicated to the Justice Department’s Evaluation of Corporate Compliance Programs, which was released in February. In this episode, Matt Kelly and Mike Volkov provide their insights. Next week will be views from Jay Rosen and Jonathan Armstrong.

  1. Matt Kelly opens by considering the Evaluation as a continuation in a series of pronouncements around ‘operationalizing’ your compliance program. He discusses whether this approach is consistent with or different from the regulatory requirements of SEC FCPA enforcement, and how this document would intersect with SEC ‘regulatory enforcement’ of the FCPA. Finally, he considers whether the Evaluation ties in at all to a control environment under either the COSO 2013 Framework or the COSO ERM framework.

For Matt Kelly’s posts see the following:

  • Fresh FCPA Guidance from the Justice Department; and
  • Deeper Dive into new DoJ Compliance Guidance

  2. Mike Volkov discusses why the Evaluation was issued literally in the dead of night and why the DOJ would issue such a significant document with no publicity. He discusses how this might play out during an ongoing FCPA investigation, in outside counsel’s interactions with the DOJ and under the Yates Memo. He considers whether the Evaluation draws anything from the Yates Memo or whether they are really apples and oranges, and whether the Evaluation builds upon the 2012 FCPA Guidance or supplements it.

For Mike Volkov’s posts on the Evaluation see the following:

  • Under the Dark of Night, DOJ Moves the Compliance Ball;
  • DOJ’s Compliance Program Evaluation: the Role of the CCO;
  • DOJ’s Compliance Program Evaluation: Risk Assessment, Policies and Procedures and Third-Party Risk Management; and
  • DOJ Compliance Expectations Concerning Training, Internal Investigations and Audits

For Tom Fox’s posts on these topics see the following:

  • New DOJ Evaluation-Valuable Document for the Compliance Practitioner, Part I; and
  • New DOJ Evaluation-Valuable Document for the Compliance Practitioner, Part II

For Jay Rosen’s post see, Still in the Enforcement Business and Evaluation of Corporate Compliance Programs 

The members of the Everything Compliance panel include:

  • Jay Rosen – Vice President of Business Development and Monitoring Specialist at Affiliated Monitors. Rosen can be reached at JRosen@AffiliatedMonitors.com.
  • Mike Volkov – One of the top FCPA commentators and practitioners around, Volkov is the Founder and Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance and former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com.
  • Jonathan Armstrong – Rounding out this distinguished panel is our UK colleague, a lawyer with Cordery Compliance in London. Armstrong can be reached at armstrong@corderycompliance.com.

Mar 15, 2017

Today I want to explore in some detail the first Objective in the COSO 2013 Framework, the Control Environment, as a path to operationalize your compliance program. This Objective lays out five steps you can take to put the responsibility on functional corporate disciplines to imbue compliance into the fabric of an organization.

A. Control Environment

Rittenberg said this “sets the tone for the implementation and operation of all other components of internal control. It starts with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees.” The five principles of the Control Environment Objective are as follows:

Principle 1 - The organization demonstrates a commitment to integrity and ethical values.

Principle 2 - The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

Principle 3 - Management establishes with board oversight, structures, reporting lines and appropriate authorizations and responsibility in pursuit of the objectives.

Principle 4 - The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.

Principle 5 - The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

Principle 1 - Commitment to integrity and ethical values 

What are the characteristics of this Principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or other baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they must be addressed by the company in a timely manner. This requires an auditor to be able to assess whether a company has met its commitment to ethics and compliance and whether that commitment can be effectively measured and assessed.

Principle 2 - Board independence and oversight 

This Principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management, so that it operates independently in the compliance arena. There should be compliance expertise at the Board level which allows it to actively manage this function. Finally, and perhaps most importantly, a Board must actively provide oversight of all compliance control activities, risk assessments, information, compliance communications and compliance monitoring activities. Here, the Board’s Compliance Committee must demonstrate independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.

Principle 3 - Structures, reporting lines, authority and responsibility 

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this Principle, you should consider all of the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this Principle requires establishment of the appropriate authority within the compliance function. You must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

Principle 4 - Attracting, developing and retaining competent individuals 

This Principle gets into the nuts and bolts of operationalizing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures, and any demonstrated shortcomings must be addressed. This Principle then turns to the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. You must be able to demonstrate, through compliance policies and their implementation and operationalization, a commitment to attracting, developing and retaining competent persons in the compliance function and, more generally, employees who accept the company’s general principle of doing business ethically and in compliance.

Principle 5 - Individuals held accountable 

This is the ‘stick’ Principle. A company must show that it enforces compliance accountability through its compliance structures, authorizations and responsibilities. A company must establish appropriate compliance performance metrics and incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly, a company must also consider the pressures it creates through off-message communications. Finally, each employee must be evaluated on his or her compliance performance, coupled with both rewards and discipline for employee actions around compliance. This Principle requires evidence that can demonstrate to an auditor that there are processes in place to hold employees accountable for their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

The COSO formulation for internal controls is a key component of any best practices compliance program, whether based upon a FCPA formulation or another anti-corruption law, such as the UK Bribery Act. Moreover, as it is probably the most utilized internal controls formulation under Sarbanes-Oxley 404(b) reporting, it should be well-known to your corporate internal controls function and therefore accessible to you as a Chief Compliance Officer (CCO) or compliance professional. In addition to the Principles articulated herein, the specific Points of Focus listed in the COSO 2013 Framework can provide a roadmap for testing and evidencing your compliance program in this area. You should not fail to take advantage of it.

Three Key Takeaways

  1. The COSO 2013 Framework sets out a structure which the compliance practitioner can use to put compliance into the fabric of an organization.
  2. For any public company, using the COSO Framework will allow a full response to any SOX 404(b) inquiry by regulators or auditors.
  3. The Control Environment Objective allows for not only implementation of controls but also requires individual accountability, as is set out in the Justice Department Evaluation of Corporate Compliance Programs. 


Mar 15, 2017

In this episode, Matt Kelly and I take a deep dive into a dramatic 48 hours in the life of the FCPA last week, which portends the trend of continued FCPA enforcement. It included the announcement by Kevin Blanco, acting assistant attorney general for the Criminal Division, speaking at the American Bar Association’s annual white collar crime conference, of the extension of the FCPA Pilot Program; the retort by Secretary of State Rex Tillerson to President Trump on the power of the FCPA for US companies doing business overseas; and the Justice Department brief and oral argument in the Hoskins appeal, where the DOJ continued to press for an expansive view of FCPA jurisdiction as originally preferred by the Obama DOJ. Finally, we discuss the summary dismissal of all US attorneys by the Trump administration, and Matt proffers an interesting theory on why Preet Bharara was fired.

For more reading, see Matt’s piece on RadicalCompliance.com entitled “FCPA: Pilot Program Extended, and Much More”.

Mar 14, 2017

Under the Prong entitled “Policies and Procedures”, under the subheading Operational Integration, the Evaluation states:

Payment Systems – How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

While one of the basic Watergate maxims, Follow The Money, has always been appropriate in any FCPA investigation, the Evaluation takes payment systems and their internal controls several steps further, past the detection and even investigatory precepts. There is not a separate set of “compliance internal controls” but rather internal controls permeating an organization, which is what creates their effectiveness. Today, we examine what effective compliance internal controls are and how the payroll function can assist in fulfilling those requirements.

What are internal controls? 

What are internal controls in a FCPA compliance program? The starting point is the law itself, which requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences …

The Department of Justice and SEC, in their 2012 FCPA Guidance, state, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

The FCPA Guidance specifies that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an organization’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences. After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk. 

Global Payroll Internal Controls 

Max van der Klis-Busink, in his Global Payroll Management Institute’s three-part series, entitled “Take Charge With a Global Payroll Control Framework”, laid out how to design, implement and then improve internal controls around global payroll. His article details how one can operationalize your payroll controls to answer the questions posed in the Evaluation.

There are several specific internal payroll controls which will facilitate operationalizing your compliance program, as required under the Evaluation. These controls help keep an eye on the money trail, as the money to pay a bribe is usually hidden in some company expenditure. The four general areas of payroll control should include: (1) segregation of duties; (2) accountability, authorization and approval; (3) security of assets; and (4) review and reconciliation.

To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid: 

  • Audit. Have either internal or external auditors conduct an annual audit of payroll accuracy.
  • Change authorizations. Only allow a change to an employee’s marital status, withholding allowances or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a more senior manager.
  • Change tracking log. If you are processing payroll in-house with a computerized payroll module, have secure change tracking that provides an audit trail.
  • Expense trend lines. This is your data and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.
  • Issue payment report to supervisors. Request that supervisors review payroll summaries for correct payment amounts and unfamiliar names.
  • Restrict access to records. Prevent unauthorized access to payroll records.
  • Segregation of duties. You should never allow one person to prepare the payroll, authorize it and create payments.
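Three of the payroll controls above (segregation of duties, change authorizations and expense trend lines) turned into detection logic over constructed sample records. This is an added example, not code from this post or from the Global Payroll Management Institute series it cites; the record fields, the reporting chain and the 15% trend tolerance are this example’s own assumptions.

```python
"""Payroll control checks over constructed payroll records.

Added example, not code from the original post or from the Global
Payroll Management Institute series it cites. It turns three of the
controls listed above into detection logic: segregation of duties,
change authorizations and expense trend lines. Every record below is
constructed sample data and every field name is this example's own.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class PayrollRun:
    period: str
    prepared_by: str     # who assembled the payroll
    authorized_by: str   # who approved it for payment
    paid_by: str         # who released the payments
    total: float         # gross payroll for the period


@dataclass(frozen=True)
class MasterDataChange:
    change_id: str
    employee: str         # whose record (deductions, allowances, ...) changed
    field_changed: str
    signed_request: bool  # employee submitted a written, signed request
    approved_by: str      # manager who approved; "" means nobody did


def sod_violations(runs):
    """Segregation of duties: flag any run where one person held two or
    more of the three duties (prepare, authorize, pay). This is stricter
    than the control's wording, which names one person doing all three,
    but any overlap removes a pair of eyes from the money trail."""
    return [r.period for r in runs
            if len({r.prepared_by, r.authorized_by, r.paid_by}) < 3]


def is_senior_to(approver, employee, reports_to):
    """True if approver sits above employee in the reporting chain.
    reports_to maps each person to their direct manager (assumed structure)."""
    boss = reports_to.get(employee)
    while boss is not None:
        if boss == approver:
            return True
        boss = reports_to.get(boss)
    return False


def unauthorized_changes(changes, reports_to):
    """Change authorizations: every master-data change needs a signed
    request from the employee and approval by a manager above them."""
    findings = []
    for c in changes:
        if not c.signed_request:
            findings.append((c.change_id, "no signed request"))
        elif not c.approved_by:
            findings.append((c.change_id, "no manager approval"))
        elif not is_senior_to(c.approved_by, c.employee, reports_to):
            findings.append((c.change_id, "approver not senior to employee"))
    return findings


def trend_outliers(runs, window=3, tolerance=0.15):
    """Expense trend lines: flag a period whose total departs from the
    mean of the preceding `window` periods by more than `tolerance`.
    The first `window` periods only serve as a baseline."""
    flagged = []
    for i in range(window, len(runs)):
        baseline = mean(r.total for r in runs[i - window:i])
        change = (runs[i].total - baseline) / baseline
        if abs(change) > tolerance:
            flagged.append((runs[i].period, round(change, 3)))
    return flagged


# --- constructed sample data (not real payroll figures) ---------------------
REPORTS_TO = {"dana": "erin", "erin": "frank", "gus": "erin"}  # person -> manager

RUNS = [
    PayrollRun("2017-01", "dana", "erin", "frank", 410_000.0),
    PayrollRun("2017-02", "dana", "erin", "frank", 412_500.0),
    PayrollRun("2017-03", "dana", "erin", "frank", 409_800.0),
    PayrollRun("2017-04", "dana", "dana", "frank", 411_200.0),  # dana prepared and authorized
    PayrollRun("2017-05", "dana", "erin", "frank", 498_000.0),  # unexplained jump of about 21%
    PayrollRun("2017-06", "dana", "erin", "frank", 413_000.0),
]

CHANGES = [
    MasterDataChange("C-1", "dana", "deductions", True, "erin"),  # properly authorized
    MasterDataChange("C-2", "gus", "deductions", False, "erin"),  # no signed request
    MasterDataChange("C-3", "dana", "allowances", True, ""),      # nobody approved
    MasterDataChange("C-4", "erin", "allowances", True, "gus"),   # approver is erin's report
]


def run_all_checks(runs=RUNS, changes=CHANGES, reports_to=REPORTS_TO):
    """Collect the findings a payroll control review would hand to the CCO."""
    return {
        "sod": sod_violations(runs),
        "changes": unauthorized_changes(changes, reports_to),
        "trend": trend_outliers(runs),
    }


if __name__ == "__main__":
    for control, findings in run_all_checks().items():
        print(f"{control}: {findings}")
```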

The role of global payroll in FCPA compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes in violation of the FCPA must come from somewhere. Unfortunately, one of those places is payroll. Every Chief Compliance Officer needs to sit down with his or her head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate the goals of compliance. From that review you can then determine how to use payroll to help operationalize your compliance program.

Three Key Takeaways

  1. The Evaluation focuses your preventive prong on payroll, supplementing the prior focus on detection controls.
  2. You still need internal controls around payroll to ‘follow the money’.
  3. Do not forget to upgrade and update payroll controls.


Mar 13, 2017

If there is one over-riding theme from the recently released Evaluation of Corporate Compliance Programs, it is that a corporate compliance program must be operationalized. Indeed, that is the theme of this month’s series of podcasts. Another way to think about operationalization is the connectedness of compliance throughout an organization. An article from the Harvard Business Review (HBR), entitled “How Smart, Connected Products are Transforming Companies”, by Michael E. Porter and James E. Heppelmann, focused on these new products. It provided some interesting insights into the interconnectedness of processes and structures which apply to the compliance practitioner going forward. I call it “connected compliance.” It provides another mechanism for you to consider in operationalizing your compliance program.

Process in Connected Compliance

Processes are being reshaped by the data which is now available and more “intense coordination among [corporate] functions is now required.” Regarding structures, the authors believe, “new forms of cross-functional collaboration and entirely new functions are emerging.”

Obviously compliance is a business process. Yet it should also be a continuous process. The data from a wide variety of sources should be used to track the types of risk that compliance professionals must manage. This begins with third parties. Continuous monitoring of third party watch lists seems almost pedestrian now, yet many companies do not understand that they have a continuing obligation to know who they are doing business with, even after the contract is signed. Put simply, due diligence once every two years is a recipe for trouble. But this type of information should not be limited to third parties in your sales business. You should also consider your exposure from your customers.

However, what if a large part of your company is exposed to the financial risk of a corrupt company slowing down its business? If you are in the auto supply business or even the software industry, have you considered how much of your business is at risk through your relationship with a company like Volkswagen (VW)? Most Foreign Corrupt Practices Act (FCPA) risk analysis considers corruption risks involving third parties in the sales arena or vendors that come in through the Supply Chain; now, based upon VW, Petrobras or any other scandal you care to name, you may need to know the corruption propensity of your customers as well.

Finally, connected compliance will help make people, materials, energy, plant and equipment far more productive, and the repercussions for business processes will be felt throughout the economy. The authors state, “We will see a whole new era of “lean.” Data flowing to and from products will allow product use and activities across the value chain to be streamlined in countless new ways.” For the compliance practitioner, waste will be cut or eliminated. Connected compliance will also allow a compliance solution to be delivered when certain thresholds are met, rather than according to a schedule. New data analytics will lead to previously unattainable efficiency improvements and allow you to do more business in compliance going forward.

Structures in Connected Compliance 

Just as processes have evolved in connected compliance, so do structures. The classical organizational approach combines "two basic elements: differentiation and integration. Dissimilar tasks, such as sales and engineering, need to be 'differentiated,' or organized into distinct units. At the same time, the activities of those separate units need to be 'integrated' to coordinate and align them." Connected compliance will have a major impact on both differentiation and integration in your company going forward.


This structural change means that compliance will be integrated into diverse functional units of the company such as manufacturing, logistics and supply chain, sales and finance. This integration across functional units will occur through the business unit leadership team and through the design of formal processes for connected compliance in which multiple units have roles.

This sounds very much like operationalizing compliance, exactly as specified by the DOJ in the Evaluation document. However, connected compliance gives you the means and methods to think through how to accomplish this goal. You will have to coordinate between and across multiple functions within your organization. It will require the critical function of not only data management but also data analysis. What does it all mean?

Such an approach will require "dedicated data groups that consolidate data collection, aggregation, and analytics, and are responsible for making data and insights available across functions and business units." Once again the compliance function is uniquely situated to be at the fulcrum of this connectedness. More importantly, you already have this information inside your organization; most usually, however, the compliance function does not have visibility into the data. Compliance must find the tools and processes to cut through the siloed nature of corporate information.

It is through connected compliance that all groups within a company will become responsible for compliance. The integration of this data into compliance is still viewed as cutting edge; nonetheless companies have this data, structured within their own ERP systems. Connected compliance will allow senior management to view information to make the business more efficient and allow a company to take more risk because the risks will be managed more effectively. 

Three Key Takeaways

  1. Connected compliance is the inter-relatedness and interconnectedness of compliance processes and structures.
  2. Compliance should be ongoing and a continuous process.
  3. Compliance must use data analytics tools to cut through the siloed nature of corporate data.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Mar 13, 2017

In this episode, I have back John Champion, one-half of the podcast duo going through every Star Trek TV episode and movie at missionlogpodcast.com. Today, I visit with John on his reflections on the 50th anniversary of Star Trek, what Star Trek was like both with and post Gene Roddenberry, our differences over the TNG episode Relics and John's upcoming conference appearance. Check out John and his partner Ken Ray each week at missionlogpodcast.com.

Mar 12, 2017

In this episode, I visit with Morrison & Foerster partner James Koukios on the firm's publication "Top Ten International Anti-Corruption Developments for January 2017."


Mar 10, 2017

In this episode, Jay Rosen reports live from the ABA White Collar Conference at the Fontainebleau Hotel in Miami. In addition to providing his insights on the highlights of the conference and the buzz around the new Justice Department Evaluation of Corporate Compliance Programs document released in February, we discuss:

  1. Adam Davidson's piece in the New Yorker Magazine entitled "Donald Trump's Worst Deal," which looks at a Trump Organization transaction in Azerbaijan that raises both FCPA and sanctions issues.
  2. The newly revamped Justice Department Fraud Section website.
  3. The rollout of the International Association of Independent Certified Monitors' (IAICM) new website.
  4. A review of the week's FCPA-related issues.
  5. A deep dive into the blockbuster trade announced between the Houston Texans and Cleveland Browns, where the Texans sent their starting QB and a second round pick to the Browns for a fourth round pick in return (who says Texans are not great horse-traders!).
  6. Jay previews his weekend report.
  7. Tom reports on a talk about 3rd party ROI at the upcoming Third-Party Risk Management & Oversight Summit, on March 20 & 21 at the Princeton Club in New York City. Listeners to this podcast will receive a 15% discount off of the regular price of the event. To take advantage of this offer, enter the code CMP 161. For more information on the event, check out the event website.

Jay Rosen's new contact information:

Jay Rosen, CCEP

Vice President, Business Development

Monitoring Specialist 

Affiliated Monitors, Inc.

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

Mar 10, 2017

Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important, key step, as it will allow you to have full visibility of your compliance risks over a longer life cycle. Forecasting allows you to consider your business strategy and wed it to the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor the compliance risks you know and detect those you do not, on an ongoing basis.

I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment, as it is articulated as Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. In the FCPA Guidance, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) said, "Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company's compliance program." In addition to this business case, the FCPA Guidance also specified the enforcement reasons for performing a risk assessment: "DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area." The DOJ Evaluation of Corporate Compliance Programs builds on this.

Yet as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not simply as a legal prophylactic but as a business process. Seen in this light, it is clear the risk management process should begin with forecasting, as it attempts to estimate future aspects of your business. Locwin noted that being able to say with some degree of authority, "We think the following will happen in the next three months, six months, twelve months, twenty-four months," is "really something that the businesses try to wrap their heads around in such a way that they can shunt resources where they think is appropriate in order to meet these future demands."

By starting with forecasting, a compliance function then utilizes risk assessment to consider issues which forecasting did not predict, or issues which the forecasting model raised as a potential outcome warranting a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that the company could use to ameliorate those risks.

Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Locwin said, “Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.” 

All of these three tools tie back into process management and process improvement. Locwin stated, “There’s always this balance between what’s actually important for our business or for proper execution, versus what’s actually going on in the whole process. If you’re not measuring at a high enough resolution, you’re not capturing a lot of the environmental, market force, external factors that probably are of high leverage to your operations in business that you just don’t know about.” 

Locwin tied them together with the following example: "There's a 30% chance of this abject market failure happening, this product fails, this restaurant site contaminates people, this product doesn't ship before Christmas, this phone explodes. If you knew that in advance, the executive committee probably almost everywhere would say, 'We have to act, and act now.' That's where the rubber meets the road and you've got to forecast and have a contingency in place. A lot of times, there isn't that level of forecasting done in advance to say, 'We think there's this 30% chance of it occurring, therefore not only do we need a strong contingency plan, but we should expect to have to use it in Quarter 2. It's right there sitting on everybody's dashboard all the time.'"

In other words, it comes down to execution. This means you have to use the risk management tools available to you and, when a situation arises, remediate when required. This is not only where the rubber hits the road; the information and data you garner in the execution phase should also be fed back into the process loop. From this, you will develop continuous feedback and continuous improvement.

I have gone through this in some detail to emphasize the business process nature of compliance as it has evolved into a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and, at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center.

Three Key Takeaways

  1. The risk management process is an important backbone of operationalizing compliance.
  2. You should be able to monitor and measure both known and unknown risks.
  3. All of these steps help a business to run more efficiently and more profitably. 


Mar 9, 2017

I continue my discussion of operationalizing your compliance program through the risk management process by considering risk-based monitoring. This series is based upon interviews with Ben Locwin, Director of Global R&D at Biogen and an operational strategist in pharma and healthcare, exploring risk forecasting, risk assessment and risk monitoring for the compliance profession.

Locwin said, "Risk-based monitoring is really about continuous, ongoing monitoring for those things which provide the most potential future risk to you. In other words, instead of a static risk registry that may come in part with forecasting, where you would say, 'We're trying to anticipate these risks,' by using risk-based monitoring to review issues on an ongoing basis, the models that are behind the risk-based modeling, risk-based monitoring models, they're continuously refined based on incoming data."

The problem for many companies is that they are siloed not only in their data but also in their systems. Locwin explained that because of the disparity of data systems, "They may not be tracking rigorous, quantified information all the time." He cited an example from the pharmaceutical world where a company could well have 50 worldwide sites at which a drug product is being tested. Some patients receive a placebo and some receive the medication being tested. As data comes in, you begin to note patterns in certain patients and groups, which might actually point towards a variety of testing errors by the physicians administering the test.

Through the use of risk-based monitoring, you can begin to see things in "almost real-time, time-based trends of real data that you can then jump on and try to make adjustments before things get really wacky." What are the implications for the compliance practitioner? Consider having access to information around sales, the sales process and corporate largess, from Corporate Social Responsibility (CSR) work to gifts, travel and entertainment to conferences for customers and end users. Through such risk-based monitoring a compliance professional would have the opportunity to see trends developing, allowing an intervention and a prescriptive solution that could prevent an issue from becoming a Foreign Corrupt Practices Act (FCPA) violation.

Yet Locwin cautioned that compliance professionals should guard against bias. In an article entitled "Be Careful When Appraising Industry Trends," he stated, "Social media has rapidly accelerated the agility with which the public can change allegiance and direction. It used to be that when information dissemination was slower and more compartmentalized within regions and market segments, that the market resistance to fluctuation was more robust. Now well-placed advertising, social commentary, or public response to corporate missteps can swirl into a maelstrom of market changes within hours that is agnostic to region or market segment."

In today's world, the speed at which reputational damage spreads can overwhelm a corporation's ability to respond. Here one might consider Wells Fargo and how fast the situation spun out of control after its $185MM fine was announced. It is through risk-based monitoring, which allows for this almost real-time input, that a response to a forecasted, assessed or even unassessed risk can be developed. In the compliance world, such tools could be brought to bear not only on the expense side, in areas such as gifts, travel and entertainment, but also on sales side data. This could be internal company data on its own salesforce as well as information developed from or concerning your third-party sales team.

In Locwin's primary world of pharmaceutical testing and product development, the need for such real-time information can be even more critical. Yet by developing these techniques as compliance tools, the compliance profession can add value to an organization through risk-based monitoring. With the plethora of data on where and how corruption is likely to occur, coupled with meaningful sales and expense data, the compliance professional should be able to move from detection to prevention to prescriptive compliance solutions that head off legal violations.

Finally, the beauty of all these techniques is that they are tools that can make companies more efficient and, at the end of the day, more profitable. They also move compliance into the fabric and DNA of an organization or, in the terminology of the Department of Justice (DOJ) Evaluation of Corporate Compliance Programs, operationalize compliance. The DOJ has made clear what it expects around the risk management process. You need to develop your response now.

Three Key Takeaways

  1. Risk-based monitoring follows on from forecasting and risk assessments in the risk management process.
  2. Risk-based monitoring can provide real-time feedback and input from your operationalized compliance program.
  3. Use risk-based monitoring to cut through corporate silos.


Mar 9, 2017

In this episode, I visit with New Yorker reporter Adam Davidson, who penned an article in the New Yorker looking at a hotel deal between the Trump Organization and a family of Politically Exposed Persons (PEPs) in Azerbaijan. Davidson talks about what intrigued him about the story, his reporting and, most troubling, the PEPs' alleged ties to funding from the Iranian Revolutionary Guard. It is a cautionary tale about major construction projects in countries with a high perception of corruption, the need to understand who your business partners are and the source of their funding. The article is "Donald Trump's Worst Deal."

Mar 8, 2017

The DOJ Evaluation of Corporate Compliance Programs states:

  • Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced?
  • Information Gathering and Analysis – What information or metrics has the company collected and used to help detect the type of misconduct in question? How has the information or metrics informed the company’s compliance program?

I continue my exploration of the risk management process by focusing today on risk assessments. One cannot really say enough about the role of the risk assessment in compliance programs. Each time you hear a regulator talk about compliance programs, it starts along the lines of: you cannot manage your FCPA risk without first determining what your company's risk is, and the process you should utilize to determine that compliance risk is a risk assessment.

We previously considered forecasting. The difference between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict, or those things which the forecasting models raised as potential outcomes that could be troubling, critical themes and issues. As Ben Locwin has explained, "What you're trying to do then is decide on how you would address these. Risk assessments should create your risk registry. Those items which are most consequential for your organization, whatever it happens to be."

Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violating the law out in the marketplace. For instance, in a compliance forecast, third-party risk should be at the top of your ordinal list of risks, and you should consider a multitude of factors such as operating procedures, processes and systems, and training. Of course, the execution of that process is a critical component as well.

All these things, to some degree, should appear in a risk assessment for the organization. Meaning, at the corporate level, what happens if you change products or sell into a new geographic area which is perceived to be higher-risk? There should be a risk assessment node with a component that notes these changes so that you can adapt as necessary. Locwin stated, "The risk assessment itself is designed to be able to elevate these, and if something does happen, the next step would be to take appropriate course of action to address any of those risks."

Here is an example which illustrates the differences between forecasting and a risk assessment, yet how the two are complementary. This winter, when I began purchasing hot coffee products from Starbucks, as opposed to the cold drinks I buy during the hotter parts of the year, I discovered that baristas no longer put sleeves on coffee cups but now require you to ask for one. The second time I had to ask for a sleeve, I inquired of the barista why I had to do so. She replied that corporate had changed the policy for environmental reasons and that she could only provide a sleeve at the specific request of the customer. When I pointed out that it slowed the line down and was much less efficient in the delivery of Starbucks' coffee, she replied, "You're absolutely right. I hate it. Would you please email Starbucks and tell them of your dissatisfaction?"

I will let Locwin pick it up from here: "What you've put your finger on is the crux of the balance of forecasting versus risk assessment. They're two very different things, but at the same time, as they weave through time, they interchange. For example, Starbucks would potentially say, 'We forecast that consumers are going to be more concerned about paper use, sleeves, the economic costs to the world, of extra paper waste and things. We're going to, in certain locations, let's say across Texas, we're going to pilot that we don't give out sleeves unless they're asked for.' In their risk assessment, which I can tell you didn't change from that forecast, what they then should have had was a commensurate line item which said, 'If consumers start to have a problem with what's being done at these locations, our immediate contingency plan is to do the following: to strip it away immediately, full stop, so that every cup gets a sleeve, so that they're not slowing down lines, consumers say you heard us immediately, and then the organization is back on track.'

"Their forecast plans something, the risk assessment should have had countermeasures to address, and instead if they didn't have this in place, they're going to have to wait until they start to have a Twitter feed that blows up… The risk assessment model should say, 'Then we will do the following.' Really they don't have the capability in a lot of cases to measure the effect of this and immediately course correct. It's probably going to be a month, two months, four months before they start to get wind of this in a consistent way to say, 'Texas was dissatisfied by this change and same in our pilot in Wisconsin. Let's stop not giving out sleeves…' Then eventually that starts to dissipate and they get rid of this whole new silly paradigm."

Locwin's point was that your risk assessment can help to inform your response to an FCPA violation, a corporate crisis or even (in my opinion) the misstep of requiring Starbucks customers to ask for sleeves for their coffee purchases. In another article by Locwin, entitled "Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies," he noted that "knowledge is power." He went on to add, "Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we've classified them correctly. With a good understanding of each of these, we're in a much better position to speak about the quality of our businesses."

Three Key Takeaways

  1. The Evaluation put renewed emphasis on risk assessments.
  2. Risk assessments logically follow and are complementary to forecasting.
  3. The risk assessment output allows you to prioritize your response, plan funding and deliver resources in a risk management solution.


Mar 8, 2017

The Justice Department Fraud Section recently revamped its website and it is quite an upgrade. I do not know when the Fraud Section did this update but, as with the Evaluation of Corporate Compliance Programs document, it certainly was a soft launch. It appears the new site compiles several disparate sources of Fraud Section and Justice Department information into one website. Also, there looks to my eye to be some information posted on the Fraud Section website for the first time. In short, it is an excellent and most welcome resource.

A quick review of the site has a slide show of recent Justice Department resolutions scrolling across the screen. Go down to the bottom of the screen and you will see two very interesting documents, a 2015 and 2016 Fraud Section Year in Review. The FCPA Unit section includes such information as prior enforcement actions, Opinion Releases, other anti-corruption treaties and resources. There is also a list of Fraud Section leadership.

However, the Fraud Section is made up of more than simply the FCPA Unit, and there are tabs for Health Care Fraud and for Securities and Financial Fraud. Most interesting to me was the tab for the Strategy, Policy and Training Unit which, I have to admit, I did not know was a part of the Fraud Section. The opening page for this Unit provides a description of its work. It is as wide ranging as international coordination and interaction with foreign prosecutors and investigators.

This website revamp is a most welcome resource for the compliance community. While some may view it as simply a compilation of other sites and locations within the greater Justice Department website, I believe the vast majority of compliance practitioners will find it a most welcome compilation and resource.

Mar 7, 2017

At its heart, every business tries to plan for its future. It is a critical aspect of managing any organization: non-profits, privately owned for-profits and, of course, publicly traded companies. It is important that management be able to set out what it opines will happen in the next three, six, twelve and twenty-four months. Noted health care process expert Ben Locwin has said this "is really something that the businesses try to wrap their heads around in such a way that they can shunt resources where they think is appropriate in order to meet these future demands. Forecasting really at its heart is an educated guess and really as much as it becomes a reliable model more so and less so a guess, is based on the quality of the input data." It is a process through which you are attempting to "prognosticate what the future will bring to you." Unfortunately, forecast models are only as good as the data put into them: the GIGO (Garbage In, Garbage Out) principle.

Three Key Takeaways

  1. Risk management is a process and forecasting is the first step in that process.
  2. GIGO and the only constant is change.
  3. Forecasters must always remember that more than one outcome is possible.


Mar 7, 2017

In this Part III of a three part podcast series, I visit with noted risk management expert Ben Locwin on risk-based monitoring as an adjunct to forecasting and risk assessments. We discuss how to accomplish it and how to integrate it into your overall monitoring and feedback loops. We conclude by stitching together the risk management process. For more information see my five part blog series on the Risk Management Process.

1. Forecasting

2. Risk Assessments

3. Risk-Based Monitoring

4. White Noise and Interpreting Data

5. What does it all mean?
