Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories, including:
Innovation can come in various forms for an organization. Innovation can appear in a structural form. You can move compliance more deeply into your organization with new or different structures. One I have seen have success is a compliance committee more closely tied to the geographic market in the field, or the Regional Compliance Committee.
Two of the most common compliance focused committees are those at the Board level and those which sit between the CCO and the Board, usually consisting of senior executives such as members of a company’s executive leadership team. However, a Regional Compliance Committee can will help the corporate compliance function to more effectively ensure employee and business partner engagement with compliance by integrating compliance into every aspect of functions and generating the necessary information to continuously improve the overall compliance function. A Regional Compliance Committee can also operate on multiple planes to fully operationalize compliance in a company, augment the internal controls and make the company a more efficient and profitable entity.
Most companies have a Board Committee dedicated to ethics and compliance or something like a Board Audit Committee which the CCO will report into. Once again, there are many companies with senior executives populating another level of oversight with a compliance committee between the CCO and the Board. A Regional Compliance Committee, formed at the regional level, helps to create more direct ownership, accountability, and valuable transparency. This moves compliance down into all levels of a company’s operations. This approach also significantly improves the consistency of compliance execution, and helps to ensure that all of business objectives are achieved in a legally compliant fashion. A Regional Compliance Committee does not have primary responsibility for internal investigations but is charged with reporting any known compliance issues to the CCO.
A Regional Compliance Committee can provide clear and frequent compliance-related communication on related matters throughout the region, strengthening a company’s compliance culture. It allows compliance topics to be more thoroughly discussed at regularly occurring operations meetings. A Regional Compliance Committee can have communication structures designed to facilitate communication up the chain and down the chain. This allows a CCO to have a more direct set of eyes and ears closer to the ground. Finally, the Committees give the compliance function greater visibility within the organization because compliance has been moved further into the middle and lower levels of the organization on a daily basis.
One of the key elements of the Committees are their makeup, which is market centric. A Regional Compliance Committee should include some or all of the following: (a) the Vice President of the region; (b) the regional Ethics and Compliance Director; (c) the regional Legal and Compliance Director; (d) the regional HR Director; (e) the regional Finance Director; (f) the regional Trade Compliance Director; (g) the regional Supply Chain Director; (g) the regional Sales Director and (h) senior representatives of Operations in the market. This composition of the Regional Compliance Committee, coupled with their structures, allow compliance to be fully operationalized into the Company’s global organization.
Authority and Responsibility
There are multiple possible responsibilities for a Regional Compliance Committee. Some of these possible responsibilities include:
The innovation represented by the formation of a Regional Compliance Committee operationalizes compliance into a company’s operations where the business operates. This sort of approach follows the Department of Justice mandate, articulated in the Department’s Evaluation of Corporate Compliance Programs for companies to move the doing of compliance down into the business of the organization, or operationalize compliance. The make-up of a Regional Compliance Committee, while including compliance representatives, is also populated by representatives from other disciplines within the global organization. This allows a fuller, richer and more holistic approach to not only compliance advice.
It adds a dimension not often seen or even discussed in the compliance profession. The accountability and oversight down to the regional level and the compliance monitoring, reviewing, assessing and recommending that is deemed to be necessary will provide additional endorsements up through the organization that it is actually doing compliance. In compliance, it is execution where the rubber meets the road. A Regional Compliance Committee can provide your compliance program a unique structure to perform these functions.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
Much has been written on hiring a new CCO. As with the hiring of other senior executives, such as a CEO or CFO, there can be specific questions about challenges the candidate has faced in prior engagements. For the CCO position having one who has literally been through the wars, usually in the form of an extensive Foreign Corrupt Practices Act (FCPA) investigation or enforcement action, is a critical inquiry. In most instances, Boards will want a candidate who can lead the company through the situation currently faced.
But what about hiring at a level below the CCO? Most companies take the best athlete approach, hiring the most well rounded candidate with a varied background. However an article in the Harvard Business Review (HBR) Idea Watch column, entitled “When Hiring Execs, Context Matters Most”, reported on a new CEB study which “suggests that companies will be more successful if they consider the particular leadership context when hiring for every level. Instead of taking on generalists trained to meet any management test, the researchers say, firms should use an assessment system that identifies candidates whose personality attributes and experience are custom-tailored to the contextual challenges of the position.”
Basically, CEB came up with a quantitative approach, looking at 27 different contexts around projects, challenges and issues. From this list they, “assessed leaders’ personality attributes, tracked relevant experience, and solicited opinions about behavior, performance, and effectiveness from supervisors and direct reports.” The research team “also coded 60 variables that inform context, such as whether the job involves a high degree of uncertainty, requires managing a geographically dispersed team, or calls for cost cutting.” From this they ran data analytics and “worked to understand why some leaders succeeded while others underperformed, the biggest factor that emerged was how well a leader’s personality, skills, and experience meshed with the specific challenges of the job.”
Some of the challenges which included the following areas are well familiar to the compliance practitioner: leading global or cross-cultural teams; transforming a high-conflict culture; leading an organization through a merger or acquisition, operating a corporate function with high resource constraints; growing through innovation; growing the function through cost competitiveness; and managing a broad portfolio of products and services.
The bottom line is that the more challenges a leader will face, the more difficult their job will become and the success rate will inevitably drop. Yet the article suggests that the context of experience may well be a key indicator. But it moves beyond simply hiring, noting “For example, if success in a leadership role is context-specific, and if the context is apt to change quickly in a fast-moving business environment, firms might need to move leaders in and out of roles quickly. Awareness of contextual challenges can also change the way a company approaches development.” Jean Martin of CEB was quoted “Once you recognize how well-suited leaders are to the context in which they’re about to be placed, you can use that information to drive much more specific investments in development and find ways to coach people to account for the greatest areas of mismatch.”
This approach also allows you to get to the granular level of team projects. The article said that companies could use such techniques to “revise responsibilities, streamline goals and objectives or try and solve a particular problem”. A company could also use this method to consider its internal bench strength, focusing on who could assist the compliance function in rolling out a new initiative or even a new compliance innovation. The piece ended with a few thoughts on the best athlete approach. It suggested a term called ““spiky,” meaning that they excelled at a few specific capabilities but were not above average in all. “Chasing managerial agility instead of allowing for specialization is ineffective,” the researchers concluded.”
HBR also included an interview with a company which had utilized this analytical approach, Adecco Group, a Zurich based workforce solutions entity. The company’s global head of talent strategy and development, Courtney Abraham, was interviewed. As much as they tried the company inevitably fell back on a non-analytical approach; i.e. using intuition in the hiring process. Mostly, Abraham felt such an approach did not deliver consistent results.
While Adecco did not use the full 27 context approach suggested in the CEB study, they did develop its own 6 “most important challenges some will face in a new role and compare them to candidate’s skills, competencies, motivations and runaways.” This allowed the decision to move away from the gut level to one of a “shared language” among those evaluating the talent.
An interesting side effect and one not expected by Adecco was that the data often led to an internal candidate who was not “next in line” for a promotion. It allowed internal promotion with “eyes wide open” to a candidate’s strengths and areas where they needed additional development. It also has implications for development as employees have a better understanding of their weaknesses and what gaps they may need to fill. Abraham stated, “we can use onboarding and development to actively coach and support them.” Internal hires bring the benefit of having already bought into and have been a part of the company culture and “they understand our business, the people and the competitive landscape.”
The use of data can help a compliance professional identify internal candidates to move a corporate compliance program forward. This can also give a company a boost by bringing non-compliance professionals into the compliance realm which will allow them to more fully operationalize compliance if they return to a more traditional business unit role.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
Another innovation is to put your compliance program at the center of corporate strategy. An article in the Harvard Business Review (HBR) by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect management’s new sales plans with the “field realities.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”; Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.”
This can be a critical problem when operationalizing compliance because operationalizing compliance is usually perceived as a top-down exercise. The reality that the employee base that must execute the compliance strategy is not often considered. Even when there are comments from employees on compliance initiatives they are often derisively characterized as ‘push-back’ and not considered in moving the compliance effort forward.
Communicate the Strategy
It can be difficult for an employee base to implement a strategy that they do not understand. Even with a companywide training rollout, followed by “a string of e-mails from headquarters and periodic reports back on results. There are too few communications, and most are one-way; the root causes of underperformance are often hidden from both groups.” Here Cespedes’ insight is that clarification is a leadership responsibility and in the compliance function that means the Chief Compliance Officer (CCO) or other senior compliance practitioner. Moreover, if the problem is that employees do not understand how to function within the parameters of the compliance program, then there is a training problem and that is the fault of the compliance department. I once was subjected to a PowerPoint of 268 slides, which lasted 7.5 hours, about my company’s compliance regime. To say this was worse than useless was accurate. The business guys were all generally asleep one hour into the presentation as we went through the intricacies of the books and records citations to the FCPA. The training was a failure but it was not the fault of the attendees. If your own employees do not understand your compliance program that is your fault.
Continually improve your compliance productivity
Why not do the incentivize productivity around compliance? Work with your Human Resources (HR) department to come up with appropriate financial incentives. Many companies have ad hoc financial awards, which they present to employees to celebrate and honor outstanding efforts. Why not give out something like that around doing business in compliance? Does your company have, as a component of its bonus compensation plan, a part dedicated to compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when annual bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice.
Improve the human element in your compliance program
This is another area where HR can help the compliance program. More than ongoing assessment of employees for promotion into leadership positions, here HR can assist on the ground floor. HR can take the lead in asking questions around compliance and ethics in the interview process. Studies have suggested that certainly Gen Y & Xers appreciate such inquiries and want to work for companies that make such business ethics a part of the discussion. By having the discussion during the interview process, you can not only set expectations but you can also begin the training process on compliance.
However, this approach should not end when an employee is hired. HR can also assist your compliance efforts by tracking employees through their company career to identify those who perform high in any compliance metric. This can also facilitate the delivery on more focused compliance training to those who may need it because of changes on compliance risks during their careers.
Make your compliance strategy relevant
Cespedes notes, “Most C-suite executives know these value-creation levers, but too few understand and operationalize the sales factors that affect them.” In the sales world, this can translate into a reduction in assets to underperforming activities. This is all well and good but such actions must be coupled with an understanding of why sales might be underperforming in certain areas. In the compliance realm, this translates into two concepts, ongoing monitoring and risk assessment. Ongoing monitoring can allow you to move from a simple prevent mode to a more prescriptive mode; where you can uncover violations of your company’s compliance program before they become full blown FCPA violations. By using a risk assessment, you can take the temperature of where and how your company is doing business and determine if new products or service offerings increase your compliance risks.
Above all, you need to get out and tell the compliance story. Louis D’Amrosio was quoted for the following, “You have to repeat something at least 10 times for an organization to fully internalize it.” If there is a disconnect between your compliance strategy and how your employee base is implementing or even interpreting that strategy, get out of the office and go out to the field. But you need to do more than simply talk you also need to listen. By doing so, can help to align your company’s compliance strategy with both the delivery and in the field.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
The top compliance roundtable podcast is back with a wealth of new topics.
For Matt Kelly’s posts on SEC and Chairman Clayton, see the following:
2. Mike Volkov considers the intersection of anti-corruption compliance and anti-trust compliance in connection with the role of the Chief Compliance Officer.
For Mike Volkov’s post on the intersections on anti-corruption and anti-trust compliance, see the following:
The members of the Everything Compliance panel include:
How can you change the perceptions around compliance in your organization? With the Justice Department requirement, set out in the Evaluation of Corporate Compliance Programs, to more fully operationalize your compliance program, do you as a CCO struggle with operations buy-in? I thought about those questions and others when I read an article in the MIT Sloan Management Review, entitled “Learning the Art of Business Improvisation”, by Edivandro Carlos Conforto, Eric Rebentisch, and Daniel Amaral. In this article the authors explore the issue of improvisation and write that while it “may seem to be spontaneous, but managers can foster it in innovation projects through the deliberate development of certain processes and capabilities.” For what improvisation really comes down to is the ability to “create and implement a new or unplanned solution in the face of an unexpected problem or change.”
Compliance is certainly one area that requires such flexibility because of the ever-changing business conditions that exist in today’s multinational organizations subject to the Foreign Corrupt Practices Act (FCPA). Novartis announced its South Korean subsidiary was under criminal investigation for allegations of paying bribes to physicians, this less than 60 days after agreeing to a FCPA enforcement action which involved payment of a $25 million dollar fine for the actions of its Chinese subsidiaries.
Whether deliberately or not, compliance must improvise. Such compliance “Improvisation can foster problem solving, creativity, and innovation, and it is becoming a requirement for many organizations. Although improvisation might seem to be spontaneous and intuitive, to do it well requires the development of disciplined and deliberate processes and capabilities. Managers working in dynamic, fast-paced, and highly innovative project environments should develop and refine capabilities in these three areas to create a project environment that will enhance a team’s improvisation competencies - ultimately with an eye toward improving project results and innovation.”
There are three general areas which a company can improve upon to help advance its abilities to adapt and change. They are (1) Build a culture that recognizes and views changes positively. (2) Create the right team structure and project environment. (3) Provide management practices and tools that facilitate improvisation.
Under this first prong, innovation can come from teams that have a “positive attitude toward dealing with and accepting ambiguity and project changes.” Not surprisingly, this does not come from top down leadership but allowing “higher level of autonomy in making decisions.” Further, the farther out from the corporate office, the more “teams should be empowered to make decisions locally, be informed about and willing” to take make changes and provide enhanced compliance risk management, and not overly fear potential failure.
Clearly the ability to make changes requires a robust compliance regime to begin with. However, having such a system in place, particularly through internal controls, allows a compliance department to “help them to reduce uncertainty more quickly and effectively learn from their experiences. Teams equipped with a broad array of tools and techniques can use them to respond to different types of challenges. The focus should be on helping teams anticipate and recognize changing circumstances and make more rapid and accurate decisions.”
The second prong ably demonstrates that a key to making improvisation work is that you have good communication between the compliance function and business unit. This is not a new concept and communications runs two ways. If the business unit sees the Chief Compliance Officer (CCO) as Dr. No from the Land of No, they will not likely be calling for assistance. Yet compliance does not always know what business opportunities arise without that information so they cannot craft appropriate risk management solutions. Weekly interactions between leaders and key stakeholders are good first step.
Perhaps counter-intuitively, the authors also note that smaller teams appear to have more and better success. The “greater levels of improvisation in smaller teams that displayed more self-directing and self-organizing characteristics, such as being responsible for monitoring and updating the status of their activities and deliverables.” This can allow the compliance department to play a key oversight and support role “on the aggregated information and on more strategic issues related to the project.”
Under the final prong, it is shown that “teams with greater improvisation characteristics were more likely to use agile management approaches, techniques, and tools. In fact, teams that embraced an agile approach were nine times more likely to have high levels of improvisation compared with teams that used a more traditional (waterfall) approach.” This means that not only will a command and control structure not be able to move as quickly and efficiently but also you need to operate at a level of sophistication beyond simply spreadsheets.
Moreover, “The agile methods we observed in the teams with higher levels of improvisation included iterative development, supported by recurring delivery of higher-value deliverables; constant interactions between stakeholders and the project team; the use of visual tools to collaboratively manage the project with team members; and active involvement with the client and/or user in the development process.”
The ability to be agile is an important component of any best practices compliance program. The need to respond to business changes is always paramount. Yet there is no end to the variety of corrupt schemes engaged in by company employees. The Novartis matter in South Korea allegedly involved bribery through excessive payments for articles published in medical journals. Just as the bribery and corruption scandals involving GlaxoSmithKline PLC (GSK) and others in China demonstrate new and creative ways to put pots of money together to pay bribes, the Novartis issues may show another area that bears compliance scrutiny. A compliance function must be ready to adapt.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
In this episode, Matt Kelly returns to his journalism roots with a live report from TEC 2017, the Workiva user conference. We discuss some of the hot topics at the conference including possible repeal or modification of SOX sections 404 and 302. We consider how internal controls around financial reporting intersect with compliance internal controls and how SOX reporting has elevated effective compliance internal controls as required under the FCPA. We also discuss document and information security and the concept of a single source of truth. We take a deep dive into the subject in the areas of audit trails for documentation in an FCPA investigation and in the upcoming SEC requirements around CEO Pay Ratio Reporting.
For more insights, see Matt’s blog post SOX Compliance: Do Better Than a ‘C’ Grade
If it is not clear already this month, innovation does not simply come from a technical or even service perspective but can improve your compliance program from a wide variety of perspectives. We have considered a variety of issues related to innovation. Now we consider how you think through a compliance related issue as an innovation.
Every compliance practitioner recognizes the prevent, find and fix tripartite approach to compliance. Many compliance practitioners believe that if you can move your program from one focused on detection to one focused on prevention, you have not only a more robust program but also one which is more fully operationalized as it would be closer to the ground and the front lines of employees.
Data and its analysis can be used in both approaches. Further data can be used in both approaches for multiple approaches to doing compliance. It can be used to simply stop behavior. However, data and data analytics can be used to further training, education and communication around compliance. The question becomes, which is better: real-time monitoring or right-time monitoring?
Consider the critique that monitoring of gifts, travel and entertainment (GTE) is always going to be 30-60 days behind the actual real-time event because it will take an employee 30 days to input their expenses into the system, have a supervisor approve it, and it goes to accounts payable for input. Does such a critique defeat a best practices compliance program which is dedicated to moving from simply a detect prong to a prevent prong?
However, an innovation can occur from how you consider the problem. So instead of a real-time review focus, consider a ‘right-time’ review focus. Patrick Taylor, President and CEO of Oversight Systems says the way to think through the issue is “What is the right time for the analysis?” He detailed the situation where your company has a corporate card program, or you use a corporate credit card. Through those mechanisms, you should be able to access those feeds every day from your card vendor, from your bank or card issuer. If you had that quantum and quality of information, there might well be certain things worth looking for. The classic example might be somebody spends some money at an adult entertainment establishment that masquerades as a restaurant because I may want to reprimand that employee or that behavior immediately.
Yet if your company uses an expense reporting system like a Concur or Pro River; the expenses can be previewed while they are in process; that is, before they are paid by your organization. It might be perhaps even before the employee’s manager approves the expenses. There could be a rash of information and data to look for at that time to give the manager a heads up to take a bit of a deeper dive into the expense report.
Finally, there are some GTE expense which are best looked at with the longer-term view. This could include expenses reports used to try to influence employee behavior. As a compliance professional, you are better off demonstrating a pattern of questionable or abusive expense-related items, as opposed to nagging one-off expenses report entries. Further there may be situations where there are literally bursts of activity which I would like to let pass by before trying to download that analysis. The question for the compliance professional is “What do I have, right?” Obviously, you cannot perform the analysis before you have data. The question you must work through is when do you have the data and then what is the right time to do any particular kind of analysis of that data? Because it may not always be the "real-time" when I found, when I've got it. Be much more concerned about what's the "right" time.
By thinking about what you are attempting to accomplish through your monitoring, it can help to inform your compliance program going forward, usually in a variety of ways. In the GTE example discussed in this piece, if you want to move to something closer to real-time monitoring, you will need to move towards the corporate credit card model, with real-time viewing of the purchases on the card. From there you can make a preliminary assessment if you want or need to use that data from the compliance perspective. Moreover, you should never forget that a much longer right-time review and perspective can be equally valuable for many of your other business processes going forward.
It is this final point, which makes clear the power of operationalizing your compliance program. If you put the architecture of compliance closest to those in the field who are literally on the front lines of your organization you should be able to obtain the data nearest to the customer. That data can be sliced and diced in a variety of ways which allow incorporate back into your continuous learning loop (OODA feedback loop) so that you can determine the most efficient business process going forward. When compliance can wed its prevent, find and fix mandate with overall business process performance, it can make a company more efficient and more profitable.
Three Key Takeaways
I welcome you to a new series entitled Compliance Man Goes Global podcast of Compliance Report-International Edition. I am joined by Tim Khasanov-Batirov, a compliance practitioner who focuses on high risk markets for 17 years. In each podcast, we take two typical concepts or more-probably misconceptions from in-house compliance conventional wisdom. We check out if these concepts work in emerging jurisdictions. For each podcast, we divide roles with one of us advocating the particular concept identifying pros; the other will provide arguments finding cons. Tim will conclude each concept with some practical solutions for in-house compliance practitioners for high-risk emerging markets.
Today we explore the following two concepts:
Corporate Concept #1. We have detailed policies in the HQ. We deployed those policies at our subs located in emerging markets. We will be just fine.
Corporate Concept #2. If there is a compliance person located at high risk market we could significantly mitigate our corporate compliance risks.
Innovation can come in form of new ideas or simply fresh ways to consider old problems. The idea of how to use the information available to a CCO is one that can be explored through different avenues. One of the most interesting, originated in the dogfights from World War II. The insights gained were instrumental in the US military’s swift victory in the First Gulf War.
It was detailed in a chapter in an eBook, entitled “Planning for Big Data - A CIO’s Handbook to the Changing Data Landscape”, by the O’Reilly Radar Team. The chapter was authored by Alistair Croll, entitled “The Feedback Economy”. Croll believes that big data will allow innovation through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using that information to make your business more agile, efficient and profitable is your greatest advantage.
Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the CCO, this means that if your company can collect and analyze information better, you can act on that information faster.
Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in our data; that “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.
The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud.
A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.”
Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.”
Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” Yet for many business leaders, displaying the data is most difficult because it is not generally in a readable form. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments.
Of course having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment decisions around hiring and firing decision, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. It advocates “fast, iterative learning.” Big data allows you to make a quicker assessment of the impact of measured risks.
Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”.
Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you should facilitate a more agile and directed business. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does.
Three Key Takeaways
To my mind the most significant and important book that every Chief Compliance Officer (CCO), General Counsel (GC) and compliance practitioner needs to read is The Chickenshit Club by Pulitzer Prize winning author Jesse Eisinger. It puts together for the first time, the story and timeline of how the Justice Department (DOJ) devolved from the group of prosecutors who convicted felons from the late 90s and early 00s financial scandal such as Enron and WorldCom, to the group which did not even bother to attempt to prosecute high ranking executives after the 2008 financial meltdown.
In this episode, I interview with book author, Jesse Eisinger and Paul Pelletier, a key source for the book. The interview is fascinating and I urge you to take a listen for both the substance and the interplay between Eisinger and Pelletier. We discuss the genesis of the book, what happened between Enron and 2008 which led to no prosecutions and conclude with both Eisinger and Pelletier's proposals to get the DOJ back on track as the nation's trial lawyers.
For the Everything Compliance podcast recording reviewing The Chickenshit Club, click here.
Finally and most importantly, to purchase a copy of The Chickenshit Club, click here.
Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including:
Next we consider superforecasting and its use by a compliance function. Imagine that as a Chief Compliance Officer (CCO), you could create a team which might well dramatically improve your company’s compliance and risk forecasting ability, but to do so you would be required to expose just how unreliable the professional corporate forecasters have been? Could you do so and, more importantly, would you do so? Most generally this is the predictive capability that organizations have used. However, the new “superforecasting” movement, led by Philip E. Tetlock and others, has been gaining strength to help improve this capability.
The concepts around superforecasting came of age after the intelligence failures leading up to the Iraq War. This led to the founding of the Good Judgment Project, which had as key component a multi-year predictive tournament, which was a series of gaming exercises pitting amateurs against professional intelligence analysts. The results of the Good Judgment Project was presented in a recent Harvard Business Review (HBR) article, by Tetlock and Paul J. H. Schoemaker, entitled “Superforecasting: How to Upgrade Your Company’s Judgment”. The authors had three general observations. First “talented generalists can outperform specialists in making forecasts.” Second, “carefully crafted training can enhance predictive acumen.” Third, “well-run teams can outperform individuals.”
To move to superforecasting, the authors laid out four precepts. The first is to find the sweet spot, which is somewhere between predictions that are “entirely straight-forward or seemingly impossible.” They note the sweet spot “that companies should focus on is forecasts for which some data, logic, and analysis can be used but seasoned judgment and careful questioning also play key roles. Predicting the commercial potential of drugs in clinical trials requires scientific expertise as well as business judgment.” I find the same to be true in compliance where “Assessors of acquisition candidates draw on formal scoring models, but they must also gauge intangibles such as cultural fit, the chemistry among leaders, and the likelihood that anticipated synergies will actually materialize.”
Next is to train for good judgment. This requires employees to learn the basics in such techniques as probability concepts, the definition of what is to be predicted and an understanding of numerical probabilities. As cognitive biases are widely know to skew judgment, companies need to raise awareness for this issue to arise. Finally, training to understand the psychology behind such biases narrowed predictive domains.
Next is to build the right kind of teams. The initial thing to realize is the importance of the composition of the team. The authors found that “cautious, humble, open-minded, analytical - and good with numbers. In assembling teams, companies should look for natural forecasters who show an alertness to bias, a knack for sound reasoning, and a respect for data.” Equally critical is that the “forecasting teams be intellectually diverse. At least one member should have domain expertise (a finance professional on a budget forecasting team, for example), but nonexperts are essential too - particularly ones who won’t shy away from challenging the presumed experts. Don’t underestimate these generalists.” Clearly your compliance superforecasting team should draw from the diversity within your organization not only in discipline but in temperament as well.
After the composition is considered, the authors move to “diverging, evaluating and converging.” The authors suggest “a successful team needs to manage three phases well: a diverging phase, in which the issue, assumptions, and approaches to finding an answer are explored from multiple angles; an evaluating phase, which includes time for productive disagreement; and a converging phase, when the team settles on a prediction. In each of these phases, learning and progress are fastest when questions are focused and feedback is frequent.”
The final component of composition is trust as there must be trust among your team members to facilitate good outcomes. This might also be understood that if the superforecasters demonstrate the errors or miscalculations of others in the group, not only will they be protected by senior management but their work will be defended. The authors note, “Few things chill a forecasting team faster than a sense that its conclusions could threaten the team itself.”
You then have to “track performance and give feedback” as the authors believe that it is essential to track the prediction outcomes and provide timely feedback to improve forecasting going forward. This also has the added benefit of providing an audit trail so that a company can learn from both the good and bad predictions. This leads to the authors’ next insight, which, in the process, is critical.
Such a feedback loop in the compliance sphere could lead to some of the following questions being posed: What information might others have that you don’t that might affect the compliance risk? What cognitive traps might skew your judgment on this transaction or risk? Why do you believe the company can safely navigate this compliance risk?
Answers to these and other questions can provide insight into not only specific predictions but also the process by which a team moved forward so that it can be replicated, in the future through an audit trail. [Think Document Document Document.] Also, “Well-run audits can reveal post facto whether forecasters coalesced around a bad anchor, framed the problem poorly, overlooked an important insight, or failed to engage (or even muzzled) team members with dissenting views. Likewise, they can highlight the process steps that led to good forecasts and thereby provide other teams with best practices for improving predictions.”
Like any innovation, there must be a commitment from senior management on moving forward. There must be data available both internally and research conducted externally with auditable trails on judgments, underlying assumption and data sources. The keys to success include frequent, precise predictions and measuring accuracy of predictions for comparison with real-world events. Nevertheless, such an exercise might well be exactly what a compliance function should do going forward. It might give the company enough information to take such a seemingly risky business move, when the prediction shows the risk was lower than the ‘experts’ said. Yet the authors end on this note, “But companies will capture this advantage only if respected leaders champion the effort, by broadcasting an openness to trial and error, a willingness to ruffle feathers, and a readiness to expose “what we know that ain’t so” in order to hone the firm’s predictive edge.”
Three Key Takeaways
One of the key things the Department of Justice (DOJ) has consistently communicated is the importance of operationalizing rather than having a paper compliance program in place. The Department of Justice’s Evaluation of Corporate Compliance Programs (Evaluation) made clear that to receive credit in any Foreign Corrupt Practices Act (FCPA) enforcement action, you must fully operationalize your compliance program in the remediation phase.
All of this was driven home to me in an article I read in the Harvard Business Review (HBR), entitled “Disruptive Innovation?”, by Clayton M. Christensen, Michael E. Raynor and Rory McDonald. The authors were concerned that many of the commentary around the phrase ‘disruptive innovation’ were “in danger of losing their usefulness because they’ve become misunderstood and misapplied.” To answer this critique, the authors revisited the central tenets to the theory and how it had developed over the past 20 years. In doing so they detailed three key elements of disruption theory, which I have adapted to the compliance context.
The first is that compliance is a process. While this may seem as about the most self-evident statement one can make, as late as last week, I was contacted by someone who wanted an ‘off the shelf’ compliance package. They wanted me to do a couple of interviews of senior management and they put in some canned software program so they could claim they had a compliance program.
This attitude demonstrates the continuing battle the DOJ and Securities and Exchange Commission (SEC) face when communicating their expectations around compliance programs. Compliance programs should evolve as business risks change. Just as disruptive innovation tends to focus on process, your compliance program should focus on your overall business process to be successful.
The second key point is that Compliance 3.0 is very different from compliance programs of the past decade. As compliance programs have matured and the structural changes brought about in the Compliance 2.0 model, as articulated by Donna Boehme and others, we have now moved on to Compliance 3.0 where compliance is put into the fabric of an organization. The compliance function is moving from a solutions shop where all compliance functions are centered in the legal or compliance department to a process function where the front line business team can use technology and other tools to operationalize compliance. DOJ Compliance Counsel spoke to this concept in her recent remarks around how well a company would operationalize compliance by incorporating the business functions inputting to compliance around appropriate internal controls. The authors point to new business models as disruptive and I think this concept translates into how compliance can be burned into the DNA of an organization rather than simply sitting in the corporate headquarters in the US.
The third point is that not all disruptive innovations succeed. Here the authors write that disruption is only one step in both the creative and growth process. Throughout their article, they discuss Uber in the context of a disruptive business. However, Uber uses the smart phone platform, coupled with a superior rider experience as a part of its business model. For the compliance practitioner, I think the key concept is what SCCE President Roy Snell says are the three goals of any compliance program; to prevent, find and fix issues. You could also plug in here McNulty’s Maxims (What did you do to prevent it? What did you do to detect it? What did you do after you found out about it?).
This is why any successful compliance program should have multiple levels of oversight built into it. If something does slip through, a level of oversight should be in place to review it and hopefully prevent it. Consider the BHP Billiton’s FCPA enforcement action. It involved gifts, travel and entertainment around the 2008 Beijing Olympics. The issue was not that foreign officials were feted at the event. The issue that got the company into trouble was that they did not perform proper oversight over their carefully crafted program. A similar issue was seen in the Lily FCPA enforcement action where charitable donations were approved by an oversight committee without any substantive review and distributor commission rates were approved outside the standard range without appropriate review.
Disruption innovation has come to the compliance arena. One of the best examples is Louis Sapirman, the Chief Compliance Officer (CCO) at Dun & Bradstreet, who has incorporated not only social media tools but also the concepts of two-way communications into his company’s compliance program. Another is the use of your own company’s data to facilitate a straight line of sight by a CCO or compliance practitioner into transactions needing more detailed reviews from the compliance perspective.
As many compliance practitioners are lawyers, we are naturally reticent to embrace such change. However, I think the pronouncements of the DOJ this year have made it even clearer of the need for continued evolution of anti-corruption compliance going forward. Disruptive innovation can be one of the techniques to get your compliance program to that desired location.
Three Key Takeaways
The top compliance roundtable podcast is back with a wealth of new topics. Stayed tuned to the end where there are some great rants in this edition.
For the Cordery Compliance client alert and podcast on the topic see the following:
Jay Rosen brings a detailed discussion of voluntary monitoring and contrasts it with the ISO 37001 standard. Jay rants on the Patriots lose in their season opener.
For Jay Rosen’s posts see the following:
The members of the Everything Compliance panel include:
Design thinking is another innovation which can help the Chief Compliance Officer (CCO) move forward in a cutting-edge manner to make a compliance program not only more robust but also operationalize it into the fabric of the company. Such a mechanism would help to drive compliance into the operational nature of a company, which is where the latest pronouncement from the Department of Justice (DOJ), in their Evaluation of Corporate Compliance Program suggest a company should take their compliance regime.
Design Thinking can bring innovation in a number of ways to your compliance program. Jon Kolko discussed this innovation in a Harvard Business Review (HBR) article entitled “Design Thinking Comes of Age”. Kolko’s insight that, “the approach, once used primarily in product design, is now infusing corporate culture” is one that any CCO or compliance practitioner can use in redesigning your compliance program for your internal customers, i.e. your employees and third parties that may fall under your compliance program. All of these groups have a user experience in doing compliance that may be complex and interactive. You need to design a compliance infrastructure to the way people work so that doing compliance becomes burned into the DNA of a workforce.
The first component of design thinking is to focus on the users’ experience with compliance. Kolko stated that designers need to focus on the “emotional experience” of the users; he explained that this concerns the “(… desires, aspirations, engagement, and experience) to describe products and users. Team members discuss the emotional resonance of a value proposition as much as they discuss utility and product requirements.” For the compliance function, this could be centered on the touch points the employee base has with the compliance function and that this should be “designed around the users’ needs rather internal operating efficiencies.”
The next step is to create something design thinkers use called “design artifacts”. While this is usually thought of as a physical item they can also be “spreadsheets, specifications, and other documents that have come to define the traditional organizational environment.” Their use is critical because “They add a fluid dimension to the exploration of complexity, allowing for nonlinear thought when tackling nonlinear problems.” Whatever the compliance practitioner may use, Kolko said, “design models are tools for understanding. They present alternative ways of looking at a problem.”
The next step is to “develop prototypes to explore potential solutions.” In others words, build a part of your system and test it from the users’ perspective. Here the author quoted innovation expert Michael Schrage for the following, “Prototyping is probably the single most pragmatic behavior the innovative firm can practice.” I think this is because “the act of prototyping can transform an idea into something truly valuable” through use, interaction and testing. Simply put, prototyping is seen as a better way to communicate ideas and obtain feedback.
While it may initially sound antithetical to the CCO or compliance practitioner, a key component for design thinking is a tolerance for failure. I realize that initially it may appear that you cannot have failure in your compliance program but when you consider that design thinking is an iterative process it becomes more palatable. Kolko quoted Greg Petroff, the chief experience officer at GE software, about how this process works at GE, “GE is moving away from a model of exhaustive product requirements”, adding “Teams learn what to do in the process of doing it, iterating, and pivoting.”
However design thinkers must “exhibit thoughtful restraint” when moving forward so that they can have deliberate decisions about what processes should not do. This means that if a compliance process is too complicated or requires too many steps for the business unit employee to successful navigate, you may need to pull it back. I like the manner in which Kolko ends this section by stating that sometimes you lead with “constrained focus.”
Kolko ended his article by noting three challenges he sees in implementing design thinking, which I believe apply directly to the CCO or compliance practitioner. First is that there must be a willingness to accept more ambiguity, particularly in the immediate expectation, for a monetary return on investment. A more functional or better compliance system design may not immediately yield some type of cost savings but it may be baked into the overall compliance experience. Second, a company must be willing to embrace the risk that comes from transformation. There is no way to guarantee the outcome so the company leaders need to be willing to allow the compliance function to take some chances in directions not previously gone. Third is the resetting of expectations as design does not solve problems but rather “cuts through complexity” to deliver a better overall compliance experience. This in turn will make the company a better-run organization.
Kuldeep Singh, writing in the SCCE magazine Compliance and Ethics, in an article entitled “Design Thinking: Creating an ethics-based compliance governance solution”, helped to put some flesh on these concepts. I found a key insight from Singh was that rather than simply concluding that violations of anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) were engaged in by bad actors, it is rather good people doing bad things such as engaging in bribery and corruption.
Using design thinking to improve your compliance regime by building from the ground up rather than a legalistic top-down approach favored by most lawyers. For Singh, it all starts with the employees, not simply the problem. So you begin by asking questions, lots of questions. From this point he suggests that you formulate the proposed solution as a “problem statement”.
From this point, you are ready to begin brainstorming to come up with some solutions. There are four steps Singh lays out. First is to “state the problem to be solved with enough clarity of specificity.” The second is to “identify the objectives of the problem solution.” The third step is to “generate alternative solutions and create a list of alternatives prior to having a group discussion.” And finally, you end with collectively generating alternative solutions.
The final step is to test the proposed solutions, or as Singh puts it “test, test, prototype and test again.” The key is to avoid prejudgments so he advises to “let the tester interpret the prototype” and obtain their feedback. It is incumbent to iterate through the process multiple times, which allows you to narrow the scope of the solution and to “move from working on broad concepts to nuanced details.”
Singh puts this design thinking protocol to use to help create a more effective ethics and compliance training model. He uses employees to provide the initial input to improve its effectiveness and relevance to the front line employees. The compliance team then implements several proposed solutions until the most operative one or ones becomes apparent. These are then rolled out companywide for better and more effective compliance training. As the entire process is documented, when the regulators, such as the DOJ or Securities and Exchange Commission (SEC), come knocking, you will have the ability to not only explain your training but also demonstrate its effectiveness.
Three Key Takeaways
I believe one of the most significant innovations in compliance will come through the incorporation of blockchain into compliance. I see great value propositions for the compliance function. Mike Volkov has noted, “The key to blockchain is creating a secure environment among multiple actors in which the actors can record events and transactions in real time in shared ledgers. These ledgers are immutable, meaning they cannot be modified, and secure from potential hacking or modification. Blockchain users can receive real-time reports of activities without having to rely on post hoc reports. As a consequence, a specific user can flag potential red flags early, almost in real time, when events occur based on specific settings they establish for monitoring blockchain events.”
A more detailed exploration of the use of blockchain was presented in an article in the MIT Sloan Management Review, entitled “How Blockchain Will Change Organizations”, where authors Don Tapscott and Alex Tapscott speculate that the transformations which blockchain may facilitate in the corporate world could lead to some truly revolutionary modifications in key businesses processes.
How could blockchain have such a dramatic impact on compliance? First is the explanation of what blockchain might mean as a tool in business process. The authors explained that in a business transaction, you cannot email money as you can a document so a company must “use intermediaries to establish trust and maintain integrity. Banks, governments, and in some cases big technology companies have the ability to confirm identities so that we can transfer assets; the intermediaries settle transactions and keep records. For the most part, intermediaries do an adequate job, with some notable exceptions. One concern is that they use servers that are vulnerable to crashes, fraud, and hacks.”
The authors then go on to ask, “What would happen if there were an internet of value where parties to a transaction could store and exchange value without the need for traditional intermediaries?” The answer is that blockchain provides a transparent method to verify and approve transactions that is encrypted. Not only would this lower transaction costs and perhaps even barriers to doing business but also allow greater expansion of business into new geographic areas, through the use of previously external resources which were prohibitively expensive. Think of the possibilities in compliance for the supply chain and vertical integration.
There are several specific areas where the value from blockchain could enhance the operationalization of compliance into the fabric of a company. In Human Resources (HR) and Procurement “Blockchain will enable organizations requiring specialized talent and capabilities to obtain better information about potential contractors and partners than many traditional recruitment and procurement methods offer.” This means that with a potential third party business partner’s consent, a company will have access to a cache of information that is known to be correct because it has been uploaded, stored, and managed on a highly secure, distributable database. Such potential business partners would not be able to misrepresent their capabilities after such information has entered on the blockchain. The authors also note that “Tampering with data after the fact wouldn’t be possible: It would involve taking over the entire blockchain, a nearly impossible task.”
This is made even more powerful in the area of financial reporting. Typically, a search is “horizontal (across the web) and vertical (within particular websites). What you find can be out-of-date or inaccurate in other ways. On a blockchain, though, there’s a third dimension: sequence. In addition to being able to obtain a historical picture of the company since it was incorporated, you can see what has occurred in the last few minutes.” The authors correctly note, “The opportunity to search a company’s complete record of value will have profound implications for transparency as it brings to light off-book transactions and hidden accounts. People responsible for records and reports will be able to create filters that allow stakeholders to find what they are searching for at the press of a button. Companies will be able to create transaction ticker tapes and dashboards, some for internal use”. This would be extremely helpful in the difficult vetting of third parties around financial information.
In the sales realm, blockchain could be most helpful in understanding who you are doing business with and, more particularly, if the company is a state-owned enterprise. The same information you would consider about potential third parties sales agents would be available from customers. Obviously this would be critical in any Foreign Corrupt Practices Act (FCPA) analysis but it could also pay big results in anti-money laundering (AML) compliance. As the authors note, “sellers won’t have to incur the cost of establishing trust — thus they can facilitate transactions that would have been risky or might not have been possible otherwise.” Finally, there could be a data security plus as “blockchains will eliminate the cost of warehousing data and protecting other people’s data from security breaches.”
There are two specific areas where I see blockchain directly impacting the compliance profession. The first is with third parties. Volkov has stated, “a company could maintain immutable records of its due diligence process for a specific third party or a specific regulatory requirement. Due diligence delays would be eliminated by providing immediate and real-time and immediate access to the data, collection of information from potential third parties, and analysis of the information. A compliance officer could expedite the entire verification and validation process.”
The second area where blockchain provides a potential game changer is contracts, specifically around compliance terms and conditions. As the authors explain, “Blockchains facilitate contracting in both the short and long term. Through smart contracts — software that, in effect, mimics the logic of contracts with guaranteed execution, enforcement, and payments — companies will be able to automate the terms of agreement. This means that if a company develops contract programs to run on blockchain, it can incorporate the required compliance term and conditions and with blockchain, it can trigger alerts and ensure compliance This could be expanded to include compliance training, annual certification, or another ongoing obligation.
The authors conclude that blockchain could help alleviate some of the more egregious scandals seen, beginning back with Enron and up through Volkswagen (VW) and Wells Fargo. They believe that blockchain could help to “codify ethics and integrity into the circuitry of the enterprise, or reduce the moral hazard that too often sees management gambling with shareholder capital. Through smart contracts under blockchain, shareholders will be able to enforce the commitments executives make. Companies can specify relationships and state specific outcomes and goals so that everyone understands what the respective parties have signed up to do and whether those things are actually getting done.”
This final points sounds to me quite a bit like operationalizing compliance. It will be interesting to see when the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will begin to comment on blockchain as a part of a best practices compliance program.
Three Key Takeaways
In this episode, Roy Snell and I have a wide ranging discussion on the SCCE's Compliance and Ethics Institute. Roy reviews its history and how it became the largest annual event for the compliance professional. He talks about some of the highlights over the years and hits on some of the highlights for the 2017 event.
You can find out more information on the event at the SCCE website, by clicking here.
In “Compliance and Continuous Improvement”, John Nocero discussed the concept of Kaizen or continuous improvement in compliance. He explained, “Loosely translated, Kaizen means change for the better. It has been utilized successfully by a variety of organizations in healthcare, psychotherapy, government and other industries to help develop long-term competitive strategies, improve operational practices and stay viable. When you think about it further, this principle has even more direct application to the compliance practitioner. In today’s environment in which we work, being a compliance practitioner is like setting yourself on fire at the beginning of the day and trying to put it out by day’s end. We fight fires. We want to be able to control the fire that is burning within ourselves – by learning how to handle the difficult conversation before it occurs, or anticipating how we will act when someone challenges our knowledge or authority.”
The company Graphic Products explains on their website, “Kaizen works by reducing waste (muda) and eliminating work processes that are overly difficult (muri). As a lean business practice, Kaizen succeeds when all employees look for areas to improve and provide suggestions based on their observations and experience. Generally, these suggestions are for small changes that incrementally change the business for the better.” They suggest a four-step approach, which they call “Plan-Do-Check-Act (PDCA).”
Under the Plan prong, you “define the problem and develop potential solutions.” Under the Do prong, you next move to “implementing the best solution.” During the Check prong you should “evaluate results to see if the solution worked.” Under the Act prong, you have one of two options: (A) If the solution you implemented succeeded, you work to standardize it and then implement it across the organization. (B) However if the solution did not work, you should return to the planning stage and start again. The site notes that using “PDCA to implement changes ensures that there is a continuous cycle in place to monitor changes and to continue to improve upon them.”
Copenhagen Compliance suggest another approach in their e-newsletter entitled “Using the Kaizen Approach to Risk Management by the Audit Committee”. They say, “Understanding the current nature of a risk is a precondition for a determining your risk appetite and providing a risk response.” It is therefore incumbent that you take the necessary “time, resources and expertise to have a closer look at individual risks and understand what a risk management means to the various department heads and divisions.”
Using the small workshop format to determine and consider the different levels of risk, they propose you should start with the following questions:
The answers you deliver to these queries should provide you with a detailed analysis and more insight into both the order and magnitude of the compliance risks your company faces going forward. However Copenhagen Compliance then suggests a second step where you review the risks from a difference perspective. You should begin by using the results of the first exercise to take a look at a couple of different areas. First you should consider “the different causes and the circumstances that focus on the processes or events that precede a risk occurrence.” From there you should “list the different causes and the circumstances that focus on the processes or events that precede a cause of the risk.” The data you develop in this second phase “will provide valuable insights to determine the risk appetite, effective responses to optimize the management of risks with focus on Risk identification” which are embedded in the way you are doing business.
Marty Ellen, the Chief Financial Officer (CFO) at Dr. Pepper, discussed these theoretical underpinnings in a Wall Street Journal (WSJ) article, entitled “How Dr Pepper Cuts Cost. And Then Cuts Costs Some More”, by Mike Esterl. At Dr. Pepper, Kaizen events are known as “Rapid Continuous Improvement” or RCI. Ellen said, “RCI is about taking the existing baseline and improving it by finding the waste. It starts with walking the entire process. We call it “going to gemba,” which is Japanese for going to see how the work is done. The goal is always to shorten cycle times. You would be surprised. You put a bunch of people in a room to describe how a process works, and they don’t all agree with each other - and they all work on the same process.”
For the Chief Compliance Officer (CCO) or compliance practitioner, the most interesting take-away from the article was that Ellen has successfully used the process not only in manufacturing processes but also in internal controls and financial processes such as accounts payable. Moreover, using RCI is not about cutting jobs but making the internal processes more efficient. So if you can reduce costs in compliance by being more efficient in the process it sounds like a win for all concerned.
Three Key Takeaways
In this episode, I visit with Alex Tsigutkin, founder and CEO of AxiomSL and Varun Singhal – Senior Vice President Product Management, AxiomSL. AxiomSL a global leader in risk data management and regulatory reporting solutions for the financial industry, including banks, broker dealers, asset managers and insurance companies. Its unique enterprise data management (EDM) platform delivers data lineage, risk aggregation, analytics, workflow automation.
We discuss data lineage, which is quickly becoming a top line concern and challenge for data managers in financial services. In the past, data lineage—generation of a trail of information that tracks the use and custody of data as it travels throughout the enterprise—was primarily a concern for niche internal projects, usually run by reporting teams. A combination of closer oversight by prudential regulators and rising global standards around data governance, itself, has rapidly led many financial institutions to become more interested in how to do this on a broader level. The implications to and applications for the anti-corruption compliance profession are significant for transparency and accountability in data for sales, third party sales agents and payments, data flow in an organization and vendors in the Supply Chain. You can find out more about AxiomSL and data lineage by checking out their website, by clicking here.
One of the most constant things that I have observed in my 10+ years of practice in the compliance space is its constant evolution. Compliance techniques and practices, which were considered cutting edge when I began, have moved to standard fare and are now largely minimum practices. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have mirrored this evolution in not only how they view compliance programs but also in their own enforcement regimes and protocols. Today I want to consider agile innovations methods for your compliance program.
According to a Harvard Business Review (HBR) article “Embracing Agile”, by Darrell K. Rigby, Jeff Sutherland and Hirotaka Takeuchi, agile methodologies “involve new values, principles, practices and benefits and are a radical alternative to command-and control-style management.” It is accomplished by taking employees “out of their functional silos and putting them in customer-focused multidisciplinary teams”. As the customers of the compliance function are the company’s employees, I think the transition can be made.
One of the most basic problems is that business executives basically understand only enough about agile to be dangerous but they do not understand the comprehensive approach that needs to be taken. This means that senior management will continue to the same management practices that in fact work to undermine the agile process. The authors suggest the solution is that executives learn the basics of the agile process and understand the conditions in which it does or does not work. They should begin with a small team and project and let the operation spread organically.
Some of the right conditions for the success of an agile initiative in the compliance arena are as follows. You should have the right market environment for the project. This means you need to have your internal customers involved and allow feedback to change any proposed solution. You must be willing to innovate, particularly if there are complex compliance problems involved. You will need to break down the solutions into digestible junks, which may actually change the scope but through cross-functional employee collaboration, you can have appropriate creative breakthroughs.
Digestible junks will allow you have incremental developments, which can be tested and then rolled out for use by your employee base. As your internal customers use the innovations, the work cycles can be broken down further so both testing and innovation can continue unabated. This allows a continual feedback loop so that late changes in the innovation can be managed and incorporated going forward. Finally, if there are interim mistakes, it can be a valuable source of lessons learned going forward.
An example might be around compliance training, a topic oft-times commented upon as rote and something employees simply have to get through. Some commentators have characterized such training as a basic ‘tick the box’ exercise simply to get government credit. While such commentary fails to understand the benefits of communication through training, it does point up the issue of the stiltedness of compliance training.
An approach to this might be to put together an agile team to look at training so that compliance could create topical training, in a few days to respond to market or other conditions, separated out by the challenges met in various product lines or geographic areas. This innovation can include budgets as well, making your compliance function more cost effective through innovation.
Another concept is to start small and let the word spread. This is antithetical to many large companies that “launch change programs as massive efforts” largely because the project sponsors feel that if they do not do so, the rest of the company will divine that the effort is not really supported by senior management and respond accordingly. However, the authors suggest “agile might spread to another function, with the original practitioners acting as coaches. Each success seems to create a group of passionate evangelists who can hardly wait to tell others in the organization how well agile works.”
The C-Suite has a role as well by practicing agile at the top of the organization so not only could senior management provide new techniques through an agile exercise, they could learn how to support more fully the compliance function which might engage in an agile review. “Senior executives who come together as an agile team and learn to apply the discipline to these activities achieve far-reaching benefits. Their own productivity and morale improve. They speak the language of the teams they are empowering. They experience common challenges and learn how to overcome them. They recognize and stop behaviors that impede agile teams. They learn to simplify and focus work. Results improve, increasing confidence and engagement throughout the organization.”
There are three succinct benefits. First by having senior management involved in an agile exercise, it would allow them to “catch up with the troops” and to reprioritize their efforts going forward to be better aligned with the real-time nature of agile. Second, it allows a speedier corporate transition as it can allow the employees to know if management is in tune with what the employees care about going forward. Finally, it can present clear alignment of departments and functions on a common vision. I can think of no greater strength for the compliance function to rely upon. This can be used to expose senior managers to break out of their “silos in today’s overspecialized organizations-for general management roles.”
The authors conclude by noting the need to destroy barriers to agile. They list five pointers. First “get everyone on the same page” which they believe is the key responsibility of management. Second is not to change structures but to change roles so that internal company disciplines “can learn to work together simultaneously, rather than separately and sequentially.” Next is to name only one boss for each decision as in the agile operating model it must be “crystal clear” who can make the final decision. Penultimately, your agile exercise should focus on teams not individuals because it is the team’s collective intelligence that brings the power to an agile exercise. Finally, lead with questions not orders. Here the authors cite to General George S. Patton, who “famously advised leaders never to tell people how to do things: “Tell them what to do, and they will surprise you with their ingenuity.””
The agile exercise will probably not work in a compliance function under the thumb of the corporate legal department, as innovation is typically not in the remit of legal. However for a compliance function that desires to bring new and unexpected ways of doing compliance to your organization, going through an agile exercise might be just the thing to move compliance into the very DNA of your organization.
Three Key Takeaways
After a two week absence, Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories which happened while we were off, including:
What will be the role of Artificial Intelligence (AI) in compliance going forward? LawTech had disrupted the legal profession and how it is reshaping many areas of private practice. I found the article had multiple implications for the compliance function. Indeed, I believe there will be a ComTech industry lurking down the road.
Obviously, document review is one area where ComTech would be most useful. There are many companies who provide key word searches and these same concepts translate readily into the compliance world through massive database searches for key words, such as an ongoing email review through email sweeps. The concept is straightforward; at regular intervals, you sweep through your company email database for identified key words that can be flagged for further investigation, if required. Such a sweep is not limited to anti-corruption compliance but any of the risk factors identified for your company.
The objective of this approach is to find the evidence of a compliance breakdown by sweeping systems to uncover items that may contain real issues. From here, you can assess and prioritize, by checking and verifying if an issue needs investigating and focusing on the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities. AI can help you to perform all of this more cheaply and efficiently.
Soon compliance will be pushed more to the forefront in anti-money laundering (AML). As banking institutions continue to tighten and strengthen AML controls, criminals and other nefarious actors will move into non-financial corporations to move money for the simple reason that such robust controls required in the financial and financial services world are not generally required in the non-financial corporate world. Non-financial corporations should have robust AML controls in place and one of the requirements for any best practices AML policy is to “Know Your Customer” (KYC). AI will allow a more robust KYC approach.
Another area where compliance is often left behind is in the arena of Mergers and Acquisitions (M&A). Since the 2012 FCPA Guidance, the focus of compliance in M&A has been more and more on the pre-acquisition phase of a deal. Often the compliance function is either brought in at the last minute and does not have the time to perform adequate compliance due diligence or there is an overwhelming amount of data to be reviewed and the resources available (or made available) to the compliance function is woefully inadequate. AI can help in this area. There are companies which have software that allows thousands of documents to be reviewed in the M&A context.
The review could include such issues as whether third party sales representatives have the requisite background due diligence in the files, their status and commission rates paid. There could be a review of top sales and business developments folks in high-risk regions, correlated with a gift, travel and entertainment analysis. Finally, you could consider sales in high risk regions or even sales spikes from low risk areas from the compliance perspective.
A prime example of where AI can assist the compliance function is with third parties in the Supply Chain arena. Every multi-national has literally thousands of vendors. Getting a handle on those is always a challenge simply because of the numbers involved. Using AI, a compliance practitioner can immediately identify vendors that present anti-corruption compliance or other risks to an organization. Once again, having led an effort to list out all employer’s vendors by hand to begin the risk ranking process, I can personally attest to the greater efficiencies AI can bring to the exercise.
There is yet another set of AI tools which can review contracts to see if any specific types of clauses are non-standard. It would seem a relatively easy software coding exercise to adapt such products to compliance clauses. This type of approach could also be used for non-standard governance clauses in joint venture (JV) or other types of partnerships agreements. Having once been assigned the task of reading all my employer’s JV agreements (87) and third party sales agents contracts (211) from across the globe and recalling the amount of time it took to do so; I can personally attest again to the greater efficiencies we are considering through the use of AI.
This example also points to one of the key disadvantages to AI and ComTech going forward. In past years, it was through document review and the detailed reading of documents and cases that many junior lawyers were trained. In my experience, reading all those JV agreements and third party sales agents’ agreements gave me a very good education in contract language and what positions were more and less favorable to each party. This is how many young associates were trained in law firms. This very practical method of training will eventually go away.
This final example also points to one of the key limitations of ComTech. While it might have helped to have AI review the JV agreements and third party sales agents’ contracts, it only could identify non-standard contract language. Unfortunately, since most of the agreements and contracts were bespoke they were uniformly non-standard. Further, the assignment I was given required an analysis of each non-standard contract so the judgment of a human was required. Even as AI becomes more sophisticated, the judgment of a professionally trained compliance practitioner is still required to validate the areas flagged by AI as anomalies.
Gary Kasparov recognized this after his loss to IBM’s Big Blue in a chess match. In a review of his recent book Deep Thinking-Where Artificial Intelligence Ends and Human Creativity Begins, it noted that Kasparov “recognized that computers do well what humans do badly and vice versa, suggesting a useful complementarity.” Moreover, “he argues that humans are often fallible, finding patterns in randomness and correlations where none exist. Computers can help us be more objective and amplify our intelligence. Technological progress can never be stopped even if it should be better managed.” Kasparov even formulated his own theorem, which he calls “Kasparov’s Law” and it reads, “Weak human + machine + better process is superior to strong human + machine + inferior process.”
There have always been technological innovations which help make co mpliance disciplines run more efficiently, more smoothly and more profitably. AI is simply another step in this line of technological developments. There is certainly no reason to be afraid of using it. Given the disruption which has impacted the legal profession through LawTech; disruption is not far behind in the compliance world through ComTech.
Three Key Takeaways
In this episode, I visit with Rakhi Kumar, the Managing Director, Head of ESG Investing and Asset Stewardship for State Street Global Advisors (SSGA) on the firm’s recent white paper entitled, “SSGA’s Perspective On Effective Climate Change Disclosure”. While the white paper focused more specifically on climate impact and climate risk to businesses in the energy and mineral extractive industry, it set out a protocol which every Board of Directors can use for a wide variety of risks, including compliance risk.
We consider the purpose & methodology of SSGA’s white paper. We take a deep dive into the four areas of how a Board can better position climate change risk:
We then consider the SSGA approach in the context of a broader risk management process through the exploration of such issues as
In this episode, Matt Kelly and I take a deep dive into the good, bad and ugly of Hurricane Harvey for the compliance professional. We discuss what lessons may be drawn from the storm and its aftermath for the greater compliance, ERM and business communities and the need to take a much greater holistic approach to the consideration of your risk management strategy. We end with some thoughts on the travails of Salt Lake City nurse Alex Wubbels who was arrested for obeying the law in refusing to take blood from an unconscious patient. We consider her plight from the compliance perspective.
For more on Hurricane Harvey and its aftermath see the following:
Matt Kelly’s piece Corporate Ethics, and Glitches, in Houston
Tom Fox’s pieces
For Matt’s piece on the arrest of Nurse Wubbels, click here.