Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories, including:
As I end this section on innovation, I want to conclude by laying out a road map which allows a CCO or compliance practitioner to make more effective and better operationalize a corporate compliance program. With the DOJ’s Evaluation of Corporate Compliance Programs emphasis of operationalizing your compliance regime, innovation is an important tool for you to use in this journey, yet one that I believe is too often overlooked. One of the best recent roadmaps I have seen was suggested by LRN Corporation’s 2016 Ethics and Compliance Program Effectiveness Report.
The Report detailed four key findings which are symptomatic of an operationalized compliance program. Susan Divers, Senior Advisor at LRN Corporation, noted overarching theme in is that ethics and compliance “programs centered on values are more effective than ones that aren’t. A values-based approach toward shaping culture emphasizes and sets expectations, not just about what can and cannot be done according to rules, but rather what should and should not be done in alignment with core beliefs. In rules-based environments, that is, everyone’s job is to do the next thing right—to act correctly. In values based environments, in contrast, everyone’s job is to do the next right thing—to act morally.”
It is this drive to burn compliance into the DNA of an organization that fully operationalizes compliance. Think of any recent scandal, Volkswagen (VW), Wells Fargo, Valeant, Uber or you name the scandal, where if an employee had simply done the right thing instead of the illegal action, how much better off a company would have been. The four findings were:
The most effective E&C programs are embedded in business operations. Diver pointed out it is critical a company should think “about ethics and compliance and values as part of your brand.” By doing so, each level in a company will understand its role going forward, from the Board of Directors, senior management, middle management and the employee base. Moreover, the company will train, develop and promote an ethics and compliance program through each of these levels.
Susan Divers provided an insightful example, “I think if I were to use one word to characterize all of them together, it would be holistic. The first one of embedding your ethics and compliance programs in your business operations, one big piece of that is your brand. For example, Volkswagen used to have a fantastic brand. You thought of Volkswagen and you thought of basically a green car, and one that was well engineered. Now it’s a massive fraud. One headline I saw called it Hoaxwagen.”
The most successful ethics and compliance programs use a variety of channels to convert guidance into practice. An effective compliance program will communicate the corporate ethics and compliance values through multiple channels throughout the company, on an ongoing basis. This speaks not only to upward and downward communications within an organization but also inbound and outbound to the company as well. But more than simply saying there should be communication, the Report also assesses how communications occur through inquiring into the clearness and conciseness of messages and whether an organization uses more effective communication techniques such as shorter, more frequent training models or facilitated workshops as opposed to rote one hour lectures from lawyers.
Communications can be made in other, more subtle manners. Consider what are the actual behaviors that the conduct demonstrates? Divers said that at LRN, “We’re not so fond here of tone at the top. We’re more fond of actions at the top, because tone can be one thing and actions are another. Looking at whether managers’ ethical behavior counts in terms of promotion and bonuses, that’s really where the rubber meets the road in a lot of places, and that makes a huge difference. Another aspect of that is making middle managers accountable for ethics and compliance in their business, and the good programs coach people in that aspect. That’s really some of the key aspects we looked at for how you embed in business ops.”
High-performing programs proactively convert regulatory guidance into practice. I found this to be one not often enough discussed as many compliance practitioners struggle to convert DOJ pronouncements, comments or lessons learned from FCPA enforcement actions into practical guidance. The most effective compliance programs internalize such guidance from prosecutors and regulators and continuously improve. Here one might consider an example torn from the headlines: when the Wal-Mart corruption scandal in Mexico broke, I called one CCO the next day who told me he had already put a PowerPoint presentation in front of his senior management about the perils of finding your corporate name splashed across the front page of the New York Times alleging your organization of bribery and corruption.
Divers considered this finding from another perspective. She stated, “You have to look for the actual challenge the people view in the company, whether that’s sales force, or other disciplines. There in lots of different ways and in positive ways, not just negative ways. One of the things we did, which we didn’t just tell people that serious actions meant this, we looked at actual business cases where people had done the right thing and made the right choices to comply with regulations, and that’s very powerful for modeling. Another aspect of that is how you embed your Code of Conduct. Do you just put it out on the website and say, “Great, here it is. Read it,” or you have discussion? Obviously, those are more effective.”
High-performing programs spread their impact broadly, recognizing that it is the whole organization that needs to be engaged in ethics. This finding considers whether an organization has moved away from a “silo-based approach to ethics and compliance.” It did so by reviewing how the different corporate functions work as catalysts for imbuing your organization values in their specific corporate discipline. Here Divers related that “high performing programs aren’t sitting in a closet somewhere, only visited when there’s an ethics issue. High-performing programs are out there. They work across the corporation with human resources, with internal audit, with legal, and even with sales and marketing, and finance and accounting, to make sure that ethics are a part and parcel of business operations.”
This month I have reviewed a variety of innovations in compliance; from innovations in structure, use of social media tools and concepts, to new and different ways to consider your internal resources as ways to innovate in your compliance regime. The DOJ has consistently said that a compliance program must evolve. It must evolve to meet new or updated risks, new opportunities or different regulations. Innovation is one of the best ways to evolve. Finally and perhaps most importantly as a compliance practitioner, always remember that you are only limited by your imagination.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
Today, I visit with noted fraud examiner, Jonathan Marks, a partner at Marcum LLP on the relationship of the internal auditor, fraud good governance and board governance. Marks began by noting that an organization which has in place a strategically integrated governance risk management structure at the Board level has an ethical and operational backbone against which an entire business can be managed. While doing significant fraud investigations he has found that when one considers the governance, it often has a key role in the overall determination. He went on to note that corporate government is the systems and processes and organization has in place to protect the interests of the first diverse stakeholder group. Good corporate governance consists of the Board of Directors, its committees managing the legal and regulatory environment where business practices intersect all around transparently monitoring enterprise risk management.
The Board has a key role in any organization helping determine their risk profile through its oversight of management. He believes it is the Board which has ultimate responsibility of risk parameters and setting the risk profile. Moreover, from an oversight perspective the Board should be ensuring that management is not doing things which put the organization at risk. Marks stated, “We all know from the various frauds that have already occurred and have been in the newspapers and in the public eye are looked at from a siloed perspective and not looked at in the aggregate.”
A Board should ensure that management does not overstep its boundaries when management is looking at certain transactions. It is important the Board take an active role. They need to ensure that management is doing risk assessments on a regular basis. If one considers the Hewlett-Packard acquisition of Autonomy to see how the Board failed in its oversight role in the merger context by not asking the right questions or seeking enough relevant information from the CEO. More recently is the Telia FCPA enforcement action, where the Board allowed senior management, literally right up to the CEO, engage in bribery and corruption to do business in Uzbekistan.
Marks emphasized the Board’s role should be looking “at this from a fresh set of eyes and really understanding what the risks of the organization might be to help the organization better manage their risks. And the other thing the board can do is ensure that management is constantly thinking about the ways that things can actually go wrong.” This is critical when considering internal controls around fraud or even financial reporting and disclosure required under SOX.
One of the most asked questions is how much information should a fraud examiner or other provide to a Board. Marks considered it from another perspective saying, “I'm less concerned about the quantity I'm more concerned about the quality of information. For me, it is about getting the right information to the Board. A Board book filled with white noise does the Board no good. You would hope that it would not be the case but it often is.” He believes the key is to put together information that is almost surgical in approach, with very detailed information allowing Board members to assess for themselves.
It is all about good communication. From an information perspective, Marks would provide the Board the information it needs to properly assess the risk of the business. This should lead to a dialogue with them. The Board should be actively engaged and ideally would have questions back to the fraud examiner. Marks emphasized that communication includes feedback you know so you know they have not only reviewed but thought about the information you have presented.
While many compliance departments may have begun more as a command and control function, set up by lawyers to comply with anti-bribery laws such as the FCPA, UK Bribery Act or others; this type of leadership model is now becoming outmoded in today’s world. It is not that employees are interested in the ‘why’ they should do business ethically and in compliance with such laws but it is more that power is shifting inside corporations. In a HBR article, entitled “Understanding “New Power””, authors Jeremy Heimans and Henry Timms explore how leadership dynamics are changing and what companies might be able to do to harness them. I found them to have some excellent insights, which a CCO moving to CCO 2.0 or compliance practitioner might be able to garner for a compliance function.
The authors begin by noting that ‘new power’ differs from ‘old power’ in a bi-lateral dimension of intersection. This intersection is between the models used to exercise power and the values which are now embraced. It is the understanding of this shift in power, which will facilitate the compliance function moving more to the forefront of a business integration role. The new power models are fourfold. Under sharing and shaping a company is much more integrated with its customers and supply chain. Second is funding which continues this integration by adding a vertical component of funding, whether equity positions or some other type of funding. Third is producing in which “participants go beyond supporting or sharing other people’s efforts and contribute their own.” Finally, there is co-ownership, which is the most decentralized, pushing participation down to the lowest or most basic levels.
But beyond these new power systems, the authors believe that “a new set of values and beliefs is being forged. Power is not just flowing differently; people are feeling and thinking differently about it.” The authors call them “feedback loops” which “make visible the payoffs of peer-based collective action and endow people with a sense of power. In doing so, they strengthen norms around collaboration”.
The authors lay out five new values. They include the area of governance where the authors note, “new power favors informal, networked approaches to governance and decision making.” Next is in the area of collaboration where the authors believe that this new power value rewards “those who share their own ideas, spread those of others, or build on existing ideas to make them even better.” The next new value is DIO or do it ourselves. Under this value, there is a “belief in amateur culture in arenas that used to be characterized by specialization and professionalization.” Next is transparency which, while not a new concept, says that more permanent transparency between business and social lives will lead to a “response in kind from our institutions and leaders who are challenged to rethink the way they engage with their constituencies” specifically including their employee base. The final new value identified by the authors is affiliation, which means that new and younger employees are less like to “forge decades-long relationships with institutions.”
The authors have three prescriptions that I found could be useful for the CCO or compliance practitioner to incorporate into a mature and evolving compliance program moving forward. Compliance functions need to “engage in three essential tasks: (1) assess their place in a shifting power environment, (2) channel their harshest critic, and (3) develop a mobilization capacity.
Assess where you are
This prong is quite close to something compliance practitioners are comfortable with in their role, a risk assessment. However the authors suggest that the assessment be turned inward so you should assess the compliance function on this “new power compass—both where you are today and where you want to be in five years.” You can benchmark from other companies in responding to this query. Internally, you can begin this process with a conversation about new realities and how the compliance function should perform. More importantly such an assessment can help you identify the aspects of their core models and values that should not be changed.
Incorporate business unit interests
The authors note, “Today, the wisest organizations will be those engaging in the most painfully honest conversations, inside and outside, about their impact.” However, I think this question should be asked first by the CCO or compliance practitioner. For it is not only what you are doing to work with your business units but more importantly what are you doing to incorporate their concerns and suggestions into your compliance regime. If you are going to ask the business unit to be a significant partner or better yet be your business partner, you will need to have a mechanism in place to engage your business unit so there can be an inflow of input before the compliance function has an output of requirements. As the authors write, “This level of introspection has to precede any investment in any new power mechanisms” to which I would add any successful compliance function.
Mobilize your capacity
Here I suggest you consider contracted third parties and other third parties such as joint venture (JV) partners as an avenue through which the compliance function can bring greater benefits to an organization. Compliance expert Mary Jones, the former Global Industries Director of Compliance, often discusses her training of the company’s third parties and how thankful they were that when she would personally travel to their locations and put on in-person training. Her efforts to travel to their locations, spend the money required to do so not only directly strengthened Global Industries’ compliance function but created allies for her efforts by giving these suppliers the information and training they needed to comply with their customers requirements. By reaching out in this manner, Global Industries used its contracted third party suppliers to create a stronger company compliance program.
As the anti-corruption compliance profession matures, it will become more a component of a company’s business function. This means less of a lawyer’s top down mentality of do it because I said to do it, to more collaboration.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
Now consider the use of video to assist ongoing communications in a best practices compliance program. It has certainly been proven that social video can boost your company’s brand awareness and its sales. Why not consider using video to boost your compliance functions brand awareness and help spread the message of your corporate values and ethos. In an article in Inc., entitled “Everything You Need to Know About Creating Videos for Your Business (Even If You Have No Video Experience)”, it reported that Facebook now generates an “average of eight billion video views per day and YouTube reaches more 18- to 49-year olds than any cable network in the U.S.” Why not take advantage of this natural tendency to produce compliance focused content that would engage your compliance customer base – your employees.
The article provides three short guidelines to consider which are equally valid for considering communications from the compliance function. The first is to have a plan around what you want to do. This includes not only your script but also your budget. It does not have to a large high dollar production. You can shoot a video in your office, literally using your iPhone if that are all the resources you can muster. I recently attended the tech conference Collision 2017 and in the press area, there was a set up for interviews using iPhones. At the 2016 SCCE Compliance and Ethics Institute, Kortney Nordrum recorded Roy Snell and myself for a live session of our Unfair and Unbalanced podcast using an iPhone.
Another resource is your corporate media function. A great example was a CenterPoint Energy video put out in 2015 after the Volkswagen (VW) emissions-testing scandal become public. The video featured Scott Prochazka, CenterPoint Energy President and Chief Executive Officer (CEO). He used the VW scandal to proactively address culture and values at the company and used the entire scenario as an opportunity to promote integrity in the workplace. But more than simply a one-time video, the company followed up with a with an additional resource, entitled “Manager’s Toolkit – “What does Integrity mean to you?””, which managers used to facilitate discussions and ongoing communications with employees around the company’s ethics and compliance programs. The cost for the video was quite reasonable as it was produced internally.
This CenterPoint Energy example brings up another key point which is timing. Just as many CCOs used the New York Times’ breaking story on Wal-Mart’s alleged FCPA violations in Mexico back in 2012 as an opportunity to brief senior management on what can happen when your company appears on the front page of a Sunday NYT edition for FCPA violations; CenterPoint Energy used the VW emissions-testing scandal as an opportunity to not only reaffirm its own corporate values but also engage in ongoing communications.
Another key element is also built around time and it is that “short videos are good videos”. You can have a series of short videos communicating different aspects of your compliance program. It can range from short messages from your CEO, to videos of your CCO to videos of employees. Employees will always tune in when senior management speaks to them internally through a video. They want to hear from the President and a message of commitment to the culture values of doing business ethically and in compliance is always a message that will resonate with employees.
Also consider having employees in short discussions on how they may have overcome compliance challenges. Celebrate these events but do not forget their power to educate and inspire other employees. Such techniques can give your employees a peek behind the curtain, not to show the wizard has no clothes but because it makes your internal compliance function seem more authentic.
What are some of the venues you can utilize for these videos? Of course internal channels are appropriate to use. If you have an internal Twitter like function, you can post short videos that can be posted and reposted multiple times per day. If you have a tech savvy, media-friendly company you might consider an Instagram type approach, combining videos and pictures. Finally, do not forget the power of YouTube. It is one of the largest search engines behind Google and the prime location for video watching by the vast majority of folks these days.
Finally, never forget that one of the key factors listed in the Morgan Stanley Declination to Prosecute was 35 compliance reminders provided to their recalcitrant FCPA violating Managing Director Garth Peterson over seven years. These types of videos can certainly be used in a variety of ways, including as a legal defense to any FCPA investigation.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
In this Episode 2 of Compliance Man Goes Global podcast of FCPA Compliance Report International Edition, we focus on real priorities of the corporate compliance programming at high-risk markets. In each podcast, we take two typical concepts or probably misconceptions from in-house compliance reality. We check out if these concepts work at emerging jurisdictions. For each podcast, we divide roles with Tim Khasanov-Batirov, a compliance practitioner who focuses on high risk markets for 17 years and myself.
Corporate Concept #1. We have officially deployed compliance program at a high-risk market. All hallmarks are duly identified in it. I do not understand what kind of priorities I have to consider in addition to regulatory hallmarks. When enough is enough?
Tim Khasanov-Batirov: Here are my pros:
To address regulatory expectations you should have a program that is comprised of 10 Hallmarks. Here are your priorities. This is a very straightforward and in my view a very clear philosophy.
10 Hallmarks cover both legal aspects along with implementation side. If we want to find priorities for particular organization among already identified regulatory priorities we can simply choose them from 10 Hallmarks.
Attempt to perplex the framework could harm the execution of the program. I do not see any merits from practical side to distract attention of the team and to spare resources on reinventing the wheel.
Tom: OK, let me give you some examples, which probably allow you to re-think about priorities. Here are cons:
You definitely want to avoid paper compliance program. Therefore, you probably need to distinguish 10 Hallmarks from practical methods on implementing them. We can call these practical methods priorities.
The following priorities come to my mind when I think about practical side on implementation of the corporate compliance program in emerging markets. First, clear understanding by compliance personnel of how they could achieve goals prescribed by the hallmarks. Second, obtaining trust from the management by compliance team. It is vital. Third, constant engagement and cooperation with key stakeholders aimed on keeping compliance team’s eye on the ball.
Tim: I believe Compliance man referred to this topic in the first episode of the illustrated series entitled: First Things First.
Corporate Concept #2 “In real world compliance goals and priorities mismatch business needs or even prevent business from growing”. Tim, will you support this philosophy if you look at high-risk markets?
Tim: It is common place to oppose corporate compliance efforts to business growth. Moreover, this statement is a kind of vague. I strongly disagree with it. I believe compliance priorities exist on the radar of business leaders at least due to very pragmatic and even cynical reasons.
Threat of personal liability and possible negative impact on the company in case of enforcement actions.
Wish to comply with corporate rules and maintain status of a “good corporate citizen” in the company.
I also believe in scenario when compliance philosophy gets a high priority status in the in-house reality due to Compliance team’s efforts.
Tom: My concerns are the following:
As we know the main business goal is earning money. What we call compliance in certain cases is viewed by business leaders as obstacle in money making.
Sometimes top managers unfortunately are not aware about compliance risks and consequently their own duties to mitigate them. Thus, unintentionally management might ignore even basic compliance rules.
The worst-case scenario when compliance team was not able to demonstrate the ability to work in the team rather than being just bureaucratic “Dr. No” department.
Tim: As key takeaways from today discussion, I think we can mention the following ones: a compliance practitioner should implement the program based on regulatory requirements in cooperation with business leaders. To achieve this goal he or she should obtain trust from top management and get awareness (and even appreciation) of compliance activity by key stakeholders.
Join Tom Fox and Tim Khasanov-Batirov for the next episode of Compliance Man Go Global episode of FCPA Compliance Report International Edition. Join us again as we bust more corporate compliance myths.
How do you tap into your largest resource of innovation for your compliance program, which is of course your employee base? That topic was explored in an article in the MIT Sloan Management Review, “How to Catalyze Innovation In Your Organization” by Michael Arena, Rob Cross, Jonathan Sims and Mary Uhl-Bien. This article posits that companies can “fuel the emergence of new ideas by understanding and tapping the power of employee networks.”
The tenets and concepts the authors articulated provided several useful insights for a CCO or compliance professional. The first was that “companies need to create context that allows people, ideas and information to flow across different groups.” The second identifies a group of employees who operate as brokers and they create “bridges between groups” within a company. These brokers should work with “central connectors, who are well-connected in one subgroup” to form a powerful network. Finally, “when facing a problem, innovators should engage their network early on.”
Interestingly, as with the ever-dwindling myth of the rogue employee in FCPA enforcement, the authors note, “Tales of a lone inventor with a blinding insight are unhelpful myths when it comes to corporate innovation. Successful service, product, or process innovations within large, complex organizations are very much a social phenomenon.” A successful CCO will know that they need to leverage employee networks for both innovation and communications of compliance initiatives.
The authors key insight was their three divisions of social networking within an organization. They believe “A key to catalyzing emergent innovation is identifying and positioning innovators within an organization.” Moreover, it is the use of these networks which can move innovation back up to the top of an organization and communications down through a company as well.
Brokers are the group of employees which build bridges from one group to another within and outside an organization. This allows them to act as critical channels of information and ideas. Brokers offer three competitive advantages: broader access to diverse information, early access to new information, and control over the diffusion of the information. Yet more than simply acting as conduits, “Brokers facilitate this discovery process through their social connections and then determine how and when these insights can be introduced to other parts of the organization. The creation of adaptive space enables brokers to more actively connect and navigate beyond their local subgroups to explore new possibilities.”
The second group is “central connectors” who provide group cohesion for implementation of innovation and communications going forward. The authors stated, “Group cohesion represents how connected individuals are to one another within a group. A group is considered cohesive when many redundant connections exist among group members. That is, the likelihood of any individual within the group being connected to any other individual within the group is high. As a result, cohesive groups can quickly share information and generally operate with high levels of trust.” These central connectors can take an idea and move it into more disparate groups to diffuse both ideas and communications; in short it is often these central connectors who will drive an innovation to success.
While some industries and companies resist rotation for a CCO or compliance profession, it would appear the better practice is to use rotation as a catalyst for innovation and change. The authors noted one example where employees were moved between projects every three years or so which allowed knowledge to flow around more readily. The authors concluded that the company had “provided the space that enabled an active interplay between brokers and connectors.”
The final group identified by the authors are the “engergizers” who can work to “trigger the interest and engagement of others and unleash the passion necessary for bold innovations to advance.” The authors believe that many factors can drive this including “Network energy, or enthusiasm, drives diffusion, co-creation, and active engagement across the larger organization.” The energizers challenge those within a company to “think more boldly than they would within their own subgroups and creates a contagious mindset as the innovation progresses.” Finally, “Energizers are able to fully engage in interactions, inspiring others to devote more time and energy to an initiative. The reputation of an energizer spreads quickly across the network, attracting others to aggregate multiple ideas into bolder, integrated concepts that are more likely to succeed. Energizers connect with individuals who have different expertise or backgrounds. These differences can be embraced as elements essential to the creation of bolder innovation.”
Through these three differentiated groups, there are five steps around innovation for the CCO to consider going forward.
There are always pockets and groups within an organization which resist change. Often this is one of the CCOs most difficult task. Yet the authors have laid out a clear path to overcoming such resistance and it is equally applicable to moving compliance communications through an organization. By using central connectors and energizers, a CCO, the broker, can get the message of compliance moved faster, in a more complete and enthusiastic manner. Finally, this will go quite a long way towards operationalizing your compliance regime.
Three Key Takeaways
In this episode, Matt Kelly and I take a deep dive into the Telia FCPA enforcement action. It is the largest FCPA fine ever, coming in at $965MM. The breadth and scope of Telia’s illegal conduct was about as far-ranging as one could imagine. The fines and penalties certain bore this out. The bribes were specifically approved by the highest level of Telia, including senior executives and the Board of Directors. There was an explicit awareness that the bribery scheme would violate the FCPA, so the company tried to navigate its way out of potential FCPA liability. Clearly those efforts were lacking.
We discuss the blatant nature of the bribery scheme, the international investigation and enforcement effort involved, how this enforcement actions differs from other types of enforcement actions and lessons to be learned from the matter. We also consider that the company did not self-disclose but did cooperate in the investigation and provided extensive remediation. This netted the company a 25% discount off the minimum penalty as calculated under the US Sentencing Guidelines.
The resolution documents include the SEC Cease and Desist Order, the DOJ issued an Information and a Deferred Prosecution Agreement, Telia. The DOJ also issued an Information and DPA for Coscom LLC, the Telia subsidiary through which the bribery occurred and a Plea Agreement.
In a separate Press Release, Telia said in part, “The information being reported by media about the terms of the resolution is not complete. Telia Company has already announced that it has taken a provision with respect to the expected financial sanctions. It is correct that we are very close to a final resolution with all authorities (SEC, DOJ and the Dutch prosecutor), but cannot comment further at this time.” Cassin reported, “The company said in April it had adjusted its “estimate of the most likely outcome of the ongoing investigations into the company’s market entry and operations in Uzbekistan to $1 billion from $1.45 billion.””
The bribery scheme involved the company illegally buying its way into the Uzbekistan telecom market through its bribery of Gulnara Karimova, the eldest daughter of the late Uzbek President Islam Karimov. Karimova was also the bribery conduit in the VimpleCom matter, resolved in February 2016. In the Telia case Karimova parlayed her providing telecom licenses and upgrades into bribe payments of over $330MM to shell companies which she controlled.
In the DOJ Press Release, Acting US Attorney Joon H. Kim stated “Telia, whose securities traded publicly in New York, corruptly built a lucrative telecommunications business in Uzbekistan, using bribe payments wired around the world through accounts here in New York City. If your securities trade on our exchanges and you use our banks to move ill-gotten money, then you have to abide by our country’s laws. Telia and Coscom refused to do so, and they have been held accountable in Manhattan federal court today.”
The SEC Press Release stated, “Telia entered the Uzbek telecommunications market by offering and paying at least $330 million in bribes to a shell company under the guise of payments for lobbying and consulting services that never actually occurred. The shell company was controlled by an Uzbek government official who was a family member of the President of Uzbekistan and able to exert significant influence over other Uzbek officials, causing them to take official actions to benefit Telia’s business in Uzbekistan.”
For more on the Telia enforcement action, see Tom’s blog posts:
Compliance into the Weeds is a part of the Compliance Podcast Network
Linda Justice bring Nancy Drew to your side to fill all those knowledge gaps in your pursuit of clients. Using her technical background in corporate investigations, brings experience to business development, strategic management of risk and compliance. In this episode, she discusses her new consulting venture and how using a range of tactics, from strategizing with a CEO of a small company on the best go-to-market strategy, to helping a solo practitioner target and triangulate a very specific company, to working with a larger group of Partners within an organization create an underlying process and nurture multiple opportunities simultaneously. It is fascinating interview with a learn know compliance practitioner from the Bay Area.
Linda Justice can be reached at email@example.com.
Much has been written on hiring a new CCO. As with the hiring of other senior executives, such as a CEO or CFO, there can be specific questions about challenges the candidate has faced in prior engagements. For the CCO position having one who has literally been through the wars, usually in the form of an extensive Foreign Corrupt Practices Act (FCPA) investigation or enforcement action, is a critical inquiry. In most instances, Boards will want a candidate who can lead the company through the situation currently faced.
But what about hiring at a level below the CCO? Most companies take the best athlete approach, hiring the most well rounded candidate with a varied background. However an article in the Harvard Business Review (HBR) Idea Watch column, entitled “When Hiring Execs, Context Matters Most”, reported on a new CEB study which “suggests that companies will be more successful if they consider the particular leadership context when hiring for every level. Instead of taking on generalists trained to meet any management test, the researchers say, firms should use an assessment system that identifies candidates whose personality attributes and experience are custom-tailored to the contextual challenges of the position.”
Basically, CEB came up with a quantitative approach, looking at 27 different contexts around projects, challenges and issues. From this list they, “assessed leaders’ personality attributes, tracked relevant experience, and solicited opinions about behavior, performance, and effectiveness from supervisors and direct reports.” The research team “also coded 60 variables that inform context, such as whether the job involves a high degree of uncertainty, requires managing a geographically dispersed team, or calls for cost cutting.” From this they ran data analytics and “worked to understand why some leaders succeeded while others underperformed, the biggest factor that emerged was how well a leader’s personality, skills, and experience meshed with the specific challenges of the job.”
Some of the challenges which included the following areas are well familiar to the compliance practitioner: leading global or cross-cultural teams; transforming a high-conflict culture; leading an organization through a merger or acquisition, operating a corporate function with high resource constraints; growing through innovation; growing the function through cost competitiveness; and managing a broad portfolio of products and services.
The bottom line is that the more challenges a leader will face, the more difficult their job will become and the success rate will inevitably drop. Yet the article suggests that the context of experience may well be a key indicator. But it moves beyond simply hiring, noting “For example, if success in a leadership role is context-specific, and if the context is apt to change quickly in a fast-moving business environment, firms might need to move leaders in and out of roles quickly. Awareness of contextual challenges can also change the way a company approaches development.” Jean Martin of CEB was quoted “Once you recognize how well-suited leaders are to the context in which they’re about to be placed, you can use that information to drive much more specific investments in development and find ways to coach people to account for the greatest areas of mismatch.”
This approach also allows you to get to the granular level of team projects. The article said that companies could use such techniques to “revise responsibilities, streamline goals and objectives or try and solve a particular problem”. A company could also use this method to consider its internal bench strength, focusing on who could assist the compliance function in rolling out a new initiative or even a new compliance innovation. The piece ended with a few thoughts on the best athlete approach. It suggested a term called ““spiky,” meaning that they excelled at a few specific capabilities but were not above average in all. “Chasing managerial agility instead of allowing for specialization is ineffective,” the researchers concluded.”
HBR also included an interview with a company which had utilized this analytical approach, Adecco Group, a Zurich based workforce solutions entity. The company’s global head of talent strategy and development, Courtney Abraham, was interviewed. As much as they tried the company inevitably fell back on a non-analytical approach; i.e. using intuition in the hiring process. Mostly, Abraham felt such an approach did not deliver consistent results.
While Adecco did not use the full 27 context approach suggested in the CEB study, they did develop its own 6 “most important challenges some will face in a new role and compare them to candidate’s skills, competencies, motivations and runaways.” This allowed the decision to move away from the gut level to one of a “shared language” among those evaluating the talent.
An interesting side effect and one not expected by Adecco was that the data often led to an internal candidate who was not “next in line” for a promotion. It allowed internal promotion with “eyes wide open” to a candidate’s strengths and areas where they needed additional development. It also has implications for development as employees have a better understanding of their weaknesses and what gaps they may need to fill. Abraham stated, “we can use onboarding and development to actively coach and support them.” Internal hires bring the benefit of having already bought into and have been a part of the company culture and “they understand our business, the people and the competitive landscape.”
The use of data can help a compliance professional identify internal candidates to move a corporate compliance program forward. This can also give a company a boost by bringing non-compliance professionals into the compliance realm which will allow them to more fully operationalize compliance if they return to a more traditional business unit role.
Three Key Takeaways
Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories, including:
Innovation can come in various forms for an organization. Innovation can appear in a structural form. You can move compliance more deeply into your organization with new or different structures. One I have seen have success is a compliance committee more closely tied to the geographic market in the field, or the Regional Compliance Committee.
Two of the most common compliance focused committees are those at the Board level and those which sit between the CCO and the Board, usually consisting of senior executives such as members of a company’s executive leadership team. However, a Regional Compliance Committee can will help the corporate compliance function to more effectively ensure employee and business partner engagement with compliance by integrating compliance into every aspect of functions and generating the necessary information to continuously improve the overall compliance function. A Regional Compliance Committee can also operate on multiple planes to fully operationalize compliance in a company, augment the internal controls and make the company a more efficient and profitable entity.
Most companies have a Board Committee dedicated to ethics and compliance or something like a Board Audit Committee which the CCO will report into. Once again, there are many companies with senior executives populating another level of oversight with a compliance committee between the CCO and the Board. A Regional Compliance Committee, formed at the regional level, helps to create more direct ownership, accountability, and valuable transparency. This moves compliance down into all levels of a company’s operations. This approach also significantly improves the consistency of compliance execution, and helps to ensure that all of business objectives are achieved in a legally compliant fashion. A Regional Compliance Committee does not have primary responsibility for internal investigations but is charged with reporting any known compliance issues to the CCO.
A Regional Compliance Committee can provide clear and frequent compliance-related communication on related matters throughout the region, strengthening a company’s compliance culture. It allows compliance topics to be more thoroughly discussed at regularly occurring operations meetings. A Regional Compliance Committee can have communication structures designed to facilitate communication up the chain and down the chain. This allows a CCO to have a more direct set of eyes and ears closer to the ground. Finally, the Committees give the compliance function greater visibility within the organization because compliance has been moved further into the middle and lower levels of the organization on a daily basis.
One of the key elements of the Committees are their makeup, which is market centric. A Regional Compliance Committee should include some or all of the following: (a) the Vice President of the region; (b) the regional Ethics and Compliance Director; (c) the regional Legal and Compliance Director; (d) the regional HR Director; (e) the regional Finance Director; (f) the regional Trade Compliance Director; (g) the regional Supply Chain Director; (g) the regional Sales Director and (h) senior representatives of Operations in the market. This composition of the Regional Compliance Committee, coupled with their structures, allow compliance to be fully operationalized into the Company’s global organization.
Authority and Responsibility
There are multiple possible responsibilities for a Regional Compliance Committee. Some of these possible responsibilities include:
The innovation represented by the formation of a Regional Compliance Committee operationalizes compliance into a company’s operations where the business operates. This sort of approach follows the Department of Justice mandate, articulated in the Department’s Evaluation of Corporate Compliance Programs for companies to move the doing of compliance down into the business of the organization, or operationalize compliance. The make-up of a Regional Compliance Committee, while including compliance representatives, is also populated by representatives from other disciplines within the global organization. This allows a fuller, richer and more holistic approach to not only compliance advice.
It adds a dimension not often seen or even discussed in the compliance profession. The accountability and oversight down to the regional level and the compliance monitoring, reviewing, assessing and recommending that is deemed to be necessary will provide additional endorsements up through the organization that it is actually doing compliance. In compliance, it is execution where the rubber meets the road. A Regional Compliance Committee can provide your compliance program a unique structure to perform these functions.
Three Key Takeaways
The top compliance roundtable podcast is back with a wealth of new topics.
For Matt Kelly’s posts on SEC and Chairman Clayton, see the following:
2. Mike Volkov considers the intersection of anti-corruption compliance and anti-trust compliance in connection with the role of the Chief Compliance Officer.
For Mike Volkov’s post on the intersections on anti-corruption and anti-trust compliance, see the following:
The members of the Everything Compliance panel include:
Another innovation is to put your compliance program at the center of corporate strategy. An article in the Harvard Business Review (HBR) by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect management’s new sales plans with the “field realities.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”; Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.”
This can be a critical problem when operationalizing compliance because operationalizing compliance is usually perceived as a top-down exercise. The reality that the employee base that must execute the compliance strategy is not often considered. Even when there are comments from employees on compliance initiatives they are often derisively characterized as ‘push-back’ and not considered in moving the compliance effort forward.
Communicate the Strategy
It can be difficult for an employee base to implement a strategy that they do not understand. Even with a companywide training rollout, followed by “a string of e-mails from headquarters and periodic reports back on results. There are too few communications, and most are one-way; the root causes of underperformance are often hidden from both groups.” Here Cespedes’ insight is that clarification is a leadership responsibility and in the compliance function that means the Chief Compliance Officer (CCO) or other senior compliance practitioner. Moreover, if the problem is that employees do not understand how to function within the parameters of the compliance program, then there is a training problem and that is the fault of the compliance department. I once was subjected to a PowerPoint of 268 slides, which lasted 7.5 hours, about my company’s compliance regime. To say this was worse than useless was accurate. The business guys were all generally asleep one hour into the presentation as we went through the intricacies of the books and records citations to the FCPA. The training was a failure but it was not the fault of the attendees. If your own employees do not understand your compliance program that is your fault.
Continually improve your compliance productivity
Why not do the incentivize productivity around compliance? Work with your Human Resources (HR) department to come up with appropriate financial incentives. Many companies have ad hoc financial awards, which they present to employees to celebrate and honor outstanding efforts. Why not give out something like that around doing business in compliance? Does your company have, as a component of its bonus compensation plan, a part dedicated to compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when annual bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice.
Improve the human element in your compliance program
This is another area where HR can help the compliance program. More than ongoing assessment of employees for promotion into leadership positions, here HR can assist on the ground floor. HR can take the lead in asking questions around compliance and ethics in the interview process. Studies have suggested that certainly Gen Y & Xers appreciate such inquiries and want to work for companies that make such business ethics a part of the discussion. By having the discussion during the interview process, you can not only set expectations but you can also begin the training process on compliance.
However, this approach should not end when an employee is hired. HR can also assist your compliance efforts by tracking employees through their company career to identify those who perform high in any compliance metric. This can also facilitate the delivery on more focused compliance training to those who may need it because of changes on compliance risks during their careers.
Make your compliance strategy relevant
Cespedes notes, “Most C-suite executives know these value-creation levers, but too few understand and operationalize the sales factors that affect them.” In the sales world, this can translate into a reduction in assets to underperforming activities. This is all well and good but such actions must be coupled with an understanding of why sales might be underperforming in certain areas. In the compliance realm, this translates into two concepts, ongoing monitoring and risk assessment. Ongoing monitoring can allow you to move from a simple prevent mode to a more prescriptive mode; where you can uncover violations of your company’s compliance program before they become full blown FCPA violations. By using a risk assessment, you can take the temperature of where and how your company is doing business and determine if new products or service offerings increase your compliance risks.
Above all, you need to get out and tell the compliance story. Louis D’Amrosio was quoted for the following, “You have to repeat something at least 10 times for an organization to fully internalize it.” If there is a disconnect between your compliance strategy and how your employee base is implementing or even interpreting that strategy, get out of the office and go out to the field. But you need to do more than simply talk you also need to listen. By doing so, can help to align your company’s compliance strategy with both the delivery and in the field.
Three Key Takeaways
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.
How can you change the perceptions around compliance in your organization? With the Justice Department requirement, set out in the Evaluation of Corporate Compliance Programs, to more fully operationalize your compliance program, do you as a CCO struggle with operations buy-in? I thought about those questions and others when I read an article in the MIT Sloan Management Review, entitled “Learning the Art of Business Improvisation”, by Edivandro Carlos Conforto, Eric Rebentisch, and Daniel Amaral. In this article the authors explore the issue of improvisation and write that while it “may seem to be spontaneous, but managers can foster it in innovation projects through the deliberate development of certain processes and capabilities.” For what improvisation really comes down to is the ability to “create and implement a new or unplanned solution in the face of an unexpected problem or change.”
Compliance is certainly one area that requires such flexibility because of the ever-changing business conditions that exist in today’s multinational organizations subject to the Foreign Corrupt Practices Act (FCPA). Novartis announced its South Korean subsidiary was under criminal investigation for allegations of paying bribes to physicians, this less than 60 days after agreeing to a FCPA enforcement action which involved payment of a $25 million dollar fine for the actions of its Chinese subsidiaries.
Whether deliberately or not, compliance must improvise. Such compliance “Improvisation can foster problem solving, creativity, and innovation, and it is becoming a requirement for many organizations. Although improvisation might seem to be spontaneous and intuitive, to do it well requires the development of disciplined and deliberate processes and capabilities. Managers working in dynamic, fast-paced, and highly innovative project environments should develop and refine capabilities in these three areas to create a project environment that will enhance a team’s improvisation competencies - ultimately with an eye toward improving project results and innovation.”
There are three general areas which a company can improve upon to help advance its abilities to adapt and change. They are (1) Build a culture that recognizes and views changes positively. (2) Create the right team structure and project environment. (3) Provide management practices and tools that facilitate improvisation.
Under this first prong, innovation can come from teams that have a “positive attitude toward dealing with and accepting ambiguity and project changes.” Not surprisingly, this does not come from top down leadership but allowing “higher level of autonomy in making decisions.” Further, the farther out from the corporate office, the more “teams should be empowered to make decisions locally, be informed about and willing” to take make changes and provide enhanced compliance risk management, and not overly fear potential failure.
Clearly the ability to make changes requires a robust compliance regime to begin with. However, having such a system in place, particularly through internal controls, allows a compliance department to “help them to reduce uncertainty more quickly and effectively learn from their experiences. Teams equipped with a broad array of tools and techniques can use them to respond to different types of challenges. The focus should be on helping teams anticipate and recognize changing circumstances and make more rapid and accurate decisions.”
The second prong ably demonstrates that a key to making improvisation work is that you have good communication between the compliance function and business unit. This is not a new concept and communications runs two ways. If the business unit sees the Chief Compliance Officer (CCO) as Dr. No from the Land of No, they will not likely be calling for assistance. Yet compliance does not always know what business opportunities arise without that information so they cannot craft appropriate risk management solutions. Weekly interactions between leaders and key stakeholders are good first step.
Perhaps counter-intuitively, the authors also note that smaller teams appear to have more and better success. The “greater levels of improvisation in smaller teams that displayed more self-directing and self-organizing characteristics, such as being responsible for monitoring and updating the status of their activities and deliverables.” This can allow the compliance department to play a key oversight and support role “on the aggregated information and on more strategic issues related to the project.”
Under the final prong, it is shown that “teams with greater improvisation characteristics were more likely to use agile management approaches, techniques, and tools. In fact, teams that embraced an agile approach were nine times more likely to have high levels of improvisation compared with teams that used a more traditional (waterfall) approach.” This means that not only will a command and control structure not be able to move as quickly and efficiently but also you need to operate at a level of sophistication beyond simply spreadsheets.
Moreover, “The agile methods we observed in the teams with higher levels of improvisation included iterative development, supported by recurring delivery of higher-value deliverables; constant interactions between stakeholders and the project team; the use of visual tools to collaboratively manage the project with team members; and active involvement with the client and/or user in the development process.”
The ability to be agile is an important component of any best practices compliance program. The need to respond to business changes is always paramount. Yet there is no end to the variety of corrupt schemes engaged in by company employees. The Novartis matter in South Korea allegedly involved bribery through excessive payments for articles published in medical journals. Just as the bribery and corruption scandals involving GlaxoSmithKline PLC (GSK) and others in China demonstrate new and creative ways to put pots of money together to pay bribes, the Novartis issues may show another area that bears compliance scrutiny. A compliance function must be ready to adapt.
Three Key Takeaways
In this episode, Matt Kelly returns to his journalism roots with a live report from TEC 2017, the Workiva user conference. We discuss some of the hot topics at the conference including possible repeal or modification of SOX sections 404 and 302. We consider how internal controls around financial reporting intersect with compliance internal controls and how SOX reporting has elevated effective compliance internal controls as required under the FCPA. We also discuss document and information security and the concept of a single source of truth. We take a deep dive into the subject in the areas of audit trails for documentation in an FCPA investigation and in the upcoming SEC requirements around CEO Pay Ratio Reporting.
For more insights, see Matt’s blog post SOX Compliance: Do Better Than a ‘C’ Grade
If it is not clear already this month, innovation does not simply come from a technical or even service perspective but can improve your compliance program from a wide variety of perspectives. We have considered a variety of issues related to innovation. Now we consider how you think through a compliance related issue as an innovation.
Every compliance practitioner recognizes the prevent, find and fix tripartite approach to compliance. Many compliance practitioners believe that if you can move your program from one focused on detection to one focused on prevention, you have not only a more robust program but also one which is more fully operationalized as it would be closer to the ground and the front lines of employees.
Data and its analysis can be used in both approaches. Further data can be used in both approaches for multiple approaches to doing compliance. It can be used to simply stop behavior. However, data and data analytics can be used to further training, education and communication around compliance. The question becomes, which is better: real-time monitoring or right-time monitoring?
Consider the critique that monitoring of gifts, travel and entertainment (GTE) is always going to be 30-60 days behind the actual real-time event because it will take an employee 30 days to input their expenses into the system, have a supervisor approve it, and it goes to accounts payable for input. Does such a critique defeat a best practices compliance program which is dedicated to moving from simply a detect prong to a prevent prong?
However, an innovation can occur from how you consider the problem. So instead of a real-time review focus, consider a ‘right-time’ review focus. Patrick Taylor, President and CEO of Oversight Systems says the way to think through the issue is “What is the right time for the analysis?” He detailed the situation where your company has a corporate card program, or you use a corporate credit card. Through those mechanisms, you should be able to access those feeds every day from your card vendor, from your bank or card issuer. If you had that quantum and quality of information, there might well be certain things worth looking for. The classic example might be somebody spends some money at an adult entertainment establishment that masquerades as a restaurant because I may want to reprimand that employee or that behavior immediately.
Yet if your company uses an expense reporting system like a Concur or Pro River; the expenses can be previewed while they are in process; that is, before they are paid by your organization. It might be perhaps even before the employee’s manager approves the expenses. There could be a rash of information and data to look for at that time to give the manager a heads up to take a bit of a deeper dive into the expense report.
Finally, there are some GTE expense which are best looked at with the longer-term view. This could include expenses reports used to try to influence employee behavior. As a compliance professional, you are better off demonstrating a pattern of questionable or abusive expense-related items, as opposed to nagging one-off expenses report entries. Further there may be situations where there are literally bursts of activity which I would like to let pass by before trying to download that analysis. The question for the compliance professional is “What do I have, right?” Obviously, you cannot perform the analysis before you have data. The question you must work through is when do you have the data and then what is the right time to do any particular kind of analysis of that data? Because it may not always be the "real-time" when I found, when I've got it. Be much more concerned about what's the "right" time.
By thinking about what you are attempting to accomplish through your monitoring, it can help to inform your compliance program going forward, usually in a variety of ways. In the GTE example discussed in this piece, if you want to move to something closer to real-time monitoring, you will need to move towards the corporate credit card model, with real-time viewing of the purchases on the card. From there you can make a preliminary assessment if you want or need to use that data from the compliance perspective. Moreover, you should never forget that a much longer right-time review and perspective can be equally valuable for many of your other business processes going forward.
It is this final point, which makes clear the power of operationalizing your compliance program. If you put the architecture of compliance closest to those in the field who are literally on the front lines of your organization you should be able to obtain the data nearest to the customer. That data can be sliced and diced in a variety of ways which allow incorporate back into your continuous learning loop (OODA feedback loop) so that you can determine the most efficient business process going forward. When compliance can wed its prevent, find and fix mandate with overall business process performance, it can make a company more efficient and more profitable.
Three Key Takeaways
I welcome you to a new series entitled Compliance Man Goes Global podcast of Compliance Report-International Edition. I am joined by Tim Khasanov-Batirov, a compliance practitioner who focuses on high risk markets for 17 years. In each podcast, we take two typical concepts or more-probably misconceptions from in-house compliance conventional wisdom. We check out if these concepts work in emerging jurisdictions. For each podcast, we divide roles with one of us advocating the particular concept identifying pros; the other will provide arguments finding cons. Tim will conclude each concept with some practical solutions for in-house compliance practitioners for high-risk emerging markets.
Today we explore the following two concepts:
Corporate Concept #1. We have detailed policies in the HQ. We deployed those policies at our subs located in emerging markets. We will be just fine.
Corporate Concept #2. If there is a compliance person located at high risk market we could significantly mitigate our corporate compliance risks.
Innovation can come in form of new ideas or simply fresh ways to consider old problems. The idea of how to use the information available to a CCO is one that can be explored through different avenues. One of the most interesting, originated in the dogfights from World War II. The insights gained were instrumental in the US military’s swift victory in the First Gulf War.
It was detailed in a chapter in an eBook, entitled “Planning for Big Data - A CIO’s Handbook to the Changing Data Landscape”, by the O’Reilly Radar Team. The chapter was authored by Alistair Croll, entitled “The Feedback Economy”. Croll believes that big data will allow innovation through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using that information to make your business more agile, efficient and profitable is your greatest advantage.
Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the CCO, this means that if your company can collect and analyze information better, you can act on that information faster.
Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in our data; that “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.
The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud.
A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.”
Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.”
Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” Yet for many business leaders, displaying the data is most difficult because it is not generally in a readable form. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments.
Of course having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment decisions around hiring and firing decision, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. It advocates “fast, iterative learning.” Big data allows you to make a quicker assessment of the impact of measured risks.
Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”.
Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you should facilitate a more agile and directed business. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does.
Three Key Takeaways
To my mind the most significant and important book that every Chief Compliance Officer (CCO), General Counsel (GC) and compliance practitioner needs to read is The Chickenshit Club by Pulitzer Prize winning author Jesse Eisinger. It puts together for the first time, the story and timeline of how the Justice Department (DOJ) devolved from the group of prosecutors who convicted felons from the late 90s and early 00s financial scandal such as Enron and WorldCom, to the group which did not even bother to attempt to prosecute high ranking executives after the 2008 financial meltdown.
In this episode, I interview with book author, Jesse Eisinger and Paul Pelletier, a key source for the book. The interview is fascinating and I urge you to take a listen for both the substance and the interplay between Eisinger and Pelletier. We discuss the genesis of the book, what happened between Enron and 2008 which led to no prosecutions and conclude with both Eisinger and Pelletier's proposals to get the DOJ back on track as the nation's trial lawyers.
For the Everything Compliance podcast recording reviewing The Chickenshit Club, click here.
Finally and most importantly, to purchase a copy of The Chickenshit Club, click here.
Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including:
Next we consider superforecasting and its use by a compliance function. Imagine that as a Chief Compliance Officer (CCO), you could create a team which might well dramatically improve your company’s compliance and risk forecasting ability, but to do so you would be required to expose just how unreliable the professional corporate forecasters have been? Could you do so and, more importantly, would you do so? Most generally this is the predictive capability that organizations have used. However, the new “superforecasting” movement, led by Philip E. Tetlock and others, has been gaining strength to help improve this capability.
The concepts around superforecasting came of age after the intelligence failures leading up to the Iraq War. This led to the founding of the Good Judgment Project, which had as key component a multi-year predictive tournament, which was a series of gaming exercises pitting amateurs against professional intelligence analysts. The results of the Good Judgment Project was presented in a recent Harvard Business Review (HBR) article, by Tetlock and Paul J. H. Schoemaker, entitled “Superforecasting: How to Upgrade Your Company’s Judgment”. The authors had three general observations. First “talented generalists can outperform specialists in making forecasts.” Second, “carefully crafted training can enhance predictive acumen.” Third, “well-run teams can outperform individuals.”
To move to superforecasting, the authors laid out four precepts. The first is to find the sweet spot, which is somewhere between predictions that are “entirely straight-forward or seemingly impossible.” They note the sweet spot “that companies should focus on is forecasts for which some data, logic, and analysis can be used but seasoned judgment and careful questioning also play key roles. Predicting the commercial potential of drugs in clinical trials requires scientific expertise as well as business judgment.” I find the same to be true in compliance where “Assessors of acquisition candidates draw on formal scoring models, but they must also gauge intangibles such as cultural fit, the chemistry among leaders, and the likelihood that anticipated synergies will actually materialize.”
Next is to train for good judgment. This requires employees to learn the basics in such techniques as probability concepts, the definition of what is to be predicted and an understanding of numerical probabilities. As cognitive biases are widely know to skew judgment, companies need to raise awareness for this issue to arise. Finally, training to understand the psychology behind such biases narrowed predictive domains.
Next is to build the right kind of teams. The initial thing to realize is the importance of the composition of the team. The authors found that “cautious, humble, open-minded, analytical - and good with numbers. In assembling teams, companies should look for natural forecasters who show an alertness to bias, a knack for sound reasoning, and a respect for data.” Equally critical is that the “forecasting teams be intellectually diverse. At least one member should have domain expertise (a finance professional on a budget forecasting team, for example), but nonexperts are essential too - particularly ones who won’t shy away from challenging the presumed experts. Don’t underestimate these generalists.” Clearly your compliance superforecasting team should draw from the diversity within your organization not only in discipline but in temperament as well.
After the composition is considered, the authors move to “diverging, evaluating and converging.” The authors suggest “a successful team needs to manage three phases well: a diverging phase, in which the issue, assumptions, and approaches to finding an answer are explored from multiple angles; an evaluating phase, which includes time for productive disagreement; and a converging phase, when the team settles on a prediction. In each of these phases, learning and progress are fastest when questions are focused and feedback is frequent.”
The final component of composition is trust as there must be trust among your team members to facilitate good outcomes. This might also be understood that if the superforecasters demonstrate the errors or miscalculations of others in the group, not only will they be protected by senior management but their work will be defended. The authors note, “Few things chill a forecasting team faster than a sense that its conclusions could threaten the team itself.”
You then have to “track performance and give feedback” as the authors believe that it is essential to track the prediction outcomes and provide timely feedback to improve forecasting going forward. This also has the added benefit of providing an audit trail so that a company can learn from both the good and bad predictions. This leads to the authors’ next insight, which, in the process, is critical.
Such a feedback loop in the compliance sphere could lead to some of the following questions being posed: What information might others have that you don’t that might affect the compliance risk? What cognitive traps might skew your judgment on this transaction or risk? Why do you believe the company can safely navigate this compliance risk?
Answers to these and other questions can provide insight into not only specific predictions but also the process by which a team moved forward so that it can be replicated, in the future through an audit trail. [Think Document Document Document.] Also, “Well-run audits can reveal post facto whether forecasters coalesced around a bad anchor, framed the problem poorly, overlooked an important insight, or failed to engage (or even muzzled) team members with dissenting views. Likewise, they can highlight the process steps that led to good forecasts and thereby provide other teams with best practices for improving predictions.”
Like any innovation, there must be a commitment from senior management on moving forward. There must be data available both internally and research conducted externally with auditable trails on judgments, underlying assumption and data sources. The keys to success include frequent, precise predictions and measuring accuracy of predictions for comparison with real-world events. Nevertheless, such an exercise might well be exactly what a compliance function should do going forward. It might give the company enough information to take such a seemingly risky business move, when the prediction shows the risk was lower than the ‘experts’ said. Yet the authors end on this note, “But companies will capture this advantage only if respected leaders champion the effort, by broadcasting an openness to trial and error, a willingness to ruffle feathers, and a readiness to expose “what we know that ain’t so” in order to hone the firm’s predictive edge.”
Three Key Takeaways
The top compliance roundtable podcast is back with a wealth of new topics. Stayed tuned to the end where there are some great rants in this edition.
For the Cordery Compliance client alert and podcast on the topic see the following:
Jay Rosen brings a detailed discussion of voluntary monitoring and contrasts it with the ISO 37001 standard. Jay rants on the Patriots lose in their season opener.
For Jay Rosen’s posts see the following:
The members of the Everything Compliance panel include:
One of the key things the Department of Justice (DOJ) has consistently communicated is the importance of operationalizing rather than having a paper compliance program in place. The Department of Justice’s Evaluation of Corporate Compliance Programs (Evaluation) made clear that to receive credit in any Foreign Corrupt Practices Act (FCPA) enforcement action, you must fully operationalize your compliance program in the remediation phase.
All of this was driven home to me in an article I read in the Harvard Business Review (HBR), entitled “Disruptive Innovation?”, by Clayton M. Christensen, Michael E. Raynor and Rory McDonald. The authors were concerned that many of the commentary around the phrase ‘disruptive innovation’ were “in danger of losing their usefulness because they’ve become misunderstood and misapplied.” To answer this critique, the authors revisited the central tenets to the theory and how it had developed over the past 20 years. In doing so they detailed three key elements of disruption theory, which I have adapted to the compliance context.
The first is that compliance is a process. While this may seem as about the most self-evident statement one can make, as late as last week, I was contacted by someone who wanted an ‘off the shelf’ compliance package. They wanted me to do a couple of interviews of senior management and they put in some canned software program so they could claim they had a compliance program.
This attitude demonstrates the continuing battle the DOJ and Securities and Exchange Commission (SEC) face when communicating their expectations around compliance programs. Compliance programs should evolve as business risks change. Just as disruptive innovation tends to focus on process, your compliance program should focus on your overall business process to be successful.
The second key point is that Compliance 3.0 is very different from compliance programs of the past decade. As compliance programs have matured and the structural changes brought about in the Compliance 2.0 model, as articulated by Donna Boehme and others, we have now moved on to Compliance 3.0 where compliance is put into the fabric of an organization. The compliance function is moving from a solutions shop where all compliance functions are centered in the legal or compliance department to a process function where the front line business team can use technology and other tools to operationalize compliance. DOJ Compliance Counsel spoke to this concept in her recent remarks around how well a company would operationalize compliance by incorporating the business functions inputting to compliance around appropriate internal controls. The authors point to new business models as disruptive and I think this concept translates into how compliance can be burned into the DNA of an organization rather than simply sitting in the corporate headquarters in the US.
The third point is that not all disruptive innovations succeed. Here the authors write that disruption is only one step in both the creative and growth process. Throughout their article, they discuss Uber in the context of a disruptive business. However, Uber uses the smart phone platform, coupled with a superior rider experience as a part of its business model. For the compliance practitioner, I think the key concept is what SCCE President Roy Snell says are the three goals of any compliance program; to prevent, find and fix issues. You could also plug in here McNulty’s Maxims (What did you do to prevent it? What did you do to detect it? What did you do after you found out about it?).
This is why any successful compliance program should have multiple levels of oversight built into it. If something does slip through, a level of oversight should be in place to review it and hopefully prevent it. Consider the BHP Billiton’s FCPA enforcement action. It involved gifts, travel and entertainment around the 2008 Beijing Olympics. The issue was not that foreign officials were feted at the event. The issue that got the company into trouble was that they did not perform proper oversight over their carefully crafted program. A similar issue was seen in the Lily FCPA enforcement action where charitable donations were approved by an oversight committee without any substantive review and distributor commission rates were approved outside the standard range without appropriate review.
Disruption innovation has come to the compliance arena. One of the best examples is Louis Sapirman, the Chief Compliance Officer (CCO) at Dun & Bradstreet, who has incorporated not only social media tools but also the concepts of two-way communications into his company’s compliance program. Another is the use of your own company’s data to facilitate a straight line of sight by a CCO or compliance practitioner into transactions needing more detailed reviews from the compliance perspective.
As many compliance practitioners are lawyers, we are naturally reticent to embrace such change. However, I think the pronouncements of the DOJ this year have made it even clearer of the need for continued evolution of anti-corruption compliance going forward. Disruptive innovation can be one of the techniques to get your compliance program to that desired location.
Three Key Takeaways
Design thinking is another innovation which can help the Chief Compliance Officer (CCO) move forward in a cutting-edge manner to make a compliance program not only more robust but also operationalize it into the fabric of the company. Such a mechanism would help to drive compliance into the operational nature of a company, which is where the latest pronouncement from the Department of Justice (DOJ), in their Evaluation of Corporate Compliance Program suggest a company should take their compliance regime.
Design Thinking can bring innovation in a number of ways to your compliance program. Jon Kolko discussed this innovation in a Harvard Business Review (HBR) article entitled “Design Thinking Comes of Age”. Kolko’s insight that, “the approach, once used primarily in product design, is now infusing corporate culture” is one that any CCO or compliance practitioner can use in redesigning your compliance program for your internal customers, i.e. your employees and third parties that may fall under your compliance program. All of these groups have a user experience in doing compliance that may be complex and interactive. You need to design a compliance infrastructure to the way people work so that doing compliance becomes burned into the DNA of a workforce.
The first component of design thinking is to focus on the users’ experience with compliance. Kolko stated that designers need to focus on the “emotional experience” of the users; he explained that this concerns the “(… desires, aspirations, engagement, and experience) to describe products and users. Team members discuss the emotional resonance of a value proposition as much as they discuss utility and product requirements.” For the compliance function, this could be centered on the touch points the employee base has with the compliance function and that this should be “designed around the users’ needs rather internal operating efficiencies.”
The next step is to create something design thinkers use called “design artifacts”. While this is usually thought of as a physical item they can also be “spreadsheets, specifications, and other documents that have come to define the traditional organizational environment.” Their use is critical because “They add a fluid dimension to the exploration of complexity, allowing for nonlinear thought when tackling nonlinear problems.” Whatever the compliance practitioner may use, Kolko said, “design models are tools for understanding. They present alternative ways of looking at a problem.”
The next step is to “develop prototypes to explore potential solutions.” In others words, build a part of your system and test it from the users’ perspective. Here the author quoted innovation expert Michael Schrage for the following, “Prototyping is probably the single most pragmatic behavior the innovative firm can practice.” I think this is because “the act of prototyping can transform an idea into something truly valuable” through use, interaction and testing. Simply put, prototyping is seen as a better way to communicate ideas and obtain feedback.
While it may initially sound antithetical to the CCO or compliance practitioner, a key component for design thinking is a tolerance for failure. I realize that initially it may appear that you cannot have failure in your compliance program but when you consider that design thinking is an iterative process it becomes more palatable. Kolko quoted Greg Petroff, the chief experience officer at GE software, about how this process works at GE, “GE is moving away from a model of exhaustive product requirements”, adding “Teams learn what to do in the process of doing it, iterating, and pivoting.”
However design thinkers must “exhibit thoughtful restraint” when moving forward so that they can have deliberate decisions about what processes should not do. This means that if a compliance process is too complicated or requires too many steps for the business unit employee to successful navigate, you may need to pull it back. I like the manner in which Kolko ends this section by stating that sometimes you lead with “constrained focus.”
Kolko ended his article by noting three challenges he sees in implementing design thinking, which I believe apply directly to the CCO or compliance practitioner. First is that there must be a willingness to accept more ambiguity, particularly in the immediate expectation, for a monetary return on investment. A more functional or better compliance system design may not immediately yield some type of cost savings but it may be baked into the overall compliance experience. Second, a company must be willing to embrace the risk that comes from transformation. There is no way to guarantee the outcome so the company leaders need to be willing to allow the compliance function to take some chances in directions not previously gone. Third is the resetting of expectations as design does not solve problems but rather “cuts through complexity” to deliver a better overall compliance experience. This in turn will make the company a better-run organization.
Kuldeep Singh, writing in the SCCE magazine Compliance and Ethics, in an article entitled “Design Thinking: Creating an ethics-based compliance governance solution”, helped to put some flesh on these concepts. I found a key insight from Singh was that rather than simply concluding that violations of anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) were engaged in by bad actors, it is rather good people doing bad things such as engaging in bribery and corruption.
Using design thinking to improve your compliance regime by building from the ground up rather than a legalistic top-down approach favored by most lawyers. For Singh, it all starts with the employees, not simply the problem. So you begin by asking questions, lots of questions. From this point he suggests that you formulate the proposed solution as a “problem statement”.
From this point, you are ready to begin brainstorming to come up with some solutions. There are four steps Singh lays out. First is to “state the problem to be solved with enough clarity of specificity.” The second is to “identify the objectives of the problem solution.” The third step is to “generate alternative solutions and create a list of alternatives prior to having a group discussion.” And finally, you end with collectively generating alternative solutions.
The final step is to test the proposed solutions, or as Singh puts it “test, test, prototype and test again.” The key is to avoid prejudgments so he advises to “let the tester interpret the prototype” and obtain their feedback. It is incumbent to iterate through the process multiple times, which allows you to narrow the scope of the solution and to “move from working on broad concepts to nuanced details.”
Singh puts this design thinking protocol to use to help create a more effective ethics and compliance training model. He uses employees to provide the initial input to improve its effectiveness and relevance to the front line employees. The compliance team then implements several proposed solutions until the most operative one or ones becomes apparent. These are then rolled out companywide for better and more effective compliance training. As the entire process is documented, when the regulators, such as the DOJ or Securities and Exchange Commission (SEC), come knocking, you will have the ability to not only explain your training but also demonstrate its effectiveness.
Three Key Takeaways