Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2018
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: Category: general
Feb 8, 2018

In this episode, Matt Kelly and I take a deep dive into the events which led to the resignation of Steve Wynn as the CEO and Chairman of Wynn Casinos for sexual harassment and misconduct. We consider how quickly the scandal escalated after it was initially reported by the Wall Street Journal and the response (or lack thereof) by the Board of Directors to Wynn’s conduct which had been an open secret for almost 20 years. We review what structural inputs a company should have in place when it has a true charismatic leader. We consider the role of the Board of Directors in light of the recent Wells Fargo penalty levied by the Federal Reserve to limit growth and require the Wells Fargo Board to refocus its efforts on more robust corporate risk management.

For more on the Wynn scandal and corporate governance, see Matt’s blog post So Much Wynning You Can’t Stand It

For more on the Federal Reserve’s penalty on Wells Fargo and the Board of Director’s need for a compliance profession on the Board, see Tom’s blog post, Wells Fargo, Put a Compliance Professional on Your Board

Jan 24, 2018

The role of the Chief Compliance Officer (CCO) has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program, the focus was articulated by the title of the Hallmark, Oversight, Autonomy, and Resources. In it the 2012 FCPA Guidance focused on the whether the CCO held senior management status and had a direct reporting line to the Board; stating “In appraising a compliance program, DOJ and SEC also consider whether a company has assigned responsibility for the oversight and implementation of a company’s compliance program to one or more specific senior executives within an organization. Those individuals must have appropriate authority within the organization adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively. Adequate autonomy generally includes direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors.”

This Hallmark was significantly expanded in both the Evaluation of Corporate Compliance Program (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy). Over the next two blog posts, I will be considering how the Department of Justice (DOJ) has increased the prestige, authority and role of both the CCO and corporate compliance function.

The DOJ’s Evaluation of Corporate Compliance Programs, made the following query about the CCO position: 

  1. Autonomy and Resources 

Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions? 

 Autonomy Have the compliance and relevant control functions had direct reporting lines to anyone on the board of directors? How often do they meet with the board of directors? Are members of the senior management present for these meetings? Who reviewed the performance of the compliance function and what was the review process? Who has determined compensation/bonuses/raises/hiring/termination of compliance officers? Do the compliance and relevant control personnel in the field have reporting lines to headquarters? If not, how has the company ensured their independence? 

In the Policy, the DOJ laid out additional factors around CCO authority: 

  1. The quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk;
  2. The authority and independence of the compliance function and the availability of compliance expertise to the board;
  3. The compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and
  4. The reporting structure of any compliance personnel employed or contracted by the company.

There is a new requirement for compliance “independence”. The DOJ has not taken a position on whether a General Counsel (GC) can also be the CCO. However, this new language would seem to signal the death knell for the dual GC/CCO role. It may also signal the larger issue that the CCO should have a separate reporting line to the Board, apart from through the GC. While the DOJ’s stated position that it does not concern itself with whether the CCO reports to the GC or reports independently, it is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly not via the GC. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the Evaluation comes as close to any time previously in articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line of sight authority to the Board.

The Evaluation and the Policy build upon the 10 Hallmarks of an Effective Compliance Program and demonstrate the continued evolution in the thinking of the DOJ around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ talks about independence, coupled with resources being made available and authority concomitant with the CCO position, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to compliance positions in their organizations.

Three Key Takeaways

  1. How can you show compliance really has a seat at the senior executive table?
  2. What are the professional qualifications of your CCO?
  3. Does your CCO have true independence to report directly to the Board of Directors? 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Jan 12, 2018

In this episode, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

  1. Does Free Speech exist at the office? Can you tell your boss what you think of them? Ben DiPietro looks at a new Department of Labor approach in WSJ Risk and Compliance Journal.
  2. Are fraudsters like the rich (as in different than the rest of us)? Jonathan Marks explores the mind of the fraudster in his Board and Fraud blog.
  3. What can you do to manage your third parties more effectively? Rick Chapman provides his experiences in the SCCE Blog.
  4. Is there a unified theory of corruption? Professor Joseph Pazsgai explores the question in a guest post on the FCPA Blog.
  5. Mike Volkov gives his five top compliance predictions for 2018 in the Crime, Corruption and Compliance Blog.
  6. Oh thank Heaven? Feds raid 7-11 looking for criminals (IE undocumented workers). See story by Alicia Caldwell in the WSJ.
  7. Is there a real (or perceived) bias in the monitorship process? Several experts are cited in GIR piece sub. req’d
  8. Shearman & Sterling releases its annual report, the Recent Trends and Patterns in the Enforcement of the FCPA.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program. In January, I bring together the entire year of compliance program best practices with 31 days to a more effective compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Tom announces his next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 11 & 12 at Marcum’s offices in Miami, FL. More information or a copy of the agenda, or to register, will be available on my website, FCPA Compliance Report or at Marcum LLP.
  11. Jay Rosen previews the Jay Rosen weekend report.
  12. We preview this week’s NFL playoffs.

 

Jan 9, 2018

A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, it helps a compliance practitioner to anticipate all the aspects of your employees needs around compliance your employees, who are the customers of your compliance program. This is especially true when compliance is either perceived as something that comes out of the home office or is perceived as the Land of No, largely inhabited by Dr. No. A 360-degree view of compliance gives you the opportunity to build a new brand image for your compliance program.

Previously, I had thought of communications really as a two-way street upward and downward, inbound and outbound, and side to side communications. However, you might choose to phrase it, a 360-degree approach to compliance communications is something different. You simply can no longer as effectively communicate in just two ways. You now communicate in a more holistic manner, and in multiple ways. If you are just thinking about communications in the classic form you are missing something that is happening around you.

360-degrees of compliance communication is not just a classic form of communication but rather it is a communication in the concept of every interaction, whether they be planned interactions or whether they be into or accidental interactions. It is all a form of communication. This is particularly true if you are a compliance professional, a chief compliance officer or a compliant practitioner. The things you do, the way you act, and the way people see you are always communicating. It is not simply communicating to one another as often you may well be communicating to a group across siloed boundaries, to the constituencies with whom you had not even planned to initially communicate.

There are several concepts which should be included in your 360-degree view of compliance communications. Begin with an objective so you identify the purpose of your communication and the target of whom you are going to communicate to. Identify as clearly as you can the purpose and reason to ensure your message is aligned with your objectives. For instance, are you implementing a 360-degree view of communication to educate, inform, change perceptions or build trust and commitment?

Next, who is your audience? To communicate effectively you need to understand your audience. In any corporation, there are multiple audiences who are the key stakeholders in the 360-degree process. How much do they know? Some of the stakeholders include the Board of Directors, senior management, middle management, employee teams, committees, coaches, facilitators, customers, business partners, vendors, sales agents and representative, strategic alliances and business ventures. What are your distribution channels and how do you track your messaging? You should create a comprehensive spreadsheet to track the messages the intended audience and the delivery mechanism. Another key ingredient of the 360-degree approach is feedback. This is a key component of the 360-degree experience and educate each stakeholder on the benefits of feedback from the 360-degree approach.

Finally, you need to evaluate what you have done. You can monitor your communication activities by tracking attendance at the events, website statistics, open rate of emails, downloads of materials, video hits; in other words, the same techniques that your marketing folks would use to determine their messaging’s effectiveness. The objective is to build trust for the 360-degree process by determining if the goal achieved. You can utilize surveys or focus groups to assess the impact on your target audience. By focusing on your customer customers of compliance, I.E. your employees, it allows you to identify gaps and improve the communication process for your compliance program.

Using such a 360-degree approach to communication, allows a CCO to “see around corners” and can be one of the greatest strengths of a best practices compliance program. The reason is listening. Listening is a key leadership component and there are certainly many ways to listen. You can sit in your office and wait for a call or report on the hotline or you can go out into the field and find out what challenges employees are facing. From this you can work with them to craft a solution that works for the company and holds to the company’s ethical and compliance values.

Three Key Takeaways

  1. Remember the definition of 360-degrees of compliance communications. It is an effort that includes the compliance identity into a holistic approach so compliance is in touch and visible to your employees at all times.
  2. What is your objective? What are you trying to do with your 360-degrees of compliance communications and how are you using that mechanism to deliver the objectives of your compliance program.
  3. Evaluate. You need to evaluate three factors: (a) has the message been delivered; (b) has it been heard; and (c) is it being implemented.

 

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Dec 31, 2017

Jay and I take things in a different direction this week. We take the top five podcasts from 2017 and each of us, gives a highlight from that episode to highlight some of the key compliance issues from 2017, for our year end wrapup edition.

1. Episode 55-The Covfefe Edition, for the week ending June 2

 From Jay- Compliance is making its way into Boards of Directors. See article by Ben DiPietro in the WSJ Risk and Compliance Journal.

From Tom- Samuel Mebiame, sentenced to two years behind bars for paying bribes to help Och-Ziff with lucrative mining deals in Africa. See article by Sam Rubenfeld in WSJ Risk and Compliance Journal. Judge asks why no one else was criminally prosecuted. See article in Bloomberg.

2. Episode 53-The I Left My Heart in SF Edition, for the week ending May 19 

From Jay- Should compliance and ethics be wedded? New report by Institute of Business Ethics and the Ethics Institute considers the issues. See article in WSJ Risk and Compliance Journal.

From Tom- Astros lead the MLB with the best record in baseball. Will they regress to the mean?

3. Episode 52-The Firing the Investigators Edition, for the week ending May 12

 From Jay- ECI Report Finds Use of Corporate Monitors is on the Rise. For a copy of report, click here. For a webinar replay with Affiliated Monitors’ Eric Feldman and Nasdaq’s Michael Kallens click here.

From Tom- Why the judgment of CEOs and their actions really do matter. See James Stewart considers Barclays’ Jes Staley in his Common Sense column in the New York Times.   

4. Episode 54-The Rubber Match Edition, for the week ending May 26

From Jay-he recaps the SCCE San Francisco event he attended last week. See Jay’s recap in his article I Left My #SCCE Heart in San Francisco or I Love It When A Plan Comes Together!

From Tom-Was the individual enforcement against the MoneyGram CCO significant or much ado about nothing? See article by Dick Cassin in the FCPA Blog and by Sara Kropt in her Grand Jury Blog.

5.  Episode 77-The Home for the Holidays Edition, for the week ending November 17

 From Jay-

1a) Wal-Mart reserves $283MM to settle its outstanding FCPA matter. See article by Dick Cassin in the FCPA Blog. Henry Cutter reports in the WSJ Risk and Compliance Journal.

1b) The Everything Compliance gang put together an eBook of their reflections from the recent SCCE 2017 Compliance and Ethics Institute. It is available for download free on JDSupra. It is also available on the Affiliated Monitors site by clicking here.

From Tom- Tom visited with Marc Havener and Bryan Belknap about using movie clips to expand your compliance training classroom. See Tom’s blog post here

Dec 31, 2017

This entry provides a wrap up on written standards, with a discussion on policies on cybersecurity. Regarding policies on cybersecurity, it has become so critical for corporation that the CCO and many compliance practitioners are now required to deal this issue.

Cybersecurity policies are the newest area to fall into the lap of the compliance professional. Fortunately, the state of New York's Department of Financial Services has issued the first state level regulations on cyber security for financial institutions. They became effective March 1, 2017 and while they are designed to protect financial services industries and consumers, they have application to and provide guidance for, a wider variety of non-financial service companies and commercial enterprises. It mandates your overall cybersecurity policy should be designed to meet the goals to prevent, detect and remediate a cybersecurity event.

While the regulation is obviously geared towards financial services firms, there were several points that any non-financial services compliance practitioner should consider. The overall cybersecurity program should be designed to meet the three goals of any best practices compliance program: (a) preventing any cybersecurity breaches or failures; (b) detect cybersecurity events; (b) remediate through responding to identified or detected cybersecurity events to mitigate any negative effects, recovering from them and restore normal operations and services. An added requirement for cybersecurity will be notification of appropriate regulatory authorities.

Your written policy should be based on a risk assessment, taking the following factors into consideration: “(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.”

There should be a corporate officer position which reports to the Board of Directors, who should report to the Board on the following topics: (1) the confidentiality and the integrity and security of the information systems; (2) the cybersecurity policies and procedures; (3) material cybersecurity risks; (4) overall effectiveness of the cybersecurity program; and (5) any material cybersecurity events. The cyber compliance team must all show proficiency in the discipline and keep abreast of cybersecurity developments.

For ongoing monitoring, there should be annual penetration testing and biennial vulnerability assessments. Finally, there must be annual risk assessments designed to test: (1) identified cybersecurity risks and threats; (2) criteria for the assessment of the confidentiality, integrity, security, availability and adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

If a company allows a third-party provider to have access to or hold its data, it must perform an evaluation of that third-party provider in the following areas: (1) identification and risk assessment of the third-party provider; (2) minimum cybersecurity practices required to be met by third-party provider in order for them to do business; (3) due diligence processes used to evaluate the adequacy of cybersecurity practices of third-party provider; and (4) periodic assessment of third-party provider based on the risk they present and the continued adequacy of their cybersecurity practices. There should also be effective training and ongoing monitoring requirements for employees of impacted third-party providers.

All of the above should sound quite familiar to any anti-corruption compliance professional. Yet this DFS regulation should also be studied as a roadmap for the inevitable cybersecurity and InfoSec compliance which is just down the road for non-financial services industries. The third-party providers are particularly critical as many major data breaches occurred through connected third parties. One need only think of the Target data breach to the looting of the Central Bank of Bangladesh through the New York Federal Reserve Bank.

Three Key Takeaways

  1. CCOs and compliance professionals need to be ready to take on cybersecurity policies and procedures.
  2. Cybersecurity policies and procedures should strive to prevent, detect and remediate cybersecurity events and failures.
  3. Do not forget the lesson from the Target data breach; you are only as secure as your weakest third-part link.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Dec 30, 2017

The next area for policies is extortion payments, which are completely exempted out of the FCPA. Extortion payments are made for any action which threatens or demands payment for life, liberty, or health. These should be exempted out from your facilitation payments and your compliance program through specific language. You need to do this for a variety of reasons. First and foremost, your employees must understand that the company will support them if they are in any way threatened with harm, with arrest, physical detention or their health/safety is threatened.  As a compliance professional, you need to make sure employees understand they need to do whatever they must to get themselves out of such a situation.

Some of the situations your employees might face are along the lines of the following:

  • Employees are stopped by police, military or paramilitary personnel, or militia (uniformed or not) at designated or other checkpoints or other places and a payment is demanded as a condition of passage of persons or property;
  • Employees are threatened with arrest or detainment; or
  • Employees are asked by persons claiming to be security personnel, immigration control, or health inspectors to pay for an allegedly required inoculation or other similar procedure.

I once had a situation where an employee was threatened with receiving a vaccination for yellow fever when they were departing a west African country. The employee paid some $85 to get out of that situation. I instructed him to submit it as a travel expense, writing out in a four sentence paragraph the event, attached to his expense report. The documentation proved that payment was not a facilitation payment. It was clearly an extortion payment.

The key though is that it be properly documented. But more than simply the documentation is that you must specifically list extortion payments in your books and records so you will in compliance with the books and records requirement of the FCPA to accurately record your expenses. You need to train your employees specifically on the actions to take both when they are put in the situation and what to do when they return to their office. In your policy state that if there is a threat to health safety or liberty, it is not a facilitation payment but an extortion payment. Make sure that they understand what their rights are and what their obligations are to report it when they come back to the corporate office or their office. Always remember, an extortion payment is not a FCPA violation.

Three Key Takeaways

  1. Extortion payments are not illegal under the FCPA?
  2. Was the action an extortion or some other type of situation?
  3. Document Document Documents your extortion payments both the financial component and a description of the underlying events.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Nov 15, 2017

Welcome to Episode 5 of Compliance Man Goes Global podcast of FCPA Compliance Report International Edition. In this episode, we focus on typical concepts (or probably myths) of ways a Compliance professional might become a more valuable member of the management team rather than becoming most hated person in the organization.

Tom: To start with, Tim, probably we should explain to our listeners why we called our today’s episode ‘You Really Like Me’?

Tim Khasanov-Batirov:  We call today’s episode “You Really Like Me!” remembering Sally Field’s gushing acceptance speech at Oscar ceremony. The funny thing is that sometimes even in-house Compliance people have a strong wish to exclaim after her something like: “I haven't had an orthodox career, and I've wanted more than anything to have your respect. The first time I didn't feel it, but this time I feel it—and I can't deny the fact that you like me, right now, you like me!"      

Tom: OK, Tim, let’s see if this is possible in reality or would remain just a dream of Compliance officers globally.

Myth #1 There is a chance that Compliance officer could avoid being named the most hated person in the organization.  Tim, do you agree with this statement?

Tim Khasanov-Batirov: Let’s try. I think we have some pros here:  

Argument #1.

A Compliance professional can avoid being the most hated person if personnel along with top management understand the role of Compliance function in the organization. Unless a Compliance professional delivers a clear message about risks he or she manages and value they bring, they are dependent on subjective views of other team members. We have depicted this situation in the attached release of Compliance Man illustrated series.    

Argument #2.

You might think about setting KPIs based on respective regulatory requirements referring for instance to 10 Hallmarks of the Effective Compliance Program or the Evalution of Corporate Compliance Programs. This will allow you to set criteria, which could be used for unbiased and verifiable evaluation of your efforts.  

Tom:  I think, Tim that there are some cons here as well:

Argument #1

As we know, there is no way people will like a Compliance officer all the time. Subject to particular situation or position, the Compliance professional’s managers might change their minds. So we should not have illusion of being most loved person constantly.

  

Argument #2

There is a big risk if Compliance person becomes too friendly with the employees and becomes co-opted by the business folks. This could lead to losing impartiality. Therefore, there is a very thin line between being business-oriented ethics professional and attempts just to ‘get likes’ from management.   

Tim: Tom, I agree with you.

Tom: Let’s go, Tim. We can formulate the next concept or maybe misconception in the following way:

Myth #2. In real life, Compliance officer de-facto is not able to become a member of managerial team (or just “team” so to say) being isolated from it by virtue of his “business prevention” mission. Tim, will you agree with this concept?

Tim: I strongly disagree with this concept.

Argument #1.

In my view, Compliance department in many cases is called a “Business prevention unit” not because of being very strict and picky. It is because of not fully understanding the business processes involved. As soon as compliance officer starts to hear other team members, he will be able to suggest solutions, which are compliant, and business oriented in the same time.      

Argument #2.

It is about priorities. Management team should clearly see that Compliance officer is focusing on real regulatory risks and priorities rather than creating a useless bureaucracy regarding minor issues, which in many cases could be easily resolved.    

What are your views, Tom?

Tom: I have some pros to support the concept that in reality Compliance officer is not just another member of the business team.

Argument #1.

We have a special mission to assess business from external, in majority of cases regulatory prospective. Thus, many things, which at first glance might look as being good for business, could pose regulatory risk in the future. Thus, Compliance person is in charge of demonstrating a high-level or strategic view rather than solely looking at momentary business advantages.

Argument #2.

Compliance is a relatively new job in comparison to well established corporate functions such as  a  Legal Department or even Internal Audit. So even just by mere fact of being a “newcomer” the Compliance Officer differs from almost all members of the management team which represent “traditional” occupations.  

Tim: Agreed, Tom. As key takeaways from today discussion, I think we can mention the following:

  • Compliance officer should be a business-oriented person with good understanding of business processes along with clear views on how to structure them in line with regulatory expectations.
Nov 1, 2017

Welcome to Day One of 360-degrees of communication in compliance. This month you will learn about techniques that the CCO can use to provide you not only a well-rounded role as a CCO but also facilitate a much more holistic approach to compliance in your organization. Best of all the techniques, discussed are largely available to you at little to no cost. There are things that you can do both in your method of running the CCO positions and innovations that you can bring to the compliance function in your organization. 

A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers. In other words, the customers of your compliance program; I.E., your employees it helps to anticipate all the aspects of your employees needs around compliance especially when compliance is either perceived as new perceived as something that comes out of the home office or is perceived as the Land of No. It gives you the opportunity to build a new brand image for your compliance program. 

Social media is a big part of a 360-degree view so there will be a focus on the use of social media in compliance and how it can facilitate your compliance program through your compliance messaging. I will discuss some specific techniques of social media tactics that have been successfully used by companies. We will consider the culture of compliance and the clash of different cultures that an organization may have, particularly through mergers and acquisitions but also internally, through organic growth and how a 360-degree view can help overcome this. Storytelling and compliance is another mechanism which is facilitated through a 360-degree. 

Other issues to be considered include how can a 360-degree view of communication facilitate your role as a leader in your company and in your compliance program? What are the techniques which can provide a holistic approach to your compliance function? What is the two-way street approach wedded to the benefit of 360-degrees of compliance and communication? Communication is much more powerful when it is a two-way street. Such a view also allows you to information from your customer base, once again your employees back up to your compliance program and incorporate that feedback loop directly into your compliance program going forward. 

There are several concepts which should be included in your 360-degree view of communications in compliance. Begin with an objective so you identify the purpose of your communication and the target of whom you are going to communicate to. Identify as clearly as you can the purpose and reason to ensure your message is aligned with your objectives. For instance, are you implementing a 360-degree view of communication to educate, inform, change perceptions or build trust and commitment? 

Next,  who is your audience? To communicate effectively you need to understand your audience. In any corporation, there are multiple audiences who are the key stakeholders in the 360-degree process. How much do they know? Some of the stakeholders include the Board of Directors, senior management, middle management, employee teams, committees, coaches, facilitators, customers, business partners, vendors, sales agents and representative, strategic alliances and business ventures. What are your distribution channels and how do you track your messaging? You should create a comprehensive spreadsheet to track the messages the intended audience and the delivery mechanism. Another key ingredient of the 360-degree approach is feedback. This is a key component of the 360-degree experience and educate each stakeholder on the benefits of feedback from the 360-degree approach. 

Finally, you need to evaluate what you have done. You can monitor your communication activities by tracking attendance at the events, website statistics, open rate of emails, downloads of materials, video hits; in other words, the same techniques that your marketing folks would use to determine their messaging’s effectiveness. The objective is to build trust for the 360-degree process by determining if the goal achieved. You can utilize surveys or focus groups to assess the impact on your target audience. By focusing on your customer customers of compliance, I.E. your employees, it allows you to identify gaps and improve the communication process for your compliance program. 

Three Key Takeaways 

  1. Remember the definition of 360-degrees of compliance communications. It is an effort that includes the compliance identity into a holistic approach so compliance is in touch and visible to your employees at all times.
  2. What is your objective? What are you trying to do with your 360-degrees view of compliance communications and how are you using that mechanism to deliver the objective your compliance program desires.
  3. Evaluate. You need to evaluate has the message been delivered has it been heard and is it being implemented. 

This month’s podcast series is sponsored by Dun & Bradstreet.  Dun & Bradstreet’s compliance solutions provide comprehensive due diligence reporting and analysis to reduce your risk of working with fraudulent companies by accessing a company’s beneficial ownership, reputation risk and more.  For more information, go to dnb.com/compliance.

Oct 12, 2017

Your company has just made its largest acquisition ever and your Chief Executive Officer (CEO) says that he wants you to have a compliance post-acquisition integration plan on his desk in one week. Where do you begin? Of course, you think about the 2012 FCPA Guidance but remember that it did not have the time lines established in the recent enforcement actions involving Johnson & Johnson (J&J), Pfizer and Data Systems & Solutions LLC.

While there are time frames listed in these Deferred Prosecution Agreements (DPAs) are a guide of timeframes; many compliance professionals struggle with is how to perform these post-acquisition compliance integrations. An article from the Harvard Business Review, entitled “Two Routes to Resilience”, Clark Gilbert, Matthew Eyring and Richard Foster wrote about business transformation which speak directly to the compliance practitioner to help create post-acquisition integration game plan.

The authors, reviewed the situation where an entity must transform itself, leading to a transformation the authors call “establishing a ‘capabilities exchange’- a new organizational process that allows the two efforts to share resources without interfering with each other’s operations.” That is what a compliance practitioner must accomplish through a post-acquisition integration in the compliance context.

Anyone who has gone through a large merger or acquisition knows how terrifying it can be for the individual employee. Many people, particularly at the acquired company will be fearful of losing their jobs. This fear, mis-placed or well-founded, can lead to many difficulties in the integration process. The creation of a Compliance Capabilities Exchange process which allows “the two organizations to live together and share strengths” and will coordinate “the two transformational efforts so that each gets what it needs and is protected from [unwanted] interference by the other.” There are five steps in this process.

  1. Establish Compliance Leadership. While this may be the “simplest step but also the one most open to abuse.” The process should be run by just a few top people, which I believe are the Chief Executive Officer, Chief Financial Officer and Chief Compliance Officer of the acquiring company and a similar counter-part from the acquired company.
  2. Identify the compliance resources the two organizations can or need to share. Hopefully the acquiring organization will have some idea of the state of the compliance program before the deal is closed. It may be that there is some or all of a minimum best practices compliance program in place. If so, attention needs to turn to what can continue and how will need to be integrated.
  3. Create Compliance Capability Exchange Teams. In many “synergy efforts, everyone is expected to think about ways resources might be shared.” In Compliance Capability Exchanges, the responsibility should be “carefully confined to a series of teams.” Senior leadership should create compliance teams by assigning a small number of people from both entities with the responsibility of allocating resources used in the integration project.
  4. Protect Boundaries. This one is tricky as employees from the former target may not want to move forward with the integration; for fear of losing their jobs or some other reason. There may be internal disputes as to which group may handle an issue going forward. This area is tricky because it is important not to alienate new employees who might have good ideas on the integration or how to move forward. Once again, the Leadership Team must step in and referee disputes decisively if required.
  5. Scale up and promote the new compliance program. It is important to celebrate and promote the new entity to both the acquiring company, others in the company and even external stakeholders. It is important that markets and others in the same or similar industry see this evolution and growth. Take the time to publicize the integrated compliance function with the internal customer; IE., company employees. This would include all other compliance stakeholders, including third party representatives, both on the sales and supply chain side of the house and even customers. Finally, be sure to inform your management, Board of Directors and regulators, such as the Department of Justice (DOJ), as appropriate.

Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as practicable.  The earlier you can deploy these steps the better off your company will be at the end of the day. In an Ernst & Young white paper, entitled “Increased Oversight of M&A: An Expanding Role for Audit Committees”, it stated “Failed M&A can destroy a company's market value, destabilize its financial position and credit ratings, impair its strategic position, weaken the organization and damage the company's reputation”. This is particularly true for failed M&A compliance. One need only consider the Latin Node FCPA enforcement actions where the acquiring company had to write off its entire investment.

Three Key Takeaways

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 10, 2017

Today I want to look at what you should do with the information that you obtain in your pre-acquisition compliance due diligence. Jay Martin, Chief Compliance Officer (CCO) at BakerHughes, a GE company. suggests an approach that reviews key risk factors to move forward. Martin has laid out 15 key risk factors of targets under a FCPA analysis, which he believes should prompt a purchaser to conduct extra careful, heightened due diligence or even reconsider moving forward with an acquisition under extreme circumstances.

  1. A presence in a high risk country, for example, a country with a Transparency International CPI rating of 5 or less;
  2. Participation in an industry that has been the subject of recent anti-bribery or FCPA investigations, for example, in the oil and energy, telecommunications, or pharmaceuticals sectors;
  3. Significant use of third-party agents, for example, sales representatives, consultants, distributors, subcontractors, or logistics personnel (customs, visas, freight forwarders, etc.)
  4. Significant contracts with a foreign government, state-owned or state-controlled entities;
  5. Substantial revenue from a foreign government, state-owned or state-controlled entity;
  6. Substantial projected revenue growth in the foreign country;
  7. High amount or frequency of claimed discounts, rebates, or refunds in the foreign country;
  8. A substantial system of regulatory approval, for example, for licenses and permits, in the country;
  9. A history of prior government corruption investigations or prosecutions;
  10. Poor or no anti-bribery or FCPA training;
  11. A weak corporate compliance program and culture, from legal, sales and finance perspectives at the parent level or in foreign country operations;
  12. Significant issues in past compliance audits, for example, excessive undocumented entertainment of government officials;
  13. The degree of competition in the foreign country;
  14. Weak internal controls at the parent or in foreign country operations; and
  15. In-country managers who appear indifferent or uncommitted to U.S. laws, the FCPA, and/or anti-bribery laws. 

In evaluating answers to the above inquiries or those you might develop on your own, you may also wish to consider some type of risk rating for the responses, to better determine is the amount of risk that your company is willing to accept to do so you will need to both assess risk and subsequently evaluate that risk. Risks should initially be identified and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the post-acquisition remediation plan going forward. A risk-rating guide similar to the following can be used.

LIKELIHOOD

Likelihood Rating

Assessment

Evaluation Criteria

1

Almost Certain

High likely, this event is expected to occur

2

Likely

Strong possibility that an event will occur and there is sufficient historical incidence to support it

3

Possible

Event may occur at some point, typically there is a history to support it

4

Unlikely

Not expected but there’s a slight possibility that it may occur

5

Rare

Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of compliance internal controls, written policies and procedures designed to mitigate risk, leadership capable to recognize and prevent a compliance breakdown; Compliance failures or near misses; and/or Training and awareness programs. Product of ‘likelihood’ and significance ratings reflects the significance of a particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

The key to such an approach is the action steps prescribed by their analysis. This is another way of saying that the pre-acquisition risk assessment informs the post-acquisition remedial actions to the target’s compliance program. This is the method set forth in the 2012 FCPA Guidance. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the mergers and acquisitions arena. The model is a reasoned approach and can provide the articulation needed to explain which steps were taken.

It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain, these would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include repsentations and warranties in the final sales agreement for the entire target company that its participation in transactions is permitted under the local law where the transaction took place; that there is an absence of government owners in company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a representation that all the books and records presented to the acquiring company for review were complete and accurate.

To emphasize all of the above, the DOJ stated in the Pfizer Deferred Prosecution Agreement (DPA), in the mergers and acquisition context, that a company is to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence is conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition for reasons beyond a company’s control, or due to any applicable law, rule, or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.

Three Key Takeaways

  1. Create a list of key risk factors in your protocol.
  2. Create a forced risk ranking, but remember it is simply that, a forced risk ranking.
  3. Your pre-acquisition team should include a suitable combination of legal, accounting, and compliance personnel.

 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Sep 29, 2017

As I end this section on innovation, I want to conclude by laying out a road map which allows a CCO or compliance practitioner to make more effective and better operationalize a corporate compliance program. With the DOJ’s Evaluation of Corporate Compliance Programs emphasis of operationalizing your compliance regime, innovation is an important tool for you to use in this journey, yet one that I believe is too often overlooked.  One of the best recent roadmaps I have seen was suggested by LRN Corporation’s 2016 Ethics and Compliance Program Effectiveness Report.

The Report detailed four key findings which are symptomatic of an operationalized compliance program. Susan Divers, Senior Advisor at LRN Corporation, noted overarching theme in is that ethics and compliance “programs centered on values are more effective than ones that aren’t. A values-based approach toward shaping culture emphasizes and sets expectations, not just about what can and cannot be done according to rules, but rather what should and should not be done in alignment with core beliefs. In rules-based environments, that is, everyone’s job is to do the next thing right—to act correctly. In values based environments, in contrast, everyone’s job is to do the next right thing—to act morally.”

It is this drive to burn compliance into the DNA of an organization that fully operationalizes compliance. Think of any recent scandal, Volkswagen (VW), Wells Fargo, Valeant, Uber or you name the scandal, where if an employee had simply done the right thing instead of the illegal action, how much better off a company would have been. The four findings were:

The most effective E&C programs are embedded in business operations. Diver pointed out it is critical a company should think “about ethics and compliance and values as part of your brand.” By doing so, each level in a company will understand its role going forward, from the Board of Directors, senior management, middle management and the employee base. Moreover, the company will train, develop and promote an ethics and compliance program through each of these levels.

Susan Divers provided an insightful example, “I think if I were to use one word to characterize all of them together, it would be holistic. The first one of embedding your ethics and compliance programs in your business operations, one big piece of that is your brand. For example, Volkswagen used to have a fantastic brand. You thought of Volkswagen and you thought of basically a green car, and one that was well engineered. Now it’s a massive fraud. One headline I saw called it Hoaxwagen.”

The most successful ethics and compliance programs use a variety of channels to convert guidance into practice. An effective compliance program will communicate the corporate ethics and compliance values through multiple channels throughout the company, on an ongoing basis. This speaks not only to upward and downward communications within an organization but also inbound and outbound to the company as well. But more than simply saying there should be communication, the Report also assesses how communications occur through inquiring into the clearness and conciseness of messages and whether an organization uses more effective communication techniques such as shorter, more frequent training models or facilitated workshops as opposed to rote one hour lectures from lawyers.

Communications can be made in other, more subtle manners. Consider what are the actual behaviors that the conduct demonstrates? Divers said that at LRN, “We’re not so fond here of tone at the top. We’re more fond of actions at the top, because tone can be one thing and actions are another. Looking at whether managers’ ethical behavior counts in terms of promotion and bonuses, that’s really where the rubber meets the road in a lot of places, and that makes a huge difference. Another aspect of that is making middle managers accountable for ethics and compliance in their business, and the good programs coach people in that aspect. That’s really some of the key aspects we looked at for how you embed in business ops.”

High-performing programs proactively convert regulatory guidance into practice. I found this to be one not often enough discussed as many compliance practitioners struggle to convert DOJ pronouncements, comments or lessons learned from FCPA enforcement actions into practical guidance. The most effective compliance programs internalize such guidance from prosecutors and regulators and continuously improve. Here one might consider an example torn from the headlines: when the Wal-Mart corruption scandal in Mexico broke, I called one CCO the next day who told me he had already put a PowerPoint presentation in front of his senior management about the perils of finding your corporate name splashed across the front page of the New York Times alleging your organization of bribery and corruption.

Divers considered this finding from another perspective. She stated, “You have to look for the actual challenge the people view in the company, whether that’s sales force, or other disciplines. There in lots of different ways and in positive ways, not just negative ways. One of the things we did, which we didn’t just tell people that serious actions meant this, we looked at actual business cases where people had done the right thing and made the right choices to comply with regulations, and that’s very powerful for modeling. Another aspect of that is how you embed your Code of Conduct. Do you just put it out on the website and say, “Great, here it is. Read it,” or you have discussion? Obviously, those are more effective.”

High-performing programs spread their impact broadly, recognizing that it is the whole organization that needs to be engaged in ethics. This finding considers whether an organization has moved away from a “silo-based approach to ethics and compliance.” It did so by reviewing how the different corporate functions work as catalysts for imbuing your organization values in their specific corporate discipline. Here Divers related that “high performing programs aren’t sitting in a closet somewhere, only visited when there’s an ethics issue. High-performing programs are out there. They work across the corporation with human resources, with internal audit, with legal, and even with sales and marketing, and finance and accounting, to make sure that ethics are a part and parcel of business operations.”

This month I have reviewed a variety of innovations in compliance; from innovations in structure, use of social media tools and concepts, to new and different ways to consider your internal resources as ways to innovate in your compliance regime. The DOJ has consistently said that a compliance program must evolve. It must evolve to meet new or updated risks, new opportunities or different regulations. Innovation is one of the best ways to evolve. Finally and perhaps most importantly as a compliance practitioner, always remember that you are only limited by your imagination.

Three Key Takeaways

  1. Innovation is one of the most overlooked and under-utilized tools in compliance.
  2. Operationalizing your compliance program will require innovation in your compliance program going forward.
  3. As with most CCO initiatives, you are only limited by your imagination.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 15, 2017

Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including: 

  1. Equifax continues to be in the news. Ben DiPietro reports from the compliance perspective in two articles from the WSJ Risk & Compliance Journal, see here and here.
  2. Julie DiMauro interviews Philip Urofsky on the US commitment to enforcing the FCPA. See her article in the FCPA Blog.
  3. A new scorecard is out on the amounts of money paid as bribes by the Brazilian construction company, Odebrecht. See article by Dick Cassin the FCPA Blog.
  4. On the intersection of Uber and Hell. See article by Tom Fox in Compliance Week (sub req’d).
  5. Sushi and money-laundering. The increasing intersection of AML and anti-corruption compliance. Sam Rubenfeld reports in the WSJ Risk & Compliance Journal.
  6. Matt Kelly joins us for an emergency rant and to announce the birth of the latest addition to the Kelly Clan.
  7. Want to be a Kleptocrat? The Mintz Group has developed an app “Kleptocrat” available in the Apple app store. Sam Rubenfeld reports in the WSJ Risk & Compliance Journal.
  8. Cleveland Indians set the AL mark for consecutive wins, now go for the MLB record.
  9. Is Thursday night football dead? It might be after the Texans deliver one of the ugliest wins ever on the Thursday night national stage.
  10. This month’s podcast series on One Month to a More Effective Compliance Program is in full production. In September, I am reviewing innovations for your compliance program. This week’s topics include embracing in your agile compliance program, design thinking in compliance, how Kaizen can improve your compliance program, disruption in compliance and superforecasting to better risk management. Oversight Systems is this month’s sponsor. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  11. The Jay Rosen weekend report preview-story telling in compliance.
Sep 8, 2017

One of the most constant things that I have observed in my 10+ years of practice in the compliance space is its constant evolution. Compliance techniques and practices, which were considered cutting edge when I began, have moved to standard fare and are now largely minimum practices. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have mirrored this evolution in not only how they view compliance programs but also in their own enforcement regimes and protocols. Today I want to consider agile innovations methods for your compliance program. 

According to a Harvard Business Review (HBR) article “Embracing Agile, by Darrell K. Rigby, Jeff Sutherland and Hirotaka Takeuchi, agile methodologies “involve new values, principles, practices and benefits and are a radical alternative to command-and control-style management.” It is accomplished by taking employees “out of their functional silos and putting them in customer-focused multidisciplinary teams”. As the customers of the compliance function are the company’s employees, I think the transition can be made. 

One of the most basic problems is that business executives basically understand only enough about agile to be dangerous but they do not understand the comprehensive approach that needs to be taken. This means that senior management will continue to the same management practices that in fact work to undermine the agile process. The authors suggest the solution is that executives learn the basics of the agile process and understand the conditions in which it does or does not work. They should begin with a small team and project and let the operation spread organically. 

Some of the right conditions for the success of an agile initiative in the compliance arena are as follows. You should have the right market environment for the project. This means you need to have your internal customers involved and allow feedback to change any proposed solution. You must be willing to innovate, particularly if there are complex compliance problems involved. You will need to break down the solutions into digestible junks, which may actually change the scope but through cross-functional employee collaboration, you can have appropriate creative breakthroughs. 

Digestible junks will allow you have incremental developments, which can be tested and then rolled out for use by your employee base. As your internal customers use the innovations, the work cycles can be broken down further so both testing and innovation can continue unabated. This allows a continual feedback loop so that late changes in the innovation can be managed and incorporated going forward. Finally, if there are interim mistakes, it can be a valuable source of lessons learned going forward. 

An example might be around compliance training, a topic oft-times commented upon as rote and something employees simply have to get through. Some commentators have characterized such training as a basic ‘tick the box’ exercise simply to get government credit. While such commentary fails to understand the benefits of communication through training, it does point up the issue of the stiltedness of compliance training.

An approach to this might be to put together an agile team to look at training so that compliance could create topical training, in a few days to respond to market or other conditions, separated out by the challenges met in various product lines or geographic areas. This innovation can include budgets as well, making your compliance function more cost effective through innovation. 

Another concept is to start small and let the word spread. This is antithetical to many large companies that “launch change programs as massive efforts” largely because the project sponsors feel that if they do not do so, the rest of the company will divine that the effort is not really supported by senior management and respond accordingly. However, the authors suggest “agile might spread to another function, with the original practitioners acting as coaches. Each success seems to create a group of passionate evangelists who can hardly wait to tell others in the organization how well agile works.” 

The C-Suite has a role as well by practicing agile at the top of the organization so not only could senior management provide new techniques through an agile exercise, they could learn how to support more fully the compliance function which might engage in an agile review. “Senior executives who come together as an agile team and learn to apply the discipline to these activities achieve far-reaching benefits. Their own productivity and morale improve. They speak the language of the teams they are empowering. They experience common challenges and learn how to overcome them. They recognize and stop behaviors that impede agile teams. They learn to simplify and focus work. Results improve, increasing confidence and engagement throughout the organization.”

There are three succinct benefits. First by having senior management involved in an agile exercise, it would allow them to “catch up with the troops” and to reprioritize their efforts going forward to be better aligned with the real-time nature of agile. Second, it allows a speedier corporate transition as it can allow the employees to know if management is in tune with what the employees care about going forward. Finally, it can present clear alignment of departments and functions on a common vision. I can think of no greater strength for the compliance function to rely upon. This can be used to expose senior managers to break out of their “silos in today’s overspecialized organizations-for general management roles.” 

The authors conclude by noting the need to destroy barriers to agile. They list five pointers. First “get everyone on the same page” which they believe is the key responsibility of management. Second is not to change structures but to change roles so that internal company disciplines “can learn to work together simultaneously, rather than separately and sequentially.” Next is to name only one boss for each decision as in the agile operating model it must be “crystal clear” who can make the final decision. Penultimately, your agile exercise should focus on teams not individuals because it is the team’s collective intelligence that brings the power to an agile exercise. Finally, lead with questions not orders. Here the authors cite to General George S. Patton, who “famously advised leaders never to tell people how to do things: “Tell them what to do, and they will surprise you with their ingenuity.”” 

The agile exercise will probably not work in a compliance function under the thumb of the corporate legal department, as innovation is typically not in the remit of legal. However for a compliance function that desires to bring new and unexpected ways of doing compliance to your organization, going through an agile exercise might be just the thing to move compliance into the very DNA of your organization. 

Three Key Takeaways

  1. Agile compliance involves new practices and benefits and is a radical alternative to command-and control-style management.
  2. Agile compliance allows you to take small, digestible steps.
  3. Agile compliance works at the top. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Aug 16, 2017

In this very topical episode Matt Kelly and I take a deep dive into the administration’s response to the events over the weekend in Charlottesville and what it means for business leaders, compliance practitioners and others going forward. With the resignation of Ken Fraizer, CEO of Merck and others from the administration’s voluntary business counsel, due to the administration’s embrace of the alt-right and white supremacy, many CEO’s are asking the question “Where’s the upside” to publicly embracing the administration. From the compliance perspective, we explore the question in the context of a corporation’s ethical values, it business mission and statement for its employees and customers. Finally, we consider the documented ‘Trump Risk’ and how it is negatively impacting US businesses across the globe.

For more see Matt’ Blog post, Trump Tests Corporate America’s Commitment to Values on RadicalCompliance.com

Aug 15, 2017

If you have not seen it, I would suggest you go to see what I believe is the summer’s top movie, Dunkirk. It is great cinema, good history and presents the view of soldier on the ground from the English perspective. It unfolds on land, sea and air; in decreasing time frames of one week, one day and one hour. I was lucky enough to see it in glorious 70MM wide screen so the resolution was outstanding. There are several leadership lessons which I believe can be learned from the British (and German) experiences at Dunkirk.

Aug 14, 2017

In this episode Mike Volkov and I discuss the two official pronouncements from the Sessions’ Justice Department regarding FCPA enforcement. They were both declinations used under the FCPA Pilot Program, which was announced in April 2016. The first declination involved Linde Gas North America LLC and Linde North America Inc. Linde Gas is a wholly owned subsidiary of the Linde Group, a German based entity which is listed on multiple stock exchanges in Germany, but not listed in the US.  The second declination involved CDM Smith Inc. a privately held company, headquartered in Boston MA. As neither company is a US publicly listed entity, neither is subject to jurisdiction of the SEC. Hence both declinations were granted with the notation of declinations with disgorgement. In Linde Gas, the disgorgement amount was $7.8 million and forfeit $3.4 million, for a total of $11.2 million and in the CDM Smith declination the disgorgement amount was $4.037 million. Both declinations were superior results obtained by the companies as both had clearly violated the FCPA, for multiple years in ongoing bribery and corruption schemes.

For more on these two enforcement actions see the following:

  1. Linde in the Republic of Georgia: A Declination and Lessons Learned by Tom Fox;
  2. A Second Superior Result - CDM Smith Obtains a Declination by Tom Fox; and
  3. Justice Department Resolves Two Cases Under FCPA Pilot Program by Mike Volkov.
Aug 9, 2017

In this episode, Matt Kelly and I take a deep dive into the weeds on a Memo issued by Secretary of Defense James Mattis last week. It deals specifically with ethical conduct within the DOD and US military. It is one of the most power statements we have seen on ethics, the commitment to ethics, ethics training and the modeling of ethical behavior. It is short, only 250 words or so. We unpack the entire Memo and then engage in political speculation as to why it was released and what that may portend. Matt wrote about it earlier this week on his sight, Radical Compliance. It is so significant, I will post about it later this week. Every CCO and compliance practitioner should read Matt’s piece and the Memo.

See Matt Kelly’s blog post Secretary Mattis’ Insights on Ethics

For a copy of the Mattis Memo, click here.

Aug 8, 2017

Next I consider at how data analytics can be used for continuous improvement where the primary sales force used by a company is third parties. A clear majority of Foreign Corrupt Practices Act (FCPA) violations and related enforcement actions have come from the use of third parties. While sham contracting (i.e. using a third party to conduit the payment of a bribe) has lessened in recent years, there are related data analysis that can be performed to ascertain whether a third party is likely performing legitimate services for your company.  There are several more analytics that can be run in combination to identify suspicious third parties and some of the simplest can be to look for duplicate or erroneous payments, all of which can lead to continuous improvement.

A key to moving from detection to prevention to continuous improvement is the frequency of review. It is common for organizations to periodically review a year or more of accounts payable invoices at one time for errors or overpayments. Changing this from a one-time annual or biennial event to something that is done daily or weekly dramatically improves the value of such controls. This more frequent, preventative analysis is integral to a foundation of third party management. While many company perform periodic look-back audits, ongoing monitoring also works to accomplish the same queries on a daily or weekly basis. This allows organizations to find duplicate payments or overpayments after the invoice has been approved but prior to its disbursement. So instead of detecting a payment error three or six months after it is made, you prevent the money from leaving the company altogether.

                        Duplicate invoices are a favorite mechanism of fraudsters. Consider the following scenario, Invoice No. ABC-13, was paid for $10,597.95. Thirty days later the same vendor re-submitted the same invoice due to non-payment, but it was recorded by the payor organization without the hyphen between ABC and 13, consequently it was not detected by the system of payable controls. The problem is the second invoice had slightly different writing on the face of it, but it was for the same services and hence was a duplicate invoice. On the company side, both invoices were scanned into the company’s imaging system and queued for payment. Data analysis can locate such overpayments and identify a second payment should not be made because it is a match of one that had been previously approved.

Another analysis, which a compliance practitioner could compare using vendor name and other identifying information, for example address, country, data from a watch list such as Politically Exposed Persons (PEP) or Specially Designated National (SDN), to names and other identifying information on your vendor file. An inquiry could also be used to test in other ways such as if a vendor has the same surname as a vendor on the specially designated national terrorist list, or a politically exposed person.

Now suppose they share the same name as an elected official down in Brazil. How do we make sure that our vendor or broker is a different John Doe than the John Doe that is a politically exposed person in that country? It is only upon closer inspection where you can determine that the middle names are different and the ages are different, one of has an address is Brasilia and the other is in Sao Paulo. Without further inspection including other demographic information about your vendors, consultants or third parties and the comparing them to watch list individuals, such red flags are present but not cleared. That is what data analytics is designed to do, is to help you go from tens of thousands of “maybes” to a very small number of potential issues which need to be researched individually.

One of the important functions of any best practices compliance program is to not only follow the money but try to spot where pots of money could be created to pay bribes. Through comparison of invoices for similar items among similar vendors, data analytics uncover overcharges and fraudulent billings. Continual transaction monitoring and data analysis can prove its value through more frequent review, as individuals tend to perform better when they know they are being monitored.

The techniques used in transaction monitoring for suspicious invoices can be easily translated into data analysis for anti-corruption. Software allows a very large aggregation of suspicious payments not only by day or by month, but also by vendor or even by employee who may have keyed the invoices into your system. As these suspicious invoices begin to cluster by market, business unit or person a pattern forms which can be the basis of additional inquiry. That is the value of analytics. Analytics allows a compliance practitioner to sort and resort, combine and aggregate, so that patterns can be investigated more fully.

This final concept, of finding patterns that can be discerned through the aggregation of huge amounts of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allow you to follow the money. It can be a part of your third party ongoing monitoring as well by allowing you to partner the information on third parties who might come into your company where there was no proper compliance vetting. The opportunity for continuous improvement through a feedback loop is obvious and a clear step you should take going forward.  

Three Key Takeaways

  1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
  2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
  3. Do not forget to check names against known PEP and SDN lists. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 7, 2017

Third parties still present the highest risk around FCPA compliance. It is therefore critical that you use monitoring and auditing when it comes to continuous improvement for this high-risk area. Today I want to consider three aspects of a company’s audit program for its compliance function: the types and purpose of third-party audits, planning for third-party audits and interviewing third parties.

Aug 1, 2017

Welcome to the August edition of One Month to More Effective Continuous Improvement. As you know, each month in 2017 I am presenting a series of podcasts on one topic which will allow you to create a more effective compliance program. This month I will discuss what techniques to create continuous improvement in your compliance program. 

Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its chapter 5 Guiding Principles of Enforcement industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs (Evaluation) lists three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each was category further refined with multiple attendant questions. 

You should keep track of external and internal events which may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company, i.e. a company reorganization or major acquisition. This type of review appears to be similar to the DOJ advocacy of ongoing risk assessments. The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its custom­ers, the laws that govern its actions, and the standards of its industry. In addition, effective compliance programs, meaning those that do not simply exist on paper, but are operationalized will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” 

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

 

The 2012 FCPA Guidance goes on to make clear that each company should assess and manage its risks. It specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and SEC consider when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges. 

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. 

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue. 

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

What should you do with this information? I would suggest that you have a strategic plan in place ready to implement your findings of continuous improvement, by using the following: 

  • Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan, which the CCO should lead to determine how this goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. The “Keep it Simple Sir” or KISS method is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straight forward plan to ensure that the goal in question is being addressed.
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
  • Schedule the Next Review of the Plan. There should be a regular review of the process. It allows any problems which may arise to be detected and corrected more quickly than if meetings are held at a less frequent basis. 

It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan. 

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improve­ment and sustainability.” 

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complimentary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Jul 31, 2017

In this episode, I visit with Virginia Suveiu who counsels on legal risk management, regulatory compliance and public policy, as well as commercial and international law matters.

She is a subject matter expert on risk and developed the Legal Risk Management Specialized Studies Certificate Program for UCI Extension, where she teaches for that program as well as the Contract Management Certificate Program. She has published articles on a variety of business law matters, most recently for the National Contract Management Association’s Contract Management Magazine May 2015 issue, as well as for the National Center for State Courts and the Aerospace and Defense Forum, among others. 

There are a wide variety of risks that every corporation and compliance practitioners faces. These include regulatory risks, legal risks, reputational risks, safety risks, environmental risks, and many other types of risks. We consider whether there is one process or approach to take to on the over-arching concept of risk management or if the approach needs to be fined tuned by organization? We discuss the Legal Risk Management Specialized Studies Certificate Program, including what are the program benefits and who should attend. We explore the approach in teaching risk management. We discuss some of her current initiatives on the study of and teaching of risk.

Jul 17, 2017

In this episode, I visit with Melanie Johnson, co-founder of Elite Online Publishing, which aids entrepreneurs, business leaders, and professional athletes to create, publish, and market their books, to build their business and brand. Melanie talks about her professional journey which led to this venture and how her career in broadcasting gave her a unique understanding for the world of online publishing. She discusses using your skills and passion to develop your own business. 

Jul 14, 2017

A gap analysis is a method of assessing the differences in performance between a business' internal controls to determine whether business requirements are being met and, if not, what steps should be taken to ensure they are met successfully. Moreover, it is a determination of the degree of conformance of your organization to the requirements of an internal controls standard. A gap analysis is mainly a document review or a “show me the evidence” type activity, evidence which usually will come in the form of a record or document. During a gap analysis, there is some auditing accomplished, through key stakeholders providing the evidence they may have –or not- for each of the requirements set forth in the relevant internal controls standard.

 

Gap analysis are very often conducted at the beginning of the journey of an organization seeking compliance to an internal controls standard or it can be used as the basis for internal controls enhancement. Interestingly this can lead to more or even less internal controls, as sometimes in the realm of internal controls, less is more. The primary reason why a gap analysis is conducted at the beginning of the development phase or after some development has occurred is because the organization wants to know where they stand regarding meeting the relevant internal controls standard and they want to know specifically what they need to do to close the gaps. Companies need to understand where their gaps in internal controls are located, how large those gaps might be and what they need to do to close those holes and get closer to fully meeting the requirements of the chosen specification or standard.

 

Gap analysis is a technique that can be used to assess if an enterprise can meet its needs using its present capabilities. The capabilities that may be examined for improvement include staff competencies, facilities, applications, technical infrastructure, processes and lines of business; all with an eye towards (1) improving the compliance environment and (2) operationalizing compliance into the functional business units. 

Miriam Boudreaux posed the following, “Imagine a situation where you have been asked to improve the performance or efficiency of a particular unit of an organization. You have no clue whatsoever as to what set of factors is the real cause of the degraded performance you have been asked to improve. Identifying the gap between what is expected and what you are delivering, that is, the difference between the current state and the future state, is referred to as “Gap Analysis”.” 

She goes on to state that a “gap analysis can be defined in a number of ways, which more or less point towards the same meaning: 

  1. It is the process through which a company compares its current or actual performance to its expected performance to determine whether it is meeting its objectives and using its resources effectively. 
  1. It is a technique that businesses use to determine what steps need to be taken in order to move from their current states to their desired future states. 

From both definitions, it is evident that gap analysis is a technique that can help a business reach its peak eventually. By defining and analyzing gaps, a project team can create an action plan to move the business forward and fill performance gaps.” 

After the completion of the gap analysis there should be a report which presents a clear summary or where the major gaps exist between the company’s documentation and the internal controls requirements. It also should show a detail recount of each requirement and the degree of compliance, with corresponding actions that need to be taken to close these gaps. Here lies a major difference between an Audit report for example and a gap analysis report: the gap analysis report has some inherent advice to it, which makes it suitable to be accomplished by consultants or experts in the chosen specification or standards. 

Another way to consider a gap analysis is the steps you should take. These include: 

  1. Accurately defining the future goals: If you are not clear about the organization’s goals, all your efforts will be in vain. The first and foremost thing to be done is to identify what exactly the goals of the business are and the changes needed to achieve these goals. If the goal is not clear, the improvement exercise will keep on deviating from its desired path. 
  1. Identifying the current scenario and associated issues: To reach the place you desire, you should first assess where you are located in your internal controls regime. For example, a failure to see the real reason behind the poor compliance performance of your business units may affect profit and growth on the long run. At this stage, the analyst may organize brainstorming sessions, employee interviews, document review sessions to gain insight into present challenges. Only after a comprehensive definition of present challenges can one get a clear picture of the situation. 
  1. Devising the action plan: Now that you know the present and future expectations, you can think of the how factor, which is in form of a plan. How will you implement the action plan to close the identified gaps? The solutions may include several steps like hiring more employees, procuring extra machines and equipment, offering perks and incentives to get the best out of employees and so on. 
  1. Report: Finally, you will want to report your findings with the appropriate data and analysis presented. To do this, you may wish to use our gap analysis report template. In your report, you will include things like the background of the company and analysis, problems that have occurred, and even reasons for undertaking the analysis. Then, you will present your findings, showing the strategic objectives, current standing, deficiencies, and whether the current situation is acceptable. If the situation is unacceptable, you will present a course of action for improvement. Finally, all your analysis will be backed up with the data gathered during the analysis.

Three Key Takeaways

  1. Be prepared to require evidence from key stakeholders.
  2. Use a multistage approach to a gap analysis.
  3. To get to where you want to be, you have to know where you are.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jun 26, 2017

In this episode, I visit with James Gellert, CEO of RapidRatings, a company which uses a financial dialogue to determine third party supplier health and viability. Gellert explains what supply chain resilience is and how can examining financial health of your suppliers can lead to a more financially efficient supply chain. We then discuss the company’s third party risk management tools. We consider how a company might evaluate a potential purchaser, partner or someone buying a part of a business. Finally we have a lengthy discussion of how a corporate compliance function use the health of a third party as a tool to determine third party compliance risk? 

For more information on RapidRatings, check out their website by clicking here.

1 2 3 Next »