FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
Dec 31, 2017

This entry provides a wrap-up on written standards, with a discussion of policies on cybersecurity. Cybersecurity has become so critical for corporations that the CCO and many compliance practitioners are now required to deal with this issue.

Cybersecurity policies are the newest area to fall into the lap of the compliance professional. Fortunately, the State of New York's Department of Financial Services (DFS) has issued the first state-level regulations on cybersecurity for financial institutions. They became effective March 1, 2017, and while they are designed to protect financial services industries and consumers, they also apply to and provide guidance for a wider variety of non-financial service companies and commercial enterprises. The regulation mandates that your overall cybersecurity policy be designed to meet three goals: to prevent, detect and remediate a cybersecurity event.

While the regulation is obviously geared towards financial services firms, there are several points that any non-financial services compliance practitioner should consider. The overall cybersecurity program should be designed to meet the three goals of any best practices compliance program: (a) prevent cybersecurity breaches or failures; (b) detect cybersecurity events; and (c) remediate by responding to identified or detected cybersecurity events to mitigate any negative effects, recovering from them and restoring normal operations and services. An added requirement for cybersecurity is notification of the appropriate regulatory authorities.

Your written policy should be based on a risk assessment, taking the following factors into consideration: “(a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.”

There should be a corporate officer position, reporting to the Board of Directors, whose holder reports to the Board on the following topics: (1) the confidentiality, integrity and security of the information systems; (2) the cybersecurity policies and procedures; (3) material cybersecurity risks; (4) the overall effectiveness of the cybersecurity program; and (5) any material cybersecurity events. The cyber compliance team must all show proficiency in the discipline and keep abreast of cybersecurity developments.

For ongoing monitoring, there should be annual penetration testing and biennial vulnerability assessments. Finally, there must be annual risk assessments designed to test: (1) identified cybersecurity risks and threats; (2) criteria for the assessment of the confidentiality, integrity, security, availability and adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.

If a company allows a third-party provider to have access to or hold its data, it must perform an evaluation of that third-party provider in the following areas: (1) identification and risk assessment of the third-party provider; (2) minimum cybersecurity practices that the third-party provider must meet in order to do business with the company; (3) due diligence processes used to evaluate the adequacy of the third-party provider's cybersecurity practices; and (4) periodic assessment of the third-party provider based on the risk they present and the continued adequacy of their cybersecurity practices. There should also be effective training and ongoing monitoring requirements for employees of impacted third-party providers.

All of the above should sound quite familiar to any anti-corruption compliance professional. Yet this DFS regulation should also be studied as a roadmap for the inevitable cybersecurity and InfoSec compliance which is just down the road for non-financial services industries. The third-party providers are particularly critical, as many major data breaches have occurred through connected third parties. One need only think of examples from the Target data breach to the looting of the Central Bank of Bangladesh through the New York Federal Reserve Bank.

Three Key Takeaways

  1. CCOs and compliance professionals need to be ready to take on cybersecurity policies and procedures.
  2. Cybersecurity policies and procedures should strive to prevent, detect and remediate cybersecurity events and failures.
  3. Do not forget the lesson from the Target data breach; you are only as secure as your weakest third-party link.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Dec 30, 2017

The next area for policies is extortion payments, which are completely exempted from the FCPA. Extortion payments are made in response to any action which threatens life, liberty or health and demands payment. These should be exempted from your facilitation payments and your compliance program through specific language. You need to do this for a variety of reasons. First and foremost, your employees must understand that the company will support them if they are in any way threatened with harm, arrest or physical detention, or if their health or safety is threatened. As a compliance professional, you need to make sure employees understand that they should do whatever they must to get themselves out of such a situation.

Some of the situations your employees might face are along the lines of the following:

  • Employees are stopped by police, military or paramilitary personnel, or militia (uniformed or not) at designated or other checkpoints or other places and a payment is demanded as a condition of passage of persons or property;
  • Employees are threatened with arrest or detainment; or
  • Employees are asked by persons claiming to be security personnel, immigration control, or health inspectors to pay for an allegedly required inoculation or other similar procedure.

I once had a situation where an employee was threatened with receiving a vaccination for yellow fever when they were departing a west African country. The employee paid some $85 to get out of that situation. I instructed him to submit it as a travel expense, writing out the event in a four-sentence paragraph attached to his expense report. The documentation proved that the payment was not a facilitation payment. It was clearly an extortion payment.

The key, though, is that it be properly documented. But beyond simple documentation, you must specifically list extortion payments in your books and records so you will be in compliance with the books and records requirement of the FCPA to accurately record your expenses. You need to train your employees specifically on the actions to take both when they are put in the situation and when they return to their office. State in your policy that if there is a threat to health, safety or liberty, the payment is not a facilitation payment but an extortion payment. Make sure employees understand what their rights are and what their obligations are to report it when they come back to the corporate office or their own office. Always remember, an extortion payment is not an FCPA violation.

Three Key Takeaways

  1. Extortion payments are not illegal under the FCPA.
  2. Was the action an extortion or some other type of situation?
  3. Document, document, document your extortion payments: both the financial component and a description of the underlying events.

This month’s sponsor is the Doing Compliance Master Class. In 2018, I am partnering with Jonathan Marks and Marcum LLC to put on training. Look for dates of one of the top compliance related training going forward.

Nov 15, 2017

Welcome to Episode 5 of the Compliance Man Goes Global podcast of FCPA Compliance Report International Edition. In this episode, we focus on typical concepts (or probably myths) of ways a Compliance professional might become a more valuable member of the management team rather than becoming the most hated person in the organization.

Tom: To start with, Tim, probably we should explain to our listeners why we called our today’s episode ‘You Really Like Me’?

Tim Khasanov-Batirov:  We call today’s episode “You Really Like Me!” remembering Sally Field’s gushing acceptance speech at Oscar ceremony. The funny thing is that sometimes even in-house Compliance people have a strong wish to exclaim after her something like: “I haven't had an orthodox career, and I've wanted more than anything to have your respect. The first time I didn't feel it, but this time I feel it—and I can't deny the fact that you like me, right now, you like me!"      

Tom: OK, Tim, let’s see if this is possible in reality or would remain just a dream of Compliance officers globally.

Myth #1 There is a chance that Compliance officer could avoid being named the most hated person in the organization.  Tim, do you agree with this statement?

Tim Khasanov-Batirov: Let’s try. I think we have some pros here:  

Argument #1.

A Compliance professional can avoid being the most hated person if personnel along with top management understand the role of Compliance function in the organization. Unless a Compliance professional delivers a clear message about risks he or she manages and value they bring, they are dependent on subjective views of other team members. We have depicted this situation in the attached release of Compliance Man illustrated series.    

Argument #2.

You might think about setting KPIs based on respective regulatory requirements, referring for instance to the 10 Hallmarks of the Effective Compliance Program or the Evaluation of Corporate Compliance Programs. This will allow you to set criteria which could be used for unbiased and verifiable evaluation of your efforts.

Tom:  I think, Tim that there are some cons here as well:

Argument #1

As we know, there is no way people will like a Compliance officer all the time. Subject to particular situation or position, the Compliance professional’s managers might change their minds. So we should not have illusion of being most loved person constantly.


Argument #2

There is a big risk if Compliance person becomes too friendly with the employees and becomes co-opted by the business folks. This could lead to losing impartiality. Therefore, there is a very thin line between being business-oriented ethics professional and attempts just to ‘get likes’ from management.   

Tim: Tom, I agree with you.

Tom: Let’s go, Tim. We can formulate the next concept or maybe misconception in the following way:

Myth #2. In real life, Compliance officer de-facto is not able to become a member of managerial team (or just “team” so to say) being isolated from it by virtue of his “business prevention” mission. Tim, will you agree with this concept?

Tim: I strongly disagree with this concept.

Argument #1.

In my view, the Compliance department in many cases is called a “Business prevention unit” not because of being very strict and picky. It is because of not fully understanding the business processes involved. As soon as the compliance officer starts to hear other team members, he will be able to suggest solutions which are compliant and business oriented at the same time.

Argument #2.

It is about priorities. Management team should clearly see that Compliance officer is focusing on real regulatory risks and priorities rather than creating a useless bureaucracy regarding minor issues, which in many cases could be easily resolved.    

What are your views, Tom?

Tom: I have some pros to support the concept that in reality Compliance officer is not just another member of the business team.

Argument #1.

We have a special mission to assess business from an external, in the majority of cases regulatory, perspective. Thus, many things which at first glance might look good for business could pose regulatory risk in the future. Thus, the Compliance person is in charge of demonstrating a high-level or strategic view rather than solely looking at momentary business advantages.

Argument #2.

Compliance is a relatively new job in comparison to well-established corporate functions such as a Legal Department or even Internal Audit. So even by the mere fact of being a “newcomer” the Compliance Officer differs from almost all members of the management team, which represent “traditional” occupations.

Tim: Agreed, Tom. As key takeaways from today's discussion, I think we can mention the following:

  • Compliance officer should be a business-oriented person with good understanding of business processes along with clear views on how to structure them in line with regulatory expectations.

Nov 1, 2017

Welcome to Day One of 360 degrees of communication in compliance. This month you will learn about techniques that the CCO can use not only to provide a well-rounded role as a CCO but also to facilitate a much more holistic approach to compliance in your organization. Best of all, the techniques discussed are largely available to you at little to no cost. There are things that you can do both in your method of running the CCO position and innovations that you can bring to the compliance function in your organization.

A 360-degree view of compliance is an effort to incorporate your compliance identity into a holistic approach so that compliance is in touch with and visible to your employees at all times. It is about creating a distinctive brand philosophy of compliance which is centered on your consumers, in other words the customers of your compliance program, i.e., your employees. It helps you anticipate all aspects of your employees' needs around compliance, especially when compliance is perceived as new, perceived as something that comes out of the home office, or perceived as the Land of No. It gives you the opportunity to build a new brand image for your compliance program.

Social media is a big part of a 360-degree view, so there will be a focus on the use of social media in compliance and how it can facilitate your compliance program through your compliance messaging. I will discuss some specific social media tactics that have been successfully used by companies. We will consider the culture of compliance and the clash of different cultures that an organization may have, particularly through mergers and acquisitions but also internally through organic growth, and how a 360-degree view can help overcome this. Storytelling in compliance is another mechanism which is facilitated through a 360-degree view.

Other issues to be considered include: how can a 360-degree view of communication facilitate your role as a leader in your company and in your compliance program? What are the techniques which can provide a holistic approach to your compliance function? What is the two-way street approach wedded to the benefit of 360 degrees of compliance and communication? Communication is much more powerful when it is a two-way street. Such a view also allows you to gather information from your customer base, once again your employees, back up to your compliance program and incorporate that feedback loop directly into your compliance program going forward.

There are several concepts which should be included in your 360-degree view of communications in compliance. Begin with an objective, so that you identify the purpose of your communication and the target you are going to communicate to. Identify the purpose and reason as clearly as you can to ensure your message is aligned with your objectives. For instance, are you implementing a 360-degree view of communication to educate, inform, change perceptions or build trust and commitment?

Next, who is your audience? To communicate effectively you need to understand your audience. In any corporation there are multiple audiences who are the key stakeholders in the 360-degree process. How much do they know? Some of the stakeholders include the Board of Directors, senior management, middle management, employee teams, committees, coaches, facilitators, customers, business partners, vendors, sales agents and representatives, strategic alliances and business ventures. What are your distribution channels and how do you track your messaging? You should create a comprehensive spreadsheet to track the messages, the intended audience and the delivery mechanism. Another key ingredient of the 360-degree approach is feedback. This is a key component of the 360-degree experience, and you should educate each stakeholder on the benefits of feedback from the 360-degree approach.

Finally, you need to evaluate what you have done. You can monitor your communication activities by tracking attendance at events, website statistics, open rates of emails, downloads of materials and video hits; in other words, the same techniques that your marketing folks would use to determine their messaging's effectiveness. The objective is to build trust for the 360-degree process by determining whether the goal was achieved. You can utilize surveys or focus groups to assess the impact on your target audience. By focusing on the customers of compliance, i.e., your employees, you can identify gaps and improve the communication process for your compliance program.

Three Key Takeaways 

  1. Remember the definition of 360 degrees of compliance communications. It is an effort that incorporates the compliance identity into a holistic approach so compliance is in touch with and visible to your employees at all times.
  2. What is your objective? What are you trying to do with your 360-degree view of compliance communications, and how are you using that mechanism to deliver the objective your compliance program desires?
  3. Evaluate. You need to evaluate whether the message has been delivered, whether it has been heard and whether it is being implemented.

This month’s podcast series is sponsored by Dun & Bradstreet.  Dun & Bradstreet’s compliance solutions provide comprehensive due diligence reporting and analysis to reduce your risk of working with fraudulent companies by accessing a company’s beneficial ownership, reputation risk and more.  For more information, go to dnb.com/compliance.

Oct 12, 2017

Your company has just made its largest acquisition ever and your Chief Executive Officer (CEO) says that he wants you to have a compliance post-acquisition integration plan on his desk in one week. Where do you begin? Of course, you think about the 2012 FCPA Guidance but remember that it did not have the time lines established in the recent enforcement actions involving Johnson & Johnson (J&J), Pfizer and Data Systems & Solutions LLC.

While the time frames listed in these Deferred Prosecution Agreements (DPAs) are a guide, what many compliance professionals struggle with is how to perform these post-acquisition compliance integrations. In an article from the Harvard Business Review, entitled “Two Routes to Resilience”, Clark Gilbert, Matthew Eyring and Richard Foster wrote about business transformation in a way that speaks directly to the compliance practitioner seeking to create a post-acquisition integration game plan.

The authors reviewed the situation where an entity must transform itself, leading to a transformation the authors call “establishing a ‘capabilities exchange’ - a new organizational process that allows the two efforts to share resources without interfering with each other’s operations.” That is what a compliance practitioner must accomplish through a post-acquisition integration in the compliance context.

Anyone who has gone through a large merger or acquisition knows how terrifying it can be for the individual employee. Many people, particularly at the acquired company, will be fearful of losing their jobs. This fear, misplaced or well-founded, can lead to many difficulties in the integration process. The answer is the creation of a Compliance Capabilities Exchange process, which allows “the two organizations to live together and share strengths” and coordinates “the two transformational efforts so that each gets what it needs and is protected from [unwanted] interference by the other.” There are five steps in this process.

  1. Establish Compliance Leadership. This may be the “simplest step but also the one most open to abuse.” The process should be run by just a few top people, which I believe are the Chief Executive Officer, Chief Financial Officer and Chief Compliance Officer of the acquiring company and their counterparts from the acquired company.
  2. Identify the compliance resources the two organizations can or need to share. Hopefully the acquiring organization will have some idea of the state of the compliance program before the deal is closed. It may be that some or all of a minimum best practices compliance program is in place. If so, attention needs to turn to what can continue and what will need to be integrated.
  3. Create Compliance Capability Exchange Teams. In many “synergy efforts, everyone is expected to think about ways resources might be shared.” In Compliance Capability Exchanges, the responsibility should be “carefully confined to a series of teams.” Senior leadership should create compliance teams by assigning a small number of people from both entities the responsibility of allocating the resources used in the integration project.
  4. Protect Boundaries. This one is tricky, as employees from the former target may not want to move forward with the integration, for fear of losing their jobs or for some other reason. There may be internal disputes as to which group will handle an issue going forward. This area is also tricky because it is important not to alienate new employees who might have good ideas on the integration or how to move forward. Once again, the Leadership Team must step in and referee disputes decisively if required.
  5. Scale up and promote the new compliance program. It is important to celebrate and promote the new entity to the acquiring company, others in the company and even external stakeholders. It is important that markets and others in the same or similar industry see this evolution and growth. Take the time to publicize the integrated compliance function with the internal customer, i.e., company employees. This would include all other compliance stakeholders, including third party representatives, both on the sales and supply chain sides of the house, and even customers. Finally, be sure to inform your management, Board of Directors and regulators, such as the Department of Justice (DOJ), as appropriate.

Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as practicable. The earlier you can deploy these steps, the better off your company will be at the end of the day. An Ernst & Young white paper, entitled “Increased Oversight of M&A: An Expanding Role for Audit Committees”, stated that “Failed M&A can destroy a company's market value, destabilize its financial position and credit ratings, impair its strategic position, weaken the organization and damage the company's reputation”. This is particularly true for failed M&A compliance. One need only consider the Latin Node FCPA enforcement action, where the acquiring company had to write off its entire investment.

Three Key Takeaways

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes. 

This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Oct 10, 2017

Today I want to look at what you should do with the information that you obtain in your pre-acquisition compliance due diligence. Jay Martin, Chief Compliance Officer (CCO) at Baker Hughes, a GE company, suggests an approach that reviews key risk factors to decide whether to move forward. Martin has laid out 15 key risk factors of targets under an FCPA analysis, which he believes should prompt a purchaser to conduct extra careful, heightened due diligence or, under extreme circumstances, even reconsider moving forward with an acquisition.

  1. A presence in a high risk country, for example, a country with a Transparency International CPI rating of 5 or less;
  2. Participation in an industry that has been the subject of recent anti-bribery or FCPA investigations, for example, in the oil and energy, telecommunications, or pharmaceuticals sectors;
  3. Significant use of third-party agents, for example, sales representatives, consultants, distributors, subcontractors, or logistics personnel (customs, visas, freight forwarders, etc.);
  4. Significant contracts with a foreign government, state-owned or state-controlled entities;
  5. Substantial revenue from a foreign government, state-owned or state-controlled entity;
  6. Substantial projected revenue growth in the foreign country;
  7. High amount or frequency of claimed discounts, rebates, or refunds in the foreign country;
  8. A substantial system of regulatory approval, for example, for licenses and permits, in the country;
  9. A history of prior government corruption investigations or prosecutions;
  10. Poor or no anti-bribery or FCPA training;
  11. A weak corporate compliance program and culture, from legal, sales and finance perspectives at the parent level or in foreign country operations;
  12. Significant issues in past compliance audits, for example, excessive undocumented entertainment of government officials;
  13. The degree of competition in the foreign country;
  14. Weak internal controls at the parent or in foreign country operations; and
  15. In-country managers who appear indifferent or uncommitted to U.S. laws, the FCPA, and/or anti-bribery laws. 

In evaluating answers to the above inquiries, or to those you might develop on your own, you may also wish to consider some type of risk rating for the responses, to better determine the amount of risk that your company is willing to accept. To do so you will need to both assess risk and subsequently evaluate that risk. Risks should initially be identified and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the post-acquisition remediation plan going forward. A risk-rating guide similar to the following can be used.

LIKELIHOOD

Likelihood Rating | Assessment     | Evaluation Criteria
1                 | Almost Certain | Highly likely; this event is expected to occur
2                 | Likely         | Strong possibility that an event will occur, and there is sufficient historical incidence to support it
3                 | Possible       | Event may occur at some point; typically there is a history to support it
4                 | Unlikely       | Not expected, but there is a slight possibility that it may occur
5                 | Rare           | Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: the existence of compliance internal controls and written policies and procedures designed to mitigate risk; leadership capable of recognizing and preventing a compliance breakdown; compliance failures or near misses; and/or training and awareness programs. The product of the ‘likelihood’ and significance ratings reflects the significance of a particular risk within the risk universe. It is not a measure of compliance effectiveness, nor a means to compare efforts, controls or programs against peer groups.

The key to such an approach is the action steps prescribed by their analysis. This is another way of saying that the pre-acquisition risk assessment informs the post-acquisition remedial actions to the target’s compliance program. This is the method set forth in the 2012 FCPA Guidance. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the mergers and acquisitions arena. The model is a reasoned approach and can provide the articulation needed to explain which steps were taken.

It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company attempt to protect itself through the most robust contract provisions that it can obtain. These would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include representations and warranties in the final sales agreement for the entire target company that its participation in transactions is permitted under the local law where the transaction took place; that there is an absence of government owners in the company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a representation that all the books and records presented to the acquiring company for review were complete and accurate.

To emphasize all of the above, the DOJ stated in the Pfizer Deferred Prosecution Agreement (DPA), in the mergers and acquisition context, that a company is to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence is conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition for reasons beyond a company’s control, or due to any applicable law, rule, or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.

Three Key Takeaways

  1. Create a list of key risk factors in your protocol.
  2. Create a forced risk ranking, but remember it is simply that, a forced risk ranking.
  3. Your pre-acquisition team should include a suitable combination of legal, accounting, and compliance personnel.


This month’s podcast series is sponsored by Michael Volkov and The Volkov Law Group.  The Volkov Law Group is a premier law firm specializing in corporate ethics and compliance, internal investigations and white collar defense.  For more information and to discuss practical solutions to compliance and enforcement issues, email Michael Volkov at mvolkov@volkovlaw.com or check out www.volkovlaw.com.

Sep 29, 2017

As I end this section on innovation, I want to conclude by laying out a road map which allows a CCO or compliance practitioner to make a corporate compliance program more effective and to better operationalize it. With the DOJ’s Evaluation of Corporate Compliance Programs and its emphasis on operationalizing your compliance regime, innovation is an important tool for you to use in this journey, yet one that I believe is too often overlooked. One of the best recent roadmaps I have seen was suggested by LRN Corporation’s 2016 Ethics and Compliance Program Effectiveness Report.

The Report detailed four key findings which are symptomatic of an operationalized compliance program. Susan Divers, Senior Advisor at LRN Corporation, noted that the overarching theme is that ethics and compliance “programs centered on values are more effective than ones that aren’t. A values-based approach toward shaping culture emphasizes and sets expectations, not just about what can and cannot be done according to rules, but rather what should and should not be done in alignment with core beliefs. In rules-based environments, that is, everyone’s job is to do the next thing right—to act correctly. In values based environments, in contrast, everyone’s job is to do the next right thing—to act morally.”

It is this drive to burn compliance into the DNA of an organization that fully operationalizes compliance. Think of any recent scandal, Volkswagen (VW), Wells Fargo, Valeant, Uber or whichever one you name: how much better off the company would have been if an employee had simply done the right thing instead of taking the illegal action. The four findings were:

The most effective E&C programs are embedded in business operations. Divers pointed out that it is critical that a company think “about ethics and compliance and values as part of your brand.” By doing so, each level in a company will understand its role going forward, from the Board of Directors to senior management, middle management and the employee base. Moreover, the company will train, develop and promote an ethics and compliance program through each of these levels.

Susan Divers provided an insightful example, “I think if I were to use one word to characterize all of them together, it would be holistic. The first one of embedding your ethics and compliance programs in your business operations, one big piece of that is your brand. For example, Volkswagen used to have a fantastic brand. You thought of Volkswagen and you thought of basically a green car, and one that was well engineered. Now it’s a massive fraud. One headline I saw called it Hoaxwagen.”

The most successful ethics and compliance programs use a variety of channels to convert guidance into practice. An effective compliance program will communicate the corporate ethics and compliance values through multiple channels throughout the company, on an ongoing basis. This speaks not only to upward and downward communications within an organization but also to inbound and outbound communications with the company as well. But more than simply saying there should be communication, the Report also assesses how communications occur by inquiring into the clearness and conciseness of messages and whether an organization uses more effective communication techniques such as shorter, more frequent training modules or facilitated workshops as opposed to rote one-hour lectures from lawyers.

Communications can be made in other, more subtle manners. Consider what actual behaviors the conduct of leadership demonstrates. Divers said that at LRN, “We’re not so fond here of tone at the top. We’re more fond of actions at the top, because tone can be one thing and actions are another. Looking at whether managers’ ethical behavior counts in terms of promotion and bonuses, that’s really where the rubber meets the road in a lot of places, and that makes a huge difference. Another aspect of that is making middle managers accountable for ethics and compliance in their business, and the good programs coach people in that aspect. That’s really some of the key aspects we looked at for how you embed in business ops.”

High-performing programs proactively convert regulatory guidance into practice. I found this to be one not often enough discussed, as many compliance practitioners struggle to convert DOJ pronouncements, comments or lessons learned from FCPA enforcement actions into practical guidance. The most effective compliance programs internalize such guidance from prosecutors and regulators and continuously improve. Here one might consider an example torn from the headlines: when the Wal-Mart corruption scandal in Mexico broke, I called one CCO the next day, who told me he had already put a PowerPoint presentation in front of his senior management about the perils of finding your corporate name splashed across the front page of the New York Times accusing your organization of bribery and corruption.

Divers considered this finding from another perspective. She stated, “You have to look for the actual challenge the people view in the company, whether that’s sales force, or other disciplines. There in lots of different ways and in positive ways, not just negative ways. One of the things we did, which we didn’t just tell people that serious actions meant this, we looked at actual business cases where people had done the right thing and made the right choices to comply with regulations, and that’s very powerful for modeling. Another aspect of that is how you embed your Code of Conduct. Do you just put it out on the website and say, “Great, here it is. Read it,” or you have discussion? Obviously, those are more effective.”

High-performing programs spread their impact broadly, recognizing that it is the whole organization that needs to be engaged in ethics. This finding considers whether an organization has moved away from a “silo-based approach to ethics and compliance.” It did so by reviewing how the different corporate functions work as catalysts for imbuing your organization’s values in their specific corporate discipline. Here Divers related that “high performing programs aren’t sitting in a closet somewhere, only visited when there’s an ethics issue. High-performing programs are out there. They work across the corporation with human resources, with internal audit, with legal, and even with sales and marketing, and finance and accounting, to make sure that ethics are a part and parcel of business operations.”

This month I have reviewed a variety of innovations in compliance, from innovations in structure and the use of social media tools and concepts to new and different ways to consider your internal resources as a way to innovate in your compliance regime. The DOJ has consistently said that a compliance program must evolve. It must evolve to meet new or updated risks, new opportunities or different regulations. Innovation is one of the best ways to evolve. Finally, and perhaps most importantly as a compliance practitioner, always remember that you are only limited by your imagination.

Three Key Takeaways

  1. Innovation is one of the most overlooked and under-utilized tools in compliance.
  2. Operationalizing your compliance program will require innovation in your compliance program going forward.
  3. As with most CCO initiatives, you are only limited by your imagination.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 15, 2017

Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including: 

  1. Equifax continues to be in the news. Ben DiPietro reports from the compliance perspective in two articles from the WSJ Risk & Compliance Journal, see here and here.
  2. Julie DiMauro interviews Philip Urofsky on the US commitment to enforcing the FCPA. See her article in the FCPA Blog.
  3. A new scorecard is out on the amounts of money paid as bribes by the Brazilian construction company, Odebrecht. See article by Dick Cassin the FCPA Blog.
  4. On the intersection of Uber and Hell. See article by Tom Fox in Compliance Week (sub req’d).
  5. Sushi and money-laundering. The increasing intersection of AML and anti-corruption compliance. Sam Rubenfeld reports in the WSJ Risk & Compliance Journal.
  6. Matt Kelly joins us for an emergency rant and to announce the birth of the latest addition to the Kelly Clan.
  7. Want to be a Kleptocrat? The Mintz Group has developed an app “Kleptocrat” available in the Apple app store. Sam Rubenfeld reports in the WSJ Risk & Compliance Journal.
  8. Cleveland Indians set the AL mark for consecutive wins, now go for the MLB record.
  9. Is Thursday night football dead? It might be after the Texans deliver one of the ugliest wins ever on the Thursday night national stage.
  10. This month’s podcast series on One Month to a More Effective Compliance Program is in full production. In September, I am reviewing innovations for your compliance program. This week’s topics include embracing agile in your compliance program, design thinking in compliance, how Kaizen can improve your compliance program, disruption in compliance and superforecasting for better risk management. Oversight Systems is this month’s sponsor. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  11. The Jay Rosen weekend report preview: storytelling in compliance.

Sep 8, 2017

One of the most constant things that I have observed in my 10+ years of practice in the compliance space is its constant evolution. Compliance techniques and practices which were considered cutting edge when I began have moved to standard fare and are now largely minimum practices. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have mirrored this evolution not only in how they view compliance programs but also in their own enforcement regimes and protocols. Today I want to consider agile innovation methods for your compliance program.

According to a Harvard Business Review (HBR) article, “Embracing Agile,” by Darrell K. Rigby, Jeff Sutherland and Hirotaka Takeuchi, agile methodologies “involve new values, principles, practices and benefits and are a radical alternative to command-and-control-style management.” This is accomplished by taking employees “out of their functional silos and putting them in customer-focused multidisciplinary teams”. As the customers of the compliance function are the company’s employees, I think the transition can be made.

One of the most basic problems is that business executives understand only enough about agile to be dangerous, but they do not understand the comprehensive approach that needs to be taken. This means that senior management will continue the same management practices that in fact work to undermine the agile process. The authors suggest the solution is for executives to learn the basics of the agile process and understand the conditions in which it does or does not work. They should begin with a small team and project and let the operation spread organically.

Some of the right conditions for the success of an agile initiative in the compliance arena are as follows. You should have the right market environment for the project. This means you need to have your internal customers involved and allow feedback to change any proposed solution. You must be willing to innovate, particularly if there are complex compliance problems involved. You will need to break down the solutions into digestible chunks, which may actually change the scope, but through cross-functional employee collaboration you can have appropriate creative breakthroughs.

Digestible chunks will allow you to have incremental developments, which can be tested and then rolled out for use by your employee base. As your internal customers use the innovations, the work cycles can be broken down further so both testing and innovation can continue unabated. This allows a continual feedback loop so that late changes in the innovation can be managed and incorporated going forward. Finally, if there are interim mistakes, they can be a valuable source of lessons learned going forward.

An example might be around compliance training, a topic oft-times commented upon as rote and something employees simply have to get through. Some commentators have characterized such training as a basic ‘tick the box’ exercise simply to get government credit. While such commentary fails to understand the benefits of communication through training, it does point up the issue of the stiltedness of compliance training.

An approach to this might be to put together an agile team to look at training, so that compliance could create topical training in a few days to respond to market or other conditions, separated out by the challenges met in various product lines or geographic areas. This innovation can include budgets as well, making your compliance function more cost effective through innovation.

Another concept is to start small and let the word spread. This is antithetical to many large companies that “launch change programs as massive efforts” largely because the project sponsors feel that if they do not do so, the rest of the company will divine that the effort is not really supported by senior management and respond accordingly. However, the authors suggest “agile might spread to another function, with the original practitioners acting as coaches. Each success seems to create a group of passionate evangelists who can hardly wait to tell others in the organization how well agile works.” 

The C-Suite has a role as well by practicing agile at the top of the organization so not only could senior management provide new techniques through an agile exercise, they could learn how to support more fully the compliance function which might engage in an agile review. “Senior executives who come together as an agile team and learn to apply the discipline to these activities achieve far-reaching benefits. Their own productivity and morale improve. They speak the language of the teams they are empowering. They experience common challenges and learn how to overcome them. They recognize and stop behaviors that impede agile teams. They learn to simplify and focus work. Results improve, increasing confidence and engagement throughout the organization.”

There are three succinct benefits. First, by having senior management involved in an agile exercise, it would allow them to “catch up with the troops” and to reprioritize their efforts going forward to be better aligned with the real-time nature of agile. Second, it allows a speedier corporate transition, as it lets employees know whether management is in tune with what the employees care about going forward. Finally, it can present clear alignment of departments and functions on a common vision. I can think of no greater strength for the compliance function to rely upon. This can be used to help senior managers break out of their “silos in today’s overspecialized organizations-for general management roles.”

The authors conclude by noting the need to destroy barriers to agile. They list five pointers. First “get everyone on the same page” which they believe is the key responsibility of management. Second is not to change structures but to change roles so that internal company disciplines “can learn to work together simultaneously, rather than separately and sequentially.” Next is to name only one boss for each decision as in the agile operating model it must be “crystal clear” who can make the final decision. Penultimately, your agile exercise should focus on teams not individuals because it is the team’s collective intelligence that brings the power to an agile exercise. Finally, lead with questions not orders. Here the authors cite to General George S. Patton, who “famously advised leaders never to tell people how to do things: “Tell them what to do, and they will surprise you with their ingenuity.”” 

The agile exercise will probably not work in a compliance function under the thumb of the corporate legal department, as innovation is typically not in the remit of legal. However for a compliance function that desires to bring new and unexpected ways of doing compliance to your organization, going through an agile exercise might be just the thing to move compliance into the very DNA of your organization. 

Three Key Takeaways

  1. Agile compliance involves new practices and benefits and is a radical alternative to command-and-control-style management.
  2. Agile compliance allows you to take small, digestible steps.
  3. Agile compliance works at the top. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Aug 16, 2017

In this very topical episode Matt Kelly and I take a deep dive into the administration’s response to the events over the weekend in Charlottesville and what it means for business leaders, compliance practitioners and others going forward. With the resignation of Ken Frazier, CEO of Merck, and others from the administration’s voluntary business council, due to the administration’s embrace of the alt-right and white supremacy, many CEOs are asking the question “Where’s the upside” to publicly embracing the administration. From the compliance perspective, we explore the question in the context of a corporation’s ethical values, its business mission and its statement for its employees and customers. Finally, we consider the documented ‘Trump Risk’ and how it is negatively impacting US businesses across the globe.

For more see Matt’s blog post, Trump Tests Corporate America’s Commitment to Values, on RadicalCompliance.com.

Aug 15, 2017

If you have not seen it, I would suggest you go to see what I believe is the summer’s top movie, Dunkirk. It is great cinema, good history and presents the view of the soldier on the ground from the English perspective. It unfolds on land, sea and air, in decreasing time frames of one week, one day and one hour. I was lucky enough to see it in glorious 70mm wide screen, so the resolution was outstanding. There are several leadership lessons which I believe can be learned from the British (and German) experiences at Dunkirk.

Aug 14, 2017

In this episode Mike Volkov and I discuss the two official pronouncements from the Sessions Justice Department regarding FCPA enforcement. They were both declinations issued under the FCPA Pilot Program, which was announced in April 2016. The first declination involved Linde Gas North America LLC and Linde North America Inc. Linde Gas is a wholly owned subsidiary of the Linde Group, a German-based entity which is listed on multiple stock exchanges in Germany, but not listed in the US. The second declination involved CDM Smith Inc., a privately held company headquartered in Boston, MA. As neither company is a US publicly listed entity, neither is subject to the jurisdiction of the SEC. Hence both declinations were granted with the notation of declinations with disgorgement. In Linde Gas, the disgorgement amount was $7.8 million and the forfeiture $3.4 million, for a total of $11.2 million, and in the CDM Smith declination the disgorgement amount was $4.037 million. Both declinations were superior results obtained by the companies, as both had clearly violated the FCPA for multiple years in ongoing bribery and corruption schemes.

For more on these two enforcement actions see the following:

  1. Linde in the Republic of Georgia: A Declination and Lessons Learned by Tom Fox;
  2. A Second Superior Result - CDM Smith Obtains a Declination by Tom Fox; and
  3. Justice Department Resolves Two Cases Under FCPA Pilot Program by Mike Volkov.

Aug 9, 2017

In this episode, Matt Kelly and I take a deep dive into the weeds on a Memo issued by Secretary of Defense James Mattis last week. It deals specifically with ethical conduct within the DOD and US military. It is one of the most powerful statements we have seen on ethics, the commitment to ethics, ethics training and the modeling of ethical behavior. It is short, only 250 words or so. We unpack the entire Memo and then engage in political speculation as to why it was released and what that may portend. Matt wrote about it earlier this week on his site, Radical Compliance. It is so significant that I will post about it later this week. Every CCO and compliance practitioner should read Matt’s piece and the Memo.

See Matt Kelly’s blog post Secretary Mattis’ Insights on Ethics

For a copy of the Mattis Memo, click here.

Aug 8, 2017

Next I consider how data analytics can be used for continuous improvement where the primary sales force used by a company is third parties. A clear majority of Foreign Corrupt Practices Act (FCPA) violations and related enforcement actions have come from the use of third parties. While sham contracting (i.e. using a third party as a conduit for the payment of a bribe) has lessened in recent years, there are related data analyses that can be performed to ascertain whether a third party is likely performing legitimate services for your company. There are several more analytics that can be run in combination to identify suspicious third parties, and some of the simplest look for duplicate or erroneous payments, all of which can lead to continuous improvement.

A key to moving from detection to prevention to continuous improvement is the frequency of review. It is common for organizations to periodically review a year or more of accounts payable invoices at one time for errors or overpayments. Changing this from a one-time annual or biennial event to something that is done daily or weekly dramatically improves the value of such controls. This more frequent, preventative analysis is integral to a foundation of third party management. While many companies perform periodic look-back audits, ongoing monitoring accomplishes the same queries on a daily or weekly basis. This allows organizations to find duplicate payments or overpayments after the invoice has been approved but prior to its disbursement. So instead of detecting a payment error three or six months after it is made, you prevent the money from leaving the company altogether.

Duplicate invoices are a favorite mechanism of fraudsters. Consider the following scenario: Invoice No. ABC-13 was paid for $10,597.95. Thirty days later the same vendor re-submitted the same invoice due to non-payment, but it was recorded by the payor organization without the hyphen between ABC and 13; consequently it was not detected by the system of payable controls. The problem is that the second invoice had slightly different writing on the face of it, but it was for the same services and hence was a duplicate invoice. On the company side, both invoices were scanned into the company’s imaging system and queued for payment. Data analysis can locate such overpayments and identify that a second payment should not be made because it matches one that had been previously approved.

Another analysis a compliance practitioner could run compares vendor name and other identifying information, for example address and country, from a watch list such as a Politically Exposed Persons (PEP) or Specially Designated Nationals (SDN) list against the names and other identifying information in your vendor file. An inquiry could also be used to test in other ways, such as whether a vendor has the same surname as a person on the specially designated national terrorist list or a politically exposed person.

Now suppose they share the same name as an elected official down in Brazil. How do we make sure that our vendor or broker is a different John Doe than the John Doe who is a politically exposed person in that country? It is only upon closer inspection that you can determine that the middle names are different, the ages are different, and one has an address in Brasilia while the other is in Sao Paulo. Without further inspection, including other demographic information about your vendors, consultants or third parties and comparing them to watch list individuals, such red flags are present but not cleared. That is what data analytics is designed to do: help you go from tens of thousands of “maybes” to a very small number of potential issues which need to be researched individually.

One of the important functions of any best practices compliance program is not only to follow the money but to try to spot where pots of money could be created to pay bribes. Through comparison of invoices for similar items among similar vendors, data analytics can uncover overcharges and fraudulent billings. Continual transaction monitoring and data analysis can prove their value through more frequent review, as individuals tend to perform better when they know they are being monitored.

The techniques used in transaction monitoring for suspicious invoices can be easily translated into data analysis for anti-corruption. Software allows a very large aggregation of suspicious payments not only by day or by month, but also by vendor or even by employee who may have keyed the invoices into your system. As these suspicious invoices begin to cluster by market, business unit or person a pattern forms which can be the basis of additional inquiry. That is the value of analytics. Analytics allows a compliance practitioner to sort and resort, combine and aggregate, so that patterns can be investigated more fully.

This final concept, of finding patterns that can be discerned through the aggregation of huge numbers of transactions, is the next step for compliance functions. Yet data analysis does far more than simply allow you to follow the money. It can be a part of your third party ongoing monitoring as well, by surfacing information on third parties who entered your company without proper compliance vetting. The opportunity for continuous improvement through a feedback loop is obvious and a clear step you should take going forward.
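As an added example (not code from the podcast, nor from any vendor's monitoring product), the Python below runs the two analyses described above over constructed accounts-payable and watch-list data: it normalizes invoice numbers so that “ABC-13” and “ABC13” collide, holds the second approved-but-unpaid copy before disbursement, and screens vendor names against a constructed PEP/SDN-style list, clearing name-only matches when middle name, city and birth year all contradict the hit. Every vendor, person and list entry here is constructed; the field names are assumptions about a vendor master file.

```python
"""Duplicate-invoice detection and watch-list screening over constructed
accounts-payable data. Added example; not the podcast's or any product's code."""
import re
import unicodedata

# Constructed AP queue, in submission order. INV-1 is the paid ABC-13 invoice
# from the scenario; INV-2 and INV-3 are the same invoice keyed differently.
INVOICES = [
    {"id": "INV-1", "invoice_no": "ABC-13", "vendor": "Acme Consultoria Ltda",
     "amount": 10597.95, "status": "paid"},
    {"id": "INV-2", "invoice_no": "ABC13", "vendor": "Acme Consultoria Ltda",
     "amount": 10597.95, "status": "approved"},
    {"id": "INV-3", "invoice_no": "abc 13", "vendor": "ACME CONSULTORIA LTDA",
     "amount": 10597.95, "status": "approved"},
    {"id": "INV-4", "invoice_no": "ABC-14", "vendor": "Acme Consultoria Ltda",
     "amount": 2500.00, "status": "approved"},
    {"id": "INV-5", "invoice_no": "ABC-13", "vendor": "Other Vendor SA",
     "amount": 10597.95, "status": "approved"},  # same number, different vendor
]


def normalize_key(text):
    """Fold case, strip accents and drop every non-alphanumeric character, so
    'ABC-13', 'abc 13' and 'ABC13' all reduce to the same key 'ABC13'."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^A-Z0-9]", "", folded.upper())


def find_duplicate_invoices(invoices):
    """Return (later_invoice_id, earlier_invoice_id) pairs for invoices that
    match an earlier one on normalized vendor, invoice number and amount and
    are still unpaid, i.e. can still be held before disbursement."""
    seen = {}
    flagged = []
    for inv in invoices:
        key = (normalize_key(inv["vendor"]), normalize_key(inv["invoice_no"]),
               round(inv["amount"], 2))
        if key in seen:
            if inv["status"] != "paid":
                flagged.append((inv["id"], seen[key]))
        else:
            seen[key] = inv["id"]  # first sighting wins; later copies refer to it
    return flagged


# Constructed watch-list entries (PEP/SDN style); not real persons.
WATCHLIST = [
    {"name": "John Carlos Doe", "city": "Brasilia", "birth_year": 1962, "list": "PEP"},
    {"name": "Maria Silva", "city": "Rio de Janeiro", "birth_year": 1975, "list": "SDN"},
]

# Constructed vendor master records (field names are an assumption).
VENDORS = [
    {"vendor_id": "V-100", "name": "John Michael Doe", "city": "Sao Paulo", "birth_year": 1980},
    {"vendor_id": "V-101", "name": "John Carlos Doe", "city": "Brasilia", "birth_year": 1962},
    {"vendor_id": "V-102", "name": "Ana Pereira", "city": "Recife", "birth_year": 1990},
]


def name_tokens(name):
    return [normalize_key(t) for t in name.split()]


def screen_vendor(vendor, watchlist):
    """Two-stage screening. Stage 1 (broad): first and last name match, which
    produces the 'maybes'. Stage 2 (narrow): compare middle name, city and
    birth year. No contradiction -> 'hit'; two or more contradicting fields
    -> 'cleared'; exactly one -> 'review' for a human analyst."""
    results = []
    v_tok = name_tokens(vendor["name"])
    for entry in watchlist:
        w_tok = name_tokens(entry["name"])
        if not (v_tok[0] == w_tok[0] and v_tok[-1] == w_tok[-1]):
            continue  # stage 1: not even a candidate
        differs = []
        if len(v_tok) > 2 and len(w_tok) > 2 and v_tok[1:-1] != w_tok[1:-1]:
            differs.append("middle name")
        if normalize_key(vendor["city"]) != normalize_key(entry["city"]):
            differs.append("city")
        if vendor["birth_year"] != entry["birth_year"]:
            differs.append("birth year")
        status = "hit" if not differs else ("cleared" if len(differs) >= 2 else "review")
        results.append({"vendor_id": vendor["vendor_id"], "list": entry["list"],
                        "status": status, "differs_on": differs})
    return results


def screen_all(vendors, watchlist):
    return [r for v in vendors for r in screen_vendor(v, watchlist)]


if __name__ == "__main__":
    for later, earlier in find_duplicate_invoices(INVOICES):
        print(f"HOLD {later}: duplicate of already-approved {earlier}")
    for r in screen_all(VENDORS, WATCHLIST):
        print(f"{r['vendor_id']} vs {r['list']} list: {r['status']} {r['differs_on']}")
```

Run daily over the approved-but-unpaid queue, the first function flags INV-2 and INV-3 while the money is still in the company; the screening pass reduces the two same-name vendors to one real hit.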

Three Key Takeaways

  1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
  2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
  3. Do not forget to check names against known PEP and SDN lists. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 7, 2017

Third parties still present the highest risk around FCPA compliance. It is therefore critical that you use monitoring and auditing when it comes to continuous improvement for this high-risk area. Today I want to consider three aspects of a company’s audit program for its compliance function: the types and purpose of third-party audits, planning for third-party audits and interviewing third parties.

Aug 1, 2017

Welcome to the August edition of One Month to More Effective Continuous Improvement. As you know, each month in 2017 I am presenting a series of podcasts on one topic which will allow you to create a more effective compliance program. This month I will discuss the techniques that create continuous improvement in your compliance program.

Under Hallmark Nine of the Ten Hallmarks of an Effective Compliance Program, as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs (Evaluation), which lists three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each category was further refined with multiple attendant questions.

You should keep track of external and internal events which may cause change to business processes, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company, i.e. a company reorganization or major acquisition. This type of review appears to be similar to the DOJ advocacy of ongoing risk assessments. The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, effective compliance programs, meaning those that do not simply exist on paper, but are operationalized will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.


The 2012 FCPA Guidance goes on to make clear that each company should assess and manage its risks. It specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and SEC consider when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges. 

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. 

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue. 

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

What should you do with this information? I would suggest that you have a strategic plan in place ready to implement your findings of continuous improvement, by using the following: 

  • Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan; the CCO should lead that review to determine how each goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. The “Keep it Simple Sir” or KISS method is the best way to move forward. This suggests that for each compliance goal there should be a simple and straightforward plan to ensure that the goal in question is being addressed.
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to each task. This requires the CCO or another senior compliance department representative to put these in place and then mandate a reporting requirement on how the assigned task is being achieved.
  • Schedule the Next Review of the Plan. There should be a regular review of the process. It allows any problems which may arise to be detected and corrected more quickly than if meetings are held on a less frequent basis.

It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan. 

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complementary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Jul 31, 2017

In this episode, I visit with Virginia Suveiu who counsels on legal risk management, regulatory compliance and public policy, as well as commercial and international law matters.

She is a subject matter expert on risk and developed the Legal Risk Management Specialized Studies Certificate Program for UCI Extension, where she teaches for that program as well as the Contract Management Certificate Program. She has published articles on a variety of business law matters, most recently for the National Contract Management Association’s Contract Management Magazine May 2015 issue, as well as for the National Center for State Courts and the Aerospace and Defense Forum, among others. 

There are a wide variety of risks that every corporation and compliance practitioner faces. These include regulatory risks, legal risks, reputational risks, safety risks, environmental risks, and many other types of risks. We consider whether there is one process or approach to take to the over-arching concept of risk management, or whether the approach needs to be fine-tuned by organization. We discuss the Legal Risk Management Specialized Studies Certificate Program, including what the program benefits are and who should attend. We explore the approach to teaching risk management. We discuss some of her current initiatives on the study and teaching of risk.

Jul 17, 2017

In this episode, I visit with Melanie Johnson, co-founder of Elite Online Publishing, which aids entrepreneurs, business leaders, and professional athletes to create, publish, and market their books, to build their business and brand. Melanie talks about her professional journey which led to this venture and how her career in broadcasting gave her a unique understanding for the world of online publishing. She discusses using your skills and passion to develop your own business. 

Jul 14, 2017

A gap analysis is a method of assessing the difference between how a business’s internal controls actually perform and how they are expected to perform, to determine whether business requirements are being met and, if not, what steps should be taken to ensure they are met successfully. Moreover, it is a determination of the degree of conformance of your organization to the requirements of an internal controls standard. A gap analysis is mainly a document review or a “show me the evidence” type of activity, where the evidence usually comes in the form of a record or document. During a gap analysis, some auditing is accomplished, through key stakeholders providing the evidence they may have (or may not have) for each of the requirements set forth in the relevant internal controls standard.

Gap analyses are very often conducted at the beginning of the journey of an organization seeking compliance with an internal controls standard, or they can be used as the basis for internal controls enhancement. Interestingly, this can lead to more or even fewer internal controls, as sometimes in the realm of internal controls, less is more. The primary reason a gap analysis is conducted at the beginning of the development phase, or after some development has occurred, is that the organization wants to know where it stands regarding meeting the relevant internal controls standard and wants to know specifically what it needs to do to close the gaps. Companies need to understand where their gaps in internal controls are located, how large those gaps might be, and what they need to do to close those holes and get closer to fully meeting the requirements of the chosen specification or standard.

Gap analysis is a technique that can be used to assess if an enterprise can meet its needs using its present capabilities. The capabilities that may be examined for improvement include staff competencies, facilities, applications, technical infrastructure, processes and lines of business; all with an eye towards (1) improving the compliance environment and (2) operationalizing compliance into the functional business units. 

Miriam Boudreaux posed the following, “Imagine a situation where you have been asked to improve the performance or efficiency of a particular unit of an organization. You have no clue whatsoever as to what set of factors is the real cause of the degraded performance you have been asked to improve. Identifying the gap between what is expected and what you are delivering, that is, the difference between the current state and the future state, is referred to as “Gap Analysis”.” 

She goes on to state that a “gap analysis can be defined in a number of ways, which more or less point towards the same meaning: 

  1. It is the process through which a company compares its current or actual performance to its expected performance to determine whether it is meeting its objectives and using its resources effectively.
  2. It is a technique that businesses use to determine what steps need to be taken in order to move from their current states to their desired future states.

From both definitions, it is evident that gap analysis is a technique that can help a business reach its peak eventually. By defining and analyzing gaps, a project team can create an action plan to move the business forward and fill performance gaps.” 

After the completion of the gap analysis there should be a report which presents a clear summary of where the major gaps exist between the company’s documentation and the internal controls requirements. It also should give a detailed account of each requirement and the degree of compliance, with the corresponding actions that need to be taken to close these gaps. Here lies a major difference between, for example, an audit report and a gap analysis report: the gap analysis report carries some inherent advice, which makes it suitable to be prepared by consultants or experts in the chosen specification or standard.

Another way to consider a gap analysis is the steps you should take. These include: 

  1. Accurately defining the future goals: If you are not clear about the organization’s goals, all your efforts will be in vain. The first and foremost thing to be done is to identify what exactly the goals of the business are and the changes needed to achieve these goals. If the goal is not clear, the improvement exercise will keep deviating from its desired path.
  2. Identifying the current scenario and associated issues: To reach the place you desire, you should first assess where you are located in your internal controls regime. For example, a failure to see the real reason behind the poor compliance performance of your business units may affect profit and growth in the long run. At this stage, the analyst may organize brainstorming sessions, employee interviews, and document review sessions to gain insight into present challenges. Only after a comprehensive definition of present challenges can one get a clear picture of the situation.
  3. Devising the action plan: Now that you know the present and future expectations, you can think of the “how” factor, which takes the form of a plan. How will you implement the action plan to close the identified gaps? The solutions may include several steps like hiring more employees, procuring extra machines and equipment, offering perks and incentives to get the best out of employees, and so on.
  4. Report: Finally, you will want to report your findings with the appropriate data and analysis presented. To do this, you may wish to use our gap analysis report template. In your report, you will include things like the background of the company and analysis, problems that have occurred, and even reasons for undertaking the analysis. Then, you will present your findings, showing the strategic objectives, current standing, deficiencies, and whether the current situation is acceptable. If the situation is unacceptable, you will present a course of action for improvement. Finally, all your analysis will be backed up with the data gathered during the analysis.

Three Key Takeaways

  1. Be prepared to require evidence from key stakeholders.
  2. Use a multistage approach to a gap analysis.
  3. To get to where you want to be, you have to know where you are.

For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

Jun 26, 2017

In this episode, I visit with James Gellert, CEO of RapidRatings, a company which uses a financial dialogue to determine third party supplier health and viability. Gellert explains what supply chain resilience is and how examining the financial health of your suppliers can lead to a more financially efficient supply chain. We then discuss the company’s third party risk management tools. We consider how a company might evaluate a potential purchaser, partner or someone buying a part of a business. Finally, we have a lengthy discussion of how a corporate compliance function can use the health of a third party as a tool to determine third party compliance risk.

For more information on RapidRatings, check out their website by clicking here.

Jun 12, 2017

In the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation), Prong 7, Confidential Reporting and Investigation, asks the following under “Properly Scoped Investigation by Qualified Personnel”: How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? These questions were clearly presaged by the DOJ’s Yates Memo and the Foreign Corrupt Practices Act (FCPA) Pilot Program. The pressure on every Chief Compliance Officer (CCO), and indeed every company, to get an investigation done quickly, efficiently and, most importantly, done right is even greater now.

Jonathan Marks, a partner at Marcum LLP and a well-known internal investigation expert, gave some of his thoughts around what goes into a well-run investigation. Marks began by cautioning that any CCO must be cognizant of the strictures laid out in the Evaluation. It all begins with who in-house is looking at the complaint and does the CCO, compliance practitioner or legal team have the skills and capabilities to handle the matter which has arisen? Obviously if there are esoteric accounting issues or significant internal control work-arounds and overrides, a CCO may not have those skills to really understand all the issues. Similarly, if the matter is a global FCPA or equivalent bribery and corruption matter, Marks related, these “come in different flavors, and because they come in different flavors you may not have the skills or capabilities to do an investigation that would take place in say Brazil or Russia or China or India.” 

All of this ties into how the government will view an investigation, particularly if the company does not have the skills and capabilities necessary to analyze the allegation, or if the allegation of fraud is serious enough that they believe an independent investigation, rather than an internal investigation, really needs to be done. Moreover, if the allegations or the investigation are going to be subject to regulatory scrutiny, one of the benefits of having somebody come in from the outside is that there is independence, skepticism, and the ability to work through things in a way you could not with an internal investigation where internal audit might be involved. Marks concluded by noting, “from an outsider’s perspective looking in, there is more credibility of having somebody come to conduct your investigation.”

Marks believes the first thing that any investigator must do is understand the business environment and the extended business enterprise. He further stated, “what I mean is really understand the business you’re dealing with, the industry that it’s in, the potential risks, the pressures and motivations that might be at play here. Understanding that generally with most frauds there is some pressure to do something because of something else and there are some motivations.” Such an initial understanding can help you formulate a comprehension of the internal controls that might be in place or that were lacking that could either have not been designed properly or overridden.

The next step is to quickly and thoroughly analyze the initial underlying facts and circumstances when it comes to the issue or the issues at hand. For Marks, the number one issue is the credibility of the complaint, which is more than simply the credibility of the complainant. Marks said it was important to understand how the allegations of wrongdoing came to light and the seriousness of the issues involved. He went on to note that his initial inquiry would include such questions as, “What are people saying happened or what is an individual saying that happened? You know the background of the complaint, if known. How long have they been with the organization? Are they credible? Have they complained before? If in fact this was either a whistle blower or a tip.”           

At this early assessment, Marks believes you should also consider the possible legal and financial impact of the allegations. If you determine it is serious at this early juncture, you should always consider your internal crisis management team and if your organization does not have one, you should consider retaining such an expert. Marks explained, “Crisis management doesn’t necessarily mean that a crisis happened, it means that if in fact we are in crisis mode, how does that impact the company? So, thinking about those issues and then knowing what to do, if in fact you are in a crisis mode, I think is ultra-critical.” He went on to add, “I think crisis management is totally underplayed. I think that many organizations don’t have an appropriate crisis management plan. If something bad does happen, a lot of times I see organizations that are struggling to kind of put the pieces together.” 

Marks also noted that both communication and collaboration are critical even at this early stage. He advocated that the company ask a series of questions such as what issues are “on the table” and who is impacted by these issues within the company; is it the company auditors or some other corporate function? He also advocated considering third parties and contracted entities in this calculus by inquiring whether key suppliers were impacted by the investigation. On the one hand, is there “a key supplier that might get wind of this and might not want to do business with us anymore?” Yet, conversely, such a key supplier could be a sole source supplier, so you may need to think about alternative arrangements. You should begin to consider these issues early on and continue to think about them as you are going through and doing an investigation.

Document preservation is always a critical issue and Marks believes this is one which government regulators will pay particular attention to both at this initial phase and throughout the investigation. You need to take steps to ensure all data is locked down. This means getting into the weeds on such issues as where are all your company’s servers located; what is your back-up situation; do you have hand-held devices secured and are the organization’s instant and text messaging tied down. If you do not take such steps you could well find yourself in a situation where either information is lost or there's a possibility or suspicion that information is lost. Unfortunately, that is the situation that leads to a prosecutor’s imagination going wild. Basically, you need to have the information locked down so that if the government wants to come in and perform an independent review or test your hypothesis, you can provide them with the required information. 

Three Key Takeaways

  1. Always remember your ultimate audience may be the government.
  2. You must understand both the business environment and extended business enterprise.
  3. Communication and collaboration in any investigation are critical so you should begin early and continue to do so throughout the investigation.

Jun 8, 2017

The dog days of summer are on the horizon and the Houston Astros lead the major leagues in winning percentage. Coincidence that the US pulls out of the Paris Climate Accords the same week the Astros are playing .700 baseball? The top four commentators in compliance return to talk about what is on their summer radar for consideration. This episode concludes with the panelists’ rants.

  1. Matt Kelly opens with a discussion of the revisions to the COSO ERM Framework, which were based on comments by practitioners. Matt considers the integration of the COSO ERM Framework into functional business units, moving to operationalize ERM in organizations, and we consider how the ERM Framework differs from yet is complementary to the COSO Internal Controls Framework.

For Matt Kelly’s posts on the COSO ERM Framework, see the following:

More Details on COSO ERM Framework

Update to COSO ERM Framework Update

ERM Framework: Govt. Calls for Unity

More Clues on Draft ERM Framework

Draft ERM Framework is Here: How to Get Started 

  2. Mike Volkov examines the FinCEN enforcement action involving Thomas Haider, the former CCO at MoneyGram. Mike considers the implications for CCOs and whether the case even matters for CCOs.

For Mike Volkov’s post on the Haider enforcement action, see the following:

MoneyGram CCO Pays Civil Penalty

  3. Jonathan Armstrong reviews the recently released information that both Wood Group and AMEC are under SFO investigation in connection with Unaoil. He explores some of the following questions: What should companies be doing around Unaoil? What happens if you discover a merger candidate is under investigation or, as in the case of AMEC, has self-disclosed that it is under investigation? What does it mean if the acquiring entity rather than the target is under investigation? Finally, Armstrong handicaps the upcoming UK election and what it might mean for compliance.

For Cordery Compliance's Client Alert see the following: 

Bribery Due Diligence

  4. Jay Rosen brings his Mr. Monitorship hat and former Mr. Translations eye to the question of operationalizing your compliance program. He considers how the compliance function can work with other corporate functions to embed compliance into the fabric of an organization, concluding that by doing so a compliance function could become a competitive advantage for a business.

For Jay Rosen’s posts see the following: 

Compliance as a Competitive Advantage

For Tom Fox’s posts on operationalization of compliance see the following: 

Operationalizing Compliance, starting with Pizza

Operationalizing Compliance by Overcoming Obstacles

Operationalizing Compliance through Human Resources

Operationalizing Compliance through the Controller’s Office

Operationalizing Compliance through Internal Audit

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

Jun 5, 2017

In this episode, I visit with Robyn Bew, the Director of Strategic Content Development for the National Association of Corporate Directors (NACD) and Henry Stoever, the Chief Marketing Officer for the NACD. They discuss what is the NACD, who are its members and why directors or those desiring to be directors should join. We review some of the highlights from the 2017 NACD Directors Compensation Reports, the types of trainings offered by the NACD and the NACD’s advocacy for the director profession. You can find out more about the NACD by checking out their website, NACDonline.org.

May 10, 2017

In this episode, Roy Snell and I discuss the following:

  • Measuring the effectiveness of your compliance program three ways;
  • Why Roy thinks the CO shouldn’t chair the compliance committee – but maybe the general counsel should;
  • Who I think should chair the compliance committee;
  • Why you should prove your point 5 different ways instead of just 1;
  • Brexit: Keep Calm and Do Compliance; and
  • How Compliance transcends politics.

Apr 20, 2017

When was the last time you considered the health of your company’s third party management program? A good way to test that well-being is to perform a check-up on your third party program. An article entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally” provided a manner for the compliance practitioner to test an “organization’s health status concerning your relationship to your third parties.” The article provided seven points that you can consider in a self-assessment:

  1. Do you have a list or database of all your third parties and their information? Does your company have a full list of all third parties including such basic information as name, location, type of services provided, contract files and dates, principals of the third party and primary contact, due diligence files and any other information you might need to manage the third party relationship going forward? When was the last time this list was checked or updated?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk? You need to check and double-check which third party services present the greatest risk to your company by asking some of the following questions: (a) Is the third party’s service critical to your business? (b) Is the third party’s service performed with little company supervision or oversight? (c) Does the third party have access to any company funds, resources or assets? (d) Can the third party fund the company contractually? (e) Does the third party obtain any foreign governmental licenses, certifications or other approvals for your company? When was the last time you asked these questions of the Business Sponsor or Relationship Manager?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment? You should use the information determined through the risk assessment to “tailor the level of diligence to the level of risk.” Assign a risk profile to categories, such as high, medium and low. The higher the risk, the more due diligence will be required to vet the third party. Do you receive updated due diligence reports on a quarterly, semi-annual or annual basis?
  4. Once the risk categories have been determined, create a written due diligence process. Obviously you need to have a written policy and defined procedures to implement your due diligence policy. However, when was the last time it was reviewed or updated? What happens if you, the compliance professional, are hit by a bus on the way to work? Would a substitute know what to do, or would there be a written reference for your replacement? You should consider the following: (a) who is responsible for implementation; (b) a list of red flags and how such red flags are to be dealt with and cleared; (c) a procedure to pay for any due diligence performed; (d) reference checks on third parties; (e) procedures for in-person interviews for third parties in a high risk category; (f) conflicts of interest checks; and (g) a process for documentation and storage of all of the above information.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations? When was the last time you considered your compliance terms and conditions or reviewed all of your third party contracts to ascertain if they include compliance terms and conditions: (a) anti-corruption and anti-bribery certification; (b) requirement that the third party maintain accurate books and records and that your company has audit rights; (c) indemnity rights; (d) anti-corruption and anti-bribery training for the third party’s employees; (e) an anonymous reporting mechanism for ethics complaints; (f) require the third party to obtain pre-approval to subcontract out any of its work for your company; (g) require the third party to report any ownership change back to your company, and lastly (h) clear termination rights.
  6. Relationship Managers. Just as your company would never have an employee who is not supervised, your company should not have a third party which does not have company oversight. Do you rotate Relationship Managers? What training has the compliance function provided to them as the company’s point of contact for third parties?
  7. Red flags review. When was the last time you checked on your third parties for any new red flags which may have arisen after the initial due diligence was performed or completed? At what interval do you update or renew your due diligence? How about a change from the company side regarding sales, sales practices, products or services which might become high-risk?
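Points 2, 3 and 7 of the checklist above describe a procedure (ask the five risk questions, assign a high/medium/low tier, scale due diligence to the tier, and re-check on a schedule) that a compliance or supply-chain security team can encode so the third party database answers the “when was the last time” questions itself. The following is an added example written for this page, not code from the article, its author or any vendor; the third parties, the scoring weights, the diligence steps per tier and the refresh intervals (quarterly, semi-annual, annual) are constructed assumptions that a real program would replace with its own risk assessment.

```python
"""Third-party risk tiering and stale-diligence check over constructed records (example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class ThirdParty:
    name: str
    country: str
    critical_service: bool         # (a) is the service critical to the business?
    unsupervised: bool             # (b) performed with little company oversight?
    access_to_assets: bool         # (c) access to company funds, resources or assets?
    funds_company: bool            # (d) can it fund the company contractually?
    obtains_gov_approvals: bool    # (e) obtains government licenses/approvals for us?
    last_due_diligence: Optional[date]
    red_flags: list[str] = field(default_factory=list)


# Constructed sample database (hypothetical names and dates).
SAMPLE_THIRD_PARTIES = [
    ThirdParty("Jakarta Customs Agent", "ID", True, True, False, False, True, date(2016, 11, 1)),
    ThirdParty("Regional Distributor", "BR", True, False, True, False, False, date(2017, 2, 15)),
    ThirdParty("Office Cleaning Co.", "US", False, False, False, False, False, None),
    ThirdParty("Freight Forwarder", "NG", False, True, False, False, False, date(2017, 4, 1)),
]

# Assumed weights: government touchpoints carry the most anti-bribery exposure.
WEIGHTS = {
    "critical_service": 1,
    "unsupervised": 2,
    "access_to_assets": 2,
    "funds_company": 1,
    "obtains_gov_approvals": 3,
}

# Assumed refresh cadence per tier, matching the quarterly / semi-annual / annual options.
REFRESH_DAYS = {"high": 90, "medium": 182, "low": 365}


def risk_score(tp: ThirdParty) -> int:
    """Sum the weights of every 'yes' answer to questions (a) through (e)."""
    return sum(w for attr, w in WEIGHTS.items() if getattr(tp, attr))


def risk_tier(tp: ThirdParty) -> str:
    """Map the score to a tier; any government-facing third party is high by definition."""
    score = risk_score(tp)
    if tp.obtains_gov_approvals or score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def diligence_requirements(tier: str) -> list[str]:
    """Scale the written due diligence steps to the tier ('tailor diligence to risk')."""
    steps = ["policy owner assigned", "red-flag screening", "reference checks", "documentation stored"]
    if tier in ("medium", "high"):
        steps.append("conflict-of-interest check")
    if tier == "high":
        steps.append("in-person interview")
    return steps


def overdue_reviews(parties: list[ThirdParty], today: date) -> list[str]:
    """Names whose due diligence is missing or older than their tier's refresh interval."""
    overdue = []
    for tp in parties:
        limit = REFRESH_DAYS[risk_tier(tp)]
        never_vetted = tp.last_due_diligence is None
        if never_vetted or (today - tp.last_due_diligence).days > limit:
            overdue.append(tp.name)
    return overdue


if __name__ == "__main__":
    for tp in SAMPLE_THIRD_PARTIES:
        print(f"{tp.name:24} score={risk_score(tp)} tier={risk_tier(tp)}")
    print("overdue as of 2017-04-20:", overdue_reviews(SAMPLE_THIRD_PARTIES, date(2017, 4, 20)))
```

Note the deliberate rule in `risk_tier`: a third party that obtains government approvals on the company's behalf is high risk regardless of its score, because that is the relationship where FCPA exposure concentrates; a never-vetted third party is always reported as overdue, even in the low tier.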

Many companies understand the maxim “Know Your Customer (KYC)”; nevertheless, in today’s global economy this maxim may well need to be expanded to “Know Your Third Party”. The bottom line is that there is no way around it when it comes to third party risk management and third party compliance efforts. A good place to start is with a third party program checkup.

Three Key Takeaways

  1. What is the health of your third party risk management program?
  2. When was the last time you reviewed and updated your third party database list?
  3. Expand your KYC thinking to Know Your Third Party.

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.
