Info

FCPA Compliance Report

Tom Fox has practiced law in Houston for 30 years and now brings you the FCPA Compliance and Ethics Report. Learn the latest in anti-corruption and anti-bribery compliance and international transaction issues, as well as business solutions to compliance problems.
RSS Feed Subscribe in Apple Podcasts
FCPA Compliance Report
2019
May


2018
November
October
September
August
July
June
May
April
March
February
January


2017
December
November
October
September
August
July
June
May
April
March
February
January


2016
December
November
October
September
August
March
February


2015
December


Categories

All Episodes
Archives
Categories
Now displaying: 2017
Sep 18, 2017

To my mind the most significant and important book that every Chief Compliance Officer (CCO), General Counsel (GC) and compliance practitioner needs to read is The Chickenshit Club by Pulitzer Prize winning author Jesse Eisinger. It puts together for the first time, the story and timeline of how the Justice Department (DOJ) devolved from the group of prosecutors who convicted felons from the late 90s and early 00s financial scandal such as Enron and WorldCom, to the group which did not even bother to attempt to prosecute high ranking executives after the 2008 financial meltdown.

In this episode, I interview with book author, Jesse Eisinger and Paul Pelletier, a key source for the book. The interview is fascinating and I urge you to take a listen for both the substance and the interplay between Eisinger and Pelletier. We discuss the genesis of the book, what happened between Enron and 2008 which led to no prosecutions and conclude with both Eisinger and Pelletier's proposals to get the DOJ back on track as the nation's trial lawyers. 

For the Everything Compliance podcast recording reviewing The Chickenshit Club, click here.

Finally and most importantly, to purchase a copy of The Chickenshit Club, click here.

Sep 15, 2017

Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including: 

  1. Equifax continues to be in the news. Ben DiPietro reports from the compliance perspective in two articles from the WSJ Risk & Compliance Journal, see here and here.
  2. Julie DiMauro interviews Philip Urofsky on the US commitment to enforcing the FCPA. See her article in the FCPA Blog.
  3. A new scorecard is out on the amounts of money paid as bribes by the Brazilian construction company, Odebrecht. See article by Dick Cassin the FCPA Blog.
  4. On the intersection of Uber and Hell. See article by Tom Fox in Compliance Week (sub req’d).
  5. Sushi and money-laundering. The increasing intersection of AML and anti-corruption compliance. Sam Rubenfeld reports in the WSJ Risk & Compliance Journal.
  6. Matt Kelly joins us for an emergency rant and to announce the birth of the latest addition to the Kelly Clan.
  7. Want to be a Kleptocrat? The Mintz Group has developed an app “Kleptocrat” available in the Apple app store. Sam Rubenfeld reports in the WSJ Risk & Compliance Journal.
  8. Cleveland Indians set the AL mark for consecutive wins, now go for the MLB record.
  9. Is Thursday night football dead? It might be after the Texans deliver one of the ugliest wins ever on the Thursday night national stage.
  10. This month’s podcast series on One Month to a More Effective Compliance Program is in full production. In September, I am reviewing innovations for your compliance program. This week’s topics include embracing in your agile compliance program, design thinking in compliance, how Kaizen can improve your compliance program, disruption in compliance and superforecasting to better risk management. Oversight Systems is this month’s sponsor. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  11. The Jay Rosen weekend report preview-story telling in compliance.
Sep 15, 2017

Next we consider superforecasting and its use by a compliance function. Imagine that as a Chief Compliance Officer (CCO), you could create a team which might well dramatically improve your company’s compliance and risk forecasting ability, but to do so you would be required to expose just how unreliable the professional corporate forecasters have been? Could you do so and, more importantly, would you do so? Most generally this is the predictive capability that organizations have used. However, the new “superforecasting” movement, led by Philip E. Tetlock and others, has been gaining strength to help improve this capability. 

The concepts around superforecasting came of age after the intelligence failures leading up to the Iraq War. This led to the founding of the Good Judgment Project, which had as key component a multi-year predictive tournament, which was a series of gaming exercises pitting amateurs against professional intelligence analysts. The results of the Good Judgment Project was presented in a recent Harvard Business Review (HBR) article, by Tetlock and Paul J. H. Schoemaker, entitled “Superforecasting: How to Upgrade Your Company’s Judgment”. The authors had three general observations. First “talented generalists can outperform specialists in making forecasts.” Second, “carefully crafted training can enhance predictive acumen.” Third, “well-run teams can outperform individuals.” 

To move to superforecasting, the authors laid out four precepts. The first is to find the sweet spot, which is somewhere between predictions that are “entirely straight-forward or seemingly impossible.” They note the sweet spot “that companies should focus on is forecasts for which some data, logic, and analysis can be used but seasoned judgment and careful questioning also play key roles. Predicting the commercial potential of drugs in clinical trials requires scientific expertise as well as business judgment.” I find the same to be true in compliance where “Assessors of acquisition candidates draw on formal scoring models, but they must also gauge intangibles such as cultural fit, the chemistry among leaders, and the likelihood that anticipated synergies will actually materialize.” 

Next is to train for good judgment. This requires employees to learn the basics in such techniques as probability concepts, the definition of what is to be predicted and an understanding of numerical probabilities. As cognitive biases are widely know to skew judgment, companies need to raise awareness for this issue to arise. Finally, training to understand the psychology behind such biases narrowed predictive domains. 

Next is to build the right kind of teams. The initial thing to realize is the importance of the composition of the team. The authors found that “cautious, humble, open-minded, analytical - and good with numbers. In assembling teams, companies should look for natural forecasters who show an alertness to bias, a knack for sound reasoning, and a respect for data.” Equally critical is that the “forecasting teams be intellectually diverse. At least one member should have domain expertise (a finance professional on a budget forecasting team, for example), but nonexperts are essential too - particularly ones who won’t shy away from challenging the presumed experts. Don’t underestimate these generalists.” Clearly your compliance superforecasting team should draw from the diversity within your organization not only in discipline but in temperament as well. 

After the composition is considered, the authors move to “diverging, evaluating and converging.” The authors suggest “a successful team needs to manage three phases well: a diverging phase, in which the issue, assumptions, and approaches to finding an answer are explored from multiple angles; an evaluating phase, which includes time for productive disagreement; and a converging phase, when the team settles on a prediction. In each of these phases, learning and progress are fastest when questions are focused and feedback is frequent.” 

The final component of composition is trust as there must be trust among your team members to facilitate good outcomes. This might also be understood that if the superforecasters demonstrate the errors or miscalculations of others in the group, not only will they be protected by senior management but their work will be defended. The authors note, “Few things chill a forecasting team faster than a sense that its conclusions could threaten the team itself.” 

You then have to “track performance and give feedback” as the authors believe that it is essential to track the prediction outcomes and provide timely feedback to improve forecasting going forward. This also has the added benefit of providing an audit trail so that a company can learn from both the good and bad predictions. This leads to the authors’ next insight, which, in the process, is critical. 

Such a feedback loop in the compliance sphere could lead to some of the following questions being posed: What information might others have that you don’t that might affect the compliance risk? What cognitive traps might skew your judgment on this transaction or risk? Why do you believe the company can safely navigate this compliance risk? 

Answers to these and other questions can provide insight into not only specific predictions but also the process by which a team moved forward so that it can be replicated, in the future through an audit trail. [Think Document Document Document.] Also, “Well-run audits can reveal post facto whether forecasters coalesced around a bad anchor, framed the problem poorly, overlooked an important insight, or failed to engage (or even muzzled) team members with dissenting views. Likewise, they can highlight the process steps that led to good forecasts and thereby provide other teams with best practices for improving predictions.” 

Like any innovation, there must be a commitment from senior management on moving forward. There must be data available both internally and research conducted externally with auditable trails on judgments, underlying assumption and data sources. The keys to success include frequent, precise predictions and measuring accuracy of predictions for comparison with real-world events. Nevertheless, such an exercise might well be exactly what a compliance function should do going forward. It might give the company enough information to take such a seemingly risky business move, when the prediction shows the risk was lower than the ‘experts’ said. Yet the authors end on this note, “But companies will capture this advantage only if respected leaders champion the effort, by broadcasting an openness to trial and error, a willingness to ruffle feathers, and a readiness to expose “what we know that ain’t so” in order to hone the firm’s predictive edge.” 

Three Key Takeaways

  1. Imagine you could create a team which might well dramatically improve your company’s compliance and risk forecasting ability.
  2. It is essential to track the prediction outcomes and provide timely feedback to improve forecasting going forward.
  3. Like any innovation, there must be a commitment from management on moving forward.

 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 14, 2017

One of the key things the Department of Justice (DOJ) has consistently communicated is the importance of operationalizing rather than having a paper compliance program in place. The Department of Justice’s Evaluation of Corporate Compliance Programs (Evaluation) made clear that to receive credit in any Foreign Corrupt Practices Act (FCPA) enforcement action, you must fully operationalize your compliance program in the remediation phase. 

All of this was driven home to me in an article I read in the Harvard Business Review (HBR), entitled “Disruptive Innovation?”, by Clayton M. Christensen, Michael E. Raynor and Rory McDonald. The authors were concerned that many of the commentary around the phrase ‘disruptive innovation’ were “in danger of losing their usefulness because they’ve become misunderstood and misapplied.” To answer this critique, the authors revisited the central tenets to the theory and how it had developed over the past 20 years. In doing so they detailed three key elements of disruption theory, which I have adapted to the compliance context. 

The first is that compliance is a process. While this may seem as about the most self-evident statement one can make, as late as last week, I was contacted by someone who wanted an ‘off the shelf’ compliance package. They wanted me to do a couple of interviews of senior management and they put in some canned software program so they could claim they had a compliance program. 

This attitude demonstrates the continuing battle the DOJ and Securities and Exchange Commission (SEC) face when communicating their expectations around compliance programs. Compliance programs should evolve as business risks change. Just as disruptive innovation tends to focus on process, your compliance program should focus on your overall business process to be successful. 

The second key point is that Compliance 3.0 is very different from compliance programs of the past decade. As compliance programs have matured and the structural changes brought about in the Compliance 2.0 model, as articulated by Donna Boehme and others, we have now moved on to Compliance 3.0 where compliance is put into the fabric of an organization. The compliance function is moving from a solutions shop where all compliance functions are centered in the legal or compliance department to a process function where the front line business team can use technology and other tools to operationalize compliance. DOJ Compliance Counsel spoke to this concept in her recent remarks around how well a company would operationalize compliance by incorporating the business functions inputting to compliance around appropriate internal controls. The authors point to new business models as disruptive and I think this concept translates into how compliance can be burned into the DNA of an organization rather than simply sitting in the corporate headquarters in the US. 

The third point is that not all disruptive innovations succeed. Here the authors write that disruption is only one step in both the creative and growth process. Throughout their article, they discuss Uber in the context of a disruptive business. However, Uber uses the smart phone platform, coupled with a superior rider experience as a part of its business model. For the compliance practitioner, I think the key concept is what SCCE President Roy Snell says are the three goals of any compliance program; to prevent, find and fix issues. You could also plug in here McNulty’s Maxims (What did you do to prevent it? What did you do to detect it? What did you do after you found out about it?). 

This is why any successful compliance program should have multiple levels of oversight built into it. If something does slip through, a level of oversight should be in place to review it and hopefully prevent it. Consider the BHP Billiton’s FCPA enforcement action. It involved gifts, travel and entertainment around the 2008 Beijing Olympics. The issue was not that foreign officials were feted at the event. The issue that got the company into trouble was that they did not perform proper oversight over their carefully crafted program. A similar issue was seen in the Lily FCPA enforcement action where charitable donations were approved by an oversight committee without any substantive review and distributor commission rates were approved outside the standard range without appropriate review. 

Disruption innovation has come to the compliance arena. One of the best examples is Louis Sapirman, the Chief Compliance Officer (CCO) at Dun & Bradstreet, who has incorporated not only social media tools but also the concepts of two-way communications into his company’s compliance program. Another is the use of your own company’s data to facilitate a straight line of sight by a CCO or compliance practitioner into transactions needing more detailed reviews from the compliance perspective. 

As many compliance practitioners are lawyers, we are naturally reticent to embrace such change. However, I think the pronouncements of the DOJ this year have made it even clearer of the need for continued evolution of anti-corruption compliance going forward. Disruptive innovation can be one of the techniques to get your compliance program to that desired location. 

Three Key Takeaways

  1. Compliance programs should evolve as business risks change.
  2. Compliance has moved to the front lines of a business.
  3. Disruptive innovation is only one step in both the creative and growth process. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 14, 2017

The top compliance roundtable podcast is back with a wealth of new topics. Stayed tuned to the end where there are some great rants in this edition. 

  1. Jonathan Armstrong considers the UK government’s response to GDPR. Jonathan rants about idiots on social media. 

For the Cordery Compliance client alert and podcast on the topic see the following: 

UK Government publishes GDPR intentions

 GDPR Intentions with New Criminal Offenses Published by UK Government

Jay Rosen brings a detailed discussion of voluntary monitoring and contrasts it with the ISO 37001 standard. Jay rants on the Patriots lose in their season opener. 

For Jay Rosen’s posts see the following: 

Mayweather, Jr. vs. McGregor; Balboa vs. Creed and ISO-37001 vs. Voluntary Monitoring

The members of the Everything Compliance panel include:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
Sep 13, 2017

Design thinking is another innovation which can help the Chief Compliance Officer (CCO) move forward in a cutting-edge manner to make a compliance program not only more robust but also operationalize it into the fabric of the company. Such a mechanism would help to drive compliance into the operational nature of a company, which is where the latest pronouncement from the Department of Justice (DOJ), in their Evaluation of Corporate Compliance Program suggest a company should take their compliance regime. 

Design Thinking can bring innovation in a number of ways to your compliance program. Jon Kolko discussed this innovation in a Harvard Business Review (HBR) article entitled “Design Thinking Comes of Age. Kolko’s insight that, “the approach, once used primarily in product design, is now infusing corporate culture” is one that any CCO or compliance practitioner can use in redesigning your compliance program for your internal customers, i.e. your employees and third parties that may fall under your compliance program. All of these groups have a user experience in doing compliance that may be complex and interactive. You need to design a compliance infrastructure to the way people work so that doing compliance becomes burned into the DNA of a workforce. 

The first component of design thinking is to focus on the users’ experience with compliance. Kolko stated that designers need to focus on the “emotional experience” of the users; he explained that this concerns the “(… desires, aspirations, engagement, and experience) to describe products and users. Team members discuss the emotional resonance of a value proposition as much as they discuss utility and product requirements.” For the compliance function, this could be centered on the touch points the employee base has with the compliance function and that this should be “designed around the users’ needs rather internal operating efficiencies.” 

The next step is to create something design thinkers use called “design artifacts”. While this is usually thought of as a physical item they can also be “spreadsheets, specifications, and other documents that have come to define the traditional organizational environment.” Their use is critical because “They add a fluid dimension to the exploration of complexity, allowing for nonlinear thought when tackling nonlinear problems.” Whatever the compliance practitioner may use, Kolko said, “design models are tools for understanding. They present alternative ways of looking at a problem.” 

The next step is to “develop prototypes to explore potential solutions.” In others words, build a part of your system and test it from the users’ perspective. Here the author quoted innovation expert Michael Schrage for the following, “Prototyping is probably the single most pragmatic behavior the innovative firm can practice.” I think this is because “the act of prototyping can transform an idea into something truly valuable” through use, interaction and testing. Simply put, prototyping is seen as a better way to communicate ideas and obtain feedback.

 

While it may initially sound antithetical to the CCO or compliance practitioner, a key component for design thinking is a tolerance for failure. I realize that initially it may appear that you cannot have failure in your compliance program but when you consider that design thinking is an iterative process it becomes more palatable. Kolko quoted Greg Petroff, the chief experience officer at GE software, about how this process works at GE, “GE is moving away from a model of exhaustive product requirements”, adding “Teams learn what to do in the process of doing it, iterating, and pivoting.” 

However design thinkers must “exhibit thoughtful restraint” when moving forward so that they can have deliberate decisions about what processes should not do. This means that if a compliance process is too complicated or requires too many steps for the business unit employee to successful navigate, you may need to pull it back. I like the manner in which Kolko ends this section by stating that sometimes you lead with “constrained focus.” 

Kolko ended his article by noting three challenges he sees in implementing design thinking, which I believe apply directly to the CCO or compliance practitioner. First is that there must be a willingness to accept more ambiguity, particularly in the immediate expectation, for a monetary return on investment. A more functional or better compliance system design may not immediately yield some type of cost savings but it may be baked into the overall compliance experience. Second, a company must be willing to embrace the risk that comes from transformation. There is no way to guarantee the outcome so the company leaders need to be willing to allow the compliance function to take some chances in directions not previously gone. Third is the resetting of expectations as design does not solve problems but rather “cuts through complexity” to deliver a better overall compliance experience. This in turn will make the company a better-run organization. 

Kuldeep Singh, writing in the SCCE magazine Compliance and Ethics, in an article entitled “Design Thinking: Creating an ethics-based compliance governance solution”, helped to put some flesh on these concepts. I found a key insight from Singh was that rather than simply concluding that violations of anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) were engaged in by bad actors, it is rather good people doing bad things such as engaging in bribery and corruption. 

Using design thinking to improve your compliance regime by building from the ground up rather than a legalistic top-down approach favored by most lawyers. For Singh, it all starts with the employees, not simply the problem. So you begin by asking questions, lots of questions. From this point he suggests that you formulate the proposed solution as a “problem statement”. 

From this point, you are ready to begin brainstorming to come up with some solutions. There are four steps Singh lays out. First is to “state the problem to be solved with enough clarity of specificity.” The second is to “identify the objectives of the problem solution.” The third step is to “generate alternative solutions and create a list of alternatives prior to having a group discussion.” And finally, you end with collectively generating alternative solutions. 

The final step is to test the proposed solutions, or as Singh puts it “test, test, prototype and test again.” The key is to avoid prejudgments so he advises to “let the tester interpret the prototype” and obtain their feedback. It is incumbent to iterate through the process multiple times, which allows you to narrow the scope of the solution and to “move from working on broad concepts to nuanced details.” 

Singh puts this design thinking protocol to use to help create a more effective ethics and compliance training model. He uses employees to provide the initial input to improve its effectiveness and relevance to the front line employees. The compliance team then implements several proposed solutions until the most operative one or ones becomes apparent. These are then rolled out companywide for better and more effective compliance training. As the entire process is documented, when the regulators, such as the DOJ or Securities and Exchange Commission (SEC), come knocking, you will have the ability to not only explain your training but also demonstrate its effectiveness. 

Three Key Takeaways

  1. Design thinking concepts are not simply for product innovation but for culture innovation as well.
  2. Design thinking works around the users’ needs rather internal operating efficiencies. For a compliance program, this means employees, third parties and customers.
  3. Design thinking works to improve your compliance regime by building from the ground up rather than a legalistic top-down approach.

 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 12, 2017

I believe one of the most significant innovations in compliance will come through the incorporation of blockchain into compliance. I see great value propositions for the compliance function. Mike Volkov has noted, “The key to blockchain is creating a secure environment among multiple actors in which the actors can record events and transactions in real time in shared ledgers. These ledgers are immutable, meaning they cannot be modified, and secure from potential hacking or modification. Blockchain users can receive real-time reports of activities without having to rely on post hoc reports. As a consequence, a specific user can flag potential red flags early, almost in real time, when events occur based on specific settings they establish for monitoring blockchain events.” 

A more detailed exploration of the use of blockchain was presented in an article in the MIT Sloan Management Review, entitled “How Blockchain Will Change Organizations, where authors Don Tapscott and Alex Tapscott speculate that the transformations which blockchain may facilitate in the corporate world could lead to some truly revolutionary modifications in key businesses processes. 

How could blockchain have such a dramatic impact on compliance? First is the explanation of what blockchain might mean as a tool in business process. The authors explained that in a business transaction, you cannot email money as you can a document so a company must “use intermediaries to establish trust and maintain integrity. Banks, governments, and in some cases big technology companies have the ability to confirm identities so that we can transfer assets; the intermediaries settle transactions and keep records. For the most part, intermediaries do an adequate job, with some notable exceptions. One concern is that they use servers that are vulnerable to crashes, fraud, and hacks.” 

The authors then go on to ask, “What would happen if there were an internet of value where parties to a transaction could store and exchange value without the need for traditional intermediaries?” The answer is that blockchain provides a transparent method to verify and approve transactions that is encrypted. Not only would this lower transaction costs and perhaps even barriers to doing business but also allow greater expansion of business into new geographic areas, through the use of previously external resources which were prohibitively expensive. Think of the possibilities in compliance for the supply chain and vertical integration. 

There are several specific areas where the value from blockchain could enhance the operationalization of compliance into the fabric of a company. In Human Resources (HR) and Procurement “Blockchain will enable organizations requiring specialized talent and capabilities to obtain better information about potential contractors and partners than many traditional recruitment and procurement methods offer.” This means that with a potential third party business partner’s consent, a company will have access to a cache of information that is known to be correct because it has been uploaded, stored, and managed on a highly secure, distributable database. Such potential business partners would not be able to misrepresent their capabilities after such information has entered on the blockchain. The authors also note that “Tampering with data after the fact wouldn’t be possible: It would involve taking over the entire blockchain, a nearly impossible task.”

This is made even more powerful in the area of financial reporting. Typically, a search is “horizontal (across the web) and vertical (within particular websites). What you find can be out-of-date or inaccurate in other ways. On a blockchain, though, there’s a third dimension: sequence. In addition to being able to obtain a historical picture of the company since it was incorporated, you can see what has occurred in the last few minutes.” The authors correctly note, “The opportunity to search a company’s complete record of value will have profound implications for transparency as it brings to light off-book transactions and hidden accounts. People responsible for records and reports will be able to create filters that allow stakeholders to find what they are searching for at the press of a button. Companies will be able to create transaction ticker tapes and dashboards, some for internal use”. This would be extremely helpful in the difficult vetting of third parties around financial information. 

In the sales realm, blockchain could be most helpful in understanding who you are doing business with and, more particularly, if the company is a state-owned enterprise. The same information you would consider about potential third parties sales agents would be available from customers. Obviously this would be critical in any Foreign Corrupt Practices Act (FCPA) analysis but it could also pay big results in anti-money laundering (AML) compliance. As the authors note, “sellers won’t have to incur the cost of establishing trust — thus they can facilitate transactions that would have been risky or might not have been possible otherwise.” Finally, there could be a data security plus as “blockchains will eliminate the cost of warehousing data and protecting other people’s data from security breaches.”

There are two specific areas where I see blockchain directly impacting the compliance profession. The first is with third parties. Volkov has stated, “a company could maintain immutable records of its due diligence process for a specific third party or a specific regulatory requirement. Due diligence delays would be eliminated by providing immediate and real-time and immediate access to the data, collection of information from potential third parties, and analysis of the information. A compliance officer could expedite the entire verification and validation process.” 

The second area where blockchain provides a potential game changer is contracts, specifically around compliance terms and conditions. As the authors explain, “Blockchains facilitate contracting in both the short and long term. Through smart contracts — software that, in effect, mimics the logic of contracts with guaranteed execution, enforcement, and payments — companies will be able to automate the terms of agreement. This means that if a company develops contract programs to run on blockchain, it can incorporate the required compliance term and conditions and with blockchain, it can trigger alerts and ensure compliance This could be expanded to include compliance training, annual certification, or another ongoing obligation. 

The authors conclude that blockchain could help alleviate some of the more egregious scandals seen, beginning back with Enron and up through Volkswagen (VW) and Wells Fargo. They believe that blockchain could help to “codify ethics and integrity into the circuitry of the enterprise, or reduce the moral hazard that too often sees management gambling with shareholder capital. Through smart contracts under blockchain, shareholders will be able to enforce the commitments executives make. Companies can specify relationships and state specific outcomes and goals so that everyone understands what the respective parties have signed up to do and whether those things are actually getting done.” 

This final points sounds to me quite a bit like operationalizing compliance. It will be interesting to see when the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will begin to comment on blockchain as a part of a best practices compliance program. 

Three Key Takeaways

  1. Blockchain has great potential for the compliance profession.
  2. Blockchain can facilitate the third party due diligence and update requirements.
  3. Blockchain can provide a clear trigger for compliance terms and conditions.

 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

 

Sep 12, 2017

In this episode, Roy Snell and I have a wide ranging discussion on the SCCE's Compliance and Ethics Institute. Roy reviews its history and how it became the largest annual event for the compliance professional. He talks about some of the highlights over the years and hits on some of the highlights for the 2017 event. 

You can find out more information on the event at the SCCE website, by clicking here

Sep 11, 2017

In Compliance and Continuous Improvement”, John Nocero discussed the concept of Kaizen or continuous improvement in compliance. He explained, “Loosely translated, Kaizen means change for the better. It has been utilized successfully by a variety of organizations in healthcare, psychotherapy, government and other industries to help develop long-term competitive strategies, improve operational practices and stay viable. When you think about it further, this principle has even more direct application to the compliance practitioner. In today’s environment in which we work, being a compliance practitioner is like setting yourself on fire at the beginning of the day and trying to put it out by day’s end. We fight fires. We want to be able to control the fire that is burning within ourselves – by learning how to handle the difficult conversation before it occurs, or anticipating how we will act when someone challenges our knowledge or authority.” 

The company Graphic Products explains on their website, “Kaizen works by reducing waste (muda) and eliminating work processes that are overly difficult (muri). As a lean business practice, Kaizen succeeds when all employees look for areas to improve and provide suggestions based on their observations and experience. Generally, these suggestions are for small changes that incrementally change the business for the better.” They suggest a four-step approach, which they call “Plan-Do-Check-Act (PDCA).” 

Under the Plan prong, you “define the problem and develop potential solutions.” Under the Do prong, you next move to “implementing the best solution.” During the Check prong you should “evaluate results to see if the solution worked.” Under the Act prong, you have one of two options: (A) If the solution you implemented succeeded, you work to standardize it and then implement it across the organization. (B) However if the solution did not work, you should return to the planning stage and start again. The site notes that using “PDCA to implement changes ensures that there is a continuous cycle in place to monitor changes and to continue to improve upon them.” 

Copenhagen Compliance suggest another approach in their e-newsletter entitled Using the Kaizen Approach to Risk Management by the Audit Committee”. They say, “Understanding the current nature of a risk is a precondition for a determining your risk appetite and providing a risk response.” It is therefore incumbent that you take the necessary “time, resources and expertise to have a closer look at individual risks and understand what a risk management means to the various department heads and divisions.” 

Using the small workshop format to determine and consider the different levels of risk, they propose you should start with the following questions: 

  1. List the different causes and the circumstances that decrease or increase the likelihood of risks;
  2. List the different causes and the circumstances to understand a risk at an individual level;
  3. List the different causes and effect that can make risks occur;
  4. Describe the effects which take place immediately after a risk occurs; and
  5. Describe the effects of a risk that happen because of the primary effects or because time elapses. 

The answers you deliver to these queries should provide you with a detailed analysis and more insight into both the order and magnitude of the compliance risks your company faces going forward. However Copenhagen Compliance then suggests a second step where you review the risks from a difference perspective. You should begin by using the results of the first exercise to take a look at a couple of different areas. First you should consider “the different causes and the circumstances that focus on the processes or events that precede a risk occurrence.” From there you should “list the different causes and the circumstances that focus on the processes or events that precede a cause of the risk.” The data you develop in this second phase “will provide valuable insights to determine the risk appetite, effective responses to optimize the management of risks with focus on Risk identification” which are embedded in the way you are doing business. 

Marty Ellen, the Chief Financial Officer (CFO) at Dr. Pepper, discussed these theoretical underpinnings in a Wall Street Journal (WSJ) article, entitled “How Dr Pepper Cuts Cost. And Then Cuts Costs Some More”, by Mike Esterl. At Dr. Pepper, Kaizen events are known as “Rapid Continuous Improvement” or RCI. Ellen said, “RCI is about taking the existing baseline and improving it by finding the waste. It starts with walking the entire process. We call it “going to gemba,” which is Japanese for going to see how the work is done. The goal is always to shorten cycle times. You would be surprised. You put a bunch of people in a room to describe how a process works, and they don’t all agree with each other - and they all work on the same process.” 

For the Chief Compliance Officer (CCO) or compliance practitioner, the most interesting take-away from the article was that Ellen has successfully used the process not only in manufacturing processes but also in internal controls and financial processes such as accounts payable. Moreover, using RCI is not about cutting jobs but making the internal processes more efficient. So if you can reduce costs in compliance by being more efficient in the process it sounds like a win for all concerned. 

Three Key Takeaways

  1. Kaizen works by reducing waste and eliminating work processes that are overly difficult.
  2. Use a four-step approach, “Plan-Do-Check-Act”.
  3. Kaizen works in for internal compliance controls and compliance processes.  

 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 11, 2017

In this episode, I visit with Alex Tsigutkin, founder and CEO of AxiomSL and Varun Singhal – Senior Vice President Product Management, AxiomSL. AxiomSL a global leader in risk data management and regulatory reporting solutions for the financial industry, including banks, broker dealers, asset managers and insurance companies. Its unique enterprise data management (EDM) platform delivers data lineage, risk aggregation, analytics, workflow automation. 

We discuss data lineage, which is quickly becoming a top line concern and challenge for data managers in financial services. In the past, data lineage—generation of a trail of information that tracks the use and custody of data as it travels throughout the enterprise—was primarily a concern for niche internal projects, usually run by reporting teams. A combination of closer oversight by prudential regulators and rising global standards around data governance, itself, has rapidly led many financial institutions to become more interested in how to do this on a broader level. The implications to and applications for the anti-corruption compliance profession are significant for transparency and accountability in data for sales, third party sales agents and payments, data flow in an organization and vendors in the Supply Chain. You can find out more about AxiomSL and data lineage by checking out their website, by clicking here.

Sep 8, 2017

One of the most constant things that I have observed in my 10+ years of practice in the compliance space is its constant evolution. Compliance techniques and practices, which were considered cutting edge when I began, have moved to standard fare and are now largely minimum practices. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have mirrored this evolution in not only how they view compliance programs but also in their own enforcement regimes and protocols. Today I want to consider agile innovations methods for your compliance program. 

According to a Harvard Business Review (HBR) article “Embracing Agile, by Darrell K. Rigby, Jeff Sutherland and Hirotaka Takeuchi, agile methodologies “involve new values, principles, practices and benefits and are a radical alternative to command-and control-style management.” It is accomplished by taking employees “out of their functional silos and putting them in customer-focused multidisciplinary teams”. As the customers of the compliance function are the company’s employees, I think the transition can be made. 

One of the most basic problems is that business executives basically understand only enough about agile to be dangerous but they do not understand the comprehensive approach that needs to be taken. This means that senior management will continue to the same management practices that in fact work to undermine the agile process. The authors suggest the solution is that executives learn the basics of the agile process and understand the conditions in which it does or does not work. They should begin with a small team and project and let the operation spread organically. 

Some of the right conditions for the success of an agile initiative in the compliance arena are as follows. You should have the right market environment for the project. This means you need to have your internal customers involved and allow feedback to change any proposed solution. You must be willing to innovate, particularly if there are complex compliance problems involved. You will need to break down the solutions into digestible junks, which may actually change the scope but through cross-functional employee collaboration, you can have appropriate creative breakthroughs. 

Digestible junks will allow you have incremental developments, which can be tested and then rolled out for use by your employee base. As your internal customers use the innovations, the work cycles can be broken down further so both testing and innovation can continue unabated. This allows a continual feedback loop so that late changes in the innovation can be managed and incorporated going forward. Finally, if there are interim mistakes, it can be a valuable source of lessons learned going forward. 

An example might be around compliance training, a topic oft-times commented upon as rote and something employees simply have to get through. Some commentators have characterized such training as a basic ‘tick the box’ exercise simply to get government credit. While such commentary fails to understand the benefits of communication through training, it does point up the issue of the stiltedness of compliance training.

An approach to this might be to put together an agile team to look at training so that compliance could create topical training, in a few days to respond to market or other conditions, separated out by the challenges met in various product lines or geographic areas. This innovation can include budgets as well, making your compliance function more cost effective through innovation. 

Another concept is to start small and let the word spread. This is antithetical to many large companies that “launch change programs as massive efforts” largely because the project sponsors feel that if they do not do so, the rest of the company will divine that the effort is not really supported by senior management and respond accordingly. However, the authors suggest “agile might spread to another function, with the original practitioners acting as coaches. Each success seems to create a group of passionate evangelists who can hardly wait to tell others in the organization how well agile works.” 

The C-Suite has a role as well by practicing agile at the top of the organization so not only could senior management provide new techniques through an agile exercise, they could learn how to support more fully the compliance function which might engage in an agile review. “Senior executives who come together as an agile team and learn to apply the discipline to these activities achieve far-reaching benefits. Their own productivity and morale improve. They speak the language of the teams they are empowering. They experience common challenges and learn how to overcome them. They recognize and stop behaviors that impede agile teams. They learn to simplify and focus work. Results improve, increasing confidence and engagement throughout the organization.”

There are three succinct benefits. First by having senior management involved in an agile exercise, it would allow them to “catch up with the troops” and to reprioritize their efforts going forward to be better aligned with the real-time nature of agile. Second, it allows a speedier corporate transition as it can allow the employees to know if management is in tune with what the employees care about going forward. Finally, it can present clear alignment of departments and functions on a common vision. I can think of no greater strength for the compliance function to rely upon. This can be used to expose senior managers to break out of their “silos in today’s overspecialized organizations-for general management roles.” 

The authors conclude by noting the need to destroy barriers to agile. They list five pointers. First “get everyone on the same page” which they believe is the key responsibility of management. Second is not to change structures but to change roles so that internal company disciplines “can learn to work together simultaneously, rather than separately and sequentially.” Next is to name only one boss for each decision as in the agile operating model it must be “crystal clear” who can make the final decision. Penultimately, your agile exercise should focus on teams not individuals because it is the team’s collective intelligence that brings the power to an agile exercise. Finally, lead with questions not orders. Here the authors cite to General George S. Patton, who “famously advised leaders never to tell people how to do things: “Tell them what to do, and they will surprise you with their ingenuity.”” 

The agile exercise will probably not work in a compliance function under the thumb of the corporate legal department, as innovation is typically not in the remit of legal. However for a compliance function that desires to bring new and unexpected ways of doing compliance to your organization, going through an agile exercise might be just the thing to move compliance into the very DNA of your organization. 

Three Key Takeaways

  1. Agile compliance involves new practices and benefits and is a radical alternative to command-and control-style management.
  2. Agile compliance allows you to take small, digestible steps.
  3. Agile compliance works at the top. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 8, 2017

After a two week absence, Jay and I return for a wide-ranging discussion on some of the top compliance and ethics related stories which happened while we were off, including: 

  1. Retired U.S. Army colonel, Joseph Baptiste was caught in a FCPA sting. Sam Rubenfeld reports in the WSJ Risk and Compliance Journal. Richard Bistrong writes that the Baptiste arrest was unlike the Gun Sting case, where he was a cooperating witness. See his blog post in the FCPA Blog.
  2. Andy Spalding asks if the DOJ could make the Pilot Program even better? See his article in the FCPA Blog.
  3. New York banker Mahmoud Thiam jailed for seven years for laundering bribes from Chinese companies. See article by Dick Cassin the FCPA Blog.
  4. Wells Fargo’s woes grow even worse. See Joe Mont’s article in Compliance Week.
  5. Mike Volkov has a two-part series on the intersection of anti-corruption compliance and anti-trust compliance. For Part I, click here. For Part II, click here.
  6. Bill Steinman writes about why we fight graft and corruption in the FCPA Blog.
  7. Compliance Week explores the pro and con arguments of SEC no admission settlements. For the pro side see post by Brad Karp and Susanna Buergel of Paul Weiss. For the con side see post by Judge Jed Rakoff.
  8. SFO wants great powers to fight money-laundering. See article by Suzy Ring in Bloomberg.
  9. Not surprisingly, Uber is under investigation for possible FCPA violations. See article in the WSJ.
  10. Tom interviews Adam Turteltaub about the upcoming SCCE 2017 Compliance and Ethics Institute. See podcast and for registration information click here.
  11. What are the compliance lessons from Hurricane Harvey? Tom explored in Hurricane Harvey-Reflections on Being Prepared and Practicing Compliance. Jaclyn Jaeger discusses Corporate Philanthropy at it Finest in Compliance Week. Matt Kelly explored these themes in a blog post on Radical Compliance. Finally Tom and Matt explored these themes and more in podcast in Compliance into the Weeds.
  12. Yet another Boston sports team caught cheating, as the Red Sox steal signs from the hated Yankees via an AppleWatch. See article in the New York Times.
  13. This month’s podcast series on One Month to a More Effective Compliance Program is in full production. In September, I am reviewing innovations for your compliance program. This week’s topics include how to set a strategic plan for innovation in your compliance program, Artificial Intelligence as a compliance advantage, how to find patterns in raked leaves and ComTech. Oversight Systems is this month’s sponsor. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
Sep 7, 2017

What will be the role of Artificial Intelligence (AI) in compliance going forward? LawTech had disrupted the legal profession and how it is reshaping many areas of private practice. I found the article had multiple implications for the compliance function. Indeed, I believe there will be a ComTech industry lurking down the road. 

Obviously, document review is one area where ComTech would be most useful. There are many companies who provide key word searches and these same concepts translate readily into the compliance world through massive database searches for key words, such as an ongoing email review through email sweeps. The concept is straightforward; at regular intervals, you sweep through your company email database for identified key words that can be flagged for further investigation, if required. Such a sweep is not limited to anti-corruption compliance but any of the risk factors identified for your company. 

The objective of this approach is to find the evidence of a compliance breakdown by sweeping systems to uncover items that may contain real issues. From here, you can assess and prioritize, by checking and verifying if an issue needs investigating and focusing on the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities. AI can help you to perform all of this more cheaply and efficiently.

Soon compliance will be pushed more to the forefront in anti-money laundering (AML). As banking institutions continue to tighten and strengthen AML controls, criminals and other nefarious actors will move into non-financial corporations to move money for the simple reason that such robust controls required in the financial and financial services world are not generally required in the non-financial corporate world. Non-financial corporations should have robust AML controls in place and one of the requirements for any best practices AML policy is to “Know Your Customer” (KYC). AI will allow a more robust KYC approach. 

Another area where compliance is often left behind is in the arena of Mergers and Acquisitions (M&A). Since the 2012 FCPA Guidance, the focus of compliance in M&A has been more and more on the pre-acquisition phase of a deal. Often the compliance function is either brought in at the last minute and does not have the time to perform adequate compliance due diligence or there is an overwhelming amount of data to be reviewed and the resources available (or made available) to the compliance function is woefully inadequate. AI can help in this area. There are companies which have software that allows thousands of documents to be reviewed in the M&A context. 

The review could include such issues as whether third party sales representatives have the requisite background due diligence in the files, their status and commission rates paid. There could be a review of top sales and business developments folks in high-risk regions, correlated with a gift, travel and entertainment analysis. Finally, you could consider sales in high risk regions or even sales spikes from low risk areas from the compliance perspective. 

A prime example of where AI can assist the compliance function is with third parties in the Supply Chain arena. Every multi-national has literally thousands of vendors. Getting a handle on those is always a challenge simply because of the numbers involved. Using AI, a compliance practitioner can immediately identify vendors that present anti-corruption compliance or other risks to an organization. Once again, having led an effort to list out all employer’s vendors by hand to begin the risk ranking process, I can personally attest to the greater efficiencies AI can bring to the exercise. 

There is yet another set of AI tools which can review contracts to see if any specific types of clauses are non-standard. It would seem a relatively easy software coding exercise to adapt such products to compliance clauses. This type of approach could also be used for non-standard governance clauses in joint venture (JV) or other types of partnerships agreements. Having once been assigned the task of reading all my employer’s JV agreements (87) and third party sales agents contracts (211) from across the globe and recalling the amount of time it took to do so; I can personally attest again to the greater efficiencies we are considering through the use of AI. 

This example also points to one of the key disadvantages to AI and ComTech going forward. In past years, it was through document review and the detailed reading of documents and cases that many junior lawyers were trained. In my experience, reading all those JV agreements and third party sales agents’ agreements gave me a very good education in contract language and what positions were more and less favorable to each party. This is how many young associates were trained in law firms. This very practical method of training will eventually go away. 

This final example also points to one of the key limitations of ComTech. While it might have helped to have AI review the JV agreements and third party sales agents’ contracts, it only could identify non-standard contract language. Unfortunately, since most of the agreements and contracts were bespoke they were uniformly non-standard. Further, the assignment I was given required an analysis of each non-standard contract so the judgment of a human was required. Even as AI becomes more sophisticated, the judgment of a professionally trained compliance practitioner is still required to validate the areas flagged by AI as anomalies. 

Gary Kasparov recognized this after his loss to IBM’s Big Blue in a chess match. In a review of his recent book Deep Thinking-Where Artificial Intelligence Ends and Human Creativity Begins, it noted that Kasparov “recognized that computers do well what humans do badly and vice versa, suggesting a useful complementarity.” Moreover, “he argues that humans are often fallible, finding patterns in randomness and correlations where none exist. Computers can help us be more objective and amplify our intelligence. Technological progress can never be stopped even if it should be better managed.” Kasparov even formulated his own theorem, which he calls “Kasparov’s Law” and it reads, “Weak human + machine + better process is superior to strong human + machine + inferior process.” 

There have always been technological innovations which help make co mpliance disciplines run more efficiently, more smoothly and more profitably. AI is simply another step in this line of technological developments. There is certainly no reason to be afraid of using it. Given the disruption which has impacted the legal profession through LawTech; disruption is not far behind in the compliance world through ComTech. 

Three Key Takeaways

  1. Artificial intelligence has already disrupted the legal profession, the compliance profession may be next. ComTech will be the result.
  2. Document review will be the first area of significant AI use in compliance.
  3. Beware the limitations and disadvantages of ComTech. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 7, 2017

In this episode, I visit with Rakhi Kumar, the Managing Director, Head of ESG Investing and Asset Stewardship for State Street Global Advisors (SSGA) on the firm’s recent white paper entitled, “SSGA’s Perspective On Effective Climate Change Disclosure”. While the white paper focused more specifically on climate impact and climate risk to businesses in the energy and mineral extractive industry, it set out a protocol which every Board of Directors can use for a wide variety of risks, including compliance risk.

We consider the purpose & methodology of SSGA’s white paper. We take a deep dive into the four areas of how a Board can better position climate change risk:

  1. Governance and board oversight of climate risk
  2. Establishing and disclosing long-term GHG goals
  3. Disclosing information on carbon price assumptions
  4. Discussing impacts of scenario planning on tong-term capital allocation impact

We then consider the SSGA approach in the context of a broader risk management process through the exploration of such issues as

  1. How broadly do climate related changes impact businesses?
  2. How should businesses prepare for disruption due to climate change or climate impact?
  3. Is there a business opportunity for companies which engage in strategic risk management around climate change?
Sep 6, 2017

We previously considered how artificial intelligence (AI) can be used as business advantage for compliance. However, the power of AI can also extend the more traditional functions of prevention, detection and remediation. The first way is in simply the mass amount of data which could inundate a compliance practitioner. Many compliance practitioners are overwhelmed about the amount of data available to them and do not know how or even where to begin. 

Patrick Taylor, President and CEO of Oversight Systems, Inc. has noted that AI allows the compliance practitioner to understand the “subtle clues in that pattern of activity that will clue me in to take a different look”. He likened to seeing a pattern in “raked leaves” which allows you to then step in and take a deeper and broader look at an issue, either through an audit or investigation.  This is where compliance practitioner can step back and literally keep an eye on the big picture and longer term as opposed to just the immediate numbers and information in front of them. It may also be the best hope for finding that kind of systemic fraudulent behavior. 

This speaks to one of the difficult issues for the compliance practitioner, which is what does all the information mean? Consider the example of GlaxoSmithKline (GSK) in China. The Chinese business unit employees were working en masse to create fraudulent reimbursable invoices, inflating the cost of industry events to create a pool of money to pay bribes. They would stage an event around a drug product, or service in a hotel. They would inflate the hotel charge 20% above the actual costs and submit the entire amount to the corporate office for reimbursement. In some cases, GSK employees would submit invoices for events which never took place. 

Now layer on top of these deceptions, in China, there is a rampant sale of fake receipts. For every Marriott the Chinese business unit utilized, personnel they could buy an official Marriott receipt, which showed the price that was paid and it was a backup documentation for the auditor to look at on that expense report. Finally, there was the illegal sale of official Chinese government real tax stamps to tier on another level of complexity. 

Taylor said that AI would provide you the opportunity to detect even this type of massive and systemic fraud because, statistically those charges would not make sense. Taylor said the reason this type of fraud can be so difficult to detect and prevent is the charges were on credit cards, so recorded and there was paper documentation to back up the charges. Standard modalities of detection will not assist the compliance practitioner. You just know that something does not make sense. AI allows a compliance professional to gather and compute statistics across a wide variety of customers and situations; such as geographic and time dimensions. 

Using these two data points, you can analyze what is a reasonable amount to spend at a hotel or other venue. But also includes such variables as the time of year as some cities have tremendous seasonality in their hotel charges. Yet others do not and indeed there may even be zero variability in transportation cost across seasons. AI allows you to pull geographic, time, type of expense and even specific vendors statistics for a big-picture analysis. 

In a broader manner, consider all the data points in the lifecycle of any business transaction which produce data analytics for a compliance practitioner. When Business Development (BD) initially makes a call on a potential customer; when a request for proposal (RFP) comes into an organization; when the response is formulated with pricing and proposed discounts; during any subsequent contract negotiations; post-contract obligations for travel and training; and continued business development contacts with a customer. 

Each of these steps could provide data, which taken singularly might not raise any red flags or even be outside company specifications, but taken as a whole it might be a transaction which would lend itself to compliance oversight. Starting with the BD representative, what was the spend on gifts, meals and entertainment (GTE)? Even if that information is not available to the compliance department it is available from employee reimbursement requests so it can be used to take an appropriate business deduction from the Internal Revenue Service (IRS). From the Foreign Corrupt Practices Act (FCPA) perspective, is the BD representative entertaining a foreign government official under the Act? If so, what is the aggregate spending by any one such government official over a 12-month period by one BD representative? What is the BD spend on one particular state owned enterprise official by several company BD representatives? Has there been any travel involved to tour company facilities? If so, what was the aggregate spend and was it correlated with other GTE spends? 

Moving on to any contract negotiations which might take place, were any discounts offered outside the standard discount range? If so were these discounts properly vetted through the internal company process? Was this process documented and was there senior management sign-off in place? Did the customer suggest the use of any third parties as suppliers to the prime contract? Were there any charitable donations requested by the customer? Were there any charitable donations made during any part of this process or within 12 months after a successful contract negotiation? Was the contract properly vetted by all required internal processes: by management, legal, and compliance? 

If the business function was successful in concluding the contract; did it specify any travel for the customer? How about ongoing training and if so where and for how long? Was there a specification of business class or above travel accommodations? Has any required compliance or FCPA training been delivered to third parties involved in the contract? Was there any Corporate Social Responsibility (CSR) requirement going forward? Does compliance have visibility into this or does is go through a company charitable donation group or committee? 

These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. Obviously, AItion holds both promise and challenge for CCOs. However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition. 

Three Key Takeaways

  1. Do you know what your information means?.
  2. AI can help both the detect and prevent prongs in a best practices compliance program.
  3. AI can help you to see the patterns in raked leaves. 

 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 6, 2017

In this episode, Matt Kelly and I take a deep dive into the good, bad and ugly of Hurricane Harvey for the compliance professional. We discuss what lessons may be drawn from the storm and its aftermath for the greater compliance, ERM and business communities and the need to take a much greater holistic approach to the consideration of your risk management strategy. We end with some thoughts on the travails of Salt Lake City nurse Alex Wubbels who was arrested for obeying the law in refusing to take blood from an unconscious patient.  We consider her plight from the compliance perspective. 

For more on Hurricane Harvey and its aftermath see the following:

Matt Kelly’s piece Corporate Ethics, and Glitches, in Houston

Tom Fox’s pieces

 Hurricane Harvey - Reflections on Being Prepared

How Weather Can Bring Analytical Clarity to Compliance

How the Storms of “The Scottish Play” Inform Your Compliance Program

Holmes, the Fog of London and Root Cause Analysis

Practicing Compliance

For Matt’s piece on the arrest of Nurse Wubbels, click here.

Sep 5, 2017

Next we consider the introduction of Artificial Intelligence (AI) into the compliance profession. A few pieces claimed AI is revolutionary and would change the face of compliance. Well I have some news for such pontificators, technology has been involved in compliance since the profession began in earnest with the implementation of the US Sentencing Guidelines in 1992. One thing is certain however and that is technology that will improve the efficiency of compliance and will assist in the operationalization of compliance into fabric of every business which embraces it. 

A recent article in MIT Sloan Management Review, entitled “Building a More Intelligent Enterprise, by Paul J. H. Schoemaker and Phillip E. Tetlock explored how businesses could “blend technology-enabled insights with a sophisticated understanding of human judgment, reasoning, and choice” which will provide to them “an advantage over their rivals”. The compliance professional who incorporates the techniques they advocate into their organization’s compliance program will not only move their compliance program forward but also make their company run more efficiently and, at the end of the day, more profitably. 

The reason is not simply that AI can make compliance more effective and more efficient but “in the knowledge economy, strategic advantages will increasingly depend on a shared capacity to make superior judgments and choices.” AI is a step which weds the human interaction and experiences with the data which is available to every company - its own internal information which is most generally sitting in siloed verticals and not being used. This data can “provide the foundation for operations research, forecasting models” when using AI. When you couple this data with the “growing understanding of human judgment, reasoning, and choice” which has provided insights in what humans do well or poorly; you can pair the best of these two seemingly disparate incongruities. 

The authors suggest that you use this strategy in an area which will have the greatest benefit for your company, stating, “The starting point for becoming an intelligent enterprise is learning to allocate analytical effort where it will most pay off — in other words, being strategic about which problems you decide to tackle head-on. The sweet spot for intelligent enterprises is where hard data and soft judgment can be productively combined.” For the compliance professional, this translates to your greatest risk area. Consider the possibility that you could identify through forecasting what your highest risk might be, then use AI to more efficiently and accurately assess the risk and finally tie both an AI technology solution with compliance subject matter expertise (SME) to manage the risk going forward. 

The key in such a scenario is in aiding the compliance practitioner to avoid judgmental “biases that often distort human information processing and by recognizing the precarious assumptions on which statistical models sometimes rest, the analytical whole can occasionally become more than the sum of its parts.” This means you should critically look at a variety of factors around where your compliance risks lie. Most compliance practitioners only rely on the Transparency International-Corruptions Perceptions Index (TI-CPI) for a country’s corruption rating. While the TI-CPI is a good starting point, it is only that. A compliance analysis that an area is high, medium or even low risk does not consider the starting assumption using the TI-CPI. Moreover, because this Index has been used so long, compliance professionals are biased towards and do not seek out other data which might provide a more nuanced approach. 

Another technique which I have been involved with is known as boot-strapping. Here a group of SMEs would develop a model of possible risks which could be assessed with large amounts of data or other inputs. By modeling the experts’ knowledge in risk areas, you could develop not only a more comprehensive forecast and assessment of risk but it would also be more consistent, which would greatly help in your planning and risk management. 

The authors reported researchers who asked a group of corn experts to rate 500 ears of corn to predict their eventual prices in the marketplace, using a variety of factors. “The researchers then created a simple scoring model based on cues that judges claimed were most important in driving their own predictions. Both the judges and the researchers expected the simple additive models to do much worse than the predictions of seasoned experts. But to everyone’s surprise, the models that mimicked the judges’ strategies nearly always performed better than the judges themselves.” Most of the factors were subjective but that did not stop the model from being more efficient. The authors believe the boot-strapping model “remains one of the most compelling demonstrations of the potential benefits of combining the powers of models and humans, including the value of expert intuition.” 

Boot-strapping is the most straight-forward use of this type of technology, as it is “a simple input-output approach to modeling expertise without delving into process models of human reasoning.” Now consider how boot-strapping can be augmented by AI technologies “that allow for more complex relationships among variables drawn from human insights or from mining big datasets.” 

These are but some of the data points which could be inputted and analyzed to determine if any compliance issues arose. But they would also provide the company with a wealth of information on its internal efficiencies around sales and their corresponding processes. The authors conclude by noting, “the cognitive-science revolution holds both promise and challenge for business leaders.” However, when a compliance function embraces the use of AI and embraces this human and technological approach for forecasting and risk assessments and then keeps improving their risk management techniques, it will create a sustainable strategic business, compliance and intelligence advantage over its competition. 

Three Key Takeaways

  1. Innovation in your compliance program has been required since the implementation of the US Sentencing Guidelines.
  2. AI can help compliance in the knowledge economy.
  3. AI in compliance will benefit the business going forward.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Sep 5, 2017

In this episode, I visit with Adam Turteltaub, Vice President of Strategic Initiatives and International Programs. We discuss the upcoming 2017 Compliance and Ethics Institute, which is one of the primary education and networking event for professionals working in the Compliance and Ethics profession across all industries around the world. Sessions at the 2017 conference will offer the latest compliance information on hot topics and current events. Sessions are carefully selected and will be presented by leading experts who will explore real-world compliance issues, practical application, emerging trends, and state of the art techniques. 

The CEI conference and compliance training is great for everyone in the compliance and ethics field including: Compliance Auditors, Compliance Directors, Compliance Management, Compliance Officers, Risk Managers, International Compliance, Financial Compliance, Corporate Business Ethics, Ethics Officers, Ethics Management, Compliance Lawyers, HR Management, and Human Resource Risk. 

Adam and I discuss the tracks for breakout sessions and events, the pre-and post conference events and sessions you wish consider and the volunteer opportunities that are available. If you attend only one compliance and ethics event for the year, this is one for you. You can find out more information at the SCCE homepage, by clicking here.

Sep 1, 2017

Welcome to the September edition of my yearlong podcast series of One Month to a More Effective Compliance Program. In the month of September, I will be focusing on innovation in compliance. I will look at innovation from a variety of angles including AI and ComTech, structural innovations, tools and tactics and innovation in leadership. At this end of September, you will have a number of solid ideas you can use to move your compliance program forward. 

I begin this month by considering the starting point, which is an innovation strategy. In the most recent Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) issued by the Department of Justice they all include an element along the following strictures, “The Company will conduct periodic reviews and testing of its anti-corruption compliance code, policies, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, policies, and procedures, taking into account relevant developments in the field and evolving international and industry standards.”[Emphasis supplied]. This means that the DOJ expects innovation in your compliance program to keep up with evolving international and industry standards. This requires you to implement an innovation strategy. 

All of this means you should begin with an innovation strategy for your compliance program. Gary P. Pisano, in an article in the Harvard Business Review (HBR), entitled “You Need an Innovation Strategy” discussed such an approach. He began by stating the problem that many companies face is that “innovation remains a frustrating pursuit.” The key to success is something that every CCO or compliance practitioner should take to heart; which is, a compliance practitioner must be able to lay out an innovation strategy for compliance that details the efforts will support the overall business strategy. This means creating an innovation strategy for compliance that will create value for customers of compliance, IE., employees, third parties and customer, show how the company will capture that compliance value going forward and finally which types of compliance innovation to pursue.

First, some basic definitions useful for the compliance practitioner to think through innovation in the compliance function. Pisano defined a “strategy is nothing more than a commitment to a set of coherent, mutually reinforcing policies or behaviors aimed at achieving a specific competitive goal.” If you have a good strategy, it can promote alignment among diverse groups in a company, help to clarify objectives and priorities and guide your focus on those objectives. It can also be modified as necessary and with sufficient feedback. 

There are several questions you need to consider in connecting innovation to strategy. Initially, how will innovation create value for the customers of compliance; IE., your employees and relevant third parties? Your innovation can make compliance faster, easier, quicker, nimbler and so on. Focus on that creation of value going forward. Pisano’s next question was “How will the company capture a share of the value its innovations generate?” He suggests companies think through how to “keep their own position in the [compliance] ecosystem strong” through innovation. Next what types of innovation will allow the company to create and capture value, and what resources should each type receive, such as a change in technology and a change in a business process. Both are equally valid.

Obviously senior management has a key role around innovation in compliance, as innovation can be driven downward or backward if there is not sufficient management support. This means not only must there be sufficient resources allocated but management must also incentivize the business units to proceed with implementing the innovations. Another area where senior management is critical is with making trade-offs. 

The author noted there are four essential tasks in creating and implementing an innovation strategy. Task 1 is to “answer the question “How are we expecting innovation to create value for customers and for our company?” and then explain that to the organization.” Task 2 “is to create a high-level plan for allocating resources to the different kinds of innovation.” Task 3 is “to manage trade-offs. Because every function will naturally want to serve its own interests, only senior leaders can make the choices that are best for the whole company.” Finally, task 4 dovetails with what almost every DOJ or speaker from the Securities and Exchange Commission (SEC) I have ever heard say when they talk about the basics of any best practices compliance program. It is that both compliance and innovation strategies must evolve. Pisano wrote that every innovation “strategy represents a hypothesis that is tested against the unfolding realities of markets, technologies, regulations, and competitors. Just as product designs must evolve to stay competitive, so too must innovation strategies. Like the process of innovation itself, an innovation strategy involves continual experimentation, learning, and adaptation.”

You must recognize that your compliance program will have to be innovative. Start with a strategy which has senior management buy-in and support, then move to implement. Finally use data in a feedback loop to fine tune your innovations. Innovation in compliance is one of the key differences between those who advocate static compliance standards embodied in a written compliance program and those who advocate an operationalized compliance program is that the latter creates an active, vibrant and effective compliance program. That is the bottom line for innovation. 

Three Key Takeaways

  1. Both the DOJ and SEC expect innovation in your compliance program.
  2. Innovation in compliance should have a strategy going forward.
  3. The key is to demonstrate how the compliance innovation will benefit the business going forward. 

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

Aug 31, 2017

In the August edition of One Month to More Effective Continuous Improvement I have considered some of the techniques to create continuous improvement in your compliance program.

Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its chapter 5 Guiding Principles of Enforcement industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs (Evaluation) lists three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each was category further refined with multiple attendant questions.

You should keep track of external and internal events which may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events which drive changes within a company, i.e. a company reorganization or major acquisition. This type of review appears to be similar to the DOJ advocacy of ongoing risk assessments. The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its custom­ers, the laws that govern its actions, and the standards of its industry. In addition, effective compliance programs, meaning those that do not simply exist on paper, but are operationalized will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

One technique that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. 

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

Over the month of August I have presented a variety of specific tools and techniques for the compliance practitioner to utilize. They include financial audit, the culture audit, continuous controls monitoring, various risk management strategies which can become continuous monitoring. The tools are both quantitative and qualitative. Pick and choose the right tools for your company’s business and compliance profile. 

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improve­ment and sustainability.” 

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. There are a variety of tools for continuous improvement which will enhance both your compliance and business processes.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered.

A big shout out and thank you to this month’s sponsor Affiliated Monitors. They use a variety of the tools and techniques I have described over the month in their services. I hope you will check them out. For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 30, 2017

Continuous improvement also requires you to consider the backbone of your compliance program, your written Code of Conduct, policies and procedures. Under Prong 9, in the Department of Justice’s Evaluation of Corporate Compliance Programs, it states, Evolving UpdatesHow often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries

Moreover, under Prong 4, the Evaluation considers not only the design of your Code of Conduct but its accessibility with a variety of questions and factors. These include what was considered for your Code of Conduct, how the Code improvement was implemented, whether the gatekeepers were consulted and most importantly whether they bought into the entire process. Finally, is your Code accessible to all employees.

I thought about this updating in the context of your best practices compliance program. The cornerstone of any such compliance program is recognized to be your Code of Conduct. But a Code of Conduct should not be a static document. It needs to evaluated and updated as circumstances warrant. Yet such updating should not be performed in an ad hoc manner. As intoned in the 2012vFCPA Guidance, your compliance program should be thoughtful and well considered. In “Six steps for revising your company’s Code of Conduct”, Anne Marie Logarta and Ruth Ward discussed how you should think through the updating of your Code of Conduct.

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to update your Code?

After evaluating these initial issues, the authors suggest that you should benchmark your current Code of Conduct against others companies in your industry. If you decide to move forward the authors have a six-point guide that should assist you in making your revision process successful.

  1. Get buy-in from decision makers at the highest level of the company

Your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

  1. Establish a core revision committee

A cross-functional working group should head up your effort to revise your Code of Conduct. They suggest that this group include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, Code of Conduct topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. It is incumbent you create a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

  1. Conduct a thorough technology assessment

The backbone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” Technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct revision, you should determine if your Code of Conduct will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code will only be available in hard copy.

  1. Determine translations and localizations

You must translate your Code of Conduct into appropriate local languages. This is particularly important if your Code is pre-2012, when the FCPA Guidance came out and made clear that translation into local languages was a minimum of a best practices compliance program. The key is that “your employees have the same understanding of the company’s Code-no matter the language.” The Evaluation also makes this requirement for accessibility mandatory.

  1. Develop a plan to communicate the Code of Conduct

A roll-out is always critical because it “is important that the revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide meeting where the new or revised Code is rolled out across the company all in one day. Recent pronouncements from the Department of Justice (DOJ) have suggested that testing the knowledge of employees on the Code is becoming more important. However, the bottom-line, as with all thing compliance-related, is Document, Document and Document. However you deliver the new or revised Code of Conduct, you must document that each employee receives it and understands it.

  1. Stay on Target

If you set realistic expectations you should be able to stay on deadline and stay within your budget. They state, “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that to keep a close watch on your budget so that you do not exceed it.

If you are a compliance practitioner, I urge you to look at your company’s Code of Conduct, policies and procedures. If your Code is pre-2012, you need to update sooner rather than later and consider what the FCPA Guidance says about a best practices Code of Conduct. With the new information presented by the DOJ you need to consider how you can measure how well your employees are retaining it as well. It is far better to review and update if appropriate than wait for a massive Foreign Corrupt Practices Act (FCPA) investigation to go through the process.

Three Key Takeaways

  1. Continuous improvement includes your Code of Conduct.
  2. When was the last time you assessed and updated your Code of Conduct.
  3. Who, what, how are important issues of continuous improvement for your Code of Conduct.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 28, 2017

A Program Manager in a Power Plant Process group told me about the ‘Mock Audit’ that his company performs in its power plants across the country. He explained that his industry is heavily regulated at both the state and federal level. Power plants are subject to numerous levels of oversight including various ISO standards to which they must comply. ISO is the International Organization for Standardization and it develops and publishes International Standards for various industries and organization.

The ISO 9000 standards provide guidance and tools for companies and organizations who want to ensure that their products and services consistently meet customer’s requirements, and that quality is consistently improved. One of the components of ISO 9000 compliance is an internal audit to check how a quality management system is working. But, for the utility industry, there are additional, more formal audits by various state and federal regulatory bodies, including both North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC). In other words, the utility industry is subject to numerous rules and regulations which require compliance audits.

To help prepare for these formal internal and external audits, his company employs the Mock Audit. In the Mock Audit, his team will go through the factors which will be reviewed in a formal audit at a power plant. But the thing that struck me was that he said that when goes into a plant, he tells the plant personnel “we all wear the same color shirt” and by this he means they are all on the same team, trying to achieve the same goal of doing business in compliance with the rules and regulations that the power industry is required to operate under. Coming from the energy service industry, the ‘color of one’s shirt’ is a powerful concept. I worked at Halliburton which is known as “Big Red”. Halliburton’s competitor, Schlumberger, is known as “Big Blue”. Once in an employment interview someone asked me if I could work under a person who came from “Big Blue” and I knew instantly what they meant.

The Mock Audit is a mechanism by which a compliance team can go into a facility and not only try to determine what might need remediation but, equally importantly, help the employees in that facility to move towards greater compliance. The team members who perform these Mock Audits are not lawyers but are engineers or other process focused team members. These Mock Audits help to uncover gaps that need closing before any of the regulatory mandated audits by external audit teams. As this Program Manager explained to me, they are a powerful compliance tool.

I thought about this concept of the Mock Audit in the context of continuous improvement under the Foreign Corrupt Practices Act (FCPA). Typically such monitoring and annual assessments are done by lawyers. One thing that I think we as lawyers bring to this process too often is an adversarial relationship. It sometimes feels and sounds like we are trying to find a violation or something wrong regarding a company’s compliance program. We are not there to try and help employees learn from their mistakes (if any) and we do not present ourselves as ‘wearing the same color shirt’. While there certainly is a fine line that must be trod in monitoring and annual assessments, if the compliance practitioner could adopt a bit of the tone of the Mock Audit it might open things up for a more useful and constructive exercise going forward. This is not to say that a more formal compliance audit should be conducted with such a tone, as it is a different type of activity. But, just as the Mock Audit is there to uncover any gaps and help fill those gaps, monitoring or annual assessments can also be used to help close compliance gaps before a biennial formal compliance audit. So what are some of the steps that a compliance practitioner can take?

I once worked in a corporate legal department where the attitude was very much ‘us against them’. The legal department was viewed as the last bastion between the business guys doing something to put the company at risk. The attitude was not cooperative at all. I would suggest that even if the legal department feels like it has to maintain that attitude, the compliance department is not required to have that attitude, at least not all the time. Just as my new found colleague from the utility industry can help power plant employees to do their work more in compliance with the rules and regulations that they are required to follow, the compliance department can work with employees rather than simply dictate the rules which are to be followed. An annual assessment is the perfect opportunity to learn more about a region or group’s compliance challenges and how those challenges are being met and might be met going forward. But it will not work if it starts out with the us against them or I am here to get you attitude. You have to wear the same color shirt and be on the same team.

One of the more constant complaints that I have heard from business unit folks is that compliance did not share the results of any assessments or audits with them. Not only was there no transparency at the end of the process but there seemed to be no simple desire for local participation or input to resolve any outstanding issues uncovered. So another step I gleaned from the Mock Audit is to review any assessment findings with the senior management team of the group or area being assessed. If warranted, the management team from the group or area reviewed should be a part of any corrective action plan that addresses a specific gap in compliance. You can use this opportunity to demonstrate that the overall goal is to drive towards compliance and that use of local input may be one of the best paths to positive change over the long term. As with anything, else if people feel like they have input into the process, they will be more likely invested to make sure the process succeeds. When you return to the corporate office you can collaborate with the group or region until issues are fully addressed.

The 2012 FCPA Guidance made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. The concept of the Mock Audit is one that can facilitate continuous improvement. As it is a process designed to help your employees do business in a more compliant manner it is a tool that should not be overlooked.

Three Key Takeaways

  1. Always remember we wear the same color shirt.
  2. Review your findings with the group being assessed.
  3. Use the Mock Audit to both learn and educate. 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 25, 2017

Compliance does not exist in a time-warp vacuum, with programs living in 1977 when the first major anti-corruption legislation, the Foreign Corrupt Practices Act was passed. The law has advanced since that time, as has compliance and society as well. One of the ways that you can engage in continuous improvement for your compliance program is based upon the two-way use of social media. Social media can be used not only to communicate with your employee base but also for your employee base to communicate with you, most particularly if you are prepared to listen. 

For every CCO or compliance practitioner, you have multiple audiences. First and foremost is your employee base but there can be third parties, shareholder or other stakeholders. One of the key insights of several business leaders I have studied is the art of listening. In an article in the MIT Sloan Management Review, entitled “How Twitter Users Can Generate Better Ideas”, authors Salvatore Parise, Eoin Whelan and Steve Todd postulated that “New research suggests that employees with a diverse Twitter network – one that exposes them to people and ideas they don’t already know – tend to generate better ideas.” Their research led them to three interesting findings: (1) “Overall, employees who used Twitter had better ideas than those who didn’t.”; (2) In particular, there was a link between the amount of diversity in employees’ “Twitter networks and the quality of their ideas.”; and (3) Twitter users who combined idea scouting and idea connecting were the most innovative. 

I do not think the first point is too controversial or even insightful as it simply confirms that persons who tend have greater curiosity tend to be more innovative. The logic is fairly straightforward, as the authors note, “Good ideas emerge when new information received is combined with what a person already knows.” In today’s digitally connected world, the amount of information in almost any area is significant. What the authors were able to conclude is that through the use of Twitter, “the potential for accessing a divergent set of ideas is greater.” 

However it was the third finding that I thought could positively impact the compliance profession, the role of the Idea Scout and the Idea Connector. An idea scout is an employee who looks outside the organization to bring in new ideas. An idea connector, meanwhile, is someone who can assimilate the external ideas and find opportunities within the organization to implement these new concepts.” For the compliance practitioner, the ability to “identify, assimilate and exploit new [compliance] ideas” is the key takeaway. However to improve your compliance innovation, “you need to maintain a diverse network while also developing your assimilation and exploitation skills.” 

For the compliance practitioner, Twitter can be “described as a ‘gateway to solution options’ and a way to obtain different perspectives and to challenge one’s current thinking.” Interestingly the authors found that “It’s not the number of people you follow on Twitter that matters; it’s the diversity within your Twitter network.” The authors go on to state, “Diversity of employee’s Twitter network is conductive to innovation.” Typically an Idea Scout will “identify external ideas from experts and resources on Twitter.” Clearly the compliance practitioner can take advantage of experts with the anti-corruption compliance field but there is perhaps an equally rich source of innovation from those outside this arena. 

An interesting approach was what the authors called the “breadcrumb” approach to finding innovation leaders and thought-provokers. It entailed a “period of “listening” to colleagues and industry leaders who are on the platform - including what they are tweeting about, who they are following and replying to on the platform, who is being retweeted often”. So with most good leadership techniques the first key is to listen. 

Equally important to this Idea Scout is the Idea Connector, who is putting the disparate strands from Twitter’s 140 character tweets together. For the compliance function, this will be someone who identifies compliance best practices or other information from Twitter ideas, can then put them together and direct the information to the relevant company stakeholders. Finally, such a person can “Curate Twitter ideas and matches them with company resources needed to implement them.” 

Here the authors listed a variety of ways an Idea Connector can use Twitter. One user said, “I try to sift through all the Twitter content from my network and look for trends and relationships between topics. I put my analysis and interpretation on it. I feel that’s where my value-add is.” Another method is to focus on analytics and one user “filtered specific subsets of the topic for different stakeholders” at his company. Another method was to create “social dashboards or company blogs based on the insight” received thought Twitter. Interesting, one of the key requirements for successfully mining Twitter was in finding ways to share its content “since many employees, especially baby-boomers don’t use the platform themselves.” Conversely by mining information from Twitter and presenting it, this can allow these ‘technologically challenged’ older employees to ascertain how they can target millennial’s. 

But as much as these concepts can move a CCO or compliance practitioner to innovation in a compliance program, it can also foster additional information through the following of your own employees. It is well known that Twitter can facilitate greater communication to and between the compliance function and its customer base, aka the company employees. However the authors also point to the use of Twitter to enable this same type of innovation because it “is different than email and other forms of information sources in that it enables continuous engagement”. 

Twitter was created to allow people to connect with one and other and communicate about their activities. However the marketing potential was immediately seen and used by many companies. Now a deeper understanding of its use and benefits has developed. For the compliance practitioner one thing you want to consider is to align your Twitter and great social media strategy with your compliance strategy; match your Twitter strategy to your compliance strategy. 

Twitter can be powerful tool for the compliance practitioner, as it allows you to both listen and communicate. It is one of the only tools that can work both inbound for you to obtain information and insight and in an outbound manner as well; where you are able to communicate with your compliance customer base, your employees. You should work to incorporate one or more of the techniques listed herein to help you burn compliance into the DNA fabric of your organization through continuous improvement. 

Three Key Takeaways

  1. Social media is a two-way approach to communications.
  2. Twitter or a similar tool can facilitate your compliance program improvement.
  3. Study and embrace technology to move your compliance program forward.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 24, 2017

The FCPA Guidance specifies that “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its custom­ers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” 

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs. 

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. 

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue. 

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. Many compliance practitioners understand you should be checking in routinely with local Finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance. 

Yet ongoing monitoring is not limited to the financial component of compliance. Another approach to review emails as both a preventative and detection program through the technique of email sweeps. The concept is straightforward; at regular intervals you can sweep through your company email database for identified key words that can be flagged for further investigation, if required. The beauty of this approach is that does not require an extensive eDiscovery software tool or license purchase. It can be accomplished generally in two days or less. Also it is not limited to anti-corruption compliance but any of the risk factors identified for your company. 

The objective of this approach is to ‘find the smoke’ which may be the evidence of a compliance breakdown (and related fire) by sweeping through emails is to uncover those that may contain real issues. From this starting point, you can assess and prioritize, by checking and verifying that there are issues worth investigating. From here you can identify the issues you want to investigate first. Further, and if warranted, you can invoke your investigation protocol, with all the requisite protections and securities.

In addition to the cost effectiveness of this approach, in that you are only paying for the services when you need them and as they are delivered, this approach satisfies the Tom Fox mantra of Document, Document, and Document because everything you have done can be verified and audited. Finally, as the regulators continue to evolve in their understandings and appreciation of a best practices compliance program, you will evolve your compliance program to a new level of detection that could well allow you to have a more robust prevent mode. When your compliance program has a strong prevent prong, it can be the most effective to stave off anything issues from becoming Foreign Corrupt Practices Act (FCPA) violations.

Continuous improvement through continuous monitoring will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is a continuously evolving organism, just as your company is continually improving its business processes. The FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improve­ment and sustainability.” 

Three Key Takeaways

  1. Ongoing monitoring is not limited to financial monitoring, a holistic approach would look at other indicia of corruption.
  2. Where there is smoke, there is most usually fire.
  3. Continuous improvement can be achieved in a variety of efficient, cost effective ways.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Aug 24, 2017

In this episode, I visit with Joe Oringel, co-founder of Visual Risk IQ, a data analytics and visualization company. They have developed a manner not only extract data but present it in a way that is very interesting very useful and very informative for a very variety of stakeholders, including Boards of Directors. He's made presentations to boards. Joe is formally trained in internal audit and he has worked with and in a wide variety of corporate positions which have allowed him to gain some very good insight into what types of information a Board of Director’s needs. We discuss the types of information that can lend itself to visualization what a Board of Directors would want, what the Board of Directors should ask for and finally what a Board of Directors would want in a dashboard of information so that it can facilitate an unstructured dialog by the Board and reporting executive.

Check out more about Joe Oringel and Visual Risk IQ by clicking here.

1 « Previous 4 5 6 7 8 9 10 Next » 20