Podcasts about chief compliance officer cco

  • 15 podcasts
  • 67 episodes
  • 17m average duration
  • Infrequent episodes
  • Latest episode: Feb 6, 2025

Latest podcast episodes about chief compliance officer cco

Life with GDPR
Navigating CCO and CISO Liability Trends

Feb 6, 2025 (24:25)


Tom Fox and Jonathan Armstrong, renowned experts in cyber security, co-host the award-winning Life with GDPR. This episode discusses the complex topic of liability for the Chief Compliance Officer (CCO) and Chief Information Security Officer (CISO). Tom and Jonathan begin by examining notable cases like Joe Sullivan, the former CISO at Uber, who faced prosecution for mishandling a ransomware threat. They also cover other significant cases like Carlos Abarca from TSB Bank and Tim Brown from SolarWinds, highlighting the increasing trend towards personal liability among high-ranking compliance and security officers. Jonathan points out that prosecutors and legislators focus more on individual accountability, driven by the belief that this approach will encourage others to adhere to standards more rigorously. They explore the implications of misleading LinkedIn profiles and the importance of thorough due diligence when taking on new roles. The episode provides practical advice for C-suite executives to protect themselves, including negotiating indemnity clauses and ensuring accurate job descriptions.

Key takeaways:
  • Chief Compliance Officer Liability Overview
  • Case Studies: Joe Sullivan and Uber, Carlos Abarca and TSB Bank, and Tim Brown and SolarWinds
  • Legislation and Trends in Personal Liability
  • SEC Formula for CCO Liability

Resources:
  • Connect with Tom Fox: LinkedIn
  • Connect with Jonathan Armstrong: Twitter, LinkedIn, PunterSouthall

Life with GDPR was recently honored as a Top Data Security Podcast.

We Talk Careers
Compliance

Mar 5, 2024 (31:25)


Compliance professionals play a vital role in maintaining the integrity and transparency of the ETF industry. Now, that may sound a bit dry, but I assure you, throughout my career, compliance departments have been filled with some of the most dynamic and interesting professionals at the firm. Today, we are joined by Amy Shelton and Melanie Zimdars.

Amy Shelton is Senior Vice President and Chief Compliance Officer (CCO) for the American Century Funds, Advisor, Broker-Dealer and global operations. Amy is a member of key oversight committees including the Investment Oversight Committee and the Products & Markets Committee. Amy joined American Century Investments in 1994 and has served as CCO since 2014. In her free time, Amy enjoys cooking and hosting paella parties with her husband.

Melanie Zimdars is Chief Compliance Officer (CCO) of Invesco Capital Management LLC. Prior to joining Invesco, Melanie served as Vice President and deputy Chief Compliance Officer at ALPS Holding, Inc. from 2009 to 2017. Melanie enjoys spending time outdoors with her husband and son, hiking and snowshoeing.

Kristine Delano guides the conversation about fostering team relationships and building strong communication skills in the fast-paced world of ETF Compliance.

Follow on Instagram kristine.delano.writer

Visit www.womeninetfs.com to find additional support in the ETF industry.

Go to www.kristinedelano.com for your Thrive Guide: a compilation of the most requested and insightful advice from our guests on Leadership and Advancement.

In partnership with https://www.etfcentral.com/

Book recommendations:
  • Never Finished by David Goggins
  • Trust by Hernan Diaz

Innovation in Compliance with Tom Fox
Oshri Cohen on the Role of a CTO in Compliance

Aug 29, 2023 (25:04)


The role of a Chief Technology Officer (CTO) in compliance and data governance is explored in this podcast episode between Tom Fox and Oshri Cohen. They discuss the varying responsibilities of a CTO based on company size, with larger organizations focusing on strategic planning while smaller organizations have the CTO as the head engineer. The importance of the CTO in managing risks, particularly in industries like healthcare and finance, is emphasized, along with the role of the board in providing oversight. The conversation also delves into the significance of data strategy, compliance, and data governance, emphasizing the need for collaboration between the CTO and the Chief Compliance Officer (CCO). Technical due diligence and the establishment of a data commission within organizations are suggested as strategies for effective data governance. Overall, the conversation highlights the crucial role of the CTO in ensuring compliance and protecting sensitive information.

  • The Role of a CTO in Compliance
  • Data Strategy and Compliance
  • Data Governance Challenges
  • Data Governance and Startups
  • Risks in System Audits

Resources:
  • Oshri Cohen on LinkedIn
  • Tom Fox: Instagram, Facebook, YouTube, Twitter, LinkedIn

All Things Investigations
Kevin Abikoff and Laura Perkins on the FCPA & Anti-Bribery Fall 2022 Alert

Dec 12, 2022 (27:17)


Welcome to the Hughes Hubbard Anti-Corruption and Internal Investigations Practice Group's Podcast, All Things Investigations. In this podcast, host Tom Fox and guests Laura Perkins and Kevin Abikoff of the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group highlight some of the key legal issues in white-collar investigations, locally and internationally.

Laura Perkins is a Hughes Hubbard partner whose practice focuses on representing clients in Foreign Corrupt Practices Act and white-collar criminal investigations. She also advises clients on issues related to the FCPA, the federal securities laws, the False Claims Act, and other federal statutes.

Kevin Abikoff is partner, deputy chair at Hughes Hubbard, and Chairman of the firm's Anti-Corruption & Internal Investigations Practice Group. He specializes in securities and white-collar criminal litigation, enforcement, regulation, and counseling, emphasizing the representation of entities in anti-corruption (including FCPA) matters.

Key ideas we discuss in this podcast:
  • The DOJ's recent discussions about requiring Chief Compliance Officer (CCO) certifications.
  • The Monaco Memo is a guidance document from the DOJ that sets expectations for prosecutors when investigating and prosecuting companies.
  • How the Monaco Memo is taking a different approach to monitoring.
  • The Monaco Memo gives companies flexibility in how they approach compliance, demonstrating they take it seriously.
  • The DOJ can now successfully prosecute internal controls in a criminal context.
  • Assessing the past year in FCPA.

Resources:
  • Hughes Hubbard & Reed website
  • FCPA & Bribery 2022 Fall Alert
  • Laura Perkins on LinkedIn
  • Kevin Abikoff on LinkedIn

Compliance into the Weeds
ABB FCPA Resolution

Dec 7, 2022 (26:27)


The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject. In this episode, we consider the ABB Foreign Corrupt Practices Act resolution. We deep dive into the case and ask three key questions: (1) How did ABB obtain such a superior resolution? (2) As a three-time FCPA violator, how did the company avoid a monitor? (3) Why was there no requirement for Chief Compliance Officer (CCO) certification?

Some of the highlights included:
  • The background facts.
  • The corrupt suppliers ABB used to facilitate their bribery and corruption.
  • The convoluted self-disclosure in this matter. (Should they have used Twitter with the notation #committedbribery?)
  • What constituted extraordinary cooperation during the pendency of the investigation?
  • What are the implications of real-time sharing during an investigation?
  • What were the steps which demonstrated the exceptional remediation?
  • A root cause analysis is a basic Hallmark of an effective compliance program. Why was it separately called out?
  • Did the DOJ change its policy from mandatory CCO certification to discretionary?

Resources:
  • Tom has a five-part series in the FCPA Compliance and Ethics Blog
  • Matt Kelly in Radical Compliance

Transition To RIA Podcast
Q58 - What Is An Outsourced Chief Compliance Officer?

Feb 22, 2022 (30:27)


Every Registered Investment Advisor is required to have a named Chief Compliance Officer (CCO). Whether you are thinking of starting your own RIA, or already have one and would prefer to outsource more of the compliance responsibilities, an outsourced CCO solution is worth considering.

In the latest episode of my RIA Question & Answer series I am joined by Jeff Chapman of Dinsmore Compliance Services where we discuss, among other things:
  • What compliance responsibilities do RIAs have in general?
  • How do most RIAs fulfill those responsibilities?
  • What is an outsourced CCO solution?
  • What size RIA does an outsourced solution make sense for, and what does it cost?

Come take a listen!

Show notes: https://transitiontoria.com/what-is-an-outsourced-chief-compliance-officer

About Host: Brad Wales is the founder of Transition To RIA, where he helps financial advisors to learn and understand everything there is to know about WHY and HOW to transition their practice to the Registered Investment Advisor (RIA) model. Brad has nearly 20 years of industry experience, including direct RIA related roles in Compliance, Finance and Business Development. He has an MBA and has held the 4, 7, 24, 63 & 65 licenses. On his website (TransitionToRIA.com) he has a large catalog of free videos, whitepapers, as well as other resources to help advisors fully understand the RIA model and how it would apply to their unique circumstances.

Innovation in Compliance with Tom Fox
Smart Automation for Risk Management: Part 5, Integrations and User Experience

Apr 16, 2021 (11:59)


Welcome to a multi-part podcast series, Smart Automation for Risk Management, sponsored by Lextegrity Inc. Over this series, we have visited with Parth Chanda, Founder and Chief Executive Officer (CEO), Andy Miller, Chief Analytics Officer, and Kara Bonitatibus, Head of Product. We have looked at the Lextegrity Product Suite, taken a deep dive into continuous risk monitoring, considered pre-approvals and third-party due diligence and integrations and user experience. In a special bonus episode, Chanda and I will discuss the Integrity and Analytics Collective. In Episode 5, I visit with Bonitatibus on integrations and the user experience.  We began with data integration, which is one of the biggest challenges facing every Chief Compliance Officer (CCO), compliance professional and indeed corporate compliance function. Bonitatibus said the starting point is to create software solutions that are intuitive, data-driven and integrated. Lextegrity has created various integrations in the pre-approval application, core integrations include HR systems, which are used to support approval logic. It also includes routing requests to an immediate manager through workflow. Next there is a prebuilt integration with a database check of sanctions, state owned entity and adverse media information. There can also be embedded and automated screening directly into any of the workflows. This can provide through put our third-party due diligence application process and compliance approver procedure. She ended by noting, “we have a pretty tool set that we can offer our customers with respect to integrations.” We ended by looking down the road for Lextegrity. Bonitatibus is very excited about some of Lextegrity’s future vision and priorities. The company is very focused on continuing to prioritize integrations across the entire product suite to really continue to evolve the end-to-end solution and continue to break down those silos of managing spend risk and risks in general. 
The company will also continue to expand the analytics embedded in the workflow technology. Finally, and hopefully to the delight of Lextegrity customers, they want to have more and more powerful reporting and analytics and visualizations across all of the products. Great visualizations are as much of an art as they are a science. Yet Bonitatibus sees them as a very powerful tool. Lextegrity wants compliance professionals to “think of our products as a roadmap, where everything is modular.” This allows building out an entire end-to-end solution in a manner where you can start on the journey and expand out “wherever it’s most helpful and beneficial to you. We would love to work with companies to take their compliance programs to the next level.” Join us for our concluding special bonus episode, where Lextegrity Founder and Chief Executive Officer (CEO), Parth Chanda visits with me on the company’s Integrity Analytic Collective. For more on Lextegrity, check out their website here.

The Securities Compliance Podcast: Compliance In Context
S1:E10 | Thoughts on CCO Liability from Commissioner Peirce | Compliance In Context

Jan 19, 2021 (37:26)


Welcome back to The Securities Compliance Podcast. In today’s special episode, we welcome in SEC Commissioner Hester M. Peirce for an in-depth conversation focusing on the controversial topic of Chief Compliance Officer (CCO) liability. In addition, we discuss the role of outsourced CCOs, the new Marketing Rule, and broker-dealer custody of digital asset securities and cryptocurrencies. She also spoke about the new presidential administration, which will bring in a new SEC Chair and Head of Enforcement, and whether she anticipates a slowdown in dialogue that’s taken place between the regulators and the industry.

Interview:
  • Discussing the motivation to help move the conversation on CCO liability forward
  • Biggest takeaway from the NSCP CCO Liability survey
  • Concerns over whether personal liability will be imposed in cases of simple negligence
  • Thoughts on outsourced Chief Compliance Officers
  • Discussing the impact of a new Administration, SEC Chair, and Head of Enforcement
  • Thoughts on the new SEC Marketing Rule including key takeaways
  • Review the SEC request allowing limited purpose BDs to custody “digital asset securities”
  • Focus areas for Commissioner Peirce in 2021
  • Career advice for new compliance professionals

Quotes: “And I think the compliance people at a firm play a really important role in being a bridge and saying to the operational people at the firm, the people who are providing the advice, or doing the day-

31 Days to a More Effective Compliance Program
Day 2 | Continuous Monitoring and Continuous Improvement

Jan 2, 2021 (7:02)


I want to next focus specifically on the tactical steps of moving towards both continuous monitoring and continuous improvement of your compliance program. These twin concepts are perhaps the biggest modifications in the 2020 Update. The changes began in Section 1 - Risk Assessments. The question-by-question analysis begins with “Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions?” Do you have access to continuous and real time transactional data at your organization? How about across silos within your organization? Most likely the answer to both is “no”. This means you no longer have a best practices compliance program at this point in time. How can you garner such information?

While there is only one question in the Lessons Learned section, it is a compound question. It not only inquires about data you may have obtained through your own work but also from other companies in your industry operating in the same geo-region. Without commenting on the potential anti-trust aspects of this issue, if there is public source information available to you (and there always is), how are you using this information in your compliance regime? But this can be simply having your fully operationalized employee base keeping their eyes and ears open at trade shows or any other gatherings of industry employees. The next area for continuous monitoring and continuous improvement was in an area of compliance which is not normally associated with those concepts, Policies and Procedures. The final area in the 2020 Update for consideration is appropriately called Continuous Improvement, Periodic Testing and Review and is found in the subsection monikered Evolving Updates. It reads: How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?

Similar to the language under Risk Assessment, this compound question considers the adaptation of a compliance program from your own lessons learned but also from other companies. The distinction now is that the phrase is “other companies facing similar risks”. Think about how this language would apply to any company operating in China, West Africa or any other high-risk region in the globe. I would interpret this to mean every Chief Compliance Officer (CCO) and compliance practitioner needs to stay abreast of international anti-corruption enforcement actions where your company may be doing business.

Three key takeaways:
  • What is your process for continuous monitoring?
  • What is your process for continuous improvement?
  • What sources of information do you use that are outside your organization?

31 Days to a More Effective Compliance Program
Day 1 | What 2020 Brought To Compliance Programs

Jan 1, 2021 (8:48)


2020 was a very significant year for every compliance practitioner and compliance program. Not only was it the year with the single highest anti-bribery fine ever and highest annual amount of FCPA penalties, but there were also several significant enforcement actions involving corporations, coupled with a large number of individual prosecutions. Yet, perhaps most significantly, there were two noteworthy releases of information by the federal government which directly impacted compliance professionals. In June, the Department of Justice (DOJ) released its 2020 Update to the Evaluation of Corporate Compliance Programs - Guidance Document (2020 Evaluation). It should be mandatory reading for every Chief Compliance Officer (CCO), compliance practitioner and professional or any other person interested in the latest thinking of the DOJ on what constitutes a best practices compliance program. The second release was the updated A RESOURCE GUIDE TO THE U.S. FOREIGN CORRUPT PRACTICES ACT SECOND EDITION (2020 FCPA Resource Guide), released by the DOJ and Securities and Exchange Commission (SEC). This was a most welcomed update to the seminal and original FCPA Resource Guide, released in 2012 and widely recognized as the single best volume on the FCPA. Some of the key changes for the compliance professional include the following.

The first change to note is the expanded definition to the questions “Is it [a corporate compliance program] being applied in good faith” with the addition of the queries, “In other words, is the program adequately resourced and empowered to function effectively?” This language comes from the 2020 Update. This change clearly reflects the need for a company to do far more than have a paper compliance program in place which presaged many of the changes brought forward in the 2020 Update. However, the biggest change is the addition of a new Hallmark, entitled “Investigation, Analysis, and Remediation of Misconduct.” There are many interesting aspects to this new Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.”

The 2020 Resource Guide is a most welcomed document from the DOJ and SEC. It brings forward the top FCPA and compliance resource from the past decade into this decade. The 2020 Update continues the DOJ communication to the compliance community about its expectations for a best practices compliance program.

Three Key Takeaways:
  • The 2020 Update brings business intelligence to compliance.
  • The key theme is continuous monitoring and continuous improvement.
  • The 2020 FCPA Resource Guide emphasized the importance of root cause analysis.

The Career Show
Jenny Chow: Compliance Podcast | Drafting the 2003 Hong Kong Security Law | A Career in Compliance

Dec 22, 2020 (31:41)


#Compliance is the career up for discussion on today's podcast! Tune in to discuss the journey of the #UnitedNation's Chief Compliance Officer and Chief Executive Officer at RegFlags. Learn about her experience in drafting the Hong Kong Security Law. Hear her talk about the difference between Compliance and Internal Audit! She talks about pursuing a career in compliance and discusses the importance of compliance in the 21st Century! Discover the Journey of a Chief Compliance Officer (CCO) and find your passion and learn about a career in compliance by listening to the best Compliance Podcast on YouTube!

Jenny Chow has viewed compliance as her life's work, undertaking senior roles in the field at major companies and angel investment firms, including Shanghai Pudong Development Bank, Industrial and Commercial Bank of China and China Renaissance. A lawyer by profession, she is currently the Chief Executive Officer at RegFlags & Innotech Strategies in Hong Kong. She is also the chief compliance officer at the United Nations Development Program.

JENNY's LINKEDIN: https://www.linkedin.com/in/jenny-chow-89041a11/

Super excited to introduce our newest podcast section: GOT CAREER QUESTIONS in partnership with SIZIGI, which will give students an opportunity to get their questions answered by experts! Sizigi is a professional branding platform that allows users to build custom job presentations with their immersive ePortfolio content. Sizigi: The Resume of the New Generation, create your FREE ACCOUNT at https://www.joinsizigi.com/. Follow us and learn more: https://linktr.ee/Sizigi

  • Introduction: (0:00)
  • Why is Compliance Important? (2:16)
  • Drafting the 2003 Hong Kong Security Law: (4:21)
  • New age of Compliance?: (7:57)
  • Keeping up with new compliance laws: (11:05)
  • Working at Investment Banks, such as ICBC, SPDB: (13:01)
  • Working at United Nations Development Programme (UNDP): (15:01)
  • Working as the CEO for RegFlags & Innotech Strategies: (17:03)
  • Role of Technology in today's world: (22:52)
  • Skills required to become a good compliance officer: (26:45)
  • Important advice to note!: (28:52)
  • Conclusion: (31:05)

INSTAGRAM: @the_careershow https://www.instagram.com/the_careershow/
LINKEDIN: @The Career Show https://www.linkedin.com/company/thecareershow

Send in a voice message: https://anchor.fm/thecareershow/message

31 Days to a More Effective Compliance Program
Creating an Inventory of Metrics

Nov 19, 2020 (7:38)


The 2020 Update not only continued to emphasize the importance of monitoring and testing the effectiveness of a compliance program, but it spoke more about a Chief Compliance Officer (CCO) and compliance function utilizing data to engage in both continuous monitoring and continuous improvement. The DOJ for some time now has stressed the importance of leveraging data in order to have objective evidence around whether or not a compliance program is working effectively. Yet, as many CCOs are legally trained they are unsure about what some of the specific areas to be considered are in establishing quantifiable metrics to monitor for effectiveness. A methodical review of the 2020 Update to identify the different areas where a company could potentially establish and quantify metrics to assess effectiveness is the place to start. Many companies have what Edwards called “metrics on the basics” and noted they “have in place processes whereby their employees review the Code of Conduct and confirm they are in compliance with it either when they first onboard with the company and then periodically on an annual basis, companies are doing just fine at reporting.” But it is now the barest minimum of what compliance professionals must do. For instance, they could consider the lifecycles of Quote To Cash (QTC) or Procure To Pay (P2P). The key is to start with a documented process which can be audited and build out from there. Three key takeaways: Create an inventory of compliance metrics. Create your metrics based upon the 2020 Update. Use these metrics for continuous monitoring and improvement.

The Securities Compliance Podcast: Compliance In Context
S1:E5 | Origins of the SEC's Asset Management Unit | Compliance In Context

Nov 10, 2020 (43:40)


Welcome back to The Securities Compliance Podcast. In this episode, we cover the controversial issue of Chief Compliance Officer (CCO) liability and address recent remarks and recommendations from SEC’s Commissioner Hester M. Peirce to clarify CCO responsibilities. The interview segment features Rob Kaplan and Bruce Karpati discussing the origin story of SEC’s Asset Management Unit. Finally, we continue the History Has Your Back series by taking a deep look into a letter from Julius Caesar to Cicero during the Roman Civil War to shine a light on opportunities for personal and professional growth. Based on listener feedback, regular episodes of The Securities Compliance Podcast will drop every two weeks and may occasionally offer extended interviews with bonus content. In addition, the podcast will expand its offerings to include a master class miniseries for members of the National Society of Compliance Professionals (NSCP), and the future launch of the Lessons From the Frontline series.

Headlines: When the Nail Fails–Remarks before the National Society of Compliance Professionals analyzing CCO liability

Interview: Origin Story: Asset Management Unit’s evolution and impact SEC: Building the expertise in specialized areas, including five experts and fundamental areas of investment management Process initiatives and improvements Seeds of Collaboration: Leverage expertise across different SEC divisions Conflicts of Interest represented the foundation for issues review by the AMU NSCP Private Fund Forum Horizon issues for private funds: supervisory responsibilities and valuation issues

History Has Your Back: Ancient Rome is split between two separate factions. In a letter to Cicero, Julius Caesar employs a strategy of mercy and empathy as a sign of true strength. Compliance professionals can show real strength and gain credibility inside their firms through understanding and empathy.

Resources: Compliance in Context

FCPA Compliance Report
Carrie Penman on Beyond the Moment

Oct 16, 2020 (21:41)


In this podcast, I am joined by Carrie Penman, Chief Risk and Compliance Officer at NAVEX Global, Inc. We visit about their upcoming 2020 virtual conference, NAVEX Next, which is entitled Beyond the Moment. The theme, Beyond the Moment, defines the 2020 agenda and supports sessions that will help you and your organization move past a defensive stance on current events and trends. The goal is to help everyone be proactive and more holistic in their approach to risk and compliance management. If there is one key message that I have garnered in talking to compliance and other professionals about Coronavirus is that the future demands we be prepared, no matter what comes next. What are some of the key themes for this conference? Obviously the Covid-19 lockdowns, work from home and remote working environments have changed a large number of risk factors that every Chief Compliance Officer (CCO) needs to consider from a risk perspective and address from a variety of angles; such as data privacy/protection, communications and training and ongoing engagement. Last year, NAVEX’s virtual conference had over 9,000 registrants. Best of all is the cost of the conference, it's FREE. That is right, all of the above is available at no charge. NAVEX Global has submitted the conference to the Compliance Certification Board (CCB)® and is pending their review for approval of CCB CEUs. It will be held Thursday, October 22, from 10 AM to 4 PM Central Time. I hope that you will plan to join me for this great event. Registration, agenda and other information are available here.

31 Days to a More Effective Compliance Program
Board Governance and Risk Oversight

Aug 13, 2020 (12:08)


One of the ongoing questions from members of Board of Directors is how to resolve the tension between oversight and managing. I recently had the opportunity to visit with Joe Howell, the Executive Vice President (EVP) of Workiva, Inc. on this subject. Howell has worked on and with Boards of Directors at various companies and I wanted to garner his understanding of the role of a Board and both senior management and a Chief Compliance Officer (CCO). Howell had a short response which I thought was an excellent starting point to understand the role; put sand in the shoes of management. The key to such a metaphor succeeding is that a Board of Directors, “by continuing to challenge management on these scenarios that management has considered and the stories management is telling itself about what could go wrong”, can “help get management out of its comfort zone by and large executive teams begin to believe themselves when they talk about how well they’re doing. The independent challenge that the board can offer putting the little bit of sand in the shoe to make sure that you’re thinking about things carefully can cause you to step back and really focus your resources where they're needed.” Howell noted the role of the Board is not management but oversight, focusing on governance. To do so, an effective Board should challenge senior management not only on what they have planned for but what they may not have considered or may not even know about. He said, “one very good example is the whole, the reputation of those stakeholders involved in the company and that can be the management team itself, the employees, and the board members themselves.” This is because reputational damage hurts everyone. Howell went on to state, “it’s very important as we go through some of the ways the board can help management in that role. I think the things that really make a difference to management is when the board is able to be an effective devil’s advocate. 
Not managing management but helping them in their governing role by helping management to step back and think critically of their own underlying assumptions and biases.” A Board is not simply there to be a rubber stamp for senior management. It must exercise independent judgment, action and oversight. Further, it is the Board’s role to ask hard, difficult and probing questions to make sure management is not only doing its job but has considered other risk possibilities. Three Key Takeaways Boards should force management to open up the company to itself. Boards should be a grain of sand in the shoe of management. Boards should make sure senior management is aware of and planning for both known and unknown risks.

31 Days to a More Effective Compliance Program
Moving Data Science the Last Mile

Mar 25, 2020 8:04


This is still a tricky area for most legally trained compliance professionals as law schools are far behind the business world in teaching these skills. Yet, not only data analysis but also the presentation of data in a visual format will be a key skill for every Chief Compliance Officer (CCO) and compliance practitioner going forward. However, if you do not possess those skills yourself, you can create a kitchen cabinet of experts, from the talent available across your company, which you can call upon to help you going forward. For the CCO, this will require extensive out of the box thinking to help you not only understand the data and analytics but think through how to present it in the most efficient manner to your leadership. Three key takeaways: Look for talented and curious employees to be a part of your data science team. Encourage cross-mentoring to facilitate skills learning and transference. Moving the final mile is the most challenging.

31 Days to a More Effective Compliance Program
Strategies For and With AI in Compliance

Mar 6, 2020 8:04


Today, I want to consider the article Strategy For and With AI by David Kiron and Michael Schrage. The authors’ premise is, “A company’s strategy is defined by its key performance indicators. Artificial intelligence can help determine which outcomes to measure, how to measure them, and how to prioritize them.” Their article had several insights for the Chief Compliance Officer (CCO) or compliance practitioner who is looking to employ artificial intelligence (AI) to help move their compliance program up a level. One of the first key insights is that it is not enough to simply have a strategy for AI. The authors stated, “Creating strategy with AI matters as much — or even more — in terms of exploring and exploiting strategic opportunity. This distinction is not semantic gamesmanship; it’s at the core of how algorithmic innovation truly works in organizations. Real-world success requires making these strategies both complementary and interdependent. Strategies for novel capabilities demand different managerial skills and emphases than strategies with them.” This makes clear that AI does not supplant the compliance function or the compliance professional; AI complements what the compliance professional can do with the information available to them. Yet the authors believe that when it comes to machine learning, an appropriate compliance strategy is defined by the key performance indicators (KPIs) leaders choose to optimize. This means that a CCO who cannot clearly identify and justify their strategic KPI portfolios has no strategy. The bottom line? AI plays a critical role in determining what and how compliance KPIs are measured and how best to optimize them. Optimizing carefully selected compliance KPIs becomes AI’s strategic purpose in the compliance function. Understanding the value of optimization is key to aligning and integrating strategies for and with AI and machine learning. KPIs create accountability for optimizing strategic aspirations, including compliance.
Three key takeaways: Use KPIs to define and measure your innovation strategy. AI should only supplement, not supplant a compliance professional. What are your compliance KPIs? For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

31 Days to a More Effective Compliance Program
Skills for Innovating in Compliance

Mar 4, 2020 8:05


Innovation in compliance is one of my passions for every Chief Compliance Officer (CCO) and compliance practitioner. So much so that I dedicate an entire podcast series to the topic, aptly named Innovation in Compliance. I was therefore intrigued with a recent Harvard Business Review (HBR) article, entitled What Kind of Chief Innovation Officer Does Your Company Need?, by Darko Lovric and Greig Schneider. They developed six character types for innovators, which I have adapted for the different skill sets a CCO might need to create innovation in compliance.
• Research skills - Research skills allow folks to come up with new ideas and garner insights from large amounts of data.
• Engineering skills - Engineering skills are used to build something that works, as in now.
• Investor skills - Investors see innovation as the means to an end, and that end is growth.
• Advocacy skills - Advocacy skills help to deliver something new for the end user.
• Motivational skills - Motivational skills in innovation but the authors found they work to unleash the employees’ imaginations.
• Organizational skills - Organizational skills are the true process focused skill set, focusing on extents like key performance indicators (KPIs), metrics, and stage gates.
While you may not find one person with all of those skills, by identifying them a CCO might be able to bring a range of skills to an innovation project. Further, by tempering some of the more extreme aspects of each skill set by partnering it with a countervailing skill set, a CCO can bring a much more robust response to innovating. Also remember that innovation in compliance does not necessarily require a high cost of entry. You can innovate by looking to process improvement and moving outwards. Three key takeaways: Do you have an innovation expert in your compliance team? What skills do compliance professionals have that lend themselves to innovation? Think about broadening out your compliance reach through innovation.
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

FCPA Compliance Report
Why Culture Matters-Episode 3, the Role of the CCO in Culture

Oct 13, 2019 11:11


Welcome to this special five-part podcast series with Jay Rosen, VP of Business Development for Affiliated Monitors, Inc. (AMI), who is the sponsor of this podcast series. Corporate culture exists in the space between what an organization professes and what it does, yet who bears the responsibility for establishing and maintaining an ethical culture? In this series Jay and I will be exploring key aspects of corporate culture, including why it matters, what influences culture, the CCO’s role in culture, assessing corporate culture and how to use that information to improve culture. In this Part III, we consider to what extent the Chief Compliance Officer (CCO) should be involved in shaping a culture of ethics and driving ethical behavior. Highlights include:
• Who bears the responsibility for culture?
• The duty most often falls to the CCO, so both the CCO and the entire compliance function need to be able to coordinate the various inputs and support mechanisms that guide employee behavior.
• The CCO is often the face of the ethics program for the company – kind of the spokesperson for the company who helps to drive behavior.
• In hiring and recruiting, a CCO can create a culture where an organization would only hire the right type of people as employees.
• When managing upward, the CCO has an equally critical mandate through unfettered access to provide information to the Board regarding the compliance and ethics posture at the company, specifically including the culture.
• What are the warning signs of an unethical culture?
• It is up to the CCO to understand and have their finger on what the culture is, where the challenges are and what needs to be done to continually strengthen the culture.
Please join us for Episode 4, where we explore how a company can begin to assess its own culture.
For more information see Jay’s blog post What is the CCO’s Role in Strengthening the Organization’s Culture of Ethics? on Corporate Compliance Insights. For more information on Affiliated Monitors, Inc. check out their website here.

Compliance Perspectives
Lea Fourkiller on Moving into Compliance Leadership [Podcast]

Sep 18, 2019 15:01


By Adam Turteltaub adam.turteltaub@corporatecompliance.org

Being promoted from the compliance staff to the Chief Compliance Officer (CCO) can be a great moment. But, it’s the start of a new era professionally, one that requires a new set of skills to be successful in the long run. It’s a topic that Lea Fourkiller, Managing Director at Ankura Consulting, knows well, having risen in compliance to serve as a CCO, and working as a consultant to the compliance community. In this podcast, she shares her expertise in how to not just have the leadership title, but also succeed as a leader. Listen in for her insight into:
• The importance of understanding the scope of the new role, and avoiding being pulled back into doing your old job
• Earning the trust and respect of senior leaders
• Demonstrating your leadership skills, especially integrity
• The need to listen, stay current on laws and regulations and what is going on in the business
• Thinking strategically and becoming a problem solver
• Collaboration with business leaders
• Developing your team
It’s helpful information whether you are newly promoted to CCO or hope to be one day.

Adventures in Compliance
The Three Garridebs and Objective Discipline

Aug 19, 2019 9:20


We are back with another five episodes of Adventures in Compliance to consider the next five stories from The Casebook of Sherlock Holmes, mining each story for themes and lessons related to the compliance professional, leadership and business ethics. In today’s offering, I consider The Three Garridebs. From this story comes the need for objective discipline in a variety of areas in any best practices compliance program.

Compliance Takeaways: That objectivity in discipline is called the Fair Process Doctrine. As you incorporate the Fair Process Doctrine in your compliance program, there are three key areas to focus on.
• Administration of discipline. Discipline must not only be administered fairly but it must be administered uniformly across the company for the violation of any compliance policy.
• Employee promotions. If your company is seen to advance and only reward employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates and rewards employees on.
• Internal investigations. Simply put, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial.

An often-overlooked role of any Chief Compliance Officer (CCO) or compliance professional is to help provide employees with procedural fairness. If your compliance function is seen to be fair in the way it treats employees, in areas as varied as financial incentives, to promotions, to uniform discipline meted out across the globe, employees are more likely to inform the compliance department when something goes awry. If employees believe they will be treated fairly, it will go a long way to more fully operationalizing your compliance program. Join us tomorrow as we consider The Problem of Thor Bridge.

FCPA Compliance Report
Shakespeare on Compliance - Engaging Your Audience

Apr 8, 2019 9:19


In this episode, I want to discuss the opening scene where Lear bids his daughters express the breadth and scope of their love for him. Lear has called a conference to divide his kingdom between his three daughters, Goneril, Regan and Cordelia, his youngest, who is clearly his favorite. Goneril professes her love is more than words alone can convey, saying “A love that makes . . . speech unable / Beyond all manner of so much I love you”. Regan professes, “Myself an enemy to all other joys, Which the most precious square of sense possesses, And find I am alone felicitate in your dear Highness’ love.” However, Cordelia refuses to play the flattering fool. Her father twice gives her the opportunity to redress this decision but she holds firm saying “Nothing, my lord”. This leads to the break in the family, the deaths of the sisters and the fullest scope of tragedy. Why do you need to engage your audience? I thought about this in the context of the Foreign Corrupt Practices Act, compliance and regime change. This is not Saddam Hussein regime change where the US government invades a country to throw out the old boss. This is a democratically elected, peaceful transfer of power. However, it now appears that regime change means corruption investigations which impact not only the FCPA but also US companies. Every compliance officer needs to be aware of this new reality. Take three recent regime changes, together with what they have meant; and perhaps one to come.
1. South Africa
2. Malaysia
3. Brazil
4. Venezuela
The bottom line is that every Chief Compliance Officer (CCO) must now watch local politics much more closely. If you are doing business in a high-risk country and there are new leaders brought in through democratically elected regime change, your company had better be ready for a robust corruption investigation.
Certainly if Malaysia, South Africa and Brazil are any indication, prosecutors from nations with new regimes may well share their findings with the US Department of Justice (DOJ). This means that regime change could lead directly to a FCPA investigation, where the disclosure was by a foreign government and not the company self-disclosing. If there is no self-disclosure, a company is not eligible for the declination under the 2017 FCPA Corporate Enforcement Policy.

Adventures in Compliance
Adventures in Compliance: Episode I: The Red Circle and Communication

Mar 11, 2019 8:37


This week I return to one of my favorite themes for every Chief Compliance Officer (CCO), compliance professional and compliance program: Sherlock Holmes. Over the next five days, I will be considering themes from the short stories to illustrate broader application to components of a best practices compliance program. I have used three primary resources in putting together this series: Maria Konnikova’s Mastermind (Konnikova); the online site shmoop.com and its blog post, The Return of Sherlock Holmes (shmoop); and finally the most seminal print work on the entire Holmes canon, the three-volume The New Annotated Sherlock Holmes (Klinger) edited with notes by Leslie S. Klinger. In this episode, I consider the Adventure of the Red Circle and how it informs communication in a best practices compliance program.

FCPA Compliance Report
Adventures in Compliance: Episode I: The Red Circle and Communication

Mar 11, 2019 8:37


This week I return to one of my favorite themes for every Chief Compliance Officer (CCO), compliance professional and compliance program: Sherlock Holmes. Over the next five days, I will be considering themes from the short stories to illustrate broader application to components of a best practices compliance program. I have used three primary resources in putting together this series: Maria Konnikova’s Mastermind (Konnikova); the online site shmoop.com and its blog post, The Return of Sherlock Holmes (shmoop); and finally the most seminal print work on the entire Holmes canon, the three-volume The New Annotated Sherlock Holmes (Klinger) edited with notes by Leslie S. Klinger. In this episode, I consider the Adventure of the Red Circle and how it informs communication in a best practices compliance program.

FCPA Compliance Report
Adventures in Compliance - Episode V

Oct 15, 2018 9:31


This podcast series returns to one of my favorite themes for every Chief Compliance Officer (CCO), compliance professional and compliance program: Sherlock Holmes. In Adventures in Compliance, I consider themes from the short stories found in Holmes stories to illustrate broader application to components of a best practices compliance program. Today, I consider the theme of imagination in your compliance program.

FCPA Compliance Report
Adventures in Compliance – Episode IV

Oct 15, 2018 9:22


This week is a return to one of my favorite themes for every Chief Compliance Officer (CCO), compliance professional and compliance program: Sherlock Holmes. Over this week, I am considering themes from the Holmes short stories to illustrate broader application to components of a best practices compliance program. In this episode, I consider the theme of mentoring in compliance.

t3n Podcast – Das wöchentliche Update für digitale Pioniere
Deutsche Telekom: What Ethics Rules Do We Need for AI?

Aug 2, 2018 33:57


Deutsche Telekom has developed a code of ethics for artificial intelligence (AI). How does Deutsche Telekom use AI? What does it develop itself, and what does it buy in? And what might rules for AI look like so that humans and machines work together harmoniously? t3n.de editor-in-chief Stephan Dörner discussed this in the latest t3n Podcast with Manuela Mackert, Chief Compliance Officer (CCO) of Telekom, and Stefan Kohn, Vice President T-Gallery.

FCPA Compliance Report
The Bard & Compliance - Day III: Much Ado About Nothing

Jul 23, 2018 10:51


One of the first companies to embrace social media as a key tool in their compliance strategy was Dun & Bradstreet (D&B), which actively uses social media to make the company’s compliance regime more effective. The D&B experience provides three key insights for the Chief Compliance Officer (CCO) and compliance practitioner.

FCPA Compliance Report
12 O'Clock High-Episode 86

May 30, 2018 20:46


One of the challenges many compliance practitioners face when they move up in their careers is to move from tactical to strategic thinking. It is a requirement for any Chief Compliance Officer (CCO) to be able to think strategically as well as tactically but as you move up the corporate ladder, the strategic becomes more important. Strategic thinking is not something taught in law schools and in most business programs.

12 O'Clock High
12 O'Clock High-Episode 86

May 30, 2018 20:46


One of the challenges many compliance practitioners face when they move up in their careers is to move from tactical to strategic thinking. It is a requirement for any Chief Compliance Officer (CCO) to be able to think strategically as well as tactically but as you move up the corporate ladder, the strategic becomes more important. Strategic thinking is not something taught in law schools and in most business programs.

FCPA Compliance Report
Day 24 of 31 Days to a More Effective Compliance Program

Jan 24, 2018 12:12


The role of the Chief Compliance Officer (CCO) has steadily grown in stature and prestige over the years. In the 2012 FCPA Guidance, under Hallmark Three of the 10 Hallmarks of an Effective Compliance Program, the focus was articulated by the title of the Hallmark, Oversight, Autonomy, and Resources. This Hallmark was significantly expanded in both the Evaluation of Corporate Compliance Program (Evaluation) and the new FCPA Corporate Enforcement Policy (Policy).

FCPA Compliance Report
Day 9 of One Month to 360 Degrees of Communication in Compliance

Nov 13, 2017 13:23


The life of a Chief Compliance Officer (CCO) can be intense and one of the most powerful tools you have is persuasion. Jenny O’Brien, CCO at United Health Care, has talked about the techniques that a CCO can use to influence decision making in a company to do business ethically and in compliance. She has called these techniques of persuasion “Seven Steps of Influence” and advocates a CCO employ them to help influence decision-making within an organization.

FCPA Compliance Report
Day 3 of One Month to 360 Degrees of Communication in Compliance

Nov 3, 2017 15:14


How does one company and one Chief Compliance Officer (CCO) actively use social media to make the company’s compliance culture more effective? The company is Dun & Bradstreet (D&B) and its CCO, Louis Sapirman, whom I visited with about his company’s integration of social media into compliance.

FCPA Compliance Report
Day 8 of One Month of Innovation in Compliance

Sep 13, 2017 12:20


Design thinking is another innovation which can help the Chief Compliance Officer (CCO) move forward in a cutting-edge manner to make a compliance program not only more robust but also operationalize it into the fabric of the company. Such a mechanism would help to drive compliance into the operational nature of a company.

FCPA Compliance Report
Day 12 of One Month to More Effective Internal Controls

Jul 20, 2017 11:12


Is a Board of Directors a compliance internal control? I think the clear answer is yes. In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board in a best practices compliance program. The first in Hallmark No. 1 states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, which says the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? The DOJ’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program. I believe that a Board must not only have a corporate compliance program in place but also actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. 
Lawyers often speak to and advise Boards on their legal obligations and duties. If a Board’s oversight is part of effective financial controls under Sarbanes Oxley (SOX), that also includes effective compliance controls. Failure to do either may result in something far worse than bad governance. It may directly lead to a FCPA violation and could even form the basis of an independent FCPA violation. A company must not only have a corporate compliance program in place; it must also actively oversee that function. A failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Internal controls, together with compliance policies and procedures, are an interrelated set of compliance control mechanisms. There are five general compliance internal controls for a Board or Board subcommittee role for compliance:
• Corporate Compliance Policy and Code of Conduct - A Board should have an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
• Risk Assessment - A Board should assess the compliance risks associated with its business.
• Implementing Procedures - A Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
• Training - There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is and it should also understand its role in an effective compliance program.
• Monitor Compliance - A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.
There have been recent FCPA enforcement actions where the DOJ and SEC discussed the failure of internal controls as a basis for FCPA liability. With the questions about the Wal-Mart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, in contrast, failing to even be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program. Three Key Takeaways: GTE compliance internal controls are low hanging fruit, pick them. Compliance internal controls can be both detect and prevent controls. Good compliance internal controls are good for business. For more information on how to improve your internal controls management process, visit this month’s sponsor Workiva at workiva.com.

FCPA Compliance Report
Day 9 of One Month to More Effective Internal Controls

Jul 17, 2017 10:30


As they made clear with several FCPA enforcement actions in 2016, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement continued this trend: although there was no evidence that bribes were paid or offered in violation of the FCPA, the poor internal compliance controls at BHP led to a $25MM fine. Kara Brockmeyer, the former Chief, FCPA Unit; Division of Enforcement of the SEC, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US, through enforcement of the accounting provisions, including internal controls provisions of the FCPA. It would seem that the reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur. What can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Internal Controls Framework as your starting point. As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports.
Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented, in documented form on some type of expense reimbursement form. This is mandatory for IRS reporting; so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Do any personnel from accounts payable review and approve that expenses have the requisite receipts attached? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur? Now if an employee has submitted expenses for activities that occurred outside the US, are there any foreign government officials involved? Were those recipients of any such gift, travel or entertainment identified on the expense reimbursement form? Was the business purpose of the meal, gift or entertainment recorded? Can you aggregate the monies spent on any one foreign official or by a single employee in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program. You can take this exercise through each of the five objectives under the COSO 2013 Internal Controls Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls into your anti-corruption compliance program. This can lead to remedial steps that you can take. For example, you can recommend procedures be written for all key compliance areas in which there are currently no procedures and your existing procedures can be updated to include compliance issues and a clear definition of how controls are to be evidenced.
Through this you can move from having detect controls in place, to having prevent controls, whenever possible.  As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. Compliance is a straightforward exercise; this does not mean that it is easy, you do have to work at it so that you will simply not have a paper, “check the box”, program. But using the excuse that you have limited resources is simply an excuse and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, what internal compliance controls that you do not have and need to institute. Three Key Takeaways  Learn the internal controls your company currently has in place. Map your compliance internal controls to the COSO 2013 Framework, Use your gap analysis as a basis for remediation. Learn more about your ad choices. Visit megaphone.fm/adchoices

FCPA Compliance Report
Day 17 of One Month to Better Investigations and Reporting

Jun 23, 2017 · 12:26


Who to suspend during any Foreign Corrupt Practices Act (FCPA) investigation is always a delicate question to answer. Unfortunately there is never an easy answer. As the Volkswagen (VW) emission-testing scandal continues to reverberate, it continues to bring up some very knotty questions, which have bedeviled the Chief Compliance Officer (CCO) or compliance practitioner in many areas. Today there is an example around internal investigations. In an article in the Wall Street Journal (WSJ) entitled “Scope of VW Suspensions Grows”, William Boston reported on the ongoing internal investigation by the company’s outside counsel Jones Day. Boston noted that VW had “suspended a larger number of engineers than previously acknowledged, following a recommendation from the law firm conducting” the investigation. The article went on to state, “Jones Day urged suspension of anyone who could have been involved in the scam – from high level decision makers to ordinary engineers – to prevent possible perpetrators from tampering with the evidence”.

This final statement emphasizes a key consideration in an FCPA investigation, which is to tie down the evidence. Former Arnold & White partner Mara Senn has said that “probably from the government's perspective, the most important aspect of setting up an investigation in a way that makes them feel comfortable, is ensuring that all data is locked down.” However, if you are worried about evidence tampering you may have a bigger problem on your hands.

Pointing up the difficulties in making such a blanket sweep, an unnamed source, who provided this information to Boston, was quoted in the WSJ piece as saying, “We had to suspend everyone in this area to get them out of the way of this process. This is necessary for the investigation, but it’s really hard for us because we are now missing their professional knowledge and experience.”

This issue brings up another point that Senn has discussed, around when to suspend or discipline an employee during an internal investigation. Senn related, “That is a very case-by-case difficult question to answer, but in general, I think it’s better to keep them around for as long as you may need them. Once they’ve been fired or otherwise disciplined, really, even if you keep them around, they’re going to be less cooperative with you and possibly, if you fire them, not cooperative at all. You can require them to be cooperative in the termination agreement, but obviously in practice, cooperation can mean a lot of different things.”

In view of the Schrems decision by the European Court of Justice (ECJ), I also wonder how the investigation will fare with the German-based employees? Obviously there will be data that in the US would be deemed company-owned but in Europe it may well be private to the employee being investigated. This problem became even greater with the recent decision by Privacy Regulators from 28 EU nations that backed the ECJ’s Schrems decision that invalidated the Safe Harbor regime. As reported by Jo Sherman in the FCPA Blog, “that closed the legal pipeline by which data has flowed freely from the EU to the U.S. for the last 15 years. The rationale for the court decision and the subsequent backing of the EU Data Protection Authorities is that the surveillance powers of the U.S. government are considered to be too excessive and disproportionate, and can override the data protections for EU citizens under the Safe Harbor framework.”

Lanny Breuer, the former number two at the Department of Justice (DOJ) and now a partner at Covington and Burling LLP, raised an interesting concern in the context of the Justice Department’s FCPA Pilot Program. It is around what Breuer terms “de-confliction”. This involves the government asking a company to halt its own investigation for the government to be the first to interview witnesses. At the FCPA Blog Conference, Breuer said that if “de-confliction” is required as cooperation to gain the benefits of the pilot program, such a request from the DOJ would be “an extraordinary request, in my view” because it “could lead companies to be unable to disclose to other agencies or to shareholders, and it could keep a board in the dark about the alleged wrongdoing.” Breuer added, “In general, publicly traded companies can’t just stand down from doing an investigation when such an allegation comes in.” He also commented that “he’d been asked to do so a couple of times.”

Breuer raised four questions during his presentation which every investigator must consider in the area of de-confliction: (1) Would complying with the request be consistent with directors’ and corporate officers’ fiduciary duty of oversight? (2) How can a company make decisions without speaking with its employees? (3) How will a delay affect the company’s other regulatory obligations? and (4) How can external counsel advise a company without knowing the facts? Companies hire external counsel to conduct thorough investigations, evaluate their clients’ conduct, and provide informed legal advice. These tasks can be difficult if not impossible to accomplish where external counsel have their hands tied behind their backs.

Clearly the DOJ could have a broader remit or be involved with other ongoing investigations where they might make such requests. However, such ‘de-confliction’ could stop a company from engaging in a root cause analysis or even a robust investigation. At the same conference, an earlier panelist, Gerald Kral, the Chief Ethics & Compliance Officer (CECO) of Brown-Forman, said on his panel that his company did an extensive root cause analysis of every claim or incident so it can not only understand what happened but put sufficient risk management protections in place to try and make sure it does not happen again.

Three Key Takeaways
1. The decisions on whom to discipline and when are critical during any investigation.
2. You should take a case-by-case approach.
3. The de-confliction question can be quite troubling during an internal investigation.

Compliance into the Weeds
Compliance into the Weeds-Episode 43

Jun 22, 2017 · 28:49


On June 16, 2017, the Department of Justice (DOJ) issued a Declination to Linde North American Inc. and Linde Gas North America LLC (collectively “Linde”). This is the first Declination issued by the DOJ in the era of the Trump Administration. For that reason alone, it was instructive and should be studied by the compliance profession. However, the case presented several interesting factors which merit consideration, so we are discussing it in depth to present lessons to be learned for the Chief Compliance Officer (CCO) or compliance practitioner.

Lessons Learned

This was yet another Foreign Corrupt Practices Act (FCPA) action where a company performed insufficient due diligence in the acquisition phase. The timing of the Linde purchase of Spectra Gases and Spectra Gases’ purchase of the income producing assets is too close in time to be a coincidence. It would certainly appear that Linde purchased Spectra Gases to facilitate its acquisition of the boron column and other assets. If your company is going to make such a multi-step acquisition, you must perform due diligence on all the actors and the assets involved.

The Byzantine corporate structure created for the ownership of the boron column, its operation and management contract are clear red flags that any CCO should sniff out immediately. While I am sure the internal corporate excuse for this clear ruse was the ubiquitous ‘tax considerations’, every such transaction should be reviewed by compliance as well. Anytime there is more than one entity to accomplish one task, there is the possibility of fraud present. Further, it is not clear how Linde could not have been aware of the ownership interests of a company which it ultimately controlled. It would seem that the company did not even make any inquiry.

Even in 2006, the Republic of Georgia’s reputation for bribery and corruption was quite high. The 2006 Transparency International-Corrupt Perceptions Index (TI-CPI) listed Georgia at 99 out of 176 countries, so that alone warranted red flag scrutiny. If you are purchasing an entity in a country with such a well-known affinity for corruption, extra care is warranted. Perhaps back in 2006, Linde did not view the FCPA as something which it would deal with in such a situation.

Yet even with all the apparent missteps and non-steps of compliance, the company was able to secure a declination from the DOJ. While there may be some additional penalties or sanctions by the Securities and Exchange Commission (SEC) for the failures of internal controls, the result obtained by Linde was certainly a superior result. The company would seem to have met the four pillars under the FCPA Pilot Program through (a) self-disclosure, (b) extraordinary cooperation, (c) full remediation, and (d) profit disgorgement. Interestingly, the profit disgorgement in this case would appear to have been beyond the five-year statute of limitations for profit disgorgement under the recent Supreme Court decision in Kokesh. If there is an FCPA enforcement action brought by the SEC, perhaps additional facts will be recited in any resolution documents.

Nevertheless, kudos are due to Linde and its counsel for obtaining this declination. Every CCO should study it for both the superior result received and underlying facts to see if you face anything similar in the Republic of Georgia or elsewhere.

FCPA Compliance Report
Compliance into the Weeds-Episode 43

Jun 22, 2017 · 28:49


On June 16, 2017, the Department of Justice (DOJ) issued a Declination to Linde North American Inc. and Linde Gas North America LLC (collectively “Linde”). This is the first Declination issued by the DOJ in the era of the Trump Administration. For that reason alone, it was instructive and should be studied by the compliance profession. However, the case presented several interesting factors which merit consideration, so we are discussing it in depth to present lessons to be learned for the Chief Compliance Officer (CCO) or compliance practitioner.

The Bribery Scheme

Linde acquired Spectra Gases, Inc. (Spectra Gases) in October 2006. In November 2006, it purchased certain assets from the National High Technology Center (NHTC) of the Republic of Georgia. One of the keys to this purchase was a piece of equipment called the “‘boron column,’ which were used to produce boron gas.” Sales of boron gas after the acquisition helped fund the purchase price and payout to Spectra executives who stayed on after Linde purchased Spectra Gases.

Unfortunately, the three Spectra executives who stayed on were in cahoots with corrupt officials from the NHTC who made the sales agreement with Linde. Part of the Earn-Out by the former Spectra (now Linde) officials was paid to these corrupt government officials, both directly and through certain third parties. But the funding scheme to pay the bribes was quite creative and demonstrates once again to the compliance practitioner the myriad ways in which funds can be generated to pay bribes.

For reasons not made clear, Linde did not purchase the boron column outright but allowed the former Spectra executives and the corrupt NHTC officials to form two new entities to own and operate the boron column, Spectra Investors LLC (Spectra Investors) and Spectra Gases Georgia, which was wholly owned by Spectra Investors. Spectra Investors was owned 51% by the corrupt NHTC officials and 49% by the Spectra Gases executives who now worked for Linde. Spectra Gases Georgia was formed as a separate management company, by the NHTC officials, which was claimed to provide services to Spectra Investors for which it would receive recompense. Of course, there was no evidence of services being delivered under this arrangement as it was simply a mechanism to funnel monies to the corrupt officials.

As a result of the ownership structure of Spectra Investors, with 51% being owned by corrupt NHTC officials and the management services contract, the corrupt NHTC officials received “approximately 75% of the profits generated by the boron column” while Spectra Gases received 25% of the profits. Clearly even with bribery and corruption, it was a bad business deal. In January 2010, Linde dissolved Spectra Gases and became its successor-in-interest and at some point later discovered the illegal conduct. Prior to the time of the dissolution, Spectra Gases had “received approximately $6,390,000”. After Linde became the direct owner, it “received approximately $1,430,000 as a result of the corrupt” actions.

The Declination

While there is a dearth of facts about how the matter came to the attention of Linde and when it disclosed the matter to the DOJ, the decision to decline to prosecute was based on the following factors: (1) Linde’s timely self-disclosure; (2) a “thorough, comprehensive and proactive investigation” [emphasis supplied]; (3) Linde’s full cooperation and meeting the Yates Memo requirement for disclosing all known relevant facts about the “individuals involved in or responsible for the misconduct”; (4) full profit disgorgement; (5) Linde’s enhancement of its compliance program and internal controls; and (6) Linde’s full remediation, including termination or discipline of the three Spectra executives and lower-level employees involved in the misconduct; termination of the fraudulent management contract between the corrupt NHTC officials and Spectra Investors; and termination of the Earn-Out payment due to the former Spectra executives who became Linde employees. The company also made the following payments.

Lessons Learned

This was yet another Foreign Corrupt Practices Act (FCPA) action where a company performed insufficient due diligence in the acquisition phase. The timing of the Linde purchase of Spectra Gases and Spectra Gases’ purchase of the income producing assets is too close in time to be a coincidence. It would certainly appear that Linde purchased Spectra Gases to facilitate its acquisition of the boron column and other assets. If your company is going to make such a multi-step acquisition, you must perform due diligence on all the actors and the assets involved.

The Byzantine corporate structure created for the ownership of the boron column, its operation and management contract are clear red flags that any CCO should sniff out immediately. While I am sure the internal corporate excuse for this clear ruse was the ubiquitous ‘tax considerations’, every such transaction should be reviewed by compliance as well. Anytime there is more than one entity to accomplish one task, there is the possibility of fraud present. Further, it is not clear how Linde could not have been aware of the ownership interests of a company which it ultimately controlled. It would seem that the company did not even make any inquiry.

Even in 2006, the Republic of Georgia’s reputation for bribery and corruption was quite high. The 2006 Transparency International-Corrupt Perceptions Index (TI-CPI) listed Georgia at 99 out of 176 countries, so that alone warranted red flag scrutiny. If you are purchasing an entity in a country with such a well-known affinity for corruption, extra care is warranted. Perhaps back in 2006, Linde did not view the FCPA as something which it would deal with in such a situation.

Yet even with all the apparent missteps and non-steps of compliance, the company was able to secure a declination from the DOJ. While there may be some additional penalties or sanctions by the Securities and Exchange Commission (SEC) for the failures of internal controls, the result obtained by Linde was certainly a superior result. The company would seem to have met the four pillars under the FCPA Pilot Program through (a) self-disclosure, (b) extraordinary cooperation, (c) full remediation, and (d) profit disgorgement. Interestingly, the profit disgorgement in this case would appear to have been beyond the five-year statute of limitations for profit disgorgement under the recent Supreme Court decision in Kokesh. If there is an FCPA enforcement action brought by the SEC, perhaps additional facts will be recited in any resolution documents.

Nevertheless, kudos are due to Linde and its counsel for obtaining this declination. Every CCO should study it for both the superior result received and underlying facts to see if you face anything similar in the Republic of Georgia or elsewhere.

FCPA Compliance Report
Day 13 of One Month to Better Investigations and Reporting

Jun 19, 2017 · 12:25


When then Assistant Attorney General Sally Yates announced the Memo that bears her name, she said the following: “we have revised our policy guidance to require that if a company wants any credit for cooperation, any credit at all, it must identify all individuals involved in the wrongdoing, regardless of their position, status or seniority in the company and provide all relevant facts about their misconduct. It’s all or nothing. No more picking and choosing what gets disclosed. No more partial credit for cooperation that doesn’t include information about individuals.” This statement ties directly into the first point of the Yates Memo, which stated, “To be eligible for any cooperation credit, corporations must provide to the Department all relevant facts about the individuals involved in corporate misconduct.”

The Yates Memo and Yates’ remarks indicated a transition to a new era of FCPA enforcement. The Yates Memo required the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) to investigate individuals immediately at the start of investigations. She stated, “the department instructed its attorneys that, going forward, they are to focus on individuals from the start of an investigation, regardless of whether the investigation begins civilly or criminally. Moreover, once a case is underway, the inquiry into individual misconduct can and should proceed in tandem with the broader corporate investigation. Delays in the corporate case will no longer suffice as a reason to delay pursuit of the individuals involved.” Even though these remarks were directed at government lawyers, corporations are now required to initially change the focus of their investigations from attempting to perform any type of root cause analysis to obtaining evidence against individuals and turning it over to the government as soon as possible.

For the Chief Compliance Officer (CCO) or compliance practitioner, this means the entire focus of your investigative protocol has changed. Previously an investigation was to determine how conduct that might have violated the FCPA had occurred, then focus on how to remedy it. The first step a CCO or compliance practitioner would take when sufficient evidence was developed was to fix the problem so that it did not re-occur going forward. If there were compliance program or internal control weaknesses, they would be immediately fixed so that not only could the original perpetrators not continue the conduct, but others could not take advantage of any such structural weakness.

After the Yates Memo, that is no longer the case. The DOJ now expects you to bring them information about potentially culpable individuals who can be prosecuted going forward. This means employees are going to immediately stop talking to you if they were inclined to do so in the first place. It will make performing an essential root cause analysis, and the attendant remedy that is a part of any best practices compliance program, more difficult.

But Yates went further than simply saying the DOJ expects you to turn over your own employees. She made clear that both she and the DOJ want companies to give up senior executives involved in illegal conduct. She said, “We’re not going to be accepting a company’s cooperation when they just offer up the vice president in charge of going to jail.” Here the difficulty is around the FCPA requirement of intent for a criminal prosecution. How do you determine intent in a manner where senior executives may never have been involved directly in a transaction? Does this mean insufficient tone at the top will somehow morph into intent for an FCPA prosecution? Whatever it may mean going forward, at the very least I think it means that high heads in an organization could very well start to roll.

The Yates Memo, when read in conjunction with the Frederic Bourke conviction, makes clear that senior management, as well as other individuals, are now directly in the DOJ’s sights to prosecute for FCPA violations. This means that even if lower level employees are engaging in conduct which senior management did not know about or even told them not to engage in, senior management may be deemed by the DOJ to have engaged in conscious indifference by not engaging in ongoing monitoring as a part of an overall best practices compliance program. Simply expecting that employees will not violate the FCPA is no longer enough. Companies must monitor transactions to detect and prevent violations. With the Yates Memo now the effective policy of the DOJ, senior management who do not actively monitor their organizations may subject themselves to personal FCPA criminal liability.

Given the scrutiny of the Standard Bank Deferred Prosecution Agreement (DPA) in the UK, I think it may well be the time where enforcement authorities begin to look at those responsible for an activity where a violation of anti-bribery/anti-corruption laws takes place in addition to those committing the legal violation. Bourke was found guilty for conscious avoidance. How much of a stretch will it be for those senior managers who allow such behavior to be seen as either the norm or indeed expected? John Kay, writing in the Financial Times (FT) in an article entitled “Ignorance is no defence for financial misconduct”, wrote in the context of financial institution misconduct, “If it is a criminal offence to be in charge of a den of thieves, the prosecution need only establish that you were in charge of it, not that you were yourself a thief. It is no defence that you thought the organisation was a monastery, which is broadly the argument employed by those made ‘physically ill’ by the discovery of what their subordinates had been doing.” After the Yates Memo, the same may hold true for senior management in companies which violate the FCPA.

The impact of the Yates Memo was magnified by Attorney General Jeff Sessions through his remarks at the Ethics and Compliance Initiative (ECI) in April 2017. He reiterated that the DOJ would focus on individual criminal misconduct in the context of enforcing the FCPA. This continued emphasis will mean that there is even more pressure on corporate compliance programs to get it right and get it right sooner rather than later.

Three Key Takeaways
1. If companies want any credit, they must investigate potentially culpable individuals first and turn over the results to the DOJ.
2. This may require companies to more thoroughly investigate conscious indifference.
3. Never forget conscious avoidance is specifically prohibited under the FCPA.

FCPA Compliance Report
Day 11 of One Month to Better Investigations and Reporting

Jun 15, 2017 · 13:29


Today, I want to consider some of the challenges you may well face during an investigation.

Beyond the basics, a company must consider the intake process as a starting point; however, Marks noted one of the biggest challenges is in the intake process. Rather surprisingly, he noted there are still companies without a hotline or anonymous reporting system, stating “we still see organizations whereby there is no formal ethics hotline except for the fact that they might send an email to some member of management or some member of the board.”

The lack of an intake process immediately presents a challenge in beginning to work through an allegation of wrongdoing due to the inability to track when the allegation or information was received, who sent it, who received it, and what the company did when they received it. If a company has a formal ethics reporting system, with recordation of information, “there’s some workflow, it’s a lot easier to kind of work through some of those things”, so there is an appropriate level of documentation to follow.

Yet Marks has seen failures in even these basic steps: “many times people do not read their emails on a timely basis, and getting to the root of the issue quickly could be the difference between somebody allowing the company to investigate this the right way, or incentivizing an individual to go outside the organization such as to SEC whistleblower program.” This makes the intake process critical because it assures that things are not only received, “but they’re looked at on a regular and timely basis and there is a process.”

One area that still causes challenges is retaliation against whistleblowers. You might think that corporate America got the message that not only is retaliation incredibly idiotic and divisive but also illegal under both Sarbanes-Oxley (SOX) and Dodd-Frank, but sadly that is not the case. Marks believes that avoiding retaliation is critical not only for an organization but also to foment a successful investigation. He stated, “Avoiding retaliation is very critical. I think there’s a real opportunity where human resources, if properly trained, can work with the rest of the team members and advise them on things that they should not be doing and things that they should be doing in order to avoid either the appearance of retaliation or the actual retaliation against the individual or individuals who reported or brought forth the potential of the alleged misconduct.”

Equally important is that a company wants to encourage a stand-up culture. When individuals are trying to do the right thing, you certainly want to inspire others to do so as well. Marks related, “When somebody reports an ethical lapse, it generally means to me that they’re doing their job. And so, the indirect impact, or sometimes the direct impact of that is sometimes people are looked at as snitches or not toeing the company line or they’re just generally out of bounds can negatively impact the organization.”

An area where Marks has seen companies have difficulties is what he termed threatened or pending litigation. Any investigation can morph into a much more serious situation and you must be ready to answer such questions as “(1) Does this gravitate itself into a class action lawsuit? Or (2) Does this gravitate to a regulatory review and subject to some punishment there?” The key is that as the investigation begins to uncover things and certain facts come to light, pending or threatened litigation is something that should always be discussed, but discussed very carefully and it should be discussed once those facts come to play. Sometimes you don’t have all those facts but sometimes it does make sense to kind of prognosticate and consider situations such as “This is what could happen. These are the issues that potentially could be uncovered.” Marks concluded, “I really do think that it’s important to think a couple of steps ahead and look at this as a chess match and never underestimate the fact that there could be pending or threatened litigation.”

Not surprisingly, another area of challenge is when the regulators will not accept the investigation or are not satisfied with the results. While I would submit that if you follow the strictures laid out by Marks, that will satisfy regulators, he noted that there must be an appropriate level of skepticism brought by the investigation. He said there can be regulator issues when “there was not proper skepticism, there was not proper independence or simply things were not looked at under the right lens.” But once again the answer is to go through the steps that Marks laid out, or any other well-defined protocol, and have an independent team handling the investigation.

Interestingly, a similar situation can arise if a company’s own auditors refuse to accept the results of an investigation. Marks said this is usually related to some type of unexpected development that arises in an investigation. Marks noted, “when auditors are involved the element of surprise is never good.” He believes it is important to keep internal audit aware of developments as “they might want to do a shadow investigation, they might want to understand the scope of your expanded investigation and most certainly they want to understand the financial impact.” The reason is that if the company auditors do not accept your investigative results, “they may send you back to the drawing board. When that happens, all types of problems could manifest themselves or come out.”

Marks noted that at times the most difficult challenge is when the company itself is reluctant to accept the results of the investigation. This comes when a company is in denial, believing it has a robust compliance program and internal controls or, worse yet, it simply believes that it is an ethical company. One or more of these indicia usually manifest themselves as a company with a paper compliance program, a Chief Compliance Officer (CCO) with a title but no authority and a weak compliance culture. Marks said, “When I say the company does not respect the investigation, it’s almost like they’re fighting with you because they believe that nothing could ever go wrong. That really does send a very, very clear message, not only internally, but should it get out externally as well. It’s an indication to us that there’s a problem with the culture, there’s a problem with the compliance program, there’s generally a problem with governance overall. There are probably bigger issues there other than the matter that’s generally on the table.”

Planning your investigation, having the right team members involved and meeting the challenges which inevitably arise during an investigation can be difficult. However, beginning with the Department of Justice’s (DOJ’s) Yates Memo and the Foreign Corrupt Practices Act (FCPA) Pilot Program and the release of the DOJ’s Evaluation of Corporate Compliance Programs (Evaluation), the pressure on every CCO and company to get an investigation done quickly, efficiently and, most importantly, done right is even greater now. Jonathan Marks has laid out a concrete way for you to think through how to plan an investigation, staff it properly and meet the inevitable challenges.

Three Key Takeaways
1. The intake process may seem the most straightforward but many companies drop the ball at this initial step.
2. You must never retaliate against employees who come forward in good faith.
3. Always think several steps ahead.

FCPA Compliance Report
Day 9 of One Month to Better Reporting and Investigations

Jun 13, 2017 (12:20)


Beginning with the Department of Justice’s (DOJ’s) Yates Memo, its Foreign Corrupt Practices Act (FCPA) Pilot Program and then the release of the Evaluation of Corporate Compliance Programs (Evaluation), I believe the DOJ has put even more pressure on every Chief Compliance Officer (CCO), and indeed every company, to get an investigation done quickly, efficiently and, most importantly, done right.

Jonathan Marks, a partner at Marcum LLP and a well-known internal investigation expert, provides some of his thoughts around what goes into a well-run investigation. His perspective is that of someone who performs investigations from outside your organization, either because the matter was so serious that an outside expert was required, because specific subject matter expertise (SME) was not available in your organization, or to ensure the objectivity of the investigation. Today I want to consider who should be on your investigation team.

As discussed previously, data collection, retention and preservation are critical elements of any significant internal investigation, so you will need to have the involvement of your IT function. IT can help put a litigation hold on email that can help with the preservation of data in other areas of the organization. Further, they can assist with certain other aspects as more facts and circumstances are known.

HR is often an underutilized function for an internal investigator. HR can be very useful to provide context about employees’ work history. There may be notes in HR areas as diverse as training and exit interviews. HR can also be useful to give the investigator “some insight regarding the credibility of the individual that might be making the allegation. For example, are they a good and trusted employee? How long have they been there? What’s their general demeanor? What’s been the feedback on that particular individual?”

Both the Board and senior management can provide different types of support for an investigation.
Marks noted the Board has oversight responsibility and senior management is responsible for the day-to-day, tactical operations of the organization, including the internal controls. This means from the Board’s perspective, “we would want to make sure that our governance processes were in place and operating effectively when it comes to an investigation. So, my concern, or concern from a board member’s perspective, from an investigation, early on, is what’s the financial impact; what’s the legal impact, for a publicly traded organization? Are there potential issues here which we as a Board need to be concerned with going forward?”

From the senior management’s perspective, Marks believes “the key thing there is if there is an issue and there was the ability to either override controls or controls weren’t in place or there was something that basically caused this, what do we need to do to assess that? What do we need to do to fix that? What was the root cause for this potential bad behavior? Like I said, how do we fix that or how do we put a plan together in order to fix that or shore that up?” He emphasized this is not the Board’s responsibility but that of senior management. Marks also pointed out that while an investigator would probably assume that the Board of Directors had been notified at this point about the issues being investigated, the investigators may want to make certain the Board has been made aware of the incident and investigation.

Marks suggested outside consultants in the form of forensic accountants should be a part of your investigation team. Such a skilled team member can bring an investigative mind that drives them to answer questions about what occurred, when and how it happened, and who was involved. However, most lawyers do not understand how forensic accounting is performed and how it can assist your compliance investigation going forward.
Forensic auditors collect and analyze accounting and internal-controls evidence. They use this information to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of internal audit’s work can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Inquiries into accounting and internal controls raise a host of technical issues requiring specialized knowledge that forensic accountants are uniquely positioned to provide. This is a qualitative difference from internal audit, which more often looks at process to determine if it has been adhered to in a procedure.

The objective of a forensic audit investigation team member is to collect, analyze and report on the evidence or facts surrounding an act that often has litigious, fraudulent or criminal implications. Auditors also collect and analyze evidence, but an independent auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. However, a key role of the forensic accountant is to identify a concern and to notify company management about the issue or issues discovered.

As with a decision on bringing in outside counsel to perform a compliance investigation, you will need to consider whether a forensic accountant should be retained as an outside consultant or hired as an employee. One critical reason to bring in an outside professional is so they will not be governed by management or influenced by potential biases within a company. Lastly is the issue of privilege. If a forensic accountant is not assigned through your legal department or through outside counsel, you can kiss away even the chance of claiming privilege.
Obviously, the GC would be involved to help protect the attorney-client privilege if for no other reason. Further, an investigation needs to have the corporate compliance function involved, to understand what compliance program was in place at the time of the incident in question, what procedures the compliance function had and understand if this truly was a gap in the compliance function or “maybe there was an area within the compliance function that wasn’t operating as prescribed, or maybe it was a little bit weak.”

Three Key Takeaways
1. HR plays a key but often underused role in internal investigations.
2. The Board of Directors and senior management have different roles.
3. Use your legal department to protect the privilege.

FCPA Compliance Report
Day 8 of One Month to Better Investigations and Reporting

Jun 12, 2017 (12:28)


The Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation), under Prong 7, Confidential Reporting and Investigation, asks the following: Properly Scoped Investigation by Qualified Personnel – How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? These questions were clearly presaged by the DOJ’s Yates Memo and the Foreign Corrupt Practices Act (FCPA) Pilot Program. The pressure on every Chief Compliance Officer (CCO), and indeed every company, to get an investigation done quickly, efficiently and, most importantly, done right is even greater now.

Jonathan Marks, a partner at Marcum LLP and a well-known internal investigation expert, gave some of his thoughts around what goes into a well-run investigation. Marks began by cautioning that any CCO must be cognizant of the strictures laid out in the Evaluation. It all begins with who in-house is looking at the complaint and whether the CCO, compliance practitioner or legal team has the skills and capabilities to handle the matter which has arisen. Obviously, if there are esoteric accounting issues or significant internal control work-arounds and overrides, a CCO may not have the skills to really understand all the issues.
Similarly, if the matter is a global FCPA or equivalent bribery and corruption matter, Marks related, these “come in different flavors, and because they come in different flavors you may not have the skills or capabilities to do an investigation that would take place in say Brazil or Russia or China or India.”

All of this ties into how the government will view an investigation, particularly if the company does not have the skills and capabilities necessary to analyze the allegation, or if the allegation of fraud is serious enough where they believe that an independent investigation rather than an internal investigation really needs to be done. Moreover, if allegations or the investigation are going to be subject to regulatory scrutiny, one of the benefits of having somebody come in from the outside is that there is independence, skepticism, the ability to work through things unlike you would with an internal investigation where an internal audit might be involved. Marks concluded by noting, “from an outsider’s perspective looking in, there is more credibility of having somebody come to conduct your investigation.”

Marks believes the first thing that any investigator must do is understand the business environment and the extended business enterprise. He further stated, “what I mean is really understand the business you’re dealing with, the industry that it’s in, the potential risks, the pressures and motivations that might be at play here. Understanding that generally with most frauds there is some pressure to do something because of something else and there are some motivations.” Such an initial understanding can help you comprehend the internal controls that might be in place, or that were lacking, and that either were not designed properly or were overridden.

The next step is to quickly and thoroughly analyze the initial underlying facts and circumstances when it comes to the issue or the issues at hand.
For Marks, the number one issue is the credibility of the complaint, which is more than simply the credibility of the complainant. Marks said it was important to understand how the allegations of wrongdoing came to light and the seriousness of the issues involved. He went on to note that his initial inquiry would include such questions as, “What are people saying happened or what is an individual saying that happened? You know the background of the complaint, if known. How long have they been with the organization? Are they credible? Have they complained before? If in fact this was either a whistle blower or a tip.”

At this early assessment, Marks believes you should also consider the possible legal and financial impact of the allegations. If you determine it is serious at this early juncture, you should always consider your internal crisis management team and if your organization does not have one, you should consider retaining such an expert. Marks explained, “Crisis management doesn’t necessarily mean that a crisis happened, it means that if in fact we are in crisis mode, how does that impact the company? So, thinking about those issues and then knowing what to do, if in fact you are in a crisis mode, I think is ultra-critical.” He went on to add, “I think crisis management is totally underplayed. I think that many organizations don’t have an appropriate crisis management plan. If something bad does happen, a lot of times I see organizations that are struggling to kind of put the pieces together.”

Marks also noted that both communication and collaboration are critical even at this early stage. He advocated that the company ask a series of questions such as what issues are “on the table” and who is impacted by these issues within the company; is it the company auditors or some other corporate function?
He also advocated considering third parties and contracted entities in this calculus by inquiring if there were key suppliers impacted by the investigation. On the one hand, “a key supplier that might get wind of this and might not want to do business with us anymore?” Yet, conversely, such a key supplier could be a sole source supplier so you may need to think about alternative arrangements. You should begin to consider these issues early on and continue to think about them as you are going through and doing an investigation.

Document preservation is always a critical issue and Marks believes this is one which government regulators will pay particular attention to both at this initial phase and throughout the investigation. You need to take steps to ensure all data is locked down. This means getting into the weeds on such issues as where all your company’s servers are located; what your back-up situation is; whether you have hand-held devices secured; and whether the organization’s instant and text messaging are tied down. If you do not take such steps you could well find yourself in a situation where either information is lost or there's a possibility or suspicion that information is lost. Unfortunately, that is the situation that leads to a prosecutor’s imagination going wild. Basically, you need to have the information locked down so that if the government wants to come in and perform an independent review or test your hypothesis, you can provide them with the required information.

Three Key Takeaways
1. Always remember your ultimate audience may be the government.
2. You must understand both the business environment and extended business enterprise.
3. Communication and collaboration in any investigation are critical so you should begin early and continue to do so throughout the investigation.

FCPA Compliance Report
Day 3 of One Month to Better Investigations and Reporting

Jun 5, 2017 (11:31)


Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hot-line, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate in consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows the Compliance Department to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, the SEC considers a variety of factors around giving credit to corporate investigations including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?
In a presentation entitled “FCPA Compliance Best Practices: Success Stories of Robust and Effective Anti-Corruption Compliance Programs in High Risk Markets”, Jay Martin, Vice President, Chief Compliance Officer (CCO) and the Senior Deputy Counsel for Baker Hughes Incorporated, and Jacki Trevino, Senior Consultant, Advisory Services at SAI Global, presented the specifics of an investigation protocol. The five steps were: (1) Opening and Categorizing the Case; (2) Planning the Investigation; (3) Executing the Investigation Plan; (4) Determining Appropriate Follow-Up; and (5) Closing the Case. If you follow this basic protocol, you should be able to work through most investigations in a clear, concise and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to document, document, and document, not only the steps you took but why and the outcome obtained.

Step 1: Opening and Categorizing the Case. This first step is the triage step, in which you categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. After notification, you should assemble your investigation team for preliminary meetings and assessments. This Step 1 should be accomplished in one to three days after the allegation comes into compliance, either through your reporting structure or other means. Given the number of ways that information about violations or potential violations of the Foreign Corrupt Practices Act (FCPA) can be communicated to the Department of Justice (DOJ), having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on an FCPA problem.
A key consideration is making an initial determination of whether to bring in outside counsel to head up an investigation and a determination of the resources that you may want or need to commit to a problem.

Step 2: Planning the Investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, or relationships need to be analyzed through relationship software programs or key word search programs, this should also be planned out at this time. These tasks should be integrated into a written investigation or work plan so that the entire process going forward is documented. Also, if there is a variation from the written investigation plan, such variation should be documented and an explanation provided as to why there was such a variation. Lastly, if international travel is involved this should also be considered and planned for at this step. Step 2 should be accomplished within another one to three days.

Step 3: Executing the Investigation Plan. Under this step, the investigation should be completed. I would urge that the interviews not be effected until all documents are reviewed and ready for use in any interviews. Care should be taken to ensure that an appropriate Upjohn warning is issued and that the interviewee clearly understands that whoever is performing the interview represents the company and not the person being interviewed, whether they are the target of the investigation or not. The appropriate steps should also be taken to preserve the attorney-client privilege and attorney work product assertions. This Step 3 should be accomplished in one to two weeks.

Step 4: Determining Appropriate Follow-Up. At this step, the preliminary investigation should be completed and you are ready to move into the final phases.
In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete and you are ready to convene the investigation team and the relevant business unit representatives. This group would decide on the appropriate disciplinary steps or other actions to take. This Step 4 should be completed in one day to one week.

It must be cautioned that at this step, if there are findings of specific or discrete allegations of corruption and bribery, a decision must be made as to how to handle such findings going forward.

Step 5: Closing the Case. Under this final step, communicate the investigation results to the stakeholders and complete the case report. Everything done in the above steps should be documented and stored, either electronically or in hard copy form together. The case report should be completed. This Step 5 should be completed in one day to one week.

Three Key Takeaways
1. A written protocol, created before an investigation, is a key starting point.
2. Create specific steps to follow so there will be full transparency and documentation going forward.
3. Consistency in approach is critical.

FCPA Compliance Report
Day 1 of One Month to Better Investigations and Reporting

Jun 1, 2017 (13:30)


The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into a Foreign Corrupt Practices Act (FCPA) issue for your company. As the Chief Compliance Officer (CCO), it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. This month’s podcast series will provide to you all the steps you will need to consider going forward. This scenario was driven home in an FCPA enforcement action brought by the Securities and Exchange Commission (SEC) in July 2015 involving Mead Johnson Nutrition Company (Mead Johnson). In that case, the company performed two internal investigations into allegations that its Chinese business unit was engaged in conduct which violated the FCPA. Unfortunately, the first investigation, performed in 2011, did not turn up any evidence of FCPA violations. It was not until 2013, when the SEC made an inquiry to the company, that it performed an adequate internal investigation which uncovered FCPA violations.

Similarly, consider Zimmer Biomet, which (when it was only Biomet) resolved an FCPA violation in 2012 for nearly $23MM and entered into a Deferred Prosecution Agreement (DPA). Within the year, Biomet notified its Monitor that it had found evidence of additional FCPA violations, which in turn violated the terms and conditions of the DPA. However, these additional violations by the company (now Zimmer Biomet) turned out to have been actions which occurred in 2010, well before the initial DPA, but were not uncovered in the company’s worldwide investigation which led to the first settlement. Zimmer Biomet paid an additional $13MM for this oversight and extended out both the DPA and the Monitorship, all because the company had failed to investigate itself thoroughly.
The 2012 FCPA Guidance states the following on investigations, “Moreover, once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” That is simply it. This simple introduction was expanded upon in the Justice Department’s Evaluation of Corporate Compliance Programs (Evaluation) released in February. Prong 7 in the Evaluation makes the following inquiries:

Effectiveness of the Reporting Mechanism – How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?

Properly Scoped Investigation by Qualified Personnel – How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented?

Response to Investigations – Has the company’s investigation been used to identify root causes, system vulnerabilities, and accountability lapses, including among supervisory manager and senior executives? What has been the process for responding to investigative findings? How high up in the company do investigative findings go?

The Mead Johnson and Zimmer Biomet matters are but two examples which make clear the need to have robust, integrated investigations. Marc Bohn, writing in the FCPA Blog, said about the Mead Johnson matter, “Investigations that lack sufficient depth, resources, or forethought can pose significant risk because they increase the likelihood that something critical will be overlooked, potentially permitting misconduct to continue unabated.” Both Mead Johnson and Zimmer Biomet point to the critical nature of FCPA investigations and why the government takes this requirement so seriously.
But more than protecting a company from liability under the FCPA, in the internationalized world of global compliance, investigations are becoming more important. Bio-Rad recently announced that its FCPA settlement was a “risk-factor” which required public disclosure under US securities law.

In the domestic arena, internal investigations can go a long way towards helping a company move past a public relations debacle or perhaps abate negative publicity. One need only consider the recently released internal investigation report commissioned by the Wells Fargo Board of Directors around the bank’s fraudulent accounts scandal. The report was merciless in its criticism of certain structural and cultural failures at the bank. It named names of culpable former senior executives at the company. However, one thing it did not address was the allegations from multiple whistleblowers who claimed to have reported the fraudulent conduct and were ignored or actively retaliated against. If the internal investigation turns out to have whitewashed these whistleblowers, the financial penalty and negative public reaction could be both swift and severe. Corruption investigations are never a good thing for a company as they can disrupt business relationships and future opportunities. Yet today they are even more important. In the month of June I will be exploring how you can create, design and implement a robust investigation protocol for an internal investigation and when you should bring in outside counsel for an independent investigation. I will consider the Board of Directors’ role in investigations and other corporate functions such as internal audit, IT and legal in any investigation. I will review special issues such as privilege, Upjohn and Miranda warnings and data privacy.
As Hallmark Seven of the Ten Elements of an Effective Compliance program states, in part, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation” and Prong 7 of the Evaluation also deals with reporting, I will consider hotlines, both their implementation and their use in a best practices compliance program. I will feature several compliance practitioners, both lawyers and non-lawyers, who will relate how they developed their investigative strategies and navigated various stakeholders to obtain positive results for their clients.

Three Key Takeaways
1. Failure to thoroughly and properly investigate allegations of corruption can be costly.
2. The internationalization of global anti-corruption enforcement makes performing robust investigations even more important.
3. Use the month of June to learn about key aspects of investigations and internal reporting mechanisms.

FCPA Compliance Report
Day 20 of One Month to Better Compliance Through HR

May 26, 2017 (11:43)


The key concept from the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation) is operationalization. For instance, under the query Shared Commitment is the following question: “How is information shared among different components of the company?” Under the Prong relating to Policies and Procedures, the query Designing Compliance Policies and Procedures asks, “What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?” Lastly, under the same Prong is Responsibility for Integration, with the following question: “Who has been responsible for integrating policies and procedures?” These questions point to a Chief Compliance Officer (CCO) or compliance practitioner demonstrating how compliance is being burned into the fabric of an organization. While leadership at and from the top has long been considered by both the DOJ and compliance professionals as a key element to move compliance forward, the Evaluation has also crystallized thinking around compliance leadership from the middle and the bottom. I thought about these concepts when reading a recent Financial Times (FT) article by Andrew Hill, entitled “Leadership from the bottom up”. I was particularly struck by a quote from Shlomo Ben-Hur, a professor at IMD business school, who said, “We teach the top 5 per cent — but the majority of this work is carried out by the other 95 per cent.”

In Ben-Hur’s work he found that many executives came from the middle management ranks.
They tended to be persons with a determination to “take what I have responsibility for and make it truly great.” Anecdotally, he related, “They typically said, ‘I’ve responsibility for the minibus,’ and people then asked them to drive bigger and bigger buses until one day they drove the whole business.” Think of the military and the responsibility given to front line commanders and how that “is increasingly reflected at large companies.”

The key for companies is that senior management must “find ways to transmit leadership skills to people who do not have ‘leader’ in their job description and will probably never attend a top-level leadership program.” Hill noted, “Ben-Hur’s work has focused on ensuring that managers understand how to assign the right jobs to their team members and motivate them to perform well, using theories of behavioural change that senior executives have typically never learnt on their way to the top. Dedicated managers well below the executive board need to know how to use these tools.”

For the CCO or compliance practitioner, this provides a clear path to help in the operationalizing of compliance by providing the tools to persons far down the organization to put compliance into the operations of a business. One thing Hill writes about is that a company should nurture such learning because by doing so, it will not only teach practical skills around compliance but also foster a strong internal network of compliance advocates who can move initiatives up and down an organization. Moreover, as these individuals progress through the company ranks, they can take their compliance message with them at each new level.

Building on the writings of Hill and the work of Professor Ben-Hur, my suggestion is to build a Compliance Excellence Center in your company. Bring in middle-managers to focus on understanding not only their roles in compliance but also how to assign the right team members to a compliance initiative and motivate employees going forward.
Hill wrote that Airbus has recently established a corporate ‘university’ to spread leadership ideas through the company. Airbus’ theory behind this push is “being a leader isn’t just about being a vice-president; it’s about being able to push the company towards new ways of doing things and executing the things we have to execute. That could [apply to] a blue-collar worker on the shop floor or a VP.”

A key is not simply to train such middle and front line managers on compliance but to get them to consider rollout, effectiveness, testing and improvement. In other words, as Jay Martin would say, it is all about execution. One way to help facilitate this is through exercises using incentives to “make leadership insights stick and change workplace behavior.” Hill also writes that concepts from entrepreneurship can assist in such learning by encouraging managers to “think and act independently” to operationalize compliance. Finally, never forget mentoring as a way to spread good compliance practices throughout a company if a more formal approach is not possible.

Too often, strategies to move a compliance program or even an initiative come from the top of an organization and are pushed down. To fully operationalize compliance, you must have leadership in compliance further down the organization which (hopefully) has been a part of the design process and can lead the implementation throughout an organization.

Three Key Takeaways
1. While tone at the top is critical, the tone at the bottom can actually work to more fully operationalize compliance.
2. 95% of the work is done at this bottom level.
3. Use HR to come up with a strategy to move compliance into the bottom for more complete operationalization.
This month’s series is sponsored by Advanced Compliance Solutions and its new service offering the “Compliance Alliance” which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.

FCPA Compliance Report
Day 18 of One Month to Better Compliance Through HR

May 24, 2017 12:55


The role of Human Resources (HR) in anti-corruption compliance programs is often underestimated. If your company has a culture where compliance is perceived to be in competition with or, worse yet, antithetical to HR, the company certainly is not hitting on all cylinders and may be moving towards dysfunction. Another way you can operationalize compliance is through HR’s involvement in employee promotion. Prong 8 of the Evaluation of Corporate Compliance Programs asks the following question: Have there been any examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

The 2012 FCPA Guidance expounded further, “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an acceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his win-loss record.” In other words, make compliance significant for professional growth in your organization and it will help to drive the message of doing business in compliance.

I thought about these concepts when I read an article in the Corner Office column of the Sunday New York Times (NYT), where columnist Adam Bryant interviewed Sally Smith, the Chief Executive of Buffalo Wild Wings, the restaurant chain.
She had some interesting concepts not only around leadership but also on the hiring and promotion functions, which are useful for any Chief Compliance Officer (CCO) or compliance practitioner striving to drive compliance into the DNA of a company.

Here Smith put her thoughts on promotions in a manner not often articulated. One of her cornerstones is to search out the best person for any open position, whether through an external hire or internal promotion. Bryant stated that Smith said “We use the phrase “wait for great” in hiring. When you have an open position, don’t settle for someone who doesn’t quite have the cultural match or skill set you want. It’s better to wait for the right person.”

Smith articulated some different skills that she uses to help make such a determination. Once a potential hire or promotion gets to her level for an interview, she will assume that person is technically competent, but “I assume that you’re competent, but I’ll probe a bit to make sure you know what you’re talking about. And then I’ll say, “If I asked the person in the office next to you about you, what would they say?””

Passion and curiosity are other areas that Smith believes are important to probe during the hiring or promotion process. In the area of passion, Smith will “Often ask, “What do you do in your free time?” If they’re passionate about something, I know they’re going to bring that passion to the workplace.” Smith believes curiosity is important because it helps to determine whether a prospective hire will fit into the Buffalo Wild Wings culture. Bryant wrote, “I look for curiosity too, because if you’re curious and thinking about how things work, you’ll fit well in our culture. So I’ll ask about the last book they read, or the book that had the greatest impact on them.” Smith also inquires about jobs or assignments that went well and “ones that went off the tracks.
You ask enough questions around those and you can determine whether they’re going to need a huge support team.”

I found these insights by Smith very useful for a compliance practitioner and the hiring and promotion functions in a compliance program. By asking questions about compliance you can not only find out the candidate’s thoughts on compliance but you will also begin to communicate the importance of such precepts to them in this process. Now further imagine how powerful such a technique could be if a Chief Executive asked such questions around compliance when they were involved in the hiring or promotion process. Talk about setting a tone at the top from the start of someone’s career at that company. But the most important single item I gleaned from Bryant’s interview of Smith was the “Wait for great” phrase. If this were a part of the compliance discussion during promotion or hiring, that could lead to having a workforce committed to doing business in the right way.

Three Key Takeaways
• Denying a promotion or award due to an employee’s ethical lapses.
• Use promotions to reinforce your company’s commitment to compliance and ethics.
• Should you wait for great?

FCPA Compliance Report
Day 17 of One Month to Better Compliance Through HR

May 23, 2017 13:43


The Evaluation of Corporate Compliance Programs document makes clear that operationalization of compliance into an organization should be done at multiple levels in a company. Creating an ethical culture is an important step for any company to burn compliance into the DNA of a business. It must be done at every level of an organization on a continuous basis.

In an article in the Harvard Business Journal (HBJ) online publication by Christopher McLaverty and Annie McKee, entitled “What You Can Do to Improve Ethics at Your Company”, the authors surveyed C-suite executives and noted, “More often the dilemmas were the result of competing interests, misaligned incentives, clashing cultures.” Based on this study and their prior work, the authors noted three major obstacles to ethical behavior.

The first was the issue of corporate change. The authors stated, “Companies can warp their own ethical climate by pushing too much change from the top, too quickly and too frequently. Leaders in the study reported having to implement staff reduction targets, dispose of big businesses in major markets, and lead mergers and acquisitions. Some of these activities included inherent conflicts of interest; others simply caused leaders to have to act counter to their values. Many leaders felt poorly prepared for the dilemmas they faced and felt compelled to take decisions they later regretted.”

The second was the age-old dilemma of compensation, where incentives tended to drive certain behaviors or, as the authors stated, “People do what they are rewarded to do, and most leaders are rewarded for hitting targets.” Of course the most recent example is Wells Fargo, where employee compensation was based solely on the number of accounts they opened.
Yet such incentive-based behavior was not limited to front line employees, as the authors stated, “The lure of incentives are a problem in boardrooms too: Bonus payments and executive share schemes are often based on short-term business metrics, which can be counter to long-term success.”

Finally, there was an area which may require a Chief Compliance Officer (CCO) or compliance practitioner to think through several different calculi: cross-cultural differences. Obviously some countries have gift giving cultures, but this is more than simply the value of a gift to give at Christmas; it involves cultures where gift giving may be a part of the overall business relationship. The authors cited examples such as “closing a sales office in Japan, breaking a verbal promise made during after-work drinks in China, or ignoring “sleeping” business partners in a Saudi Arabian deal, all of which have cultural and ethical components.”

An interesting insight was teaching employees how to understand what matters in an organization. This is not simply the written Codes but how things really work. The authors posited three questions: (1) How are employees paid? Obviously a compensation plan is a critical benchmark. If it is solely based on ‘eat what you kill’, focusing on the short term, it may presage problems down the road. (2) Who gets promoted and why? This is not simply whether the high producer gets promoted but also what happens to those who speak up and raise ethical issues. Are they subtly (or not so subtly) discriminated against or held back from promotion? (3) How do employees feel about their organization? Although it seems straightforward, if your employees are disengaged or, worse yet, ashamed of your company, you might be an ethical time bomb waiting to happen.

The authors then turned to initiatives that the interviewees had successfully used in their own organizations to improve the ethical climate.
While noting that there is some importance in the corporate governance documents, such as a Code of Conduct and policies and procedures, the authors averred “Companies become ethical one person at a time, one decision at a time.” This means employees need to understand their organization’s underlying culture. They stated, “Self-awareness enables you to build and strengthen that inner compass. Organizational awareness enables you to identify the forces in your company’s culture and processes that could drive you and others to do the wrong thing. You also need emotional self-control: it takes courage to step away from the crowd and do the right thing.”

To have such courage, the authors noted, many employees who did speak up had a personal network which operates as “an informal sounding board and can highlight options and choices that the leader may not have considered. When making ethical decisions, it’s important to recognize that your way isn’t the only way, and that even mandated choices will have consequences that you must deal with.” This is yet another reason for the breaking down of silos in a corporate organization because “The challenge is that most leaders have networks full of people who think and act like them and many fail to seek out diverse opinions, especially in highly charged situations. Instead, they hunker down with people who have similar beliefs and values. This can lead to particularly dire consequences in cross-cultural environments.”

Finally, and perhaps most intuitively, is speaking up. Here business leaders must encourage not only a speak up culture but also one of no retaliation. But it is more than this. As Vanessa Rossi, FCPA Due Diligence Counsel at Baker Hughes Inc., noted in a panel discussion at the Greater Houston Business and Ethics Roundtable, it is more ‘tones at the tops’, as for many employees senior leadership resides in the form of their direct manager.
The authors phrase it as “If you find you need to speak up, there will be a number of choices to be made. Do you talk to the boss? Consult with peers? Work with advisory functions such as legal, compliance or human resources? You can draw on your personal network for support and guidance on the right way forward within the context of your unique situation.”

Ethics and compliance blend together in the corporate world. It is not just the responsibility of CCOs and compliance practitioners but of senior managers to support those employees who want to do the right thing. While written protocols are significant in both detection and prevention, one should never lose sight of a corporate culture as a way to positively impact your workforce and company going forward.

Three Key Takeaways
• Beware of the three obstacles to creating an ethical culture.
• What really matters in your company?
• A speak up culture will improve the operational performance of your business.

FCPA Compliance Report
Day 14 of One Month to Better Compliance Through HR

May 18, 2017 12:03


What should a company do when it desires to hire a Chief Compliance Officer (CCO)?

I sat down and visited with Maurice Gilbert, the Managing Partner at Conselium Partners LP. Gilbert believes that it behooves any company to find the right CCO or compliance practitioner for the right position. But to do so, a company needs to fully understand and appreciate what it needs from such a position going forward. Unfortunately, many companies do not have this insight at the beginning of the recruitment process.

The process often begins with the company-supplied job description, which Gilbert noted is “typically a legacy of various things that are not even updated. It's a hodgepodge of things that maybe began a few years ago, but it needs to be updated to reflect what’s going on in the company at that particular moment. You have certain business risks. You have certain regulatory risks.... You need to be attentive to those risks so that you could build your profile about what those risks need to be addressed presently.” Moreover, “what you’re going to get in a company job description is just a litany of things that actually could be quite disjointed and may not necessarily make sense for what you’re going to be asking the person to do.”

Gilbert will bring the key company stakeholders into an initial meeting to help them understand the process. Obviously, this will include Human Resources (HR) and others involved in the internal hiring process for the company. Gilbert gets them to rethink their approach to focus on what they will ask the new hire to accomplish, because typically there is a disconnect between what the company thinks it needs and what it really needs.

The next step is developing an appropriate job profile. Gilbert will ask the key stakeholders to give him a list of four things they would like the new hire to accomplish in the first year of employment.
By limiting this to four, Gilbert not only ends unrealistic expectations but helps winnow down the inevitable “laundry list of, “We'd like the professional to accomplish 30 things within the first year.” Many of which, are inconceivable. They have to be done in the course of several years. When we’re listening to the response, we, again, are counseling our client as to whether that makes sense or if that’s an unreasonable, let’s say, expectation.”

Gilbert gave an example of a recent search he headed for a client. One of the things he was able to develop at this initial meeting was that the company wanted the CCO “to spend the first two, three months evaluating her staff, to see if she has the appropriate team in place for the rest of the journey. By the way, she’s traveling all over the world doing just that. Evaluating her staff.” However, that task alone could take several months. The company also wanted the CCO to perform a comprehensive risk assessment immediately upon starting the position. It is simply not realistic to expect such disparate and time-consuming tasks to be performed so quickly, all while the new CCO would be expected to travel to company locations across the globe.

Another important issue in this initial meeting is the professional growth opportunities that the company will present to any candidate. Gilbert explained that this is something companies do not always appreciate in the hiring process. Yet, as he explained, a company is trying to get a seasoned executive to leave a position, so it needs to have an attractive package ready to present. It is more than simply salary and benefits. Gilbert said, “we have to capture data such as, “What are career growth options once a person steps in and does a good job for three, whatever, years?” We have to capture data. “What is the culture of the company? What is the culture of the compliance department? What are the hot buttons and the management strategy, if you will, of the hiring authority?
How does that person like to interface with the individuals?” A final query to the company is around the sourcing of candidates. Gilbert needs to know if there are any particular competitors, or companies, which the client feels are hands off for sourcing candidates. Before he leaves this meeting he needs to know the companies that his client does not want Conselium to recruit from.

I found these points quite illuminating for several reasons. First, the company was not clear on what it wanted the new CCO to accomplish and had not thought through what it would need to commit to in terms of resources to have these goals accomplished. Second, it demonstrated that the communications flow facilitated learning on the part of both parties, i.e., for the client this was to have a realistic expectation of the new role and for Gilbert it was to help develop an appropriate Job Profile. It also demonstrated the collaborative nature of the relationship. By engaging in this process Gilbert is able to move from simply a third party executive search firm to a trusted advisor to the client. By having such a relationship Gilbert and his company, Conselium, are able to deliver a much more focused and valuable service beyond the typical generalist experience available inside a corporation in the hiring process.

From these discussions, Gilbert will develop a Job Profile and present it to the company to have them sign off on not only the package of what they are looking for in a candidate, but also the package they will be willing to present. Gilbert related that through the capture of and agreement with these points, he is ready to begin the next step, which is to tell the compelling story about the job position on behalf of his client.

Three Key Takeaways
• Bring in your key stakeholders to flesh out the job description.
• Consider the top four things you would like a new CCO to accomplish in the first year.
• For a new CCO to succeed, the company must have a realistic expectation developed before the process begins.

FCPA Compliance Report
Day 10 of One Month to Better Compliance Through HR

May 12, 2017 13:30


In the Department of Justice’s Evaluation of Corporate Compliance Programs, Prong 8, Incentive and Disciplinary Measures, states: Incentive System – How has the company considered the potential negative compliance implications of its incentives and rewards?

This week I have been considering how a company could use incentives to further a compliance program and the role of HR in this process. I want to consider how incentives might lead to the converse by looking at the intersection of sales incentives and compliance which led to the problems at Wells Fargo. When you misalign these two concepts with a faulty sales strategy, it can lead to a catastrophic failure, literally costing a company millions of dollars in fines, loss of business and depreciation of shareholder value.

The sales incentive under which Wells Fargo came to such grief is simple and even benign: cross-selling of products. As noted by Rachel Louise Ensign, writing in a Wall Street Journal (WSJ) article entitled “Banks Simple Strategy Gets Tangled”, “the concept sounds simple enough. If a customer has a checking account, why not sell him a mortgage, wealth management services and credit card as well?” She went on to write, “with banks becoming larger over the past two decades, cross-selling has become a mantra.” You can also think of the cross-selling McDonalds engages in every time you buy a Big Mac when the representative asks you “Would you like french fries with that?”

Yet there are other reasons for engaging in this type of business practice. Each and every time a company has a touchpoint, particularly a commercial touchpoint with a business, it strengthens the relationship. Gary Silverman, writing in the Financial Times (FT) in an article entitled “John Stumpf, the Labrador of Main Street”, said of Wells Fargo’s Chief Executive Officer (CEO), “Mr Stumpf’s take on traditional Wells teaching was to promote deeper, more frequent contact with the people it serves.
“If there’s one word to describe this company, it’s ‘relationship,’” he told the Financial Times in May. “What we’re trying to do is make sure that every team member, in every interaction with a customer, gets it right. If we don’t get it right, we try to make it right, really quickly.””

So what starts off as a legitimate, legal and beneficial business strategy becomes not only high risk but illegal because of the manner in which Wells Fargo administered its approach to cross-selling. As with any sales initiative, if a company wants to push it, it will set up incentives for the sales team to engage in such behavior. This can be done by increasing commissions around the service or product being emphasized, such as the bank’s products. Ensign noted, “Banks have tried to create incentives for cross-selling.” At some banks, “Branch employees can get bonuses—sometimes 10% or more of their salaries—when they sell additional products.” Companies can also increase sales by making clear that you will be evaluated on how much you sell a product or service. In other words, whether you receive a bonus, pay raise or even keep your job will be evaluated, in some part, on how much you cross-sell.

You can even have a hybrid of the above, which may be the worst of all worlds. At Wells Fargo, employees were evaluated for continuing employment by supervisors on cross-selling. Yet they did not receive the same financial incentives to make such cross-selling. Branch managers and supervisors could receive bonuses of up to $10,000 per month for meeting cross-selling quotas, while employees who hit their monthly quotas received, in addition to continued employment, $25 gift cards.
A panel at Compliance Week 2016, entitled “The Unsolvable Problem: Performance, Pay, Pressure and Misconduct”, included an academic type, Marc Hodak, adjunct Professor of Business at New York University, Alexander Proels, Compliance Head Americas at Siemens, and Michael Weisman, Chief Ethics and Compliance Officer at The Kraft Heinz Company. They had some interesting thoughts around compensation, which I think you should consider in your role as a Chief Compliance Officer (CCO) going forward. One key area is the amount of your variable compensation relative to risk. What does your discretionary bonus program consist of? Is it corporate performance based? Group performance based? Only personal, i.e. eat what you kill? Or is it some combination of all of the above?

What are some of the indicia that your compensation structure might be off the rails from the compliance perspective? Weisman gave three examples: (1) lofty goals but no direction for employees on how to get there; (2) a paucity of communication between management and line employees, meaning there was raw fear from employees to inform their immediate supervisor of bad news (conversely, it could be the supervisors who do not want to hear such bad news); and (3) a singular focus on numbers at your company, meaning that is the single judge of your worth as an employee.

Tied directly into this concept is that for every incentive there is an offsetting risk. Managing that risk must be done on an ongoing basis. As a CCO or compliance practitioner, you need to know your business and be a trusted business partner. You will need to understand the design of incentive plans and finally to be able to monitor incentive plans to identify underlying links that may arise through compliance violations.
Hill ended his piece by citing Oxford Saïd Business School Professor Jonathan Trevor for the following: “whether the strategy, purpose and structure of companies are aligned often makes the difference between a good organisation and a bad one. Expunging phantasms is essential, but not enough. Leaders also need to make new truces, lest the dead hand of past behaviour strangles new ways of working.” This is particularly true in the convergence of compensation and compliance. Whatever the structure, there will be employees who try to game the system. Some will do it with the tacit or explicit approval of management. You, as the CCO, may be required to act.

Three Key Takeaways
• Even a benign sales incentive program can become skewed.
• A sales incentive program can become high risk or illegal if not properly monitored.
• If there is alignment between the strategy, purpose and structure of an incentive system, it often makes the difference between a good and a bad one.

FCPA Compliance Report
Day 8 of One Month to Better Compliance Through HR

May 10, 2017 13:28


One of the areas that many companies have not paid as much attention to in their Foreign Corrupt Practices Act (FCPA) anti-corruption compliance programs is compensation. However, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have long made clear that they view monetary structure for compensation, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, the then SEC Director of Enforcement, Stephen M. Cutler, said “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.” The FCPA Guidance states the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.”

A Harvard Business Review (HBR) article, entitled “The Right Way to Use Compensation”, discussed a company’s design and redesign of its employees’ compensation system to help drive certain behaviors. The piece’s subtitle indicated how the company fared in this technique, as it read, “To shift strategy, change how you pay your team.” The article lays out a framework for the Chief Compliance Officer (CCO) or compliance practitioner to operationalize compensation as a mechanism in a best practices compliance program.

As your compliance program matures and your strategy shifts, “it’s critical that the employees who bring in the revenue - the sales force - understand and behave in ways that support the new strategy.
The sales compensation system can help ventures achieve that compliance.” The prescription for you as the compliance practitioner is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance program matures, from installing the building blocks of compliance to burning anti-corruption compliance into the DNA of your company.

There are three key questions you should ask yourself in modifying your compensation structure. First, is the change simple? Second, is the change aligned with your company values? Third, is the effect on behavior immediate due to the change?

Simplicity

Your employees should not need “a spreadsheet to calculate their earnings.” This is because if “too many variables are included, they may become confused about which behaviors” you are rewarding. Keep the plan simple and even employ KISS (Keep it simple, sir) when designing your program. If you do not do so, your employees might fall back on old behaviors that worked in the past. Roberge notes, “It should be extraordinarily clear which outcomes you are rewarding.”

The simplest way to incentivize employees is to create metrics that they readily understand and that are achievable in the context of the compliance program. This can start with attending Code of Conduct and compliance program training. Next might be a test to determine how much of that training was retained. It could be follow up, online training. It could mean instances of being a compliance champion in certain areas, whether with your employee base or third party sales force.

Alignment

As the CCO or compliance practitioner, you need to posit the most important compliance goal your entity needs to achieve. From there you should determine how your compensation program can be aligned with that goal.
Roberge cautions what the DOJ and SEC both seem to understand, that you should not “underestimate the power of your compensation plan.” You can tweak your compliance communication, be it training, compliance videos, compliance reminders or other forms of compliance messaging, but it is important to remember that “if the majority of your company’s revenue is generated by salespeople, properly aligning their compensation plan will have greater impact than anything else.”

The beauty of this alignment prong is that it works with your sales force throughout the entire sales channel. If your sales channel is employee based, then their direct compensation can be used for alignment. However, such alignment also works with a third party sales force such as agents, representatives, channel ops partners and even distributors. Here Roberge had another suggestion regarding compensation that I thought had interesting concepts for third parties, the holdback or even clawback. This would come into place at some point in the future for these third parties who might meet certain compliance metrics that you design into your third party management program.

Immediacy

Finally, under immediacy, it is important that such structures be put in place “immediately” but in a way that incentivizes employees. Roberge believes that “any delay in the good (or bad) behavior and the related financial outcome will decrease the impact of the plan.” As a part of immediacy, I would add there must be sufficient communication with your employee or other third party sales base. Roberge suggested a town hall meeting or other similar event where you can communicate to a large number of people.

Even in the world of employee compensation incentives, there should be transparency. He cautioned that transparency does not mean the design of the incentive system is a “democratic process. 
It was critical that the salespeople did not confuse transparency and involvement with an invitation to selfishly design the plan around their own needs.” However, he did believe that the employee base “appreciated the openness, even when the changes were not favorable to their individual situations.” Finally, he concluded, “Because of this involvement, when a new plan was rolled out, the sales team would understand why the final structure was chosen.”

So just as Roberge, working with HubSpot as a start-up, learned through this experience “the power of a compensation plan to motivate salespeople not only to sell more but to act in ways that support a start-up’s evolving business model and overall strategy”, you can also use your compensation program as such an incentive. For the compliance practitioner, one of the biggest reasons is first to change a company’s culture to make compliance more important and then to burn it into the fabric of your organization. But you must be able to evolve in your thinking and professionalism as a compliance practitioner to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process.

Three Key Takeaways
The DOJ and SEC have long advocated compensation as a way to motivate employees into ethical and compliant behaviors.
Keep the compliance aspects of your compensation structure simple and easy for your employees to understand.
Have full transparency in the frame of your compensation structure.

This month’s series is sponsored by Advanced Compliance Solutions and its new service offering the “Compliance Alliance” which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. 
Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.

FCPA Compliance Report
Day 23 of One Month to Operationalizing Your Compliance Program


Mar 31, 2017 13:49


I conclude my One Month to Operationalizing your Compliance Program series by discussing how you can put your compliance program at the center of corporate strategy. An article in the Harvard Business Review (HBR) by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect up management’s new sales plans with the “field realities.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”, Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.”

This can be a critical problem when operationalizing compliance because operationalizing compliance is usually perceived as a top-down exercise. The reality of the employee base that must execute the compliance strategy is not considered. Even when there are comments from employees on compliance initiatives, they are often derisively characterized as ‘push-back’ and not taken into account in moving the compliance effort forward.

Communicate the Strategy

It can be difficult for an employee base to implement a strategy that they do not understand. Even a company-wide training rollout is often followed only by “a string of e-mails from headquarters and periodic reports back on results. There are too few communications, and most are one-way; the root causes of underperformance are often hidden from both groups.” Here Cespedes’ insight is that clarification is a leadership responsibility and in the compliance function that means the Chief Compliance Officer (CCO) or other senior compliance practitioner. 
Moreover, if the problem is that employees do not understand how to function within the parameters of the compliance program, then there is a training problem and that is the fault of the compliance department. I once was subjected to a PowerPoint of 268 slides, which lasted 7.5 hours, about my company’s compliance regime. To say this was worse than useless was accurate. The business guys were all generally asleep one hour into the presentation as we went through the intricacies of the books and records citations to the FCPA. The training was a failure but it was not the fault of the attendees. If your own employees do not understand your compliance program, that is your fault.

Continually improve your compliance productivity

Why not incentivize productivity around compliance? Work with your Human Resources (HR) department to come up with appropriate financial incentives. Many companies have ad hoc financial awards, which they present to employees to celebrate and honor outstanding efforts. Why not give out something like that around doing business in compliance? Does your company have, as a component of its bonus compensation plan, a part dedicated to compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when annual bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice.

Improve the human element in your compliance program

This is another area where HR can help the compliance program. 
More than ongoing assessment of employees for promotion into leadership positions, here HR can assist on the ground floor. HR can take the lead in asking questions around compliance and ethics in the interview process. Studies have suggested that certainly Gen Y & Xers appreciate such inquiries and want to work for companies that make such business ethics a part of the discussion. By having the discussion during the interview process, you can not only set expectations but you can also begin the training process on compliance.

However, this approach should not end when an employee is hired. HR can also assist your compliance efforts by tracking employees through their company career to identify those who perform highly in any compliance metric. This can also facilitate the delivery of more focused compliance training to those who may need it because of changes in compliance risks during their careers.

Make your compliance strategy relevant

Cespedes notes, “Most C-suite executives know these value-creation levers, but too few understand and operationalize the sales factors that affect them.” In the sales world this can translate into a reduction in assets allocated to underperforming activities. This is all well and good but such actions must be coupled with an understanding of why sales might be underperforming in certain areas. In the compliance realm, I think this translates into two concepts, ongoing monitoring and risk assessment. Ongoing monitoring can allow you to move from a simple prevent mode to a more prescriptive mode, where you can uncover violations of your company’s compliance program before they become full blown FCPA violations. By using a risk assessment, you can take the temperature of where and how your company is doing business and determine if new products or service offerings increase your compliance risks.

Above all, you need to get out and tell the compliance story. 
Louis D’Amrosio was quoted for the following, “You have to repeat something at least 10 times for an organization to fully internalize it.” If there is a disconnect between your compliance strategy and how your employee base is implementing or even interpreting that strategy, get out of the office and go out to the field. But you need to do more than simply talk; you also need to listen. By doing so, you can help to align your company’s compliance strategy with its delivery in the field.

Three Key Takeaways
Use information from your employees to make your compliance program more productive.
Use social media and other innovative techniques to communicate your compliance strategy.
Operationalize Operationalize Operationalize, then Document Document Document.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

FCPA Compliance Report
Day 19 of One Month to Operationalizing Your Compliance Program


Mar 27, 2017 13:07


Under the Evaluation of Corporate Compliance Programs, Prong 2, it states:

Senior and Middle Management
Conduct at the Top – How have senior leaders, through their words and actions, encouraged or discouraged the type of misconduct in question? What concrete actions have they taken to demonstrate leadership in the company’s compliance and remediation efforts? How does the company monitor its senior leadership’s behavior? How has senior leadership modelled proper behavior to subordinates?

This requirement is more than simply the ubiquitous ‘tone-at-the-top’ as here the Justice Department wants to see a company’s senior leadership actually doing compliance. How can senior management operationalize compliance going forward? One of the best places to start is the article from the Harvard Business Review by Professor Lynn Paine entitled, “Managing for Organizational Integrity”. Larry Thompson, former PepsiCo Senior Vice President of Governmental Affairs, General Counsel and Secretary, discussed the work of Professor Paine in citing five factors, which he believed were critical in establishing an effective integrity program and to set the right “Tone at the Top”.

The guiding values of a company must make sense and be clearly communicated.
The company’s leader must be personally committed and willing to take action on the values.
A company’s systems and structures must support its guiding principles.
A company’s values must be integrated into normal channels of management decision-making and reflected in the company’s critical decisions.
Managers must be empowered to make ethically sound decisions on a day-to-day basis.
David Lawler, in his book, Frequently Asked Questions in Anti-Bribery and Corruption, boiled it down as follows: “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” Lawler went on to provide a short list of points that he suggests senior management engage in to communicate the type of tone to follow an anti-corruption regime.

I had a CEO of a client, who after I described his role in operationalizing his company’s compliance program observed the following, “You want me to be the ambassador for compliance.” I immediately averred in the affirmative. The following is a list of things that a CEO can do as an ‘Ambassador of Compliance’:

Reject a ‘do as I say, not as I do’ mentality;
Not just ‘talk-the-talk’ but ‘walk-the-walk’ of compliance;
Oversee creation of a written statement of a zero tolerance towards bribery and corruption;
Appoint and fully resource, with money and headcount, a Chief Compliance Officer;
Oversee the development of a Code of Conduct and written compliance program implementing it;
Ensure there are compliance metrics on all key business reports;
Provide leadership to middle managers to facilitate filtering of the zero tolerance message down throughout the organization;
Not only have a whistleblowing, reporting or speak up channel but celebrate it;
Keep talking about doing the right thing;
Make sure that you are seen providing your Chief Compliance Officer with access to yourself and the Board of Directors.

Coming at it from a different perspective, author Martin Biegelman provides some concrete examples in his book entitled, “Building a World Class Compliance Program – Best Practices and Strategies for Success”. 
Biegelman begins the chapter discussed in this posting with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. In this chapter Biegelman cites a list used by Joe Murphy of actions that a CEO can demonstrate to set the requisite tone from the Captain’s Chair of any business. The list is as follows:

Keep a copy of the Constitution on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
Clout. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer (CCO) report directly to the Board of Directors.
Make them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
Sticks and Carrots. Have both sanctions for violation of company compliance and ethics policies and incentives for doing business in a compliant manner.
Don’t do as I say, Do as I do. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
Be a Student. Be seen at intra-company compliance training. Take a one or two day course or attend a compliance conference outside your organization.
Award Compliance. You should recognize outstanding compliance efforts with companywide announcements and awards.
The Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the audit or compliance committee.
Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Audit Committee.
Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
Talk to others in your industry and your peers on how to improve your company’s compliance efforts.

Many companies struggle with some type of metric which can be used for upper management regarding compliance and communication of a company’s compliance values. One technique might be to require the CEO to post companywide emails or other communications once a quarter on some compliance related topic. The CEO’s direct reports would then also be required to email their senior management staff a minimum of once per quarter on a compliance topic. One can cascade this down the company as far as is practicable. Reminders can be set for each communication so that all personnel know when it is time to send out the message. If these communications are timely made, this metric has been met.

Three Key Takeaways
Senior management must actually do compliance; walk-the-walk, not simply talk-the-talk.
Use your CEO to talk about current events and how those ethical failures are lessons to be learned for your organization.
CEO as Compliance Ambassador.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

FCPA Compliance Report
Day 11 of One Month to Operationalization of Your Compliance Program


Mar 15, 2017 12:44


Today I want to explore in some detail the first Objective in the COSO 2013 Framework, the Control Environment, as a path to operationalize your compliance program. This Objective lays out five steps you can take to put the responsibility on functional corporate disciplines to imbue compliance into the fabric of an organization.

A. Control Environment

Rittenberg said this “sets the tone for the implementation and operation of all other components of internal control. It starts with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees.” The five principles of the Control Environment Objective are as follows:

Principle 1 - The organization demonstrates a commitment to integrity and ethical values.
Principle 2 - The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Principle 3 - Management establishes with board oversight, structures, reporting lines and appropriate authorizations and responsibility in pursuit of the objectives.
Principle 4 - The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.
Principle 5 - The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

Principle 1 - Commitment to integrity and ethical values

What are the characteristics of this Principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or other baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. 
This requires an auditor to be able to assess if a company has met its requirements for ethics and compliance and whether that commitment can be effectively measured and assessed.

Principle 2 - Board independence and oversight

This Principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. There should be compliance expertise at the Board level which allows it to actively manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, information, compliance communications and compliance monitoring activities. Here, the Board’s Compliance Committee must demonstrate independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.

Principle 3 - Structures, reporting lines, authority and responsibility

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this Principle, you should consider all of the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally, this Principle requires establishment of the appropriate authority within the compliance function. You must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

Principle 4 - Attracting, developing and retaining competent individuals

This Principle gets into the nuts and bolts of operationalizing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures and that any demonstrated shortcomings be addressed. 
This Principle next turns to the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. You must be able to demonstrate, through compliance policies and their implementation and operationalization, a commitment to attracting, developing and retaining competent persons in the compliance function and more generally employees who accept the company’s general principle of doing business ethically and in compliance.

Principle 5 - Individuals held accountable

This is the ‘stick’ Principle. A company must show that it enforces compliance accountability through its compliance structures, authorizations and responsibilities. A company must establish appropriate compliance performance metrics, incentives to do business ethically and in compliance and, finally, clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly, a company must consider pressures that it sends through off-messaging. Finally, each employee must be evaluated in his or her compliance performance, coupled with both rewards and discipline for employee actions around compliance. This Principle requires evidence that can demonstrate to an auditor there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

The COSO formulation for internal controls is a key component for any best practices compliance program, whether based upon a FCPA formulation or another anti-corruption law, such as the UK Bribery Act. 
Moreover, as it is probably the most utilized internal controls formulation under Sarbanes-Oxley 404(b) reporting, it should be well-known to your corporate internal controls function and therefore accessible to you as a Chief Compliance Officer (CCO) or compliance professional. In addition to the Principles articulated herein, the specific Points of Focus listed in the COSO 2013 Framework can provide a roadmap for testing and evidencing your compliance program in this area. You should not fail to take advantage of it.

Three Key Takeaways
The COSO 2013 Framework sets out a structure which the compliance practitioner can use to put compliance into the fabric of an organization.
For any public company, using the COSO Framework will allow a full response to any SOX 404(b) inquiry by regulators or auditors.
The Control Environment Objective allows for not only implementation of controls but also requires individual accountability, as is set out in the Justice Department Evaluation of Corporate Compliance Programs.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

FCPA Compliance Report
Day 8 of One Month to Operationalizing Your Compliance Program


Mar 10, 2017 11:27


Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important, key step as it will allow you to have full visibility of your compliance risks through a longer life cycle. Forecasting allows you to consider your business strategy and wed it to the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor the compliance risks you know, and detect those you do not know, on an ongoing basis.

I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment as it is articulated as Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. From the FCPA Guidance, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the FCPA Guidance also specified the enforcement reasons for performing a risk assessment, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” The DOJ Evaluation of Corporate Compliance Programs builds on this.

Yet as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal prophylactic, but as a business process. 
Seen in this light, it is clear the risk management process should begin with forecasting as it attempts to estimate future aspects of your business. Locwin noted that companies should be able to say with some degree of authority, “We think the following will happen in the next three months, six months, twelve months, twenty-four months, is really something that the businesses try to wrap their heads around in such a way that they can shunt resources where they think is appropriate in order to meet these future demands.”

By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict or issues which the forecasting model raised as a potential outcome which warranted a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks.

Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Locwin said, “Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.”

All of these three tools tie back into process management and process improvement. Locwin stated, “There’s always this balance between what’s actually important for our business or for proper execution, versus what’s actually going on in the whole process. 
If you’re not measuring at a high enough resolution, you’re not capturing a lot of the environmental, market force, external factors that probably are of high leverage to your operations in business that you just don’t know about.”

Locwin tied them together with the following example, “There’s a 30% chance of this abject market failure happening, this product fails, this restaurant site contaminates people, this product doesn’t ship before Christmas, this phone explodes.” If you knew that in advance, the executive committee probably almost everywhere would say, “We have to act, and act now.” That’s where the rubber meets the road and you’ve got to have a forecast and a contingency in place. A lot of times, there isn’t that level of forecasting done in advance to say, “We think there’s this 30% chance of it occurring, therefore not only do we need a strong contingency plan, but we should expect to have to use it in Quarter 2. It’s right there sitting on everybody’s dashboard all the time.” In other words, it comes down to execution. This means you have to use the risk management tools available to you and when a situation arises, you remediate when required. This is not only where the rubber hits the road but the information and data you garner in the execution phase should be fed back into the process loop. From this, you will develop continuous feedback and continuous improvement.

I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center.

Three Key Takeaways
The risk management process is an important backbone of operationalizing compliance.
You should be able to monitor and measure both known and unknown risks.
All of these steps help a business to run more efficiently and more profitably.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

FCPA Compliance Report
Day 3 of One Month to Operationalizing Your Compliance Program


Mar 3, 2017 13:14


Yesterday I began a two-part series on the Department of Justice’s (DOJ) “Evaluation of Corporate Compliance Programs” (Evaluation) posted on the Fraud Section website in February. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner.

Three Key Takeaways
This DOJ Evaluation provides clear guidance on the expectations of government regulators regarding what your program should consist of, how it should be effected and where you need to go down the road.
It is also a valuable teaching tool as you can lay out for your Board and senior management the clear requirements for any best practices compliance program.
The document also re-emphasizes that you should listen when the DOJ communicates its expectations around compliance.

Beginning with the initial public remarks of Hui Chen and comments by former Assistant Attorney General Leslie Caldwell in November 2015, through the announcement of the FCPA Pilot Program in April 2016 and subsequent public remarks by Caldwell, Sally Yates and Daniel Kahn, the DOJ has consistently articulated the need for the operationalization of a corporate compliance program. Indeed, one can draw a straight-line from Caldwell’s November 2015 remarks at the SIFMA Compliance and Legal Society New York Regional Seminar where she presented the requirements to operationalize compliance in discussing compliance program metrics. Any company which simply puts a paper program in place, whether it is certified or not, and then sits back on its collective hands, is in for a very rude awakening if it comes before the DOJ in an investigation or enforcement action. 
For it is in operationalization of your compliance program that the DOJ will give credit to a functioning compliance program.  This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com. Learn more about your ad choices. Visit megaphone.fm/adchoices

FCPA Compliance Report
Day One of One Month to Operationalizing Your Compliance Program

FCPA Compliance Report

Play Episode Listen Later Mar 1, 2017 10:10


Last month, the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. The document has one clear theme that I will be exploring this month—you must operationalize your compliance program.

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen in not only helping the DOJ to understand what constitutes an effective compliance program but also providing solid information to the greater compliance community on this score.

Three Key Takeaways
  • The DOJ Evaluation requires you to operationalize your compliance program.
  • The DOJ Evaluation makes clear compliance is a business process.
  • The DOJ Evaluation is significant for what it does not focus on, legal solutions or even legal language.

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.

FCPA Compliance Report
Day 20 of One Month to a Better Board

FCPA Compliance Report

Play Episode Listen Later Feb 28, 2017 12:25


I end my One Month to a Better Board series with a discussion from the recently released Justice Department Evaluation of Corporate Compliance Programs as it relates to a Board of Directors. In an area of inquiry entitled “Oversight”, the DOJ asked three basic questions which we have explored throughout this series. The questions presented by the DOJ were:
  • What compliance expertise has been available on the board of directors?
  • Have the board of directors held executive or private sessions with the compliance function?
  • What types of information has the board of directors examined in their exercise of oversight in the area in which the misconduct occurred?

In addition to specifically stating that a Board of Directors must have a compliance subject matter expert going forward, it opines there should be a Board level committee dedicated to compliance as well. I have previously explored questions a Board should ask a Chief Compliance Officer (CCO). Today I want to focus some attention on questions by a Board of Directors around the Compliance Committee itself.

To facilitate the answers to these DOJ questions, I have ended this series with a list of 20 questions below which reflect the oversight role of directors. These are questions which the Board should ask of both senior management and the Board itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary. The comments summarize the most current thinking on the issues and the practices of leading organizations. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Compliance Committee
  • What are the Compliance Committee’s responsibilities and what value does it bring to the board?
  • How can the Compliance Committee help the board enhance its relationship with management?
  • What is the role of the Compliance Committee?

Part II: Building an Effective Compliance Committee
  • What skill sets does the Compliance Committee require?
  • Who should sit on the Compliance Committee?
  • Who should chair the Compliance Committee?

Part III: Directed to the Board
  • What is the Compliance Committee’s role in building an effective compliance program within the company?
  • How can the Compliance Committee assess potential members and senior leaders of the company’s compliance program?
  • How long should directors serve on the Compliance Committee?
  • How can the Compliance Committee assist directors in retiring from the board?

Part IV: Enhancing the Board’s Performance Effectiveness
  • How can the Compliance Committee assist in director development?
  • How can the Compliance Committee help the board chair sharpen the board’s overall performance focus?
  • What is the Compliance Committee’s role in board evaluation and feedback?
  • What should the Compliance Committee do if a director is not performing or not interacting effectively with other directors?
  • Should the Compliance Committee have a role in chair succession?
  • How can the Compliance Committee help the board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committees
  • How can the Compliance Committee enhance the board’s relationship with institutional shareholders and other stakeholders?
  • What is the Compliance Committee’s role in CCO succession?
  • What role can the Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?
  • How can the Compliance Committee help the board in deciding CCO pay, bonus and resources made available to the corporate compliance function?

Three Key Takeaways
  • The DOJ Evaluation of Corporate Compliance Program requires active Board of Director engagement around compliance.
  • Board communication on compliance is a two-way street; both inbound and outbound.
  • Has the Board built an effective Board Compliance Committee?

FCPA Compliance Report
Compliance into the Weeds-Episode 29

FCPA Compliance Report

Play Episode Listen Later Feb 21, 2017 42:45


In this episode, Matt Kelly and I take a deep dive into the Department of Justice’s (DOJ) recent release, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), which went up on the Fraud Section website on February 8. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation.

Compliance into the Weeds
Compliance into the Weeds-Episode 29

Compliance into the Weeds

Play Episode Listen Later Feb 21, 2017 42:45


In this episode, Matt Kelly and I take a deep dive into the Department of Justice’s (DOJ) recent release, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), which went up on the Fraud Section website on February 8. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation.

FCPA Compliance Report
Day 9 of One Month to a Better Board

FCPA Compliance Report

Play Episode Listen Later Feb 13, 2017 12:46


One of the ongoing questions from members of Boards of Directors is how to resolve the tension between oversight and managing. I recently had the opportunity to visit with Joe Howell, the Executive Vice President (EVP) of Workiva, Inc. on this subject. Howell has worked on and with Boards of Directors at various companies and I wanted to garner his understanding of the role of a Board and both senior management and a Chief Compliance Officer (CCO). Howell had a short response which I thought was an excellent starting point to understand the role: put sand in the shoes of management.

The key to such a metaphor succeeding is that a Board of Directors, “by continuing to challenge management on these scenarios that management has considered and the stories management is telling itself about what could go wrong”, can “help get management out of its comfort zone. By and large executive teams begin to believe themselves when they talk about how well they’re doing. The independent challenge that the board can offer putting the little bit of sand in the shoe to make sure that you’re thinking about things carefully can cause you to step back and really focus your resources where they’re needed.”

Boards do this by posing questions to management that help them challenge their own assumptions, especially those assumptions which senior management is most confident about. Howell said that Boards “need to help senior management consider the things that management is so sure about that maybe are going to play out the way that they expect. For example, the things that can hurt investors more than anything else is a surprise. Chaos does not help investors in general. The things that surprise investors frequently are the things that also surprise management. Does management consider all of the things that can go wrong and have they built an environment where they can both help prevent those things from happening and detect them when they’re small and they can actually do something about them?”

Howell noted the role of the Board is not management but oversight, focusing on governance. To do so, an effective Board should challenge senior management not only on what they have planned for but what they may not have considered or may not even know about. He said, “one very good example is the whole, the reputation of those stakeholders involved in the company and that can be the management team itself, the employees, and the board members themselves.” This is because reputational damage hurts everyone. Howell went on to state, “it’s very important as we go through some of the ways the board can help management in that role. I think the things that really make a difference to management is when the board is able to be an effective devil’s advocate. Not managing management but helping them in their governing role by helping management to step back and think critically of their own underlying assumptions and biases.”

One of the continuing struggles I hear from Board members is asymmetrical information, largely due to the siloed nature of company information and structures. Howell acknowledged, “These sorts of barriers are pervasive in any company of any size that has a particularly operations and different product lines and different markets and different countries and different time zones. These limitations in the free flow of information by themselves create a risk to the organization, to the investors of the organization, to the employees of the organization and the board’s ability to ask questions. If nothing else in their governance control creates this reminder to management to open up itself to itself and listen carefully to its own organization and be able to link information to all of the places it needs to be fed.” I asked Howell to further explain his phrase “open itself up to itself and listen”. He provided the following example, “how can the Chief Financial Officer make sure that he is giving all the information that the Chief Compliance Officer needs to do his job? Those questions from the board can be very valuable in making sure that the Chief Financial Officer doesn’t forget these issues and the Chief Compliance Officer has an opportunity to engage constructively with the Chief Financial Officer and others in the organization.”

Somewhat counter-intuitively, Howell noted that when it comes to the Board’s oversight role around internal controls, less is often more. This occurs by helping management understand a company can overdo a control environment, “in the sense that when management guides controls around risks that are not going to be the most serious risks to the company, that they end up building excessive amounts of energy and protection where they’re not really needed. That you as a management team end up diluting your attention and diluting your resources.”

Howell went on to explain it is simply a matter of resources, “When things do go wrong, you’re in effect spread so thin that you don’t see those risks coming at you. The real question where less is more can be very valuable is when the board continues to challenge the management team on the scenarios that could play out. That could be devastating to an organization where risk really matters.” I asked Howell if he could provide any discrete examples and he pointed to the food service industry for the following: “For example, in a food service company or a restaurant company, if there were contamination or if there were things that could happen either at the plant or by people who are touching the food. Those are very serious risks that a company needs to both be mindful of and to be able to prevent. If something goes wrong, you need to be able to detect early. When customers of the company or others are hurt that there’s a consequence of failures that can be devastating.”

In another example Howell said he had seen situations where internal “controls that are used for financial reporting for example, when examined in the light of where the risk really exists for the company, the companies have been able to reduce their controls actually by as many as half and improve their overall control environment and reduce the aggregate risk to the company. It’s interesting that even spending less money on controls by having fewer controls can improve the overall comfort that the company and its management and investors are protected from risk.”

A Board is not simply there to be a rubber stamp for senior management. It must exercise independent judgment, action and oversight. Further, it is the Board’s role to ask hard, difficult and probing questions to make sure management is not only doing its job but has considered other risk possibilities.

Three Key Takeaways
  • Boards should force management to open up the company to itself.
  • Boards should be a grain of sand in the shoe of management.
  • Boards should make sure senior management is aware of and planning for both known and unknown risks.

FCPA Compliance Report
Day 5 of One Month to a Better Board

FCPA Compliance Report

Play Episode Listen Later Feb 7, 2017 13:36


The Office of Inspector General (OIG), Department of Health and Human Resources, issued a paper entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the OIG Guidance). It provides an excellent road map for thinking about how to structure a Compliance Committee for your Board and a Board’s obligations.  As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be both a corporation information and reporting system and that such reporting mechanisms provide appropriate information to a Board. It stated, “The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.” The OIG Guidance sets out four areas of Board oversight and review of a compliance function; “(1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for issue-reporting within an organization; (3) approach to identifying regulatory risk; and (4) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.” While noting that a corporate compliance function should promote the prevention, detection and remediation of compliance violations, the OIG Guidance goes on to state that an organization’s Chief Compliance Officer (CCO) “should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.” Rather the Board must ensure the CCO and compliance function have resources to fulfill their assigned role within an organization and access to the Board. 
The Board should evaluate and discuss how management works together to address risk, including the role of each in:  identifying compliance risks, investigating compliance risks and avoiding duplication of effort, identifying and implementing appropriate corrective actions and decision-making, and communicating between the various functions throughout the process.  A key component of Board oversight is through the flow of information. The OIG Guidance says, “The Board should set and enforce expectations for receiving particular types of compliance-related information from various members of management. The Board should receive regular reports regarding the organization’s risk mitigation and compliance efforts—separately and independently”. These reports can come to the Board via a variety of reporting mechanisms; regular Board meetings, special Executive Sessions where the Board meets with the CCO or compliance leadership outside of the presence of senior management and ad hoc communications from the CCO. All of these help create a “continuous expectation of open dialogue” which is paramount for proper Board oversight. Of course, if a serious compliance issue arises, it needs to be communicated directly, and in a timely manner, to the Board. But in addition to setting the expectations for the flows of information, a Board must also set expectations for holding senior management accountable for areas such as compliance. This can be through the assessment of “individual, department, or facility-level performance or consistency in executing the compliance program” and using this information to payout or withhold discretionary based bonuses “based upon compliance and quality outcomes.” The OIG Guidance also notes, “Some companies have made participation in annual incentive programs contingent on satisfactorily meeting annual compliance goals. 
Others have instituted employee and executive compensation claw-back/recoupment provisions if compliance metrics are not met.” However the key component is that “Through a system of defined compliance goals and objectives against which performance may be measured and incentivized, organizations can effectively communicate the message that everyone is ultimately responsible for compliance.” A Board also needs to have regular reports on the risks that any organization may face. This means keeping abreast of “relevant and emerging regulatory risks, the role and functioning of an organization’s compliance program in the face of those risks and the flow and elevation of reporting of potential issues and problems to senior management.” The OIG Guidance speaks to technological solutions when it says, “Some Boards use tools such as dashboards—containing key financial, operational and compliance indicators to assess risk, performance against budgets, strategic plans, policies and procedures, or other goals and objectives—in order to strike a balance between too much and too little information. For instance, Board quality committees can work with management to create the content of the dashboards with a goal of identifying and responding to risks and improving quality of care.” Moreover, a Board should also mandate that the company’s compliance function have the proper tools in place to facilitate compliance reporting internally. It states, “Boards should also consider establishing a risk-based reporting system, in which those responsible for the compliance function provide reports to the Board when certain risk-based criteria are met. The Board should be assured that there are mechanisms in place to ensure timely reporting of suspected violations and to evaluate and implement remedial measures. 
These tools may also be used to track and identify trends in organizational performance against corrective action plans developed in response to compliance concerns.” Ultimately a Board should drive home the message of compliance as “a way of life” so that it permeates into the DNA of a health care organization. For if a Board can help drive compliance into the fabric of an organization, it will have done more than simply fulfill its legal obligations starting in the Caremark decision and going forward. The Board will have helped to make the entire organization more compliance-centric and when a Board can help to facilitate such a change in attitudes, it will have moved the organization several steps down the road of doing business in compliance with relevant laws and issues.

The OIG Guidance is an excellent review for not only compliance professionals and others in the health care industry but a good primer for Boards around their own duties under a best practices compliance program. The US Federal Sentencing Guidelines, the Ten Hallmarks of an Effective Compliance Program, the “OIG voluntary compliance program guidance documents, and OIG Corporate Integrity Agreements (CIAs) can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program. The Guidelines “offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program.” The compliance program guidance documents were developed by OIG to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements.”

Three Key Takeaways
  • Information flow up to the Board is critical.
  • Compliance should be institutionalized in your company as a way of life.
  • A Board needs to consider all risks.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.

FCPA Compliance Report
Day 1 of One Month to a Better Board

FCPA Compliance Report

Play Episode Listen Later Feb 1, 2017 13:48


Case Law

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

According to Haynes and Boone in its publication, “Corporate Governance and the Role of the Board”, a director’s business decisions generally qualify for protection by the “business judgment rule.” Under the business judgment rule, courts presume that directors making business decisions acted on an informed basis, in good faith, and with the honest belief that the action taken was in the best interests of the corporation. In lawsuits brought against directors by shareholders, courts applying the business judgment rule will determine only whether the directors making the decision (i) were free from conflicts of interest, (ii) appropriately informed themselves before taking the action, and (iii) acted after due consideration of all relevant information that was reasonably available. Under the business judgment rule, the board’s action will not subject board members to liability if the action or decision of the directors can be attributed to any rational business purpose. Directors that meet the criteria of the business judgment rule do not have to worry about having their business decisions second-guessed by a court, even where their decisions result in corporate losses.

FCPA Guidance and US Sentencing Guidelines

A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3 entitled “Oversight, Autonomy and Resources”, where it discusses that the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

From the Delaware cases, I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA drive home these general legal obligations down to the specific level of the statute.

Three Key Takeaways
  • The Delaware courts have led the way with the Caremark and Stone v. Ritter decisions.
  • Note the obligations of the Board under the 10 Hallmarks of an Effective Compliance Program.
  • The US Sentencing Guidelines also require Board involvement and oversight.

For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.

FCPA Compliance Report
Day 26 of 30 Days to a Better Compliance Program

FCPA Compliance Report

Play Episode Listen Later Jan 27, 2017 12:20


As they made clear with several FCPA enforcement actions in 2016, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement continued this trend, where there was no evidence that bribes were paid or offered in violation of the FCPA,  the poor internal compliance controls at BHP led to a $25MM fine. Indeed Kara Brockmeyer, Chief, FCPA Unit; Division of Enforcement of the SEC, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US, through enforcement of the accounting provisions, including internal controls provisions of the FCPA. It would seem that the reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur. What can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Framework as your starting point. As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports. 
Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented in documented form on some type of expense reimbursement form. This is mandatory for IRS reporting, so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Does anyone from accounts payable review and approve, both for accuracy and to make sure that all referenced expenses are properly receipted? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur? Now, if an employee has submitted expenses for activities that occurred outside the US, are there any foreign government officials involved? Were those employees identified on the expense reimbursement form? Was the business purpose of the meal, gift or other hospitality recorded? Can you aggregate the monies spent on any one foreign official or by a single employee in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program.
You can take this exercise through each of the five objectives under the COSO 2013 Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls into your anti-corruption compliance program. This can lead to remedial steps that you can take. For example, you can recommend procedures be written for all key compliance areas in which there are currently no procedures, and your existing procedures can be updated to include compliance issues and a clear definition of how controls are to be evidenced.
Through this you can move from having detect controls in place, to having prevent controls, whenever possible. As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. As I said last week, compliance is a straightforward exercise. This does not mean that it is easy; you do have to work at it so that you will not simply have a paper, “check the box” program. But using the excuse that you have limited resources is simply an excuse and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, which internal compliance controls you do not have and need to institute.
Three Key Takeaways
  • Learn the internal controls your company currently has in place.
  • Map your compliance internal controls to the COSO 2013 Framework.
  • Use your gap analysis as a basis for remediation.
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.

FCPA Compliance Report
Day 11 of 30 Days to a Better Compliance Program

Jan 12, 2017 11:48


You should employ a 6-step process for revising your Code of Conduct.
1. Get buy-in from decision makers at the highest level of the company
Your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three, to mandate this effort.
2. Establish a core revision committee
You should create a cross-functional working group to head up your effort to revise your Code of Conduct. It can include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally, there should be functions within the company represented such as finance and accounting, IT, marketing and sales.
3. Conduct a thorough technology assessment
The foundation of the revision process is how your company captures, collaborates and preserves the decisions during the revision. You should utilize the technology available to you to do so. This is also important in your distribution plan, particularly if the Code will only be available in hard copy.
4. Determine translations and localizations
The DOJ and SEC require a local language component. You need to use translation experts and know what they are doing when it comes to translations. Everyone must have the same understanding of the company’s Code, no matter the language.
5. Develop a plan to communicate the Code of Conduct
You should use the full panoply of tools available to you to publicize your new or revised Code of Conduct at roll-out. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct meeting where the new or revised Code is rolled out across the company all in one day. Also remember, you must document that each employee receives it.
6. Stay on Target
If you set realistic expectations, you should be able to stay on deadline and stay within your budget. Do not be distracted by other issues that might arise during the process.
Key Takeaways
  • When did you last revise your Code of Conduct?
  • You must have senior management buy-in to successfully revise your Code of Conduct.
  • Keep your eye on the ball.
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.

FCPA Compliance Report
30 Days to a Better Compliance Program-Day 3

Jan 4, 2017 11:57


Welcome to Day 3 of 30 Days to a Better Compliance Program. Today I want to consider the Chief Compliance Officer (CCO) in your organization, through three prisms: access, resources and opportunities.
Access
What access does your CCO have to the top decision makers in your organization? While it really does not matter whether the CCO reports to the CEO, Board or GC, it does matter that the CCO have direct access to corporate decision makers.
Resources
This means both head count of personnel to operate your compliance function and the money available to implement the appropriate technology to sustain an effective compliance program. If your compliance team is run on a shoestring, you will likely be downgraded for your overall commitment to doing business in compliance with the FCPA. Put another way, if you spend more on paper clips than on your compliance program, your compliance program may well be under-funded.
CCO Pay, Opportunity and Expertise
In the Pilot Program, the DOJ laid out another important element for every compliance program, which is expertise of your CCO and compliance function. I think the clear implication is that the DOJ will even look at salaries. Once again, if a company tries to get by on the cheap, it may certainly come back to bite them in the end. Finally, the DOJ has made clear that compliance is part of the corporate family by even requiring that the CCO have opportunities for advancement with the corporation at the senior management level and that the compliance function shall be afforded similar opportunities.
Three Key Takeaways
  • The CCO must have access to the highest levels of your organization.
  • The CCO must have adequate money and personnel resources to perform the function.
  • The CCO must be qualified, appropriately compensated and have opportunity for advancement within the organization.
For more information, check out my book Doing Compliance: Design, Create and Implement an Effective Anti-Corruption Compliance Program.

Barefoot Innovation Podcast
The Regulatory Sandbox : BMO's Nitish Pandey

Jan 16, 2016 70:58


Welcome to Barefoot Innovation as we start into a fresh new year.
Being appreciated!
We are kicking off 2016 with a wonderful guest, Nitish Pandey of BMO, and also with exciting momentum for Barefoot Innovation. In December, we were named one of the top 9 fintech podcasts by FintechNews Switzerland. We are delighted to be counted among the best in the world, including the Breaking Banks show of my friend Brett King.
Innovation Nation – fintech in the UK
That recognition of our series was especially timely, because I was in London at the time to participate in a roundtable of the U.K.’s Financial Conduct Authority on the topic of today’s podcast. The FCA has taken the lead globally in proposing creation of a “regulatory sandbox” – a safe space in which financial innovators can experiment with ideas that might benefit consumers, but that could hit trip wires or raise concerns under today’s rules. Americans should focus on this: the U.K. has adopted a national strategy, from its top leaders on down, of becoming the fintech capital of the world. One facet of that strategy is the FCA’s launch of Project Innovate, which has goals like this one: “We promote competition through disruptive innovation − innovation that offers new services to customers and challenges existing business models.” Consider that language – the regulator is explicitly “promoting…disruptive innovation.” The FCA’s efforts include creating an Innovation HUB that provides support for promising innovation, and a methodical review of how regulation impacts innovation. Last year they formally requested public input on two crucial questions: what regulations are impeding beneficial innovation, and is there a need for new regulations to foster innovation? While digesting the resulting comments, they put out their proposal on the sandbox concept.
They’ve been sharing these ideas globally and exploring very creative approaches, like whether it would make sense to create a “virtual sandbox” in which innovators could test certain ideas through shared data, without exposing real consumers to any risk at all. Lawrence Wintermeyer of Innovate Finance, speaking at the FCA’s December sandbox roundtable, cited growing excitement around both “fintech” and “regtech.” He argued that London has the “tech” of the U.S. west coast, the “fin” of New York, and the “reg” of Washington – all clustered in one city where everyone can get together by public transport in fifteen minutes. The U.K. has other innovation advantages over the U.S., including a more concentrated banking system and a much simpler regulatory structure. Startups are also attracted by the ability to “passport” UK activities throughout the European Union, offering easy access to large markets. All this contrasts sharply with the U.S. model in which innovators seeking national scale must undertake the complex process of securing either a bank charter or 50 state licenses, or both. Still, part of London’s innovation success clearly stems from deciding to value the upside promise of innovation, in addition to policing the very real downside risk. The FCA’s efforts include a conscious effort to be nimble – something that does not come easily to any regulatory system. The resulting vibrancy is palpable.
On this side of the Atlantic
In the U.S., the same thinking is gaining traction. Comptroller of the Currency Tom Curry has appointed a new task force for Responsible Innovation, as we discussed in our recent episode with him.
The CFPB has its Project Catalyst innovation lab, and the Federal Reserve Bank of San Francisco held a conference last fall on the “(R)evolution Underway” in financial services, addressing “how technological changes are presenting opportunities and challenges for financial institutions while compelling regulatory agencies to think about how innovation impacts the supervisory process.” These U.S. discussions increasingly include exploration of creating a regulatory sandbox – which brings me to our guest for this episode. Nitish Pandey is Senior Vice-President & Chief Legal Officer, U.S. Personal & Commercial Banking, for BMO Financial Group of BMO Harris. He believes our financial ecosystem needs a safe sandbox in which to innovate (as did Jesse McWaters and Rob Galaski in our episode on the “Secrets of Fintech”). Nitish and I started discussing the sandbox concept last summer (before the U.K.’s proposal). I’d convened a roundtable on disruption of consumer finance and how to (and not to) regulate it. Nitish, whom I’ve known for years, came to the meeting armed with the most specific blueprint I had seen on these ideas. In the months since then, he’s refined it and shared it publicly several times. The goal of a sandbox approach is to allow testing of pro-consumer innovation, while assuring that customers are still well-protected. The issue has endless subtopics. For instance, is a sandbox really needed? How do current rules impede innovation – if they do – and which ones are most problematic? Is it appropriate to use the concept of “risk tolerance” in consumer protection? If so, can risks be defined? Can they be quantified and measured? And, if a sandbox would help, how should it be designed? Do regulators have the legal power to waive or suspend rules to allow experimentation and if not, should they? What standards should innovators have to meet? How would experiments be time-limited? What standards should be used to permit them, and to judge their success?
If new ideas prove out, should they be publicized? Should the whole market be allowed to adopt them? If so, would this require extensive rewriting of current rules? Will innovators have sufficient incentive to enter the sandbox, if competitors can simply adopt the ideas they pilot (in contrast to, say, government approval of new drugs after testing that ultimately produce patents)? How can innovators protect their confidential intellectual property? Would agency pre-review of sandbox proposals bog innovation down in bureaucracy, defeating the purpose of the whole exercise? And perhaps most importantly, how should consumers in a sandbox be protected? What limits should be placed on potential harm to them? Should they be compensated for any harm and if so, how? What disclosures should they receive? Should they have to give consent? How would harm be quantified? While Nitish doesn’t try to answer all of these questions, he tackles many of the hardest ones. And he pinpoints a core issue that’s widely underestimated. The problem is not just rigid and potentially counterproductive regulatory requirements. It’s also the sheer cost and effort of implementing full-scope compliance for virtually any change. If businesses can’t inexpensively test how customers would respond to an innovation, they won’t offer it. And they can’t test real-life response to new ideas today, without also building out massive compliance machinery – Nitish calls it the “pipes” – affecting nearly every function of the company. We’re in a “Lean Startup” world today where innovators grow by designing and refining a minimum viable product (MVP) through quick, intensive consumer interaction. Traditional companies can’t do this well, partly because their compliance systems weigh them down. Nitish has ideas how to design and execute a practical solution for this – without going bureaucrazy!
Compliance as innovator?
While I had Nitish with me, I also took the chance to have him share his advice on the revolution underway in the compliance function. He is the first bank compliance manager we’ve had as a guest, and a visionary in the field. He believes, as I do, that consumer financial protection is migrating from a rules-based system to an increasingly principles-based one. That shift is bringing permanent uncertainty which, in turn, requires deeply remaking the compliance management model. “It used to be, if you knew your regulations, you were fine,” he says in our discussion, whereas today’s compliance manager is a “true risk management professional who can be creative in the process and demonstrate excellent judgment as we rapidly move into an increasingly gray world.” He lays out the new role of compliance in today’s bank, why it’s needed, the key changes required, and how to make it happen. Nitish’s insight derives partly from his broad background. He has undergraduate and postgraduate qualifications in Law, Economics and Management in his native Australia and has held positions ranging from marketing to nearly every facet of risk management. He spent a decade at American Express in Compliance, Risk Management and Operations, focusing on consumer, small business and commercial portfolios. He was Deputy Chief Compliance Officer for American Express Centurion Bank, responsible for the oversight and implementation of the bank’s Compliance Program. In November 2014 he joined BMO as Chief Compliance Officer (CCO) for U.S. Personal and Commercial Banking. I hope you enjoy my talk with him as much as I did!
More Links:
  • BMO Bank
  • Nitish’s slides from his presentation
  • The FCA's Project Innovate
  • The FCA’s Paper on the “Regulatory Sandbox”
  • The CFPB’s Project Catalyst
  • CFSI’s research on consumer financial wellness
Please subscribe to the podcast by opening your favorite podcast app and searching for "Jo Ann Barefoot", or in iTunes.