Podcasts about doj evaluation

  • 7 podcasts
  • 28 episodes
  • 22m average duration
  • Infrequent episodes
  • Latest episode: Oct 30, 2024


Latest podcast episodes about doj evaluation

Great Women in Compliance
Mary Inman and Jane Norberg on Current Developments in Whistleblower Laws and Practice

Oct 30, 2024 49:32


Welcome to the Great Women in Compliance podcast with Hemma Lomax and Lisa Fine, sponsored by Corporate Compliance Insights. Over the past few months, the Department of Justice put forth the Whistleblower Pilot Program and the update to the Evaluation of Corporate Compliance Programs. It was the perfect time to focus on how these impact whistleblower laws. Our guests are Jane Norberg, a partner at Arnold & Porter and the former Chief of the Office of the Whistleblower, and Mary Inman, a founding partner of Whistleblower Partners. Mary is also an advocate for the power of whistleblowers and is known for representing Facebook Files whistleblower Frances Haugen and Theranos whistleblower Tyler Shultz. They provide insight into what makes a credible and legitimate whistleblower, how the SEC reviews tips from whistleblowers and what we as compliance professionals can do to build effective programs, all focused on the review of all concerns that are raised, regardless of the source. They provide some thoughts about how to handle different situations before, during, and after an investigation, providing practical advice. The group discusses the new DOJ Whistleblower Pilot Program and where it follows past programs like the SEC program and where it is filling new gaps. One part of the program includes the 120-day requirement for reporting an issue, and they focused on what that would mean for organizations. Mary and Jane share their views on the requirements and the best practices and reference how most compliance professionals are using the DOJ Evaluation of Corporate Compliance to develop their programs, which means that an issue is investigated. In practical terms, following the ECCP requirement to investigate while the pilot program has a “race to report” is a challenge, and this is discussed in depth. Mary and Jane both provided “one thing you should know” to conclude the discussion. Both points are significant ones for anyone who is dealing with any point of the whistleblower or building a strong speak up/anti-retaliation culture. Join the Great Women in Compliance community on LinkedIn here.

The Compliance Guy
DOJ Evaluation of Corporate Compliance Programs

Jun 25, 2021 39:36


In this segment, Sean discusses the DOJ Criminal Division's Evaluation of Corporate Compliance Programs. Sean breaks down various aspects of what most consider a prosecutor's playbook. A discussion of conducting internal audits and developing corrective actions to ensure listeners are in tune with what is required ensures risk mitigation.

31 Days to a More Effective Compliance Program
Twenty questions directors should ask about its Compliance Committee

Aug 28, 2020 9:28


In an area of inquiry entitled Oversight, the 2020 Update asks three basic questions which we have explored throughout this chapter: What compliance expertise has been available on the Board of Directors? Have the Board of Directors held executive or private sessions with the compliance function? What types of information has the Board of Directors examined in their exercise of oversight in the area in which the misconduct occurred? To facilitate the answers to these questions, consider this list of 20 questions to reflect the oversight role of directors. These are questions the Board should ask of both senior management and itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization. Three key takeaways: The DOJ Evaluation requires active Board of Director engagement around compliance. Board communication on compliance is a two-way street; both inbound and outbound. Has the Board built an effective Compliance Committee for itself?

Innovation in Compliance with Tom Fox
A Conversation with Convercent and StoneTurn: Stephen Martin on Evaluating Compliance Programs

Aug 14, 2020 18:15


Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn Group. Over the course of the series we have explored the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this fifth and final episode, I am joined by Martin for a discussion of evaluating compliance programs. Resources: For more information on StoneTurn, check out their website, here. For more information on Convercent, check out their website, here. To download a copy of the Convercent Interactive Self-Assessment based on the 2020 Update to the Evaluation of Corporate Compliance Programs, click here.

Innovation in Compliance with Tom Fox
A Conversation with Convercent and StoneTurn: Asha Palmer on Corporate Culture

Aug 13, 2020 13:19


Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn Group. Over the course of the series we are exploring the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this fourth episode, we take a deep dive with Palmer into corporate culture. Join us tomorrow, as Stephen Martin, Partner at StoneTurn, discusses evaluating compliance programs. Resources: For more information on StoneTurn, check out their website, here. For more information on Convercent, check out their website, here. To download a copy of the Convercent Interactive Self-Assessment based on the 2020 Update to the Evaluation of Corporate Compliance Programs, click here.

Innovation in Compliance with Tom Fox
A Conversation with Convercent and StoneTurn: Michele Edwards on Creating an Inventory of Metrics

Aug 12, 2020 18:08


Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn Group. Over the course of the series we will explore the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this third episode, Edwards and I discuss how a compliance professional can create an inventory of metrics by which to monitor and then improve a compliance program. Join us tomorrow, as Asha Palmer, CECO at Convercent, discusses corporate culture itself to better monitor and improve your compliance program. Resources: For more information on StoneTurn, check out their website, here. For more information on Convercent, check out their website, here. To download a copy of the Convercent Interactive Self-Assessment based on the 2020 Update to the Evaluation of Corporate Compliance Programs, click here.

Innovation in Compliance with Tom Fox
A Conversation with Convercent and StoneTurn: Asha Palmer on Internal Reporting

Aug 11, 2020 13:38


Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn Group. Over the course of the series we will explore the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this second episode, we take a deep dive with Palmer into internal reporting. Join us tomorrow, as Michele Edwards, Partner at StoneTurn, details how to create an inventory of compliance metrics. Resources: For more information on StoneTurn, check out their website, here. For more information on Convercent, check out their website, here. To download a copy of the Convercent Interactive Self-Assessment based on the 2020 Update to the Evaluation of Corporate Compliance Programs, click here.

Innovation in Compliance with Tom Fox
A Conversation with Convercent and StoneTurn: Rex Homme on Conducting Investigations and Ensuring Consistent Outcomes

Aug 10, 2020 15:46


Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn. Over the course of the series we will explore the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this first episode, we take a deep dive with Homme into conducting investigations and ensuring consistent outcomes. Join us tomorrow, as Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE, discusses best practices in internal reporting. Resources: For more information on StoneTurn, check out their website, here. For more information on Convercent, check out their website, here. To download a copy of the Convercent Interactive Self-Assessment based on the 2020 Update to the Evaluation of Corporate Compliance Programs, click here.

This Week in FCPA
Episode 208 – the Trump Administration Attacks Americans edition

Jun 4, 2020 33:41


As peaceful protesters are attacked by the Army on the order of the Trump Administration, Tom and Jay ask “now that Trump has his wall around the White House, will Mexico pay for it?” Self-distancing Tom and Jay are back to consider some of the top compliance articles and stories on the new 2020 Update to the DOJ Evaluation of Corporate Compliance Programs. Tom Fox goes through a multipart deep dive. Part 1-Overall Themes, Part 2-Data and Continuous Improvement, Part 3-Third parties and M&A, Part 4-CCO and the Compliance Function, Part 5-Conclusion. Matt Kelly explores on Radical Compliance. Matt Kelly goes Pizza Pizza with another article in Navex Global’s Ethics and Compliance Matters. Dylan Tokar reports in WSJ Risk and Compliance Journal. Mike Volkov has a 3-part exploration on Corruption Crime and Compliance. Part 1, Part 2 and Part 3. Dick Cassin explores organizational justice in the FCPA Blog. Jonathan Marks looks at it from the forensic perspective in Board and Fraud. Interested in moving to the CCO chair? Check out my latest podcast series The Compliance Life, where I interview one CCO type for a month on their journey to the CCO chair and beyond. In this month’s edition I visit with Ryan Rabalais. In this Part 1, he details his journey into compliance and the winding road which took him to the CCO Chair. The Compliance Life is now available on iTunes. On Compliance and Coronavirus this week: David Wolf on using podcasting and audio white papers as communication tools during the time of Covid-19; James Green on operationalizing risk management during this health crisis; Eden Gillott joins me to discuss crisis communication during the time of Covid-19. Compliance and Coronavirus is available on iTunes here. On the Compliance Podcast Network, this month’s topic: internal reporting and investigations; all on 31 Days to a More Effective Compliance Program. This week’s offerings: Monday-Intro to internal reporting and investigations; Tuesday-Advantages of an internal reporting system; Wednesday-Internal reporting case study; Thursday-Internal reporting best practices; Friday-Answering DOJ questions on internal reporting. Note 31 Days to a More Effective Compliance Program now has its own iTunes channel. Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.

31 Days to a More Effective Compliance Program
What does innovation in compliance look like?

Mar 31, 2020 8:04


With the DOJ Evaluation’s emphasis on operationalizing your compliance regime, innovation is an important tool for you to use in this journey, yet one that is too often overlooked. We have considered a variety of innovations in compliance; from innovations in structure, use of social media tools and concepts, to new and different ways to consider your internal resources as ways to innovate in your compliance regime. The DOJ has consistently said that a compliance program must evolve. It must evolve to meet new or updated risks, new opportunities or different regulations. Innovation is one of the best ways to evolve. Finally, and perhaps most importantly as a compliance practitioner, always remember that you are only limited by your imagination.  Three key takeaways: Innovation is one of the most overlooked and under-utilized tools in compliance. Operationalizing your compliance program will require innovation in your compliance program going forward. As with most CCO initiatives, you are only limited by your imagination.

FCPA Compliance Report
Day 5 | The Board and operationalizing compliance

Jan 5, 2020 9:38


In addition to a company’s senior management, there is a Board of Directors at the top. Yet the role of the Board is different than that of senior management. For the Board of Directors, the Evaluation of Corporate Compliance Programs - Guidance Document (2019 Guidance) stated: Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred? The DOJ Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (Antitrust Compliance Program Guidance) was even more explicit in announcing their expectation for robust Board oversight of a corporate compliance function. The Antitrust Compliance Program Guidance stated “For the antitrust compliance program to be effective, those with operational responsibility for the program must have sufficient autonomy, authority, and seniority within the company’s governance structure, as well as adequate resources for training, monitoring, auditing and periodic evaluation of the program.” The Antitrust Compliance Program Guidance then went on to ask the following questions: Who has overall responsibility for the antitrust compliance program? Is there a chief compliance officer or executive within the company responsible for antitrust compliance? If so, to whom does the individual report, e.g., the Board of Directors, audit committee, or other governing body? How often does the compliance officer or executive meet with the Board, audit committee, or other governing body? How does the company ensure the independence of its compliance personnel? Three key takeaways: The DOJ Evaluation requires active Board of Director engagement and oversight around compliance. Board communication on compliance is a two-way street; both inbound and outbound. Does the Board of Directors have a Compliance Expert?

31 Days to a More Effective Compliance Program
Day 5 | The Board and operationalizing compliance

Jan 3, 2020 8:08


In addition to a company’s senior management, there is a Board of Directors at the top. Yet the role of the Board is different than that of senior management. For the Board of Directors, the Evaluation of Corporate Compliance Programs - Guidance Document (2019 Guidance) stated: Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred? The DOJ Antitrust Division’s Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (Antitrust Compliance Program Guidance) was even more explicit in announcing their expectation for robust Board oversight of a corporate compliance function. The Antitrust Compliance Program Guidance stated “For the antitrust compliance program to be effective, those with operational responsibility for the program must have sufficient autonomy, authority, and seniority within the company’s governance structure, as well as adequate resources for training, monitoring, auditing and periodic evaluation of the program.” The Antitrust Compliance Program Guidance then went on to ask the following questions: Who has overall responsibility for the antitrust compliance program? Is there a chief compliance officer or executive within the company responsible for antitrust compliance? If so, to whom does the individual report, e.g., the Board of Directors, audit committee, or other governing body? How often does the compliance officer or executive meet with the Board, audit committee, or other governing body? How does the company ensure the independence of its compliance personnel? Three key takeaways: The DOJ Evaluation requires active Board of Director engagement and oversight around compliance. Board communication on compliance is a two-way street; both inbound and outbound. Does the Board of Directors have a Compliance Expert?

Everything Compliance
Episode 51-August Reflections Edition

Aug 7, 2019 58:02


Welcome to the only roundtable podcast in compliance. Today, we have a quartet of Jay Rosen, Matt Kelly, Jonathan Armstrong and Tom Fox. Rants and shout-outs follow the commentary for this episode.

  • Jay Rosen takes a look at the recent white paper by ECI President Dr. Pat Harned on the new DOJ Evaluation of Corporate Compliance Programs and ECI’s High Quality Compliance Programs. Jay shouts out to Preet Bharara’s podcast “Stay Tuned”.
  • Jonathan Armstrong considers the Sarclad Deferred Prosecution Agreement and the SFO’s failures in prosecuting individual former company employees. Jonathan shouts out to those who talk about mental health issues in public.
  • Tom Fox considers the lessons learned from the TechnipFMC and Microsoft FCPA settlements. Tom shouts out to his fellow Southerner Moscow Mitch and his invitation to Mr. Putin to come on over during the next presidential election.
  • Matt Kelly considers the lessons from the recent Facebook settlements with the FTC and SEC. Kelly shouts out to Federal Reserve examiners who reviewed tech vendors at banks they were auditing.

The members of Everything Compliance are:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
  • Sarah Hadden – Publisher at Corporate Compliance Insights. Hadden can be reached at Sarah@corporatecomplianceinsights.com

The host and producer (and sometime panelist) of Everything Compliance is Tom Fox, the Compliance Evangelist. Everything Compliance is a part of the Compliance Podcast Network.

FCPA Compliance Report
Jesse Caplan on the DOJ Evaluation of Corporate Compliance Programs for Antitrust

Aug 4, 2019 19:21


In this episode I visit with Affiliated Monitors’ Managing Director Jesse Caplan on the recently released DOJ Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations. Highlights from the podcast include: How does this change the Antitrust Division Leniency Program? Does your compliance program have an antitrust focus? How should compliance professionals consider using this Evaluation? How does this Evaluation fit in with Evaluation of FCPA Compliance Programs? For a copy of the DOJ Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations, click here.

FCPA Compliance Report
Day 8 of One Month to Better Investigations and Reporting

Jun 12, 2017 12:28


The Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation), under Prong 7, Confidential Reporting and Investigation, asks the following: Properly Scoped Investigation by Qualified Personnel – How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? These questions were clearly presaged by the DOJ’s Yates Memo and the Foreign Corrupt Practices Act (FCPA) Pilot Program. The pressure on every Chief Compliance Officer (CCO), and indeed company, to get an investigation done quickly, efficiently and most importantly done right is even greater now.

Jonathan Marks, a partner at Marcum LLP and a well-known internal investigation expert, gave some of his thoughts around what goes into a well-run investigation. Marks began by cautioning that any CCO must be cognizant of the strictures laid out in the Evaluation. It all begins with who in-house is looking at the complaint and whether the CCO, compliance practitioner or legal team has the skills and capabilities to handle the matter which has arisen. Obviously if there are esoteric accounting issues or significant internal control work-arounds and overrides, a CCO may not have those skills to really understand all the issues. Similarly, if the matter is a global FCPA or equivalent bribery and corruption matter, Marks related, these “come in different flavors, and because they come in different flavors you may not have the skills or capabilities to do an investigation that would take place in say Brazil or Russia or China or India.”

All of this ties into how the government will view an investigation, particularly if the company does not have the skills and capabilities necessary to analyze the allegation, or if the allegation of fraud is serious enough where they believe that an independent investigation rather than an internal investigation really needs to be done. Moreover, if allegations or the investigation are going to be subject to regulatory scrutiny, one of the benefits of having somebody come in from the outside is that there is independence, skepticism, the ability to work through things unlike you would with an internal investigation where an internal audit might be involved. Marks concluded by noting, “from an outsider’s perspective looking in, there is more credibility of having somebody come to conduct your investigation.”

Marks believes the first thing that any investigator must do is understand the business environment and the extended business enterprise. He further stated, “what I mean is really understand the business you’re dealing with, the industry that it’s in, the potential risks, the pressures and motivations that might be at play here. Understanding that generally with most frauds there is some pressure to do something because of something else and there are some motivations.” Such an initial understanding can help you formulate a comprehension of the internal controls that might be in place or that were lacking that could either have not been designed properly or overridden.

The next step is to quickly and thoroughly analyze the initial underlying facts and circumstances when it comes to the issue or the issues at hand. For Marks, the number one issue is the credibility of the complaint, which is more than simply the credibility of the complainant. Marks said it was important to understand how the allegations of wrongdoing came to light and the seriousness of the issues involved. He went on to note that his initial inquiry would include such questions as, “What are people saying happened or what is an individual saying that happened? You know the background of the complaint, if known. How long have they been with the organization? Are they credible? Have they complained before? If in fact this was either a whistleblower or a tip.”

At this early assessment, Marks believes you should also consider the possible legal and financial impact of the allegations. If you determine it is serious at this early juncture, you should always consider your internal crisis management team and if your organization does not have one, you should consider retaining such an expert. Marks explained, “Crisis management doesn’t necessarily mean that a crisis happened, it means that if in fact we are in crisis mode, how does that impact the company? So, thinking about those issues and then knowing what to do, if in fact you are in a crisis mode, I think is ultra-critical.” He went on to add, “I think crisis management is totally underplayed. I think that many organizations don’t have an appropriate crisis management plan. If something bad does happen, a lot of times I see organizations that are struggling to kind of put the pieces together.”

Marks also noted that both communication and collaboration are critical even at this early stage. He advocated that the company ask a series of questions such as what issues are “on the table” and who is impacted by these issues within the company; is it the company auditors or some other corporate function? He also advocated considering third parties and contracted entities in this calculus by inquiring if there were key suppliers impacted by the investigation. On the one hand, “a key supplier that might get wind of this and might not want to do business with us anymore?” Yet, conversely, such a key supplier could be a sole source supplier so you may need to think about alternative arrangements. You should begin to consider these issues early on and continue to think about them as you are going through and doing an investigation.

Document preservation is always a critical issue and Marks believes this is one which government regulators will pay particular attention to both at this initial phase and throughout the investigation. You need to take steps to ensure all data is locked down. This means getting into the weeds on such issues as where all your company’s servers are located; what your back-up situation is; whether you have hand-held devices secured; and whether the organization’s instant and text messaging is tied down. If you do not take such steps you could well find yourself in a situation where either information is lost or there's a possibility or suspicion that information is lost. Unfortunately, that is the situation that leads to a prosecutor’s imagination going wild. Basically, you need to have the information locked down so that if the government wants to come in and perform an independent review or test your hypothesis, you can provide them with the required information.

Three Key Takeaways: Always remember your ultimate audience may be the government. You must understand both the business environment and extended business enterprise. Communication and collaboration in any investigation are critical so you should begin early and continue to do so throughout the investigation.

FCPA Compliance Report
Day 7 of One Month to Better Investigations and Reporting

Jun 9, 2017 13:11


There is nothing like an internal whistleblower report about a FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to draw the attention of the Board of Directors and senior management to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage, followed immediately by proclamations that “We are an ethical company.” However, it may well be the time for a very serious reality check.

The DOJ Evaluation of Corporate Compliance Programs focuses this question in Prong 7 with the following: Response to Investigations – What has been the process for responding to investigative findings? You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to begin to talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. Russ Berland, the Chief Compliance Officer at Dematic Inc., has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and then from then on, you’re fighting with everybody else for their attention, just like the normal things in business life. It’s, they’re coming in and saying, “Okay, here’s the situation as we know it now, there is an investigation path, and corresponding to that, here’s what we think is the remediation path and some outlines of what it’s going to take,” often with some dollar signs attached to it.”

You need to explain the costs to the Board and senior management. As Berland said, you need to be upfront and candid in firmly stating, “For us to get to this place, this is what it’s going to cost.” Moreover, you need to be able to show how some companies paid very large amounts, not just in the eventual fine and penalty but also in other costs. Berland went on to say, “We want to show you how people have lost money by having to write big checks, because they didn’t take this seriously, and saved money, because they didn’t have to write as big a check, because they took this very seriously, and your return on investment here is going to be very high if you do this well.” This is easier with the information that was provided in the 2016 DOJ Pilot Program around FCPA enforcement, as it demonstrated how much discount a company can receive below the minimum range of the Sentencing Guidelines for remediation.

One of the most difficult parts is that the investigation is often done in a way in which the investigators want to maintain as tight a control over the information and privilege as they possibly can. The remediation really requires output from the investigation to understand where the risk points are and where the gaps are, both in the compliance program and the internal controls. There’s a tension there, and it needs to be structured in a way that information can be shared with those who are designing the remediation without fear of compromising the investigation.

Dan Chapman, CCO at Vimpelcom and formerly CCO at Parker Drilling, also believes that costs must be adequately discussed to set proper expectations. These include both direct costs and, even more importantly, a discussion of indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “kind of everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management. He further explained, “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.”

Yet how can you communicate that to somebody who has not gone through a full-blown internal investigation coupled with a federal investigation with the DOJ and Federal Bureau of Investigation (FBI) involved? Understanding that the all-encompassing nature of such an event is difficult to articulate, Chapman goes through some of his past experiences as touch points. He said, “I talk about past experiences. One example would be at a past company, my first week on the job, they had a worldwide conference for all the senior managers from around the world. At that meeting, I asked all the senior executives, you know, C-level executives. I said, “Over the last few years, have you spent 5% of your time on the matter?” They’d raise their hands. Then I kept escalating it: 10%, 15%. Hands didn’t go down until about 20%. Then I explained to them, to the audience, I said, “So if you got 5%, 10%, 15% more than your senior management, where would this company be?” I think that’s helpful, but there’s not a great way to quantify it. It’s kind of like quantifying compliance generally. How do you quantify the absence of non-compliance? How do you quantify what could have been? How do you quantify the opportunity costs of management’s time?”

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had clear policy.” The same types of arguments come into play in areas generally considered the purview of HR, i.e. recruiting and retention.

About recruiting, Chapman posed the following for consideration: “Think about recruiting. Where do your new hires out of college come from? Where do they get their information about your company? If they Google your company, what’s one of the first things they see if you’ve been in trouble? They Google it, and they’ll get a penalty, or they’ll get some news article about the wrongdoings.” He also points out retention of current employees by asking, “How would you feel if everybody at this company felt good about working here, and no one felt embarrassed by what happened. Would that help retention?”

Yet even more than these types of points about employees in the organization, Chapman believes it is important to make it personal to the highest level of the organization and try to make it as real and personal to your audience as possible. He says he asks the Board and senior management, “What about you? How do you feel about being involved in it? Rather than being something that’s out there, the company, what about you? How do you feel about being here?”

Obviously, the investigation will be critical for you to help understand what remediation your compliance program will need going forward. As Berland said, “Somebody found a way to get around your system. Maybe they colluded to overcome the internal controls. Maybe there was a group that simply wasn’t well trained, didn’t understand, or there was a group that was extremely well trained, and decided to do it anyway. But somehow, there are issues in your system, and by system, the overall system of the executive tone, the governance, the compliance program, the internal controls, all at a meta level.”

It is axiomatic that you cannot find gaps in your compliance system until you stress test it. Viewed in this light, your compliance failures can be viewed as such a stress test. Berland said, “Well, guess what, you just got handed a stress test, and this is where the system broke down. Now you know there’s a gap. Well, absent the investigation, as painful and difficult as that is, that gap would have just been sitting there.” The investigation will raise information to you about the failures of your compliance program that you may not have known existed previously.

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because, as Berland noted, “you’re just going off suppositions and guesses.”

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed.

Such an approach can also be a recipe for disaster. First and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Pilot Program. Moreover, the executive attention will have dissipated, or, as Berland said, “When you’ve got the energy, use it.”

What about the always-dreaded ‘Where Else’ question in any FCPA investigation? Berland believes the key is “anticipating the question is going to come up, and having an answer ready, which is, “We are going to do a comprehensive risk assessment of the remainder of the company. We are not going to go out and look under every leaf and every, you know, check every tree, but we are going to do a very extensive risk assessment, and we’ll be able to come back and tell you that we don’t think there is a likelihood of other issues in other places.””

However, the answer could be equally something along the lines that ““we have found a high likelihood and we’re going to continue to take deeper and deeper considers that section until we know if something happened or not.” That was an acceptable answer. It was, you know, “here’s the slice of the pie where we know something is happening, and here’s the process to look at the rest, given it really is kind of a risk assessment plus going forward.””

Three Key Takeaways

  • A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  • Be aware of how your investigation can impact and even inform your remediation efforts.
  • How do you deal with the dreaded ‘where else’ question?

FCPA Compliance Report
Day 4 of One Month to Better Investigations and Reporting

Jun 6, 2017 11:48


One of the things that I learned from the television series M*A*S*H was the need for triage. In the hospital setting, triage is the process of determining the priority of patients’ treatments based on the severity of their condition. This is considered in different language in the Justice Department’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation), which under Prong 7 reads, in part: Properly Scoped Investigation by Qualified Personnel – How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? Tying all of this together is a short but succinct statement found in the 2012 FCPA Guidance: “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.”

Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can separate the wheat from the chaff and bring the right number of resources to bear on a compliance problem. This is important in making an initial determination of whether to bring in outside counsel to head up an investigation. It is also important in a determination of the resources that you may want or need to commit to a problem. You literally need to “kick the tires” of any allegations or information so that you know the circumstances in front of you before you make the decision going forward. You can do this through a robust triage process.

Jonathan Marks, a partner at Marcum LLP, has suggested a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions that you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider what types of evidence you will need going forward. Finally, before selecting a triage solution, you should understand what tools are available, both forensic and human, to complete the investigation. Marks’ five-stage process includes the following:

Stage 1. These allegations have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact.

Stage 2. These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports.

Stage 3. These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management.

Stage 4. These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team.

Stage 5. These are serious allegations that involve one or more members of the senior management team, or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually places the company into crisis management mode, and could result in the restatement of audited financial statements or added regulatory scrutiny.

By using such an approach, you will be able to respond more quickly and efficiently to any allegations which arise. Of course, as more information is developed during the course of an investigation, the matter can be moved up or down this scale. Such an approach is also important for a company’s outside investigative counsel to partner more with the entity as a way to help hold down costs. Outside counsel can work to build confidence that the company’s investigators could handle a large or wide-ranging investigation. This confidence would help outside counsel in any discussions they might have with the DOJ during the pendency of a FCPA investigation.

Such an approach also has the effect of keeping your investigative costs below the ridiculous level. This is because, beyond the tactical need to initially scope any FCPA allegation which may arise through a company’s internal reporting mechanism, it allows you to move to the next step of developing a reasonable investigation plan. This can be particularly important if you self-disclose to the DOJ. You will need to go into the DOJ and present your investigation plan, so an early discussion with the government on the scope of the investigation is critical.

You should engage the DOJ to show not only the scope of your investigation but also that it can be limited so that you do not face the dreaded ‘where else’ question. You should develop a logical plan with the nexus to the facts. But it is critical that you and your investigation plan have credibility with the government, not only that your investigation will be robust but also that the facts you have determined in your initial triage are a reasonable interpretation.

Appropriate triage of allegations has several different impacts for any matter which comes to the attention of the compliance function. Obviously, it will help you to initially determine the seriousness of the matter. From there you can allocate an appropriate level of resources. It will also aid in your discussion with the DOJ if you have to go that route. Finally, in the situation where facts come in, it gives you evidence that a documented process was followed, with which you can show the government that a claim was properly scoped as required under the Evaluation. But the key is to be prepared, not only in terms of having your investigation and notification protocols in place before an allegation comes in but also in doing the proper triage so that you have an initial understanding of what you may be facing.

Three Key Takeaways

  • Compliance can learn from M*A*S*H about the need for triage.
  • Initial triage allows you to separate the wheat of serious allegations from the chaff of more inconsequential allegations.
  • A robust triage process allows for greater credibility with government regulators.

FCPA Compliance Report
Day 20 of One Month to Better Compliance Through HR

May 26, 2017 11:43


The key concept from the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation) is operationalization. For instance, under the query Shared Commitment is the following question: “How is information shared among different components of the company?” Under the Prong relating to Policies and Procedures, the query Designing Compliance Policies and Procedures asks, “What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?” Lastly, under the same Prong is Responsibility for Integration, with the following question: “Who has been responsible for integrating policies and procedures?”

These questions point to a Chief Compliance Officer (CCO) or compliance practitioner demonstrating how compliance is being burned into the fabric of an organization. While leadership at and from the top has long been considered by both the DOJ and compliance professionals as a key element to move compliance forward, the Evaluation has also crystallized thinking around compliance leadership from the middle and the bottom. I thought about these concepts when reading a recent Financial Times (FT) article by Andrew Hill, entitled “Leadership from the bottom up”. I was particularly struck by a quote from Shlomo Ben-Hur, a professor at IMD business school, who said, “We teach the top 5 per cent — but the majority of this work is carried out by the other 95 per cent.”

In Ben-Hur’s work he found that many executives came from the middle management ranks. They tended to be persons “with a determination to “take what I have responsibility for and make it truly great.”” Anecdotally, he related, “They typically said, ‘I’ve responsibility for the minibus,’ and people then asked them to drive bigger and bigger buses until one day they drove the whole business.” Think of the military and the responsibility given to front line commanders and how that “is increasingly reflected at large companies.”

The key for companies is that senior management must “find ways to transmit leadership skills to people who do not have ‘leader’ in their job description and will probably never attend a top-level leadership program.” Hill noted, “Ben-Hur’s work has focused on ensuring that managers understand how to assign the right jobs to their team members and motivate them to perform well, using theories of behavioural change that senior executives have typically never learnt on their way to the top. Dedicated managers well below the executive board need to know how to use these tools.”

For the CCO or compliance practitioner, this provides a clear path to help in the operationalizing of compliance by providing the tools to persons far down the organization to put compliance into the operations of a business. One thing Hill writes about is that a company should nurture such learning because, by doing so, it will not only teach practical skills around compliance but also foster a strong internal network of compliance advocates who can move initiatives up and down an organization. Moreover, as these individuals progress through the company ranks, they can take their compliance message with them at each new level.

Building on the writings of Hill and the work of Professor Ben-Hur, my suggestion is to build a Compliance Excellence Center in your company. Bring in middle managers to focus on understanding not only their roles in compliance but also how to assign the right team members to a compliance initiative and motivate employees going forward. Hill wrote that Airbus has recently established a corporate ‘university’ to spread leadership ideas through the company. Airbus’ theory behind this push is “being a leader isn’t just about being a vice-president; it’s about being able to push the company towards new ways of doing things and executing the things we have to execute. That could [apply to] a blue-collar worker on the shop floor or a VP.”

A key is not simply to train such middle and front line managers on compliance but to get them to consider rollout, effectiveness, testing and improvement. In other words, as Jay Martin would say, it is all about execution. One way to help facilitate this is through exercises using incentives to “make leadership insights stick and change workplace behavior.” Hill also writes that concepts from entrepreneurship can assist in such learning by encouraging managers to “think and act independently” to operationalize compliance. Finally, never forget mentoring as a manner to spread good compliance practices throughout a company if a more formal approach is not possible.

Too often, strategies to move a compliance program or even an initiative come from the top of an organization and are pushed down. To fully operationalize compliance, you must have leadership in compliance further down the organization which (hopefully) has been a part of the design process and can lead the implementation throughout an organization.

Three Key Takeaways

  • While tone at the top is critical, the tone at the bottom can actually work to more fully operationalize compliance.
  • 95% of the work is done at this bottom level.
  • Use HR to come up with a strategy to move compliance into the bottom for more complete operationalization.

This month’s series is sponsored by Advanced Compliance Solutions and its new service offering, the “Compliance Alliance”, which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.

FCPA Compliance Report
Everything Compliance-Episode 11

May 18, 2017 48:18


In this second of a two-part series, we conclude the panel’s discussion of the first 100 days of the Trump administration as it relates to compliance. This episode concludes with the panelists’ rants.

Matt Kelly opens with a discussion of regulatory enforcement under the Trump administration, how the ‘Trump Effect’ is negatively impacting corporations, industry responses to deregulation issues and lays down some markers around compliance issues under the new administration.

For Matt Kelly’s posts see the following:

  • Compliance in the Trump Era: More Markers Placed
  • Trump Administration Whacks Telco Firm for $892 Million
  • Drone Industry Pan Trump’s Regulatory
  • Trump Risk Disclosures Start Rolling In
  • First SEC Whistleblower Award of Trump Era
  • Sessions Dodges, Weaves, Promises on FCPA

Mike Volkov rounds out the discussion with a review of where the DOJ is currently under AG Sessions, remarks by DOJ officials on FCPA enforcement, the future of the Pilot Program and DOJ Compliance Counsel, Hui Chen.

For Mike Volkov’s posts see the following:

  • Yates, AG Sessions and Individual Criminal Prosecutions
  • New E-Book — Moving the Goalposts: The Justice Department Redefines Effective Compliance
  • FCPA Remediation Focus on Supervisory Personnel
  • FCPA Pilot Program Motors On

For the Cordery Compliance client alerts see the following:

  • EU conflicts minerals compliance legislation
  • DOJ Evaluation of Corporate Compliance: how does it compare to UK Bribery Act 2010?

For Jay Rosen’s posts see the following:

  • Still in the Enforcement Business and Evaluation of Corporate Compliance Programs
  • “It Was the Best of Times, It was the Worst of Times,” or “Ignorance is Strength”

For Tom Fox’s posts see the following:

  • The Trump Administration-Kaos is Bad for Business
  • The Trump Administration-Failures in Leadership and Management
  • The Trump Administration-Preparing for a Catastrophe
  • The Trump Administration-the Business Response
  • DOJ Enforcement of the FCPA and the International Fight against Corruption in the Trump Administration

The members of the Everything Compliance panel include:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

Everything Compliance
Everything Compliance-Episode 11

May 18, 2017 48:18


In this second of a two-part series, we conclude the panel’s discussion of the first 100 days of the Trump administration as it relates to compliance. This episode concludes with the panelists’ rants.

For Matt Kelly’s posts see the following:

  • Compliance in the Trump Era: More Markers Placed
  • Trump Administration Whacks Telco Firm for $892 Million
  • Drone Industry Pan Trump’s Regulatory
  • Trump Risk Disclosures Start Rolling In
  • First SEC Whistleblower Award of Trump Era
  • Sessions Dodges, Weaves, Promises on FCPA

For Mike Volkov’s posts see the following:

  • Yates, AG Sessions and Individual Criminal Prosecutions
  • New E-Book — Moving the Goalposts: The Justice Department Redefines Effective Compliance
  • FCPA Remediation Focus on Supervisory Personnel
  • FCPA Pilot Program Motors On

For the Cordery Compliance client alerts see the following:

  • EU conflicts minerals compliance legislation
  • DOJ Evaluation of Corporate Compliance: how does it compare to UK Bribery Act 2010?

For Jay Rosen’s posts see the following:

  • Still in the Enforcement Business and Evaluation of Corporate Compliance Programs
  • “It Was the Best of Times, It was the Worst of Times,” or “Ignorance is Strength”

For Tom Fox’s posts see the following:

  • The Trump Administration-Kaos is Bad for Business
  • The Trump Administration-Failures in Leadership and Management
  • The Trump Administration-Preparing for a Catastrophe
  • The Trump Administration-the Business Response
  • DOJ Enforcement of the FCPA and the International Fight against Corruption in the Trump Administration

FCPA Compliance Report
Everything Compliance-Episode 10

May 11, 2017 40:32


This episode is the first of a two-part series of podcasts dedicated to the chaotic (at best) first 100 days of the Trump administration as it related to compliance. Today we have Jonathan Armstrong and Jay Rosen. Next week, Matt Kelly and Mike Volkov.

Jonathan Armstrong leads a discussion of the Trump administration’s devolution of Privacy Shield, GDPR and what they mean for American companies doing business in the UK and EU. He discusses the key differences in the DOJ’s Evaluation of Corporate Compliance Programs in an FCPA analysis and under the Bribery Act, differences in the EU approach to conflict minerals and under the Trump Administration and concludes by giving us his thoughts on what Brexit means for compliance.

For the Cordery Compliance client alerts see the following:

  • EU conflicts minerals compliance legislation
  • DOJ Evaluation of Corporate Compliance: how does it compare to UK Bribery Act 2010?
  • BREXIT Glossary

Jay Rosen considers what companies the intersection of business and politics under the Trump administration, the business response he has observed to the Trump administration’s steps and missteps, the comments made by DOJ representatives at Q1 conferences and the vibe of compliance conference attendees.

For Jay’s posts see:

  • Still in the Enforcement Business and Evaluation of Corporate Compliance Programs
  • “It Was the Best of Times, It was the Worst of Times,” or “Ignorance is Strength”

For Matt Kelly’s posts see:

  • Compliance in the Trump Era: More Markers Placed
  • Trump Administration Whacks Telco Firm for $892 Million
  • Drone Industry Pan Trump’s Regulatory
  • Trump Risk Disclosures Start Rolling In
  • First SEC Whistleblower Award of Trump Era
  • Sessions Dodges, Weaves, Promises on FCPA

For Mike Volkov’s posts see the following:

  • Yates, AG Sessions and Individual Criminal Prosecutions
  • New E-Book — Moving the Goalposts: The Justice Department Redefines Effective Compliance
  • FCPA Remediation Focus on Supervisory Personnel
  • FCPA Pilot Program Motors On

For Tom Fox’s posts on the Trump administration’s first 100 days see the following:

  • The Trump Administration-Kaos is Bad for Business
  • The Trump Administration-Failures in Leadership and Management
  • The Trump Administration-Preparing for a Catastrophe
  • The Trump Administration-the Business Response
  • DOJ Enforcement of the FCPA and the International Fight against Corruption in the Trump Administration

The members of the Everything Compliance panel include:

  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Mike Volkov – One of the top FCPA commentators and practitioners around and the Chief Executive Officer of The Volkov Law Group, LLC. Volkov can be reached at mvolkov@volkovlawgroup.com.
  • Matt Kelly – Founder and CEO of Radical Compliance, is the former Editor of Compliance Week. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Rounding out the panel is our UK colleague, who is an experienced lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com

FCPA Compliance Report
FCPA Compliance Report-International Edition

Mar 29, 2017 28:32


In this episode I visit with Jonathan Armstrong on his views on the new DOJ Evaluation of Corporate Compliance Programs. Armstrong provides a detailed analysis of some of the key differences between how compliance is operationalized in the US as opposed to the UK and EU countries. He explains how the enhanced requirements for root cause analysis, risk assessments and investigations, and the supplemented requirements to tie back into the ongoing compliance monitoring and updating, could run afoul of UK and EU data protection and data privacy requirements.

He also considers what a non-US company subject to the FCPA should look to as a best practices compliance program to best protect the organization. Finally, he explores just how far all of this goes. He provides one statistic that puts a huge bow on the difficulties going forward.

For the Cordery Compliance article see the following: US Department of Justice on Evaluation of Corporate Compliance: how does it compare to UK Bribery Act 2010?

FCPA Compliance Report
Day 16 of One Month to Operationalizing Your Compliance Program

Mar 22, 2017 14:28


From the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs:  Autonomy and Resources  Stature – How has the compliance function compared with other strategic functions in the company in terms of stature, compensation levels, rank/title, reporting line, resources, and access to key decision-makers? What has been the turnover rate for compliance and relevant control function personnel? What role has compliance played in the company’s strategic and operational decisions?   Experience and Qualifications – Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?   While the DOJ’s stated position that it does not concern itself with whether the CCO reports to the General Counsel (GC) or reports independently, but it is more concerned about whether the CCO has the voice to go to the Chief Executive Officer (CEO) or Board of Directors directly, without going through the GC first. Even if the answer were yes, the DOJ would want to know if the CCO has ever exercised that right. Yet the Evaluation comes as close to any time previously in articulating a DOJ policy that the CCO be independent of the GC’s office. Therefore, if your CCO still reports up through the GC, you must have demonstrable evidence of both CCO independence and actual line of sight authority to the Board. With the operationalization of compliance, the DOJ wants to know if the if business unit of a company is responsible for at least a part of compliance. Put in the manner of the Evaluation, is compliance operationalized within your organization? An interesting angle is the real problem for a CCO if compliance is not embedded into the business; that problem is that the CCO simply becomes a policeman, telling the business unit what it cannot do. Or as I would say, being Dr. No from the Land of No. Here are some questions you should consider in evaluating this prong. 
First and foremost, is the CCO a part of the senior management or the C-Suite? Is the CCO part of regular meetings of this group? Who can terminate the CCO: is it the CEO, the Audit Committee of the Board, or does CCO termination require approval of the entire Board? Most importantly, could a person under investigation or even scrutiny by the CCO fire the CCO? If the answer is yes, the CCO clearly does not have requisite independence.

Additional questions to consider are (a) Who can over-rule a decision by a CCO within an organization? and (b) Who is making the decisions around salary and compensation for the CCO? Is it the CEO, the GC, the Audit Committee of the Board or some other person or group?

An evolution in thinking by the DOJ is looking at turnover rates, as this is not something the DOJ has previously focused upon. For any company which simply lays off its entire compliance function and rolls it into the legal department, how do you think that would appear to the DOJ if it came knocking to investigate a potential FCPA violation?

Also to be considered is the compensation, both in salary and benefits, paid to the CCO and compliance practitioners within an organization. In the FCPA Pilot Program, under Prong 3, Remediation, the DOJ said it would consider “How a company's compliance personnel are compensated and promoted compared to other employees”. This was carried forward in the Evaluation, so you will need to consider benchmarked studies or other evidence of an appropriate level of pay for a corporate compliance function.

Finally, what resources have been made available to the compliance function? This would include not only monetary budget for operationalization but also head count resources.
One might hope the days have long since passed when companies would come into the DOJ and plead the compliance function ‘only’ had $100,000, $200,000 or you name the figure in resources, to be met with the prosecutor’s question “What was your annual spend on yellow-sticky note pads?” When the inevitable response was considerably more than the entire compliance budget, the prosecutor’s response was something along the lines of “Which is more mission critical for complying with the law?”

Another evolution in the DOJ’s thinking was in experience and qualifications for the compliance function. In the Pilot Program, Prong 3 was the following, “The quality and experience of the compliance personnel such that they can understand and identify the transactions identified as posing a potential risk”. This has been broadened to “Have the compliance and control personnel had the appropriate experience and qualifications for their roles and responsibilities?”

The Evaluation demonstrates the continued evolution in the thinking of the DOJ around the CCO position and the compliance function. Their articulated inquiries can only strengthen the CCO position specifically and the compliance profession more generally. The more the DOJ talks about the independence of, coupled with resources being made available and authority concomitant with the CCO position, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to the compliance position in their organizations.

Three Key Takeaways
How can you show compliance really has a seat at the senior executive table?
What are the professional qualifications of your CCO and compliance team?
What are the resources made available to your compliance function?

This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights On Demand for FCPA, operationalizes your compliance program.
For more information, go to OversightSystems.com.

FCPA Compliance Report
Day 8 of One Month to Operationalizing Your Compliance Program

Mar 10, 2017 11:27


Operationalizing your compliance program can take many shapes and forms. Using the entire risk management process to embed your compliance program within the contours of your organization is an important, key step as it will allow you to have full visibility of your compliance risks through a longer life cycle. Forecasting allows you to consider your business strategy and wed the risks you can foresee. Risk assessments allow you to evaluate and measure known risks. Risk-based monitoring allows you to monitor the compliance risks you know and detect those you do not know, on an ongoing basis.

I think there are several key lessons to be considered by any Chief Compliance Officer (CCO) or compliance practitioner. The first is the process around risk management. Most compliance practitioners understand the need for a risk assessment as it is articulated as Hallmark No. 4 of the Ten Hallmarks of an Effective Compliance Program. From the FCPA Guidance, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” In addition to this business case, the FCPA Guidance also specified the enforcement reasons for performing a risk assessment, “DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.” The DOJ Evaluation of Corporate Compliance Programs builds on this.

Yet as compliance evolves and corporate compliance programs become more sophisticated, compliance is seen not as simply a legal prophylactic, but as a business process.
Seen in this light, it is clear the risk management process should begin with forecasting as it attempts to estimate future aspects of your business. Locwin noted that companies should be able to say with some degree of authority, “We think the following will happen in the next three months, six months, twelve months, twenty-four months, is really something that the businesses try to wrap their heads around in such a way that they can shunt resources where they think is appropriate in order to meet these future demands.”

By starting with forecasting, a compliance function utilizes risk assessment to consider issues which forecasting did not predict for or issues which the forecasting model raised as a potential outcome which warranted a deeper dive. If you are moving into a new product or sales area and are required to use third-party sales agents, a risk assessment would provide information that a company could use to ameliorate the risks.

Risk-based monitoring follows on from the issues that your risk assessment identified as your highest risks. Locwin said, “Risk-based monitoring tends to look at things on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.”

All of these three tools tie back into process management and process improvement. Locwin stated, “There’s always this balance between what’s actually important for our business or for proper execution, versus what’s actually going on in the whole process.
If you’re not measuring at a high enough resolution, you’re not capturing a lot of the environmental, market force, external factors that probably are of high leverage to your operations in business that you just don’t know about.”

Locwin tied them together with the following example, “There’s a 30% chance of this abject market failure happening, this product fails, this restaurant site contaminates people, this product doesn’t ship before Christmas, this phone explodes.” If you knew that in advance, the executive committee probably almost everywhere would say, “We have to act, and act now.” That’s where the rubber meets the road and you’ve got to forecast and have a contingency in place. A lot of times, there isn’t that level of forecasting done in advance to say, “We think there’s this 30% chance of it occurring, therefore not only do we need a strong contingency plan, but we should expect to have to use it in Quarter 2. It’s right there sitting on everybody’s dashboard all the time.”

In other words, it comes down to execution. This means you have to use the risk management tools available to you and when a situation arises, you remediate when required. This is not only where the rubber hits the road but the information and data you garner in the execution phase should be fed back into the process loop. From this, you will develop continuous feedback and continuous improvement.

I have gone through this in some detail to emphasize the business process nature that compliance has evolved into as a corporate discipline. By using these techniques, the CCO or compliance practitioner makes the business run more efficiently and at the end of the day, more profitably. The more you can bring these types of insight to a Chief Executive, the more you demonstrate how compliance adds to the bottom line and is not simply a cost center.

Three Key Takeaways
The risk management process is an important backbone of operationalizing compliance.
You should be able to monitor and measure both known and unknown risks.
All of these steps help a business to run more efficiently and more profitably.

FCPA Compliance Report
Day 6 of One Month to Operationalizing Your Compliance Program

Mar 8, 2017 12:34


The DOJ Evaluation of Corporate Compliance Programs states:

Risk Management Process – What methodology has the company used to identify, analyze, and address the particular risks it faced?

Information Gathering and Analysis – What information or metrics has the company collected and used to help detect the type of misconduct in question? How has the information or metrics informed the company’s compliance program?

I continue my exploration of the risk management process by focusing today on risk assessments. One cannot really say enough about the role of risk assessment in compliance programs. Each time you hear a regulator talk about compliance programs, it starts along the lines of you cannot manage your FCPA risk without first determining what your company’s risk is; and to determine that compliance risk, the process you should utilize comes through a risk assessment.

We previously considered forecasting. The difference between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict for, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As Ben Locwin has explained, “What you’re trying to do then is decide on how you would address these. Risk assessments should create your risk registry. Those items which are most consequential for your organization, whatever it happens to be.”

Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law, out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risk and you should consider a multitude of factors such as the operating procedures, processes and systems and training. Of course, the execution of that process is a critical component as well.
All these things, to some degree, should appear in a risk assessment for the organization. Meaning, at the corporate level, what happens if you change products or sell into a new geographic area which is perceived to be more high-risk? There should be a risk assessment node which has a component that notes these changes so that you can adapt as necessary. Locwin stated, “The risk assessment itself is designed to be able to elevate these, and if something does happen, the next step would be to take appropriate course of action to address any of those risks.”

An example illustrates the differences between forecasting and a risk assessment, yet shows how the two are complementary. This winter when I began purchasing hot coffee products from Starbucks, as opposed to the cold drinks I buy during the hotter parts of the year, I discovered that baristas no longer put sleeves on coffee cups but now require you to ask for one. The second time I had to ask for a sleeve, I inquired of the barista why I had to do so. She replied that corporate had changed the policy for environmental reasons and that she could only provide a sleeve at the specific request of the customer. When I pointed out that it slowed the line down and was much less efficient in the delivery of Starbucks’ coffee, she replied, “You're absolutely right. I hate it. Would you please email Starbucks and tell them of your dissatisfaction?”

I will let Locwin pick it up from here: “What you’ve put your finger on is the crux of the balance of forecasting versus risk assessment. They’re two very different things, but at the same time, as they weave through time, they interchange. For example, Starbucks would potentially say, “We forecast that consumers are going to be more concerned about paper use, sleeves, the economic costs to the world, of extra paper waste and things.
We’re going to, in certain locations, let’s say across Texas, we’re going to pilot that we don’t give out sleeves unless they’re asked for.” In their risk assessment, which I can tell you didn’t change from that forecast, what they then should have had was a commensurate line item which said, “If consumers start to have a problem with what’s being done at these locations, our immediate contingency plan is to do the following, to strip it away immediately, full stop, so that every cup gets a sleeve, so that they’re not slowing down lines, consumers say you heard us immediately, and then the organization is back on track.” Their forecast plans something, the risk assessment should have had countermeasures to address, and instead if they didn’t have this in place, they’re going to have to wait until they start to have a Twitter feed that blows up… The risk assessment model should say, “Then we will do the following.” Really they don’t have the capability in a lot of cases to measure the effect of this and immediately course correct. It’s probably going to be a month, two months, four months before they start to get wind of this in a consistent way to say, “Texas was dissatisfied by this change and same in our pilot in Wisconsin. Let’s stop not giving out sleeves… Then eventually that starts to dissipate and they get rid of this whole new silly paradigm.”

Locwin’s point was that your risk assessment can help to inform your response to an FCPA violation, a corporate crisis or even (in my opinion) the misstep of requiring Starbucks customers to ask for sleeves for their coffee purchases.

In another article by Locwin, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”, he noted, “knowledge is power”. He went on to add, “Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them.
There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we’ve classified them correctly. With a good understanding of each of these, we’re in a much better position to speak about the quality of our businesses.”

Three Key Takeaways
The Evaluation put renewed emphasis on risk assessments.
Risk assessments logically follow and are complementary to forecasting.
The risk assessment output allows you to prioritize your response with plan funding and deliver resources in a risk management solution.

FCPA Compliance Report
Day One of One Month to Operationalizing Your Compliance Program

Mar 1, 2017 10:10


Last month, the Department of Justice (DOJ) very quietly released a document, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), on the Fraud Section website. The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner. The document has one clear theme that I will be exploring this month—you must operationalize your compliance program.

The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation. Once again, I detect the hand of DOJ Compliance Counsel Hui Chen in not only helping the DOJ to understand what constitutes an effective compliance program but also providing solid information to the greater compliance community on this score.

Three Key Takeaways
The DOJ Evaluation requires you to operationalize your compliance program.
The DOJ Evaluation makes clear compliance is a business process.
The DOJ Evaluation is significant for what it does not focus on, legal solutions or even legal language.

This Week in FCPA
This Week in FCPA-Episode 41

Feb 24, 2017 30:42


In this special live, on-location episode, Jay Rosen and I discuss the recent SCCE 2017 Utilities and Energy Conference held in Washington, DC. He hit on the highlights, topics, vendors and keynote speakers. We also discuss the impact of the recently released DOJ Evaluation of Corporate Compliance Programs. Finally, we have a guest appearance by Jim Moore, recently installed as SVP at Trust Point International.

FCPA Compliance Report
Day 17 of One Month to a Better Board

Feb 23, 2017 13:34


In these final five days of my One Month to a Better Board series, I will look at inquiries and questions a Board can take to help the organization actually do compliance going forward. I begin with an exploration of how a Board can work to incorporate the compliance function into a long-term business strategy of the organization. A Board can do so by engaging with the Chief Compliance Officer and compliance function through having a strong Board which is committed to doing business ethically and in compliance with anti-corruption laws such as the FCPA and engaging actively with the CCO and compliance function. This post will begin a discussion of various tools and techniques a Board can use and engage to move to this level of engagement.

The first point is to develop a framework for incorporating compliance into your long-term strategy. This framework draws from the State Street Global Advisors’ strategy for sustainability and adapts it to compliance. Setting up the framework for evaluation of the compliance function is a three-step process, which you can use to determine how comprehensive your compliance program is as a starting point.

Step 1: Has the company identified the compliance issues relevant to the Board?
Step 2: Has the company assessed and incorporated those compliance issues into its long-term strategy?
Step 3: Has the company communicated its approach to compliance and the influence of those factors on its overall strategy?

From this initial inquiry you can move into some specific questions that the Board can use to determine the overall state of your company’s compliance program. First, a Board can work to identify compliance issues material to your organization. This can be accomplished with compliance-related key performance indicators, which a Board should then prioritize to elevate their impact on compliance. A Board should consider these through the life-cycle of a business line or geographic sales area.
Next, the Board should work to move compliance into the long-term strategy for the company and also have the CCO detail the long-term strategy for the compliance function. Drawing from the Justice Department’s Evaluation of Corporate Compliance Programs (Evaluation), released in February, the Board should actively work to incorporate compliance into the long-term capital allocation of the company. Obviously, the earlier the investment the better, as it brings benefits such as brand differentiation, lowering the risk profile of the company and improving nimbleness in market responses.

The Board should oversee the incorporation of KPIs into senior management performance evaluations and compensation. Once again building upon the Evaluation, which asks how the company monitors its senior leadership’s behavior and how senior leadership modelled proper behavior to subordinates, the Board should make certain systems are in place to quantify or measure performance related to compliance issues, should establish performance goals against which they measure compliance achievement and finally disclose to shareholders the material compliance issues that drive compensation, the specific goals or performance targets that management has to achieve and report on the actual performance against established goals to justify compensation payouts.

Finally, the Board should work to communicate the influence of compliance factors on overall corporate strategy by demonstrating how compliance was integrated into the business. Not only is this good from a business perspective and as a matter of shareholder expectation but also, as the DOJ Evaluation makes clear, what the government expects is the operationalization of compliance going forward. These general factors will lead us into more specific questions that a Board can pose as we continue one month to a better board for a best practices compliance program.

Three Key Takeaways
Having a long-term strategy is critical.
What is the Board’s framework for assessing compliance?
Create KPIs to measure senior management’s actions around compliance.