The FCPA world is littered with enforcement actions against companies for the most basic compliance failures – those around gifts, travel, and entertainment (GTE). Many compliance professionals struggle with issues from GTE: Violations can arise out of anything, from discrepancies between outbound and inbound reporting to simply relying too heavily on the manual process of maintaining spreadsheets.
As your company is considering RTW sometime in fall 2021, you know you will need to remind everyone about why GTE is so critical to compliance. How do you add in an analysis of more efficient business travel, time use, and even whether you need to travel for meetings?
Key points discussed in the episode:
✔️The Gifts, Travel, and Entertainment (GTE) Policy is foundational to a company’s values. GTE touches so many other pieces in a compliance program – COI, anti-corruption, anti-fraud, government contracting, donations/corporate giving, marketing in the healthcare space, etc. Small numbers are essential, and telling the truth about GTE reimbursement is critical to an ethical culture.
✔️Each company has different GTE rules in place – first, you have to take stock of what rules apply to your company and your sales force.
✔️ Look at who you do business with? If your customers are all state governments, that makes it easy – no gifts or entertainment, ever—however, companies operating in several markets may have varying customers. Be aware of what your customers can and cannot accept re: GTE.
✔️ In your organization, build a policy that speaks to your specific obligations. Make it clear that every single gift or entertainment expense must be documented and submitted, and nothing is off-books.
✔️ Include as many examples as possible in your policy – call out specific things that are not allowed (aka DO NOT GIVE ANYONE A FERRARI OR A HOUSE IN THE HAMPTONS…OR A CONGRESSIONAL SEAT).
✔️ Make things much more concrete and give people an idea of what’s appropriate and not appropriate. It is essential to call out cash and cash equivalents to explain better why It is NEVER okay to give cash or equivalents as GTE.
✔️ Train the heck out of the policy – both the broad workforce and the finance team that will be reviewing the invoices and the sales team that will be incurring the expenses. Walk them through expectations and what to watch out for as red flags.
✔️ Use checklists – give the team reviewing invoices a list of what to look for (good and bad) and have them do it (formally or informally) for each invoice.
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
Podcast
Companies with more internal reports and complaints benefit from lesser problems occurring inside. In his paper, Dr. Kyle Welch shared that overall litigation settlements of non-material matters dropped almost 20% over three years as well. It is, therefore, made clear that speak up culture is not simply about compliance and violations but building up the trust that it is safe to raise your hand and express concerns and give feedback.
Key points discussed in the episode:
✔️ Speak up culture is built on trust. Employees must trust that when they report wrongdoing, or potential misconduct, that those reports will be investigated and, if needed, actions will be taken. Without this trust, speak up culture is a pipe dream.
✔️ There is a disconnect between the employees on the front line and the senior management in most organizations; therefore, trust is part of the psychological safety that we all must work to create. Whistleblower policies and generic communications about hotlines are not good enough.
✔️ The middle managers are going to be the most influential culture builders in your organization. Create a model of engagement with middle managers – and engage with them. Hold town hall sessions, encourage transparency, and listen regularly. Remember, the flow of information and cadence is important.
✔️ Include as many ways as possible for people to reach out and speak up – formally and informally. Hotlines tend to be a “last resort,” and employees use them when they’ve exhausted other options. Let’s create opportunities to have concerns addressed faster and possibly less formally.
✔️ Be proactive – ask for feedback, concerns, and complaints. Open the lines of communication, so when there is something to report, it is already second nature for employees to report it.
✔️ Take concerns seriously and have a high say-do ratio. The basis for speak up culture is that we want employees to raise concerns. That means when they raise those concerns, we must do our part and act on them. Employees need to see things change as a result of their speaking up.
✔️ Make sure you have a clear anti-retaliation policy and that employees reporting concerns in good faith are not retaliated against.
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
Scenario: After an ongoing investigation closes on a typical day in a CCO’s life, you wonder if there is anything else to do. After reading Tom Fox’s The Compliance Handbook – 2nd Edition, you learn that a root cause analysis is now one of the hallmarks of an effective compliance program.
What steps do you take, and how do you perform a root cause analysis (RCA)?
Key points discussed in the episode:
✔️ Investigations are often the trigger for a root cause analysis, but they’re not the same thing. In an investigation, you’re trying to prove or disprove an allegation. If you uncover wrongdoing, it is crucial to continue to seek the root of the problem.
✔️ Root cause analysis lets us figure out and find the source of the problem instead of only looking at the symptoms. Think of it like going to the doctor if you’re sick. You tell the doctor all of your symptoms, they ask questions and run tests and then, hopefully, find the source of why you’re sick, and then attack that. The same principle applies to compliance.
✔️ When looking at the root cause, look for circumstances that contribute to the compliance issue – and ask these questions!
- What led to this issue?
- What conditions allowed this to happen?
- What needs to happen to keep this from happening again?
✔️ Find the problem and fix the problem. Remediate and document your changes per the DOJ Guidance.
- We’re constantly growing and building our compliance programs, but addressing the root cause includes developing a measure of success – how will we know if the remediations we put into place worked? How will we measure progress?
- Use the results of your RCA to remediate any issues you’ve found.
- Carry the RCA findings forward in any related risk assessments – monitor that your remediations are working/and adjust if they aren’t
- Update programs and processes to reflect the remediations – and don’t forget to TRAIN on anything new (including the context for the changes – tell employees WHY they should care, not that they should “just care.”
- Once fully remediated (if possible), document the remediation and how that connects to improved processes moving forward.
✔️ Root cause analysis is fundamental. Since we know the DOJ wants compliance programs to be proactive instead of reactive, root cause analysis is one of the ways we can do that. If we know people are doing things they shouldn’t do – we need to know why? Is it a problem with our hiring? A lack of controls? Not enough training? Or do we have a culture issue? We need to look under the proverbial rug to find out why things are happening, not just how they happened.
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
How to Survive a GDPR Data Breach in the USA Eventually, every company will deal with cybersecurity issues that include hacking that exploits security controls and technical, physical, or human-based elements. Such an emergency requires a robust internal incident response plan as soon as possible. Compliance leader, attorney, and international public speaker Kortney Nordrum reminds you of these crucial situations; “You want to have a plan before you have to use a plan.” Key points discussed in the episode:
✔️ Make sure there’s an incident or a crisis plan and that you have a set you’re going to call, who’s going to get on the phone, and who will make decisions. These should be documented so that there’s no time for guesswork when things are urgent.
✔️ Ensuring a solid system for awareness should start at the level of the customer service representative and the email help desk teams to preempt data breach issues. Have the right people be able to ring the right alarm bells early in your organization.
✔️ Evaluate the extent of the information security hack or breach on top of all other risk and regulatory assessments.
✔️ Determine which are the impacted customers and employees and analyze the individual countries of residence. Figure out where reporting should happen as prescribed in the General Data Protection Regulation (GDPR) of the European Union.
✔️ Set up a toll-free number for questions and work with the core team on public notices or any public response. When we see organizations getting hacked, you’ll see it on a blog before that organization says anything publicly. Make sure to direct the message rather than have gossip around what happened.
✔️ Engage a forensic firm if needed if in-house knowledge is not enough to assess what happened, how the breach occurred, and set the steps necessary to prevent it from happening again.
✔️ It is best for compliance professionals to remember what the adage says: “an ounce of prevention is worth a pound of cure.” Getting ready for a hacking incident requires early planning on initiating incident response measures tested at least yearly and reducing or preventing adverse impacts should they happen. —–
———————————————————————–
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Cou
Categories
The Compliance Budget Process
How Do You Prepare An Annual Compliance Budget? (And Ask For More Money)
Budgeting is one of the most important functions in any corporate discipline. Thought leaders do not often talk about this one in conferences and literature. Yet, it’s something that every compliance officer, every CCO, has to do and everyone down the compliance chain. Whether it’s a special project such as a Code of Conduct makeover, major tech upgrade or bringing in an external party to do a comprehensive risk assessment — explore the compliance budgeting process and learn how to plan for such expenses and understand the documentations needed to prepare.
Key points discussed in the episode:
✔️ Determine what your function is responsible for, as it varies at every organization. Identify what resides in your budget and what lives somewhere else?
✔️ Review the guidance. The DOJ’s most recent Evaluation of Corporate Compliance Programs guidance makes it clear that they expect compliance programs to be “adequately resourced and empowered to function effectively.” That means you should budget for enough:
- People to run your program
- Tools to operate and maintain your program
- Resources to make continuous improvements
✔️ Risk assess the program itself – what are the biggest needs? Where do we need more resources? Are we over-resourced in any areas?
- Have internal operations changed?
- Have laws or regs changed – or enforcement ramped up?
- Are there any new risks that we’ve never had before?
✔️Do we have any compliance “messes” or issues that need to be addressed or cleaned up? If so, what will those cost?
✔️ What special projects or improvements are we planning? What do we need to make those projects/improvements successful?
✔️ Benchmarking – look at surveys, talk to other compliance professionals
✔️ Build allies. Talk to anyone who may be able to support or influence your budget. Take the opportunity to explain why you need what you’re asking for and why/how it will help the organization.
✔️ There aren’t any hard and fast rules about budgeting for compliance departments. If you’re under-resourced, it is your job to make enough noise that the C-suite and the board realize what risks underfunding compliance brings to the organization. If nothing else works, use the big guns – worst-case scenarios and how much they could cost.
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
How do you deal with having a leader who runs a public corporation?
Scenario: So you have a superstar CEO who is hyper-intelligent, dynamic, disruptive, and indeed uber-famous, and that person can bend the wind to his will, or so he thinks. Unfortunately, he also thinks rules and regulations like the SEC, disclosure, and financial statements are only for mere mortals, of which he is not one. He routinely makes questionable statements that drive his share price up and down. He also threatens employees with termination on the spot for those who don’t meet his rigorous work standards, even though the company has a written due process policy that H.R. has implemented.
As a compliance professional, how can you create a structure and work with a CEO who has an over-the-top personality and protect the company and work with that going forward? How do you utilize your Board of Directors? And other than perhaps giving your resignation or not taking the job to start with, — where might you start?
Key takeaways in the episode:
✔️ Why some great founders of disruptive companies struggle to transition into becoming mature corporate leaders. We run through several scenarios of a cult of personality with CEOs that started long before the technology boom and how leaders sometimes have destructive impulses that hurt their corporation?
✔️ Visionaries need practical people who know the rules, controls, and laws to run a company successfully. Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, states that a company will crumble without both. As compliance professionals, it is our job to rein it when all creative people don’t necessarily understand the rules they have to live by.
✔️ The Board of Directors’ job is to protect the company. If the CEO is a liability or presents insurmountable risks, that will ultimately fall on the board’s shoulders. Leverage your independent directors because, at the end of the day, the Board is the boss of the CEO.
✔️ Assess who is under the spell of the CEO? Is it internal, or is it external? If people are so bought into the person that they agree to whatever he says, it’s an internal culture issue. Ensure that some people are keeping perspective and monitoring controls are being enforced.
✔️ Why startups should institute internal controls early. As soon as you start employing people and go through hiring and payroll processes, that’s when you have to start caring about compliance and ensuring you have internal control structures to support what you’re building.
✔️ Culture trumps everything. Whether you’re working for a very charismatic disruptor CEO or a conservative CEO, the company’s culture should be one of compliance. If it’s not, then as a compliance professional, it’s your job to try to establish that.
✔️Even if you work for a disruptive leader, a high-flying, uber technologically savvy person, if they still respect you and your work, that’s key in leadership. In business, there are many negotiables, but it is imperative not to lose sight of being a decent human being and respecting others — that’s the one non-negotiable.
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
How to manage if a conflict of interest arises in your organization?
Scenario: It’s Friday, July 3, and the General Counsel is on holiday. At 4 PM, you get a call from someone who tells you he has a deal with the CEO to be put on the Board of Directors. He further says he’s held up his end of the agreement to loan the CEO $5MM for a Board seat. He says he has the email traffic and will file a suit unless he is named to the Board within three days. He says the GC has approved this deal and is on the email trail.
What can you do? You review the code of conduct and believe it’s a Conflict of Interest (COI). There are four new Board members. Did they have similar arrangements?
In this episode, Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation, thresh out what to do if you are in a similar scenario and assess the best approach and manage corruption within your organization.
Key takeaways in the episode:
✔️ Make your first call with outside counsel. If members of the BOD are suspect, you wouldn’t want to tip them off by calling the Audit Committee chair – especially if that individual may be part of the problem.
✔️ Push to have outside counsel perform the special investigation instead of the BOD. That way, the results are above reproach.
✔️ Board membership should be vetted by counsel, especially when it comes to COI.
✔️ Reiterate that disclosing a conflict of interest is required, but that doesn’t mean that the conflict will cause a problem. Conflicts have to be managed. Some of them will result in the Board, the CEO, executive leadership, or members of the workforce not being able to take the actions they want to take.
✔️ Use COI incidents as an opportunity to retrain, reeducate and build awareness with the rest of the workforce on conflicts of interest and the code of conduct.
✔️ Train people in person on conflicts of interest and use real-life examples. COIs can be much broader, and ensure you name those. It can be sending business to a relative, a wife, or a child on the payroll can be a wide variety of things.
✔️ When you’re appointing so much of the Board and looking for people to help run your company, full diligence is really important.
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
Are you up and ready to return to the workplace?
Scenario: The CDC has dropped its mask mandate and social distancing guidelines. Your CEO says he wants plans for returning to the workplace (RTW) from each department head in one week. You are in the middle of evaluating your compliance training program, which for the past year has been virtual and remote, and you push to the back burner to get ready to return to the office. One day into that project, you get an email from the CEO who says he wants compliance training to be updated for RTW and, by the way, make it more exciting and relevant.
You call HR and ask if there have been any training evaluation surveys, and it turns out there have not been any, so you don’t know where the CEO’s comment came from.
What are some of the key steps you think about to improve the quality of your compliance training, make it applicable to RTW, make it effective, and most importantly, avoid compliance training fatigue?
Key takeaways in the episode:
✔️ Measures relating to RTW issues. Returning to work presents the perfect opportunity to train (or retrain) everyone on basic COVID practices and compliance responsibilities. Many states and jurisdictions require COVID-specific training before reopening offices.
✔️ Risk ranking employees for compliance training. Determine who needs what training through risk ranking by job duties. Train people on what they need to know and don’t throw extra training at anyone “just to be safe.”
✔️ The benefits of live training. Human interaction is essential. Think about how much richer the context is if you do compliance training at the yearly sales kickoff event, this shows your people the personal element to compliance.
✔️Which is better, a one-hour online course v. monthly 5-minute training videos? Either way works. Adults need to hear information approximately seven times before they remember it. Short, monthly videos would help with that retention. On the other hand, a more extended module would allow for more context and real-world scenarios in training. Both have benefits and takeaways.
✔️ Measure effectiveness with what happens AFTER training — are your people making good choices? Are issues being caught and reported? Do people come to HR/Compliance/Legal with questions/issues/red flags?
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear, and give you some lessons learned going forward. This show is hosted by the Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation.
Today’s episode is all about JOINT VENTURES. New sets of compliance risks arise for companies subject to the Foreign Corrupt Practices Act (FCPA). Suppose that you are given two weeks to close a joint venture, what are concrete steps you can take to protect the organization and help the joint venture do business ethically and profitably?
Key steps & takeaways discussed in the episode:
✔️ Set expectations and figure out what Compliance is exactly in charge of handling. Initiate M&A due diligence process and send DD questionnaire to the integration/JV manager.
✔️ Brief the team on the advanced timeline and reprioritize DD based on risks.
✔️Learn key steps to expect from outside counsel and what can you do in-house as well?
○ Counsel:
· Responsible for drafting agreements
· Need to advise on government approvals and registration/licensing if needed
· Deep dive into the JV candidate company and their Board/Executive leadership
· Antitrust management – with JV candidate and their counsel
· Engage a third-party diligence organization to do boots-on-the-ground diligence in foreign partner country
○ In house:
· Compliance, privacy, and risk diligence – including questionnaires, interviews, meetings, and reviewing evidence and documents provided by the JV candidate
· Training the internal JV team on what they can and can’t do throughout diligence (what they can disclose, ask about, and plan for)
· Preparing readouts and diligence summaries for the Board
✔️It always pays to be prepared. People don’t always have the resources needed. Putting together a toolkit that you can rely upon when the timing is condensed will be helpful. Having a backpack full of tools for M&A, a questionnaire already equips you to respond to a speedy timeline.
✔️Build a cadence with your business, your CEO, your executive leadership that keeps you in the loop. Be the trusted business adviser who masters compliance, ethics, and legal requirements. Make it clear that your business savvy and proactively address concerns; then it will build your credibility. Also, do not be a panic button. Do not raise a red flag unless you need to raise a red flag.
✔️ Never stop engaging in due diligence. You never stop communicating, learning, finding out, and obtaining information. Data is a two-way street. It is both inbound and outbound. Always prepare for the unexpected when the unexpected hits, what do you do because you have prepared so it’s not unexpected.
—————————————————————————-
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
One afternoon at 4 PM, you get a call from the local Securities and Exchange Commission office, and they say they want to come by in two days to review your company’s Code of Conduct. You ask them why they want to review your Code. They tell you that it is a foundational document of your compliance program and view it as an internal control and, therefore, enforce it under the FCPA. They want to review all aspects of your Code design, implantation, training, and rollout.
What steps do you need to take to demonstrate the robustness of your Code but also your training and ongoing communications on it?
How do you dig deeper and review the Code of Conduct design, implementation, and review process?
How do you make sure facts on the ground have not changed and that your Code is still relevant?
IN THIS NEW EPISODE, Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation, break down the steps you need to take to survive (and ace) the Code of Conduct investigation review by the SEC.
Major takeaways discussed in the episode:
✔️ Dig deeper and review the Code of Conduct design, implementation, and review process. Show any changes or amendments, what was the process for these actions. Finally, how do you make specific facts on the ground that have not changed and that your Code is still relevant?
✔️ Build a focus group and pull in people from teams in audit, finance, I.T., business folks, and procurement to assess the current Code to identify what works, what doesn’t, and what’s missing.
✔️ Another vital step is benchmarking. Search and see examples of codes, whether a private or public company, big or small, to benchmark against and identify where you think you should be and where others are in your industry.
✔️ Develop a code that you’re proud of and that you want to display to the world. It should reflect and be tailored to fit your organization and not any other.
✔️ Approval and buy-in from the Board and top management are necessary to lend credibility and authenticity to the Code’s core message. This serves as the organization’s Bible for how to operate.
✔️ Identify your Code of Conduct training protocol and require annual attestation that the Code of Conduct is read and understood by all employees and directors.
✔️ Checklist of evidence to present to the SEC
■ Creation/Design
● Focus group minutes
● Drafts and updates to prior code language
● Benchmarking data and session information
● Translations
● Code launch plan – detailing Communications, emails, mgr meetings, printouts, CEO video
■ Training
● Training records & attestations
● Transcript of Code of Conduct training
■ Operationalization
● Culture and compliance surveys
● The open rate on emails/click rate on Code on the intranet
● How often employees reach out with questions
● Hotline calls and investigations
● Are people making good choices? Root cause analysis of non-compliance
—————————————————————————-
Welcome to SURVIVE AND THRIVE, the newest addition to the Compliance Podcast Network. Hosted by the Compliance Evangelist Thomas Fox and Kortney Nordrum, Regulatory Counsel & Chief Compliance Officer, Deluxe Corporation. This is a podcast where we unpack compliance, crisis disasters and walk you through all the red flags which appear and give you some lessons learned going forward.
Do you have a podcast (or do you want to)? Join the only network dedicated to compliance, risk management, and business ethics, the Compliance Podcast Network. For more information, contact Tom Fox at tfox@tfoxlaw.com.
