Author: admin

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 31 – Using a Root Cause Analysis for Remediation

The 2023 ECCP re-emphasized the need for both performing a root cause analysis but equally importantly using it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.” It went on to state, what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk.”

When you step back and consider what the DOJ was trying to accomplish with its 2023 ECCP, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

 Three key takeaways:

1. The key to using a root cause analysis is objectivity and independence.

2. The critical element is how did you use the information you developed in the root cause analysis?

3. The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization.

Categories
Daily Compliance News

Daily Compliance News: January 31, 2024 – The $70,000 Watch Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

• Germany to seize $2 billion worth of bitcoin. (NYT)

• Musk’s $55 billion pay package is voided.  (FT)

• An Ecuadorian official got a $70,000 watch as a bribe.  (Bloomberg)

• More lawyer trouble for fake ChatGPT citations.  (Reuters)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
The Hill Country Podcast

The Hill Country Podcast – The Hill Country Arts Foundation

Welcome to the award-winning The Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth. In this podcast, Hill Country resident Tom Fox visits with the people and organizations that make this the most unique area of Texas. This week the Hill Country Podcast cross-posts the first episode of the Hill Country Arts Foundation podcast, with co-hosts Mia Church and Sarah Derousseau. They discuss the Hill Country Arts Foundation and what is going on there this season and into 2024.

Resources:

Hill Country Arts Foundation

Categories
Great Women in Compliance

Great Women in Compliance – A Roundtable Discussion with Asha Palmer and Jason Meyer on Neurodivergent Learners

Welcome to the Great Women in Compliance Podcast. In this #GWIC episode, Ellen Hunt and Sarah Hadden visit with Asha Palmer and Jason Meyer about their experiences with neurodiversity and neurodivergent workers.

You can hear this episode on Corporate Compliance Insights or wherever you hear podcasts. https://lnkd.in/d9VGcfw

We live in a neurodiverse world, but what should Compliance do to reach neurodivergent workers? In this roundtable discussion with Asha Palmer, SVP of Compliance Solutions at Skillsoft and Jason Meyer, founder of the NeuRO Inclusion Initiative, we explore this question and talk about how Compliance can get its critical messages out in a way that they are understood by all. With an estimated 20% of the workforce being neurodivergent, now is the time to adapt and adjust how we are presenting compliance information so that it is neuroinclusive.

Listen in to learn more about:

  • How to create easy-to-digest bite-sized learnings to avoid cognitive overload not only for neuro divergent workers but for everyone;
  • Methods other than “separate but equal” to include the neuro divergent; and
  • Getting the feedback that you need to meet your learners where they are.

Additional Resources:

Categories
Compliance Into the Weeds

Compliance Into The Weeds: Oscar Season and Internal Controls

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into a payments and internal controls miasma involving actors Tom Holland and Tom Hollander.

The recent incident involving British actor Tom Hollander, who accidentally received a payment intended for Tom Holland due to a mix-up at their shared talent agency, has brought to light the critical importance of robust accounting controls for payments. Tom emphasizes the need for a second set of eyes to oversee payments and ensure they are going to the correct recipients. He suggests that smaller organizations can implement human review controls, while larger ones may need to rely on technology such as robotic process automation. Matt is highlighting the potential legal and regulatory consequences of sending payments to the wrong recipients. He stresses the need for organizations to demonstrate to regulators that errors are rare and accidental and that they have effective assurance processes in place. Join Tom Fox and Matt Kelly as they delve deeper into this topic in the latest episode of Compliance into the Weeds.

Key Highlights:

  • Payment Mix-up Highlights Importance of Internal Controls
  • Error Prevention and Correction in Payments
  • Mitigating Compliance Risks with Internal Controls

Resources:

Matt on Radical Compliance

Tom 

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
Blog

Using a Root Cause Analysis for Remediation

The 2023 ECCP re-emphasized the need for both performing a root cause analysis but equally importantly using it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”

It went on to state, what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk”).” The following questions were then posed:

Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?

Prior Weaknesses—What controls failed? If policies or procedures should have prohibited the misconduct, were they effectively implemented, and have functions that had ownership of these policies and procedures been held accountable?

You should begin with the question of who should perform the remediation; should it be an investigator or an investigative team which were a part of the root cause analysis? Jonathan Marks, believes the key is both “independence and objectivity.” It may be that an investigator or investigative team is a subject matter expert and “therefore more qualified to get that particular recourse”. Yet to perform the remediation, the key is to integrate the information developed from the root cause analysis into the solution.

Marks further noted that the company may also have deficiencies in internal controls. More importantly, the failure to remediate gaps in internal controls “provides the opportunity for additional errors or misconduct to occur, and thus could damage the company’s credibility with regulators” by allowing the same or similar conduct to reoccur. Finally, with both the 2023 ECCP and FCPA Corporate Enforcement Policy, the DOJ has added its voice to prior SEC statements that regulators “will focus on what steps the company took upon learning of the misconduct, whether the company immediately stopped the misconduct, and what new and more effective internal controls or procedures the company has adopted or plans to adopt to prevent a recurrence.”

As required under the 2023 ECCP, from the regulatory perspective, the critical element is how did you use the information you developed in the root cause analysis? Every time you see a problem as a CCO, you should perform a root cause analysis. Was something approved or not approved before the untoward event happened? Was any harm was done? Why or why not? Why did that system fail? Was it because the person who is doing the approval was too busy? Was it because people didn’t understand? It is in answering these and other questions which have been developed through a root cause analysis that you can bring real value and real solutions to your compliance programs.

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step processes, in which one process can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its 2023 ECCP, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program: Day 30 – The Foreign Extortion Prevention Act

The compliance community has long recognized the gaping hole in the FCPA. As a supply-side law, it criminalizes the payment of bribes, not the demand to pay a bribe or extortion. The gap was recently filled by the Foreign Extortion Prevention Act (FEPA), which extended crucial protections to Americans working abroad and provided the DOJ with a potent new tool. By criminalizing both the giving and demanding of foreign bribes, FEPA seeks to level the playing field for American workers while fostering ethical business practices globally. FEPA represents a promising solution to protect Americans working overseas, promote fair business competition, and combat corruption on a global scale. With its potential to bring about meaningful change, FEPA is a vital step in safeguarding American values and interests in the international arena.

Sam Rubenfeld, cited Scott Greytak, the director of advocacy for Transparency International US, for the following: “FEPA is a landmark, bipartisan law that holds the potential to help root out foreign corruption at its source. It is arguably the most sweeping and consequential foreign bribery law in nearly half a century.”

Three key takeaways:

1. FEPA changes the game for ABC.

2. Make sure your policies and procedures capture any extortion attempts made illegal under FEPA.

3. Determine your external reporting for FEPA violations.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Innovation in Compliance

Innovation in Compliance – Dr. Karen Jacobson on Uncovering The Impact of Behavior

Innovation comes in many forms, and compliance professionals need to not only be ready for it but also embrace it. Today, I visited Dr. Karen Jacobson, a renowned expert in organizational leadership and communication.

Dr. Jacobson brings a unique perspective to her work, shaped by her diverse experiences ranging from serving in the military in Israel to running chiropractic offices in New York and Arizona. Dr. Jacobson’s holistic approach to organizational leadership and communication is rooted in her belief that work positioning, repetitive movements, and physical challenges are all interconnected and can impact the overall functioning of an organization. Drawing from her experiences in war, military, healthcare, and even competitive amateur ballroom dancing, she emphasizes the importance of core human connection skills such as conflict reduction, effective communication, and motivation. Her background as a chiropractor also gives her insights into understanding people and their behavior, including habits that affect posture and confidence. Join Tom Fox and Dr. Karen Jacobson on this episode of Innovation in Compliance.

Key Highlights:

  • Understanding behavioral styles is crucial for effective communication in the workplace.
  • Adapting communication for different generations and cultural differences is essential for effective workplace communication.
  • Effective leadership outside the United States requires understanding and respecting different cultures and customs.
  • Understanding personal strengths and leading with them can lead to more effective leadership.

Resources:

Karen Jacobson

Website

LinkedIn

Facebook

Twitter

YouTube

Instagram

 

Tom Fox

Instagram

Facebook

YouTube

Twitter

LinkedIn

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Daily Compliance News

Daily Compliance News: January 30, 2024 – The Venezuelan Sanction Redux Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • WWE President resigns after allegations of assault and trafficking.  (NYT)
  • How Moro fell from grace. (FT)
  • Venezuelan sanctions are back on. (Bloomberg)
  • The first ADM shareholder suit for fraud was filed. (Reuters)

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Blog

What is a Root Cause Analysis?

One of the biggest changes in the 2020 FCPA Resource Guide, 2nd edition, is the addition of a new Hallmark, entitled, Investigation, Analysis, and Remediation of Misconduct, which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

There are many interesting aspects to this Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations Hallmark, which stated, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response,”. Now beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

This clearly mandates that once an allegation or even suspicion comes to the attention of compliance, it must be properly triaged, your investigation protocol should kick in with a detailed and effective investigation that is completed in a reasonable time and provide a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis. This builds upon several sources.

The 2023 ECCP also raised the following questions under “Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”

Well known fraud investigator Jonathan Marks, partner at BDO, defined a root cause analysis as “research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”

However, there is no one formula for performing a root cause analysis. One protocol, articulated by Health COMPass, advocates a four-step process which includes:

Step 1: Identify possible causal factors. Using the incident(s) to identify causal factors—things that cause or contribute to the compliance failure. It includes asking such questions as:

• What sequence of events leads to the problem?

• What conditions allow the problem to occur? [e.g., traditional values and practices]

• What problems co-exist with the central problem and might contribute to it? [e.g., lack of health facilities]

• Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves (based on their own experience) and stakeholders “why” or “so what” questions to identify causal factors.

Step 2: Identify the root cause. To find root causes—the primary sources of the compliance violation—start with the causal factors and ask why. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “Why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes. One is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.

Step 3: Identify communication challenges. Now ask which root causes are challenges that compliance can and should address and which are not. Share findings about other root causes with local authorities and leaders or organizations that might be able to address them.

Step 4: Prioritize compliance challenges. If root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the main cause. To determine rank, consider:

• The potential impact of addressing the compliance failure. The greater the potential impact, the more important it is to address.

• How difficult it will be to reach the audience associated with the compliance failure.

• The mandate attached to the funding.

• If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.

Another approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the folks at iSixSigma.com believe this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “Five Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

To use this approach, iSixSigma.com suggests the following protocol. Begin by writing down the specific problem, which assists you to formulate the issue or problem. Then begin asking, “Why?” Ask why the compliance failure occurred write the answer down below the problem. But do not stop there if this first response does not “identify the root cause of the problem that you wrote down in Step 1, ask why again and write that answer down. Loop back to step 3 until the team is in agreement that the problem’s root cause is identified. Again, this may take fewer or more times than five whys.”

Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”