Categories
Great Women in Compliance

Great Women in Compliance: Bets Lillo on Compliance and Boards of Directors

Welcome to the Great Women in Compliance Podcast. In this episode, Lisa Fine visits with Bets Lillo about her experience on a corporate Board of Directors and how to utilize an ethics and compliance background to maximize your opportunities to serve on a Board of Directors.

Bets is an engineer and corporate executive with a rich background in sales, technology, finance, operations, and M&A. She is a recognized expert in risk management. She brings a unique perspective on the role and value of compliance professionals in enterprise transformation, believing that they can bring extraordinary value to boards due to their broad understanding of business operations. She emphasizes the importance of compliance professionals being effective because of their experience in an influence and collaboration context, as they focus on being creative, recognizing ethical decision-making, and reducing risk. She also encourages compliance professionals to enhance their qualifications by obtaining a board certification from a credible organization. Join Lisa Fine and Bets Lillo on this episode of the Great Women in Compliance podcast for her insights into how to become a viable candidate for board service and how to succeed in that role.

Key Highlights:

  • Maintaining Operations and Compliance During Transformation
  • The Strategic Value of Compliance Professionals
  • Elevating Compliance Professionals on Board: Expert Listeners and Observers
  • Building Relationships for Board Opportunities
  • Transitioning to Corporate Boards through Nonprofit Experience

Resources:

Join the Great Women in Compliance community on LinkedIn here.

Categories
Blog

Internal Reporting and Triaging of Claims

The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond going forward. This system has become even more important after the 2022 announcement of the Monaco Memo. Further, as the 2022 ABB FCPA resolution made clear, self-disclosing to the DOJ is the vital first step for all discounts under the Corporate Enforcement Policy to begin.

This scenario was driven home by the WPP Foreign Corrupt Practices enforcement action in 2021. Here, a whistleblower reported internally on allegations of bribery and corruption in the company’s India subsidiary. WPP turned over the investigation to an inexperienced accounting firm in India and then allowed the investigation to be controlled by the business unit management that was engaging in the bribery and corruption. The result, unsurprisingly, was no adverse findings. However, the whistleblower did not stop there and reported six more times (seven total) with an increasing amount of documentary support. Finally, the company took the allegations seriously and commissioned an internal investigation.

Internal reporting. The 2020 FCPA Resource Guide, 2nd edition, has as clear and concise a statement about hotlines as any other requirement found in Hallmarks of an Effective Compliance Program. It states:

An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.

The Evaluation reinforced this language with the following found under Reporting and Investigation:

How has the company collected, analyzed, and used information from its reporting mechanisms? How has the company assessed the seriousness of the allegations it received? Has the compliance function had full access to reporting and investigative information?

This is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers who are trained on how to handle employee concerns; they must be incentivized to take on this compliance responsibility and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns.

The reason is that a business’s own employees are a company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the U.S. Sentencing Guidelines and the Organization for Economic Cooperation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank Whistleblower provisions also give heed to the implementation of a hotline.

What are some of the best practices for a hotline? Start with the following:

Availability. Your reporting mechanism should be easily accessible to your entire employee base. This may require more than one tool, such as telephone reporting, internet reporting and other mechanisms.

Anonymity. There must be a manner to make reports anonymously if the reporter so desires.

Escalation. You must have a protocol or mechanism to take any reports up the chain if they warrant being heightened within the organization.

Follow-up. There must be a sufficient follow-up protocol to make sure any reported events receive the warranted attention. There should also be a way to keep the incident reporter informed as to the progress of the matter within your investigative protocol.

Oversight. There should be multiple levels of review within your organization on reports which come into your organization. This would include senior compliance department staff, senior company management and up to the Board of Directors.

In the area of internal company investigations, if your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Furthermore, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is that they do not believe that the process will be fair.

After your investigation is complete, the Fair Process Doctrine demands that any discipline must not only be administered fairly but it must be administered uniformly across the company for a violation of any compliance policy. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Triaging claims. Given the number of ways that information about violations or potential violations can be communicated to the government regulators, having a robust triage system is an important way that a company can determine what resources to bring to bear on a compliance problem.

Jonathan Marks has articulated a five-stage triage process which allows for not only an early assessment of any allegations but also a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider what will be the types of evidence to review going forward. Finally, before selecting a triage solution, understand what tools are available, including both forensic and human, to complete the investigation.

Marks’ five-stage process for early assessments is as follows:

Stage 1. These consist of allegations that have a low threat level and do not suggest a breakdown of internal controls. Tips that get grouped into this stage do not have a financial or reputational impact.

Stage 2. These allegations are more serious in nature, and often indicate some deficiency in the design of internal controls. Examples include business rule violations such as recurring employee theft or patterns of falsifying expense reports.

Stage 3. These allegations are serious in nature, generally involve an override of internal controls, and thus are at a minimum a serious deficiency. But they have only a minimal impact on the financial statements or the company’s reputation. More serious allegations in this category include fraud, embezzlement, and bribery involving employees or mid-level management.

Stage 4. These are serious allegations that could have an impact on the completeness and accuracy of the audited financial statements, and that could indicate a material weakness in internal controls. They do not, however, appear to involve any member of the senior management team.

Stage 5. These are serious allegations that involve one or more members of the senior management team or are serious enough to damage the company’s reputation. The receipt of allegations in this stage usually places the company into crisis management mode and could result in the restatement of audited financial statements or added regulatory scrutiny.

Finally, after you ascertain you have an effective reporting mechanism through your hotline and demonstrate you have a robust and properly scoped investigation protocol, you must use the information you receive to remediate any issues which may arise. It is not enough merely to show that a hotline exists; you must present the data it produces.

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 23 – The Investigation Protocol

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate in consultation with other groups, such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows the compliance team to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, there are a variety of factors around giving credit to corporate investigations, including: Did management, the board, or committees consisting solely of outside directors oversee the review? Did company employees or outside parties perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

Three key takeaways:

1. A written protocol, created before an investigation, is a key starting point.

2. Create specific steps to follow so there will be full transparency and documentation going forward.

3. Consistency in approach is critical.

For more information on Ethico and a free White Paper on top compliance issues in 2024, click here.

Categories
Data Driven Compliance

Data Driven Compliance: The Journeys of Albemarle and ABB to Data-Driven Compliance, Part 2

Are you struggling to keep up with the ever-changing compliance programs in your business? Look no further than the award-winning Data-Driven Compliance podcast, hosted by Tom Fox. This podcast features an in-depth conversation around the uses of data and data analytics in compliance programs. Data-Driven Compliance is back with another exciting episode. In this special second part of a two-part podcast, I co-host with Vince Walden, CEO of KonaAI, to visit with our guests Andrew McBride, Chief Risk Officer at Albemarle, and Tapan Debnath, Head of Integrity, Regulatory Affairs, and Data Privacy—Process Automation at ABB, on their respective companies’ journeys to data-driven compliance.

Debnath’s perspective on the challenges and strategies in compliance data analytics is centered on the need for clear goals, defined processes, and the importance of early planning and resource allocation. He sees compliance data analytics as a journey rather than a project, encouraging organizations to start with imperfect data and refine their processes over time. On the other hand, McBride’s perspective is focused on prioritization, resource allocation, and audience-driven decision-making. He emphasizes the iterative nature of data analytics projects and believes that a successful ethics and compliance program does not necessarily require a large data analytics team, but rather the right roles and support from the IT function. Join Tom Fox and Vince Walden as they delve deeper into these insights with Tapan Debnath and Andrew McBride on this episode of Data-Driven Compliance.

Key Highlights:

  • Navigating Data Privacy Laws Across Jurisdictions
  • Strategic Steps in Ethics and Compliance Analytics
  • Unlocking AI’s Potential in Compliance Analytics
  • Actionable Insights from Data Analytics
  • Leveraging Documentation for Enhanced Compliance and Risk Mitigation

Resources:

Vince Walden on LinkedIn

KonaAI

Tom Fox 

Categories
Daily Compliance News

Daily Compliance News: January 23, 2024 – The Gen Z Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • Exxon sues to prevent shareholders’ climate petitions at Board meeting. (BBC)
  • Toughening China’s forced labor import ban is coming. (WSJ)
  • Gen Z is taking on more part-time jobs. What are the compliance risks? (WaPo)
  • Binance fights SEC oversight. (Reuters)

Categories
Blog

The Investigation Protocol

After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it promptly, thoroughly and with competent personnel. The 2023 ECCP provided this series of questions about your internal investigations:

Properly Scoped Investigations by Qualified Personnel—How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?

Investigation Response—Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?

Resources and Tracking of Results—Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the effectiveness of the hotline, for example by tracking a report from start to finish?

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hotline, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate in consultation with other groups, such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties once an allegation is made. This allows the compliance team to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, there are a variety of factors around giving credit to corporate investigations including: Did management, the Board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

In a presentation, Jay Martin, former Chief Compliance Officer at Baker Hughes, and Jacki Trevino, Director, Relationship Manager at True Office Learning, discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up; and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations in a clear, concise and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document” not only the steps you took but why and the outcome obtained.

Opening and categorizing the case. This is the first step to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. After notification, you should assemble your investigation team for preliminary meetings and assessments. This step should be accomplished in one to three days after the allegation comes into compliance, either through your reporting structure or other means.

Planning the investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, or relationships need to be analyzed through relationship software programs or key word search programs, this should also be planned out at this time. These tasks should be integrated into a written investigation or work plan so that the entire process going forward is documented. Also, if there is a variation from the written investigation plan, such variation should be documented, with an explanation provided as to why there was such a variation. Lastly, if international travel is involved this should also be considered and planned for at this step. This step should be accomplished within another one to three days.

Executing the investigation plan. Under this step, the investigation should be completed. I would urge that the interviews not be effected until all documents are reviewed and ready for use in any interviews. Care should be taken to ensure that an appropriate Upjohn warning is issued, and that the interviewee clearly understands that whoever is performing the interview represents the company and not the person being interviewed, whether they are the target of the investigation or not. The appropriate steps should also be taken to preserve the attorney-client privilege and attorney work product ruminations. This step should be accomplished in one to two weeks.

Determining appropriate follow-up. At this step, the preliminary investigation should be complete, and you are ready to move into the final phases. In some investigations, it is relatively easy to determine when the work is essentially complete. For example, if the allegation is both specific and narrow, and the investigation reveals a compelling and benign explanation for the conduct alleged, then the investigation typically is complete, and you are ready to convene the investigation team and the relevant business unit representatives. This group would decide on the appropriate disciplinary steps or other actions to take. This step should be completed in under a week. (Note that at this step, if there are findings of specific or discrete allegations of corruption and bribery, a decision must be made as to how to handle such findings going forward.)

Closing the case. Under this final step, communicate the investigation results to the stakeholders and complete the case report. Everything done in the above steps should be documented and stored, either electronically or in hard copy form. The case report should be completed. This step should be completed in under a week.

Categories
31 Days to More Effective Compliance Programs Uncategorized

31 Days to a More Effective Compliance Program – Day 22 – Levels of Due Diligence

Due diligence is generally recognized in three levels: Level I, Level II, and Level III. Each level is appropriate for a different level of corruption risk. The key is to develop a mechanism to determine the appropriate level of due diligence and then implement that going forward.

The 2023 ECCP stated, “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the need for, and degree of, appropriate due diligence may vary based on the size and nature of the company, transaction, and third party, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”

The question becomes how you use the information you obtained in the business justification and the questionnaire to determine an appropriate level of due diligence for the next step in the five-step process of third-party management. A three-step approach with varying levels of due diligence is the appropriate analysis to take going forward.

There are many different approaches to the specifics of due diligence. By laying out some of the approaches, you can craft the relevant portions of your program. The Level I, II, and III trichotomy appears to have the greatest favor and is one that you should be able to implement in a straightforward manner. But the key is that you must assess your company’s risk and then manage that risk. If you need to perform additional due diligence to answer questions or clear red flags, you should do so. And do not forget to “Document, Document, and Document” all your due diligence.

Three key takeaways:

1. Level I due diligence should only be used when there is a low risk of corruption.

2. Level II due diligence is sufficient in a high-risk jurisdiction if there are no red flags to be cleared.

3. Level III due diligence is a deep-dive, boots-on-the-ground investigation.

Categories
Corruption, Crime and Compliance

Deep Dive into DOJ and SEC’s SAP FCPA Enforcement Action

Bribery is rampant in many countries around the world, and in this episode of Corruption, Crime, and Compliance, we take a look at a recent FCPA case involving SAP, a global software company. SAP’s violations spanned multiple countries, including South Africa and Indonesia, and resulted in prosecution and a hefty $220 million penalty. However, many people were baffled by the resolution of this case. The DOJ lacked aggressiveness and failed to impose an independent compliance monitor. Join the host, Michael Volkov, as he analyzes the intricacies of this case and the implications for FCPA enforcement in the coming years.

  • SAP is a recidivist company, but DOJ’s enforcement action against them did not seem to take that into account when holding them accountable for instances of bribery that spanned the globe.
  • As the DOJ seemed to take a step back, the SEC made an aggressive push into holding companies accountable for violating internal controls, which is what happened in the SAP case.
  • SAP’s repeated failure to follow internal control requirements governing third parties serves as a cautionary tale for companies to ensure that their procedures are not only in place but also actively implemented and monitored.
  • Clear Channel’s former Chinese subsidiary, Clear Media, engaged in deceptive practices to fund illegal payments, including creating false invoices and tax records, but even after internal audits, Clear Channel failed to take aggressive remedial actions.
  • Clear Channel demonstrated a clear commitment to addressing the issues in the investigation that followed, highlighting the importance of cooperation as it can lead to more favorable outcomes and potentially mitigate the severity of penalties imposed.

KEY QUOTES:

“DOJ is turning its focus and pulling back on FCPA enforcement.” – Michael Volkov

“The SAP resolution, which totals only $220 million, was far below the amount that a recidivist should have paid for its global bribery operations stretching into multiple countries.” – Michael Volkov

“The SEC’s approach demonstrates a more aggressive application of internal control enforcement.” – Michael Volkov

“If a company is going to craft these internal controls, the company has to enforce those controls or face serious enforcement risks.” – Michael Volkov

Resources:

Michael Volkov on LinkedIn | Twitter

The Volkov Law Group

Categories
Riskology

Riskology by Infortal Episode 18: Houthi Terrorism, The Red Sea and Global Shipping

When conflicts escalate around the world, supply chains are disrupted, and political power shifts, how can companies stay resilient and manage their risk? In this episode of the Riskology Podcast, Dr. Ian Oxnevad and Chris Mason explore the escalating conflict in the Red Sea and its implications for businesses operating in the region. With shipping routes severely impacted by attacks from the Houthi movement in Yemen, companies face significant disruptions and potential financial losses. Ian and Chris share their insights into how companies can navigate these risks, adapt their supply chains, and develop contingency plans to mitigate the impact of the Red Sea conflict.

Infortal Worldwide is a global risk management and investigation firm that specializes in helping businesses navigate complex risk landscapes. The company’s focus extends to various areas, including economics, politics, and geopolitical risk. By delving into these interconnected realms, Infortal Worldwide aims to provide clients with comprehensive insights that empower them to make informed decisions, especially in critical areas such as mergers and acquisitions, private equity investments, and other strategic moves.

You’ll hear Ian and Chris discuss:

  • The conflict in the Red Sea is severely impacting shipping and logistics operations. Attacks from the Houthi movement have led to disruptions in shipping routes, causing delays and increased costs for companies.
  • Companies have been forced to reroute their ships around Africa, which leads to significant delays and increased costs. This not only adds financial strain but also creates congestion in alternative ports, further impacting logistics and supply chain operations.
  • European countries are hesitant to get involved in a coalition to protect international shipping due to their vulnerability to oil flow disruptions and the need to utilize their military strategically, and this lack of coordination poses additional risks for companies relying on the Red Sea route.
  • The impact of the conflict in the Red Sea extends beyond the Middle East, potentially disrupting global supply chains and causing inflationary pressures on consumer prices. With 98% of maritime shipping between Asia and Europe passing through this route, any disruptions can lead to significant delays, increased costs, and shortages of goods. 
  • Companies, especially those heavily reliant on the Red Sea route, need to develop contingency plans and alternative routes to mitigate the risks and disruptions caused by the conflict. Assessing supply chains, identifying alternative transportation options, and establishing partnerships with reliable logistics providers are crucial steps to ensuring business continuity. 
  • Startups and new players are emerging in the logistics industry to address the challenges posed by the conflict, offering alternative overland routes and solutions. These innovative approaches demonstrate the potential for agile and adaptive solutions in times of crisis.
  • Companies must prioritize intelligence gathering, due diligence, and boots-on-the-ground experience to navigate the complex geopolitical landscape and identify reliable partners in affected regions. Understanding the political dynamics, assessing risks, and conducting thorough background checks on potential collaborators are essential for mitigating risks and ensuring compliance with regulations.
  • While the conflict in the Red Sea poses significant challenges, it also opens up opportunities for innovative companies to fill gaps in the market. By embracing dynamic assessment, diversifying supply chains, and exploring new partnerships, businesses can position themselves for success in a rapidly changing global landscape.

Key Quotes:

“To be frank… this is a disaster for shipping.” – Ian

“Every risk is an opportunity. Companies need to start thinking with that mindset.” – Ian

“[This] has really been a great illustration of how quickly supply chains can break down and how important it is to be prepared.” – Chris

“You’re going to need intelligence and boots on the ground, due diligence, and knowing who you do business with.” – Ian

Resources:

Infortal Worldwide

Email

Dr. Ian Oxnevad on LinkedIn

Chris Mason on LinkedIn

Categories
Daily Compliance News

Daily Compliance News: January 22, 2024 – The China in Trouble Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee and listen to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

In today’s edition of Daily Compliance News:

  • The fraud of belts and roads. (WSJ)
  • ICBC was fined $32MM by DFS. (WSJ)
  • Why was Brexit doomed to fail? (FT)
  • Learn to play office politics or be its victim. (FT)