Categories
Blog

The Importance of Tailored Policies for Compliance and Risk Management

In compliance and risk management, one size does not fit all. Generic policies and procedures may seem convenient but can lead to compliance risks and potential harm. This is why the Securities and Exchange Commission (SEC) stresses the need for well-designed, tailored policies and procedures in areas such as anti-money laundering (AML) and cybersecurity.

In a recent episode of “Compliance into the Weeds,” Tom Fox and Matt Kelly discussed in detail the importance of tailored policies for compliance and risk management. They discussed the case of Deutsche Bank, where the SEC imposed sanctions due to faulty policies. The bank had taken generic policies not specific to its mutual fund obligations and declared them its AML program. This cut-and-paste approach led to compliance risks and inconsistencies that caught the attention of regulators.

The case also serves as a reminder of the potential consequences of misleading marketing practices without proper procedures. The SEC sanctioned DWS $25 million for failures around ESG disclosures and a poor AML program. In both instances, faulty policies and procedures were identified as the root cause of the compliance failures.

The key takeaway from this case is that companies should conduct risk assessments and gap analyses to identify their specific needs and design appropriate policies. A good risk assessment is the foundation for crafting effective policies and procedures. It helps organizations understand their risks, evaluate their controls, and determine the necessary steps to mitigate them.

The impact on employees should be considered when designing policies and procedures. Simply copying and pasting language from regulations without considering the organization’s unique structure, technology, and transactions can lead to confusion and compliance risks. Employees need clear guidance on their duties and responsibilities; generic policies do not provide that clarity.

Compliance officers should create policies and procedures tailored to their organization’s needs and risks to avoid compliance risks and potential harm. This requires a thoughtful approach that considers the organization’s specific circumstances, resources, and capabilities. It also requires regular risk assessments, gap analyses, and monitoring of policy effectiveness.

How to do so? The 2020 FCPA Resource Guide, 2nd edition, provided guidance. It stated, “When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to ensure that the Code of Conduct remains current and effective and whether a company has periodically reviewed and updated its Code.” [emphasis supplied] Some of the questions you should consider are:

  • When was the last time your policies and procedures were released or revised?
  • Have there been changes to your company’s internal controls since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s policies and procedures?
  • Are any of the policies and procedures outdated?
  • What is the budget to create/revise your policies and procedures?

After considering these issues, you should benchmark your current policies and procedures against other companies in your industry. If you decide to move forward, I suggest a process that can be fully documented to include revisions to your compliance policies and procedures.

Get buy-in from the senior leadership of your company. Your company’s highest level must mandate revising compliance policies and procedures. The CEO, GC, CCO, or all three should demand this effort. Whoever gives the order should be consulted at every step of the revision process of the policies and procedures if it involves a change in the direction of key policies.

Establish a core policies and procedures revision committee. A cross-functional working group is ideal for advancing your effort to revise your compliance policies and procedures. This group should include representatives from the following departments: legal, compliance, communications, and HR; it should also include other functions that represent the company’s domestic and international business units. Finally, functions within the company such as finance and accounting, IT, marketing, and sales should be represented.

From this large group, the topics can be assigned for initial drafting to functions based on their relevance or necessity. These functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. You must establish a timetable for the revision process and hold representatives accountable for meeting their revisions.

Conduct a thorough technology assessment. The cornerstone of the revision process is how your company captures, collaborates on, and preserves all the comments, notes, edits, and decisions during the entire project. In addition to using technology to revise your compliance policies and procedures, you should determine if they will be available in hard copy, online, or both. There must be a distribution plan, particularly if the Code and compliance policies and procedures are only available in hard copy.

Determine translations and localizations. The 2020 FCPA Resource Guide clarified that your compliance policies and procedures must be translated into the local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures regardless of the language.

Develop a plan to communicate the revised policies and procedures. A rollout is always critical because the revised policies and procedures must be communicated in a way that encourages employees to review and use them on an ongoing basis. Your company should use the full range of available tools to publicize the revised compliance policies and procedures. This can include a multi-media approach or handing out a copy to all employees at a designated time. You might consider having a company-wide compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all things compliance, the three most important aspects are “Document, Document, and Document.” However you deliver the new or revised policies and procedures, you must document that each employee received them.

Stay on target and budget. Set realistic expectations so that you stay on deadline and within your budget. This is equally applicable to your policies and procedures revision. Also, remember to keep a close watch on your budget so you do not exceed it.

These points are a valuable guide to not only thinking through how to determine if your policies and procedures need updating but also practical steps on how to tackle the problem. You should begin the process now if it has been more than five years since the last updates. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are tradeoffs involved in balancing different factors when designing policies and procedures. Compliance officers need to consider the organization’s staffing, technology, review processes, and the need for human intervention in automated systems. Insufficient resources and inconsistent procedures can lead to compliance gaps and backlogs, increasing the organization’s exposure to compliance risks.

In conclusion, the importance of tailored policies for compliance and risk management cannot be overstated. Generic policies may seem like a quick fix, but they can lead to significant compliance risks and harm. Compliance officers should conduct risk assessments, identify specific needs, and design policies and procedures that address those needs. Employee understanding and guidance are crucial, and policies should be regularly assessed, monitored, and updated as necessary. By taking a tailored approach to compliance and risk management, organizations can minimize their exposure to compliance risks and protect themselves from potential harm.

Categories
31 Days to More Effective Compliance Programs

One Month to A More Effective Compliance Program Through Innovation: Day 14 – Creating an Inventory of Metrics

The 2023 ECCP not only continued to emphasize the importance of monitoring and testing the effectiveness of a compliance program, but it spoke more about a Chief Compliance Officer (CCO) and compliance function utilizing data to engage in continuous monitoring and continuous improvement. For some time, the DOJ has stressed the importance of leveraging data to have objective evidence around whether or not a compliance program is working effectively. Yet, as many CCOs are legally trained, they are still determining what specific areas to consider in establishing quantifiable metrics to monitor for effectiveness.

A methodical review of the 2023 ECCP to identify the different areas where a company could establish and quantify metrics to assess effectiveness is the place to start. Many companies have what Edwards called “metrics on the basics” and noted they “have in place processes whereby their employees review the Code of Conduct and confirm they comply with it either when they first onboard with the company and then periodically on an annual basis, companies are doing just fine at reporting.” But it is now the barest minimum of what compliance professionals must do. For instance, they could consider Quote To Cash (QTC) lifecycles or Procure To Pay (P2P). The key starts with a documented process that can be audited and built from there.


Three key takeaways:

  1. Create an inventory of compliance metrics.
  2. Create your metrics based on the 2023 ECCP.
  3. Use these metrics for continuous monitoring and improvement.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
Diabetes: The Metabolic Bully

Diabetes: The Metabolic Bully – Combining Diet and Exercise for Diabetes Prevention

Welcome to “Diabetes: The Metabolic Bully,” where we delve deep into the world of one of the most prevalent chronic conditions that lurks in our society. Diabetes doesn’t just knock on our doors; it bullies its way into our lives, altering our metabolism and dictating our daily routines. In each episode, we aim to unpack the science and myths surrounding diabetes. From understanding how our bodies succumb to this metabolic bully to the latest research and treatments, our podcast aims to provide listeners with comprehensive insights.

Dr. Byron Black is a seasoned clinical exercise physiologist, boasting a master’s degree in exercise physiology and over 600 clinical hours in various metabolic fields. Dr. Black firmly believes in the pivotal role of clinical exercise physiology in diabetes management, a perspective shaped by his extensive experience working with high-risk individuals with comorbidities. His passion for integrating exercise into diabetes treatment and prevention was ignited in 2004 upon meeting his first diabetic patient. Dr. Black emphasizes the importance of exercise in controlling blood sugar levels and preventing the rapid progression of diabetes, particularly among the mature population. He advocates incorporating exercise into everyone’s daily routine, underscoring its benefits in depleting glycogen or glucose in muscle cells and improving insulin sensitivity. Join Tom Fox and Dr. Byron Black as they delve deeper into this topic in the upcoming episode of the Diabetes: The Metabolic Bully podcast.

 Key Highlights:

  • Exercise Physiology for Diabetes Management
  • Exercise as a “Vacuum Cleaner” for Cells
  • The Impact of Exercise on Insulin Sensitivity

 Resources:

Medical Fitness Clinic of Kerrville

Categories
Great Women in Compliance

Great Women in Compliance – Lizette Arias – Speaking Out About Speaking Out

Welcome back to the Great Women in Compliance podcast. In today’s episode, Lisa talks with Lizette Arias, who went through this and is now thriving. Today, she is the Director of Ethics and Compliance at Conagra and was recognized as an Emerging Leader in this year’s Diversity MBA Top 100 Under 50.

Providing a safe environment for people to raise concerns is a priority for any Ethics & Compliance officer, but what happens when that person learns first-hand that the safe space does not exist?

Like many of us, she raised concerns about an individual’s expenses. However, her experience was one where she was stonewalled, told to stop investigating, and then suffered from retaliation. During all this, she stood up for what she believed was right, and the lessons she learned made her better understand what a whistleblower goes through. She talks about how she brings that insight and empathy into all her investigations.

Lizette hopes that her willingness to “speak out about speaking out” will inspire others to feel comfortable doing the same, and Lizette and Lisa (as well as Hemma, Sarah, and Ellen) all want to support anyone who has or is going through this and to connect you all.

The Great Women in Compliance Podcast is on the Compliance Podcast Network with other Compliance-related offerings. GWIC is also sponsored by Corporate Compliance Insights, where we have a page where you can hear every episode. If you enjoy this episode, please rate it and/or review it.

Corporate Compliance Insights is a much-appreciated sponsor and supporter of GWIC, including affiliate organization CCI Press, publishing the related book, “Sending the Elevator Back Down, What We’ve Learned from Great Women in Compliance” (CCI Press, 2020). If you enjoyed the book, the GWIC team would be very grateful if you would consider rating it on Goodreads and Amazon and leaving a short review.  Don’t forget to send the elevator back down by passing on your copy to someone who you think might enjoy reading it when you’re done, or if you can’t bear parting with your copy, consider it as a holiday or appreciation gift for someone in Compliance who deserves a treat.

You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it, and we welcome new subscribers to our podcast.

Join the Great Women in Compliance community on LinkedIn here.

Categories
Daily Compliance News

Daily Compliance News: October 18, 2023 – The Not Reckless Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News. All from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

Stories we are following in today’s edition:

  • Davos in the desert. (NYT)
  • Break up News Corp? (FT)
  • SBF lawyers say FTX investments ‘not reckless’. (Reuters)
  • HSBC blocks employees from texting. (Bloomberg)

Categories
Compliance Into the Weeds

Compliance into the Weeds: A Deep Dive into Policies and Procedures

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more fully. Are you looking for some hard-hitting insights on sanctions compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the recent enforcement action against Deutsche Bank for AML violations and greenwashing to consider best practices for policies and procedures.

In the complex business world, the importance of tailored policies for compliance and risk management cannot be overstated. Tom Fox and Matt Kelly bring their unique perspectives to this topic, emphasizing the need for well-designed, specific policies and procedures to mitigate compliance risks and potential harm.

Drawing from his experience, Fox believes that generic policies are insufficient and stresses the need for policies specific to a company’s needs, risks, and operations. On the other hand, Kelly criticizes copying and pasting policies from regulations without considering the organization’s unique characteristics and needs. He underscores the importance of conducting risk assessments and gap analyses to design effective policies. Join Tom Fox and Matt Kelly as they delve deeper into this topic on this episode of the Compliance into the Weeds podcast.

 Key Highlights:

  • The Importance of Tailored Policies and Procedures
  • Risks and Consequences of Generic Policies
  • Tailoring Policies and Procedures for Compliance
  • Ongoing Monitoring of Policies and Procedures

Resources:

Matt in Radical Compliance

Tom 

Threads

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
The Hill Country Podcast

Hill Country Podcast – Kristy Vandenberg – Pints, Pumpkins and Pies for Polio

Welcome to the award-winning Hill Country Podcast. The Texas Hill Country is one of the most beautiful places on earth. In this podcast, Hill Country resident Tom Fox visits with the people and organizations that make this the most unique area of Texas. Join Tom as he explores the people, places, and activities of the Texas Hill Country. Kristy Vandenberg, the organizer of the Kerrville Rotary Club’s upcoming fundraiser, Pints, Pumpkins, and Pies for Polio, joins me in this episode.

Kristy Vandenberg, originally from Holland, Michigan, is a devoted member of the Rotary Club with a solid commitment to community service. She has a particular perspective on the Rotary Club’s fundraising event for polio eradication, viewing it as a crucial cause that requires attention. Kristy notes that while many in the United States may not consider polio a pressing issue, the Rotary has been actively working to eradicate the disease since 1985. She emphasizes raising funds for vaccinations, particularly for children under six who are most susceptible to the disease. Kristy takes pride in her club’s efforts, including the upcoming Pints Pumpkins and Pies fundraising event, and firmly believes in the Rotary’s potential to impact the fight against polio significantly. Join Tom Fox and Kristy Vandenberg on this episode of the Hill Country Podcast to learn more about this important cause.

 Key Highlights:

  • Polio Eradication Fundraiser with Pies and Pints
  • Rotary Club’s Global Vaccination Campaign
  • Rotary’s Impactful Membership and Diverse Projects
  • Kerrville Rotary Club’s Impactful Community Initiatives

 Resources:

Rotary Club of Kerrville

Pints, Pumpkins, and Pies for Polio

Categories
FCPA Compliance Report

FCPA Compliance Report – Albemarle FCPA Enforcement Action – Holdbacks

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Today, we begin a short podcast series on the Albemarle FCPA enforcement action. Today, Kristy Grant-Hart reviews the holdbacks on the internal control failures and other areas identified in the SEC enforcement action.

In this episode of the FCPA Compliance Report podcast, we delve into clawbacks and consequence management in compliance programs, particularly in relation to the Foreign Corrupt Practices Act (FCPA). Our host, Tom Fox, brings a unique perspective, expressing disappointment over the lack of clawbacks in a recent case but emphasizing the importance of consequence management, such as withholding bonuses from employees involved in misconduct. Fox’s insights are shaped by his extensive experience in the field, and he underscores the need for businesses to shift their models in response to investigations and compliance violations. He also highlights the significance of a proactive approach to addressing compliance issues and the need for a significant change in the business model. Join Tom Fox as he navigates the complex world of compliance in this enlightening FCPA Compliance Report podcast episode.

 Key Highlights:

  • The Significance of Consequence Management in FCPA Investigations
  • The Significance of Shifting Business Models
  • Holdbacks going forward

Resources

Tom Fox blog post series on the Albemarle FCPA Enforcement Action.

Categories
Blog

DAG Monaco on Cooperation and Compliance Incentives for M&A

Early in October at the 2023 SCCE Compliance and Ethics Institute, Deputy Attorney General Lisa Monaco delivered a long-anticipated speech expanding and formalizing the Department of Justice’s (DOJ’s) new Safe Harbor for mergers and acquisitions in the Foreign Corrupt Practices Act (FCPA) context. The latest M&A Safe Harbor expanded on an old and frankly cumbersome Opinion Release from 2008 and some old FCPA enforcement actions from the last decade to create a clear, concise, and most welcome announcement.

The Halliburton Opinion Release (08-02) gave some very tight deadlines for engaging in due diligence post-acquisition and reporting to the DOJ. The deadlines were 90 days to identify and report high-risk agents, 120 days to identify and report medium-risk agents, and 180 days to identify and report low-risk agents. For those scoring at home, that is three, six, and nine months, which for most corporations is the blink of an eye.

Moreover, while the 2012 FCPA Resource Guide did provide some guidance on what may constitute a safe harbor, the word “may” was a sticking point for corporate management when deciding whether and how to proceed with a potential merger or acquisition. There is a big difference between a theoretical outcome and one that is concrete and presumptively available. Finally, a series of FCPA enforcement actions involved mergers and acquisitions. It was unclear when remediation of any issues must be completed, from 18 months to “as soon as is practicable.”

This new DOJ policy is aimed at encouraging cooperation and compliance in the corporate world, particularly during acquisitions. This policy allows companies to avoid charges for compliance violations discovered during the acquisition process as long as specific deadlines are met. Compliance officers are crucial in this process, conducting due diligence before and after the acquisition.

Monaco stated, “We are announcing a Department-wide Safe Harbor Policy for voluntary self-disclosures in the mergers and acquisition process context. In the future, acquiring companies that promptly and voluntarily disclose criminal misconduct within the Safe Harbor period, cooperate with the ensuing investigation, and engage in requisite, timely, and appropriate remediation, restitution, and disgorgement will receive the presumption of declination.”

Under this new policy, acquiring companies will not be held accountable for aggravating factors at the acquisition target. This means that the acquiring company will not be responsible if there are compliance issues at the target company. However, there are concerns about how this policy will be executed and its potential impact on different enforcement actions.

A key element is the clear and concise timelines articulated by DAG Monaco. She stated, “To ensure consistency, I am instructing this Safe Harbor policy to be applied Department-wide. Each part of the Department will tailor its application of this policy to fit its specific enforcement regime and consider how it will be implemented.

“To ensure predictability, we are setting clear timelines. As a baseline matter, to qualify for the Safe Harbor, companies must disclose misconduct discovered at the acquired entity within six months from the date of closing. That applies whether the misconduct was found pre- or post-acquisition.”

After that, “Companies will have a baseline of one year from the closing date to fully remediate the misconduct. These baselines are subject to a reasonableness analysis because we recognize deals differ and not every transaction is the same. So, depending on the specific facts, circumstances, and complexity of a particular transaction, Department prosecutors could extend those deadlines.”

One essential tradeoff in this policy is the balance between encouraging cooperation and holding companies accountable for their actions. On one hand, the policy incentivizes companies to disclose compliance violations and cooperate with the Justice Department voluntarily. This can lead to more effective enforcement and greater transparency in the corporate world. On the other hand, there is a risk that some companies may take advantage of this policy and try to cover up compliance violations.

Compliance officers also face challenges in this new policy. If they are not involved in pre-acquisition due diligence, it could be a red flag for their career security. There is a concern that unscrupulous management teams may try to close a deal without proper due diligence and then blame the compliance officer if issues arise later on. Compliance officers must proactively ensure their involvement in the acquisition process to protect themselves and their companies.

The enforcement of this policy, particularly in antitrust cases, is also a subject of curiosity and anticipation. It is unclear how the policy will apply to corporate misconduct beyond bribery and corruption or anti-competitive actions. There are questions about whether the default position of the DOJ antitrust division will be a declination or if they will still bring charges against companies involved in antitrust violations.

While this new policy is a step forward for compliance, there are still concerns about its effectiveness and potential abuse. The Justice Department is trying to balance providing incentives for cooperation and holding companies accountable for their actions. However, there is a need for further clarity and guidance on how this policy will be executed in practice.

Overall, the new policy on corporate compliance during acquisitions is an essential development in the corporate world. It highlights the importance of considering compliance issues when making decisions about acquisitions and encourages companies to take proactive steps to address compliance violations. Compliance officers play a crucial role in this process and must be vigilant in ensuring their involvement to protect themselves and their companies. The execution of this policy and its impact on different enforcement actions will be closely watched in the coming months.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 13 – Consistency as a Compliance Best Practice

The 2023 ECCP emphasized the need for the corporate compliance function to ensure consistency and fairness in monitoring investigations and the resulting discipline. One of the ways the 2020 Update emphasized this was through tracking the investigations and the discipline that may come out of any investigation. The challenge for companies is that the facts and circumstances are different in every investigation. This sometimes makes consistency difficult, but if a company treats employees of one country differently in terms of discipline, it creates potential gaps in a compliance program. This can give certain countries a feeling that they can do what they want without the risk of punishment from corporate headquarters. This is why the DOJ re-emphasized monitoring the investigations and ensuring consistent application of discipline as a critical factor in providing an effective compliance program.

The FCPA Resource Guide, 2nd edition, added a new hallmark to the previously titled 10 Hallmarks of an Effective Compliance Program (now it is simply the Hallmarks). The Hallmark added was one that has been around for some time: Root Cause Analysis (RCA). It is familiar because it was subtly considered in the original FCPA Resource Guide and explicitly discussed since at least the original formulation of the Evaluation of Corporate Compliance Programs in February 2017.

The focus on consistency is insightful and instructive as a key element of a best practices compliance program. Consistency forms the basis of both institutional justice and institutional fairness. That, in turn, facilitates a speak-up culture, which is the role of the compliance department to foster.

Three key takeaways:

  1. Consistency is a key part of any compliance program.
  2. Consistency forms the basis of both institutional justice and institutional fairness.
  3. Consistency facilitates a speak-up culture.

For more information, check out The Compliance Handbook, 4th edition, here.