
Compliance Tip of the Day – Board Questions and Metrics for 3rd Party Risk Management

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today, we consider what questions a Board of Directors should ask a CCO and the types of metrics they should ask for in their role of overseeing the compliance program.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.


Daily Compliance News: November 13, 2024 – The China Problem Edition

Welcome to the Daily Compliance News. Each day, Tom Fox, the Voice of Compliance, brings you compliance-related stories to start your day. Sit back, enjoy a cup of morning coffee, and listen in to the Daily Compliance News—all from the Compliance Podcast Network. Each day, we consider four stories from the business world: compliance, ethics, risk management, leadership, or general interest for the compliance professional.

  • How many companies have a ‘China Problem?’ (Bloomberg)
  • Sending your child to public school ≠ agreeing to arbitration. (Reuters)
  • How to deal with in-work sickness. (FT)
  • Goodbye to all that. (NYT)



Great Women in Compliance – Reflections and Resilience Through a Compliance Career with Karen Bertha

Welcome to the Great Women in Compliance podcast with Hemma Lomax and Lisa Fine, sponsored by Corporate Compliance Insights. In today’s episode, Lisa speaks with Karen Bertha, who has built world-class programs throughout her career, most recently at V2X. She has significant acquisition and post-acquisition due diligence expertise. After the V2X acquisition, she was at a crossroads and needed time to take stock and pause.

Karen reflects on her work with due diligence, including how and when compliance should be involved in it. They also discuss strategies for post-acquisition integration, even when compliance is brought in at a later stage. Karen has worked both in highly regulated industries, such as government contracting, and in less regulated ones. She shares her experiences and lessons learned.

Karen left V2X after the acquisition when she needed time for herself and other parts of her life. She talks about how the “power of the pause” has been helpful to her. She talks about reflecting on her work in the Ethics & Compliance profession and increasing her learning, specifically in compliance-adjacent fields like Human Resources and audit, with time to focus. She also shares what she has enjoyed during this time, which we at #GWIC hope can inspire those thinking about their next steps or between roles.

Join the Great Women in Compliance community on LinkedIn here.


Board Oversight of Third-Party Risk Management: Key Questions and Metrics for Effective Governance

The Telefónica Venezuela FCPA enforcement action reminds us that third-party risk management is one of the most critical components of a corporate compliance program. From suppliers and distributors to agents and joint venture partners, third parties can expose a company to significant compliance risks, including bribery, data security breaches, and regulatory violations. For a Board of Directors, effective oversight of third-party risk management is essential to fulfill its fiduciary duties and ensure that the organization mitigates these potential threats.

For boards, the responsibility involves more than just reviewing policies or compliance assessments. It requires a proactive approach, regularly engaging with the Chief Compliance Officer (CCO) and demanding specific information to confirm that third-party risks are effectively managed. Today, we will consider the key questions a board should ask and the key metrics it should track to make its oversight of third-party risk management effective.

Key Questions a Board Should Ask About Third-Party Risk Management

To provide effective oversight, board members should ask the CCO a series of targeted questions that illuminate the strengths and weaknesses of the organization’s third-party compliance efforts. These questions can guide discussions around key areas such as due diligence, monitoring, training, and incident response.

  • What is our Third-Party Risk Profile?

This foundational question helps the Board understand the scope of the organization’s third-party network and the inherent risks involved. The CCO should be able to explain how third-party risk is assessed, classified, and prioritized. This includes geographic, industry, and transactional risks that may be more prevalent in high-risk regions or industries such as defense, oil and gas, and healthcare.

  • What Due Diligence Processes are in Place?

The Board should ask about the specific due diligence processes for third parties. This includes initial onboarding assessments, background checks, and ongoing monitoring. Understanding the due diligence process, including who is responsible, the standards used, and whether enhanced due diligence is conducted for high-risk third parties, is critical for oversight.

  • How Do We Ensure Continuous Monitoring of Third Parties?

It is not enough to perform due diligence only once. Continuous monitoring is essential to detect changes in a third party’s risk profile. The Board should ask about the tools and technologies used for monitoring, the frequency of updates, and how compliance continuously evaluates third parties for new risks, such as changes in ownership, regulatory status, or financial stability.

  • How Do We Address Identified Risks?

A key component of third-party risk management is having procedures to address identified risks. The Board should inquire about the company’s approach to risk mitigation, including risk-adjusted measures for different risk levels. Are high-risk third parties subject to contract clauses or specific compliance obligations? Does the organization maintain a system to monitor the ongoing effectiveness of risk mitigation efforts?

  • What Training and Awareness Programs Do We Have in Place?

The Board should ask how compliance trains third parties on relevant laws, policies, and expectations, especially concerning anti-corruption, data protection, and ethics. Additionally, internal stakeholders involved in third-party management, such as procurement and finance, should receive specialized training to help them recognize red flags.

  • What is Our Process for Reporting and Escalating Third-Party Compliance Issues?

Knowing that issues will inevitably arise, the Board should ask how the organization reports and escalates third-party compliance concerns. Does the CCO have direct access to the Board in case of serious compliance violations? Is there a protocol for handling third-party incidents that could affect the company’s regulatory standing or reputation?

  • How Do We Measure the Effectiveness of Our Third-Party Risk Management?

The effectiveness of the third-party compliance program is a priority for the Board. Asking for metrics and other objective measures helps ensure that the program is well-designed and functioning as intended. The Board should proactively seek quantitative and qualitative evidence of effectiveness.

Key Metrics for Third-Party Risk Management Oversight

Metrics are invaluable for Board members seeking to monitor the compliance program’s health. The CCO should be able to provide regular updates on the following metrics, each offering insight into specific aspects of third-party risk management.

  • Number of Third Parties by Risk Category

This metric breaks down the organization’s third parties by risk level (e.g., low, medium, high). This provides the Board with a snapshot of the company’s risk exposure and helps them assess whether the program is appropriately resourced to manage the volume of high-risk third parties.

  • Percentage of Third Parties with Completed Due Diligence

Tracking this metric shows whether the company is adhering to its compliance policies. Ideally, 100% of third parties should undergo due diligence before onboarding, and any gaps here could signal significant compliance weaknesses.

  • Average Time to Complete Due Diligence

This metric reveals the efficiency of the due diligence process. Long turnaround times can delay critical partnerships and increase risk exposure, while excessively fast times may suggest that the due diligence is not sufficiently thorough. Boards should look for a balanced metric that reflects both efficiency and comprehensiveness.

  • Incidents of Non-Compliance Among Third Parties

The Board should be regularly informed of compliance incidents involving third parties. This metric could be broken down by type of violation (e.g., anti-bribery, data privacy, labor practices) and severity. Tracking these incidents over time helps the Board evaluate the program’s effectiveness and whether additional resources are needed.

  • Percentage of High-Risk Third Parties Monitored Regularly

Continuous monitoring is vital to effective risk management, particularly for high-risk third parties. This metric provides insight into how often high-risk third parties are reassessed, which can inform the Board about the level of vigilance being applied to higher-risk partners.

  • Training Completion Rates for Third Parties and Internal Teams

Effective third-party risk management requires third parties and the internal teams who work with them to understand the compliance risks and policies. This metric tracks how many third-party representatives and relevant employees have completed compliance training, an essential factor in reducing risk.

  • Average Time to Resolve Third-Party Compliance Issues

This metric measures the organization’s responsiveness to third-party compliance concerns. Quick resolution times may indicate an efficient and effective response system, while delays might suggest resource constraints or procedural bottlenecks. Boards should look for a metric that balances speed and thoroughness.

  • Costs of Third-Party Compliance Program

The Board should also monitor the financial investment in third-party compliance to assess if the program is adequately funded. This includes costs for due diligence, continuous monitoring, training, and compliance technology. Comparing these costs against third-party risk levels can help determine if the program is appropriately resourced.

Leveraging Metrics for Continuous Improvement

By tracking these metrics, Boards can confirm that third-party risks are being effectively managed and can drive continuous improvement in the compliance function. Over time, trends will emerge, highlighting areas where the program may need reinforcement. For instance:

  • Increasing compliance incidents among third parties could indicate a need for enhanced due diligence or more stringent onboarding criteria.
  • Declining training completion rates may suggest a lack of engagement from third parties, potentially due to ineffective communication or training methods that must be revisited.
  • Prolonged resolution times for compliance issues might signal the need for process optimization or additional staff in the compliance team.

The Board should encourage the CCO to use these insights to fine-tune the program and prioritize high-impact initiatives. Additionally, boards should expect the CCO to present both metrics and narrative insights, offering a holistic view of the third-party compliance landscape and how specific metrics relate to broader compliance goals.

Fostering a Culture of Accountability and Compliance

Board oversight of third-party risk management is no longer a mere checkbox—it’s a crucial part of protecting the organization’s reputation, ensuring regulatory compliance, and building a resilient corporate structure. By asking the right questions and tracking key metrics, Boards can proactively ensure that third-party risks are managed effectively.

An engaged Board that emphasizes the importance of third-party compliance sends a powerful message across the organization and beyond. When Boards hold the compliance function accountable and demand robust third-party oversight, they not only mitigate potential risks but also foster a culture of integrity and accountability that resonates with employees, partners, and stakeholders alike. This, in turn, strengthens the entire organization, building a foundation of trust and resilience that will serve it well in any compliance landscape.


Compliance Tip of the Day – CCOs Reporting to the Board


Today, we consider what a CCO needs to tell a Board of Directors.



Everything Compliance, Shout Outs and Rants – Episode 145, 8 Years Later

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In this episode, we discuss a potpourri of topics. Tom Fox is hosting Matt Kelly, Jonathan Armstrong, Karen Woody, Jonathan Marks, and Karen Moore.

  1. Jonathan Marks shouts out to his son Daniel’s football game and rants about the 76ers and their absent star, Joel Embiid.
  2. Karen Moore shouts out to the beauty in the world in times of ugliness.
  3. Matt Kelly shouts out to Congress about Gene Vindman and David Valadao’s elections in the face of Trump’s opposition.
  4. Karen Woody has her first ‘dirge’ in her shout-out and rant to all who have been or will be attacked by Trump and his supporters.
  5. Tom Fox shouts out the Indiana football team and their perfect record in 2024.
  6. Jonathan Armstrong shouts out to election ballot paper machine manufacturers for their remarkable turnaround from zero compliance in 2020 to 100% compliance in 2024, highlighting their hard work in turning a disaster into a triumph.

The members of Everything Compliance are:

The host, producer, and ranter (and sometime panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the award-winning Compliance Podcast Network.



Innovation in Compliance – Exploring Client-Side Security and PCI DSS Compliance with Rui Ribeiro

Innovation comes in many areas, and compliance professionals must be ready for and embrace it. Join Tom Fox, the Voice of Compliance, as he visits with top innovative minds, thinkers, and creators in the award-winning Innovation in Compliance podcast. Host Tom Fox takes a different tack in this episode by welcoming Rui Ribeiro, Co-Founder and CEO at Jscrambler, the podcast’s sponsor.

Rui discusses innovative measures in client-side security and PCI DSS compliance, his professional background, and the significance of the PCI DSS Version 4 update in enhancing client-side environments, mainly focusing on controlling third-party vendors to prevent unauthorized data access. The discussion outlines the strides taken in making transactions secure and offers insights into the broader implications of data privacy and compliance trends. Listeners will gain a comprehensive understanding of the intersection between technology and compliance in the context of data security alongside the evolving regulatory landscape.

Key highlights:

  • Exploring Client-Side Security and PCI DSS Compliance
  • The Importance of PCI DSS Version 4
  • Challenges and Solutions in Client-Side Security
  • Jscrambler’s Role and Customer Engagement
  • Future of Client-Side Security and Compliance

Resources:

  • Rui Ribeiro on LinkedIn
  • Jscrambler
  • Tom Fox: Instagram, Facebook, YouTube, Twitter, LinkedIn


Daily Compliance News: November 12, 2024 – The Science of Corruption Edition


  • What science reveals about corruption. (El Pais)
  • End of ESG and crypto initiatives at SEC. (WSJ)
  • FinCEN, corruption, and the real estate industry. (Reuters)
  • Would you trust Mattel to list your website? (NYT)



What Should a Chief Compliance Officer Report to the Board of Directors?

The Chief Compliance Officer (CCO) role is essential in building an organization that meets regulatory standards and upholds a robust ethical culture. But what should the CCO be reporting to the Board of Directors to ensure they understand the full scope of the company’s compliance landscape? This post will consider the essential elements of an effective Board report from the CCO. These elements will help foster transparency, trust, and accountability between the compliance function and the highest levels of corporate oversight.

  • Overview of Compliance Program Structure and Key Updates

An essential part of a CCO’s responsibility to the Board is to ensure they understand how the compliance function is structured and resourced. This includes an overview of the compliance team, its reporting lines, and any recent structural changes. The CCO should also emphasize that the compliance function has the independence, resources, and support to operate effectively.

For example, it is useful to discuss whether additional resources are needed—such as an increased budget, training for compliance staff, or investments in new technology to improve monitoring. Even more crucial is regularly informing the Board about fundamental personnel changes in the compliance team, including new hires or departures. This assures the Board that the compliance team is fully staffed and led by individuals with the experience and knowledge necessary to accomplish the organization’s compliance goals.

  • Risk Assessment and Emerging Compliance Risks

One of the CCO’s primary duties is to ensure that the Board is aware of the organization’s compliance risks. An annual or quarterly update on the status of these risks—mainly if there are high-priority or emerging risks—is critical. The CCO should discuss the results of any recent risk assessments, including:

  1. The top risks currently facing the organization.
  2. Risks associated with new business ventures or geographic expansion.
  3. Changes in geo-political or regulatory landscapes that may impact risk exposure.

For instance, if the company is expanding operations in a high-risk country for bribery or data privacy, this development should be highlighted, along with any steps the compliance team is taking to mitigate the risk. The goal here is not to overwhelm the Board with excessive detail but rather to provide a clear view of where the most significant vulnerabilities lie and what strategies are in place to address them.

The Board should leave these discussions understanding the nature and scope of the company’s compliance risks and the level of oversight being applied to manage those risks. This will reassure them that the company is not only aware of potential threats but is proactively addressing them.

  • Status of Key Compliance Initiatives and Program Enhancements

Board members must see that the compliance program is not static but a dynamic, continuously improving function. The CCO should regularly report on ongoing compliance initiatives and any recent improvements to the program. This can include initiatives such as:

  1. Enhancing third-party risk processes.
  2. Implementing new training programs.
  3. Developing better monitoring and auditing capabilities.

These initiatives should align with the company’s strategic goals, and the CCO can emphasize how compliance supports and reinforces these objectives. For example, if the company has adopted a new code of conduct or revised anti-corruption policies, the CCO should detail how these updates are being rolled out, communicated, and embedded into the organization’s culture.

Additionally, metrics that measure the success of these initiatives are invaluable. For example, sharing compliance training completion rates, results from employee feedback surveys on compliance topics, or the reduction of hotline reports in specific areas can help the Board understand the program’s impact and areas that may need further attention.

  • Compliance Investigations and Response to Issues

Transparency about compliance investigations and their outcomes is fundamental to the Board’s oversight responsibilities. The CCO should provide a high-level overview of significant compliance incidents, particularly those that pose a financial, operational, or reputational risk to the company. This discussion should include:

  1. The nature of the issue or alleged violation.
  2. The investigative steps taken.
  3. Any corrective actions or disciplinary measures implemented.

The CCO should also clearly explain how these issues were detected—whether through internal audits, whistleblower reports, or monitoring activities—demonstrating that the compliance function effectively catches and addresses problems early. It’s important to note that the Board does not need the names of individuals involved or granular details. Instead, they should receive summaries on patterns, issues encountered, and root causes.

Discussions on trends emerging from investigations—such as recurring issues in specific geographies or business units—can provide the Board with valuable insights into potential vulnerabilities. This information also equips the Board to ask strategic questions about how the company’s compliance efforts address these trends, thus bolstering their understanding and oversight of the compliance program.

  • Compliance Program Metrics and KPIs

Measurable data points—such as Key Performance Indicators (KPIs)—are crucial to effective board reporting. Metrics help the Board understand how well the compliance program is performing and identify areas for potential improvement. Examples of relevant compliance metrics include:

  1. Training effectiveness rates across the organization.
  2. Number of hotline calls and resolution time.
  3. Frequency and outcomes of internal audits.
  4. Employee survey results on compliance culture and awareness.

It is helpful to present these metrics in a clear, accessible format, perhaps in the form of dashboards or visual aids, so the Board can quickly grasp the current state of the compliance program. By monitoring trends in these metrics over time, the Board can see the program’s evolution and any areas where additional focus or resources may be needed.

  • Status of the Compliance Culture and “Tone from the Top”

Building a culture of compliance starts at the top, and the Board plays a critical role in establishing this tone. The CCO should regularly report on the company’s compliance culture, noting any shifts or improvements. This could include:

  1. Results from employee surveys on attitudes towards compliance.
  2. Observations from site visits or engagement with various departments.
  3. Feedback from middle management on employee engagement with compliance.

If the company’s compliance culture has gaps, this is the ideal time to discuss the steps to close them. The CCO can use this section of the report to highlight the role of senior leaders and managers in reinforcing compliance messages. For instance, showcasing how top executives have engaged in recent compliance campaigns or have visibly supported compliance initiatives demonstrates a commitment to ethical conduct and can serve as a model for others.

  • Resources and Budget: Ensuring Adequate Support

One of the most significant concerns the Board should be aware of is whether the compliance function is adequately resourced. The CCO should use this portion of the report to discuss additional needs, such as funding for new technology, more staff to support compliance efforts in high-risk regions, or enhanced training programs.

If budget constraints have affected the compliance program, this is also the time to discuss those challenges with the Board. Clear communication about resource needs can help the Board advocate for the compliance function, ensuring it has the tools to mitigate risks effectively. Adequate funding and resources were mandated in the 2024 Evaluation of Corporate Compliance Programs, and CCOs need to explain to the Board their responsibility to ensure this mandate is met.

  • Regulatory Updates and External Trends

Keeping the Board informed of the latest regulatory developments is also crucial. This includes new or evolving laws that could impact the business, industry trends in compliance, and enforcement actions against companies in similar sectors. For example, if a new data protection law has been enacted in a region where the company operates, the CCO should outline how the compliance team is preparing to address it.

This part of the report ensures the Board is aware of potential compliance-related challenges on the horizon and provides context for any new initiatives or policy updates the compliance team may propose in response to regulatory changes.

  • The CCO’s Essential Role in Equipping the Board

The relationship between the CCO and the Board is one of the cornerstones of an effective compliance program. By providing a comprehensive, transparent, and strategic report, the CCO empowers the Board to fulfill its oversight responsibilities, making informed decisions that support and enhance the company’s commitment to compliance and ethical conduct.

An effective board report is about more than compliance updates; it is an opportunity to reinforce the importance of compliance, highlight the program’s successes, and communicate any challenges that lie ahead. By keeping these eight core elements in mind, CCOs can ensure their reports inform and engage the Board, fostering a culture of accountability that permeates the entire organization.


All Things Investigations – Anna Hamati on Key Lessons from the TD Bank AML Enforcement Action

Welcome to the Hughes Hubbard Anti-Corruption & Internal Investigations Practice Group’s podcast, All Things Investigations. In this episode, Anna Hamati, a Hughes Hubbard & Reed LLP lawyer, joins host Tom Fox to discuss the historic anti-money laundering (AML) enforcement action involving TD Bank.

Anna outlines her professional background in compliance and offers a deep dive into the top five takeaways from the extensive consent order related to the TD Bank case. These takeaways highlight key compliance failures, including inadequate resource allocation, insufficient testing and auditing, a weak culture of compliance, poor training programs, and failures in filing accurate and timely CTRs and SARs. The discussion provides critical insights and practical advice for compliance professionals seeking to improve their AML programs.

Anna underscores the importance of allocating sufficient resources to compliance functions, conducting proper testing and auditing, fostering a strong compliance culture from the top, providing comprehensive training, and ensuring the timely and accurate filing of CTRs and SARs. She illustrates the real-world implications of these compliance failures through detailed examples and offers practical guidance for banks and financial institutions to avoid similar pitfalls. This episode is a must-listen for anyone involved in AML and regulatory compliance.

Key highlights:

  • Overview of the TD Bank Case
  • Importance of Adequate Resources
  • Testing and Auditing
  • Culture of Compliance
  • Training Programs
  • Filing Timely and Accurate Reports

Resources:

  • Hughes Hubbard & Reed LLP Website
  • Anna Hamati