We began with a consideration of the definition of third-party. Gellert related, “Historically, people talked about simply an entity outside of your organization as a third party. However, that definition is broadening, to mean really that entity with which your company works.” Obviously, this can be a supplier or vendor, it can be a service provider, a customer, a joint-venture (JV) partner and/or an intercompany affiliate. A broader view could include intercompany affiliates as third parties, even though many people would see them as just being another entity inside of a business. Gellert said, “the definition of third parties is expanding, which only makes life more complicated for anyone trying to do third party risk assessments and then the tiering just creates an exponential change.”
Specifically, “in supply chain, a tier one supplier is one of the suppliers your organization is directly purchasing from. Next a tier two is one that your company’s tier one is buying directly from. This means for risk managers assessing the various risks of their supply chain have to go deeper and deeper. One way to do so is through trying to understand the connection between tiers one, two, three, four and so on. The problem is there are many risks that companies do not manage because they cannot identify which companies are taking risks.” Gellert further noted, “one of the hottest topics in 2019 for a supply chain and risk managers is trying to get their arms around how to handle this particular question.”
I asked Gellert how he would suggest a supply chain professional begin to think through some of these issues in the context of a global supply chain. He began by stating, “anyone who is involved in third party or supply chain risk management needs to try to map out and understand the suppliers whose exposure they need to assess for their organization. Obviously, this includes both direct and indirect suppliers but in terms of the tiering, the best way for anyone to understand the supply chain risk is to have really good communication with their tier one suppliers to be able to discuss the risks to both businesses.”
Moreover, “this means communicating with a tier one supplier about who their tier ones are that are providing product or service that are coming to that client. Only with that type of transparency and communication can businesses look through the tier one into the sub tiers to understand the risk your organization has and where there may be a risk concentration. Without effective communication and dialogue, created and fostered as part of the relationship, people are going to fly blind.” Finally, in this global economy with such internationalization and diversification of supply chains, organizations “really do need to pull out all the stops to try to manage risk. Communication is one of the first places to start.”
Gellert concluded with some thoughts on transparency, which he believes is not only important but “should be applied everywhere.” He said you should begin with your tier ones but the ability “to look deeper into the supply chain is also really important.” Further, Gellert said, “a lot of supply chain risk professionals can go wrong if they use transparency as a bludgeon as opposed to as an opportunity. Then the company they are asking for information from only sees risks in disclosing information as opposed to seeing commercial value and we promote transparency as a means to commercial value.” But it is more about fostering the relationship so that you can adequately assess and then manage the risk. Gellert noted, “that’s the key part, that people have to embrace if they’re going to be able to look deeper into their supply chains.”
Please join us tomorrow when we consider some of the challenges Gellert is seeing in supply chain risk management for 2019 and going forward.
This podcast series is sponsored by Rapid Ratings International, Inc. For more information, check out their website at www.rapidratings.com.
Author: admin
Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly (the coolest guy in compliance) and I take a deep dive into the resignation of now-former Wells Fargo CEO Tim Sloan. We use his departure as a starting point to discuss some of the issues which continue to bedevil the organization some three years after the original fraudulent accounts scandal broke.
Some of the highlights include:
- Another tough Congressional hearing, another Wells Fargo CEO resigns.
- Why can’t Wells Fargo turn around its culture?
- Should an outsider (i.e., a non-long-term Wells Fargo employee) be brought in to right the ship?
- What is the difference in high-performing and high-pressure organizations?
- Why does Wells Fargo continue to resist whistleblower retaliation claims?
- Does Wells Fargo treat its customers as it treats its employees?
- What draconian sanctions are the OCC and Fed considering?
- What can Wells Fargo do to actually change its culture?
If you are in Houston on Friday, please plan to attend the South Texas College of Law 2019 Symposium on Compliance in international Corporate Legal Practices – Legal Development and the Talent Needs of the Future. Information and registration details available here.
Compliance and healthcare
Healthcare is a highly regulated industry that essentially boils down to having a comprehensive quality management system. Tests that detect things such as cancer, or HPV, or the Zika Virus need to work and deliver consistent and accurate results.
So there is no need to explain why compliance is important. The whole company gets it. These are test results that people rely on — it could be you, a parent, a sibling, or a grandparent, waiting to ensure that the test result they get is right. So the people working on this hold themselves to a higher standard and are making sure they cross all the t’s and dot all the i’s because it’s important. There’s a patient — a real person — on the other end of it.
Global values
Having products that need to be delivered all over the world means having to deal with wildly inconsistent regulations, and that’s where Roche values, leadership commitments, and cultural beliefs come into play. Much of their growth also comes from acquisitions, which means the merging of very different workplace cultures. But at the end of the day, everybody is in the healthcare space, and people understand that it’s about doing the right thing.
Diversity of women in compliance
Thirteen out of the fourteen people in Virginia’s team are women, and they have a diverse background of life experiences and skill sets, represent almost every race on the spectrum, speak different languages, married, divorced, single parents, single with no kids, some people with disabilities, and with ages ranging from their 20s to their 60s. Sometimes we think about diversity in pretty narrow terms, but it’s this diversity that brings richness and perspectives into the mix.
Virginia believes that the reason women are more prevalent in the field is because it’s new — there’s no need to start by breaking the glass ceiling, which is empowering.
The future of compliance
Compliance is only becoming more institutionalized. Her advice is to go to the conferences and begin to network. Start thinking about how you can write, speak, present, and share ideas. The best things this community has come up with have come from collaborating with people who share different perspectives and can take our ideas one step further.
In terms of looking forward, social media is changing the compliance landscape, and very rapidly! When a case has media coverage, you don’t have three weeks to prepare a press release. You have five minutes, if that. People are asking for opinions minutes after new laws are released. It’s going to affect our data, information, governance, and privacy.
Resources
Virginia MacSuibhne
APRIL 3, 2019 BY TOM FOX
In today’s edition of Daily Compliance News:
- Trial of ex-Malaysian PM Najib Razak to begin. (The Guardian)
- Shocked, just shocked to find out drug company pushed opioids. (NPR)
- Former Colombia official convicted of bribing government officials on behalf of Odebrecht. (Colombia Reports)
- UK’s Financial Reporting Council will examine KPMG. (Wall Street Journal)
Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the Compliance Podcast Network to explore these issues. In today’s episode A Video Isn’t a Video – we discuss some of the creative approaches to Ethics & Compliance training and communication videos. We break down some of the different types of videos and the benefits of each creative technique.
Scenario-Based Videos, Narrative (Live Action)
These are the most common and are great for showing real life situations. They can show a slice of life. However, it may be hard to represent your whole company, i.e. hard to show diversity of different environments, different people. Also, they can require context – you may well need to add the lesson. They are the most expensive and the hardest to pull off well and the hardest to successfully enact.
Animation – Scenario-based
They tend to be less real and unfortunately can be cheesy. However, they can be better for diversity and environment. They are usually the same per video, but you can do them one at a time.
Character Monologues (falls in the “real” category)
They are a great way to show real people. They are also great for showing different types of personalities or different job functions. There is more telling than showing. Finally, they are less expensive and easier to produce.
Talking Head Videos
These are great for making a personal connection and for highlighting real people. They are best if you add some creativity usually by having an engaging host/personality. Make it a dialogue such as an interview or talk show. You have to work as this format can be boring.
Involve Your Employee Videos
This format is the best for going viral and for showing “who we are”. At times scenes can be hard to do well and there is the risk of employee embarrassment. The best results tend to be seen when you give employees something simple to do and let them be themselves. Once again it is best if you add an engaging host/personality to lead interviews. Finally, this format can be an efficient way to generate a lot of content.
Storytelling Videos
This can be a great way to share interesting, real stories. It tends to be more telling than showing. It can easily involve real people or actors and can cover more nuance to share lots of context.
The bottom line is that a video isn’t a video. There are different creative devices that are better for different things. Typical Ethics & Compliance training doesn’t work, because it’s preachy and boring. Education = training and communication, and the two serve different purposes.
Ronnie Feldman
Ronnie Feldman (LinkedIn)
Learnings & Entertainments (LinkedIn)
Ronnie Feldman (Twitter)
Learnings & Entertainments (Website)
60-Second Communication & Awareness Shorts – A variety of short, customizable, quick-hitter “commercials” including songs & jingles, video shorts, newsletter graphics & Gifs, and more. Promote integrity, compliance, the Code, the helpline and the E&C team as helpful advisors and coaches.
Workplace Tonight Show! Micro-learning – a library of 1-10-minute trainings and communications wrapped in the style of a late-night variety show, that explains corporate risk topics and why employees should care.
Custom Live & Digital Programing – We’ll develop programming that fits your culture and balances the seriousness of the subject matter with a more engaging delivery.
Gellert began by relating that the word “criticality” is used quite a bit in supply chain and broadly on third-party risk. He defined it, “as a means of defining for a company which suppliers are most important.” Yet he also noted it can be defined in different ways at different times. Historically, criticality was more about how much money was spent with suppliers. In practice, this meant the top spend suppliers would be the ones that were most critical. Conversely, suppliers where you were spending a small amount of money were seen as less important. However, Gellert cautioned that while such an approach is still an important part of defining risk management programs “it’s not the end of the story.”
He explained, “Criticality now really stretches out into a whole bunch of other topics, such as which third-parties, irrespective of how much money you spend with them, have the ability to disrupt your business if they are not performing for one reason or another.” Put another way, “Do they have the ability to sidetrack your business? Does it cause you a disruption that not only has a revenue impact on your organization, but may have a reputational impact on you? What about companies that may have access to your internal IT infrastructure and therefore pose security risks? They may not be a big spend, but they may have the ability to cause a cyber problem for you.” This means that cyber risk is one of the newest and most important risks that companies are focused on. Obviously, this means if a company uses, tracks and maintains private information of its customers or others, any supplier that has access to that information has another set of critical elements to it.
Subsequently, when organizations are trying to evaluate criticality of suppliers, they may segment them in different ways and create different cohorts of suppliers. For instance, you may want to start with those who can create the most business interruption, those that can create the most reputational risk and impact and those that can disrupt revenue and cost the most amount of money. Gellert related, “all of those are elements of credit, quality, and innovation are really just about the movement of product services. Data analytics and business process that allows companies to manage all of those suppliers and all of those risks in a more cohesive way.”
All of this means that supply chain risk is really an enterprise-wide risk. It includes, “the sourcing, identifying what companies to work with, perhaps many possible ones and then narrowing it down to the one you want to work with and move forward with the due diligence. The next step is ongoing, continuous monitoring to ascertain that the suppliers can grow with the business. It is important that with the ups and downs of business cycles it can withstand the shock, coupled with the flexibility an organization needs to make the investments; that the supply chain partner continues to be a good business partner. All of those are really important as companies align with the best possible partners.” It is valuable for the compliance professional to know that risk management is part of a long, continuous process over the lifecycle of working with a company. Gellert stated, “It’s not just about doing something that’s a part of an onboarding process for really, there’s a lot more longevity and value that can be created when looking at suppliers and applying supply chain risk management best practices.”
One of the innovations which RapidRatings has brought is through its Financial Health Rating (FHR). The FHR allows an organization “to look deeply inside a company and compare it against years of public and private company data. And in order to generate an FHR, RapidRatings obtains the financial statements from private companies and we use the filing data from public companies.” It is a review of more than simply a company’s financial statement but a more comprehensive look at overall financial health correlated to lots of other risks that are valuable for people to understand.
One of the key reasons for the innovation of this approach is that, in the past, companies have tended to use payments scores and payment data from companies to understand whether they are good risks or bad. However, this is a “pretty antiquated way now of understanding the health of a company. It is the first opportunity to be able to give people comprehensive coverage of really all of the suppliers that they work with or customers that they work with in a very quick, fast and very precise way.” The FHR helps to make the risk management process more efficient in a workflow process. It does so at scale for companies around the world, in a very analytical way. This adds tremendous value to the entire process.
Please join us tomorrow when we consider the issue of third-party expansion in supply chain risk management.
In this episode I visit with Amy Edmondson about her upcoming keynote speech at IMPACT2019, entitled “The Fearless Organization: Creating Psychological Safety for Learning, Innovation, and Growth”. Some of the highlights from the podcast include:
- Beginning in the 1990s, Edmondson began researching how organizations are made better by creating safe spaces for employees to speak up.
- Why listening is the key trait for every leader.
- Your organization can have stretch goals but you must have open ears.
- How failure to listen to employees who speak up can cause business losses.
- Information on why you should attend ECI’s IMPACT2019.
Resources:
Amy Edmondson LinkedIn profile
Registration and Information on IMPACT2019 here.
APRIL 2, 2019 BY TOM FOX
In today’s edition of Daily Compliance News:
- Is it illegal to do business with corrupt governments? (New York Times)
- Does PG&E really want a judge running its business? (Hint-no). (Wall Street Journal)
- Mark Zuckerberg asks for more regulation. (Wall Street Journal)
- Anti-Corruption lawyer elected PM of Slovakia? (Financial Times)
Too many suppliers can certainly be inefficient. This means that many companies are trying to trim down the numbers of third-parties with which they are working. This could be through adjusting time or implementing lean types of philosophies around supply chain. This makes each third-party partner more important and criticality is something that can be measured in lots of different ways. Gellert said it raised such questions as: “How much money you spend on a company? How much access will your third parties have to company information? How much access will they have to your IT systems? All of these things have led to the evolution of a much more complex supply chain that people have to manage and they contain more risks.”
I asked Gellert how managing the risk in the supply chain is different than managing on the sales side. He began by noting that there is “definitely overlap when looking at third parties.” Yet the more sophisticated method is a “360 degree” approach, which means looking at all aspects of the relationship. In the anti-corruption world, the focus has typically been on the sales side. But it can also “mean suppliers all the way through to customers and intercompany affiliates and so forth.” Another approach from the compliance perspective has focused on knowing your customer (KYC). Gellert stated, “Customer risk is inherently more transactional than supply chain risk, in part because of who’s buying and who’s selling. When you are selling to someone, you are evaluating their ability to pay you. In this situation an organization needs to make sure that the company is one you want to do business with, that’s going to be able to pay you on time and in the terms that determined are economical for you.”
However, “when you are looking at suppliers, you’re buying from them, whether it’s a supplier of a product or a vendor of a service. You may have a five-year product cycle, a 10-year product cycle. If the suppliers your company is embedding into that portion of your business are not strong for the long-term or are not resilient, then you have problems that you are baking into the ecosystem of companies with which you are working.” Gellert concluded, “I think probably the biggest difference in customer evaluation and supply chain evaluations, you need to be able to understand the risks of those companies over the long haul as well as the short-term risks. So, you can avoid the short-term problems that could arise from a weak supplier.” It also means that you are “baking in the most resilient and strong long-term partners to work with, as you possibly can, into your organization.”
One of the frustrations for compliance professionals is that they do not know how far down the third party or supply chain they should go to either evaluate or manage the risk. They may understand who to go to for a direct counter-party, whether that is their immediate counter-party, their first party supplier or their first party sales agent, and they may certainly understand managing that risk. I asked Gellert how much farther down the chain a compliance practitioner should begin to look at that issue. He said it can be quite complicated but that is where a technological solution can help.
He began by stating, “it’s not just first tier, second tier, third tier supplier in your supply chain may affect you.” One of the reasons it is so difficult for the compliance professional is there are so many areas you must consider. Gellert said these can include, “fraud detection, anti-money laundering, anti-corruption considerations and making sure that no one appears in a sanctions list. All of these things get more difficult exponentially as you go deeper into a supply chain and the people on supply chain risks sides who have been looking at delivery risk and logistics and other operational aspects including finance and newer elements like cybersecurity. It gets really hard when you’ve got to go to your supplier’s supplier.”
The bottom line is that there is not a really good answer for this except that collaboration between a company and its first-tier supplier is really essential to understand what the second and third tier supplier risks will be. Unfortunately, “many times organizations do not even know who their second tier supplier is for particular good or product or service because the tier one supplier has been delivering fine and there has been no need to find out how or where that tier one is getting the parts that they are bringing in.” Gellert concluded by noting, this “is changing but needs to change more. It really does start with collaboration and an understanding between the company and its tier one suppliers that understanding the risk deeper than that is going to be important and beneficial to everybody involved in that chain.”
Please join us tomorrow when we consider the issue of criticality in supply chain risk management.
In this episode I visit with David Childers, the Senior Vice President at Ethics & Compliance Initiative (ECI). We discuss ECI’s High-Quality Ethics & Compliance Program (HQP) Self-Assessment Tool.
Some of the highlights from the podcast include:
What are the 5 Principles of a HQP? They include: Strategy, Risk Management, Culture, Speaking Up and Accountability.
What are the 5 operational areas of an E&C program? They include:
- E&C is central to business strategy
- E&C risks are identified, owned, managed and mitigated
- Leaders at all levels across the organization build and sustain a culture of integrity
- The organization encourages, protects and values the reporting of concerns and suspected wrongdoing
- The organization takes action and holds itself accountable when wrongdoing occurs
What is the design of the Self-Assessment tool? While the methodology is fairly complex, for the participant it is only 107 multiple choice questions and it takes less than 30 minutes to complete.
What is it designed to measure? The HQP Assessment measures program maturity based on a combination of questions regarding 27 operating components and more than 100 program practices.
What are the four categories of reporting information for each principle? They include: (1) What to measure/review; (2) Questions to consider; (3) Potential sources of information and (4) Leading practices illustrative of HQPs.
What is the five-point scale for program maturity? Program maturity is based on five levels, which are represented on a 0-100 scale.
- UNDERDEVELOPED
- DEFINING
- ADAPTING
- MANAGING
- OPTIMIZING
The HQP Assessment tool is a measure of where an organization believes their E&C program operates based on the five principles. The assessment can be used in several ways. We have organizations that are looking for program improvement. The assessment can be a baseline for measured improvement. It can also be a qualification. As we said this isn’t about a score. In some industries, being at the managing level of maturity may be sufficient for their risk. Most of all it is a great way to create dialog and discussion with your leadership using a definitive measure of your program.
How will ECI use this information going forward? We are already seeing important trends and insights from the data. We will introduce many of these findings at our Annual Conference in Dallas, and we are developing working groups within our membership to explore some of the findings to refine best practices and guidelines for program improvement.
For more information on the ECI Self-Assessment Tool, go to www.ethics.org