Categories
Innovation in Compliance

Innovation in Compliance-Part 2: Criticality and Extending the Reach of Compliance

In this special five-part podcast series on innovation in managing third party risk, I am joined by James H. Gellert, the Chairman and Chief Executive Officer (CEO) of Rapid Ratings International Inc. (RapidRatings), the sponsor of this special series. Our conversation focuses on helping companies manage their third-party supply chains through financial health. The RapidRatings approach is incredibly innovative, with a series of products and services that should be considered by the compliance practitioner. In Episode 2, we discuss the issue of criticality in supply chain and how to assess and manage that risk to extend the reach of compliance.

Gellert began by relating that the word “criticality” is used quite a bit in supply chain and broadly on third-party risk. He defined it, “as a means of defining for a company which suppliers are most important.” Yet he also noted it can be defined in different ways at different times. Historically, criticality was more about how much money was spent with suppliers. In practice, this meant the top spend suppliers would be the ones that were most critical. Conversely, suppliers where you were spending a small amount of money were seen as less important. However, Gellert cautioned that while such an approach is still an important part of defining risk management programs “it’s not the end of the story.”
He explained, “Criticality now really stretches out into a whole bunch of other topics, such as which third-parties, irrespective of how much money you spend with them, have the ability to disrupt your business if they are not performing for one reason or another.” Put another way, “Do they have the ability to sidetrack your business? Does it cause you a disruption that not only has a revenue impact on your organization, but may have a reputational impact on you? What about companies that may have access to your internal IT infrastructure and therefore pose security risks? They may not be a big spend, but they may have the ability to cause a cyber problem for you.” This means that cyber risk is one of the newest and most important risks that companies are focused on. Obviously, this means if a company uses, tracks and maintains private information of its customers or others, any supplier that has access to that information has another set of critical elements to it.
Subsequently, when organizations are trying to evaluate criticality of suppliers, they may segment them in different ways and create different cohorts of suppliers. For instance, you may want to start with those who can create the most business interruption, those that can create the most reputational risk and impact and those that can disrupt revenue and cost the most amount of money. Gellert related, “all of those are elements of credit, quality, and innovation are really just about the movement of product services. Data analytics and business process that allows companies to manage all of those suppliers and all of those risks in a more cohesive way.”
All of this means that supply chain risk is really about an enterprise-wide risk. It includes, “the sourcing, identifying what companies to work with, perhaps many possible ones and then narrowing it down to the one you want to work with and move forward with the due diligence. The next step is ongoing, continuous monitoring to ascertain that the suppliers that can grow with the business. It is important that with the ups and downs of business cycles it can withstand the shock, coupled with the flexibility an organization needs to make the investments; that the supply chain partner continues to be a good business partner. All of those are really important as companies align with the best possible partners.” It is valuable for the compliance professional to know that risk management is part of a long, continuous process over the lifecycle of working with a company. Gellert stated, “It’s not just about doing something that’s a part of an onboarding process for really, there’s a lot more longevity and value that can be created when looking at suppliers and applying supply chain risk management best practices.”
One of the innovations which RapidRatings has brought is through its Financial Health Rating (FHR). The FHR allows an organization “to look deeply inside a company and compare it against years of public and private company data. And in order to generate an FHR, RapidRatings obtains the financial statements from private companies and we use the filing data from public companies.” It is a review of more than simply a company’s financial statement but a more comprehensive look at overall financial health correlated to lots of other risks that are valuable for people to understand.
One of the key reasons for the innovation of this approach is that, in the past, companies have tended to use payments scores and payment data from companies to understand whether they are good risks or bad. However, this is a “pretty antiquated way now of understanding the health of a company. It is the first opportunity to be able to give people comprehensive coverage of really all of the suppliers that they work with or customers that they work with in a very quick, fast and very precise way.” The FHR helps to make the risk management process more efficient in a workflow process. It does so in a manner at scale for companies around the world, in a very analytical way. This adds tremendous value to the entire process.
Please join us tomorrow when we consider the issue of third-party expansion in supply chain risk management.
This podcast series is sponsored by Rapid Ratings International, Inc. For more information, check out their website at www.rapidratings.com.

Categories
FCPA Compliance Report

IMPACT2019, Amy Edmondson on Creating a Safe Workspace

In this episode I visit with Amy Edmondson about her upcoming keynote speech at IMPACT2019, entitled “The Fearless Organization: Creating Psychological Safety for Learning, Innovation, and Growth”. Some of the highlights from the podcast include:

  1. Beginning in the 1990s Edmondson began researching how organizations are made better by creating safe spaces for employees to speak up.
  2. Why listening is the key trait for every leader.
  3. Your organization can have stretch goals but you must have open ears.
  4. How failure to listen to employees who speak up can cause business losses.
  5. Information on why you should attend ECI’s IMPACT2019.

Resources:
Amy Edmondson LinkedIn profile
Registration and Information on IMPACT2019 here.

Categories
Daily Compliance News

Daily Compliance News: April 2, 2019-the FB mea culpa edition

APRIL 2, 2019 BY TOM FOX


In today’s edition of Daily Compliance News:

Categories
Innovation in Compliance

Innovation in Compliance-Part 1: What is Supply Chain Financial Health?

Welcome to a special five-part podcast series on innovation in managing third party risk. This week I am joined by James H. Gellert, the Chairman and Chief Executive Officer (CEO) of Rapid Ratings International Inc. (RapidRatings), the sponsor of this special series. Our conversation is around helping companies manage their third-party supply chains through assessing financial health. The RapidRatings approach is incredibly innovative, with a series of products and services that should be considered by the compliance practitioner. In Episode 1, we begin with a discussion of why managing your supply chain risk is so critical in today’s business environment.
Supply chain risk management is a discipline that has been evolving significantly but still has a long way to go. Gellert began by noting that supply chain risk really means all third-party risk. These risks are getting more diverse from a geographic perspective as well as from a technology perspective. It can come from more aggressive mergers and acquisitions (M&A) activity, organic company expansion or an organization simply getting more creative with outsourcing and working with different kinds of companies for different solution sets. It also means that this group of third parties have the ability to impact businesses, both positively and negatively.
Too many suppliers can certainly be inefficient. This means that many companies are trying to trim down the numbers of third-parties with which they are working. This could be through adjusting time or implementing lean types of philosophies around supply chain. This makes each third-party partner more important and criticality is something that can be measured in lots of different ways. Gellert said it raised such questions as: “How much money you spend on a company? How much access will your third parties have access to company information? How much access will they have to your IT systems? All of these things have led to the evolution of a much more complex supply chain that people have to manage and they contain more risks.”
I asked Gellert how managing the risk and supply chain is different than managing on the sales side. He began by noting that there is “definitely overlap when looking at third parties.” Yet the more sophisticated method is a “360 degree” approach which means to look at all aspects of the relationship. In the anti-corruption world, the focus has typically been on the sales side. But it can also “mean suppliers all the way through to customers and intercompany affiliates and so forth.” Another approach from the compliance perspective has been upon knowing your customer (KYC). Gellert stated, “Customer risk is inherently more transactional than supply chain risk, in part because of who’s buying and who’s selling. When you are selling to someone, you are evaluating their ability to pay you. In this situation an organization needs to make sure that the company is one you want to do business with, that’s going to be able to pay you on time and in the terms that determined are economical for you.”
However, “when you are looking at suppliers, you’re buying from them, whether it’s a supplier of a product or a vendor of a service. You may have a five-year product cycle, a 10-year product cycle. If the suppliers your company is embedding into that portion of your business are not strong for the long-term or are not resilient, then you have problems that you are baking into the ecosystem of companies with which you are working.” Gellert concluded, “I think probably the biggest difference in customer evaluation and supply chain evaluations, you need to be able to understand the risks of those companies over the long haul as well as the short-term risks. So, you can avoid the short-term problems that could arise from a weak supplier.” It also means that you are “baking in the most resilient and strong long-term partners to work with, as you possibly can, into your organization.”
One of the frustrations for compliance professionals is that they do not know how far down the third party or supply chain they should go to either evaluate or manage the risk. They may understand who to go to for a direct counter-party, their immediate counter party, their first party supplier or their first party sales agent, and they may certainly understand managing that risk. I asked Gellert how much farther down the chain a compliance practitioner should begin to look at that issue. He said it can be quite complicated but that is where a technological solution can help.
He began by stating, “it’s not just first tier, second tier, third tier supplier in your supply chain may affect you.” One of the reasons it is so difficult for the compliance professional is there are so many areas you must consider. Gellert said these can include, “fraud detection, anti-money laundering, anti-corruption considerations and making sure that no one appears in a sanctions list. All of these things get more difficult exponentially as you go deeper into a supply chain and the people on supply chain risks sides who have been looking at delivery risk and logistics and other operational aspects including finance and newer elements like cybersecurity. It gets really hard when you’ve got to go to your supplier’s supplier.”
The bottom line is that there is not a really good answer for this except that collaboration between a company and its first-tier supplier is really essential to understand what the second and third tier supplier risks will be. Unfortunately, “many times organizations do not even know who their second tier supplier is for particular good or product or service because the tier one supplier has been delivering fine and there has been no need to find out how or where that tier one is getting the parts that they are bringing in.” Gellert concluded by noting, this “is changing but needs to change more. It really does start with collaboration and an understanding between the company and its tier one suppliers that understanding the risk deeper than that is going to be important and beneficial to everybody involved in that chain.”
Please join us tomorrow when we consider the issue of criticality in supply chain risk management.
This podcast series is sponsored by Rapid Ratings International, Inc. For more information, check out their website at www.rapidratings.com.
Categories
FCPA Compliance Report

FCPA Compliance Report-Episode 424, David Childers on the New ECI Self-Assessment Tool

In this episode I visit with David Childers, the Senior Vice President at Ethics & Compliance Initiative (ECI). We discuss ECI’s High-Quality Ethics & Compliance Program (HQP) Self-Assessment Tool.

Some of the highlights from the podcast include:
What are the 5 Principles of a HQP? They include: Strategy, Risk Management, Culture, Speaking Up and Accountability.
What are the 5 operational areas of an E&C program? They include:

  • E&C is central to business strategy
  • E&C risks are identified, owned, managed and mitigated
  • Leaders at all levels across the organization build and sustain a culture of integrity
  • The organization encourages, protects and values the reporting of concerns and suspected wrongdoing
  • The organization takes action and holds itself accountable when wrongdoing occurs

What is the design of the Self-Assessment tool? While the methodology is fairly complex, for the participant it is only 107 multiple choice questions and it takes less than 30 minutes to complete.
What is it designed to measure? The HQP Assessment measures program maturity based on a combination of questions regarding 27 operating components and more than 100 program practices.
What are the four categories of reporting information for each principle? They include: (1) What to measure/review; (2) Questions to consider; (3) Potential sources of information and (4) Leading practices illustrative of HQPs.
What is the five-point scale for program maturity? Program maturity is based on five levels, which are represented on a 0-100 scale.

  • UNDERDEVELOPED
  • DEFINING
  • ADAPTING
  • MANAGING
  • OPTIMIZING

The HQP Assessment tool is a measure of where an organization believes their E&C program operates based on the five principles.   The assessment can be used in several ways.  We have organizations that are looking for program improvement. The assessment can be a baseline for measured improvement.   It can also be a qualification.  As we said this isn’t about a score.  In some industries, being at the managing level of maturity may be sufficient for their risk.  Most of all it is a great way to create dialog and discussion with your leadership using a definitive measure of your program.
How will ECI use this information going forward? We are already seeing important trends and insights from the data. We will introduce many of these findings at our Annual Conference in Dallas, and we are developing working groups within our membership to explore some of the findings to refine best practices and guidelines for program improvement.
For more information on the ECI Self-Assessment Tool, go to www.ethics.org
Registration and Information on IMPACT2019 here.

Categories
Daily Compliance News

Daily Compliance News: April 1, 2019-the Not April Fool’s edition

APRIL 1, 2019 BY TOM FOX


In today’s edition of Daily Compliance News:

  • GOP congressmen threaten to kill NAFTA 2. (Washington Post)
  • CBS Credit Union shut down as one employee embezzled $40MM. (Deadline)
  • Scott Moritz on why every college should now perform a root cause analysis. (Protiviti)
  • What does Occam’s Razor have to do with blockchain? (McKinsey White Paper)
Categories
Daily Compliance News

Daily Compliance News: March 30, 2019-the Sackler family sued edition

MARCH 30, 2019 BY TOM FOX


In today’s edition of Daily Compliance News:

Categories
This Week in FCPA

This Week in FCPA-Episode 148 – the Hope Springs Eternal edition

As Opening Day nears and the Astros are predicted to unseat Jay’s Red Sox to win the 2019 World Series, both lads are eternally hopeful for their hometown heroes. While debating this issue, they also take a look at some of this week’s top compliance and ethics stories which caught their collective eyes.

  1. Former Hong Kong official sentenced for FCPA violations. Harry Cassin reports in the FCPA Blog. Matthew Goldstein reports on how to reduce your FCPA sentence in the New York Times.
  2. SEC awards two whistleblowers $50MM. Kristin Broughton in the WSJ Risk and Compliance Journal. Matt Kelly takes a deep dive in Radical Compliance. Doug Cornelius gets snarky in Compliance Building. Jonathan Marks weighs in on Board and Fraud.
  3. Jonathan Rusch and William Weaver debate whether corruption can be measured. Both on the FCPA Blog.
  4. Was it fraud or was it incompetency? The HP v. Autonomy civil trial begins in London. The BBC.
  5. What is the difference in whistleblowing and extortion? Joe Mont explains in Compliance Week. (sub req’d)
  6. What are your supply chain risks? Russ Berland explores in Part 1 of a two-part blog post series on Corporate Compliance Insights.
  7. Looking at enforcement of financial market crimes in Canada and UK. Anita Anand reports in NYU’s Compliance and Enforcement Blog.
  8. What steps can you take to reduce whistleblower retaliation? Matt Kelly opines in Navex Global’s Ethics and Compliance Matters.
  9. OECD slams Canadian government for interfering in SNC-Lavalin corruption investigation. Jonathan Rusch reports in Dipping Through Geometries.
  10. Join Tom and AMI’s Jesse Caplan for a 5-part exploration of emerging issues in healthcare compliance and monitoring. Check out the following: Part 1-Opioid Crisis-Legal issue; Part 2– Opioid Crisis-compliance solution; Part 3– the regulators; Part 4-the monitoring healthcare organizations; and Part 5-proactive monitoring. The podcast is available on multiple sites: the FCPA Compliance Report, iTunes, JDSupra, Panoply and YouTube. The Compliance Podcast Network is now also on Spotify and Corporate Compliance Insights.
  11. In Houston on April 11? Join the Greater Houston Business and Ethics Roundtable for a presentation on a one-year look back on GDPR. Registration and information are here.
  12. Check out the latest edition of Great Women in Compliance where Mary Shirley visits with Marianne Ibrahim.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Categories
FCPA Compliance Report

Emerging Issues in Healthcare Compliance-Episode 5, Proactive Monitoring

In this special five-part podcast series, sponsored by Affiliated Monitors, Inc., I visit with AMI Managing Director Jesse Caplan on emerging issues in healthcare compliance and monitoring. In the previous episodes, we considered how healthcare organizations can benefit by having an independent compliance expert – a fresh set of eyes, so to speak – evaluate the organization’s compliance program.  We explored the emerging risks involved in opioid prescribing and how organizations can mitigate that risk by pro-actively assessing the prescribing practices of their physicians and physician extenders.  In this final episode we discuss how an independent integrity review can be helpful for organizations that may be facing actual or potential compliance issues.

Some of the issues we consider are:
Can independent integrity review and monitoring be helpful where a healthcare organization may have reason to believe it has an actual or potential compliance problem, but has not yet been subject to an enforcement action or a corporate integrity agreement imposed by the government?

  1. The use of an independent compliance expert to assess a healthcare organization’s ethics and compliance program at a point in time where the organization has reason to believe it has a compliance problem and is likely to face an enforcement action can have tremendous value to the organization. Where a healthcare organization has reason to believe it has a compliance issue, that organization will be faced with a range of obligations and potential consequences, and the organization and their counsel will likely seek to mitigate those potential consequences to the extent possible.  Using an independent compliance expert to review and assess the organization’s ethics and compliance program, make recommendations for remediation and improvement, and then offering to have that independent expert monitor the organization’s implementation of those remedial measures and improvements can be a useful tool in dealing with the government enforcement agency and convincing that agency to grant the organization some leniency in the sanctions that might otherwise be imposed. 

How can engaging an independent integrity monitor in these circumstances help an organization in dealing with an enforcement agency?

  1. Coming from my enforcement background, and consistent with guidance from the Justice Department and the CMS Inspector General, we know that the government expects – in fact demands – that healthcare organizations self-report certain types of compliance violations – like overpayments they’ve received, or false or fraudulent claims that they’ve billed the government, to certain types of privacy breaches. The government also wants to see that the violation has been investigated and remediated, and just as importantly, that the violation is not indicative of a systematic failure of the organization’s ethics and compliance program.  While the organization can and should investigate compliance violations using internal resources or outside counsel, using an independent compliance expert to assess the ethics and compliance program and culture, make recommendations, and then monitor implementation of those recommendations, provides a level of objectivity and credibility that is more likely to resonate with the government enforcers. 
  1. We have had many engagements where the healthcare organization either directly, or through their legal counsel, engaged our firm to conduct an assessment of the ethics and compliance program and culture, where we made recommendations for improvement and remediation, and where we monitored the organization’s implementation of those recommendations and remedial measures. In many of those cases the organization and their counsel were able to convince the government enforcement agency that the company’s actions in addressing its deficiencies justified leniency – in effect, the organization and its lawyers were able to say to the government: “you don’t have to take our word for it; you can rely on the assessment and monitoring of this independent, objective and credible monitoring firm.”  In some of these cases, using the independent monitor likely meant the difference between the healthcare organization being permitted to continue to participate in government healthcare programs, as opposed to being excluded or having a license revoked. 

Why is it that government enforcement and regulatory agencies would prefer not to exclude important health care providers who have compliance issues?

  1. Ensuring access to sufficient quality health care providers – whether they be behavioral health providers, or providers serving other vulnerable and under-served populations – is a constant challenge for healthcare policymakers. Excluding an important provider with significant compliance issues may address those compliance concerns, but it may raise a different problem and challenge when it means there are not sufficient accessible healthcare resources.  The better solution, of course, is to have providers with compliance issues remediate their problems and implement a sustainable and effective ethical and compliance program so that the healthcare market has the benefit of high-quality, efficient, and transparent providers.  While the government is suspicious of healthcare participants who run afoul of their regulatory and compliance obligations, engaging an independent compliance expert and monitor can provide the government with the tools to temper, if not overcome, those suspicions. 

For more information on Affiliated Monitors, check out their website here.

Categories
Daily Compliance News

Daily Compliance News: March 29, 2019-the out like a lamb edition

MARCH 29, 2019 BY TOM FOX


In today’s edition of Daily Compliance News:

  • JPMorgan under fire for bribery in Nigeria. (New York Times)
  • Black and Decker settle Iranian sanctions case. (Wall Street Journal)
  • Having failed to change its culture, Wells Fargo CEO quits, effective immediately. (NPR)
  • Swedbank President fired over money-laundering scandal. (Wall Street Journal)