Categories
31 Days to More Effective Compliance Programs

Day 16 | The third-party risk management process


As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) devotes an entire prong to third-party management. It begins with the following: “A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.”
This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2012 FCPA Guidance and in the Ten Hallmarks of an Effective Compliance Program. The five steps are:

  1. Business Justification;
  2. Questionnaire to Third-party;
  3. Due Diligence on Third-party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

  1. Use the full 5-step process for third-party management.
  2. Make sure you have business development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.
Categories
12 O’Clock High-a podcast on business leadership

Trifecta of Failed Leadership


Richard Lummis and I are back. Today, we take a look at leadership lessons from a trifecta of failed leaders, including Adam Neumann, the founder and former CEO of WeWork, Elizabeth Holmes, founder and former CEO of Theranos and Travis Kalanick, founder and former CEO of Uber.
Highlights of this podcast include:

  1. What happens when charismatic leaders have disruptive visions?
  2. What happens when a brilliant jerk is a CEO?
  3. They all had and maintained asymmetrical power, total control and dual-class ownership structures.
  4. What happens when the CEO creates a cult of personality?
  5. All three valued opaqueness over transparency so that they could control the flow of information.
  6. Where was the Board of Directors?

Resources
Is Your CEO Brilliant, a Jerk or Both?
When to fire the boss?
CEOs are not here to save us

Categories
Daily Compliance News

January 16, 2020, Trump Tried to Repeal FCPA edition

 
In today’s edition of the Daily Compliance News:

  • We always knew he believed in bribery but Trump tried to unilaterally repeal the FCPA. (NYT)
  • Goldman stock falls as 1MDB settlement nears. (WSJ)
  • Red Sox fire Alex Cora, wait for MLB to drop the hammer. (WSJ)
  • What’s wrong with keeping petty cash at home? (Daily Mail)
Categories
31 Days to More Effective Compliance Programs

Day 15 | How do you evaluate a risk assessment?

After you complete your risk assessment, you must then translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will be an effort to address it. As Ben Locwin explained in his BioProcess International article, entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”:
“Once we have assessed risks and determined a process that includes options to resolve and manage those risks whenever appropriate, then we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are in a better position to speak about the quality of our businesses.”

A way to evaluate risks as determined by the company’s risk assessment is through a risk matrix. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your remedial efforts or for continuous auditing. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. All your actions should flow from the risk ranking.
Three key takeaways:

  1. Even after you complete your risk assessment, you must evaluate those risks for your company.
  2. The DOJ and SEC are looking for a well-reasoned approach on how you evaluate your risk.
  3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.
Categories
Compliance Into the Weeds

Compliance Issues in 2020, Part 2

Compliance Into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Welcome to the first Into the Weeds podcast of the new decade and the new year. In this Part 2 of a two-part podcast series, Matt Kelly and I take a look at ten issues that we think will be significant for the compliance professional in the upcoming year.

Some of the highlights include:

  • The Institutional Shareholder Services lawsuit against the SEC. What will this and other court cases against the Trump Administration’s attempt to gut shareholder protections by the SEC?
  • Effective sanctions compliance programs. Will there be congruity or discrepancies in the interpretation of what constitutes a best practices compliance program by the DOJ and OFAC?
  • Compliance convergence. We are moving away from separate anti-corruption compliance, trade sanction and export control compliance, and AML compliance toward a role which is simply compliance.
  • Data, data and more data. Regulators now expect data analytics, continuous monitoring and continuous improvement in your compliance program.
  • The ethical edge. How more effective compliance creates more efficient business processes, equating to greater profitability.

Resources
Matt’s blog post 7 Compliance Items to Watch in 2020 in Radical Compliance.
Tom’s blog post 4 Compliance Insights for 2020 and Beyond in the FCPA Compliance and Ethics Blog.

Categories
Daily Compliance News

January 15, 2020, the Bridge of Sighs edition


In today’s edition of the Daily Compliance News:

  • Businesses take the lead in response to climate change. (NYC)
  • Wells Fargo CEO admits he doesn’t have the answers yet. (Washington Post)
  • Trump Administration orders no discussion of climate change in allowing drilling in national forests. (Houston Chronicle)
  • Will Supreme Court further gut domestic corruption law? (Politico)
Categories
Great Women in Compliance

Kim Yapchai-Transforming Compliance

Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.

In this episode of GWIC, Lisa speaks with Kim Yapchai, who is the Chief Ethics and Compliance Officer for Tenneco. Kim did not start in the ethics and compliance field by choice – she became responsible for ethics and compliance during the 2008-2009 recession as part of a large staff reduction.
Kim went from an involuntary compliance officer to a leader in the ethics and compliance community by developing a program based on “transformational leadership” – developing a holistic program, working with her team and achieving results in both her prior and current role, both in E&C and in corporate social responsibility.
A great deal of Kim’s career has been in the automotive and manufacturing industries, two male-dominated industries. She discusses how she has thrived in these industries as a woman, and a person with a blended heritage.
Kim is also a great supporter of ethics and compliance professionals and discusses how she uses LinkedIn and building her network to help others…and how that is something she enjoys.
Join the Great Women in Compliance community on LinkedIn here.

Categories
31 Days to More Effective Compliance Programs

Day 14 | Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment, to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks.

As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”
This language was supplemented in the 2017 FCPA Corporate Enforcement Policy, which stated, “The effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.”
A risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The reason is straightforward: you cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.
Three key takeaways:

  1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.
  2. The DOJ will now consider both your risk assessment methodology for identifying risks and gathered evidence.
  3. You should base your compliance program on your risk assessment.
Categories
Innovation in Compliance

Getting Employees to Pay Attention with Peter Grossman


Peter Grossman comes from a publishing and entertainment background, having worked at US Weekly and Rolling Stone. Given this background, he and his partner initially targeted the entertainment industry when they co-founded their production company, Labyrinth Training. However, they were offered the opportunity to work with AB InBev to create compliance training that their employees would actually pay attention to. Since that time, Labyrinth has focused on creating training for the compliance industry. Peter joins Tom Fox on this week’s show to talk about the innovative ideas, strategies and techniques in training and communications that his company brings to the compliance space. 

Fixing What’s Wrong With Compliance Training
People love learning, Peter says, but they generally do not like school. The problem with compliance training is that it’s usually built by test takers, with little to no emphasis on engaging learners. Oftentimes you have a situation where compliance training is done in December when employees are the least engaged. That’s not the time to try to shove information down people’s throats, Peter argues. Training should be something that makes a difference, that changes behavior. As such, it should be something people want to do, not just have to do. You need to attach creative and innovative ideas to what you’re trying to convey to grab people’s attention and make it memorable. Essentially, your training should be about engaging your workers year-round in a culture change.
Memorable Storytelling
Whenever you roll out a training, it should feel like a cool office party, Peter says. The goal is to have people talking about it afterwards by attaching your policies to storytelling. Tom asks him how he applied this strategy at AB InBev. Peter shares the attention-grabbing narrative they developed for AB InBev’s compliance training program. It was so memorable and relatable that it became a company inside joke. What’s most important, he says, is that workers now remember what to do in certain moments because of that training. “The idea is that when you create characters that resonate with everybody, that’s what sparks the behavior change and gets people remembering it throughout the year,” Peter comments. He advocates bringing storytelling to everything – from broad topics to the most nuanced – because people will remember it.
A New Podcast
Tom mentions that Peter will be joining the Compliance Podcast Network with his new podcast. He asks him to give listeners a preview of what is to come. Peter says the name of the podcast is In The Lab. It’s going to be a very loose, conversational show. He will bring his storytelling background to the show as the format will be about talking to people and hearing their stories. 
Resources
LabyrinthTraining.com 
peter@gadfly.io 

Categories
Daily Compliance News

January 14, 2020, the Astros Hammered edition


In today’s edition of the Daily Compliance News:

  • MLB lays down unprecedented fines on Houston Astros. (com)
  • Astros owner fired GM and Manager. (Houston Chronicle)
  • Former Astros GM declares “I am not a cheater”. (Houston Chronicle)
  • Does MLB have a technology problem? (ESPN)