Categories
This Week in FCPA

Episode 262 – the No Fans Olympics edition


As the Tokyo Olympics stumble out of the gate and Tom returns to the wilds of the Texas Hill Country, he and Jay are back to take a look at this week’s top compliance and ethics stories which caught their interest on This Week in FCPA in the No Fans Olympics edition.
Stories

  1. Why co-creation is key to design thinking in compliance. Carsten Tams continues his 5-part series on LinkedIn. Check out Tams Part 1 and Part 2 of his great 5-part series.
  2. What’s going on with ESG in Europe. Vera Cherepanova in the FCPA Blog.
  3. What is social risk? Lawrence Heim in com.
  4. What’s the current job market for compliance professionals? Matt Kelly in Radical Compliance.
  5. SFO secures two DPAs. Neil Hodge in Compliance Week (sub req’d)
  6. Responding to parallel investigations. Nicole Sprinzen and Catherine Yun in CCI.
  7. Auditing of SPACs. Francine McKenna takes a deep dive on The Dig. (Sub Req’d)
  8. EU Whistleblower Initiative? Keith Taylor in Navex Global’s Risk and Compliance Matters.
  9. FTC signals more aggressive enforcement. Alexander Paul Okuliar and David J. Shaw in NYU’s Compliance and Enforcement.
  10. The Enactment of Purpose Initiative. Wachtell, Lipton lawyers in the Harvard Law School Forum on Corporate Governance.

Podcasts and Events

  1. In a sponsored 6-part podcast series Tom visits with folks from Exiger on its ground-breaking TP&SCRM framework, the TRADES Framework. Part 1-Transparency; Part 2-Risk Mitigation; Part 3-Assessing Risk; Part 4-Determining Mitigations; Part 5-Evaluating Uplift; Part 6, Supplier Monitoring.
  2. Tom and Megan Dougherty conclude their series on Loki, in Episode 6, For All Time. Always. They review the concluding episode of Season 1, look back over the entire series, review it in the context of the MCU series WandaVision and the Winter Soldier and Falcon and where the MCMultiverse may be headed.
  3. A new month on The Compliance Life! In July I visit with Asha Palmer, CECO at Convercent. In Episode 1, from Claire Huxable to the DOJ. In Episode 2, ‘What do you think about Abu Dhabi?’ In Episode 3, she moves into compliance consulting and is surprised with what she observed.
  4. Are you a #GWICee? If you are not you should be. Join the co-hosts Lisa Fine and Mary Shirley for their fan fav lightning-round of listener submitted questions in this episode of Great Women in Compliance.
  5. What is the budget process for a corp compliance function? Kortney Nordrum lays it out for you in this episode of Survive and Thrive. Check out the video version on YouTube.
  6. The Compliance Handbook, 2nd edition is released. Learn about it here. Purchase it here.

Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.

Categories
Daily Compliance News

July 23, 2021 the Extradition edition


In today’s edition of Daily Compliance News:

  • Robinhood rewriting rules for going public? (NYT)
  • Brit Mike Lynch can be extradited to US. (BBC)
  • Insurers behind the times on ESG? (FT)
  • Age discrimination in RTW. (WaPo)
Categories
Compliance Kitchen

Nicaragua Update


The Kitchen heads South to look at what’s happening with Nicaragua as the US revokes visas of some associated with the Ortega-Murillo regime.  EU rolls out a temporary VAT exception – listen in to get more on what products can benefit.

Categories
Innovation in Compliance

The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: How Exiger’s TRADES Framework Revolutionizes TPRM & SCRM in 2021 and Beyond-Part 4, D for Determine Mitigations


Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. In this episode, I visited with Carrie Wibben, Senior Vice President, Exiger Federal Solutions, and Aaron Narva, Senior Vice President, Head of Corporate Markets, on determining risk mitigations.
The next critical element of the TRADES framework is around determining the mitigation of risk—what actions or steps can and should be taken to reach a point where the specific risks of a supplier or supply chain element are well enough understood and controlled to move forward with a business relationship? Narva explained, “Determining mitigations is a delicate balance of all of the preceding elements of the TRADES framework—it’s about understanding the specific impacts that risk can have on the specific parts of your third party population, it’s about taking a risk based approach, and it’s about understanding your operational bandwidth to take specific mitigation actions and knowing when to just accept the minimal risk and move on for the operational benefit.” While most compliance professionals will be comfortable with this approach, you always need to remember that no one size fits all.
Risk management and compliance professionals seek out and rely upon frameworks that are multiple priorities, such an approach can be used to get executive stakeholder buy-in and drive budget decisions to invest in critical compliance and risk management tools and program changes to elevate supply chain risk insights and truly transform the way most organizations perform supply chain management.
Wibben noted, “This element is really about problem solving and taking specific actions to remediate risks ultimately to drive a supply chain ecosystem that is secure and resilient, but without compromising operational efficiency. By this I mean, at this point in the framework, you have set your organization’s objectives and risk thresholds – you have considered what risks you are willing to accept, what risks can you transfer, segregate, or otherwise mitigate, and what risks you need to immediately take action to remove or avoid altogether.” Moreover, this is the step where you separate the wheat from the chaff. The process has to be driven on a risk-based approach that allows a broad spectrum of mitigations to be used to develop your mitigation plan, to include timelines and milestones to address the supply chain risks that negatively impact the integrity and security of your supply chain.
Mitigating risks requires a high degree of both critical and creative thinking and solutioning.  Wibben said, “That’s really why I personally believe that determining mitigations is one of the most challenging elements of Supply Chain Risk Management because of really two primary things, 1) the complexity, and oftentimes, the ambiguity and constantly evolving nature of the sub-tier supplier ecosystem, and then 2) the secondary and tertiary consequences of risk mitigation work, which includes potential impacts to upstream and downstream cost, schedule, and operations.”
I asked Narva about some of the work Exiger is doing with corporate compliance functions to determine mitigations. He said, “On the corporate side, we are seeing many clients utilizing third party outreach as a form of mitigation. Third parties can provide proof of their controls, whether it’s corruption, environmental or cyber risk with documentation such as policies and procedures and certifications.” In the age of Covid-19, “some clients are performing an on-site audit in instances of very high risk, but we have seen a lot of that activity move to video calls, which interestingly enough, allows clients to do more of this type of risk mitigation. At the end of the day, our clients’ approaches to mitigation are as varied as their business models and the risks they face.” Such risk mitigation strategies as contractual clauses, refresh periods, and risk committees are also frequently part of the risk mitigation approach, as are deeper levels of diligence, all the way up to and including discreet reputational inquiries in instances where it is justified.
Join us tomorrow, where we discuss the next step, evaluating the TRADES Framework uplift, with Brandon Daniels and Josh Thiel.
Resources
Exiger TRADES Framework
Exiger Website
Aaron Narva
Carrie Wibben

Categories
Popcorn and Compliance

Loki, Episode 6 – For All Time. Always


Tom Fox and Megan Dougherty are back to review the Disney series starring the Marvel Cinematic Universe character, Loki, in the new series, appropriately enough named Loki. In this episode, they take a look at the final episode in the series, Episode 6, For All Time. Always. Each episode will feature a review of the synopsis, Cookies and other cool stuff and then go through some of the questions they have from each episode. It will be a rollicking great time. Join us for all 6 episodes. Spoiler Alert: if you have not seen the episode, Tom and Megan will be taking a deep dive into all of the storylines. In today’s episode we discuss:

  1. Story Synopsis.
  2. Cookies, easter eggs and other cool items.
  3. Questions about ‘He Who Remains’.
  4. Was it really Miss Manners all along?
  5. Where does Loki fit into the WandaVision, Winter Soldier and Falcon trilogy?
  6. Have we moved from MCU to MCMultiverse?
Categories
12 O’Clock High-a podcast on business leadership

Plutarch’s Lives- Agis and Tiberius Gracchus


12 O’Clock High, a podcast on business leadership, brings together stories from history, the arts and movies, research and current events to consider leadership lessons. In this episode, Richard Lummis and Tom Fox are on a 10-part summer series on leadership lessons from biographies found in Plutarch’s Lives. Each week we will pair an ancient Greek and Roman to learn about their lives, the comparison and contrast between the two men and what leadership lessons we might draw from their lives. In today’s episode we look at the Greek (Spartan) Agis and Tiberius Gracchus, focusing on land reform in Ancient Greece and Rome. Highlights include:

  • Introduction of Plutarch’s Lives as historical work.
  • Lives of Agis and Tiberius Gracchus.
  • Comparison in the lives of Agis and Tiberius Gracchus.
  • Land reform in ancient Greece and Rome.
  • The role of the Plebeians.
  • What leadership lessons can be drawn from the lives of Agis and Tiberius Gracchus.

Resources
Plutarch’s Lives by Bill Thayer

Categories
Daily Compliance News

July 22, 2021 the Fly US edition


In today’s edition of Daily Compliance News:

  • Air Canada US claims not subject to US law (duh). (View from The Wing)
  • Diversity in your Supply Chain? (WSJ)
  • J&J and Distributors settle opioid case for $26bn. (NYT)
  • Biden to push Ukraine President to tackle corruption at White House meeting. (NYPost)
Categories
Compliance Kitchen

EU, OFAC and Venezuela updates


The Minsk agreements continue to go unimplemented, so the EU extends Russia sanctions again; OFAC grants an export license for certain petroleum products destined for Venezuela and the Kitchen is there to look into the details.

Categories
Innovation in Compliance

The Groundbreaking Guide to Third-Party & Supply Chain Risk Management: How Exiger’s TRADES Framework Revolutionizes TPRM & SCRM in 2021 and Beyond-Part 3, A for Assess Current Risks


Welcome to a special six-part podcast series, sponsored by Exiger, on the TRADES Framework, a conceptual, strategic and practical guide for Third-Party and Supply Chain Risk Management designed by Exiger to help organizations achieve supply chain resiliency and optimize risk management at any phase of maturity. In this episode, I visit with Laura Tulchin, ESG Solutions Lead, and Peter Jackson, Director of SCRM Data Management & Innovation, on assessing your current risks.
According to Jackson, “The A in the TRADES framework stands for ‘Assess Current Risks.’ In steps One and Two, you have been planning and preparing your supply chain risk assessment; now it’s time to actually carry it out. The more robust your preparation, the easier this step will be, but don’t be concerned if you find it necessary to go back and forth between this step and the previous stages. Sometimes we have expectations about the data that’s available, or we make assumptions about overall risk, that are quickly disproven as we move to actually assess our risk. When that happens, simply back up and iterate on the planning stage to find another approach. Assessing current risks breaks down into three levels.”
The Strategic Level. Tulchin says you should begin at the Strategic Level in order to “maintain a robust, long-term third-party and supply chain risk management framework, organizations must agree to and document a broad risk appetite statement. Start at the strategic level.” Moreover, “A risk appetite statement is absolutely critical to defining the workflow for you of the outputs of the risk assessment.”
We moved to a risk appetite statement, which Tulchin said, “is going to give you guidelines about what is acceptable risk and what is not. It’s extremely important to put in thresholds and metrics to make the results of the risk assessment actionable – KRIs that tell you when things are moving toward unacceptability and what to do then.” Additionally, “Ultimately, the risk assessment is going to strategically define a workflow for you of the outputs of the risk assessment.” Finally, your “risk assessment methodology should ensure that the risk model meets your business need and risk profile – in other words, align with the way that your organization sees the world.”
The Program Level. Implementing a risk assessment program begins with defining the risk assessment application and prioritization process. From there, organizations need to determine the frequency of risk assessments and establish policies to escalate risk events. Risk thresholds and decision-making processes must be clearly documented.
Jackson said that at this level, “it’s time to buckle down and collect, analyze, and synthesize the data you need to identify your risks and fit them into your risk appetite. Something to keep in mind as you carry out your plan at the program level is that there are both weak points and strong points in any supply chain.” While many aspects of the risk model focus on identifying potential weaknesses or vulnerabilities in a supply chain, the flip side of that analysis is to discover the best and strongest parts of your supply chain as well.
Moreover, the Program Level is “the perfect place to identify what is working well and to investigate why is it working well. Since we use risk as a starting place, we can look at the bottom of the list—the lowest-risk areas—to look for positive practices that can be replicated throughout your supply chain. Program level risk assessment is the right place to drive value creation as well.  Although supply chain risk is focused on reducing vulnerabilities, there is also tremendous potential here for discovering efficiencies and creating significant value capture from your supply chain as well.”
Tactical Level. At a tactical level, the risk assessment process should include application, visualization and a vulnerability evaluation. Individual third-party risk assessments, critical supplier assessments as well as supply chain assessments should all be included as part of an organization’s risk assessment application. That risk should then be visualized to depict third-party and supply chain portfolio risk areas and indicators to provide actionable intelligence and allow for the prioritization of investigation and mitigation efforts in an efficient manner. A high-level comprehensive assessment should evaluate overall vulnerabilities across the complete level.
Here implementing the risk assessment may mean different things for different entities based upon criticality. Tulchin related, “certain types of suppliers may be subject to more stringent data collection that leads to a more comprehensive risk model that brings in a large swath of data.” It could also be that you “want to perform a risk assessment within a given supplier relationship. As defined by the risk model design/methodology, tiering with regard to the need to perform micro or single entity risk assessments.” Finally, there “may be certain suppliers, or a certain high-risk jurisdiction, or a certain critical product that require single-focus risk assessments to bring that data into an overall program review.”
Jackson feels the Tactical Level “is the place where you are most likely to discover the need to iterate on your supply chain risk model design. The tactical level is where you can best identify any persistent information gaps or determine the need for data orchestration.” Yet he cautioned, “It’s also important to keep in mind that the outputs of your assessment will be responsive to your risk priorities.”  Finally, he emphasized that it is “critical to keep in mind that we aren’t assessing just for the sake of assessing. Especially at the tactical level here, always keep in mind how your organization can use the work that you’re doing and put your outputs to immediate use. If your findings are more strategic in nature, then the changes may be sweeping organizational solutions; if your findings are more tactical, then perhaps they will result in only a small tweak to a specific buying pattern or relationship. As you carry out your risk model plans in this step, always keep in mind a clear path ahead for any given outcome.”
Join us in our next episode, where we discuss determining mitigations with Carrie Wibben and Aaron Narva.
Resources
Exiger TRADES Framework
Exiger Website
Laura Tulchin
Peter Jackson

Categories
Great Women in Compliance

The Lightning Round: Surprise Listener Questions for Mary and Lisa


Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley. Lisa and Mary welcome listeners back to a new season with hot seat questions put forward by their audience without time to prepare. They also give a spoiler alert for their next joint episode as something to look forward to and think about your submissions for the future. Here are the questions Lisa and Mary tackled in this episode:

  • How do you continue to learn in order to stay on top of things in your role?
  • “If your ideal compliance leader was an animal, which animal, and why?”
  • When did you realize that GWIC has grown from the podcast to a larger community? Was there a moment for you?
  • If you had an extra $10k and had to spend it within the month- what would you do (personal or professional)?
  • As someone who is a global traveler, when you get to go home to New Zealand, once you recover from the flight, what is the first “local”/hometown thing you want?
  • Is it ever okay for an E&C investigator to employ deception when interviewing a subject? I’ve worked at companies that allow very limited exceptions and others that say “never.” A common exception involves a subject who might figure out who the reporter is (and then retaliate against her/him). As we seek to do everything and anything possible to prevent retaliation against reporters, the investigator might say to the subject during an interview (in a situation where the internal reporter is known to the investigator), “Please make no effort to guess or otherwise identify the reporter. Doing so risks violating our anti-retaliation policy. The reporter may be anonymous or from outside the company–it doesn’t matter. The bottom line is, you must refrain from trying to determine or conclude who it is.” Of course, nothing in this example is a lie, but it is deceptive given the investigator knows the reporter isn’t external or anonymous. Certain countries may have laws or regulations that answer this question but, importantly, the standards of an E&C investigation–at least in the United States–are not the same as a government-led investigation. Also, many E&C investigators are not licensed attorneys, so there are no “licensed professional” restrictions to consider. So, do you think it’s okay for an E&C investigator, in rare and previously identified instances, to deceive an interviewee when doing so likely could have a material effect on protecting a reporter from retaliation?
  • What’s the biggest area (related to your current role) you are curious about and why?
  • What are some of the things you are researching right now? (Could be personal- could be professional, could be vague)
  • If there was one thing you could change about the way Compliance is perceived by people outside the profession, what would it be?
  • We often hear of the importance of the birds and the bees. But in the compliance world, if you could only pick the attributes of one, which would it be and why?

We hope that you enjoyed this episode and welcome any feedback you may wish to send in to gwicpod@gmail.com.
For those of you in the northern hemisphere, it is the season for beach reads and you may be traveling after a long break. For your time off, you can pick up a copy (or download) “Sending the Elevator Back Down: What We’ve Learned from Great Women in Compliance” (CCI Press, 2020). If you’ve already read the book and liked it, will you help out other women to make the decision to leverage off the tips and advice given by rating the book and giving it a glowing review on Amazon?
As always, we are so grateful for all of your support and if you have any feedback or suggestions for our 2021 line up or would just like to reach out and say hello, we always welcome hearing from our listeners.
You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.
 
Join the Great Women in Compliance community on LinkedIn here.