Categories
FCPA Compliance Report

FCPA Compliance Report - The Culture Audit™ for Culture Assessments

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Sam Silverstein to talk about the new software product, The Culture Audit™, which allows a compliance professional to perform a culture assessment as required by the Department of Justice.

In the ever-evolving corporate world, the importance of assessing and improving corporate culture cannot be overstated. This is the focus of The Culture Audit™, a software tool developed by Sam Silverstein and the Accountability Institute that provides a comprehensive assessment of a company’s culture, identifying potential risks and areas for improvement. Tom views The Culture Audit™ as a valuable tool, especially in light of the Department of Justice’s focus on corporate culture in white-collar enforcement actions. He sees culture as a risk that can be assessed, managed, and continuously improved.

Sam shares this perspective and, drawing on his extensive experience in accountability and leadership, emphasizes the importance of regular culture assessments, which can lead to a better bottom line by fostering a culture of high ethics, employee engagement, and quality decision-making. To learn more about the Culture Audit and how it can benefit your organization, join Tom Fox and Sam Silverstein on this episode of the FCPA Compliance Report podcast.

Key Highlights

  • Culture Assessment and Risk Identification Tool
  • Multilingual Communication Tool for Global Organizations
  • Creating a Data-Driven Workplace Culture
  • The Culture Audit™: Assessing and Improving Workplace Culture
  • Measuring Relational Commitments for Organizational Success

Resources

Culture Audit

Set up a call to discuss the Culture Audit, click here

Sam Silverstein and the Accountability Institute

Sam Silverstein on LinkedIn


31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Culture: Day 6 – Attributes of a Toxic Culture

Corporate culture is finally being acknowledged as a key ingredient in a successful business, particularly one that operates ethically and in compliance. But what are some indicia of good culture and, more importantly, what are some indicia of a toxic culture? A recent article in the MIT Sloan Management Review provided some guidance. In Why Every Leader Needs to Worry About Toxic Culture, the authors posited that by pinpointing the elements of toxic culture in a company, its leaders can focus on addressing the issues that lead employees to disengage and quit. These ideas have significant importance for the compliance function as it navigates corporate culture, both in assessing and improving it.

Moreover, the Chief Compliance Officer and corporate compliance function were identified in the 2023 Evaluation of Corporate Compliance Programs as the keepers of institutional justice and institutional fairness. This means recognizing and then preventing a toxic culture from spreading and infecting your entire organization is squarely in the compliance wheelhouse. The article lays out key red flags for every CCO and compliance professional to look for in assessing culture. Finally, any company with a toxic culture has a much greater chance of being defrauded by its own employees or of defrauding others through bribery and corruption in violation of such laws as the Foreign Corrupt Practices Act (FCPA).

The authors identify behaviors that they call “the Toxic Five attributes”: “disrespectful, noninclusive, unethical, cutthroat, and abusive – poison corporate culture in the eyes of employees. While organizational culture can disappoint employees in many ways, these five elements have by far the largest negative impact on how employees rate their corporate culture and have contributed most to employee attrition throughout the Great Resignation.” As a CCO or compliance professional, you need to be on the watch for them and take steps to remedy them if you see or hear about them.

Three key takeaways:

1. Are the attributes of a toxic culture present in your organization?

2. The 2020 Update to the Evaluation of Corporate Compliance Programs mandated that compliance lead this effort.

3. Does your organization have abusive behavior?

Check out the free webinar on the new tool, The Culture Audit, with Tom Fox and Sam Silverstein on Tuesday, November 28, 12 CT. For more information and registration, click here.

31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 15 – Leveraging AI in Compliance Investigations

The 2023 ECCP provided clear-cut criteria regarding effective compliance investigations. Unfortunately, many compliance teams fail to promptly substantiate most of the reports they investigate, partly due to their inability to quickly and easily find the evidence they need, especially in harassment and misconduct cases. He stated, “This doesn’t just demonstrate a fundamental lack of effectiveness from the DOJ’s perspective, but a long-term organizational risk that goes well beyond any individual allegation of misconduct.” The reason is not simply legal but also operational. If substantive allegations are indeed violations, they could continue, exacerbating the problem(s) and lengthening the time of legal liability.

All of this is particularly significant in light of the industry research that shows many compliance investigations today are unsubstantiated and can take over 40 days from start to finish. With its ability to find and analyze data from the web and social media in this automated fashion, AI will be able to overcome some of those challenges in terms of length of time and overall scope of the investigation. Finally, always remember data preservation. The regulators always want to know if you have the documents and data tied down. This allows a company to have confidence in its papers and, in turn, to make representations to regulators and prosecutors that the documents are secure. In other words, Document, Document, and Document.

Three key takeaways:

  1. AI is an appropriate tool for supplementing investigations.
  2. AI can look at large bodies of social media data.
  3. AI can help you decrease your investigation length.

For more information, check out The Compliance Handbook, 4th edition, here.

31 Days to More Effective Compliance Programs

One Month to A More Effective Compliance Program Through Innovation: Day 14 – Creating an Inventory of Metrics

The 2023 ECCP not only continued to emphasize the importance of monitoring and testing the effectiveness of a compliance program, but it spoke more about a Chief Compliance Officer (CCO) and compliance function utilizing data to engage in continuous monitoring and continuous improvement. For some time, the DOJ has stressed the importance of leveraging data to have objective evidence around whether or not a compliance program is working effectively. Yet, as many CCOs are legally trained, they are still determining what specific areas to consider in establishing quantifiable metrics to monitor for effectiveness.

A methodical review of the 2023 ECCP to identify the different areas where a company could establish and quantify metrics to assess effectiveness is the place to start. Many companies have what Edwards called “metrics on the basics” and noted they “have in place processes whereby their employees review the Code of Conduct and confirm they comply with it either when they first onboard with the company and then periodically on an annual basis, companies are doing just fine at reporting.” But it is now the barest minimum of what compliance professionals must do. For instance, they could consider Quote To Cash (QTC) lifecycles or Procure To Pay (P2P). The key is to start with a documented process that can be audited and build from there.


Three key takeaways:

  1. Create an inventory of compliance metrics.
  2. Create your metrics based on the 2023 ECCP.
  3. Use these metrics for continuous monitoring and improvement.


31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 10 – Connected Compliance

Disconnected compliance comes from the fact that there is not one system that connects the disparate strands of the compliance discipline. Connected compliance allows a CCO and all those people in the organization working with compliance to have one central place, a system of record for everything they do. This can be their whistleblowing hotline, case management, training of their employees, or training of their vendor’s policy. It is literally connecting them all so they are running from one central location, and these disparate systems can be monitored from one central location. A key way to think about it is “getting everything under one roof,” as one of the struggles many compliance officers have is that the information they need is literally siloed across different functions of the company. Information can be contained in the sales function, where there may be employee expense data, information on marketing expenses, or charitable donations in the sales organization, but it could be spread among other corporate functions as well.

All of this is what the DOJ has articulated as operationalizing compliance. It first garnered attention in the February 2017 release of the original Evaluation of Corporate Compliance Programs and has only increased with the 2023 ECCP. Since that time, compliance practitioners have steadily worked to move their compliance programs forward onto the front lines of their business units. Connected compliance is one way to do so, but it clearly requires a human element to not only interpret data but to impart the appropriate or required compliance solution. Operationalizing compliance means that you cannot have an annual or even quarterly update on what’s going on in the program. It must be operationalized in such a way that you are not only sharing information with the regional business units or floating it up to the corporate compliance folks but also sharing information back and forth with the other business units, procurement, and finance, and reacting in real time.

Three key takeaways:

  1. Connected compliance moves you towards continuous monitoring.
  2. Compliance under one roof.
  3. Never forget the human element.


31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 9 – Dynamic Compliance Policies

One of the key changes coming out of the Covid-19 pandemic is the need for dynamism in corporate policies. This message was driven home in an MIT Sloan Management Review article, “Turbulent Times Demand Dynamic Rules”. The authors believe, “Circumstances can change rapidly in an uncertain world — organizational rules should be designed to change along with them.”

This concept is most appropriate in the compliance arena in the area of risk management. As your risks change, your management of those risks should adapt to the new reality. This is why the DOJ intoned in the 2023 Evaluation of Corporate Compliance Programs (ECCP) that you should assess your risks as they change, modify your risk protocols, monitor your risk management strategy and then update your compliance programs through continuous monitoring.

This dynamic policy process can build dynamic rules to enhance your company’s ability to anticipate and cope with risk changes. When the corporate compliance function embraces experimentation and learning in the creation and reformulation of policies, it builds flexibility into the organization’s structure, processes, and practices. This type of flexibility is essential as we have moved from disaster recovery to business resiliency to business as usual, especially in the field of risk management.

Three key takeaways:

1. After Covid-19, your policies must be as dynamic as your business.

2. There are three general areas to improve the dynamic features of policy creation and improvement: transparency, experimentation and innovation.

3. Garner feedback from your users on the effectiveness of your compliance policies.


Blog

Navigating Transformational Changes: The Intersection of E&C and ESG

Today I would like to explore the intersection of ethics and compliance (E&C) and environmental, social, and governance (ESG) efforts. In a recent podcast on Report from IMPACT 2023, we explored the crucial role of ethics in guiding organizations through transformational changes. With data-driven insights and practical advice, we considered the challenges, opportunities, and strategies for success in this evolving landscape.

In the face of rapid technological advancements, the importance of ethics cannot be overstated. There is a need to build safeguards to prevent potential crashes or negative consequences. Much akin to car racing, this world needs to move forward with technology in a safe and responsible manner. Further, just like a skilled racer, organizations must navigate the track of progress while ensuring the ethical implications of their actions are considered. Finally, always remember that brakes are not on a car to slow it down but so that you can drive fast.

As power dynamics shift and new technologies emerge, the establishment of checks and balances in this arena becomes paramount. This means that organizations need to both distribute power internally wisely and ensure ethical decision-making processes are in place. By doing so, they can safeguard against potential abuses and ensure that transformative changes are guided by integrity. I often use the visual of the billboard announcing the Eyes of Dr. T J Eckleburg from The Great Gatsby as the best way to think about having a second set of eyes on your process for process validation.

In a world undergoing rapid transformation, continuous education and expanding horizons are crucial for organizations and individuals alike. For Chief Compliance Officers (CCOs) and other compliance professionals, the importance of being adaptable and open to learning cannot be overstated. Our profession is changing as fast as any other corporate function, and it is coupled with the needs of our customers changing. Who are the customers of a corporate compliance program? You can start with the multiple stakeholders identified by the Business Roundtable in their seminal Statement on the Purpose of a Corporation. It can be employees, shareholders, third parties, vendors and business partners and those who may live in localities where your organization does business. By embracing new perspectives and staying informed, CCOs, compliance professionals and corporate compliance functions can effectively navigate the challenges of a changing world.

A significant development highlighted in the podcast is the convergence of ESG and E&C. This integration presents both a strategic risk and an opportunity for organizations. By aligning environmental, social, and governance considerations with ethical and compliance practices, companies can create a holistic approach that benefits both their bottom line and society at large. Equally important is the mandate that the CCO and corporate compliance function should lead this effort. There is no other corporate function which has such a wide mandate, as set out by the regulators, as the corporate compliance program. One need only consider the 2019 Evaluation of Corporate Compliance Programs which led to the 2023 Evaluation of Corporate Compliance Programs to see that a corporate compliance function (and CCO) must have visibility literally across your entire corporate organization.

The demand for businesses to take positions on social issues is growing louder, both from employees and stakeholders. The importance of both the CCO and compliance function not remaining silent on these matters is well known within the compliance community and the wider corporate world. You may call this speaking truth to power, but in the wider ESG world, businesses must recognize the power they hold to effect change and leverage it responsibly. By aligning their values with those of their workforce and society, they can build purpose-filled organizations that resonate with the younger generations.

I speak with many Human Resources (HR) and talent specialists, and they all say that the acquisition and retention of talent will be the key market differentiator for business by mid-century. From Baby Boomers through GenXers to Millennials and now GenZers, the values and mindset of the current and upcoming workforce differ significantly from those of previous generations. To motivate and attract these individuals, organizations must listen to their ideas and incorporate them into the company’s values and purpose. By engaging with the younger generations and understanding their perspectives, board members can foster an environment that aligns with their aspirations. Businesses which try to enforce well-known and well-debunked tropes, such as that there is no such thing as climate change, will be consigned to the dustbin of corporate failures.

Building transformative leadership and engaging forward-thinking board members pose challenges but are necessary for success. Just as talent acquisition and retention will be one of the most critical aspects of corporate survival, the importance of recruiting board members who understand current and future challenges and the need for an integrated approach will be equally critical. Critically, this also means diversity on the Board. While seasoned experience is valuable, finding individuals who can bridge the gap between traditional values and the demands of a changing world is crucial. It also means new and different subject matter expertise will be critical. The Department of Justice (DOJ) has noted that a Board needs to have a compliance resource on it. The logical step is for a Board to have a Compliance Committee, chaired by a seasoned compliance professional.

It might even lead to a broader concept of a true risk management professional on the Board. Given the paradigm shift coming out of the Pandemic from disaster recovery to business resiliency to business as usual, a Board having the ability to have that strategic discussion and lead through oversight will be a critical element as well.

Recognizing the pivotal role that ethics and compliance play in guiding organizations through transformational changes is something that is gaining traction in the corporate world. In a world that is evolving at an unprecedented pace, it is imperative to build ethical safeguards, establish checks and balances, provide appropriate oversight and adapt to the values and mindset of the younger generations. By embracing continuous education, converging ESG and E&C efforts, and taking a stand on social issues, organizations can navigate the inflection point we find ourselves in and thrive in the future.

31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 2 – Clearly Articulated Written Standards

The written standard requirements have long been memorialized in the U.S. Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements, the DOJ has crafted its minimum best practices compliance program, which is now attached to every DPA and NPA issued. These requirements were incorporated into the 2012 FCPA Guidance and brought forward in the 2023 ECCP and FCPA Corporate Enforcement Policy. The U.S. Sentencing Guidelines assume that every effective compliance and ethics program begins with a written standard of conduct; i.e., a Code of Conduct.

Following your Code of Conduct, the written policies and procedures required for a best practices compliance program are well known and long established. The role of compliance policies is to provide guidance and to protect companies, despite an occasional hiccup. Policies provide a basic set of guidelines for employees to follow. They can include general do’s and don’ts, work process flows, and specific issue guidelines. By establishing what is and is not acceptable compliance behavior, a company can mitigate the compliance risks posed by employees who might make foolish decisions or otherwise engage in unethical behavior.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedures. They are certainly a first line of defense when the government comes knocking. This means the regulators will take a strong view against a company that does not have a well thought out and articulated Code of Conduct, policies and procedures, all of which are systematically reviewed and updated. Written policies, signed by employees, provide a vital layer of communication. Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the “Document, Document, Document” mantra applies just as strongly to this area of anti-corruption compliance.

Three key takeaways:

  1. A Code of Conduct, together with policies and procedures, have long been recognized as cornerstones of a best practices compliance policy.
  2. Each level of written standards builds upon one another, so consider this integration step.
  3. The Fair Process Doctrine applies to your written standards.


31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program in Training and Communications – Envisioning Your Compliance Training Program

How can you begin to think through a best practices compliance training program? I asked Shawn Rogers, training guru, expert, and maven. Rogers advised that you ‘envision’ what your training would look like as a first step. He stated, “A common mistake is jumping right to the question of which courses you want and how to deploy them. However, you must consider several things before building the program.”

You should develop some principles on what your compliance training will look like. A key way to start is by reference to the Training and Communications section of the 2023 ECCP, which states, “Prosecutors should assess the steps taken by the company to ensure that policies and procedures have been integrated into the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners. Prosecutors should also assess whether the company has relayed information in a manner tailored to the audience’s size, sophistication, or subject matter expertise.

Some companies, for instance, give employees practical advice or case studies to address real-life scenarios, and/or guidance on obtaining ethics advice on a case-by-case basis as needs arise.” Some of these principles include the following: What are the Guiding Principles of your compliance training? What are you trying to communicate? Is it a broad set of values you want to speak to every employee about what your organization stands for? As noted in the 2023 ECCP, a company should “examine whether the compliance program is being disseminated to, and understood by, employees in practice to decide whether the compliance program is ‘truly effective.’”

Three key takeaways:

  1. The 2023 ECCP has a strong emphasis on compliance training.
  2. Create a set of Principles for your compliance training programs.
  3. You should always use the Guiding Principles of your compliance training program to make decisions.

31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Due Diligence

Most companies fully understand the need to comply with the requirements around third parties, as they represent the greatest risks for bribery and corruption. However, most companies are not created out of new cloth but are ongoing enterprises with a fully up-and-running business. This means they may need to bring resources to bear while continuing to operate an ongoing business. This can be particularly true in performing due diligence on third parties. Many companies understand the need for a robust due diligence program to investigate third parties but have struggled with creating an inventory to define the basis of third-party risk and perform the requisite due diligence required.

It is stated in the 2023 ECCP that: “Risk-Based and Integrated Processes – How has the management of the company’s third-party process corresponded to the nature and level of the enterprise risk identified by the company? How has this process been integrated into the relevant procurement and vendor management processes?”

Getting your arms around due diligence can sometimes be bewildering for the compliance practitioner. The information you gathered in Steps 1-Business Justification and 2-Questionnaire of the third-party management process should provide the initial information to consider the level of due diligence needed. This leads to Step 3 of the third-party management process: due diligence. The 2020 Resource Guide stated, “As part of risk-based due diligence, companies should understand the qualifications and associations of their third-party partners, including its business reputation, and relationship, if any, with foreign officials. The degree of scrutiny should increase as red flags surface.”

Three key takeaways:

1. Risk rank your third parties and use this as a basis for adequate due diligence.

2. Any red flags which appear must be cleared, and there must be documented evidence of such clearance.

3. There must be documented evidence of a review of the due diligence.