Categories
Blog

What is a Root Cause Analysis?

One of the biggest changes in the 2020 FCPA Resource Guide, 2nd edition, is the addition of a new Hallmark, entitled, Investigation, Analysis, and Remediation of Misconduct, which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s compliance program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls on a go-forward basis. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

There are many interesting aspects to this Hallmark, not the least that it begins with “The truest measure of an effective compliance program is how it responds to misconduct.” This builds upon the language found in the “Confidential Reporting and Internal Investigations” Hallmark, which stated, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response.” Now, beyond being properly funded, you must have a “well-functioning mechanism” for the “timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents.”

This clearly mandates that once an allegation or even suspicion comes to the attention of compliance, it must be properly triaged. Your investigation protocol should then kick in with a detailed and effective investigation that is completed in a reasonable time and provides a response to the investigative findings. Moreover, an investigation is not the ending point and should be followed with a robust root cause analysis. This builds upon several sources.

The 2023 ECCP also raised the following questions under “Root Cause Analysis—What is the company’s root cause analysis of the misconduct at issue? Were any systemic issues identified? Who in the company was involved in making the analysis?”

Well-known fraud investigator Jonathan Marks, partner at BDO, defined a root cause analysis as “research based approach to identifying the bottom line reason of a problem or an issue; with the root cause, not the proximate cause the root cause representing the source of the problem.” He contrasted this definition with that of a risk assessment which he said “is something performed on a proactive basis based on various facts. A root cause analysis analyzes a problem that (hopefully) was previously identified through a risk assessment.” He went on to note, “Root cause analysis is a tool to help identify not only what and how an event occurred, but also why it happened. When we are able to determine why an event or failure occurred, we can then recommend workable corrective measures that deter future events of the type observed.”

However, there is no one formula for performing a root cause analysis. One protocol, articulated by Health COMPass, advocates a four-step process which includes:

Step 1: Identify possible causal factors. Using the incident(s) to identify causal factors—things that cause or contribute to the compliance failure. It includes asking such questions as:

• What sequence of events leads to the problem?

• What conditions allow the problem to occur? [e.g., traditional values and practices]

• What problems co-exist with the central problem and might contribute to it? [e.g., lack of health facilities]

• Identify as many causal factors as possible. Start with the problem and brainstorm causal factors for that problem by asking “Why?” The root cause analysis team can also ask themselves (based on their own experience) and stakeholders “why” or “so what” questions to identify causal factors.

Step 2: Identify the root cause. To find root causes—the primary sources of the compliance violation—start with the causal factors and ask why. Root causes are seldom found in the most obvious causes. It is important to dig deeper and continue to ask “Why?” until nearly all responses have been exhausted or roots that seem important to address are reached. There are several useful methods for identifying root causes. One is to construct a root cause tree. Start with the problem and brainstorm causal factors for that problem by asking why. Connect them in a logical cause and effect order until arriving at the root of the problem.

Step 3: Identify communication challenges. Now ask which root causes are challenges that compliance can and should address and which are not. Share findings about other root causes with local authorities and leaders or organizations that might be able to address them.

Step 4: Prioritize compliance challenges. If root cause analysis identifies more than one compliance failure, decide which failure to address first. Rank root causes in order, starting with the main cause. To determine rank, consider:

• The potential impact of addressing the compliance failure. The greater the potential impact, the more important it is to address.

• How difficult it will be to reach the audience associated with the compliance failure.

• The mandate attached to the funding.

• If more than one causal factor is linked to the root cause. When a root cause is the source of multiple causal factors, it indicates that addressing the root cause can have far-reaching effects.

Another approach articulated by Marks is the Five Why’s approach. As he explained “Early questions are usually superficial, obvious; the later ones more substantive.” Borrowing from Six Sigma, the folks at iSixSigma.com believe this approach contemplates that “By repeatedly asking the question “Why” (five is a good rule of thumb), you can peel away the layers of symptoms which can lead to the root cause of a problem. Very often the ostensible reason for a problem will lead you to another question. Although this technique is called “Five Whys,” you may find that you will need to ask the question fewer or more times than five before you find the issue related to a problem.”

To use this approach, iSixSigma.com suggests the following protocol. Begin by writing down the specific problem, which assists you to formulate the issue or problem. Then begin asking, “Why?” Ask why the compliance failure occurred and write the answer down below the problem. But do not stop there; if this first response does not “identify the root cause of the problem that you wrote down in Step 1, ask why again and write that answer down. Loop back to step 3 until the team is in agreement that the problem’s root cause is identified. Again, this may take fewer or more times than five whys.”

Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”

Categories
31 Days to More Effective Compliance Programs

31 Days to a More Effective Compliance Program – Day 27 – Compliance Function in an Organization

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, the 2020 FCPA Resource Guide, 2nd edition, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

This Hallmark was significantly expanded in both the original FCPA Corporate Enforcement Policy and 2023 ECCP. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function, that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

The 2023 ECCP and 2023 Update to the FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically, and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to the compliance position in their organizations.

Three key takeaways:

1. How is compliance treated in the budget process?

2. Has your compliance function had any decisions over-ridden by senior management?

3. Beware outsourcing of compliance as any such contractor must have access to company documents and personnel.


Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Pre-acquisition Risk Assessment

One of the clearest themes from the original 2012 FCPA Resource Guide was the importance of your pre-acquisition work in any M&A on a target company. In the section on Declinations, the 2012 FCPA Resource Guide provided an example of a company that had received a declination in large part because of its pre-acquisition work, which then served as a basis for its post-acquisition remediation. I find it appropriate to think of the process as a straight line, directly from the pre-acquisition phase to closing and then to remediation, integration, and self-reporting in the post-acquisition phase. These same concepts were brought forward in the 2020 FCPA Resource Guide, 2nd edition.

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst-case scenarios. A pre-acquisition risk assessment could also be used as a mechanism through which to view the feasibility of the business strategy and help to value the potential target.

The pre-acquisition risk assessment can be critical in any M&A work for compliance. Use this opportunity to see where the target might stand on compliance. Your risk assessment can evolve as you obtain greater information. Finally, use this pre-acquisition risk assessment as a base document to plan, resource, and budget for your post-acquisition remediation, integration, and reporting.

Three key takeaways: 

  1. One never has enough time to engage in all the pre-acquisition reviews you might want to do, so optimize your time and resources.
  2. Consider what you can review to put together a preliminary risk assessment on the target.
  3. As with most compliance initiatives, you are only limited by your imagination, so if you are limited in time and scope, try something new and different.
Categories
FCPA Compliance Report

Tom Fox on Best Seller TV – The Compliance Handbook, 2nd edition


Ed. Note-I was recently interviewed on Best Seller TV about my book, The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, Second Edition. This video of the interview appears with the permission of Best Seller TV.

On this episode of Best Seller TV, Tom Fox, author of The Compliance Handbook: A Guide to Operationalizing Your Compliance Program, Second Edition, addresses what best practices can be put in place for companies to run more efficiently and generate more profits. Fox, who began working in the compliance industry in 2007, was a lawyer by trade, but felt compelled to switch careers because he saw an opportunity to help make a difference and help corporations be more efficient. Fox says the United Nations estimates that $3 trillion are lost annually to corruption. He saw the opportunity to help corporations build first-class best practice compliance programs by complying with the law and run the business side a lot smoother.

Compliance is setting up systems, processes, and procedures that comply with a law and/or regulation. With laws constantly changing, Fox wrote the second edition of the book to instruct readers on the latest compliance laws that might affect them on a regular basis. Since his first edition in 2018, there has been a 40 percent change in laws, especially after the SEC and the Department of Justice made significant changes to the Foreign Corrupt Practices Act. The pandemic also helped exacerbate many more changes.

The book is for a wide variety of readers, starting with compliance professionals, laying out a blueprint on how to build world-class compliance programs or enhance currently existing programs. The book is also for c-suite and senior executives to help educate them on the benefits of compliance and how to stay out of trouble. The compliance industry has evolved significantly in the last decade or so. Fox adds that right now, the industry is more data-driven and, “When you have data, you can actually improve business efficiency.” He continues to say that the backbone of compliance is internal controls, which are financial controls, but are not often called that. If you look at them from a compliance perspective and tweak them enough to have both controls, you can make enough headroom in making a company run more efficiently, leading to greater profitability.

Categories
Fraud Eats Strategy

Operationalizing Compliance

Today’s episode features special guest Tom Fox, founder of the Compliance Podcast Network and Author of The Compliance Handbook: A Guide to Operationalizing Your Compliance Program. Our discussion focuses on the guidance compliance officers can use as a roadmap when architecting their ethics and compliance programs and anti-bribery and corruption compliance programs.


Join us each week as we take a deep dive into the various forms of fraud across the world and discuss crime families, penny stock boiler rooms, international money launderers, narco-traffickers, oligarchs, dictators, warlords, kleptocrats and more.

Scott Moritz is a leading authority on white-collar crime, anti-corruption, and in the evaluation, design, remediation, implementation, and administration of corporate compliance programs, codes of conduct. He is also considered an authority in the establishment, training, and oversight of the investigative protocols carried out by financial intelligence, corporate security, and internal audit units.
 

Categories
This Week in FCPA

Episode 260 – the Compliance Handbook, 2nd edition


As Tom celebrates the release of The Compliance Handbook, 2nd edition, he and Jay are back to take a look at this week’s top compliance and ethics stories which caught their interest on This Week in FCPA in the Trump Organization Indicted edition.
Stories

  1. The Compliance Handbook, 2nd edition is released. Learn about it here. Purchase it here.
  2. Four ways to update your ABC compliance program right now. Ann-Maire Zell in the FCPA Blog.
  3. John Wood Group DPA with SFO. Tom has a 2-part series on the FCPA Compliance Report. Part 1-deplorable conduct and Part 2-lessons learned.
  4. Alex Cotoia takes a deep dive into the EU Whistleblower Directive in a 4-part series. On Compliance Crime and Corruption.
  5. Emerging trends in 3rd Party Risk Management. Jaclyn Jaeger in Compliance Week (sub req’d)
  6. Mengqi Sun interviews Sherron Watkins in the WSJ Risk and Compliance Journal.
  7. Anti-trust concerns at the Board level. Elizabeth Ising, Stephen Weissman, Cassandra Tillinghast and Chris Wilson in NYU Compliance and Enforcement Blog.
  8. How to avoid buying a FCPA issue. Valerie Charles, Jamen Tyler and Robert Johnston in CCI.
  9. Compliance on the inside v. outside. Amy Landry in CCI.
  10. Compliance officers are disciplinarians (at times). Dick Cassin in the FCPA Blog.

Podcasts and Events

  1. How does history inform compliance? What are the leadership lessons from ancient Greeks and Romans? Find out in this special 10 part podcast series on famous Greeks and Romans from Plutarch’s Lives this week on 12 O’Clock High, a podcast on business leadership, hosted by Richard Lummis and Tom Fox. In Episode 5, they mined Plutarch about the lives of and leadership lessons from the Greek Epaminondas and the Roman Scipio Africanus.
  2. A new month on The Compliance Life! In July I visit with Asha Palmer, CECO at Convercent. In Episode 1, from Claire Huxable to the DOJ.
  3. Tom premieres a new podcast, Greetings and Felicitations. In the inaugural episode, CPN fan fav Dr. Ben Locwin is back to discuss the current state of the Covid-19 pandemic and where we might be headed.
  4. Trekking Through Compliance Returns! Tom reviews all 79 episodes of Star Trek, the Original Series beginning June 1. Each day at 3 PM on the Compliance Podcast Network. This week’s offerings included The Apple, The Doomsday Machine, Catspaw, I, Mudd and Metamorphosis.
  5. On July 13, join K2 Integrity for its Virtual Compliance Conference on Environment, Social, and Governance Compliance Risks for Financial Institutions. Information and Registration here.
  6. Join Tom, Asha Palmer and Stephen Martin for a coming out webinar for The Compliance Handbook, 2nd edition. We will focus on 3rd party risk management. Attendees will receive a special article and offer. Best of all, it’s at no charge. Details and registration here.

Tom Fox is the Voice of Compliance and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.

Categories
Great Women in Compliance

Tom Fox on The Compliance Handbook, 2nd edition


Welcome to the Great Women in Compliance Podcast, co-hosted by Lisa Fine and Mary Shirley.
For those of you who do not know the origin of the Great Women in Compliance podcast, put simply, we are not sure if this podcast would have started without the support and guidance of Tom Fox.  He is known as the Compliance Evangelist and has been that and more to so many in our field.
We have wanted to include him as a guest on the podcast, and this turned out to be the perfect time as he is about to release an update of the Compliance Handbook, 2nd edition (LexisNexis) which pulls off the trick of being a practical how-to guide while also including nuanced analysis of the law and regulations.
Mary and Lisa are both a part of this special interview, where Tom discusses the handbook as well as his experience in building the Compliance Podcast Network and how he keeps up-to-date with so much going on in our space.  He also discusses what advice he would give to new compliance practitioners.
Listeners to this podcast can receive a presale discount of 25%. Use the code FOX25 for the presale discount and go here for more information and to order The Compliance Handbook, 2nd edition. It will be available in both print and eBook editions. It will be published in April 2021.
 
You can subscribe to the Great Women in Compliance podcast on any podcast player by searching for it and we welcome new subscribers to our podcast.
Lisa and Mary have extended the Great Women in Compliance brand to the book “Sending the Elevator Back Down: What We’ve Learned from Great Women in Compliance” (CCI Press, 2020) which can be found on Amazon and features valuable wisdom and advice from Great Women in Compliance across the world.
If you’ve already read the book and liked it, will you help out other women to make the decision to leverage off the tips and advice given by rating the book and giving it a glowing review on Amazon?
As always we are so grateful for all of your support and if you have any feedback or suggestions for our 2021 line up, or would just like to reach out and say hello, we always welcome hearing from our listeners.
Join the Great Women in Compliance community on LinkedIn here.

Categories
FCPA Compliance Report

Mike DeBernardis on 2020 Update to the Evaluation of Corporate Compliance Programs and FCPA Resource Guide, 2nd edition


In this episode, I am joined by Mike DeBernardis, Counsel at Hughes Hubbard, in the firm’s Washington office and a member of the firm’s Anti-Corruption and Internal Investigations and White Collar & Regulatory Defense practice groups. He represents corporate and individual clients in criminal, civil and administrative enforcement matters, including matters involving the Foreign Corrupt Practices Act and securities and accounting fraud. In this episode we take a deep dive into the DOJ’s 2020 Update to the Evaluation of Corporate Compliance Programs and DOJ and SEC FCPA Resource Guide, 2nd edition.
Some of the highlights include:

  1. What were the top changes DeBernardis observed in the 2020 Update to the Evaluation of Corporate Compliance Programs?
  2. What were the top changes for you in the FCPA Resource Guide, 2nd edition?
  3. How should one read the Resource Guide, 2nd edition, with the 2020 Update? In conjunction, separately or in some other way?
  4. Is there any significance to the two documents being released so close together in time?
  5. Should you advise clients to do anything different because of these documents?
Categories
Why a Duck

FCPA Resource Guide, 2nd Edition


From Vaudeville to the Silver Screen to the Small Screen, the Marx Brothers made an impact wherever people found them. Now Tom Fox and Mike Volkov have wedded their love of the Marx Brothers with their passion for compliance and bring them into the boardroom to help explain and explore the sometimes-chaotic world of governance, risk-management, ethics and compliance. In this episode Volkov and Fox consider the recently released FCPA Resource Guide, 2nd edition. Highlights from the podcast include:
  1. Is the 2nd edition an update or replacement?
  2. Why was it released now?
  3. What takes precedence: the 2nd Edition or the Evaluation of Corporate Compliance Programs?
  4. What is new in the 2nd Edition?
  5. What are the significant changes from the original FCPA Resource Guide?
  6. The FCPA Resource Guide is the best one volume on all things FCPA. It is a must have for every compliance professional.
Resources
Mike Volkov
Part 1-Introduction
Part 2-New Case Updates
Part 3-Updated DOJ Policies
Part 4-Legal Issues and Clarifications
Part 5-Effective Compliance Programs and Internal Controls
Tom Fox
Part 1-The New Hallmark
Part 2-FCPA Corporate Enforcement Policy
Part 3-the Accounting Provisions
Part 4-DOJ Policy and Case Law Updates
Part 5-Final Thoughts

Categories
This Week in FCPA

Episode 213 – the Second Edition edition


The DOJ/SEC drop the 2nd edition to the FCPA Resource Guide at 5 PM on July 2. As Tom and Jay brave the surge in covid cases to stay safe they are back to look at top compliance articles and stories which caught their eye this week.

  1. FCPA Resource Guide, 2nd edition released. Tom takes a deep dive in a 5-part blog post series on the FCPA Compliance and Ethics Blog. Part 1-The New Hallmark, Part 2-FCPA Corporate Enforcement Policy, Part 3-the Accounting Provisions, Part 4-Policy and Case Law Updates, Part 5-What does it all mean? Jonathan Marks on Board and Fraud. Tom and Matt Kelly in Compliance into the Weeds.
  2. After its FCPA settlement, Novartis pays another $678MM for corruption inside the US. Mike Volkov in Corruption Crime and Compliance.
  3. A plan to restore trust in South Africa ABC enforcement. Larry Kirsch guest posts in GAB.
  4. A reassessment of due diligence in China? Jenny Liang opines in the FCPA Blog.
  5. Venezuela can’t get its gold out of England. Jon Rausch in Dipping Through Geometries.
  6. Amazon settles OFAC sanctions enforcement action. Mengqi Sun in the WSJ Risk and Compliance Journal.
  7. How can you make a risk management committee effective? Jim DeLoach shows the way in CCI.
  8. Is Deutsche Bank the world’s most corrupt? Matt Kelly digs in on Radical Compliance.
  9. Going from disaster recovery to business continuity? Carrie Penman in Ethics and Compliance Matters.
  10. On Compliance and Coronavirus, I was joined this week by Paul Mueller on how to reset, restart and accelerate your business in the era of Coronavirus; Ian Denis on employment and communication during Covid-19 and Breeda Miller on caregiving in the era of Covid-19.
  11. On the Compliance Podcast Network, Tom started the topic of 3rd party risk management this month. This week saw the following offerings: Monday-Questionnaire; Tuesday-Due Diligence; Wednesday-levels of DD; Thursday-evaluating DD and clearing red flags; and Friday-compliance terms and conditions. The month of July is being sponsored by Affiliated Monitors. Note 31 Days to a More Effective Compliance Program now has its own iTunes channel. If you want to binge out and listen to only these episodes, click here.
  12. Great Upcoming Webinars:

Navigating the Risks of Prescribing Opioids for Chronic Pain in the COVID-19 Era, Jul 22, 2020 12:00 PM in Eastern Time (US and Canada); with Jesse Caplan, Deb Waugh and Amy Fogelman, M.D. Registration and Information here.
Computer Say ‘No’: Mitigating Legal & Ethical Risks in Public Agency Use of Automated Decision-Making Tools, Jul 28, 2020 12:00 PM in Eastern Time (US and Canada); with David Shonka, Mikhail Reider-Gordon and Jonathan Redgrave. Registration and Information here.
ECI’s Best Practice Forum, a Q&A Session with Brian Rabbitt, Acting Assistant Attorney General for the Criminal Division on the FCPA Resource Guide, 2nd edition, Thursday, July 30 2:00 – 4:00 p.m. EDT. Registration and Information here.
Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.