Tag: 31 Days to a More Effective Compliance Program

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Specific Benefits of a Hotline: A Case Study

Is your hotline working for you? In an article, entitled, Promoting Effective Use of the Company Compliance Hotline, José Tabuena provided an excellent example of the power of a hotline. He provided a case study of a company that had not integrated its IT function into its regular compliance and ethics training programs. As such there were zero calls into the hotline by IT employees. This dynamic was changed and IT was integrated into the company’s regular compliance and ethics training. Thereafter, the hotline received several calls from IT employees indicating that there were two major areas of complaints.

The favoritism problem. HR led an investigation that included questioning all IT managers about their direct reports and employees of their unit. The company determined that there was only one instance of a manager hiring a family member (a brother-in-law), but that person did not report to the manager and was in a different section of the IT organization. This finding made clear that there were misperceptions in the IT department, which affected the department’s morale.

Manipulation of data for bonuses. The company used the hotline to obtain more information from the callers on “isolating the metrics and the managers in question.” It was determined that the bonuses of a select few IT managers were indeed influenced by a questionable data source, which was controlled by a non-manager with minimal oversight and controls.

Basic tenets of an effective hotline. This case study provided three key tenets of an effective internal reporting system:

• First, a helpline is of no value if the workforce is not aware of it.

• Second, the ethics and compliance office obtained support from the Chief Information Officer (CIO) which likely influenced the success of the training and communications delivered by the ethics and compliance staff.

• Third, the awareness of the helpline is not sufficient to ensure success as you must make sure that issues and allegations are addressed and investigated.

This case study demonstrates the power of a hotline. The company’s Compliance Department “established the credibility of the helpline as a resource to raise issues and report misconduct.

 Three key takeaways:

1. Hotlines can be powerful tools for the compliance professional.

2. Simply because you have no hotline complaints does not mean you do not have any compliance or ethics issues that need review and resolution.

3. Adequate follow-up is a key part of overall hotline effectiveness.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Advantages of an Internal Reporting System

While it is clear that the government expects companies to have an internal reporting system, there are benefits far beyond putting you in the government’s good graces. Companies with a more robust internal reporting system generated more reports. Dr. Welch found a group of companies he termed “power users”, which were high-level users of whistleblower reporting systems who had more activity than the average entity. These “power user” companies have several interesting characteristics. First, they are typically firms with higher quality earnings reporting. They are more profitable entities. Finally, these “power user” companies were firms with higher quality governance, as rated by the Entrenchment Index, which is used to measure how entrenched management is in a company.

Conversely, companies which were observed to be a more limited user of whistleblower reporting systems are companies that were seen to have poor governance. They are more prone to financial accounting issues, such as discretionary accruals, which could prove problematic. These tend to be smaller and less mature firms. Their overall compliance programs were generally not seen as robust or as effective as those in larger, more mature organizations. Finally, these firms, probably because they were smaller and less mature, are more prone to extreme growth and the problems associated with trying to scale up quickly.
All of this points to one unmistakable conclusion, a robust whistleblower reporting system facilitates a company’s resolution of problems before they become major problems or legal violations bringing the Securities and Exchange Commission (SEC) or DOJ calling.

Three Key Takeaways

  1. Companies with a robust whistleblower and reporting system had greater profitability and workforce productivity as measured by Return on Assets.
  2. There were fewer material lawsuits brought against the company overall and there were lower settlement costs if a lawsuit did occur.
  3. There were fewer external whistleblower reports to regulatory agencies and other authorities.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Reporting and Investigations – Introduction

The call, email, or tip comes into your office; an employee reports suspicious activity somewhere across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, how the company will respond. This chapter will provide you with the steps you will need to consider going forward.
This chapter will detail the two parts; internal reporting and investigations. It would seem axiomatic that organizations understand the benefits of having an internal reporting system, whether it is called a hotline, helpline, or something else. Just as plainly, a company should understand the need for effective investigations after a report comes in which might lead to a potential violation.

Three key takeaways:

  1. A robust internal reporting system will be one of the key indicia the DOJ considers.
  2. Hotline reporting can bring a visibility to problems.
  3. Hotline reports must be treated fairly and justly.
Categories
31 Days to More Effective Compliance Programs

Day 21 – Continuous Improvement in a Compliance Program

The 2020 Update was clear about the need for continuous improvement in any compliance program. It succinctly stated, “One hallmark of an effective compliance program is its capacity to improve and evolve. Implementing controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure it is not stale.”

Continuous improvement through monitoring or similar techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based on new and updated best practices specified by regulators. A compliance program is, in many ways, a continuously evolving organism, just as your company is. It would be best to build a way to keep pace with the market and regulatory changes to have a truly effective anti-corruption compliance program.

 Three key takeaways:

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different yet complimentary tools for continuous improvement.
  3. Cultural assessment and monitoring are also now required as well.
Categories
31 Days to More Effective Compliance Programs

Day 20 – Responding to Investigative Findings

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the Board of Directors and senior management’s attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations, “We are an ethical company.” However, it may be time for a very serious reality check.

 

You may find yourself in a position where you will have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. In an interview with Russ Berland, he noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “tricky because you get your fifteen minutes to get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

Three key takeaways:

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. Be prepared to deal with the dreaded “where else” question.
Categories
31 Days to More Effective Compliance Programs

Day 19 – Your Investigation Protocol

After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it promptly, thoroughly, and with competent personnel. In the 2020 Update, provided these series of questions about your internal investigations:

Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?

 Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?

 Resources and Tracking of Results – Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the hotline’s effectiveness, for example, by tracking a report from start to finish?

In a presentation, Jay Martin, retired Chief Compliance Officer at Baker Hughes, and Jacki Trevino, Senior Director of Advisory Services Group at SAI Global Limited, discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up, and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations in a clear, concise, and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document” not only the steps you took but why and the outcome obtained.

Three key takeaways:

  1. A written protocol, created before an investigation, is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.
Categories
31 Days to More Effective Compliance Programs

Day 1 – What 2022 Brought To Compliance Programs

Welcome to a special podcast series on the Compliance Podcast Network, 31 Days to a More Effective Compliance Program. Over these 31 days series in January 2023, I will post a key part of a best practices compliance program daily. By the end of January, you will have enough information to create, design or enhancement a compliance program. Each podcast will be short, at 6-8 minutes, with three key takeaways you can implement at little or no cost to help update your compliance program. I hope you will plan to join each day in January for this exploration of best practices in compliance.

2022 was a very significant year for every compliance practitioner and compliance program. While there was a paucity of corporate FCPA enforcement actions, three actions were significant, with multiple lessons for the compliance professional. In ABB, we learned about the costs of a corrupt culture and recidivism. In Glencore, we saw what happens to a company that engages in worldwide systemic bribery and corruption. Finally, in Stericycle, the company had a culture of corruption burned into the DNA of the LATAM business unit, which was so thorough that it was documented via bribery spreadsheets and analysis of revenue based on payments of bribes in LATAM. Yet even with this corrupt culture, the Stericycle enforcement action demonstrated how a company could take advantage of the discounts available under the FCPA Corporate Enforcement Policy by extensive cooperation and remediation during the pendency of the FCPA investigation, as the company obtained a 25% reduction off the bottom of the applicable US Sentencing Guidelines fine range.

September saw the announcement of a significant refinement of Department of Justice (DOJ) enforcement policies on the Foreign Corrupt Practices Act (FCPA) enforcement and corporate compliance programs. It was encapsulated in the Monaco Memo and a speech by Deputy Attorney General Lisa Monaco announcing the Monaco Doctrine. There was additional commentary by Principal Associate Deputy Attorney General Marshall Miller in a speech and by Assistant Attorney General Kenneth A. Polite. Every compliance professional should know them in detail as they significantly turn the heat up on corporate compliance programs. The Monaco Memo is further clarification and guidance for line prosecutors when considering whether to put a monitor in place. While we have seen these factors in a disparate manner, in disparate places, here they are in writing. Perhaps the greatest significance is that the Memo sets down all these matters in writing, which leads to a blueprint for DOJ thinking and a roadmap for anyone who finds themselves in an FCPA investigation or enforcement action. Finally, the Monaco Memo cemented the new DOJ requirement for CCO certification of compliance programs at the end of a resolution.

The final key event for compliance in 2022 was very much under the radar. The DOJ hired Matt Galvan to help develop data analytics expertise and capability for the FCPA Unit and the Fraud Section. Galvan was most recently the CCO at AB InBev and perhaps the top compliance professional in data analytics for a corporate compliance program. It will be most interesting to see where Galvan and the DOJ take this initiative, but it does portend the increasing use of data analytics in FCPA enforcement and compliance.

 Three key takeaways:

1. Key FCPA cases in 2022 were Glencore, ABB, and Stericycle.

2. The Monaco Memo refocused the DOJ’s efforts on FCPA and other white-collar crime and put the heat on compliance programs.

3. The DOJ’s hiring of Matt Galvan will focus on the DOJ’s expertise in data analytics and their employment in compliance programs.

Categories
Blog

Introducing the January 2022 Podcast Series – 31 Days to a More Effective Compliance Program

I have always striven to provide my readers and listeners with the most up-to-date information on what goes into a best practices compliance program. To that end, beginning January 1, and for the next 31 days, I will be exploring the best way to more fully operationalize a compliance program using these resources. The podcast series will provide the compliance practitioner with a thorough grounding in the key aspects of a best practices compliance program based on the latest information from the regulators. Each day I will highlight a new topic based upon the information we learned on compliance programs in 2021. If you are starting out to design, create and implement a best practices compliance program, this series will give you the basics. If you are looking for the most current thinking on how to enhance your compliance program, this series will also benefit you as well.
I hope you will join me as we engage in 31 days to a more effective compliance program. It will be available on the FCPA Compliance Report, iTunes, YouTube and JDSupra.