Categories
FCPA Compliance Report

FCPA Compliance Report: Evie Wentink on Making Compliance Training Practical

Welcome to the award-winning FCPA Compliance Report, the longest running podcast in compliance.

In this edition of the FCPA Compliance Report, Tom Fox has a fascinating visit with Iveta (Evie) Wentink, a 15-year compliance veteran. Evie has worked in the public and private sectors and has expertise in compliance training, hotlines, government contract compliance, data privacy, reporting, & due diligence.

Evie has one of the most unique opening lines for hotline training, which is ‘Do You Know Your Hotline Number?’ This simple yet incredibly important question encapsulates Evie’s approach to compliance training: make it simple, direct, and practical for the listeners. (Or, as Carsten Tams would say, ‘It’s all about the UX’).

Our conversation focuses on the critical role of hotline numbers in corporate compliance programs, emphasizing the need for employees to know and trust the hotline. Evie shares insights from her career, highlights the significance of marketing compliance hotlines effectively, and discusses the broader culture of compliance and non-retaliation in organizations. She shares practical tips for improving hotline awareness and usage, making this episode a valuable resource for compliance professionals and organizations alike.

Highlights in this Episode:

  • Enhancing Trust through Active Compliance Reporting
  • Promoting Reporting Culture Through Creative Marketing
  • Ethical Culture: Encouraging Compliance Reporting Safely
  • Enhancing Compliance Programs Through Anonymous Hotlines

Resources:

Evie Wentink on LinkedIn

Evie’s Top 10 Compliance Back to Basics

Tom Fox: Instagram, Facebook, YouTube, Twitter, LinkedIn

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

Categories
Compliance Into the Weeds

Compliance into the Weeds: Sustainability and Managing 3rd Party Risk

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into a recent report by Prevalent on Third Party Risk Management in 2024 and Microsoft’s 2024 Environmental Sustainability Report.

Tom and Matt discuss the challenge companies face in aligning their sustainability goals with their supply chain management. They question whether sustainability functions within a company have the authority to influence supply chain decisions, such as rejecting suppliers that do not meet sustainability criteria.

We discuss the Microsoft Report, noting that while the company acknowledges it has not yet achieved the ability to reject non-compliant suppliers, it suggests a target of improvement by 2030. The core issue highlighted is whether sustainability initiatives will have significant influence over supply chain decisions in the future.

Key Highlights:

  • Intersection of Supply Chain Risk Management and Sustainability
  • The Role of Sustainability in Supply Chain Decisions
  • Microsoft’s Journey Towards Sustainable Supply Chain Management
  • The Energy Industry Model

Resources:

Matt on Radical Compliance

Tom: Instagram, Facebook, YouTube, Twitter, LinkedIn

Categories
Compliance Week Conference Podcast

Compliance Week 2024 Speaker Preview Podcasts – Rodney Campbell on Managing 3rd Parties

In this episode of the Compliance Week 2024 Speaker Preview Podcasts series, Rodney Campbell discusses his presentation at Compliance Week 2024, “Empowering TPRM Compliance: Transformative Strategies in Third-Party Risk Management.” Some of the issues he will discuss in this podcast and his presentation are:

  • Why managing third parties is a critical element in your TPRM program
  • Leveraging your business unit to help manage third parties
  • New ideas for the compliance program from Compliance Week 2024

I hope you can join me at Compliance Week 2024. This year’s event will be held April 2-4 at The Westin Washington, DC, Downtown. The line-up for this year’s event is first-rate, with some of the top ethics and compliance practitioners around.

Gain insights and make connections at the industry’s premier cross-industry national compliance event, offering knowledge-packed, accredited sessions and take-home advice from the most influential leaders in the compliance community. Back for its 19th year, the event brings together 500+ compliance, ethics, legal, and audit professionals, who will gather safely face-to-face to benchmark best practices and gain the latest tactics and strategies to enhance their compliance programs. Among many other things, attendees can:

  • Network with your peers, including C-suite executives, legal professionals, HR leaders, and ethics and compliance visionaries.
  • Hear from 80+ respected cross-industry practitioners who are CEOs, CCOs, regulators, federal officials, and practitioners to help inform and shape the strategic direction of your enterprise risk management program.
  • Hear directly from panels on leadership, fraud detection, confronting regulatory change, abiding by cross-border rules and regulations, and the always-favorite fireside chats.
  • Bring actionable takeaways to your program from various session types, including cyber, AI, Compliance, Board obligations, data-driven compliance, and many others, for you to listen, learn, and share.
  • Compliance Week aims to arm you with information, strategy, and tactics to transform your organization and career by connecting ethics to business performance through process augmentation and data visualization.

I hope you can join me at the event. For information on the event, click here. As an extra benefit to listeners of this podcast, Compliance Week is offering a $200 discount on the registration price. Enter the discount code TFOX2024 for $200 off.

The Compliance Week 2024 Preview Podcast series is a production of the Compliance Podcast Network. Compliance Week is the sponsor of this series.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 17 – Policies for Third-Parties

As every compliance practitioner is well aware, third-parties still present the highest risk under the FCPA. The DOJ 2023 ECCP devotes an entire prong to third-party management. It begins with the following: A well-designed compliance program should apply risk-based due diligence to its third-party relationships. Although the degree of appropriate due diligence may vary based on the size and nature of the company or transaction, prosecutors should assess the extent to which the company has an understanding of the qualifications and associations of third-party partners, including the agents, consultants, and distributors that are commonly used to conceal misconduct, such as the payment of bribes to foreign officials in international business transactions.

This set of queries makes clear that the DOJ expects an integrated approach that is operationalized throughout the company. This means your compliance program must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party management: 1) business justification; 2) questionnaire to third-party; 3) due diligence on third-party; 4) compliance terms and conditions, including payment terms; and 5) management and oversight of third parties after contract signing.

I continually give my mantra of compliance, which is “Document, Document, and Document.” Each of the steps you take in the management of your third parties must be documented. Not only must they be documented, but they must be stored and managed in a manner that lets you retrieve them with relative ease. The management of third parties is absolutely critical in any best practices compliance program.

Three key takeaways:

  1. Use the full five-step process for third-party management.
  2. Make sure you have Business Development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
Blog

Building a Stronger Culture of Compliance Through Targeted and Effective Training: Part 4 – A Training Program for 3rd Parties

Welcome to a special 5 part blog post series on building a stronger culture of compliance through targeted and effective training, sponsored by Diligent. Over this series I will visit with Kunal Agrawal, Director of Customer Success at Diligent; Kevin McCoy, Customer Success Manager at Diligent; Jessica Czeczuga, a Principal Instructional Designer; Andrew Rincon, Global Accounts Management Advisor at Diligent; and David Greenberg, former CEO and Special Advisor at LRN and Director at International Seaways. Over this series, we will consider the importance of ongoing communications, the value of targeted training, training third-parties, and the role of the Board of Directors. In this Part 4, we discuss how to put together a training program for third parties with Andrew Rincon.

In today’s global business landscape, third-party compliance training is more crucial than ever. Ensuring that your organization’s distributors, vendors, and other third-party affiliates adhere to necessary regulations can minimize legal and financial risks, protect your company’s reputation, and foster a culture of ethical business practices. As compliance professionals responsible for training these third parties, it’s essential to stay informed about cutting-edge strategies and techniques for effective risk management. This blog will explore practical steps that can be implemented to improve your third-party compliance training and due diligence processes, allowing you to uphold your organization’s regulatory standards and contribute positively to the industry. Here are the steps to improve third-party compliance training and due diligence processes:

1. Assess third-party risk during onboarding.

2. Utilize micro training videos for efficiency.

3. Customize training materials for specific regions.

Assess third-party risk during onboarding. Performing due diligence on third parties and assessing third-party risk is not a ‘one size fits all’ process. This critical step allows organizations to identify high-risk distributors, vendors, and other third parties that may pose potential threats to the business in terms of bribery, corruption, and other regulatory violations. By conducting a thorough risk assessment, organizations can effectively mitigate these risks and ensure that they are partnering with ethical and responsible businesses, ultimately fostering a strong culture of compliance throughout their sales or supply chain ecosystem. Moreover, such an approach is critical throughout the lifecycle of the relationship. Rincon emphasized the importance of proactive ongoing due diligence measures, such as automated screenings and monitoring, sending out attestations, and conducting regular training courses.

Effectively educating resellers, agents, distributors, and other third parties on compliance policies and expectations is critical, and its importance cannot be overstated. Providing proactive training not only helps in preventing compliance violations but also demonstrates to regulators your organization’s commitment to maintaining high ethical standards. This, in turn, can mitigate penalties in case of inadvertent violations and foster a trust-based relationship with regulatory authorities. By adopting these practices and leveraging technology to automate certain processes, organizations can ensure that they are partnering with ethical third parties, minimize their exposure to regulatory risks, and foster a strong culture of compliance across their entire network. By doing so, they not only protect their businesses from potential harm but also contribute to a more transparent and ethical global marketplace.

Utilize micro training videos for efficiency. In the field of compliance, training third parties remains a critical aspect of managing and mitigating risks associated with regulatory and legal frameworks such as the Foreign Corrupt Practices Act (FCPA). With the increasing need for efficient and effective compliance processes, it becomes essential for compliance professionals to employ innovative strategies to achieve their objectives while minimizing disruptions to business operations. By leveraging micro training videos, companies can ensure that their distributors and internal client gatekeepers receive consistent and easily digestible information, enhancing their understanding of compliance policies and expectations.

Rincon said that by breaking down complex topics into easily understandable portions, micro training videos enable organizations to communicate the essential aspects of their compliance policies and expectations in a concise and engaging manner. Through the ability to cater to different audiences, these training resources contribute to a more comprehensive approach towards addressing third-party risk. The adoption of micro training videos as a tool for third-party compliance education serves an essential purpose for compliance professionals. By incorporating this method, companies can enhance their third-party risk management processes and ensure that their partners are aware of the applicable legal and regulatory frameworks. This leads to improved adherence to compliance policies, reduced likelihood of violations, and overall risk mitigation.

Customize training materials for specific regions. Effective third-party compliance training often involves the customization of training materials for specific regions. This ensures that the training is relevant, relatable, and impactful for third parties, taking into account regional differences, languages, and sensibilities. Customizing training materials also fosters a deeper and more nuanced understanding of the compliance policies and expectations towards each party, thereby mitigating the risks associated with inadequate understanding or implementation of compliance standards. Furthermore, cultural sensitivities and regional variations can be taken into account when designing training, ensuring a more engaging and effective learning experience for the target audience.

Rincon said micro-training video shorts can be easily customized for different regions and translated into multiple languages. With such versatile tools, compliance professionals can promote clear and concise messaging to their third-party partners, thus reinforcing the importance of compliance policies and due diligence throughout the duration of the business relationship. Customizing compliance training materials for specific regions not only makes the training more effective, engaging, and relevant but also supports robust risk management and streamlined third-party due diligence processes.

For compliance professionals dedicated to training third parties, the effectiveness of your compliance and due diligence processes plays a significant role in safeguarding your organization from potential risks. The steps discussed, including customizing training materials for specific regions, educating agents, resellers, distributors, and other business partners on compliance policies, and using technology to track irregularities, can greatly enhance your efforts to ensure that your third parties meet and maintain compliance expectations. With diligent application of the guidance provided, you can foster a well-informed and compliant network of third parties, ultimately ensuring your organization’s ongoing success.

For more information go to http://diligent.com/compliancetraining.

Join us tomorrow where we review the role of the Board of Directors in a compliance regime.

Categories
Innovation in Compliance

Building a Stronger Culture of Compliance Through Targeted and Effective Training: Part 4 – A Training Program for 3rd Parties

Welcome to a special 5 part podcast series on building a stronger culture of compliance through targeted and effective training, sponsored by Diligent. Over this series, I will visit with Kunal Agrawal, Director of Customer Success at Diligent; Kevin McCoy, Customer Success Manager at Diligent; Jessica Czeczuga, Director, Compliance and Ethics at Diligent; Andrew Rincón, Client Director at Diligent; and David Greenberg, former CEO and Special Advisor at LRN and Director at International Seaways. Over this series, we will consider the importance of ongoing communications, the value of targeted training, training third parties, and the role of the Board of Directors. In this Part 4, we discuss how to put together a training program for third parties with Andrew Rincón.

Join Tom Fox in an exciting episode about building a stronger culture of compliance through targeted and effective training as he interviews Andrew Rincón. Discover how the compliance industry has evolved and how technology has significantly improved compliance programs. Find out how efficient compliance processes create goodwill for compliance professionals and make them true partners of the business with the help of technology and reliable due diligence partners. Andrew Rincón shares Diligent’s screening and monitoring options for third-party suppliers and the customized anti-bribery and anti-corruption training, available in multiple languages, also perfect for bite-sized, animated micro-learnings. Tune in to learn how to educate distributors and internal gatekeepers on compliance and useful resources for compliance professionals, only on a training program for 3rd parties.

Highlights Include:

  • The Role of Compliance with Distributors
  • Efficient Due Diligence for Distributors
  • Diligent’s Anti-Bribery and Sanctions Screening Solutions
  • Compliance Training & Internal Controls for Distributors

Notable Quotes:

“And commission sales agents are certainly recognized as, if not the highest, a high risk, under the FCPA and other compliance regimes.”

“One area the thinking has evolved on, and it sounds like your career and my career, is that due diligence alone is insufficient.”

“So being as efficient as a process. And nowadays, everything moves at the speed of light.”

“But nowadays, with the amount of information that gets published every single day throughout the world, where there’s so much content out there.”

For more information, go to Diligent.com

Join us tomorrow as we conclude our series with a look at the role of the Board of Directors in a compliance program.

Categories
FCPA Compliance Report

FCPA Compliance Report – Brad Hibbert on Prevalent’s 2023 3rd Party Risk Management Report

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. Today, Tom visits Brad Hibbert, COO/CSO at Prevalent, as they discuss the surprising findings of Prevalent’s annual third-party risk management study. Discover why so many organizations still rely on spreadsheets and manual processes for managing third-party risks. Brad recommends an integrated approach to third-party risk management that considers the entire lifecycle of the relationship with third parties.

The podcast highlights the top five key findings of the report, including data breaches as the top concern, security driving the program, and the increased involvement of IT in the process. Learn how to minimize cyber exposure and risks associated with third-party management by breaking down silos, automating processes, and focusing on reducing risks associated with third parties. Listen to Brad’s practical advice on how to prioritize risks and plan your risk management program and visit prevalent.net for more compliance mandates and best practices. With exciting insights and actionable advice, this podcast is a must-listen for anyone interested in managing third-party risks.

Key Highlights:

  • Prevalent’s annual third-party risk management study
  • Integrated Third Party Risk Management
  • Top Challenges for Organizations in Data Security
  • Third Party Risk Management Survey and Findings
  • Minimizing Cyber Breaches
  • Effective Response to Breaches and Third-Party Programs
  • Managing Business Risks for Compliance

Notable Quotes:

“The top concern driving third-party risk management programs is security, with 71 percent indicating it as their main priority.”

“Data breaches continue to be a top concern, with 41 percent of the respondents indicating that they were impacted by a third-party data breach in the last 12 months and had to perform some remedial activity.”

“About 70 percent reported increased involvement from the IT group, while 71 percent indicated that infosec owns the program.”

“Identifying and mitigating risks before the company is impacted.”

“Customs put together this enforcement dashboard that contains all of these statistics on how they’ve been enforcing the UFLPA.”

Resources

Brad Hibbert on LinkedIn

Prevalent

3rd Party Risk Management Report

Tom Fox: Instagram, Facebook, YouTube, Twitter, LinkedIn

Categories
Innovation in Compliance

Improving Third-Party Risk Management with Paul Valente

In today’s interconnected world, businesses rely on third-party vendors for various products and services. While these partnerships bring great benefits, they also expose companies to a range of risks such as cyber threats, compliance issues, and reputational damage. In this episode, Tom Fox interviews Paul Valente, the co-founder and CEO of VISO Trust. Paul shares valuable insights into how businesses can mitigate risks posed by third-party vendors, the importance of continuous monitoring, and how VISO Trust’s platform helps companies manage risks effectively.

Paul Valente is the CEO and co-founder of VISO Trust, a company that provides automated third-party cyber risk management solutions. Prior to founding VISO Trust, Paul was the Chief Information Security Officer (CISO) at several companies, including Restoration Hardware, Lending Club, and ASAPP. He is a longtime technologist and security professional with experience in highly regulated industries.

 

You’ll hear Tom and Paul talk about:

  • Companies have more sensitive data on other companies’ infrastructure than they do internally, which increases risk and augments the need for a robust risk management strategy.
  • Boards have a duty of oversight to proactively monitor their third-party risk management programs. They should also keep abreast of emerging threats.
  • Automation is a key component in a third-party risk management solution for cybersecurity. The standard approach of using questionnaires to assess third-party security is slow, labor-intensive, and ineffective.
  • VISO Trust’s patented first-to-market Document Intelligence removes friction for vendors and provides a comprehensive risk assessment that tells customers everything they need to know to make qualified risk decisions about their third-party relationships.
  • Compliance requires auditability.
  • How VISO Trust helps companies manage risk after the contract is signed.
  • Risk management and cybersecurity data is often siloed within an organization. VISO Trust helps centralize the information by providing a dashboard where customers can have a complete understanding of their overall third-party risk, and allowing them to make that data available across the organization.

KEY QUOTES:

“There’s companies today that have nothing internally – that are 100% cloud native. What that means typically is that there’s many copies of their data essentially with various other companies, perhaps all over the world… That just increases what we call a tax service … which just means more risk.” – Paul Valente

 

“I think [boards] need to be asking essentially what the risks are for their organization from a cybersecurity standpoint. They need to ask for those to be regularly reported on, regularly updated, and regularly tracked. …They also need to be aware themselves, both externally as well as relying on the executives within the company to keep them aware of emerging threats.” – Paul Valente

 

“…our dashboards essentially allow you to list all of your third-party relationships in one single place and easily report on the status of assessments as well as report on inherent risk.” – Paul Valente

 

Resources:

Paul Valente on LinkedIn | Twitter

VISO Trust

Categories
31 Days to More Effective Compliance Programs

Third-Parties as Compliance Innovation Partners

It is universally recognized that third parties are your highest FCPA risk. Could you turn your third party from liability under the FCPA to an innovation partner for your compliance program? This is an area that only a few compliance professionals have mined, but once again, in compliance, you are only limited by your imagination. In a Supply Chain Management Review article by Jennifer Blackhurst, Pam Manhart, and Emily Kohnke, entitled “The Five Key Components for Supply Chain Innovation,” the authors identified five components common to the most successful innovation partnerships. They are:

Don’t settle for the status quo. This means you should not settle for simply the status quo in compliance.

Hit the road to hit your metrics. To understand your compliance risk from third parties, you must get out of the ivory tower and hit the road.

Send prospectors, not auditors. While an audit clause is critical in any third-party contract, from a commercial and FCPA compliance perspective, you can establish a “point of contact as an innovation manager for your third parties.”

Show and tell. As with all relationships, trust plays an important role in third-party compliance innovation, as “Firms in successful innovations discussed a willingness to share resources and rewards and to develop their partners’ capabilities.”

Who’s running the show? This means “who is doing what, but also what each firm is bringing to the relationship regarding resources and capabilities.”

Three key takeaways:

  1. Use your third parties as innovators to assist your compliance program.
  2. Change your thinking about third parties and make them your partners.
  3. Do not settle for the status quo.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Ongoing Monitoring of 3rd Parties

One of the key themes in the Evaluation of Corporate Compliance Programs is the use of data and data analytics in a best practices compliance program. This has specific application to third-parties. In the section entitled “Risk-Tailored Resource Allocation,” the following question was posed: “Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors?” Under the section entitled “Control Testing,” the following question was posed: “Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third parties does the company undertake?” Finally, under the section entitled “Payment Systems” was the following query: “How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?”

All of these questions make clear that the DOJ expects data analytics to be used to help detect or prevent bribery and corruption where the primary sales force used by a company is third-parties. A clear majority of FCPA violations and related enforcement actions have come from the use of third-parties. While sham contracting (i.e., using a third-party to channel the payment of a bribe) has lessened in recent years, there are related data analyses that can be performed to ascertain whether a third-party is likely performing legitimate services for your company and is not a sham. There are several more complex analytics that can be run in combination to identify suspicious third-parties, and some of the simplest can be to look for duplicate or erroneous payments. This final concept of finding patterns that can be discerned through the aggregation of huge amounts of transactions is the next step for compliance functions. Yet data analysis does far more than simply allow you to follow the money. It can be a part of your third-party ongoing monitoring as well by allowing you to partner the information on third-parties who might come into your company where there was no proper compliance vetting. Such capabilities are clearly where you need to be heading.

Three key takeaways:

  1. Always remember to follow the money to see where a pot of money could be created to fund a bribe.
  2. Transaction monitoring techniques around fraud monitoring translate to data analysis for compliance.
  3. Do not forget to check names against known PEP and SDN lists.