Category: Compliance Into the Weeds

Lessons from the Biotronik Anti-Kickback Enforcement Action

Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. In this episode, we take a deep dive into the recent settlement by Biotronik with the DOJ over allegations of violations of the Anti-Kickback Statute. Highlights include:

  • Background facts.
  • Training programs as cover for bribes.
  • What is lavish entertainment?
  • What were the internal control failures?
  • Controls for high-risk payments.
  • Lessons learned for the ABC compliance professional.

Resources

Tom in the FCPA Compliance and Ethics Blog

Part 1-Background

Part 2-the Bribery Schemes and Lessons Learned

Matt in Radical Compliance

Category: This Week in FCPA

Episode 295 – the Baseball is Back edition


MLB and the players manage to work out their differences as Tom Brady unretires. Jay and Tom look at some of the week’s top compliance and ethics stories in the Baseball is Back edition.

Stories

  1. Is ESG in crisis? Lawrence Heim in practicalESG.
  2. Compliance-The Single. Matt Kelly in Radical Compliance.
  3. Corporate investigations and waiver of privilege. Debevoise lawyers in Compliance and Enforcement.
  4. Fear-based compliance. Mike Volkov in Corruption Crime and Compliance.
  5. A view on corruption from the front lines. Tom and Matt interview Tim Khasinov-Batirov on Compliance into the Weeds. Matt blogs in Radical Compliance.
  6. Holistic 3rd party management. Mike Volkov, Susanna Cagle and Carol Williams in Risk and Compliance Matters.
  7. What kind of person resists a bribe? Gary Drevitch in Psychology Today.
  8. Ethisphere announces 2022 WME. Ethisphere Press Release. Erica Salmon Byrne on the FCPA Compliance Report.
  9. Are cyber whistleblowers different? Kenji Price, Scott Ferber and Mark Schreiber in CCI.
  10. If you are going to IPO, better ESG first. Bob Conlin in Forbes.com.

Podcasts and More

  11. In March on The Compliance Life, I visit with Audrey Harris, Managing Director at AMI, formerly CCO at BHP. In Part 1, she discusses her academic background and early professional career. In Episode 2, Audrey moves to the CCO chair at BHP. In Episode 3, she moves back to private practice.
  12. Tom and Megan Dougherty are back with 2 more episodes of the MCU series. Guardians of the Galaxy Part 1 and Part 2.
  13. Taxman: On the Intersection of Tax and Compliance. A 5-part series with Tracy Howell. Part 1-why compliance needs to talk to tax. Part 2-transfer pricing. Part 3-why tax needs a seat at the table. Part 4-tax and supply chain. Part 5-tax and ESG.
  14. Tom visits with Hill Country Joanne Easley on The Hill Country Podcast.

Category: Innovation in Compliance

Right Question to the Right Person at the Right Time with Ishan Girdhar

Ishan Girdhar is Tom Fox’s guest in this week’s show. He is the CEO and founder of Privva, a cloud-based platform that streamlines data security to enable law firms to easily implement their own risk assessment. Tom and Ishan explore risk management in the new hybrid work era and what compliance professionals need to be thinking about in the coming years in that regard.

The New Normal
The new hybrid work environment is here to stay. More companies are going back to the office but with fewer employees on site. This means that company leaders and compliance officers need to find a way to manage risk around virtual collaboration and communication technologies in a remote work environment. They will need to make sure that all employees are connected in a secure way. “When you have people working from home and working remotely, access to sensitive information grew exponentially… Many people have devices like Alexa or Google Home; those are devices that are recording every conversation that’s happening in your home,” Ishan cautions. Implementing policies that ensure employees aren’t working in the vicinity of these devices, and making sure that companies lock on set intervals, will go a long way in mitigating the risk that is posed from working in this environment.

Keep Communications Focus
Employees have to act as stewards and maintain and adhere to company policies surrounding risk and compliance. Tom asks Ishan how he keeps a communications focus in his organization in a way that doesn’t lead to compliance fatigue. Compliance officers need to ensure that they’re actively capturing communication across their organizations, and that they have the tools to do so. “Make sure that your tech stack has the right capabilities to capture information and communication across your network,” Ishan remarks. Communicating the right ways to work with your clients and employees is also something that companies need to be thinking about. Use the right tools and the right steps to make sure your actions are in line with your internal corporate policies, so that the compliance department can have access to that information if it’s required. Make sure that the data is integrated and that all of that dialogue is time-stamped so it can be captured together.

Creating Effective Cybersecurity
“Every product that technology brings to make your lives easier, better, faster, and cheaper for your clients comes with cybersecurity risk,” Ishan tells Tom. In order to mitigate cybersecurity risk, consistent training of your employees is necessary. Cybersecurity needs to be built into the culture of your organization and is a way for you to do your jobs in a timely and efficient way. Compliance professionals should be on top of what’s happening in the market with regard to new threats and risks. Have detailed policy monitoring and reporting requirements, and ensure you’re adapting your policies to the new norm.

Third-Party Risk
Tom posits that third-party risk is beyond company to company, and that it’s actually the entire scope of your communication. Third-party risk is your suppliers, your partners, and your customers. Companies need to think about where their data is hidden, and where it’s going. “How is it leaving your environment? Where is it going? What’s the sensitivity of that data?” These are the questions Ishan implores leaders to think about. The biggest challenge with third-party risk management is that you have a say, but you don’t have full authority in enforcing change. It is also a two-way street in that as a company, you are also a custodian of information and you have to understand your minimum baselines, the security controls that are nonstarters for you, and what risks you’re willing to accept. If you are sending sensitive data to a third party, you have to include management and leadership as part of that conversation and process.

What’s Next
Buying technology that will be sustainable going forward is one of the best ways to respond to cybersecurity risks in the coming future. Privacy is also a big challenge that companies are going to face. “Build out your budget and make sure that you have the right investments in place as you continue to grow and continue to go into the future leading up to 2025,” Ishan advises Tom and the audience.

Resources
Ishan Girdhar | LinkedIn | Twitter
Privva

Category: FCPA Compliance Report

Charles Thomas on the Current State of 3rd Party Risk Solutions


In this episode of the FCPA Compliance Report, I am joined by Charles Thomas, Market Planning Director for LexisNexis Risk Solutions. In this episode we take a look at the current state of risk areas around third parties, the convergence of risk solutions and future developments in 3rd party risk solutions.
Highlights include:

  1. What are the top issues clients have faced over the past 12 months?
  2. What are the key trends in international ABC enforcement?
  3. What is the convergence of compliance, mixing ABC with supply chain, procurement, sanctions and other regimes?
  4. What is the increased focus on third parties and the risks posed by such relationships?

Resources
Charles Thomas on LinkedIn
LexisNexis Risk Solutions

Category: The Compliance Handbook

Third Parties with Kristy Grant Hart


Third parties are still perceived as the most prominent high risk for companies. Beyond bribery and corruption, areas such as modern slavery/human trafficking, data privacy, information and cybersecurity, and anti-money laundering now require third-party integrated risk assessment and planning. Compliance and data privacy law thought leader Kristy Grant-Hart, CEO of Spark Compliance Consulting, offers an innovative approach and inspiring perspective in this conversation.
Major takeaways discussed in the episode:

  • Bribery and Corruption: This remains the most significant problem because of the general business population’s perception that what a third party does on your behalf isn’t your problem. Because some countries have laws like that, this built the sensibility that “if I didn’t do it, then it doesn’t matter.”
  • Due Diligence Integration: Every company is different; however, it is crucial to apply a comprehensive and consistent approach to conducting due diligence in all categories when appointing and maintaining relationships with third parties.
  • Scoping: Define the degree of risk to be reviewed and identify the highest probable risk scenario, based on the quantitative things that we know, like the CPI score and the Trafficking in Persons Report. That’s where you start, so that you’re looking at the right risk with the right tools.
  • Digital Assets: Many parts of the business are not working together on third-party onboarding. The problem is that they don’t necessarily want to work together. Using various technology-enabled solutions for your clients will enable you to clearly and effectively see across the entire risk spectrum.

The “Nuts and Bolts” for Creating a Comprehensive Compliance Plan
The first chapter of this unique work lays out a succinct yet thorough 31-day approach to operationalizing a company’s compliance regimen. Beginning with a section on what 2020 brought to the compliance landscape, the chapter methodically outlines best practices for everything from establishing policies, procedures, and internal controls, to assessing risk, training, handling investigations, and more. Each day ends with three key takeaways you can implement at little or no cost.
Understanding Compliance Responsibility Across the Organization
The Compliance Handbook also takes a close look at all professionals’ roles with compliance responsibility, from Compliance Officers and Boards of Directors to Human Resources, to Internal Audit and Internal Controls and Communications and Training professionals.
In-Depth Treatment of Hot Topics and Trends
The Handbook provides an in-depth look at the latest thinking and trends for the full range of critical compliance topics, including:
  • Compliance and business ventures
  • Third-party risk management
  • The Board’s Role in Compliance
  • Continuous improvement
  • Compliance innovation
  • And much more
Order your copy OR copies of The Compliance Handbook: A Guide to Operationalizing Your Compliance Program. Save 25% off.
http://www.lexisnexis.com/fox25

Category: 31 Days to More Effective Compliance Programs

Day 17 | Managing your third parties


The building blocks of any compliance program lay the foundations for a best practices compliance program. For instance, in the life cycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third-party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance. It is also an area the DOJ specifically articulated in the 2020 Update that companies need to consider.
Managing your third parties is where the rubber meets the road in your overall third-party risk management program. You must execute on this task. Even if you successfully navigate the first four steps in your third-party risk management program, those are in reality the easy steps. Managing the relationship is where the real work begins.
Three key takeaways:

  1. Have a strategic approach to third-party risk management.
  2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs for ongoing monitoring and auditing.
  3. Managing the relationship is where the real work begins.

Category: 31 Days to More Effective Compliance Programs

Day 16 | The third-party risk management process


As every compliance practitioner is well aware, third parties still present the highest risk under the FCPA. The 2020 Update devotes an entire prong to third-party management. It begins with the following:
Prosecutors should also assess whether the company knows the business rationale for needing the third party in the transaction, and the risks posed by third-party partners, including the third-party partners’ reputations and relationships, if any, with foreign officials. For example, a prosecutor should analyze whether the company has ensured that contract terms with third parties specifically describe the services to be performed, that the third party is actually performing the work, and that its compensation is commensurate with the work being provided in that industry and geographical region. Prosecutors should further assess whether the company engaged in ongoing monitoring of the third-party relationships, be it through updated due diligence, training, audits, and/or annual compliance certifications by the third party.
This clearly specifies that the DOJ expects an integrated approach that is operationalized throughout the company. This means you must have a process for the full life cycle of third-party risk management. There are five steps in the life cycle of third-party risk management, which will fulfill the DOJ requirements as laid out in the 2020 FCPA Resource Guide and in the Hallmarks of an Effective Compliance Program. The five steps in the life cycle of third-party management are:

  1. Business Justification by the Business Sponsor;
  2. Questionnaire to Third-party;
  3. Due Diligence on Third-party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

Three key takeaways:

  1. Use the full 5-step process for third party management.
  2. Make sure you have business development involvement and buy-in.
  3. Operationalize all steps going forward by including business unit representatives.

Category: 31 Days to More Effective Compliance Programs

Use of Data to Manage Third-Parties


In today’s edition of 31 Days to a More Effective Compliance Program, I am joined by Vin DiCianni, founder of Affiliated Monitors. Vin provides insights into how the use of data can facilitate the management of third-parties after the contract is signed.
Three key takeaways:

  1. The process of collecting data cleans up much risk and provides cost savings.
  2. More reliable data about third parties will facilitate their more effective management.
  3. Using data to manage third parties will further operationalize your compliance program.

Category: 31 Days to More Effective Compliance Programs

Third-Party Risk Expansion


What is third-party risk expansion and why is it a risk in compliance? Historically, people talked about a third party as simply an entity outside of your organization. However, that definition is broadening to mean any entity with which your company works. Obviously, this can be a supplier or vendor, a service provider, a customer, a joint-venture (JV) partner and/or an intercompany affiliate. A broader view could include intercompany affiliates as third parties, even though many people would see them as just being another entity inside of a business. As the definition of third parties expands, this only makes life more complicated for anyone trying to do third-party risk assessments, and then the tiering creates an exponential change.
Previously, a tier one supplier was a direct counterparty to your organization, directly through the sales channel. A tier two was one that your company’s tier one counterparty is working through. This means risk managers assessing the various risks now have to go deeper and deeper. One way to do so is to try to understand the connections between tiers one, two, three, four and so on. The problem is that there are many risks companies do not manage because they cannot identify which companies are taking risks, allegedly on their behalf. One of the most difficult issues for compliance professionals and risk managers is trying to get their arms around how to handle this issue.
You should begin with mapping out and understanding the third-parties whose exposure needs to be assessed by your organization. Obviously, this includes both direct and indirect third-parties but in terms of the tiering, the best way for anyone to understand the risk is to have really good communication with their tier one third-parties to be able to discuss the risks to both businesses.
Three key takeaways:

  1. Has your third-party risk management program expanded with your third-parties?
  2. Why is transparency a key for third-party risk management?
  3. What is the financial health of your third-parties?

Category: 31 Days to More Effective Compliance Programs

Third-party risk management ROI


One area that has bedeviled CCOs and compliance practitioners is how to determine the ROI of your compliance program regarding third parties. While it is still clear that third parties are the greatest risk in FCPA enforcement actions, senior management often wants to know what the monetary benefit to the company is for this type of risk management.
When you couple the request for ROI with the 2020 Update, it may seem like a doubly daunting task. However, the requirement for operationalization of your compliance program actually lends itself to formulating ROI around the risk management of third-parties. This is because if you move third-party compliance into the organization as a business process, with a technological solution, the ROI becomes not only clearer but easier to calculate going forward.
Three key takeaways:

  1. Why is it important to demonstrate ROI on your third-party risk management program?
  2. Determining ROI helps to demonstrate operationalizing your compliance program.
  3. Determining third-party management program ROI can help to tear down compliance silos.