Into the Chair - Tales from Chief Compliance Officers

Into the Chair, Tales from Chief Compliance Officers: Anh Lam on Navigating Compliance Challenges in a Changing Landscape

Welcome to the latest edition of the Compliance Podcast Network: Into the Chair: Tales from Chief Compliance Officers, which details the journey to and in the role of a Chief Compliance Officer. How does one come to sit in the CCO chair? What are some of the skills a CCO needs to navigate the compliance waters in any company successfully? What are some of the top challenges CCOs have faced, and how did they meet them? These questions and many others will be explored in this new podcast series. Into the Chair: Tales from Chief Compliance Officers is a Comply podcast hosted by Tom Fox and is a production of the Compliance Podcast Network. In this episode, I visit with Anh Lam, Senior Vice President and Chief Compliance Officer at Sandy Spring Bank.

Anh Lam, a seasoned professional in compliance management, brings a unique perspective shaped by her personal and professional experiences. Born and raised in Vietnam, Anh’s interest in wealth management was sparked by her father’s experience with misleading investments in a country with limited regulations. Now serving as the Chief Compliance Officer for Sandy Spring Bank’s wealth divisions, Anh believes in the enduring importance of compliance but also sees a future where technology and artificial intelligence play a significant role in making compliance more efficient and effective. She envisions a future in which each firm has its own internal AI system, integrated with its various platforms, that adapts to changing regulations, and she anticipates a global standardization of compliance regulations, akin to what the GDPR did for privacy regulation. Join Tom Fox and Anh Lam as they delve deeper into these topics on the next episode of the Into the Chair podcast.

Key Highlights:

  •   Protecting Investors’ Money through Compliance Expertise
  •   Navigating Compliance Challenges in a Changing Landscape
  •   The Rise of AI in Compliance

Resources:

Anh Lam on LinkedIn

Comply

Connect with Tom Fox:

Threads

Instagram

Facebook

YouTube

Twitter

LinkedIn

Compliance Into the Weeds

Compliance into the Weeds: Szabolcs Fekete and the Consequences of Ethical Breaches

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to explore a subject more thoroughly. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds! In this episode, Tom and Matt take a deep dive into the termination of Citibank employee Szabolcs Fekete for cheating on his expense account and then lying about it, and draw out broad lessons for the compliance professional.

The importance of trust, accountability, and ethics in the workplace cannot be overstated. These elements are the bedrock of a healthy corporate culture and are crucial for maintaining a positive and productive work environment. Tom believes that a broader conversation about these topics is necessary within corporations. He emphasizes the need for employees to understand the importance of trust, accountability, and adherence to policies and procedures.

Matt echoes these sentiments. He shares a poignant story about a CEO who had to fire a cleaner for embezzlement and dishonesty, underlining the critical role of trust in upholding ethical standards. Both Fox and Kelly acknowledge the cynicism among the public and the workforce regarding ethical enforcement, and they advocate for a commitment to doing the right thing, even when it is difficult. Join Tom Fox and Matt Kelly on this episode of the Compliance into the Weeds podcast as they delve deeper into this crucial topic.

Key Highlights:

  • Expense Report Dishonesty and Wrongful Termination
  • Citibank’s Expense Report Policy and Trust
  • The Consequences of Ethical Breaches
  • The importance of trust and ethical enforcement

Resources:

Matt in Radical Compliance

Jane Croft in the FT

Pilita Clark in the FT

Connect with Tom Fox:

Threads

Instagram

Facebook

YouTube

Twitter

Blog

Adam Balfour on Ethics & Compliance for Humans

I recently sat down with Adam Balfour, author of Ethics and Compliance for Humans. We had a great conversation about his book and the importance of ethics, compliance, and organizational leadership. Although the book is aimed directly at the Chief Compliance Officer (CCO) and compliance professionals, Balfour emphasized that its principles extend beyond those with legal backgrounds and encompass areas such as sales, marketing, leadership, and culture.

I began by asking Balfour why he wrote the book. He said that writing it was a goal he had set for himself some time ago, and that the book had been in the works for quite a few years. Towards the end of last year, he and Sarah Haddon, publisher of Corporate Compliance Insights, started talking, and the project came to life. Once he had a clearer set of thoughts and a vision, the book seemed to come together for him. Balfour said that the writing process was a lot of fun and that he enjoyed that part of the experience. Equally important, as a first-time author, he found that Sarah and her team made the process painless and enjoyable.

One of the key takeaways was the role of leaders in promoting ethics and compliance within organizations. Balfour highlighted the need for practical guidance to help leaders navigate ethical dilemmas effectively and fulfil their responsibilities. He emphasized the importance of moving past the perception that ethics and compliance are solely about laws, rules, and regulations. Instead, Balfour suggested that the focus should be on guiding employees with good intentions toward positive outcomes.

We also addressed the challenge of managing negative brand perceptions and humanizing compliance programs. Balfour acknowledged that compliance can sometimes put people in awkward positions, such as when dealing with gifts and entertainment. However, he encouraged organizations to lean into the awkwardness and guide employees on navigating these situations effectively.

One exciting idea that Balfour introduced was the use of pop culture in compliance training to make it more relatable and engaging. By incorporating elements from popular culture, organizations can create a more accessible and enjoyable learning experience for employees.

Balfour also discussed the importance of considering the impact on individuals when making decisions about ethics, compliance, and leadership. He emphasized that there are real human stories and experiences behind the data and metrics. It is crucial not to lose sight of the fact that people are involved and that their experiences can significantly impact their lives and well-being. By incorporating these human stories, Balfour believes that ethics and compliance become more relatable and meaningful to employees.

Balfour highlighted the value that an effective ethics and compliance program can bring to organizations. It goes beyond avoiding fines, penalties, and negative headlines. An effective program can contribute to increased return on assets, fewer material lawsuits, and lower settlement amounts. Balfour compared ethics and compliance professionals to midfielders in soccer: they play a crucial role in defense while also supporting the organization’s growth.

The book’s main text ends with Balfour calling for a change from the CCO designation to a Chief Purpose Officer. He explained that the concept is something he has been thinking about for some time. Many areas and functions in organizations today are, he believes, too siloed. He listed ESG (which I think is going through a lot of change and transformation right now), DEI, and others, but he drove home the point that “it’s really how you think about what your organization’s purpose is and bringing those functions together under a Chief Purpose Officer.” Further, this Chief Purpose Officer “should have a central place in the C-Suite, helping ensure that the organization stays true to its stated purpose.”

He called out Patagonia as an example of a company that is deeply committed to its purpose. Patagonia does not have a designated Chief Purpose Officer, which leads him to believe “it may not be necessary to create a standalone position.” But “in other organizations, having this idea of a Chief Purpose Officer that supports the CEO, supports the CFO in delivering their results. It helps ensure that the organization truly obsesses about its purpose and conducts business correctly and appropriately.”

After the main text ends, Balfour includes excellent resources for every compliance professional. He lists ways you can tell stories about successful ethical victories from your organization’s history; provides ethics questions and issues inspired by Star Wars; lists some raps and the basic laws of anti-trust; lays out the Speak Up Habit loop; lists specific tactics for bringing compliance into the employee interview process; explains how Booth’s Law #2 applies to ethics and compliance; and details how to obtain a commitment from newly minted leaders in your organization.

Adam Balfour highlighted the importance of ethics, compliance, and leadership in organizations. He emphasized the need for leaders to go beyond legal thinking and consider areas such as sales, marketing, and culture. Our conversation also highlighted the challenges associated with ethics and compliance, including addressing negative brand perceptions and navigating awkward situations. By humanizing compliance programs and considering the impact on individuals, organizations can create a more meaningful and effective approach to ethics and compliance. I hope you will purchase a copy of Ethics & Compliance for Humans and incorporate its concepts into your compliance program.

Check out Ethics & Compliance for Humans here.

31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 15 – Leveraging AI in Compliance Investigations

The 2023 ECCP provided clear-cut criteria regarding effective compliance investigations. Unfortunately, many compliance teams fail to promptly substantiate most of the reports they investigate, partly because they cannot quickly and easily find the evidence they need, especially in harassment and misconduct cases. As has been observed, “This doesn’t just demonstrate a fundamental lack of effectiveness from the DOJ’s perspective, but a long-term organizational risk that goes well beyond any individual allegation of misconduct.” The reason is not simply legal but also operational: if substantiated allegations are indeed violations, the underlying conduct can continue, exacerbating the problem(s) and lengthening the period of legal liability.

All of this is particularly significant in light of industry research showing that many compliance investigations today go unsubstantiated and can take over 40 days from start to finish. The ability of AI to find and analyze data from the web and social media in an automated fashion can overcome some of those challenges in both the length and the overall scope of an investigation. Finally, always remember data preservation. Regulators always want to know whether you have the documents and data tied down. Sound preservation gives a company confidence in its records and, in turn, lets it represent to regulators and prosecutors that the documents are secure. In other words: Document, Document, and Document.

Three key takeaways:

  1. AI is an appropriate tool for supplementing investigations.
  2. AI can look at large bodies of social media data.
  3. AI can help you decrease your investigation length.

For more information, check out The Compliance Handbook, 4th edition, here.

Blog

The Importance of Tailored Policies for Compliance and Risk Management

In compliance and risk management, one size does not fit all. Generic policies and procedures may seem convenient but can lead to compliance risks and potential harm. This is why the Securities and Exchange Commission (SEC) stresses the need for well-designed, tailored policies and procedures in areas such as anti-money laundering (AML) and cybersecurity.

In a recent Compliance into the Weeds episode, Tom Fox and Matt Kelly discussed in detail the importance of tailored policies for compliance and risk management. They discussed the case of Deutsche Bank, where the SEC imposed sanctions due to faulty policies. The bank had taken generic policies not specific to its mutual fund obligations and declared them its AML program. This cut-and-paste approach led to compliance risks and inconsistencies that caught the attention of regulators.

The case also serves as a reminder of the potential consequences of misleading marketing practices without proper procedures. The SEC sanctioned DWS $25 million for failures around ESG disclosures and a poor AML program. In both instances, faulty policies and procedures were identified as the root cause of the compliance failures.

The key takeaway from this case is that companies should conduct risk assessments and gap analyses to identify their specific needs and design appropriate policies. A good risk assessment is the foundation for crafting effective policies and procedures. It helps organizations understand their risks, evaluate their controls, and determine the necessary steps to mitigate them.

The impact on employees when designing policies and procedures should be considered. Simply copying and pasting language from regulations without considering the organization’s unique structure, technology, and transactions can lead to confusion and compliance risks. Employees need clear guidance on their duties and responsibilities; generic policies do not provide that clarity.

Compliance officers should create policies and procedures tailored to their organization’s needs and risks to avoid compliance risks and potential harm. Considering the organization’s specific circumstances, resources, and capabilities requires a thoughtful approach. It also requires regular risk assessments, gap analyses, and monitoring of policy effectiveness.

How to do so? The 2020 FCPA Resource Guide, 2nd edition, provided guidance. It stated, “When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to ensure that the Code of Conduct remains current and effective and whether a company has periodically reviewed and updated its Code.” Some of the questions you should consider are:

  • When was the last time your policies and procedures were released or revised?
  • Have there been changes to your company’s internal controls since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s policies and procedures?
  • Are any of the policies and procedures outdated?
  • What is the budget to create/revise your policies and procedures?

After considering these issues, you should benchmark your current policies and procedures against other companies in your industry. If you decide to move forward, I suggest a process that can be fully documented to include revisions to your compliance policies and procedures.

Get buy-in from the senior leadership of your company. Your company’s highest level must mandate revising compliance policies and procedures. The CEO, GC, CCO, or all three should demand this effort. Whoever gives the order should be consulted at every step of the revision process of the policies and procedures if it involves a change in the direction of key policies.

Establish a core policies and procedures revision committee. A cross-functional working group is ideal for advancing your effort to revise your compliance policies and procedures. This group should include representatives from legal, compliance, communications, and HR, as well as representatives of the company’s domestic and international business units. Finally, it should include the other corporate functions the policies touch, such as finance and accounting, IT, marketing, and sales.

From this large group, topics can be assigned for initial drafting to the functions for which they are most relevant. Those functions would also solicit feedback from their functional peers and deliver a final proposed draft to the drafting committee. You must establish a timetable for the revision process and hold representatives accountable for meeting their deadlines.

Conduct a thorough technology assessment. The cornerstone of the revision process is how your company captures, collaborates on, and preserves all the comments, notes, edits, and decisions made during the entire project. In addition to using technology to revise your compliance policies and procedures, you should determine whether they will be available in hard copy, online, or both. There must be a distribution plan, especially if the Code and compliance policies and procedures are only available in hard copy.

Determine translations and localizations. The 2020 FCPA Resource Guide clarified that your compliance policies and procedures must be translated into the local language for your non-English speaking workforce. The key is that your employees have the same understanding of the compliance policies and procedures regardless of the language.

Develop a plan to communicate the revised policies and procedures. The rollout is always critical, because the revised policies and procedures must be communicated in a way that encourages employees to review and use them on an ongoing basis. Your company should use the whole armor of available tools to publicize the revised compliance policies and procedures. This can include a multi-media approach or handing a copy to every employee at a designated time. You might consider a company-wide compliance policies and procedures meeting at which the new or revised documents are rolled out across the company in one day. But remember, with all things compliance, the three most important aspects are “Document, Document, and Document.” So when you deliver the new or revised policies and procedures, document that each employee received them.

Stay on target and on budget. Set realistic expectations so that the policies and procedures revision stays on deadline and within budget, and keep a close watch on spending so you do not exceed it.

These points are a valuable guide to not only thinking through how to determine if your policies and procedures need updating but also practical steps on how to tackle the problem. You should begin the process now if it has been more than five years since the last updates. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are tradeoffs involved in balancing different factors when designing policies and procedures. Compliance officers need to consider the organization’s staffing, technology, review processes, and the need for human intervention in automated systems. Insufficient resources and inconsistent procedures can lead to compliance gaps and backlogs, increasing the organization’s exposure to compliance risks.

In conclusion, the importance of tailored policies for compliance and risk management cannot be overstated. Generic policies may seem like a quick fix, but they can lead to significant compliance risks and harm. Compliance officers should conduct risk assessments, identify specific needs, and design policies and procedures that address those needs. Employee understanding and guidance are crucial, and policies should be regularly assessed, monitored, and updated as necessary. By taking a tailored approach to compliance and risk management, organizations can minimize their exposure to compliance risks and protect themselves from potential harm.

31 Days to More Effective Compliance Programs

One Month to A More Effective Compliance Program Through Innovation: Day 14 – Creating an Inventory of Metrics

The 2023 ECCP not only continued to emphasize the importance of monitoring and testing the effectiveness of a compliance program, but it spoke more about a Chief Compliance Officer (CCO) and compliance function utilizing data to engage in continuous monitoring and continuous improvement. For some time, the DOJ has stressed the importance of leveraging data to have objective evidence around whether or not a compliance program is working effectively. Yet, as many CCOs are legally trained, they are still determining what specific areas to consider in establishing quantifiable metrics to monitor for effectiveness.

A methodical review of the 2023 ECCP to identify the different areas where a company could establish and quantify metrics to assess effectiveness is the place to start. Many companies have what Edwards called “metrics on the basics” and noted they “have in place processes whereby their employees review the Code of Conduct and confirm they comply with it either when they first onboard with the company and then periodically on an annual basis, companies are doing just fine at reporting.” But it is now the barest minimum of what compliance professionals must do. For instance, they could consider Quote To Cash (QTC) lifecycles or Procure To Pay (P2P). The key starts with a documented process that can be audited and built from there.

Three key takeaways:

  1. Create an inventory of compliance metrics.
  2. Create your metrics based on the 2023 ECCP.
  3. Use these metrics for continuous monitoring and improvement.

For more information, check out The Compliance Handbook, 4th edition, here.

31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 13 – Consistency as a Compliance Best Practice

The 2023 ECCP emphasized the need for the corporate compliance function to ensure consistency and fairness in monitoring investigations and the resulting discipline. One of the ways the 2020 update emphasized this, and the 2023 ECCP carried forward, was through tracking investigations and the discipline that comes out of them. The challenge for companies is that the facts and circumstances of every investigation are different. This sometimes makes consistency difficult, but if a company disciplines employees in one country differently from those in another, it creates gaps in the compliance program. Employees in certain countries can come to feel that they can do what they want without risk of punishment from corporate headquarters. This is why the DOJ re-emphasized monitoring investigations and ensuring consistent application of discipline as a critical factor in an effective compliance program.

The FCPA Resource Guide, 2nd edition, added a new hallmark to the previously titled 10 Hallmarks of an Effective Compliance Program (now it is simply the Hallmarks). The Hallmark added was one that has been around for some time: Root Cause Analysis (RCA). It is familiar because it was subtly considered in the original FCPA Resource Guide and explicitly discussed since at least the original formulation of the Evaluation of Corporate Compliance Programs in February 2017.

The focus on consistency is insightful and instructive as a key element of a best practices compliance program. Consistency forms the basis of both institutional justice and institutional fairness. That, in turn, facilitates a speak-up culture, which is the role of the compliance department to foster.

Three key takeaways:

  1. Consistency is a key part of any compliance program.
  2. Consistency forms the basis of both institutional justice and institutional fairness.
  3. Consistency facilitates a speak-up culture.

For more information, check out The Compliance Handbook, 4th edition, here.

31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program: Day 12 – A Seat at the Table

Going into the 2020s and beyond, a corporate compliance function must be integral to your business strategy. One of the key reasons is that the ever-present debate over compliance as a cost center will only intensify in this decade. If compliance programs are ineffective, enforcement actions will continue to be highly costly. Over the last 10 years, enforcement actions have increasingly required companies to divert both compliance and business resources to remediation. This has only grown greater as social media amplifies reputational risk.

This is because, as significant (and costly) as regulatory fines and penalties have been, it is the intangible reputational damage that, in the long run, may be even more expensive. Stakeholders who have no desire to sit far out on the risk curve may nonetheless be at higher risk because they are located in higher-risk jurisdictions or operate in higher-risk industries. There are further consequences if compliance does not have a seat at the table. If compliance has a seat at the table, there is leeway for compliance officers and firms to figure out how best to roll out a compliance program that is commensurate with the organization’s risk and compliant with the regulations. If compliance is relegated to the back of the (corporate) bus, there will be little chance to do so.

Three key takeaways:

  1. It will be even more important for compliance to sit at the table in the future.
  2. Look for synergies with other types of compliance.
  3. Such synergies can be a big cost savings.

For more information, check out The Compliance Handbook, 4th edition, here.

31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 11 – Compliance Innovation Through KPIs

Measuring your compliance program’s effectiveness will be a critical criterion going forward. One of the mechanisms to do so is Key Performance Indicators (KPIs). If you have been working towards stated goals and reporting on them, KPIs are critical in showing where the compliance program is succeeding or failing. And while the specific requirements for this kind of reporting have been hotly debated in the industry for some time, regulators now expect you to be able to measure program effectiveness. Your KPIs will be specific and unique to your company and its business. Couple this with the goals you are trying to achieve as a compliance program, and you will see there is no set list of these metrics.

KPIs provide yet another mechanism for you to monitor and update your compliance program almost continuously. KPIs can be extremely low in cost and, therefore, something you can put in place without going to higher-ups in your organization for budget approval. Finally, innovation can come in many forms. ComTech can be a huge leap forward, but innovation can also occur at much lower cost and a much more granular level. KPIs can be such a mechanism for you.

Three key takeaways:

  1. KPIs will be critical to assess a compliance program going forward.
  2. Set your KPIs.
  3. Decide on how to use KPIs and the blueprint for going forward.

For more information, check out The Compliance Handbook, 4th edition, here.

31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program Through Innovation: Day 10 – Connected Compliance

Disconnected compliance stems from the fact that there is no single system connecting the disparate strands of the compliance discipline. Connected compliance gives the CCO, and everyone in the organization working with compliance, one central place, a system of record for everything they do. This can be the whistleblowing hotline, case management, employee training, or vendor policy training. It literally connects them all so they run from one central location, and these otherwise disparate systems can be monitored from one central location. A key way to think about it is “getting everything under one roof,” because one of the struggles many compliance officers have is that the information they need is siloed across different functions of the company. Information such as employee expense data, marketing expenses, or charitable donations may sit in the sales organization, but it could just as well be spread among other corporate functions.

All of this is what the DOJ has articulated as operationalizing compliance. It first garnered attention in the February 2017 release of the original Evaluation of Corporate Compliance Programs and has only increased in prominence through the 2023 ECCP. Since then, compliance practitioners have steadily worked to move their compliance programs onto the front lines of their business units. Connected compliance is one way to do so, but it clearly requires a human element, not only to interpret the data but to impart the appropriate or required compliance solution. Operationalizing compliance means that an annual, or even quarterly, update on what is going on in the program is not enough. The program must be operationalized so that information flows not only from the regional business units up to corporate compliance, but also back and forth with the other business units, procurement, and finance, with the compliance function reacting in real time.

Three key takeaways:

  1. Connected compliance moves you towards continuous monitoring.
  2. Compliance under one roof.
  3. Never forget the human element.

For more information, check out The Compliance Handbook, 4th edition, here.