Categories
31 Days to More Effective Compliance Programs Uncategorized

One Month to More Effective Reporting and Investigations – Board Investigations

In their article “Successful Board Investigations”, David Bayless and Tammy Albarrán offered seven considerations to facilitate a successful Board investigation.

  • Consider whether you need independent outside counsel.
  • Consider hiring an experienced investigator to lead the internal investigation.
  • Consider the need to retain outside experts.
  • Analyze potential conflicts of interest at the outset and during the investigation.
  • Carefully evaluate whistleblower allegations.
  • Request regular updates from outside counsel, without limiting the investigation.
  • Consider whether an oral report at the conclusion of the investigation is sufficient.

The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the Board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the Board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.”

Three key takeaways:

  1. Retain the right counsel. Consider conflicts and appearance.
  2. Carefully evaluate all whistleblower allegations and reject retaliation.
  3. Consider receiving oral reports on an ongoing basis and one lengthy oral report at the end of the investigation.

One Month to More Effective Reporting and Investigations – Specific Benefits of a Hotline: A Case Study

Is your hotline working for you? In an article entitled Promoting Effective Use of the Company Compliance Hotline, José Tabuena provided an excellent example of the power of a hotline. He presented a case study of a company that had not integrated its IT function into its regular compliance and ethics training programs. As a result, there were zero calls into the hotline from IT employees. This dynamic changed once IT was integrated into the company’s regular compliance and ethics training. Thereafter, the hotline received several calls from IT employees, which pointed to two major areas of complaint.

The favoritism problem. HR led an investigation that included questioning all IT managers about their direct reports and employees of their unit. The company determined that there was only one instance of a manager hiring a family member (a brother-in-law), but that person did not report to the manager and was in a different section of the IT organization. This finding made clear that there were misperceptions in the IT department, which affected the department’s morale.

Manipulation of data for bonuses. The company used the hotline to obtain more information from the callers on “isolating the metrics and the managers in question.” It was determined that the bonuses of a select few IT managers were indeed influenced by a questionable data source, which was controlled by a non-manager with minimal oversight and controls.

Basic tenets of an effective hotline. This case study provided three key tenets of an effective internal reporting system:

• First, a helpline is of no value if the workforce is not aware of it.

• Second, the ethics and compliance office obtained support from the Chief Information Officer (CIO), which likely contributed to the success of the training and communications delivered by the ethics and compliance staff.

• Third, awareness of the helpline alone is not sufficient to ensure success; you must also make sure that issues and allegations are addressed and investigated.

This case study demonstrates the power of a hotline. The company’s Compliance Department “established the credibility of the helpline as a resource to raise issues and report misconduct.”

Three key takeaways:

1. Hotlines can be powerful tools for the compliance professional.

2. Simply because you have no hotline complaints does not mean you do not have any compliance or ethics issues that need review and resolution.

3. Adequate follow-up is a key part of overall hotline effectiveness.

One Month to a More Effective Board – 20 Questions Directors Should Ask about the Board Compliance Committee

In an area of inquiry entitled Oversight, the 2023 ECCP asks three basic questions which we have explored throughout this chapter:

1. What compliance expertise has been available on the Board of Directors?

2. Have the Board of Directors held executive or private sessions with the compliance function?

3. What types of information have the Board of Directors examined in their exercise of oversight in the area in which the misconduct occurred?

To facilitate the answers to these questions, consider this list of 20 questions, which reflect the oversight role of directors. These are questions the Board should ask of senior management and of itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. They give directors a basis for critically assessing the answers they receive and digging deeper as necessary. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Compliance Committee

1. What are the Compliance Committee’s responsibilities and what value does it bring to the Board?

2. How can the Compliance Committee help the Board enhance its relationship with management?

3. What is the role of the Compliance Committee?

Part II: Building an Effective Compliance Committee

4. What skill sets does the Compliance Committee require?

5. Who should sit on the Compliance Committee?

6. Who should chair the Compliance Committee?

Part III: Directed to the Board

7. What is the Compliance Committee’s role in building an effective compliance program within the company? How can the Compliance Committee assess potential members and senior leaders of the company’s compliance program?

8. How long should directors serve on the Compliance Committee?

9. How can the Compliance Committee assist directors in retiring from the Board?

Part IV: Enhancing the Board’s Performance Effectiveness

10. How can the Compliance Committee assist in director development?

11. How can the Compliance Committee help the Board chair sharpen the Board’s overall performance focus?

12. What is the Compliance Committee’s role in Board evaluation and feedback?

13. What should the Compliance Committee do if a director is not performing or not interacting effectively with other directors?

14. Should the Compliance Committee have a role in chair succession?

15. How can the Compliance Committee help the Board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committee

16. How can the Compliance Committee enhance the Board’s relationship with institutional shareholders and other stakeholders?

17. What is the Compliance Committee’s role in CCO succession?

18. How can the Compliance Committee foster greater technical impact for the compliance function?

19. What role can the Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?

20. How can the Compliance Committee help the Board in deciding CCO pay, bonus and resources made available to the corporate compliance function?

Three key takeaways:

1. The DOJ Evaluation requires active Board of Director engagement around compliance.

2. Board communication on compliance is a two-way street; both inbound and outbound.

3. Has the Board built an effective Compliance Committee for itself?

One Month to a More Effective Compliance Program with Boards – Incorporating Compliance into a Long-Term Corporate Strategy

How can a Board work to incorporate the compliance function into the organization’s long-term business strategy?

The starting point for a Board of Directors is to develop a framework for incorporating compliance into its long-term strategy. Setting up the framework for evaluating compliance within your Board’s long-term strategy is a three-step process, which you can use as a starting point to determine how comprehensive the Board’s role in your compliance program is.

1. Has the company identified the compliance issues relevant to the Board?

2. Has the company assessed and incorporated those compliance issues into its long-term strategy?

3. Has the company communicated its approach to compliance and the influence of those factors on its overall strategy?

From this initial inquiry, you can move into some specific questions that the Board can use to determine the overall state of your company’s compliance program. First, a Board can work to identify compliance issues material to your organization. This can be accomplished with compliance-related KPIs, which a Board should prioritize to elevate their impact on compliance. A Board should consider these through the life cycle of a business line or geographic sales area. Next, the Board should work to move compliance into the company’s long-term strategy and have the CCO detail the long-term strategy for the compliance function.

The Board should oversee incorporating KPIs into senior management performance evaluations and compensation. Once again building upon the 2020 Update, which asks how the company monitors its senior leadership’s behavior and how senior leadership models proper behavior to subordinates, the Board should make certain that systems are in place to quantify or measure performance related to compliance issues; establish performance goals against which compliance achievement is measured; disclose to shareholders the material compliance issues that drive compensation and the specific goals or performance targets that management must achieve; and report on actual performance against established goals to justify compensation payouts.

Finally, the Board should work to communicate the influence of compliance factors on overall corporate strategy by demonstrating how compliance was integrated into the business. Not only is this good from a business perspective and shareholder expectation, but it is also, as the 2020 Update makes clear, what the government expects is the operationalization of compliance going forward.

Three key takeaways:

1. Having a long-term strategy is critical.

2. What is the Board’s framework for assessing compliance?

3. Create KPIs to measure senior management’s actions around compliance.

One Month to a More Effective Compliance Program with Boards – Legal Requirements of the Board Regarding Compliance

As to the specific role of best practices in general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc., 698 A.2d 959 (Del. S. Ct. 1996) was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”

In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties concerning corporate compliance issues. Second, the Court found that no duty of good faith forms a basis for director liability, independent of the duties of care and loyalty. Rather, Stone v. Ritter 911 A.2d 362 (Del. S. Ct. 2006) holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

The Board has the role of monitoring the performance of the compliance function, including measuring its performance using standard economic metrics and overseeing compliance with applicable laws and regulations. While the Board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The Board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the Board must take appropriate action if and when it becomes aware of a material problem it believes management is not properly handling. The Delaware Supreme Court has expanded this obligation in the cases of Marchand v. Barnhill (the “Blue Bell” case), Clovis Oncology, Hughes, and Boeing.

From the Delaware cases, a Board must have a corporate compliance program in place and actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, additional oversight should exist. In other words, there is an affirmative duty to ask tough questions. Moreover, there has been a significant expansion of the Board’s Caremark obligation, and Delaware courts will scrutinize Caremark claims much more closely going forward. The evolution of decisions from Marchand to Boeing shows that a company must have robust compliance and risk management oversight and, more importantly, engage in oversight of the company’s signature risk(s). Boards must do so aggressively, not passively.

As Mike Volkov has noted, “At the bottom, the Chancery Court is raising the stakes on board member accountability.”

Three key takeaways:

  1. The Delaware courts have led the way with the Caremark and Stone v. Ritter decisions.
  2. Boards must have compliance expertise and exercise it.
  3. In a series of recent decisions, the Delaware courts are expanding the Caremark obligations, most recently.

For more information check out The Compliance Handbook, 3rd edition, available from LexisNexis here.

One Month to a More Effective Compliance Program for 3rd Parties – Freight Forwarders

The FCPA world is littered with cases involving freight forwarders, brokers and agents in the shipping and express delivery arena. Both the DOJ and SEC have aggressively pursued third-party business relationships where bribery and corruption have been found. This is particularly true where companies are required to deliver goods into a foreign country with the assistance of a freight forwarder or express delivery service.

If you utilize the services of a third party as a freight forwarder, broker or agent in the shipping and express delivery arena, that company’s actions will go a long way in determining your company’s FCPA liability. You must have a thoughtful process and document that process.

Three key takeaways:

  1. Express delivery services and freight forwarders present unique compliance risks.
  2. There must be a business justification to bring on new express delivery services or freight forwarders in high-risk jurisdictions.
  3. Consider constructing a risk matrix in this area.

One Month to a More Effective Compliance Program for 3rd Parties – Distributor Compensation

One of the issues in any compliance program is the compensation paid to a third party, as FCPA exposure arises when companies pay money, either directly or indirectly, to fund bribe payments. Another area that leads to exposure from third parties is distributors. In a distributor relationship, the distributor purchases a product, taking the risk of loss and title, at a discount from a manufacturer. The distributor resells at an uplift, and that spread between the purchase price and sales price is the distributor’s income. If a product is purchased at an inflated discount and resold, the difference between the purchase price and resale value could be used for corrupt purposes. Commission payments and excessive distributor discounts can be channeled to pay bribes.

The FCPA Resource Guide, 2nd edition, noted that common red flags associated with third parties include “unreasonably large discounts to third-party distributors.” When companies grant distributors uncommonly steep discounts, bribes can result either: 1) because the company instructs the distributor to use the excess amounts to fund corrupt payments; or 2) because the distributor pays bribes on its own, without the express direction or implicit suggestion from the company, to gain some business advantage.

Three key takeaways:

  1. Creating a well-thought-out process that operationalizes your compliance program around distributor compensation in a manner that documents your decision-making calculus is key.
  2. Require multiple levels of approval for an out-of-range distributor discount.
  3. Tracking distributor discounts globally makes your company more efficient.

One Month to a More Effective Compliance Program for 3rd Parties – Terminating 3rd Parties

At some point, you will be required to terminate a third party, and there will be multiple legal, compliance and business issues to navigate. If you are forced to do it in the middle of an FCPA or U.K. Bribery Act investigation, there may well be pressure to do so, and to do so quickly. If you have not thought through this issue and created a process to follow before a crisis occurs, you may well be in for a very tough road. Indeed, the 2023 ECCP specifically asks this question in the section entitled Real Actions and Consequences: Has a similar third party been suspended, terminated, or audited as a result of compliance issues?

The key theme in termination is planning. The Office of the Comptroller of the Currency (OCC), in OCC Bulletin 2013-29, said that regarding third-party termination, a bank should develop a “contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.”

Although rarely considered, the termination of a third-party relationship can be as important a step as any other in the management of the third-party lifecycle. While having the contractual right to terminate is a good starting point, it is only the starting point. You not only need to have a compliance and legal plan in place but a business plan as well. If you do not, the cost, both monetary and to your business reputation, can be quite high.

Three key takeaways:

1. Termination of third parties is an oft-neglected part of the third-party risk management process.

2. Make certain you have the contractual right to terminate third parties written into your compliance terms and conditions.

3. Have a strategy in place for termination before a crisis arises.

2 Gurus Talk Compliance – Episode 4

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in their podcast, 2 Gurus Talk Compliance, as they tackle topics on behavioral economics, OFAC settlement lessons, the importance of the user experience in compliance policy creation, and more. They also discuss incorporating behavioral sciences into compliance strategies and the exciting changes in compliance consulting services. With their expertise, they share insights on how data, behavioral science, and innovative approaches can improve compliance programs, business processes, and profitability.

Listen as they provide valuable insights on understanding culture by starting a dialogue and the importance of finding someone to give a narrative to. Lastly, they discuss the challenge of bribery and corruption and the need for compliance professionals to be innovative, accept failures, and be comfortable with experimentation. Take advantage of this exciting and informative podcast episode from two renowned compliance experts, Tom Fox and Kristy Grant-Hart.

Highlights Include:

• Evolution of Corporate Ethics and Compliance Programs

• Microsoft OFAC Settlement

• Irritating Emails

• Behavioral Science in Compliance

• Messaging Apps and Dept. of Business Denial

• FTX and its (lack of) Internal Controls

Notable Quotes

1. “I don’t want to say the traditional tools are limited, but we’ve really evolved past them.”

2. “When they were specifically talking about the section on learning and training and talking about that frequently shorter in more bursts, more frequently where the learner gets to decide when and how they learn is really a lot not just with behavioral science, but also with adult learning theory.”

3. “But again, 1 of the things that are so powerful about the enforcement act is that they tell us what we should be doing.”

4. “Compliance professionals need to look at their sales models and see if they’re using distributors.”

Resources

1. Microsoft’s OFAC Settlement Underscores Important Remedial Measures

2. FTX, Multimillion-Dollar Expenses Were Approved by Emoji

3. Your Email Does Not Constitute My Emergency

4. New DOJ policies about messaging apps and clawbacks threaten compliance departments’ standing

Connect with Kristy Grant-Hart on LinkedIn

Spark Compliance Consulting

One Month to a More Effective Compliance Program for 3rd Parties – ROI for 3rd Party Risk Management

A study by Forrester Research Inc. examined the user experience of a technology platform for third-party risk management and found that it led to a positive ROI for the technology user. I found the approach and methodology used persuasive and valuable for the compliance professional to consider in evaluating such a process in your organization. Some of the key findings readily translate for the compliance practitioner. The first area was risk assessments of third parties. If you provide a technological platform, you can enhance the speed and efficiency of your risk assessments on an ongoing basis. This decrease in time, both in terms of length and person-hours, will yield an immediate cost saving for your compliance function.

As detailed in the Forrester report, various other factors could further increase your ROI, including renewal assessments, ongoing monitoring, and increased business efficiencies for both your organization and its third parties. Most critically, you would demonstrate the operationalization of your compliance program into the very fabric of your organization.

Three key takeaways:

1. Why is demonstrating ROI on your third-party risk management program important?

2. Determining ROI helps to demonstrate operationalizing your compliance program.

3. Determining third-party management program ROI can help to tear down compliance silos.