Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Board – 20 Questions Directors Should Ask about the Board Compliance Committee

In an area of inquiry entitled Oversight, the 2023 ECCP asks three basic questions which we have explored throughout this chapter:

1. What compliance expertise has been available on the Board of Directors?

2. Have the Board of Directors held executive or private sessions with the compliance function?

3. What types of information has the Board of Directors examined in their exercise of oversight in the area in which the misconduct occurred?

To facilitate the answers to these questions, consider this list of 20 questions to reflect the oversight role of directors. These are questions the Board should ask of both senior management and the Board should ask itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.

Part I: Understanding the Role and Value of the Compliance Committee

1. What are the Compliance Committee’s responsibilities and what value does it bring to the Board?

2. How can the Compliance Committee help the Board enhance its relationship with management?

3. What is the role of the Compliance Committee?

Part II: Building an Effective Compliance Committee

4. What skill sets does the Compliance Committee require?

5. Who should sit on the Compliance Committee?

6. Who should chair the Compliance Committee?

Part III: Directed to the Board

7. What is the Compliance Committee’s role in building an effective compliance program within the company? How can the Compliance Committee assess potential members and senior leaders of the company’s compliance program?

8. How long should directors serve on the Compliance Committee?

9. How can the Compliance Committee assist directors in retiring from the Board?

Part IV: Enhancing the Board’s Performance Effectiveness

10. How can the Compliance Committee assist in director development?

11. How can the Compliance Committee help the Board chair sharpen the Board’s overall performance focus?

12. What is the Compliance Committee’s role in Board evaluation and feedback?

13. What should the Compliance Committee do if a director is not performing or not interacting effectively with other directors?

14. Should the Compliance Committee have a role in chair succession?

15. How can the Compliance Committee help the Board keep its mandates, policies and practices up-to-date?

Part V: Merging Roles of the Compliance Committee

16. How can the Compliance Committee enhance the Board’s relationship with institutional shareholders and other stakeholders?

17. What is the Compliance Committee role in CCO succession?

18. How can the Compliance Committee foster great technical impact for compliance function?

19. What role can the Compliance Committee play in preparing for a crisis, such as the discovery of a sign of a significant compliance violation?

20. How can the Compliance Committee help the Board in deciding CCO pay, bonus and resources made available to the corporate compliance function?

 Three key takeaways:

1. The DOJ Evaluation requires active Board of Director engagement around compliance.

2. Board communication on compliance is a two-way street; both inbound and outbound.

3. Has the Board built an effective Compliance Committee for itself?

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Incorporating Compliance into a Long-Term Corporate Strategy

How can a Board work incorporate the compliance function into a long-term business strategy of the organization?

The starting point for a Board of Directors is to develop a framework for incorporating compliance into your long-term strategy. To set up the framework for evaluating compliance into your Board’s long-term strategy is a three-step process, which you can use to determine how comprehensive the Board’s role in your compliance program is as a starting point.

1. Has the company identified the compliance issues relevant to the Board?

2. Has the company assessed and incorporated those compliance issues into its long-term strategy?

3. Has the company communicated its approach to compliance and the influence of those factors on its overall strategy?

From this initial inquiry, you can move into some specific questions that the Board can use to determine the overall state of your company’s compliance program. First, a Board can work to identify compliance issues material to your organization. This can be accomplished with compliance-related KPIs, which a Board should prioritize to elevate their impact on compliance. A Board should consider these through the life cycle of a business line or geographic sales area. Next, the Board should work to move compliance into the company’s long-term strategy and have the CCO detail the long-term strategy for the compliance function.

The Board should oversee incorporating KPIs into senior management performance evaluations and compensation. Once again building upon the 2020 Update, which asks how the company monitors its senior leadership’s behavior and how senior leadership models proper behavior to subordinates, the Board should make certain systems are in place to quantify or measure performance related to compliance issues, should establish performance goals against which they measure compliance achievement and disclose to shareholders the material compliance issues that drive compensation, the specific goals or performance targets that management must achieve and report on the actual performance against established goals to justify compensation payouts.

Finally, the Board should work to communicate the influence of compliance factors on overall corporate strategy by demonstrating how compliance was integrated into the business. Not only is this good from a business perspective and shareholder expectation, but it is also, as the 2020 Update makes clear, what the government expects is the operationalization of compliance going forward.

1. Having a long-term strategy is critical.

2. What is the Board’s framework for assessing compliance?

3. Create KPIs to measure senior management’s actions around compliance.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program with Boards – Legal Requirements of the Board Regarding Compliance

As to the specific role of best practices in general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc., 698 A.2d 959 (Del. S. Ct. 1996) was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.”

In the case of Stone v. Ritter, the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties concerning corporate compliance issues. Second, the Court found that no duty of good faith forms a basis for director liability, independent of the duties of care and loyalty. Rather, Stone v. Ritter 911 A.2d 362 (‎Del. S. Ct. 2006) holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

The Board has the role of monitoring the performance of the compliance function, including monitoring the performance of it using standard economic metrics and overseeing compliance with applicable laws and regulations. While the Board is not responsible for auditing or ferreting out compliance problems, it is responsible for determining that the company has an appropriate system of internal controls. The Board should also monitor company policies and practices that address compliance and matters affecting the public perception and reputation of the company. Every company should ensure that it conducts appropriate compliance training for employees and conducts regular compliance assessments. Finally, the Board must take appropriate action if and when it becomes aware of a material problem it believes management is not properly handling. The Delaware Supreme Court has expanded this obligation in the cases of Marchand v. Barnhill (the “Blue Bell” case),  Clovis Oncology, Hughes, and Boeing.

From the Delaware cases, a Board must have a corporate compliance program in place and actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, additional oversight should exist. In other words, there is an affirmative duty to ask tough questions. However, there has been a significant expansion of the Board’s Caremark obligation.  Delaware courts will be much more scrutinizing of Caremark claims going forward. The evolution of decisions from Marchand to Boeing shows that a company must have robust compliance and risk management oversight but, more importantly, engage in oversight for the company’s signature risk(s). Boards must do so aggressively, not passively.

As Mike Volkov has noted, “At the bottom, the Chancery Court is raising the stakes on board member accountability.”

 Three key takeaways:

  1. The Delaware courts have led the way with the Caremark and Stone v. Ritter decisions.
  2. Boards must have compliance expertise and exercise it.
  3. In a series of recent decisions, the Delaware courts are expanding the Caremark obligations, most recently.

For more information check out The Compliance Handbook, 3rd edition, available from LexisNexis here.

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties- Freight Forwarders

The FCPA world is littered with cases involving freight forwarders, brokers and agents in the shipping and express delivery arena. Both the DOJ and SEC have aggressively pursued third-party business relationships where bribery and corruption have been found. This is particularly true where companies are required to deliver goods into a foreign country through the assistance of a freight forwarder or express delivery service.
If you utilize the services of a third-party for as a freight forwarders, brokers and agents in the shipping and express delivery arena, that company’s actions will go a long way in determining your company’s FCPA liability. You must have a thoughtful process and document that process.

Three key takeaways:

  1. Express delivery services and freight forwarders present unique compliance risks.
  2. There must be a business justification to bring on new express delivery services or freight forwarders in high risk jurisdictions.
  3. Consider constructing a risk matrix in this area.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – Distributor Compensation

One of the issues in any compliance program is the compensation paid to a third party, as FCPA exposure arises when companies pay money, either directly or indirectly, to fund bribe payments. Another area that leads to exposure from third parties is with distributors. In a distributor relationship, the distributor purchases a product, taking the risk of loss and title, at a discount from a manufacturer. The distributor resells at an uplift, and that spread between the purchase price and sales price is the distributor’s income. If a product is purchased at an inflated discounted rate and sold, the difference between the purchase price and resale value could be used for corrupt purposes. Commission payments and excessive distributor discounts can be channeled to pay bribes.

The FCPA Resource Guide, 2nd edition, noted that common red flags associated with third parties include “unreasonably large discounts to third-party distributors.” When companies grant distributors uncommonly steep discounts, bribes can result either: 1) because the company instructs the distributor to use the excess amounts to fund corrupt payments; or 2) because the distributor pays bribes on its own, without the express direction or implicit suggestion from the company, to gain some business advantage.

Three key takeaways:

  1. Creating a well-thought-out process that operationalizes your compliance program around distributor compensation in a manner that documents your decision-making calculus is key.
  2. Require multiple levels of approval for an out-of-range distributor discount.
  3. Tracking distributor discounts globally make your company more efficient.
Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties-Terminating 3rd Parties

At some point, you will be required to terminate a third party and there will be multiple legal, compliance and business issues to navigate through. If you are stuck doing it in the middle of a FCPA or U.K. Bribery Act investigation, there may well be some tension to do so and do so quickly. If you have not thought through this issue and created a process to follow before a crisis occurs, you may well be in for a very tough road. Yet the 2023 ECCP specifically asked that question in the section entitled, Real Actions and Consequences, when it posed the query: Has a similar third party been suspended, terminated, or audited as a result of compliance issues?

The key theme in termination is planning. The Office of Comptroller of the Currency (OCC), OCC Bulletin 2013-29, said that regarding third-party termination, a bank should develop a “contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.”

Although rarely considered, the termination of a third-party relationship can be as important a step as any other in the management of the third-party lifecycle. While having the contractual right to terminate is a good starting point, it is only the starting point. You not only need to have a compliance and legal plan in place but a business plan as well. If you do not, the cost in both monetary and potential business reputation can be quite high.

 Three key takeaways:

1. Termination of third parties is an oft-neglected part of the third-party risk management process.

2. Make certain you have the contractual right to terminate third parties written into your compliance terms and conditions.

3. Have a strategy in place for termination before a crisis arises.

Categories
2 Gurus Talk Compliance

2 Gurus Talk Compliance – Episode 4

What happens when two top compliance commentators get together? They talk compliance, of course. Join Tom Fox and Kristy Grant-Hart in their podcast, 2 Gurus Talk Compliance, as they tackle topics on behavior economics, OFAC settlement lessons, the importance of the user experience in compliance policy creation, and more. They also discuss incorporating behavioral sciences into compliance strategies and the exciting changes in compliance consulting services. With their expertise, they share insights on how data, behavioral science, and innovative approaches can improve compliance programs, business processes, and profitability.

 

Listen as they provide valuable insights on understanding culture by starting a dialogue and the importance of finding someone to give a narrative to. Lastly, they discuss the challenge of bribery and corruption and the need for compliance professionals to be innovative, accept failures, and be comfortable with experimentation. Take advantage of this exciting and informative podcast episode from two renowned compliance experts, Tom Fox and Kristy Grant-Hart.

Highlights Include:

·      Evolution of Corporate Ethics and Compliance Programs

·      Microsoft OFAC Settlement

·      Irritating Emails

·      Behavioral Science in Compliance

·      Messaging Apps and Dept. of Business Denial

·      FTX and its (lack of) Internal Controls

 Notable Quotes

1.      “I don’t want to say the traditional tools are limited, but we’ve really evolved past them.”

2.     When they were specifically talking about the section on learning and training and talking about that frequently shorter in more bursts, more frequently where the learner gets to decide when and how they learn is really a lot not just with behavioral science, but also with adult learning theory.”

3.     “But again, 1 of the things that are so powerful about the enforcement act is that they tell us what we should be doing.”

4.     “Compliance professionals need to look at their sales models and see if they’re using distributors.”

Resources 

1.     Microsoft’s OFAC Settlement Underscores Important Remedial Measures

2.     FTX, Multimillion-Dollar Expenses Were Approved by Emoji

3.     Your Email Does Not Constitute My Emergency

4.     New DOJ policies about messaging apps and clawbacks threaten compliance departments’ standing

Connect with Kristy Grant-Hart on LinkedIn

Spark ComplianceConsulting

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Categories
31 Days to More Effective Compliance Programs

One Month to a More Effective Compliance Program for 3rd Parties – ROI for 3rd Party Risk Management

A study by Forrester Research Inc. compared the user experience, which led to a positive ROI for the technology user around third-party risk management. I found the approach and methodology used persuasive and valuable for the compliance professional to consider evaluating such a process in your organization. Some of the key findings readily translate for the compliance practitioner. The first area was in risk assessments of third parties. If you provide a technological platform, you can enhance the speed and efficiency of your risk assessments on an ongoing basis. This decrease in time, both in terms of length and person-hours, will yield an immediate cost saving for your compliance function.

 

Various other factors could increase your ROI, as detailed in the Forrester report, which includes renewal assessments, ongoing monitoring, and increased business efficiencies for both your organization and the third parties, which would all work to increase ROI. Most critically, you would demonstrate the operationalization of your compliance program into the very fabric of your organization.

Three key takeaways:

1. Why is demonstrating ROI on your third-party risk management program important?

2. Determining ROI helps to demonstrate operationalizing your compliance program.

3. Determining third-party management program ROI can help to tear down compliance siloes.

Categories
31 Days to More Effective Compliance Programs

Day 12 of One Month to Better 3rd Party Management – Auditing of Third Parties

Auditing third parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. This is a key manner in which a company can manage the third-party relationship after the contract is signed and which the government will expect you to engage in going forward. As stated in the 2020 Update, under the section entitled, Management of Relationships, is the following query: Does the company have audit rights to analyze the books and accounts of third parties and has the company exercised those rights in the past? This means you must not only have audit rights but also exercise them.

 Three key takeaways:

1. Be prepared.

2. It is not an investigative interview but an audit interview.

3. Listen, listen, and listen.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Internal Controls – Code of Conduct as an Internal Control

In 2016, the SEC announced one of the most interesting non-international-focused FCPA enforcement actions. It involved a clear quid pro quo benefit paid out by United Airlines, Inc. to David Samson, the former chairman of the Board of Directors of the Port Authority of New York and New Jersey. This public government entity has authority over, among other things, United’s operations at the company’s huge east coast hub in Newark, New Jersey.

At the time, United’s Code of Conduct prohibited “United employees from directly or indirectly making bribes, kickbacks or other improper payments to government officials, civil servants or anyone else to influence their acts or decisions” and that “[n]o gift may be offered or accepted if it will create a feeling of obligation, compromise judgment or appear to influence the recipient improperly.” Only the United Board of Directors could grant a waiver to the code, and none was sought or obtained by Smisek. The Order concluded, “The [Chairman’s] Route was initiated in violation of United’s policies.”

The company was also sanctioned for not having internal controls to prevent such actions as those taken by Smisek. The SEC also found this was a violation of Section 13. This was in the face of detailing the protocol for the United instituting or reinstituting a route. The Order stated, “United had insufficient internal accounting controls to prevent approval of the South Carolina Route in derogation of United’s Policies.” All the underlying facts, enforcement theories, and remediation point towards the failure of internal controls when domestic bribery corruption occurs.

 Three key takeaways:

1. It is very unusual for the FCPA to form the basis of a domestic bribery violation.

2. A Code of Conduct can be an internal control.

3. Even a CEO must follow internal controls.

For more information on building a best practices compliance program, including internal controls, check out The Compliance Handbook, 3rd edition.