Categories
Innovation in Compliance

Operationalizing Compliance: Part 1 – Compliance Program Effectiveness with Jennifer May

Welcome to a special five-part podcast series on Operationalizing Your Compliance Program, sponsored by Broadcat LLC. We consider various ways to more fully operationalize your compliance regime, including the design and effectiveness of your communications, why the operationalization of compliance is a team sport, why simply data is not the answer, and how to avoid being overwhelmed. In Part 1, I am joined by Jennifer May to consider compliance program effectiveness.

Highlights from this episode include:

·      What is and is not effective?

·      Identify silos and work through them.

·      Compliance is not a closed-book test.

·      Document Document Document

For more information, go to TheBroadcat.com

Categories
FCPA Compliance Report

Tom Fox and Mike Volkov with the 2022 Year in Review for the FCPA, Part 2

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this special episode, I am joined by Mike Volkov, founder of the Volkov Law Group. We conclude with Part 2, looking back on the year 2022 in FCPA and Compliance. We consider the Monaco Memo, the key cases, and some of the important issues which arose in 2022 and how they might impact compliance in 2023.

In this episode, we consider the following:

·      Building trust and credibility in the investigative process

·      The ABB FCPA enforcement action

·      The Honeywell FCPA enforcement action

·      Why the heat is on compliance after the Monaco Memo

·      Corporate incentives and discipline, including clawbacks

·      The Glencore FCPA enforcement action and CCO Certification

Resources

Mike Volkov on LinkedIn

The Volkov Law Group

Categories
Blog

Operationalizing Compliance: Part 1 – Compliance Program Effectiveness

Welcome to a special five-part podcast series on Operationalizing Your Compliance Program, sponsored by Broadcat LLC. Over this series, I visit with Jennifer May, Director of Compliance Advisory; Taylor Edwards, Director of Sales; Xinia Pirkey, Design Manager; Alex Klingelberger, Chief Executive Officer (CEO); and Jaycee Dempsey, Director of Customer Success. We consider a variety of ways to more fully operationalize your compliance regime, including the design and effectiveness of your communications, why the operationalization of compliance is a team sport, why simply data is not the answer, and how to avoid being overwhelmed. In Part 1, I am joined by Jennifer May to consider what compliance program effectiveness is.

We began with one of the most well-worn words in compliance that still challenges compliance professionals, that being ‘effectiveness’. May said that it is not about getting a hundred percent completion on some sort of training module, which unfortunately in many ways has become the benchmark or the metric used. Instead, it is about getting information to individuals so you can get the right outcomes. Effectiveness is not represented by clicks but rather it is about outcomes.

You should start by identifying your highest risk activities. Begin by asking questions, which might include “Are you having good (or bad) outcomes when it comes to those risky activities? And if you’re not, why are you not? Do your employees understand what it is that they are supposed to be doing and when they are supposed to be doing it? What are those behaviors and the outcomes that we want to change or need to change to get to the appropriate outcomes?”

By asking such questions and delivering training and communications on those topics and areas, you begin to see a shift in people. It is not about a click; the result is compliant behavior. Shifting the focus and conversation to what those outcomes are allows you to start thinking about training in a different way and you can start to see how effectiveness can begin to be impacted by solid training that focuses on outcomes.

May analogized it to a closed-book or open-book test. She does not believe employees should think of compliance as a “closed-book test.” Compliant behavior is not something that you should keep behind a curtain. Your information should be out there and available to any employee who needs it in the moment that they need it. If there is a risk to manage, that is when they will need it. But if your employees need such information “the next time and the next time, and every time subsequent to that, then that’s okay too. There’s no reason why keeping that compliance information hidden or keeping it locked away and making them remember it is going to make them more effective or, more appropriately, compliant in their behaviors. Providing that information upfront and always when they need it, is really the key.”

Obviously, compliance folks cannot be everywhere all at once. Your compliance function may be a single person or a small team. Further, they cannot morph themselves into covering every single risk and every single moment of the organization every time. That is why the closed-book test does not do them any good as they cannot “be standing over someone’s shoulder every time talking about why they need to do something, what they need to do and how they need to do it.” Keep an open-book approach and make compliance information openly available whenever employees need it.

We concluded with a few thoughts on credibility for your compliance program, which May believes is a very important concept for compliance, and she had an interesting take on that issue. She said that credibility “honors employees as professionals in the work that they are doing.” This ties into “being open about the resources that are available, encouraging them to use them, encouraging them to find them, and perhaps, most importantly, encouraging them to reach out when they have a question.” May sees all this as a part of that credibility. This leads to engagement on a level which is about what they do and demonstrating that you, as the compliance professional, are there to support them.

Join us in Part 2 where we look at program design.

Resources

For more information, check out Broadcat here.

Categories
31 Days to More Effective Compliance Programs

Day 22 – Internal Reporting and Triaging Claims

The call, email, or tip comes into your office; an employee reports suspicious activity across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process, which will determine, in many instances, how the company will respond going forward. This is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers trained on handling employee concerns; they must be incentivized to take on this compliance responsibility, and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns. The Monaco Memo’s emphasis on internally detecting such actions and self-reporting makes this more important.

The reason is that a business’s employees are the company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the U.S. Sentencing Guidelines and the Organisation for Economic Co-operation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank Whistleblower provisions also heed the implementation of a hotline.

Given the number of ways that information about violations or potential violations can be communicated to government regulators, a robust triage system is an important way for a company to determine what resources to bring to bear on a compliance problem.

Jonathan Marks has articulated a five-stage triage process that allows for an early assessment of any allegations and a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider the types of evidence to review going forward. Finally, before selecting a triage solution, understand what tools are available, including forensic and human, to complete the investigation.

Three key takeaways:

1. The DOJ and SEC put special emphasis on internal reporting lines.

2. Test your hotline regularly to make sure it is working.

3. Every claim should be triaged before starting an investigation.

Categories
Sunday Book Review

January 22, 2023 – Top Ethics Books To Read in 2023 Edition

In the Sunday Book Review, I consider books that interest the compliance professional, the business executive, or anyone who might be curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest me. In today’s edition of the Sunday Book Review, we consider some of the top ethics books which every compliance professional should read in 2023:

·      Ethics for Behavior Analysts by Jon Bailey and Mary Burch

·      Stoic Philosophy and the Control Problem of AI Technology: Caught in the Web by Edward Spence

·      The Rise of Business Ethics by Bernard Mees

·      Business Ethics for Better Behavior by Jason Brennan, William English, John Hasnas, and Peter Jaworski

Resource

20 Best New Ethics Books To Read In 2023 by Annemarie Slaughter

Categories
31 Days to More Effective Compliance Programs

Day 21 – Continuous Improvement in a Compliance Program

The 2020 Update was clear about the need for continuous improvement in any compliance program. It succinctly stated, “One hallmark of an effective compliance program is its capacity to improve and evolve. Implementing controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure it is not stale.”

Continuous improvement through monitoring or similar techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based on new and updated best practices specified by regulators. A compliance program is, in many ways, a continuously evolving organism, just as your company is. It would be best to build a way to keep pace with the market and regulatory changes to have a truly effective anti-corruption compliance program.

Three key takeaways:

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different yet complementary tools for continuous improvement.
  3. Cultural assessment and monitoring are now required as well.

Categories
31 Days to More Effective Compliance Programs

Day 20 – Responding to Investigative Findings

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the Board of Directors and senior management’s attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations, “We are an ethical company.” However, it may be time for a very serious reality check.

You may find yourself in a position where you will have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. In an interview with Russ Berland, he noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “tricky because you get your fifteen minutes to get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

Three key takeaways:

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. Be prepared to deal with the dreaded “where else” question.

Categories
31 Days to More Effective Compliance Programs

Day 19 – Your Investigation Protocol

After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it promptly, thoroughly, and with competent personnel. The 2020 Update provided this series of questions about your internal investigations:

Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?

Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?

Resources and Tracking of Results – Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the hotline’s effectiveness, for example, by tracking a report from start to finish?

In a presentation, Jay Martin, retired Chief Compliance Officer at Baker Hughes, and Jacki Trevino, Senior Director of Advisory Services Group at SAI Global Limited, discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up, and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations in a clear, concise, and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document” not only the steps you took but why and the outcome obtained.

Three key takeaways:

  1. A written protocol, created before an investigation, is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.

Categories
Corruption, Crime and Compliance

2022 FCPA Year in Review Featuring Tom Fox

2022 saw higher numbers of FCPA enforcement actions, settlements, and criminal prosecutions of individuals. One of the most important developments was the update of policy in the Monaco Doctrine, which was elaborated on in the Monaco Memo, providing important guidance for compliance professionals. Tom Fox joins Michael Volkov to discuss some of the more interesting cases from the past year.

Tom Fox is hailed as the Voice of Compliance, serving and evangelizing for the compliance community for over 15 years. He is the founder and creator of the Compliance Podcast Network where he hosts various podcasts, such as Innovation In Compliance and the ESG Report, and the Executive Leader at the C-Suite Network.

Some ideas you’ll hear them explore are:

  • The DOJ is getting better at communicating with the compliance community through resolution documents like DPA, NPA, and, occasionally, declinations. These documents provide insight into the DOJ’s thinking and approach to cases, which compliance professionals can use to gain a better understanding of how to approach compliance issues.
  • In Tom’s upcoming book, “FCPA Year in Review 2022,” he highlights the KT Corp bribery case, which went back to the basics in its old-school rendition of corruption: bags of cash money. The lesson here is that bribery can be as simple as a $50 slipped into a handshake.
  • In the curious case of Glencore, the FCPA enforcement action taken against them reflects the DOJ’s focus on defective cultures within companies. This case involved multiple enforcement agencies across multiple countries and multiple bribery schemes, rounding up fines and penalties totalling up to $1.1 billion, with $700M for FCPA violations, and $441M for price and market manipulation. Glencore had a culture that was committed to profit at any cost, and the company paid over $100M to third parties knowing that some of the money would be used to bribe officials in various countries.
  • The Oracle case involving bribery and corruption involving gifts, travel, and entertainment should serve as a reminder to companies to review their gift, travel, and entertainment policies and ensure they are aware of how their business officials are spending their travel, per diem, and entertainment money.
  • Avoid hiring third parties recommended by or at the direction of a state-owned official or executive.
  • The Lisa Monaco memorandum emphasizes the need for effective compliance programs and the benefits of voluntary disclosure, full cooperation, and timely and appropriate remediation.

KEY QUOTE

“Internal controls are not simply due diligence, distributors, et cetera. It goes down to your payments, schemes and how you pay your vendors should all be a part of your internal controls.” – Tom Fox

Resources

Tom Fox on the Web | LinkedIn | Twitter | Blog

Categories
31 Days to More Effective Compliance Programs

Day 15 – How do you evaluate a risk assessment?

After completing your risk assessment, you must translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will be an effort to address it. As Ben Locwin explained in his BioProcess International article entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”:

“Once we have assessed risks and determined a process that includes options to resolve and manage them whenever appropriate, we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are better positioned to speak about the quality of our businesses.”

William C. Athanas, in his Industry Week article, “Rethinking FCPA Compliance Strategies in a New Era of Enforcement,” posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where just a few people commit virtually all violations. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey stick,” to which a company should devote most of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts, such as intensive training sessions or detailed analysis of key financial transactions involving those employees with the greatest means and motive to commit a violation.

The priority risks are the most significant risks with the greatest likelihood of occurring. These become the focus of your most significant risk management efforts, coupled with ongoing audits and monitoring. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program rather than letting the compliance program inform the risk assessment.

Three key takeaways:

  1. Even after you complete your risk assessment, you must evaluate those risks for your company.
  2. The DOJ and SEC are looking for a well-reasoned approach to how you evaluate your risk.
  3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.