Tag: compliance

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Financial Review of Your Business Venture Partner

One area not usually considered around your business ventures is the financial health of JV partner, teaming partner, strategic partner or any other type of business partner or relationship which might occur in a business venture. It turns out such an oversight may have some significant ramifications for an accurate picture of a business venture partner. The financial health of a business venture partner as not only a key metric but also a key tool which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.
A business venture partner which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point and a rationalization for committing a FCPA violation forming in the mind of a business venture partner.

Continuous improvement through monitoring of ongoing financial health is a tool where technological solutions can have an impact. Understanding the financial viability of third-parties can help the compliance practitioner meet the DOJ requirement to more fully operationalize a compliance program. It can also lead to more and better operational stability and with that ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.
Three key takeaways: 

  1. What is the financial health of your business venture partners? Do you even know?
  2. Poor financial results can open a business venture partner to engaging in risky behavior.
  3. Financial health monitoring is key for monitoring business venture partners.
Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 3: Kairi Isse on Implementation and Maintenance

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, I will visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management and Alexander Cotoia, Regulatory Compliance Manager from the Volkov Law Group. In this Part 3, I visited with Kairi Isse on the implementation of your third-party risk management program after the contract is executed.

Learning about the risk posed by third-party vendors to a company’s compliance program can be an eye-opening experience. However, through an AI-based ongoing monitoring search tool with customizable features and auditable trails, for third-party risk management, an organization can ensure that their compliance programs are effective and reduce their risks of fines and reputational damage during the implementation stage after a contract is executed.

Key Highlights

·      How can modern companies effectively manage third-party risk and protect their reputation?

·      What are the best ways to monitor third parties in a stable vendor ecosystem?

·      How can AI and machine learning make third-party management more efficient and effective?

Notable Quotes 

1.     “The key to this effective risk management is truly the follow-up, the ongoing follow-up to ensure that all the controls are in place and, if needed, are changed.”

2.     “The key to effective risk management is the ongoing follow-up to ensure all the controls are in place and, if needed, are changed.”

3.     “It’s not the most data; it’s the right data.”

4.     “Everything is audited in there; there are audits for the third-party profiles, and there are audits for each case.”

 Resources

Kairi Isse on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Compliance Lessons from the SVB Failure

The recent events surrounding Silicon Valley Bank have been both shocking and eye-opening. From the depositors who faced near death experiences, the shareholders who lost all their money, and the taxpayers who supported the bailout, it’s clear that there were multiple levels of oversight that failed to stop this disaster from happening. In this week’s episode of Compliance into the Weeds, Matt Kelly and myself explored the roles of KPMG, the Board of Directors and management, institutional investors, and the regulators, to uncover the lessons the compliance professional can take away from this debacle.

There were three key areas that SBV and those who advised it failed in. They included:

  1. Failures in identifying the poor risk management practices and the lack of assurance around the bank’s ability to access emergency cash.
  2. Failures by the Board of Directors and senior in responding to the red flags raised by the BlackRock consultants.
  3. Failures by SVB who was not prepared with a plan to resolve the crisis when it occurred.

Poor Risk Management Practices

The first step in understanding the lack of assurance around the bank’s ability to access emergency cash is to identify its poor risk management practices. KPMG, the banks’s auditors, may have given an anodyne report that stated there was no material risk of misstatement, but they could not have predicted the strategic risks that SVB was taking.  SVB got into trouble around its financial assets,  namely low-interest rate loans that SVB issued in the late 2010s. When the Federal Reserve started jacking interest rates to cool down inflation, the value of those loans fell. It put the bank in a precarious position. It is not clear what the bank’s management did but whatever it was, it was clearly insufficient.

Board and Senior Management Failure to Address Red Flags

Both the Board and senior management failed to respond adequately to the red flags raised by the BlackRock consultants, who SVB hired in late 2020, to look at their risk management practices. According to the report, SVB failed 11 of 11 criteria for risk management, indicating that there were serious issues present. This assessment should have been a red flag for management and the board’s risk committee, which met 18 times in 2022. It is not clear whether they discussed the BlackRock consultants’ report, but it is clear that the risk of rising interest rates and the lack of hedging to offset these risks was ignored. Despite this, the bank declined to pursue the opportunity for improvements.

Moreover by this time, the San Francisco Fed had already given Silicon Valley Bank at least six citations for poor risk management practices and not doing enough to assure easy access to emergency cash. This should have been a warning sign to both regulators and investors, yet it seems that no one was prepared for the eventual collapse of the bank. This oversight deficit points to a lack of communication and assurance from the board and management to the public, which is a key compliance lesson for other organizations.

 Lack of a Plan

Clearly, SVB was not prepared with a plan to resolve the crisis when it occurred. There was a clear lack of communication between the board and management of Silicon Valley Bank, it’s audit firm, and the regulators. The board and management of Silicon Valley Bank were aware of the risks that their strategies posed, as evidenced by their hiring of BlackRock consultants to assess their risk management processes. However, they failed to take the necessary steps to address the issues identified by the consultants, leaving the bank exposed to the risk posed by rising interest rates. The auditors also failed to point out the strategic risk of the bank’s holdings, instead offering an anodyne report that did not indicate any risk of material misstatement or substantial doubt about the bank’s ability to continue as a going concern. Finally, the regulators, such as the San Francisco Fed, had raised multiple red flags about Silicon Valley Bank’s risk management practices and potential lack of access to emergency funding, yet they failed to create a plan to address these issues before the crisis occurred. As a result, the public, investors, and depositors were left in the dark, without a plan to respond to the crisis.

The collapse of Silicon Valley Bank is a stark reminder that organizations need to take effective steps to ensure proper oversight and risk management. This includes both board and management members being aware of the risks posed by their strategies, engaging with auditors to assess the risks, and having a plan in place to deal with potential crises. The Silicon Valley Bank case serves as an example of what can happen when these steps are not taken and the consequences of such a failure. It is up to organizations to learn from this case and take the necessary steps to ensure that a similar disaster does not occur again. Despite the gravity of the situation, there is still hope that organizations can achieve the same level of compliance and oversight by following the lessons from this case.

Check out the full episode of Compliance into the Weeds, here.

Categories
Compliance Into the Weeds

SVB Failure – Lessons for Compliance

The award winning, Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt and I continue our exploration of the collapse of Silicon Valley Bank (SVB) and take a deeper dive into the compliance angles. Silicon Valley Bank had taken some big risks which led to depositors having a near-death experience, shareholders losing all their money, and taxpayers ultimately supporting the bank’s bailout. Despite the auditors giving an anodyne report on the bank’s risk management, the board, management and regulators all missed the big strategic risks. As a result, the bank collapsed, leaving Matt to question whether stakeholders were given the right assurance on the right things.

Key Highlights

·      What risk management strategies did SVB senior management and Board miss or ignore that could have prevented the financial disaster?

·      Why did SVB’s management decline to pursue improvements to their risk management practices after being warned by BlackRock consultants?

·      Did regulators miss the red flags raised by the San Francisco Fed examiners 18 months before the collapse of SVB?

Notable Quotes:

1.     “We should remember that really, the auditors’ report is going to give assurance on two points: Number one, is there a risk of material misstatement in the financial statements? And number two, does the audit firm have any substantial doubt about the organization’s ability to continue as a going concern for roughly the next twelve months or so? That’s how long it is. But it’s those two things.”

2.     “When you have Elizabeth Warren and conservatives both raising hell at the same time, it’s a valid issue to go and look at then because that does not happen too often.”

3.    “It’s like nobody had thought about this when really once we rolled back DoddFrank protections and supervisory constraints specifically for mid-sized banks, which Republicans pushed through in 2018, once that happened, that became the systemic risk that regulators had to think about.”

4.    “Everybody kind of sort of knew there was a problem, but a whole lot of finger pointing and not enough planning and assurance and communication to the public at large and to investors.”

 Resources

Matt  on LinkedIn

Matt on Radical Compliance

Tom on LinkedIn

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program -Implementation and Maintenance

Are you a compliance professional tasked with managing third-party risk relationships? Are you overwhelmed with the sheer amount of data that comes with that responsibility? How do you engage in implementation and maintenance. To answer these and other questions, I recently visited with Kairi Isse, Diligent’s Managed Services Group Manager, to discuss why the step of management after the contract is signed is the most important part of the third-party risk management cycle. She discusses the importance of ongoing monitoring and why it is critical for modern companies to understand the risks posed by their third parties. We consider the uses of an AI-driven ongoing monitoring search tool, allowing a customizable, auditable way to ensure compliance and reduce risk. Join us as we explore this most critical step on the life cycle of the third-party risk management—managing the relationship after the contract is signed. Here are the steps you need to follow to manage relationships with third-parties after the contract is signed:

  1. The importance of ongoing monitoring for third party risk management to minimize risks of data breach, bribery, and fines.
  2. Design and implement an effective ongoing monitoring program that works in practice.
  3. Utilize AI-driven ongoing monitoring search tools to focus on the right data for your organization.
  4. Create an audit trail to demonstrate the company’s continuous improvement based upon ongoing monitoring.
  1. The importance of ongoing monitoring

Ongoing monitoring for third-party risk management is key to minimizing risks of data breaches, bribery, and fines. Through proper monitoring and management of third parties, companies can ensure that their vendors are not putting them in a vulnerable position. In this interconnected world, third party risk is a significant compliance threat and can cause damage to a company’s reputation, leading to potentially hefty fines and perhaps more importantly reputational damage. Utilizing an AI-driven ongoing monitoring search tool can help reduce the haystack of data and find the needle, as well as a human element to review and analyze the watch list screen results. The key is to ensure their ongoing monitoring is effective and efficient throughout the entire life cycle of their third-party relationships.

 2. Design and implementation of ongoing monitoring

Designing and implementation of ongoing monitoring that works in practice is a critical step in managing a third-party relationship after the contract is signed. Utilizing AI-driven ongoing monitoring search tools is essential for a successful third-party risk management relationship. It is important to customize the search to focus on the right data for your organization, as this will make it easier to find the needle in the haystack. An AI-driven search tool should include all the big databases and sanctions watch lists, as well as adverse media, to ensure that the third party poses no regulatory risk; all after the contract is signed. There should also be transaction monitoring which reviews the sales or other transactions by the third-party. Finally, never forget the human element, to ensure that the data is correct and validated before final decisions are made.

  1. Analyze and validate thru AI-driven search tool

To analyze and validate watch list screen results and consider only true matches for further review, utilize an AI-driven ongoing monitoring search tool that includes all the major databases, sanctions watch lists, and adverse media. You should customize usage to your company’s risk profile, industry, and regulations your organization is required to comply with. Next review the search to determine if they are true matches or false positives. This helps to reduce the amount of noise and unnecessary data, as well as provides an auditable trail for every action. These actions will help create an auditable document trail which can be presented to auditors or regulators.

  1. Continuous improvement through ongoing monitoring

The next step is continuous improvement based upon your organization’s ongoing monitoring. Here an audit trail to demonstrate the company’s maintenance of ongoing monitoring, is critical. The Fox Maxim of Document Document Document, is still alive and well in the era of AI. Moreover,

This allows your organization to customize their search to focus on the right data for their organization and industry, eliminating the noise from irrelevant data sets. Once again the human factor comes into play through the review and analysis any potential matches from the AI searches to validate true matches. All of these steps should be auditable, recording every action taken in the system, allowing a company to demonstrate their continuous improvement based upon ongoing monitoring.

Managing your third-party relationship after the contract is signed is still the most a critical step any successful third-party risk management protocol. A well-designed and implemented compliance program should include regular screening of global databases and adverse media, even after the contract is signed. Transaction monitoring should also be used to test individual sales for any issues. An AI-driven ongoing monitoring search tool that can help reduce the haystack of data and find the needle, as well as a human element to review and analyze the watch list screen results. With these steps, your organization can be confident that your third-party risk management program is effective and efficient throughout the entire life cycle of your third-party relationships.

For more information, on Diligent’s Third Party Risk Management solution, click here.

Listen to Kairi Isse on the podcast series here.

Categories
31 Days to More Effective Compliance Programs

The Corp Controller and Business Ventures

One area not often considered by the CCO as a key part of any compliance regime is the Corporate Controller. The Controller generally has the responsibility to accurately record and report the financial transactions of the company, to design, implement and execute the financial processes and controls of the company to be both effective and efficient, and to safeguard the financial assets of the company. Some of the compliance responsibilities of the Controller include: 1) Designing and implementing internal controls that impact ethics and compliance risks; 2) Accurately recording the financial transactions of the company; and 3) Preventing and detecting fraudulent activity. All of this means, in practical terms the Controller is both being the keeper of the books and records and the implementer of internal controls. Moreover, while many of these internal controls would most probably be viewed financial internal controls, there are additional internal controls which are not financial in nature.

Russ Berland, has noted, “Those guys live really in the battle zone. They are constantly looking at financial transactions. They’re evaluating them. They’re figuring out where things go within the books and records. They are implementing the processes that should be keeping fraud from happening; keeping bribery and corruption from happening.”

These benefits are not a one-way street for compliance as a Controller benefits from a closer relationship with the corporate compliance function as well. They can leverage compliance resources. The compliance function can bring its observations and insights from investigations and emerging risks to the Controller. A closer collaboration will broaden awareness of compliance risks which relate to the company’s financial processes. By more fully integrating compliance into the Controller function a more robust picture of enterprise risk emerges, one which encompasses legal, compliance, ethics, internal controls, financial, business and governance risks.

Three key takeaways: 

  1. CCOs need to integrate the function of the Controller into their compliance regime.
  2. Offshore payments must be flagged for further investigations.
  3. The Controller is both the keeper of the books and records and the implementer of internal controls.
Categories
Innovation in Compliance

Third-Party Management: A Risk-Based Approach – Part 2: Stephanie Font on Questionnaires and Due Diligence

Welcome to a special 5-part podcast series sponsored by Diligent. Over this series, we will consider a risk-based approach to third-party risk management. Over this series, I will visit with Michael Parker, the Director of Consulting and Advisory Services; Stephanie Font, Director, Operations Optimization Group; Kairi Isse, Group Manager of Managed Services Group, Productions; Adam Bailey, Senior Vice President, Product Management and Alexander Cotoia, Regulatory Compliance Manager from the Volkov Law Group. In this Part 2, I visit with Stephanie Font on the need for evaluation of potential third-party through questionnaires and determination of the necessary due diligence investigations to comply with regulations while navigating using questionnaires to uncover the truth.

What is the importance of understanding regulations and risk factors when creating questionnaires to help with due diligence? Through understanding the risk model and what specific regulations the company needs to comply with, creating effective questionnaires to help with due diligence can become easier. Stephanie also found out that having a due diligence risk management system can automate some of the processes and help flag any potential risk factors. With the help of questionnaires and due diligence, Stephanie was able to learn how to effectively document and investigate potential third parties.

Key Highlights

  • How questionnaires can be used to comply with regulations and inform a risk model.
  • How due diligence investigations can help to uncover risk factors in a potential third party.
  • How a third-party risk management system can automate parts of the process.

 Notable Quotes

 1.     “Knowing what you’re trying to comply with and thinking of those questions that are going to get you there is probably the top thing.”

2.     “Don’t lose your common sense and listen if your gut tells you something’s wrong.”

3.     “Documentation is key to creating an internal audit trail and having something to show to regulators.”

4.     “Know your own risk model and build the risk model into the system to flag any potential risk factors.”

 Resources

Stephanie Font on LinkedIn

Check out Diligent’s 3rd party products and services here.

Categories
Blog

Reprioritizing Your Third-Party Risk Management Program-Questionnaire and Due Diligence

Are you considering a third-party questionnaire for your organization? With so much debate around what should be asked, and how detailed you should be, it can be hard to know where to start. In this 5-part blog post series, sponsored by Diligent, I will consider the full range of third-party risk management. Today, we consider the third-party questionnaire and I am joined by Stephanie Font, the director of the Operations Optimization Group at Diligent as we discuss third party questionnaires and due diligence investigations.

With so much debate around what should be asked in your questionnaire and how detailed your questionnaire should be, it can be hard to know where to start. It is important that every compliance professional understand your risk profile to all crafting of the right due diligence process to ensure compliance. Here are the steps you need to follow to also get compliance and  risk.:

  1. Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.
  2. Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.
  3. Documenting: Keeping records of the due diligence investigations to be used in the future.

Questionnaire: Gathering basic information about the third party and what regulations need to be complied with.

The first step to managing third parties is to create a questionnaire to gather basic information about the third party and what regulations need to be complied with. When creating the questionnaire, it is important to understand the organization’s risk model and what it is trying to achieve. The questionnaire should be tailored to the specific risk factors the organization is trying to address, as well as the regulations that need to be complied with. Questions should include items such as the size of the company, where they do business, and the type of relationship they have. Additionally, the questionnaire should ask questions that will alert to any potential risk factors, such as if they do business in a highly sanctioned country. Once the questionnaire is sent and responses are received, the answers can be used to inform the next step of the due diligence process. Your third-party risk management system should automate some of the process by flagging risk factors and indicating what level of investigation is needed. Lastly, it is important to document the process and create an audit trail that can be used for various reasons, such as compliance and internal review.

Due Diligence Investigation: Investigating the third party based on their answers to the questionnaire and other risk factors.

The second step of third-party due diligence is the due diligence investigation. This step involves investigating the third party based on their answers to the questionnaire and other risk factors. The best approach to this investigation is to first understand the company’s risk and what it is trying to accomplish. This allows the company to create a risk model and tailor the questionnaire to fit their needs. The questionnaire should include questions about the size of the company, where it does business, and other risk factors that may arise. After the questionnaire is complete, the next step is to assess the risk factors and determine the appropriate level of investigation needed. This could range from a baseline screening for sanctions list and other global databases to an enhanced due diligence investigation which involves boots on the ground to ask questions about the company’s reputation and verify a manufacturing site. Additionally, it is important to document the process to create an audit trail for internal stakeholders and regulators. This process should be tracked in a third-party risk management system to ensure everything is done correctly.

Documenting: Keeping records of the due diligence investigations to be used in the future.

Documenting is an important step in the due diligence process, as it helps to create an audit trail of the activities and decisions that were taken. When it comes to due diligence, it is important to keep records of all investigations that were conducted, as these records can be used in the future to defend any decisions that were taken. This allows for all the necessary information to be stored in a secure location and can even track any changes or updates to the investigations over time. Additionally, the system can be used to flag any potential risks that come up in the investigations, and it can also automate the process of deciding which type of investigation is necessary based on the risk model. Finally, it is important to keep all documents related to the due diligence process, such as the questionnaire, investigation reports, and any other relevant documents, to create an audit trail and ensure that all compliance regulations are met.

Third party due diligence is a crucial part of any compliance program. A thorough questionnaire and a detailed due diligence investigation can help organizations to mitigate risk and ensure compliance with applicable regulations. Additionally, it is important to document the process, as this creates an audit trail that can be used in the future. With the right tools and processes in place, organizations of any size can successfully manage third party risk and create a robust compliance program. With the right information and guidance, you too can create a successful third-party due diligence process for your organization.

For more information, on Diligent’s Third Party Risk Management solution, click here.

Listen to Stephanie Font on the podcast series here.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Know Your Customer

Do FCPA considerations come into play for customers? How should you think about your obligations under the FCPA for a group not traditionally associated with FCPA liability or even FCPA risk? These questions and perhaps others are raised by the FCPA investigation into certain transactions in Venezuela by Derwick Associates (Derwick) and a U.S. company ProEnergy Services (ProEnergy). ProEnergy supplied turbines that Derwick resold to the Venezuelan government and then installed in that country. This investigation demonstrates why businesses need to be more concerned with not only who they do business with but how their customers might be doing business. In banking and financial services parlance, you now need to ramp up your organization’s Know Your Customer (KYC) information to continue throughout a seller-purchaser relationship, in the context of the FCPA.

There does not have to be a direct bribe or other corrupt payment made by a U.S. company to have liability under the FCPA. FCPA enforcement is littered with companies that have paid bribes through third-parties. However, as the Fifth Circuit said in US v. Kay, “[W]e hold that Congress intended for the FCPA to apply broadly to payments intended to assist the payor, either directly or indirectly,” [emphasis mine]. While at first blush, ProEnergy may appear to be at the edge of potential FCPA liability; if it knew, had reason to know, or should have taken steps to know about some nefarious conduct by its customer, it does not take too many steps to get to some FCPA exposure. The FinCEN rules on customer due diligence for financial institutions are a good starting point for other commercial entities to base their compliance program for customers around.

Three key takeaways:

  1. Non-banking and non-financial service entities need to consider their KYC obligations in the context of FCPA risk.
  2. FinCEN rules on customer due diligence are a good starting point for the non-financial institution.
  3. Ongoing monitoring should be used and the information incorporated into your customer risk profile going forward.
Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Compliance for Business Ventures – Tying it all Together for Joint Ventures

I want to emphasize again the risks JVs pose under the FCPA. Mike Volkov has stated, “A joint venture requires the integration of disparate company cultures. It can be successful and is usually one of the significant reason for the joint venture itself.” Both parties should assess each other and decide that the JV is a good fit, meaning that each side will benefit. Too much time is spent on looking at the JV partner’s compliance toolbox (i.e., policies, procedures, and controls), and not enough time is spent on identifying compliance strengths and weaknesses. You must bring it all together with one format.

Indeed the 2020 Update to the Evaluation of Corporate Compliance Programs posed the following questions under the category, “Process Connecting Due Diligence to Implementation” What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post- acquisition audits, at newly acquired entities? Remember a “newly acquired entity” can be a joint venture.
Three key takeaways: 

  1. It all starts with a Relationship Manager.
  2. Have company oversight of all JVs. Couple this with a COC for a second set of eyes.
  3. Audit, monitor, and remediate (as appropriate) your JVs on an ongoing basis.