Categories
31 Days to More Effective Compliance Programs

Day 31 – Using a Root Cause Analysis for Remediation

The 2020 Update re-emphasized the need to perform a root cause analysis and, equally importantly, use it to remediate your compliance program. It stated, “a hallmark of a compliance program that works effectively in practice is the extent to which a company can conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”
It went on to ask what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk.”

The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach using data already in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process in which one method can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event, and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.

When you step back and consider what the DOJ was trying to accomplish with its 2020 Update, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.

Three key takeaways:

  1. The key is objectivity and independence.
  2. The critical element is how you used the information you developed in the root cause analysis.
  3. The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach using data already in the organization.
Categories
31 Days to More Effective Compliance Programs

Day 30 – What is a Root Cause Analysis?

One of the most significant changes in the 2020 FCPA Resource Guide, 2nd edition, was the addition of a new Hallmark entitled “Investigation, Analysis, and Remediation of Misconduct,” which reads in full:

The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.

In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches.

Ultimately, performing a root cause analysis is not simply sitting down and asking many questions. You need an operational understanding of how a business operates and how it has developed its customer base. Overlay the need to understand what makes an effective compliance program with the skepticism an auditor should bring so that you do not simply accept an answer provided to you, as you might in an internal investigation. Marks noted that “a root cause analysis is not something where you can ask the five whys. You need these trained professionals who understand what they’re doing.”

Three key takeaways:

  1. A root cause analysis is required if you have a reportable compliance failure.
  2. There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.
  3. To properly perform a root cause analysis, you need trained professionals who understand what they’re doing.
Categories
The ESG Report

Why Compliance Should Lead the Corporate ESG Effort with Kristy Grant-Hart

What does remodeling a home have to do with ESG? In this episode of the ESG Report, Tom Fox and Kristy Grant-Hart discuss the role of compliance in leading the ESG initiative within a corporation. Kristy, the founder of Spark Consulting, explains how compliance professionals can expand their role to lead the E, S and G components of ESG. She also shares her personal experience of remodeling her new home with her husband and how it relates to ESG.

Kristy Grant-Hart is a well-known figure in the compliance field. She is the founder and CEO of Spark Consulting, a global compliance and ethics consultancy that recently celebrated its 6th anniversary. Spark Consulting now has locations in Chicago, New York, Los Angeles, and London. The company also recently released a business simulation game called Compliance Competitor, which has been picked up by many companies. Kristy has over 15 years of experience in compliance and governance, working with clients across multiple industries. She is also the author of four books, including How To Be A Wildly Effective Compliance Officer and The Compliance Entrepreneurs Handbook, which was written with Kirsten Liston and Joseph Murphy.

You’ll hear Tom and Kristy talk about:

  • ESG is a bridge between compliance, governance, and board relationships.
  • ESG can be a huge driver for change and reputation enhancement.
  • CCOs are skilled at bringing together people and putting programs into a framework, and this lends itself well to running a successful ESG program. 
  • The renewed focus on G (Governance) is a positive development, as better governance leads to more ethical behavior and compliance. Compliance has a relationship with the board, the Audit and Risk Committee, and it makes sense for compliance to expand its remit of reporting and talk about different stakeholders in different ways for better board management.
  • The push for gender diversity on boards is a step towards greater perspective and understanding of different stakeholders.
  • Supply chain management is an important aspect of the compliance function.
  • The June 2020 Update to the Evaluation of Corporate Compliance Programs from the Department of Justice emphasizes the importance of institutional justice and fairness within corporations, which ties into ESG principles.
  • The compliance function and CCO must have access to all corporate data, not just compliance data, in order to effectively lead ESG efforts.
  • The S in ESG, which stands for social, encompasses issues such as diversity, equity and inclusion, and responsible sourcing in the supply chain.
  • The evolution of supply chain compliance and its integration into ESG efforts has been growing in recent years.
  • Compliance professionals already have a wide range of skills and experience that can be applied to leading E efforts within ESG. They have an important role to play, even if they are not experts in the field.
  • Remodeling a home can also be a valuable learning experience: Kristy’s personal experience of learning new construction skills aligns with the idea that compliance professionals can learn and lead the E component of ESG.

KEY QUOTE

“I think that the more that we see diversity on boards, the better companies will do, but also the opportunities become more expansive and that’s something that I’m passionate about and feel that’s incredibly important. I also think compliance should have much more of a seat on boards.” – Kristy Grant-Hart

Resources:

Kristy Grant-Hart on Website | LinkedIn | YouTube  

Kristy Grant-Hart books

Spark Compliance

Categories
31 Days to More Effective Compliance Programs

Day 29 – Post-acquisition Integration Plan

Your company has just made its largest acquisition, and your CEO says they want you to have a compliance post-acquisition integration plan on their desk in one week. Where do you begin? An excellent place to start would be the 2020 FCPA Resource Guide, 2nd edition language:
Pre-acquisition due diligence is usually only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.

The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based on your pre-acquisition due diligence and risk assessment. Moreover, the DOJ and SEC view both the pre- and post-acquisition phases of M&A as tied together in a unidimensional continuum. If pre-acquisition due diligence is impossible, you should review the requirements and time frames laid out in Opinion Release 08-02 or the 2020 FCPA Resource Guide, which noted, “pursuant to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence.” Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as is practicable.

The earlier you can deploy these steps, the better off your company will be at the end of the day. An acquisition that fails for compliance reasons is a preventable disaster of the first order. One need only consider the Latin Node Inc. FCPA enforcement actions where the acquiring company had to write off its entire investment because it had failed to engage in appropriate pre-acquisition due diligence.

Three key takeaways:

  1. Planning is critical in the post-acquisition phase.
  2. Build upon what you learned in pre-acquisition due diligence.
  3. You literally need to be ready to hit the ground running when a transaction closes.
Categories
31 Days to More Effective Compliance Programs

Day 27 – Operationalizing Compliance Through Payroll

One of the areas articulated in the 2020 Update was around payments and payroll. The compliance professional and the corporate payroll function have a significant role to play in the operationalization of a corporate compliance program. The 2020 Update was replete with references to payment and its critical nature to any best practices compliance program. This includes payments to foreign officials, payments to third parties, and hiding bribes in payments to distributors. The 2020 Update begins with an admonition to stop wasting time on low-hanging fruit when there are much higher risks in your business operations.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is out of payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help to operationalize your compliance program.

The DOJ has provided its clearest statement on how it expects a company to do compliance in the future. Gone are the days when the DOJ considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that the appropriate business unit should administer with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and controls.

Three key takeaways:

  1. Payroll can be a key prevention and detection control.
  2. The 2020 Update specified tying the corporate compliance function to the corporate payroll function.
  3. Offshore payments remain a key indicator for a red flag.
Categories
Innovation in Compliance

Operationalizing Compliance: Part 5-Overwhelmed, yet? with Taylor Edwards

Welcome to a special five-part podcast series on Operationalizing Your Compliance Program, sponsored by Broadcat LLC. Over this series, we consider a variety of ways to more fully operationalize your compliance regime, including the design and effectiveness of your communications, why the operationalization of compliance is a team sport, why simply data is not the answer, and how to avoid being overwhelmed. In our Part 5 conclusion, I am joined by Taylor Edwards to discuss how compliance professionals can keep from being overwhelmed by all of ‘this’.

Highlights from this episode include:

  • Unpack your program through critical examination.
  • Know your history and understand how you got where you are.
  • Face data but do not be paralyzed by it.
  • It’s about being real and accountable.

For more information go to TheBroadcat.com

Categories
Blog

Operationalizing Compliance: Part 5-Overwhelmed, yet?

Welcome to a special five-part podcast series on Operationalizing Your Compliance Program, sponsored by Broadcat LLC. Over this series, I have visited with Jennifer May, Director of Compliance Advisory; Taylor Edwards, Director of Sales; Xinia Pirkey, Design Manager; Alex Klingelberger, Chief Executive Officer (CEO); and Jaycee Dempsey, Director of Customer Success. We consider a variety of ways to more fully operationalize your compliance regime, including the design and effectiveness of your communications, why the operationalization of compliance is a team sport, why simply data is not the answer, and how to avoid being overwhelmed. In our Part 5 conclusion, I am joined by Taylor Edwards to discuss how compliance professionals can keep from being overwhelmed by all of ‘this’.

Compliance professionals can be overwhelmed by all the information coming out of regulators such as the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). In 2022, this included the Monaco Memo and several major Foreign Corrupt Practices Act (FCPA) enforcement actions. Edwards suggested starting from the position of “how does that apply to me?” From there you can “get real with yourself about where things may not be perfect, but also provide insights into where you can start to work on your program.” He added that the key is “recognizing that it’s OK not to have a perfect program.” What the DOJ wants is for you to assess your own program, spot the weaknesses, rank them, and then remediate your ranked list going forward. Edwards concluded that you should determine “what’s the next one thing I can work on? Sometimes it’s a matter of taking small baby steps, but just recognizing that there are needed to be taken.”

One of the key components of the Monaco Memo was the cementing of corporate culture as a factor the DOJ would evaluate in any enforcement action. This formalized the remarks made by Deputy Attorney General Monaco in October 2021. Edwards maintains that a “big aspect of this is the listening function of an organization.” He will often engage a client with the questions about listening, “Have you done any listening within the organization? Have you surveyed, have you had a focus group? Have you had some kind of forum for employees? Have you gathered or crowdsourced any of that from within the organization?”

Unfortunately, that answer is often no. Edwards believes that if you recognize the need to understand and to work within the landscape of your company culture, you must accept the fact that you will be required to do a better job of getting out into the business and understanding what the culture looks like outside of the corporate compliance office. He added, “listening plays a huge role.” Having conversations “across different parts of the business help inform not only your understanding of the culture, but then how you can go in and influence it for the better, influence it to be more ethical and compliant.”

We then turned to the mandates around risk assessments in the DOJ’s 2020 Update to the Evaluation of Corporate Compliance Programs, which move from biennial or even annual risk assessments to risk assessments when your risks change. This is a key area where compliance professionals often feel overwhelmed. Here Edwards suggested taking “bite sized or small chunks” to improve your program. Edwards pointed to training, as the DOJ has moved far beyond the prior metric of completion rates. He said, “if you are focused on a 100% completion rate and that is the outcome you’re trying to achieve, then your focus will be on a Learning Management Systems tool that allows you to easily assign modules to 100% of your workforce. However, if the outcome you are really focused on is compliance, good behavior, making sure that laws and regulations do not get breached, then your focus should be how do I influence behavior as opposed to having a hundred percent completion rate?”

This means you need to emphasize the behavioral element. You can start to do things like “monitoring, which can seem overwhelming for a lot of groups, and it typically gets underinvested in.” But if your focus is on the prevention aspect, then you need to “go out there and see what people are doing wrong currently so you can address it and stop it.” This can be done with a process mindset: “on a risk-by-risk basis, on a task-by-task basis or on a process-by-process basis where you peel back the onions of the organization to see if there are any potential pitfalls in our current process.”

The bottom line is there are a variety of approaches you can take to move your program forward. The key is to identify your program weaknesses and begin the remediation process.

For more information go to TheBroadcat.com

Categories
31 Days to More Effective Compliance Programs

Day 26 – Compliance Function in an Organization

The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, the 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.” The Monaco Memo and 2023 changes to the Corporate Enforcement Policy have made this all the more critical going forward.

This Hallmark was significantly expanded in the FCPA Corporate Enforcement Policy and 2020 Update. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.

The 2020 Update, Monaco Memo, and 2023 update to the Corporate Enforcement Policy all demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically, and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority, and gravitas to the compliance position in their organizations.

Three key takeaways:

  1. How is compliance treated in the budget process?
  2. Has your compliance function had any decisions overridden by senior management?
  3. Beware of compliance outsourcing, as any such contractor must have access to company documents and personnel.
Categories
Innovation in Compliance

Operationalizing Compliance: Part 4 – Effectiveness, Redux with Alex Klingelberger

Welcome to a special five-part podcast series on Operationalizing Your Compliance Program, sponsored by Broadcat LLC. Over this series, we consider various ways to more fully operationalize your compliance regime, including the design and effectiveness of your communications, why the operationalization of compliance is a team sport, why simply data is not the answer, and how to avoid being overwhelmed. In Part 4, I am joined by Alex Klingelberger, CEO at Broadcat, where we take a deep dive into effectiveness.

Highlights from this episode include:

  • Compliance training must stay away from the patronizing training material.
  • The DOJ pronouncements on clawbacks put pressure on senior management.
  • Bilateral communication is a critical component of a best practices compliance program.
  • Compliance engagement is more than between your compliance function and employees. It is when employees engage each other about compliance topics as well.

For more information, go to TheBroadcat.com.

Categories
Blog

Operationalizing Compliance: Part 4-Effectiveness, Redux

Welcome to a special five-part podcast series on Operationalizing Your Compliance Program, sponsored by Broadcat LLC. Over this series, I visit with Jennifer May, Director of Compliance Advisory; Taylor Edwards, Director of Sales; Xinia Pirkey, Design Manager; Alex Klingelberger, Chief Executive Officer (CEO); and Jaycee Dempsey, Director of Customer Success. We consider a variety of ways to more fully operationalize your compliance regime, including the design and effectiveness of your communications, why the operationalization of compliance is a team sport, why simply data is not the answer, and how to avoid being overwhelmed. In Part 4, I am joined by Alex Klingelberger, where we take a deep dive into effectiveness.

We began with a question about data and data analytics. I asked Klingelberger what a CEO might question a Chief Compliance Officer (CCO) about when the CCO brings data about the compliance program. He explained that it is not simply data but “data, plus.” He would further inquire into such areas as, “How did you collect the data? Who are the people that are involved in the data? What did you ask them? What was the data that you have collected and how is it going to prove to both regulators and the business folks how to use it.”

He provided the example of an annual compliance training program, where the effectiveness is measured with a “single yes or no question that says, did all the constituents certify that they had completed the annual compliance training program; so that you ended up with a score of 100% completion.” Alex said his first question would be, “what is that worth to us?” This is because the data “simply conveys a unidirectional, transmission of information to the people in the business and you have not necessarily improved the quality of those individuals’ understanding of their business.”

We also discussed the danger of “patronizing communications.” This is a type of communication which is oversimplified to the point where any person, not just a person who’s working in that business, would implicitly understand what is right and what is wrong and therefore know the answer they are supposed to get. Something like “Is bribery bad?” is not something you need to train employees on. What employees need is something more useful which addresses given situations, shows what bribery looks like, and provides pattern recognition for employees to avoid it.

What you are really looking for in effectiveness is engagement. Klingelberger noted it is “instrumental that engagement to form the basis for better bilateral communicating between compliance folks and business folks on the frontline. But it is more than communications up and down, from compliance to employee and back. It is using training and communications to facilitate discussions between employees, their managers, their mentors and others about specific situations; how we should be acting and what things that we should and should not be doing in the course of business.” He believes such discussions are the essence of compliance communications and training.

We turned to the user experience, as delivering compliance information in topic-focused or risk-based bite-sized pieces, on a more periodic and frequent basis, is a better way to deliver compliance training. This can facilitate your employees engaging not only with compliance but also with managers and fellow employees, so that the communication or training fosters an ongoing conversation on a variety of topics outside of interactions with the compliance function. “This is the outcome you should desire with your communications or training. Something that is going to engage employees, be thought-provoking or thoughtful; yet if they have a question, they can either raise their hand and contact the compliance function or compliance can direct them to a resource within the company such as on a website or FAQs.”

We concluded by tying back to where we began, with some thoughts on data and effectiveness. Klingelberger considers that effectiveness also informs how compliance should be collecting data and providing it to business leaders. He believes that, to the extent possible, your compliance function should “use the same systems and software that your business uses to collect data, to collect your compliance data.” He provided some examples: “if you’re a sales shop, a HubSpot shop, if you primarily work on Excel, maybe those are the systems that you should be using to collect your compliance data rather than a completely separate standalone program that both you and your employees only see once a year and generates limited output.” The key is to “make it easier for your business leader through the data that you are providing them by using data which is familiar to them.”

Join us as we conclude with Part 5 where we discuss how to avoid being overwhelmed.

For more information go to TheBroadcat.com