Categories
31 Days to More Effective Compliance Programs

Day 22 – Internal Reporting and Triaging Claims

The call, email, or tip comes into your office; an employee reports suspicious activity across the globe. That activity might well turn into an FCPA issue for your company. As the CCO, it will be up to you to begin the process, which will determine, in many instances, how the company will respond going forward. This is more than simply maintaining hotlines. Companies have to make real efforts to listen to employees. You need to have managers trained on handling employee concerns; they must be incentivized to take on this compliance responsibility, and you must devote communications resources to reinforcing the company’s culture and values to create an environment and expectation that managers will raise employee concerns. The Monaco Memo’s emphasis on internally detecting such actions and self-reporting makes this more important.

The reason is that a business’s employees are the company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. Both the U.S. Sentencing Guidelines and the Organisation for Economic Co-operation and Development (OECD) Good Practices list as one of their components an anonymous reporting mechanism by which employees can report compliance and ethics violations. Of course, the Dodd-Frank Whistleblower provisions also heed the implementation of a hotline.

Given the number of ways that information about violations or potential violations can be communicated to government regulators, a robust triage system is an important way for a company to determine what resources to bring to bear on a compliance problem.

Jonathan Marks has articulated a five-stage triage process that allows for an early assessment of any allegations and a manner to think through your investigative approach. Marks cautions you must have an experienced investigator or other seasoned professional making these determinations, if not a more well-rounded group or committee. Next, consider the types of evidence to review going forward. Finally, before selecting a triage solution, understand what tools are available, including forensic and human, to complete the investigation.

Three key takeaways:

1. The DOJ and SEC put special emphasis on internal reporting lines.

2. Test your hotline regularly to make sure it is working.

3. Every claim should be triaged before starting an investigation.

Categories
Sunday Book Review

January 22, 2023 – Top Ethics Books To Read in 2023 Edition

In the Sunday Book Review, I consider books that interest the compliance professional, the business executive, or anyone who might be curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest me. In today’s edition of the Sunday Book Review, we consider some of the top ethics books which every compliance professional should read in 2023:

· Ethics for Behavior Analysts by Jon Bailey and Mary Burch
· Stoic Philosophy and the Control Problem of AI Technology: Caught in the Web by Edward Spence
· The Rise of Business Ethics by Bernard Mees
· Business Ethics for Better Behavior by Jason Brennan, William English, John Hasnas, and Peter Jaworski

Resource

20 Best New Ethics Books To Read In 2023 by Annemarie Slaughter

Categories
31 Days to More Effective Compliance Programs

Day 21 – Continuous Improvement in a Compliance Program

The 2020 Update was clear about the need for continuous improvement in any compliance program. It succinctly stated, “One hallmark of an effective compliance program is its capacity to improve and evolve. Implementing controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure it is not stale.”

Continuous improvement through monitoring or similar techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based on new and updated best practices specified by regulators. A compliance program is, in many ways, a continuously evolving organism, just as your company is. It would be best to build a way to keep pace with the market and regulatory changes to have a truly effective anti-corruption compliance program.

Three key takeaways:

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different yet complementary tools for continuous improvement.
  3. Cultural assessment and monitoring are now also required.
Categories
31 Days to More Effective Compliance Programs

Day 20 – Responding to Investigative Findings

There is nothing like an internal whistleblower report about a compliance violation, the finding of such an issue, or (even worse) a subpoena from the DOJ or notice letter from the SEC to trigger the Board of Directors and senior management’s attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations, “We are an ethical company.” However, it may be time for a very serious reality check.

 

You may find yourself in a position where you will have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. In an interview with Russ Berland, he noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “tricky because you get your fifteen minutes to get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

Three key takeaways:

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. Be prepared to deal with the dreaded “where else” question.
Categories
31 Days to More Effective Compliance Programs

Day 19 – Your Investigation Protocol

After the internal report comes in and you have properly triaged the matter, you need to scope out and investigate it promptly, thoroughly, and with competent personnel. The 2020 Update provided this series of questions about your internal investigations:

Properly Scoped Investigations by Qualified Personnel – How does the company determine which complaints or red flags merit further investigation? How does the company ensure that investigations are properly scoped? What steps does the company take to ensure investigations are independent, objective, appropriately conducted, and properly documented? How does the company determine who should conduct an investigation, and who makes that determination?

Investigation Response – Does the company apply timing metrics to ensure responsiveness? Does the company have a process for monitoring the outcome of investigations and ensuring accountability for the response to any findings or recommendations?

Resources and Tracking of Results – Are the reporting and investigating mechanisms sufficiently funded? How has the company collected, tracked, analyzed, and used information from its reporting mechanisms? Does the company periodically analyze the reports or investigation findings for patterns of misconduct or other red flags for compliance weaknesses? Does the company periodically test the hotline’s effectiveness, for example, by tracking a report from start to finish?

In a presentation, Jay Martin, retired Chief Compliance Officer at Baker Hughes, and Jacki Trevino, Senior Director of Advisory Services Group at SAI Global Limited, discussed the specifics of an investigation protocol. It consisted of 1) opening and categorizing the case; 2) planning the investigation; 3) executing the investigation plan; 4) determining appropriate follow-up, and 5) closing the case. If you follow this basic protocol, you should be able to work through most investigations in a clear, concise, and cost-effective manner. Furthermore, you should have a report at the end of the day which should stand up to later scrutiny if a regulator comes looking. Finally, you will be able to “Document, Document, and Document” not only the steps you took but why and the outcome obtained.

Three key takeaways:

  1. A written protocol, created before an investigation, is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.
Categories
Corruption, Crime and Compliance

2022 FCPA Year in Review Featuring Tom Fox

2022 saw higher numbers of FCPA enforcement actions, settlements, and criminal prosecutions of individuals. One of the most important developments was the update of policy in the Monaco Doctrine, which was elaborated on in the Monaco Memo, providing important guidance for compliance professionals. Tom Fox joins Michael Volkov to discuss some of the more interesting cases from the past year.

Tom Fox is hailed as the Voice of Compliance, serving and evangelizing for the compliance community for over 15 years. He is the founder and creator of the Compliance Podcast Network where he hosts various podcasts, such as Innovation In Compliance and the ESG Report, and the Executive Leader at the C-Suite Network. 

 

Some ideas you’ll hear them explore are:

  • The DOJ is getting better at communicating with the compliance community through resolution documents like DPA, NPA, and, occasionally, declinations. These documents provide insight into the DOJ’s thinking and approach to cases, which compliance professionals can use to gain a better understanding of how to approach compliance issues.
  • In Tom’s upcoming book, “FCPA Year in Review 2022,” he highlights the KT Corp bribery case, which went back to the basics in its old-school rendition of corruption: bags of cash money. The lesson here is that bribery can be as simple as a $50 slipped into a handshake.
  • In the curious case of Glencore, the FCPA enforcement action taken against them reflects the DOJ’s focus on defective cultures within companies. This case involved multiple enforcement agencies across multiple countries and multiple bribery schemes, rounding up fines and penalties totalling up to $1.1 billion, with $700M for FCPA violations, and $441M for price and market manipulation. Glencore had a culture that was committed to profit at any cost, and the company paid over $100M to third parties knowing that some of the money would be used to bribe officials in various countries.
  • The Oracle case, which involved bribery and corruption through gifts, travel, and entertainment, should serve as a reminder to companies to review their gift, travel, and entertainment policies and ensure they are aware of how their business officials are spending their travel, per diem, and entertainment money.
  • Avoid hiring third parties recommended by or at the direction of a state-owned official or executive.
  • The Lisa Monaco memorandum emphasizes the need for effective compliance programs and the benefits of voluntary disclosure, full cooperation, and timely and appropriate remediation. 

 

KEY QUOTE

“Internal controls are not simply due diligence, distributors, et cetera. It goes down to your payments, schemes and how you pay your vendors should all be a part of your internal controls.” – Tom Fox

 


Categories
31 Days to More Effective Compliance Programs

Day 15 – How do you evaluate a risk assessment?

After completing your risk assessment, you must translate it into a risk profile. If your estimate of where your bribery risk is greatest is wrong, it will be an effort to address it. As Ben Locwin explained in his BioProcess International article entitled “Quality Risk Assessment and Management Strategies for Biopharmaceutical Companies”:

Once we have assessed risks and determined a process that includes options to resolve and manage them whenever appropriate, we can decide the level of resources with which to prioritize them. There always will be latent risks: those that we understand are there but that we cannot chase forever. But we need to make sure we have classified them correctly. With a good understanding of each of these, we are better positioned to speak about the quality of our businesses.

William C. Athanas, in his Industry Week article, “Rethinking FCPA Compliance Strategies in a New Era of Enforcement,” posited that companies assume that FCPA violations follow a bell curve in which most employees are responsible for most of the violations. However, Athanas believed that the distribution pattern more closely follows a hockey-stick distribution, where just a few people commit virtually all violations. Athanas concluded by noting that it is this limited group of employees, or what he terms the “shaft of the hockey stick,” to which a company should devote most of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts, such as intensive training sessions or detailed analysis of key financial transactions involving those employees with the greatest means and motive to commit a violation.

The priority risks are the most significant risks with the greatest likelihood of occurring. These become the focus of your most significant risk management efforts, coupled with ongoing audits and monitoring. A variety of tools can be used to continuously monitor risk going forward. Consider providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. It is important to create a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it. Finally, let this risk assessment and evaluation inform your compliance program rather than letting the compliance program inform the risk assessment.

Three key takeaways:

  1. Even after you complete your risk assessment, you must evaluate those risks for your company.
  2. The DOJ and SEC are looking for a well-reasoned approach to how you evaluate your risk.
  3. Create a risk matrix and rank your risks; then remediate and monitor as appropriate.
Categories
Sunday Book Review

January 15, 2023 – The Top Business Books to Read in 2023 Edition

In the Sunday Book Review, I consider books that interest the compliance professional, the business executive, or anyone curious. It could be books about business, compliance, history, leadership, current events, or anything else that might interest me. In today’s edition of the Sunday Book Review, we consider some of the top business books which every compliance professional should read in 2023:

· How to Win Friends and Influence People by Dale Carnegie
· Influence, New and Expanded: The Psychology of Persuasion by Robert Cialdini
· The Compound Effect: Jumpstart Your Income, Your Life, Your Success by Darren Hardy
· Tools of Titans: The Tactics, Routines, and Habits of Billionaires, Icons, and World-Class Performers by Tim Ferriss

Resource

The Best Business Books to Read in 2023 By Hal Kitzmiller

Categories
31 Days to More Effective Compliance Programs

Day 14 – Risk Assessments

One cannot say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile, and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks. Yet the 2020 Update added a new emphasis that Risk Assessments should be done not less than annually but, in reality, should be done each time your risks change. Over the past couple of years, every company’s risks changed from Work From Home to Return to the Office to Hybrid Work environments. Have you assessed these new paradigms for risks from the compliance perspective?

As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance succinctly stated, “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, your protocol must be well thought out. If you use one, some, or all of the above as your basic inquiries for your risk analysis, it should be acceptable for your starting point. 

Three key takeaways:

  1. Since at least 1999, the DOJ has pointed to risk assessment as the start of an effective compliance program.
  2. The DOJ will now consider your risk assessment methodology for identifying risks and gathering evidence.
  3. You should base your compliance program on your risk assessment.
Categories
31 Days to More Effective Compliance Programs

Day 13 – Podcasting for Compliance Training and Communication

If there is one truism from the practice of law which translates to the practice of compliance, it is that you are only limited by your imagination. This holds in the 360-degree realm of communication in compliance, as communication comes in many forms. Many compliance practitioners will well remember the 2012 Morgan Stanley declination. In this first declination made public, the Department of Justice (DOJ) recognized Morgan Stanley for emailing out 35 compliance reminders to Garth Peterson over seven years. Think about the power of 360 degrees of communication in the context of compliance reminders. Now imagine the power of short ethics and compliance video training clips going out over the same time and the effect it would have on your employees and the regulators.

1. Podcast Storytelling

Why not tell the story of compliance through a podcast? I call it podcast storytelling, and it can be a powerful tool. Each podcast series is a 5-part series and constitutes one story arc. The podcasts are about 10-15 minutes in length. The podcast storytelling series can be a variety of interviews led by a noted podcast host such as the Voice of Compliance, yourself as the Chief Compliance Officer (CCO), or anyone from your organization. It can be an interview with one or more people, or it can be a solo podcast.

A series such as this allows your organization to tell a story more effectively and reach a much larger audience than in any other format: live, audio-video, or in-person. Yet there is another reason you should consider this approach for compliance training and communications. It will provide you with the equivalent of market research and feedback. The number of listeners and downloads will give you a reliable data source for other communications and training.

2. Compliance Department Branded Podcasts

Want another option? How about a fully produced branded podcast series for your internal compliance function? It could be two 25–30-minute episodes per month, with the guest selected by your compliance team. This format allows your corporate compliance function to tell the story of its greatest asset, its people, through interviews. Cannot get out of the country to travel? Still working remotely? Your branded podcasts allow you to reach your employees as we struggle through the Covid-19 variants. You can use the branded podcast to tell the story of compliance successes in your organization; you can also include other departments to share their successes. As with the podcast storytelling series, it would be done collaboratively with your comms team.

3. Compliance News of the Day

Want to make some short and snappy compliance communications? How about ‘Compliance News of the Day’? Have a daily curated news show of 3-4 compliance stories with a summary of each story and how they relate to a compliance perspective of your organization. Make it fun, so your employees want to check in daily. When the DOJ comes knocking and asks how often you send compliance communications, you can point to your Compliance News of the Day as a great starting point.

As a compliance practitioner, you should strive to bring more storytelling into your compliance messaging, training, and communications. If you put the employee in the shoes of the person they’re watching, they will remember it because they will see how it applies to their lives. Training and communication experiences will last much longer than if you drone over a written policy or show a PowerPoint. Marc Havener has called this “expanding your classroom.” Ronnie Feldman calls this bringing memorable storytelling to your compliance communications and training.

Since your imagination only limits you in compliance, why not use some of that to be creative in your compliance training and communications?

Three key takeaways:

1. Use podcast storytelling to tell longer, more involved stories about compliance.

2. You can use compliance department-branded podcasts to have ongoing communications about compliance.

3. A Daily Compliance News show will drive engagement.