Categories
31 Days to More Effective Compliance Programs

Day 2 | Continuous Monitoring and Continuous Improvement


I want to next focus specifically on the tactical steps of moving towards both continuous monitoring and continuous improvement of your compliance program. These twin concepts are perhaps the biggest modifications in the 2020 Update. The changes began in Section 1, Risk Assessments. The question-by-question analysis begins with “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions?” Do you have access to continuous and real-time transactional data at your organization? How about across silos within your organization? Most likely the answer to both is “no”. This means you no longer have a best practices compliance program at this point in time. How can you garner such information?
While there is only one question in the Lessons Learned section, it is a compound question. It not only inquires about data you may have obtained through your own work but also from other companies in your industry operating in the same geo-region. Without commenting on the potential anti-trust aspects of this issue, if there is public source information available to you (and there always is), how are you using this information in your compliance regime? But this can be as simple as having your fully operationalized employee base keeping their eyes and ears open at trade shows or any other gatherings of industry employees.
The next area for continuous monitoring and continuous improvement was in an area of compliance which is not normally associated with those concepts, Policies and Procedures. The final area in the 2020 Update for consideration is appropriately called Continuous Improvement, Periodic Testing and Review and is found in the subsection monikered Evolving Updates. It reads:
How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
Similar to the language under Risk Assessment, this compound question considers the adaptation of a compliance program from your own lessons learned but also from other companies. The distinction now is that the phrase is “other companies facing similar risks”. Think about how this language would apply to any company operating in China, West Africa or any other high-risk region in the globe. I would interpret this to mean every Chief Compliance Officer (CCO) and compliance practitioner needs to stay abreast of international anti-corruption enforcement actions where your company may be doing business.
Three key takeaways:

  1. What is your process for continuous monitoring?
  2. What is your process for continuous improvement?
  3. What sources of information do you use that are outside your organization?
Categories
Innovation in Compliance

A Conversation with Skillsoft and StoneTurn: Part 5 – Stephen Martin on Continuous Monitoring and Continuous Improvement


Welcome to a special five-part podcast series, A Conversation with Skillsoft and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Skillsoft and StoneTurn Group, LLP. Over the course of this series we have explored the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focused on your Code of Conduct and how it is informed by your Risk Assessment, training on your Code of Conduct, and performing a Risk Assessment, and we conclude with how all this ties to continuous monitoring and continuous improvement. Participants in this podcast series include: from Skillsoft, Charlie Voelker, Director, Compliance Products; John Arendes, Vice President and GM of Global Compliance Solutions; from StoneTurn, Toby Ralston, Managing Director, Jamen Tyler, Managing Director and Stephen Martin, Partner. In this fifth and final episode, I conclude with Stephen Martin on continuous monitoring and continuous improvement.
A new focus in the 2020 Update and FCPA Resource Guide, 2nd edition, was the new mandate for continuous monitoring and continuous improvement. But it all begins with your risk assessment. Martin said, “they are the most critical part of your compliance program because they frame what you are supposed to do overall in your compliance regime.” What has changed recently with the 2020 Update is the emphasis around continuous program improvement and that it should be “guided by your risk assessment, which is something new.” This means that you must look at more than “simply a limited snapshot in time, but using risk assessment, that is based on continuous operational data and information across a number of functions so that you can have real time risk assessment and improvement of your compliance program.”
All of these developments have led to the clear conclusion that your compliance program should be a living, breathing document. Martin said, “I think it’s more important today, given the guidance that came out, before you would talk a risk assessment that would be done once a year or once every couple of years, or perhaps you would do a program assessment. Now, what you’re expected to do is continually be evaluating your program and looking at data and information.” From there compliance officers and companies need to gather the data and look at it as an “ongoing review to update your policies, procedures, and controls, and tracking the information to incorporate into their risk assessments.”
Webinar
If you enjoyed today’s podcast, I want to let you know about an upcoming webinar Skillsoft and StoneTurn are hosting. The webinar “Evolving Your Compliance Program” will be held on Wednesday Sept 23 and will explore how companies are leveraging data and information to improve and evolve their compliance programs.

Categories
Innovation in Compliance

A Conversation with Convercent and StoneTurn: Stephen Martin on Evaluating Compliance Programs


Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn. Over the course of the series we have explored the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this fifth and final episode, I am joined by Martin for a discussion of evaluating compliance programs.

Categories
31 Days to More Effective Compliance Programs

Conclusion to continuous improvement in a compliance program


Over the course of this month, I have presented a variety of specific tools and techniques for the compliance practitioner to utilize to continuously improve their compliance regime. They include the financial audit, the culture audit, controls monitoring, and various risk management strategies which can become continuous monitoring. The tools are both quantitative and qualitative. Pick and choose the right tools for your company’s business and compliance profile.
Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The 2012 FCPA Guidance makes clear the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”
Three key takeaways:

  1. Your compliance program should be continually evolving.
  2. There are a variety of tools for continuous improvement which will enhance both your compliance and business processes.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered.
Categories
31 Days to More Effective Compliance Programs

Continuous Improvement Through Compliance Program Upgrades


Continuous improvement can come in many different shapes, sizes and packages. As with all things compliance, you are only limited by your imagination. Have you ever thought about a tech implementation as a way for continuous improvement? Probably not, but it is also a way forward for continuous improvement. Think about that for a moment, as this is taking the concept of continuous improvement and adding an ongoing tech solution. This is one of the areas both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) discussed in their jointly issued 2012 FCPA Guidance, as Hallmark 9 in the Ten Hallmarks of an Effective Compliance Program. This is not simply taking data from your compliance program and feeding it back in to create continuous improvement, but it is using a tech solution to not only make your compliance program run more efficiently but using that same tech solution to help continuously improve your compliance program.
Such an approach uses the subject matter expertise (SME) of the tech solution provider to help the compliance professional come up with a more effective compliance program. For the compliance professional it is expanding out their reach and scope through the use of not only this tech SME but with the information from their own compliance program to create greater efficiencies and effectiveness.
Three key takeaways:

  1. Even in continuous improvement, you are only limited by your imagination.
  2. The delivery of a tech solution for compliance can be beneficial in multiple ways.
  3. Start your analytics at the transaction level and move upwards.
Categories
31 Days to More Effective Compliance Programs

Using Data For Continuous Improvement


Vince Walden has posited that “the black box is dead”. He meant that there is no single tool to use to identify high-risk transactions, customers, employees or third parties. Yet, it is now even easier to ask big insightful questions from your data. Every compliance professional should embrace this.
Properly seen, compliance is a business process. As such you should keep in mind certain queries, such as:

  • What are the company’s high compliance and ethics risks?
  • Who within the organization is responsible for managing these risks?
  • What controls are in place to manage these risks?
  • Are these controls working? Are they effective?
  • How do you know (or not) this?

The key is that through greater data mining and asking more insightful questions of that data you can truly move from a reactive-detect mode to a proactive-prescriptive mode.
Three key takeaways:

  1. The black box is dead.
  2. What is driving your risk scoring?
  3. Compliance as a business process must be driven by data.
Categories
31 Days to More Effective Compliance Programs

Monitoring for continuous improvement


Another mechanism for continuous improvement of your compliance program is through risk-based monitoring. Under the topic of Control Testing, DOJ’s 2019 Guidance posed the following questions: Has the company reviewed and audited its compliance program in the area relating to the misconduct? More generally, what testing of controls, collection and analysis of compliance data, and interviews of employees and third-parties does the company undertake? How are the results reported and action items tracked?
Finally, the beauty of all these techniques articulated by Locwin is that they are tools that can make companies more efficient and, at the end of the day, more profitable. They also move compliance into the fabric and DNA of an organization or operationalize compliance. Her intonation to operationalize compliance speaks to the use of a wide variety of tools to input information, so you can continuously improve your compliance program. Risk-based monitoring is certainly one mechanism to obtain information and feed back into your compliance program in both the prevent and detect prongs.
Three key takeaways:

  1. How do you monitor manifested risks?
  2. A risk-based monitoring approach allows you to see things in almost real-time.
  3. Management of risk can serve your compliance program in a variety of ways.
Categories
31 Days to More Effective Compliance Programs

Day 21 | Continuous improvement in a compliance program


The Evaluation of Corporate Compliance Programs – Guidance Document (2019 Guidance) was very clear about the need for continuous improvement in any compliance program. It stated quite succinctly, “One hallmark of an effective compliance program is its capacity to improve and evolve.  The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment.  A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards.  Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.”
This was further specified in the DOJ’s 2019 Guidance which listed three types of continuous improvement, each further refined with multiple attendant questions. It also added a new area of inquiry that every compliance practitioner needs to incorporate into their assessment, improvement and management cycles: culture.
Three key takeaways:

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complementary tools for continuous improvement.
  3. Culture assessment and monitoring are now required as well.
Categories
FCPA Compliance Report

FCPA Compliance Report-Episode 434, Brandon Daniels on Using Investigations to Drive Continuous Improvement

In this episode of the FCPA Compliance Report, I visit with Brandon Daniels, who is the President of Global Technology Markets for Exiger. Daniels is a regulatory expert and technology practitioner, bringing more than 15 years in senior management across the financial services, life sciences and energy sectors. He has a reputation for technological innovation in regulatory investigations and compliance management. Some of the highlights include:

  1. Daniels’ professional background, how he got to Exiger and his current role at the company.
  2. Some of the key technological innovations Daniels has recently seen in the way in which investigations are being handled.
  3. How can Exiger’s technological solutions help a CCO get their arms around the unstructured data which is available to them inside their organization?
  4. How can technology be used to create predictive models to rank offshore companies for potential tax and corruption risk?
  5. How can a technological solution be used to help perform a compliance risk assessment?
  6. How do Exiger technological solutions assist compliance professionals to improve their corporate culture?


Categories
Blog

Day 2 of One Month to More Effective Continuous Improvement-the Compliance Audit

Internal Audit – What types of audits would have identified issues relevant to the misconduct? Did those audits occur, and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board regularly? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?

Interestingly, Foreign Corrupt Practices Act (FCPA) compliance follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became the mainstays of any company’s best practices in the area of safety. These techniques inform any anti-corruption best practices compliance program under the FCPA, UK Bribery Act, or any other anti-corruption regime. Indeed, audits are delineated explicitly in the 2012 FCPA Guidance to assist in continuously monitoring your compliance regime. Such an audit can be thought of as a systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. Three factors are critical for a compliance audit to have a chance for success: (1) an effective audit program that specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. Auditing can take several different forms in an anti-corruption compliance program. Of course, you should audit the compliance program in your organization. A forensic audit can collect and analyze accounting and internal-control evidence in your compliance regime. This information can produce a fact-based report informing the decision-making process in inquiries, investigations, and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur.

Further, an internal audit can review compliance processes to determine if employees follow prescribed procedures or internal controls. In addition to collecting and analyzing evidence, an auditor’s objective is to attest to the credibility of assertions under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. One of the functions of such an audit is to determine if further investigation is warranted. Once again, this situation points out the difference between having a paper compliance program and the actual doing of compliance. Even with an appropriate oversight structure, you must do the work in the future. Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties, below are some of the areas you may wish to consider reviewing:

  • Contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review the compliance training program for any third party, both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through an anonymous hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel, and entertainment that were provided to or for foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer, to whom, and how does that compliance officer report? How is the third-party vendor’s compliance program designed to identify risks, and what has resulted from any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • Concerning any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and use analytical procedures and testing.

Auditing is a more limited review that targets a specific business component, region, or market sector during a timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. In other words, the protocol is simple, and everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

Three Key Takeaways

  1. Auditing takes a deep dive into your high-risk compliance areas.
  2. Internal audits should test your key FCPA risk areas as a part of their regular auditor rotation.
  3. The findings uncovered in an audit must be used in your compliance regime.

The compliance audit is a key component in the continuous improvement of a compliance program. For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor, Affiliated Monitors, at www.affiliatedmonitors.com.