Categories
Blog

Note Navy Seals Way: Moving from Continuous Monitoring to Continuous Improvement

Decision making is a critical skill for any Chief Compliance Officer (CCO) or compliance professional. Continuous monitoring and continuous improvement are now accepted as standard components of any table stakes compliance program. The Department of Justice (DOJ), in the 2020 Update to the Evaluation of Corporate Compliance Programs, made clear the need for continuous improvement in any compliance program. It stated quite succinctly, “One hallmark of an effective compliance program is its capacity to improve and evolve. The actual implementation of controls in practice will necessarily reveal areas of risk and potential adjustment. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the applicable industry standards. Accordingly, prosecutors should consider whether the company has engaged in meaningful efforts to review its compliance program and ensure that it is not stale.”

Indeed, the 2020 Update posed the following questions that the DOJ might ask a company under a Foreign Corrupt Practices Act (FCPA) investigation, “How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?”But one question not posed is around your decision-making process in when to move from continuous monitoring to continuous improvement. I was therefore interested in a recent FastCompany.com article, entitled “3 Steps Navy SEALs Use to Make Decisions”, by Stephanie Vozza. Vozza quotes former Navy SEAL and Chief Executive Officer (CEO) of ADS, Inc., Ryan Angold who said, “With so much information out there, a lot of people get analysis paralysis. You want to do your research and you want to access all the resources you have so you can make the right decision. But you can’t sit in analysis paralysis forever. Ultimately, there’s no 100% perfect decision.”

For her piece she also interviewed former Navy and current VMWare Chief Digital Transformation Officer Mike Hayes and author of the book, Never Enough: A Navy SEAL Commander on Living a Life of Excellence, Agility, and Meaning, who laid out a framework he used as an active SEAL for decision making.

  1. Gather Input

When you are a CCO or compliance professional in a corporate compliance function, you most probably have created experiences from which you can draw. Angold noted, “The requirement in SEAL teams is that you have you’ve gone through multiple different scenarios, you’ve trained for the most extreme environment, the most challenging environment, the worst-case scenarios. These reference points are helpful. You can say, ‘Okay, we’ve seen something like this before.’ Maybe this isn’t the exact scenario—it never is. But you’ve learned how the team works and can make quick decisions.”

Both Jonathan’s from the award-winning Everything Compliance gang, Jonathan Armstrong and Jonathan Marks, talk about not simply crisis and scenario planning but practice as well. Such practice not only gives you the muscle memory of what to do when a true crisis appears but also provide the types of experiences that Angold references that the SEALs then use in missions.

Hayes added that you should listen to difference voices or inputs, noting, “Too often, we tend to seek out like-minded input. Artists tend to hire artists and engineers hire engineers. By getting input from people who don’t think like us and by having a culture that celebrates differences and raising other ideas, you help people be comfortable saying things like, ‘Hey, sir, I don’t think that’s a great idea. Here’s how I would do it.’ That framework enables the best possible decisions.” Note that Hayes’ remarks also illuminate the importance and benefits of a true “Speak-Up Culture”.

  1. Decide When to Decide

 Most interestingly, the first thing you have to determine is when to make your decision. Hayes said, “The first decision is when to make your decision. That’s the thing that most people get wrong.” Obviously in combat your decision-making window can be quite short, but the same principle applies in the corporate world. Here Hayes noted, “At some point, the value of those extra inputs in your input streams costs more than the time associated with getting more inputs. At that inflection point is when you want to make your decision. You start losing value by waiting longer.”

But this point is where experience can become more paramount. In the corporate compliance world, you will likely get information, which is both quantitative and qualitative, particularly through continuous monitoring. Do not become paralyzed at this point, and you can rely on your gut or, as Hayes said, “there are other times where you need to operate in instinct. Instinct is really a set of experiences that you can’t quite crystallize, but that you extract logic from.”

  1. Be Willing (and ready) to Course Correct

Here a key CCO and compliance professional soft skill, that of humility, both “intellectual and real will help you get to the right decision.” Do not let your ego get in the way or start considering your sunk costs. You may garner new information which gives new input. Even John Maynard Keynes said, “When my information changes, I alter my conclusions. What do you do, sir?

Hayes said this is “the ultimate sign of leadership because it’s a sign of comfort in your own skin and not needing to look good in front of an organization. Instead, you’re putting the organization before self and doing the right thing.” Angold phrased it as “It takes a lot of humility for someone to be able to recognize it was the wrong call,” he says. “That’s where the communication is important and having that transparency with your team. You can gain a lot of additional trust from your team, when you acknowledge a wrong decision.”

Continuous improvement through continuous monitoring or other similar techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. By using this three-step approach, you can best determine how to move from the monitoring to the improvement phase.

Categories
Everything Compliance

Episode 94, the National Archives Edition


Welcome to the only roundtable podcast in compliance. The entire gang was also recently honored by W3 as a top talk show in podcasting. In this episode, we have the full gang of Jonathan Marks, Karen Woody, Jonathan Armstrong, Tom Fox, Matt Kelly and Jay Rosen. We discuss a potpourri of issues. We conclude with our fan favorite Shout Outs and Rants.

  1. Karen Woody reviews the recent HeadSpin SEC enforcement action, explaining how the SEC has jurisdiction over a private company, the significance of an enforcement action with no fine or penalty and the corporate governance issues involved. Karen shouts out to the Super Bowl Halftime show for throwing love on 90s music and musical stars.
  1. Jay Rosen discusses the recently released Commission on Combatting Synthetic Opioid Trafficking Report. Rosen shouts out to celebrity chef Jose Andreas for creating the Gazpacho Police in the 1990s long before Marjorie Green Taylor accused Nancy Pelosi of doing so and for inviting Rep. Taylor to join, provided she is vaccinated and wears a mask to the restaurant.
  1. Matt Kelly looks at the Joe Rogan and Spotify imbroglio, focusing the attempts of Spotify CEO Daniel Ek to focus the spotlight on Rogan and not Spotify. Kelly shouts out to that unknown US criminal enforcement agency, the National Archives which raided Mar-A-Lago where the former President had purloined some 15 boxes of Presidential papers and materials. He also gives a minor shout out to New York Times columnist Maggie Haberman who in an upcoming book reported the former President flushed documents down the toilets at the White House.
  1. Jonathan Marks discusses continuous controls monitoring and continuous auditing as best practices for compliance, risk management and fraud prevention programs. Marks shouts out to the Philadelphia 76ers for getting rid of Ben Simmons who refused to play for them. He implores Simmons to get a new agent for his disastrous handling of the entire situation.
  1. Jonathan Armstrong discusses the civil verdict for HP in its case against Autonomy and the Extradition Order delivered by the Home Secretary for Mike Lynch to go to America to stand for a US criminal trial. Armstrong shouts out to Queen Elizabeth II for her 70-year reign on the English throne.
  1. Tom Fox has a melancholy shout out to the University of Michigan School of Law and greater legal education profession, which lost two stalwart professors recently; Yale Kamisar, Father of Miranda and Terrance Sandalow, former Dean of the Law School. 

The members of the Everything Compliance are:

  • Jay Rosen– Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong –is our UK colleague, who is an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at armstrong@corderycompliance.com
  • Jonathan Marks is Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
31 Days to More Effective Compliance Programs

Day 24 | Updates and feedback

One of the critical elements found in the 2020 Update is the need to use the information you obtain, whether through risk assessment, root cause analysis, investigation, hotline report or any other manner to remediate the situation which allowed it to arise. Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they have noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.
It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan. What should you do with this information? Put a strategic plan in place ready to implement your findings of continuous improvement, by using the following:

  • Review the goals of the strategic plan. This requires that you arrange a time for the CCO and team to review the goals of the Strategic Plan, which the CCO should lead to determine how this goal in the Plan measures up to its implementation in your company.
  • Design an execution plan. The KISS method (Keep it Simple Sir) is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straight forward plan to ensure that the goal in question is being addressed.
  • Put accountabilities in place. In any plan of execution, there must be accountabilities attached to them. This requires the CCO or other senior compliance department representatives to put these in place and then mandate a report requirement on how the task assigned is being achieved.
  • Schedule the next review of the plan. There should be a regular review of the process. It allows any problems which may arise to be detected and corrected more quickly than if meetings are held at a less frequent basis.

Continuous monitoring is a key step but it is only the first step. It is not simply that you tested your compliance program but that you did something with the information you obtained to improve your program.
Three key takeaways:

  1. Innovation can come through a new way to think about and use data going forward.
  2. Have a plan in place to use the information garnered in your monitoring incorporated back into your compliance program.
  3. Always remember that Document Document Document is critical if the regulators come knocking.
Categories
31 Days to More Effective Compliance Programs

Day 2 | Continuous Monitoring and Continuous Improvement


I want to next focus specifically on the tactical steps of moving towards both continuous monitoring and continuous improvement of your compliance program. These twin concepts are perhaps the biggest modifications in the 2020 Update. The changes began in Section 1- Risk Assessments. The question-by-question analysis begins with “Is the periodic review limited to a “snapshot” in time or based upon continuous access to operational data and information across functions?” Do you have access to continuous and real time transactional data at your organization? How about across silos within your organization. Most likely the answer to both is “no”. This means you no longer have a best practices compliance program at this point in time. How can you garner such information?
While there is only one question in the Lessons Learned section, it is a compound question. It not only inquiries about data you may have obtained through your own work but also from other company’s in your industry operating in the same geo-region. Without commenting on the potential anti-trust aspects of this issue, if there is public source information available to you (and there always is), how are you using this information in your compliance regime. But this can be simply having your fully operationalized employee base keeping their eyes and ears open at trade show or any other gatherings of industry employee.
The next area for continuous monitoring and continuous improvement was in an area of compliance which is not normally associated with those concepts, Policies and Procedures. The final area in the 2020 Update for consideration is appropriate called Continuous Improvement, Periodic Testing and Review and is found in the subsection monikered Evolving Updates. It reads:
How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? Has the company undertaken a gap analysis to determine if particular areas of risk are not sufficiently addressed in its policies, controls, or training? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?
Similar to the language under Risk Assessment, this compound question considers the adaptation of a compliance program from your own lessons learned but also from other companies. The distinction now is that phrase is “other companies facing similar risks”? Think about how this language would apply to any company operating in China, West Africa or any other high-risk region in the globe. I would interpret this to mean every Chief Compliance Officer (CCO) and compliance practitioner needs to stay abreast of international anti-corruption enforcement actions where your company may be doing business.
Three key takeaways:

  1. What is your process for continuous monitoring?
  2. What is your process for continuous Improvement?
  3. What source of information do you use that are outside your organization?
Categories
Innovation in Compliance

A Conversation with Skillsoft and StoneTurn: Part 5 – Stephen Martin on Continuous Monitoring and Continuous Improvement


Welcome to a special five-part podcast series, A Conversation with Skillsoft and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Skillsoft and StoneTurn Group, LLP. Over the course of this series we have explored the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). Focused on your Code of Conduct and how it is informed by your Risk Assessment, training on your Code of Conduct, performing a Risk Assessment and conclude with how all this ties to continuous monitoring and continuous improvement. Participants in this podcast series include: from Skillsoft, Charlie Voelker, Director, Compliance Products; John Arendes, Vice President and GM of Global Compliance Solutions; from StoneTurn, Toby Ralston, Managing Director, Jamen Tyler, Managing Director and Stephen Martin, Partner. In this fifth and final episode, I conclude with Stephen Martin on continuous monitoring and continuous improvement.
A new focus in the 2020 Update and FCPA Resource Guide, 2nd edition, was the new mandate for continuous monitoring and continuous improvement. But it all begins with your risk assessment. Martin said, “they are the most critical part of your compliance program because they frame what you are supposed to do overall in your compliance regime.” What has changed recently, with the 2020 Update is the emphasis around continuous program improvement and that it should be “guided by your risk assessment, which is something new.” This means that you must look at more than “simply a limited snapshot in time, but using risk assessment, that is based on continuous operational data and information across a number of functions so that you can have real time risk assessment and improvement of your compliance program.”
All of these developments have led to the clear conclusion that your compliance program should be a living breathing document. Martin said, “I think it’s more important today, given the guidance that came out, before you would talk a risk assessment that would be done once a year or once every couple of years, or perhaps you would do a program assessment. Now, what you’re expected to do is continually be evaluating your program and looking at data and information.” From there compliance officers and companies need to gather the data and look at is as an “ongoing review to update your policies, procedures, and controls, and tracking the information to incorporate into their risk assessments.”
Webinar
If you enjoyed today’s podcast, I want to let you know about an upcoming webinar Skillsoft and StoneTurn are hosting. The webinar “Evolving Your Compliance Program” will be held on Wednesday Sept 23 and will explore how companies are leveraging data and information to improve and evolve their compliance programs. Information and Registration click here.
 Resources
For more information on Skillsoft’s compliance offerings, click here.
For more information on the Skillsoft/StoneTurn partnership, click here.
For more information on StoneTurn, click here.

Categories
Innovation in Compliance

A Conversation with Convercent and StoneTurn: Stephen Martin on Evaluating Compliance Programs


Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn. Over the course of the series we have explored the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this fifth and final episode, I am joined by Martin for a discussion of evaluating compliance programs.
Resources
For more information on StoneTurn, check out their website, here.
For more information on Convercent, check out their website, here.
To download a copy of the Convercent Interactive Self-Assessment based on the 2020 Update to the Evaluation of Corporate Compliance Programs, click here.

Categories
31 Days to More Effective Compliance Programs

Designing a process for continuous monitoring


Most CCOs and compliance practitioners understand the need for continuous monitoring. Whether it be as a part of your overall monitoring of third-parties, employees, or to test the overall effectiveness of internal controls and compliance, continuous monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied for continuous monitoring, they may not be as aware of how to engage in the process. Put another way, how do you develop a methodology for building a continuous controls monitoring process that yields sustainable, repeatable results?
Joe Oringel, co-founder and principal at Visual Risk IQ uses a five-step process. The steps are: 1) brainstorm, 2) acquire and map data, 3) write queries, 4) analyze and report, and 5) refine and sustain. If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of continuous monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show to any regulators who might come knocking.
 Three key takeaways: 

  1. Create a process to monitor your controls.
  2. Use a compliance SME to work with your internal controls specialist to develop queries from the compliance perspective.
  3. Finally, do not forget the feedback loop nature of the process by integrating your results going forward.