Categories
Blog

Why Cybersecurity Will Never Be the Same After the Russian Invasion

After the Russian invasion of Ukraine, the world of business will never be the same again. Deputy Attorney General (DAG) Lisa Monaco recently said that the world’s “geopolitical landscape is more challenging and complex than ever. The most prominent example is of course Russia’s invasion of Ukraine.” It is “nothing less than a fundamental challenge to international norms, sovereignty and the rule of law that underpins our society.” This is even more so in the current business climate.
Over this five-part series, I will consider how business will never again be the same and how a confluence of events has changed business forever. I am joined in this exploration by Brandon Daniels, Chief Executive Officer (CEO) of Exiger. We will explore the irrevocable changes in Supply Chain, trade and economic sanctions, anti-corruption, cyber-security and environmental, social and governance (ESG). In Part 4, we continue to explore the changes wrought by the Russian invasion of Ukraine, in the realm of cybersecurity.
The Russian invasion of Ukraine gave everyone an understanding of how serious cybersecurity really is from a defense perspective and not just from a corporate risk management perspective. According to Daniels, it drove home the clear message that the United States is in a non-kinetic war with Russia and China. Over the past decade the theft of intellectual property (IP) through cybercrime has steadily increased, but Russia and China are essentially “showering the US with attacks,” and Russia specifically has been attempting to compromise “US facilities and technologies since the crisis” began.
A second and equally important point on cybersecurity is how interconnected it is with commerce. Countries such as Russia and China are clearly using both state and non-state businesses to further the ambitions of the state. These attacks have been particularly prevalent in the supply chain: by Daniels’ estimate, 80% of the largest cyber-attacks that have occurred have been supply chain attacks. This means that you may have integrated some software into your organization through a vendor, but somewhere earlier in that software’s development, in that vendor’s purchase of underlying software components, a malicious piece of software was planted by a state actor, a non-state actor or a criminal network. The Russian invasion of Ukraine made this interconnectedness between third-party and supply chain risk management and cyber risk management much more explicit.
Daniels pointed out that companies may have “vendors that are owned one to two degrees away by Russian oligarchs and those Russian oligarchs might be using the fact that we use their software one to two degrees away as an entry point to steal classified information about what the US government is doing in” an area such as critical infrastructure. Once again, the nature of cybersecurity and its interconnectedness with third party and supplier risk management, was “another revelation that came out of this crisis and this conflict.”
One of the continuing themes from the Russian invasion of Ukraine is the interconnectedness of risks, which will never be the same. Some of these we have previously explored, such as supply chain, trade and economic sanctions, and anti-bribery and anti-corruption. There are others, such as crypto and ESG, as well. All of this can create a perception of complexity which could overwhelm risk management and other business professionals thinking through how to manage these risks.
Daniels suggested an approach that assesses each vendor in its environment across four quadrants of risk: operational, foreign ownership, financial health and reputational risk. After you have established your risk appetite, you need to assess every vendor individually. Each vendor coming through your company’s pipeline should follow an onboarding process that manages to that risk appetite and then monitors for risks that could push the vendor above your threshold. If a vendor falls outside your risk appetite in any of these key areas, you should review the use of that vendor in more detail.
There are other risk profiles you should consider. One is industry risk, meaning which critical industries you rely upon. Daniels noted that a cloud hosting company should be concerned with computing resources, bandwidth, power and fiber optic resources. He said, “Don’t try to boil the ocean, just look at your critical industries and see where you might have issues that are coming up that could be problematic” for your industry.
Finally, another key risk area to consider is jurisdictional risk. This means reviewing the locations of your facilities and those of your suppliers. Daniels said, “I look at where my top or most critical products are being manufactured. Again, if I’m a cloud hosting company, it might be the microelectronics that I use to power computing resources, to determine where the concentration of manufacturing locations” is. But the key is to take it in bite-size chunks by company, industry and jurisdiction, and then monitor so that you can at least maintain a reactive posture toward upcoming events. Doing so lets your program mature continuously, adding sophistication and efficacy over time, and work toward proactive rather than merely reactive risk management.
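The four-quadrant screening, onboarding gate, ongoing monitoring and jurisdictional concentration check described above can be reduced to a small amount of code. The following is an added example written for this post; it is not Exiger’s or the author’s code. The quadrant names come from the post, while the 0–10 scoring scale, the per-quadrant risk appetite thresholds, the vendor records and the Herfindahl-style concentration index are assumptions chosen for illustration.

```python
"""Vendor risk screening across four quadrants, with onboarding, monitoring
and jurisdictional concentration.

Added example, not the page's or Exiger's code. Scale, thresholds, vendors
and the concentration measure are assumptions for illustration only.
"""
from collections import Counter
from dataclasses import dataclass, field

# Quadrant names are taken from the post.
QUADRANTS = ("operational", "foreign_ownership", "financial_health", "reputational")

# Risk appetite: the maximum tolerated score (0-10) per quadrant. Assumed values.
RISK_APPETITE = {
    "operational": 6,
    "foreign_ownership": 4,
    "financial_health": 5,
    "reputational": 5,
}


@dataclass
class Vendor:
    name: str
    scores: dict                     # quadrant -> score 0..10
    manufacturing_country: str       # where its critical product is made
    history: list = field(default_factory=list)  # (quadrant, old, new) observations


def breaches(vendor, appetite=RISK_APPETITE):
    """Return the quadrants in which the vendor exceeds the risk appetite."""
    return [q for q in QUADRANTS if vendor.scores.get(q, 0) > appetite[q]]


def onboard(vendor, appetite=RISK_APPETITE):
    """Onboarding gate: approve only vendors inside appetite in every quadrant;
    otherwise flag the vendor for detailed review and say which quadrants failed."""
    failed = breaches(vendor, appetite)
    return ("review", failed) if failed else ("approved", [])


def monitor(vendor, quadrant, new_score, appetite=RISK_APPETITE):
    """Continuous monitoring: record a fresh observation for one quadrant and
    report True only when it newly pushes the vendor above the threshold
    (a vendor already above threshold does not generate a second alert)."""
    old = vendor.scores.get(quadrant, 0)
    vendor.scores[quadrant] = new_score
    vendor.history.append((quadrant, old, new_score))
    return new_score > appetite[quadrant] and old <= appetite[quadrant]


def jurisdiction_concentration(vendors):
    """Share of critical manufacturing per country and a Herfindahl-style
    index: sum of squared shares, from 1/n (evenly spread) up to 1.0
    (everything made in one country)."""
    counts = Counter(v.manufacturing_country for v in vendors)
    total = sum(counts.values())
    shares = {country: n / total for country, n in counts.items()}
    hhi = sum(s * s for s in shares.values())
    return shares, hhi


def sample_vendors():
    """Constructed sample data; the names, scores and countries are invented."""
    return [
        Vendor("Alpha Fab", {"operational": 3, "foreign_ownership": 2,
                             "financial_health": 4, "reputational": 1}, "US"),
        Vendor("Beta Components", {"operational": 3, "foreign_ownership": 7,
                                   "financial_health": 4, "reputational": 1}, "RU"),
        Vendor("Gamma Silicon", {"operational": 5, "foreign_ownership": 4,
                                 "financial_health": 2, "reputational": 3}, "RU"),
    ]


if __name__ == "__main__":
    vendors = sample_vendors()
    for v in vendors:
        print(v.name, onboard(v))
    # A later observation that financial health of Alpha Fab has deteriorated.
    print("new alert:", monitor(vendors[0], "financial_health", 8))
    shares, hhi = jurisdiction_concentration(vendors)
    print("shares:", shares, "HHI:", round(hhi, 3))
```

Running it approves Alpha Fab, sends Beta Components to review on foreign ownership, raises a single alert when Alpha Fab’s financial health score crosses the threshold, and shows two thirds of critical manufacturing concentrated in one jurisdiction (HHI 0.556). The threshold and scale are the knobs a company would set from its own risk appetite; the structure is what matters.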

Categories
Blog

Why Economic and Trade Sanctions Will Never Be the Same After the Russian Invasion

After the Russian invasion of Ukraine, the world of business will never be the same again. Deputy Attorney General (DAG) Lisa Monaco recently said that the world’s “geopolitical landscape is more challenging and complex than ever. The most prominent example is of course Russia’s invasion of Ukraine.” It is “nothing less than a fundamental challenge to international norms, sovereignty and the rule of law that underpins our society.” This is even more so in the current business climate.
Over this five-part series, I will consider how business will never again be the same and how a confluence of events has changed business forever. I am joined in this exploration by Brandon Daniels, Chief Executive Officer (CEO) of Exiger. We will explore the irrevocable changes in Supply Chain, trade and economic sanctions, anti-corruption, cyber-security and environmental, social and governance (ESG). In Part 2, we continue to explore the changes wrought by the Russian invasion of Ukraine, in the realm of economic and trade sanctions.
According to Daniels, one of the keys to sanctions and other punitive economic measures is to ensure that you are having the right impact through a comprehensive set of sanctions. You must do so while “making sure that you’re not hurting your allies and partners that can help unwind some of these undesirable or intolerable geopolitical situations.” This means that when thinking about economic sanctions, it is not simply a consideration of the sanctions already implemented; it is a broader consideration of “a comprehensive set of economic and trade policies that have been codified into legislation, through regulation and rulemaking, that set the tone for sanctions in the future sanctions and economic prohibitions in the future.”
Two precursors to the development of the US economic and trade sanctions response to the Russian invasion of Ukraine were the increase in economic and trade sanctions utilized by the Trump Administration and, most significantly, the passage of the National Defense Authorization Act on January 1, 2021, which included the Anti-Money Laundering (AML) Law of 2020. This was the first major update of federal AML laws since the Patriot Act was passed in the wake of 9/11. These two seemingly disparate developments set the stage so that when Russia invaded Ukraine, the Biden Administration, along with most western democracies, levied economic and trade sanctions in very short order against certain Russian individuals, Russian companies and Russia itself.
The US government had also been ramping up its economic and trade sanctions enforcement over the past several years. DAG Monaco has said that three such cases alone have led to over $1 billion in fines and penalties over the past 10 years, adding, “so we’re by no means starting on a blank canvas.” However, “what you have seen in the last few months is something completely different…The scope of the sanctions imposed on Russia by the United States and its allies and partners are of a new order of magnitude…We are pouring resources into sanctions enforcement, and you have seen and will continue to see results.” Indeed, she categorized economic and trade sanctions enforcement as “the new FCPA,” saying, “But it’s not just the war in Ukraine that has prompted a new level of intensity and commitment to sanctions enforcement. We have turned a corner in our approach. Over the last couple of months, I’ve given notice of that sea change by describing sanctions as ‘the new FCPA.’”
Daniels noted that these new rounds of sanctions based upon the Russian invasion of Ukraine are actually broader and more comprehensive because they strive to get at the root of an issue, which is intelligence gathering by state and non-state actors from US businesses. He pointed to the examples of the Chinese companies ZTE Corporation and Huawei Technologies Co., Ltd., which are subject to bans from the Federal Communications Commission (FCC) but which might still be supplying chips to suppliers further down your supply chain and, more nefariously, using those chips to engage in intelligence gathering and industrial espionage.
The economic and trade sanctions put in place before the Russian invasion of Ukraine, and those levied thereafter, are designed not simply to punish Russia but also to interdict its ability to wage war. This means sanctions will be used to disrupt Russia’s ability to fund the war through its banking sector. A further aim is to change non-democratic and unethical behaviors by making the cost of engaging in those behaviors prohibitively high.
One of the most interesting consequences in this area has been the increase in, and much greater publicity around, whistleblowers. Once again, the AML Law of 2020 set the stage for this by including a bounty provision under which any person or entity involved in reporting an economic and trade sanctions violation would be eligible for a bounty of up to 30% of any recovery. Perhaps the most visible byproduct has been the worldwide hunt for the multi-million- to billion-dollar yachts of Russian oligarchs. Whistleblowers and bounty hunters are actively looking for these yachts in order to turn their locations over to American authorities who can seize them.
But these seizures are only one step. As Daniels noted, the AML Law of 2020 also helps uncover the companies that own these yachts, and the companies that own those companies. In other words, transparency. Here one need only think of the Panama Papers, the Pandora Papers and the Paradise Papers to understand why the light of day is the best disinfectant for enforcing economic and trade sanctions.
Once again, as with supply chain, the government is now looking to businesses to help in this fight. The US government has enlisted the private sector as a key partner in the implementation of economic and trade sanctions to allow the US government “to go after those who profit from corruption and crime around the world — whether they are sanctions-evading oligarchs or office-holding bribe recipients. Working with our partners, we can ensure that corrupt regimes will be held responsible — whether we’re seizing yachts or freezing slush funds.”

Categories
Blog

Never the Same: Part 1 – Why Supply Chain Will Never Be the Same After the Russian Invasion

After the Russian invasion of Ukraine, the world of business will never be the same again. Deputy Attorney General (DAG) Lisa Monaco recently said that the world’s “geopolitical landscape is more challenging and complex than ever. The most prominent example is of course Russia’s invasion of Ukraine.” It is “nothing less than a fundamental challenge to international norms, sovereignty and the rule of law that underpins our society.” This is even more so in the current business climate.
Over this five-part series, I will consider how business will never again be the same and how a confluence of events has changed business forever. I am joined in this exploration by Brandon Daniels, Chief Executive Officer (CEO) of Exiger. We will explore the irrevocable changes in Supply Chain, trade and economic sanctions, anti-corruption, cyber-security and environmental, social and governance (ESG). In Part 1, we begin with changes in the supply chain as there may well be no area of businesses which has experienced the tectonic shifts that have occurred in the marketplace over the past couple of years than in Supply Chain.
Daniels identified three key reasons for these shifts. The first began with the realization of the untenable actions of the major player in the US supply chain, China. This realization had begun pre-pandemic, when the massive theft of US intellectual property by Chinese businesses became clear, which in turn led to a huge counterfeit goods problem coming out of China. Daniels estimated that “70% of the world’s counterfeit market is driven by China.” The second was the forced labor issue with China, particularly the treatment of the Uyghurs. This extensive use of forced labor gave China an economic advantage which in many cases could not be overcome. It was economic warfare by another name.
All of this was exacerbated by the pandemic, when we saw what it meant to have an economic and geopolitical adversary as one of your key suppliers during a true worldwide healthcare crisis. This confluence of events led to several key changes in thinking about supply chain. First, supply chain resilience is not just about weather events, logistics or just-in-time delivery. There is a much broader set of supply chain issues that had not come to the fore previously but came much more clearly into focus, such as geopolitical tensions. According to Daniels, “we realized that supply chain is multifaceted in terms of issues.”
Next came the recognition of the need for more and greater government oversight and regulation. The need to stamp out modern slavery led to the passage of the Uyghur Forced Labor Prevention Act. This law significantly expanded compliance requirements for companies to certify that goods made with forced labor in the Xinjiang Uyghur Autonomous Region of the People’s Republic of China do not enter the United States. Notably, the law created a rebuttable presumption that all goods produced in Xinjiang were produced using forced labor, with the burden of proof resting on companies to demonstrate that materials, parts and goods originating in China were not mined, produced or manufactured wholly or in part in Xinjiang. There was also a business and government realization that many of the key rare earth elements and minerals widely used in US manufacturing processes came from China and now Russia.
Daniels put all of this into perspective when he said, “you had this big earthquake in the pandemic, but then you had all these fault lines that we didn’t realize that were on the edge of a precipice. We were in these really brittle places and just all fell apart with the Russian invasion of Ukraine. From rare earth elements like neodymium which is used in securing an F35 to electric car batteries, to metals and heavy metals used in standard manufacturing processes such as aluminum, iron and neon; supply chain disruptions were all exacerbated by the Russian invasion of Ukraine on top of the ongoing disruptions from the pandemic and beyond.”
Finally, there was a new element in the supply chain calculus, what Daniels termed “the ethical conundrum.” Russia has engaged in a brutal, unjustified war that has disrupted the flow of goods and services from both Russia and Ukraine. Neon, a key element for processing chips, is heavily concentrated in Ukraine, as are some of our largest outsourced engineering software companies. As the US and EU governments have responded with a series of harsher and more robust economic and trade sanctions, the pressures on supply chain have increased. You must look at greater and more ongoing due diligence and greater sustainability.
These issues have moved beyond simply national security issues in the governmental and public sector. As DAG Monaco said, “Increasingly, you and your clients are on the front lines in responding to these geopolitical realities…our goal is not only to hold people accountable, but to disrupt these threats using all the tools available to us.” Private companies must understand they are now a part of what Daniels characterized as “continuous non-kinetic warfare.”
But in addition to this new type of warfare, of which every business is now a part going forward, it all ties back to US economic prosperity. While this was clear in the US adversarial relationship with China pre-pandemic, it accelerated during the pandemic and again after the Russian invasion of Ukraine. If you could not get a mask so that you could go to work during the pandemic, that health issue became an economic issue. If you were doing business with a Russian oligarch, the reputational damage will negatively impact your company’s top line, perhaps in a material manner.
Tomorrow we consider why economic and trade sanctions will never be the same.

Categories
Daily Compliance News

June 18, 2022 the MD Dishes on Goldman Edition

In today’s edition of Daily Compliance News:

  • Vince McMahon steps down as head of WWE. (NYT)
  • The current Peruvian President is under investigation for corruption. (WaPo)
  • Former Goldman MD attacks firm in an upcoming book. (Bloomberg)
  • DOJ wants companies to self-report sanctions violations. (WSJ)
Categories
Innovation in Compliance

Compliance Insights from Traliant: Episode 4 – Scott Schneider, Spotlight on Your Code of Conduct

Welcome to a special five-part podcast series on compliance insights, sponsored by Traliant. Over this series, we will discuss key issues on which Traliant is helping to lead and define the online training industry going forward. Over this five-part series, I will visit with John Arendes, Chief Executive Officer (CEO) at the company, on what is new at New Traliant and what the Department of Justice (DOJ) has communicated to the compliance community regarding its expectations around online training and communications; Maggie Smith, Vice President of Human Resources at Traliant, on the role of DEI in your corporate ESG program; and Scott Schneider, Head of Content Development at Traliant, on your Code of Conduct and anti-corruption training. In this Episode 4, I visit with Scott Schneider on the evolution and importance of the corporate Code of Conduct. Highlights include:

  • Culture is the key driver, and your Code of Conduct is the foundation for a broader discussion of what regulators look for in a compliance program.
  • How has the Code of Conduct evolved?
  • Your Code of Conduct should be more than simply aspirational, and your Code of Conduct training helps drive home values, ethics & culture.

Resources
Traliant Website
Scott Schneider on LinkedIn

Categories
Innovation in Compliance

Compliance Insights from Traliant: Episode 2-John Arendes on What the DOJ Wants

Welcome to a special five-part podcast series on compliance insights, sponsored by Traliant. Over this series, we will discuss key issues on which Traliant is helping to lead and define the online training industry going forward. Over this five-part series I will visit with John Arendes, Chief Executive Officer (CEO) at the company, on what is new at New Traliant and what the Department of Justice (DOJ) has communicated to the compliance community regarding its expectations around online training and communications; Maggie Smith, Vice President of Human Resources at Traliant, on the role of DEI in your corporate ESG program; and Scott Schneider, Head of Content Development at Traliant, on your Code of Conduct and anti-corruption training. In this Episode 2, I visit with John Arendes on DOJ communications around its expectations for training. Highlights include:

  • In DAG Lisa Monaco’s October 2021 speech, she said the DOJ would focus on corporate culture as a key indicator of compliance.
  • The DOJ has made clear that while longer-form online training is satisfactory, it expects companies to also develop short, direct compliance training for employees.
  • Since the release of the Evaluation of Corporate Compliance Programs, the DOJ has expected effective and targeted compliance training.

Resources
Traliant Website
John Arendes on LinkedIn

Categories
Blog

DOJ Training Expectations

Welcome to a special five-part blog post series on the New Traliant, sponsored by Traliant, LLC. Over this series, we will discuss key issues that Traliant is helping to lead and define the online training industry in going forward. I will visit with John Arendes, Chief Executive Officer (CEO), on what is new at Traliant and what the Department of Justice (DOJ) has communicated to the compliance community regarding its expectations around online training and communications; Maggie Smith, Vice President of Human Resources, on the role of diversity, equity and inclusion (DEI) in your corporate environmental, social and governance (ESG) program; and Scott Schneider, Head of Content Development, on your Code of Conduct and anti-corruption training. In Episode 2, I visit with John Arendes on DOJ communications around its expectations for training.
There have been multiple communications from regulators over the past couple of years about what they expect in training, first at the federal level from the DOJ and the Securities and Exchange Commission (SEC), and second at the state level, as many state regulators have also communicated their expectations around training. Last October, Deputy Attorney General (DAG) Lisa Monaco gave a speech in which she announced changes under the Biden administration’s DOJ enforcement of the Foreign Corrupt Practices Act (FCPA) and other white-collar crimes. For the first time the DOJ spoke about corporate culture, and Monaco said that companies and compliance officers need to assess their culture. Moreover, the DOJ would look at a company’s culture in an enforcement action.
All of this means that companies must strengthen their training and communications. Arendes said, “when you look at the very top of an issue it is always stemming from a culture at the top of an organization.” He believes culture should be inclusive, diverse and respectful. This means moving beyond standard, or even traditional, ‘check-the-box’ training. The DOJ assessment of corporate culture will require companies to go “beyond just checking the box.” Companies need training which offers practical advice and case studies and addresses real-life scenarios.
This is key to Traliant training; in Arendes’ words, “it’s based on real life. When we talk with our customers, they also say to us and communicate, here’s our culture and here’s what we’re trying to get to. How do you help us with that?” The Traliant approach is to create an entire program of courses that interlock with each other, to create a learning and engagement experience that can help a company either change its culture or reinforce it, in a documented and effective manner.
Another key that Arendes mentioned for anyone evaluating online training is its granularity. For instance, basic discrimination and harassment training for the healthcare community is different from that for the restaurant environment. You should begin with your vertical, or industry-specific, training. In healthcare that would be training based on the healthcare environment, so that your training is targeted to the right audience. From there you should look for scenarios built around different job positions. Arendes gave the example that a nurse working with a doctor faces different scenarios from a receptionist working with the same doctor.
We concluded with a discussion of the DOJ mandate for shorter, more focused compliance communications as a supplement to deeper-dive training. Here the Traliant approach is called ‘Spark’. In this approach, the training is designed to ‘spark’ a conversation. Organizations periodically use such communications to challenge the entire organization, which can facilitate ongoing conversations about specific aspects of culture, from DEI to safety to ESG to doing business ethically and in compliance. This also fits directly with the DOJ prescription of short, focused communications that can be effective. These can also be well documented, so that if a regulator comes knocking you can quickly and efficiently demonstrate targeted, effective communications.
While Arendes cautioned that such short, focused training should not be seen as deep-dive or comprehensive training, it can supplement deeper and richer training. Shorter training works well to reinforce deeper training, and you can roll out these shorter trainings at multiple times throughout the year to “give reinforcement to spark these conversations.” He concluded that at Traliant, “We have a whole standard library of those that come right out of the box with our library subscription and people are using them continuously, to do this reinforcement throughout the year. Based on their effectiveness and this new DOJ approach, I see those becoming more and more important to compliance programs.”
Join us for our next episode where we look at DEI training.
Check out the podcast with John Arendes this blog post is based upon here.

Categories
Everything Compliance

Episode 101, the Glencore Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows. In 2021, Everything Compliance was honored by W3 as a top talk show in podcasting. In this episode, we have the quintet of Jonathan Marks, Karen Woody, Jonathan Armstrong, Tom Fox and Matt Kelly. In this episode, we take up the Glencore FCPA settlement. We conclude with our fan favorite Shout Outs and Rants.

1. Karen Woody takes a deep dive into the history of Glencore, from its founding by Marc Rich in the 1980s through the allegations of bribery, corruption and market manipulation which led to the FCPA and CFTC settlements.  Woody shouts out the US National and state parks systems which provide much needed green spaces for Americans.

2. Matt Kelly takes a deep dive into the CCO certification issue and what it might mean for individual CCO criminal liability going forward. Kelly has a dual shout out and rant. He shouts out to the Boston Celtics for having the greatest NBA Finals Game 1 comeback to win the game. He rants about the DOJ failing to post the speech by AAG Kenneth Polite in which he announced the new requirement for CCO certification.

3. Jonathan Marks explores the role of internal audit in contributing to the compliance failures and what IA can do to facilitate a culture change at the company. Marks also has a dual shout out and rant. He shouts out to the Philadelphia Phillies for firing manager Joe Girardi and rants about Glencore’s press release about its updated compliance program, which he says “says nothing”.

4. Tom Fox considers the dual-monitor aspect of the resolution and the requirements of the monitorships. Fox reads out the names of the students and teachers who were killed in the recent massacre in Uvalde, TX.

5. Jonathan Armstrong explores the settlement from the UK perspective and considers what charges, if any, the UK Serious Fraud Office might bring against individuals. Armstrong shouts out to the Queen’s Platinum Jubilee and to Sir Andy Murray for speaking out against the murder of school children. Murray is a survivor of a similar event in Scotland.

The members of the Everything Compliance panel are:
  • Jay Rosen – Jay is Vice President, Business Development Corporate Monitoring at Affiliated Monitors. Rosen can be reached at JRosen@affiliatedmonitors.com
  • Karen Woody – One of the top academic experts on the SEC. Woody can be reached at kwoody@wlu.edu
  • Matt Kelly – Founder and CEO of Radical Compliance. Kelly can be reached at mkelly@radicalcompliance.com
  • Jonathan Armstrong – Our UK colleague, an experienced data privacy/data protection lawyer with Cordery in London. Armstrong can be reached at jonathan.armstrong@corderycompliance.com
  • Jonathan Marks – Partner, Firm Practice Leader – Global Forensic, Compliance & Integrity Services at Baker Tilly. Marks can be reached at jonathan.marks@bakertilly.com

The host and producer, ranter (and sometime panelist) of Everything Compliance is Tom Fox the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the Compliance Podcast Network.

Categories
Daily Compliance News

June 9, 2022 the FBI Sued Edition

In today’s edition of Daily Compliance News:

  • DOJ hires HP CCO to run Fraud Section. (WSJ)
  • Hui Chen moves to R&G Insights Lab. (WSJ)
  • Gymnasts sue FBI for $1bn. (WSJ)
  • New SEC rules on equity trades. (WSJ)
Categories
FCPA Compliance Report

Scott Schneider on Your Code of Conduct

In this episode of the FCPA Compliance Report I visit with Scott Schneider, Head of Content Development at Traliant. Scott has been in the compliance space for over 15 years and is passionate about the building blocks of a best practices compliance program, including Codes of Conduct. This week we take a deep dive into the foundational backbone of every compliance program, the Code of Conduct. Some of the highlights include:

  • Importance of Code of Conduct training.
  • Types of Code training.
  • Why have a Code of Conduct?
  • How does a Code of Conduct help establish culture?
  • Key areas the Code should cover.
  • How should a company develop its Code of Conduct?
  • When should a Code be revisited or reassessed?
  • The roles of Codes of Conduct and training down the road into 2025 and beyond.

Resources

Scott Schneider on LinkedIn
Traliant website