Category: The Corruption Files

The Corruption Files: Navigating Corporate Governance: The Hutchison Whampoa Scandal

What is stranger than fiction? The stories of worldwide corruption. In this podcast series, co-hosts Tom Fox, the Voice of Compliance and Mike DeBernardis, partner at Hughes Hubbard, discuss some of the most audacious corruption cases in anti-corruption enforcement. More importantly, they will discuss the lessons learned on what your organization can do to prevent running afoul of international anti-bribery laws.

In this episode of Season 2, Tom and Mike explore a unique corporate scandal from early 2000s Hong Kong involving Hutchison Whampoa Limited.

Unlike typical cases, there were no allegations of bribery, corruption, or significant financial penalties. Instead, the scandal revolved around the complex corporate governance issues and the control wielded by billionaire Li Ka-shing. The conversation delves into the importance of robust corporate governance, particularly in safeguarding the interests of minority shareholders in companies dominated by powerful individuals or families.

Tom and Mike highlight the expanding role of compliance professionals in overseeing corporate governance, especially with the rise of Environmental, Social, and Governance (ESG) criteria. They discuss the importance of board independence, the need for effective internal controls, and how compliance professionals can aid in board training. With compelling examples, such as the interlock of directors in the energy sector and the Blue Bell Ice Cream scandal, the episode provides a thorough insight into how corporate governance issues can impact reputations and operational integrity.

Key Highlights:

  • Corporate Governance and Compliance
  • The Role of Boards in Risk Management
  • Compliance Professionals and Corporate Governance
  • Importance of Independent Board Members
  • Internal Controls and Compliance
  • Training Boards for Effective Governance

Resources:

Mike DeBernardis on LinkedIn

HughesHubbardReed

Tom Fox

Instagram

Facebook

Category: Compliance Into the Weeds

Compliance into the Weeds: Everything Old is New Again – The John Deere FCPA Enforcement Action

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the recent Securities and Exchange Commission FCPA enforcement action involving John Deere.

The case centers on a $10 million civil penalty imposed by the SEC for bribery activities in the Thailand office of a newly acquired subsidiary, Wirtgen Group. This transgression spanned from 2017 to 2020, and despite having a code of business conduct, Wirtgen employees flouted rules by falsifying expenses, entertaining government officials at massage parlors, and engaging in a luxury sightseeing tour under the guise of a factory visit.

A critical issue was John Deere’s delayed integration of Wirtgen into its compliance program, leading to internal control lapses and obvious red flags in expense reports. Although Deere has since taken significant remedial actions, including firing culpable employees and enhancing its compliance and internal audit programs, the situation underscores persistent compliance challenges even for large, sophisticated firms. This episode serves as a reminder of the essential compliance lessons from past decades that firms must steadfastly adhere to.

Key Highlights:

  • Details of the Bribery Scheme
  • Internal Control Violations
  • Pre- and Post-Acquisition Due Diligence Issues
  • Remedial Steps and Improvements
  • Root Cause Analysis and Lessons Learned

Resources:

Matt in Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Category: Great Women in Compliance

Great Women in Compliance: Internal Controls and Compliance: Building a Successful Partnership

We emphasize the importance of “understanding the business” in Ethics & Compliance, which is absolutely critical to our success. One of the topics we discuss less frequently is how to work with other control functions, one of which is internal controls. Lisa is speaking about this topic at the SCCE CEI with Matt Kelly from Radical Compliance. In advance of the conference, Lisa Fine and Ellen Hunt co-hosted a roundtable discussion with Matt Kelly from Radical Compliance and Sarah Lawrence, Sr. Director of Internal Controls at Pearson.

In this episode, they discuss the history and purpose of internal controls and SOX, how they evolved, and how they work today. In particular, they focus on the difference between financial materiality and what E&C sees as areas for controls.

The whole group agreed that open lines of communication and coordination are fundamental to both of these control functions working together, and Sarah and Lisa discuss how they have built a collaborative relationship so that both the finance and compliance sides understand each other’s objectives and keep an open line to the benefit of both functions.

#GWIC is proud to announce that it has been nominated for the WomenInPodcastAwards. This is a people’s choice award and whether you vote for #GWIC or other nominees, we ask that you send the elevator back down by voting. Voting opens August 1, 2024, and details can be found on the #GWIC LinkedIn page at http://www.linkedin.com/groups/12156164

Resources:

Join the Great Women in Compliance community on LinkedIn here.

Category: Blog

Bank of America’s Corporate Culture Crisis: Part 3 – The Role of Internal Controls

Compliance professionals constantly seek to understand how systemic issues within corporate hierarchies can lead to severe consequences. The recent revelations about Bank of America’s (BoA) persistent workplace culture problems are a powerful reminder of compliance’s critical role in safeguarding employees and the organization.

This week, I will explore the BoA failure around workplace culture from various perspectives articulated by the Everything Compliance gang, including Karen Woody, Jonathan Armstrong, Matt Kelly, Karen Moore, and Jonathan Marks. This exploration will include the failure of internal controls, failures by the Board and senior management, culture failures around highly driven, self-selecting employees, and the cultural miasma that is BoA as seen from across the pond. In Part 3, we will consider the role of internal controls.

Internal controls are often seen as the backbone of an organization’s ability to operate efficiently, ethically, and within the bounds of the law. They serve as the safety net that catches errors, deters fraud, and ensures that policies are not just theoretical but are put into practice. However, the recent revelations in the Wall Street Journal (WSJ) surrounding the culture of overwork at a major financial institution, where junior bankers were expected to work excessively long hours, shine a spotlight on a critical failure in internal controls—not in their design, but in their execution and monitoring. This blog post will explore the lessons compliance professionals can learn from this situation, focusing on implementing, actively managing, and enforcing internal controls.

Understanding the Control Environment

The control environment is at the heart of any robust internal control system. This includes the corporate culture, employee attitudes toward internal controls, and the tone set by senior management. It’s the foundation upon which all other aspects of internal control are built. When the control environment is weak or toxic, as in the situation under discussion, the entire control structure can crumble.

In this case, BoA had ostensibly implemented controls to prevent overwork—junior bankers were required to self-report their working hours. If they exceeded a certain threshold, this would trigger a review by HR. However, this control was ineffective because those responsible for enforcing it did not take it seriously. Managers instructed their subordinates not to report excessive hours, bypassing the control entirely. Additionally, think about the basic conflict of interest (READ: Absurdity) in having the person the control was supposed to monitor be the one who inputs the information that activates the control.

For the compliance professional, this emphasizes that your control environment is only as strong as the commitment of those enforcing it. Senior management must set the tone and ensure that it resonates throughout the organization. When internal controls are ignored or undermined, it’s often a sign that the control environment is flawed.

The Role of Monitoring and Remediation

Internal controls are not static; they require ongoing monitoring and, when necessary, fine-tuning or remediation. In the BoA situation, the institution did not adequately monitor the effectiveness of its controls. Even after the tragic death of a junior banker, which should have been a clear signal that the controls in place were not working, there was no significant overhaul or improvement in the control environment.

Monitoring is a critical component of internal control, as it allows an organization to detect weaknesses and address them before they lead to significant issues. In this case, the failure to monitor and remediate allowed a toxic culture to persist for years, ultimately leading to repeated tragedies.

For the compliance professional, the lesson is clear: regular monitoring of internal controls is essential. When weaknesses are identified, they must be addressed promptly and effectively. A failure to remediate control weaknesses leaves an organization vulnerable to risks and can signal to employees that the controls—and the culture—are not taken seriously.

The Flaws of Self-Reporting as a Control

One of the most striking aspects of this case is the reliance on self-reporting as a key control mechanism. While self-reporting can be helpful, it is far from foolproof, especially in environments with significant pressure to conform to unrealistic expectations. In this instance, the control requiring junior bankers to self-report their hours was ineffective because the reporting was neither enforced nor monitored.

The problem with self-reporting as a control is that it places the onus on the individuals being controlled, which can create a conflict of interest. Employees may feel pressured to underreport or falsify their time to meet expectations or avoid repercussions. Without independent verification and oversight, self-reporting is unlikely to be reliable.

For the compliance professional, the lesson could not be starker. Self-reporting should not be relied upon as the sole or primary control in a high-risk environment. It should be supplemented with independent verification methods, such as automated time tracking, regular audits, or cross-referencing with other data sources. This approach ensures that the data collected is accurate and that controls are truly effective.

Automation and Technology in Internal Controls

Given BoA’s size and sophistication, it is somewhat perplexing that more robust, automated controls were not implemented. In today’s technologically advanced world, numerous tools can automatically track employee hours, monitor for signs of overwork, and flag potential issues for review. These tools can remove the burden of self-reporting and provide more accurate, real-time data.

For example, many organizations use software that tracks employee computer activity, monitors login and logout times, and even tracks time spent on specific tasks. This data can then be used to identify patterns of overwork and take proactive measures to prevent burnout or health issues.
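The cross-referencing described above (independent verification of self-reported hours against login data, and automated flagging of overwork) worked through as an added example; this is illustrative code, not anything BoA or the WSJ reporting describes. The badge records, self-reports, employee names and the 4-hour tolerance are constructed; the 80-hour weekly limit is the one mentioned on this page.

```python
"""Independent verification of self-reported working hours (added example).

Weekly hours that employees self-report are reconciled against badge in/out
records held by a separate system, so the control no longer depends solely on
the person it is meant to monitor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WEEKLY_LIMIT_HOURS = 80.0   # limit mentioned on the page
TOLERANCE_HOURS = 4.0       # assumed slack before a reporting gap is flagged

# Constructed badge records: "<employee> <date> <in>-<out>" (out may be past midnight)
BADGE_RECORDS = """\
alice 2024-08-05 08:00-22:00
alice 2024-08-06 08:00-22:00
alice 2024-08-07 08:00-22:00
alice 2024-08-08 08:00-22:00
alice 2024-08-09 09:00-01:30
alice 2024-08-10 08:00-20:00
bob   2024-08-05 09:00-18:00
bob   2024-08-06 09:00-18:00
bob   2024-08-07 09:00-18:00
carol 2024-08-05 08:00-20:00
carol 2024-08-06 08:00-20:00
"""

# Constructed self-reports keyed by (employee, Monday of the week); carol filed nothing.
SELF_REPORTS = {
    ("alice", "2024-08-05"): 70.0,
    ("bob", "2024-08-05"): 27.0,
}


def week_start(moment):
    """ISO date of the Monday that starts the week containing `moment`."""
    return (moment - timedelta(days=moment.weekday())).date().isoformat()


def observed_hours(records):
    """Sum badge sessions into hours per (employee, week_start)."""
    totals = defaultdict(float)
    for line in records.splitlines():
        if not line.strip():
            continue
        employee, day, span = line.split()
        start_s, end_s = span.split("-")
        start = datetime.fromisoformat(f"{day}T{start_s}")
        end = datetime.fromisoformat(f"{day}T{end_s}")
        if end <= start:  # badge-out after midnight: the session ends the next day
            end += timedelta(days=1)
        # Hours are attributed to the week in which the session started.
        totals[(employee, week_start(start))] += (end - start).total_seconds() / 3600
    return dict(totals)


def reconcile(records, reports, limit=WEEKLY_LIMIT_HOURS, tolerance=TOLERANCE_HOURS):
    """Return, per (employee, week), the findings that should go to HR/compliance review."""
    findings = {}
    for key, hours in sorted(observed_hours(records).items()):
        issues = []
        reported = reports.get(key)
        if hours > limit:
            issues.append("OVER_LIMIT")        # the threshold itself was breached
        if reported is None:
            issues.append("MISSING_REPORT")    # the self-report control was bypassed
        elif hours - reported > tolerance:
            issues.append("UNDERREPORTED")     # self-report disagrees with badge data
        if issues:
            findings[key] = {"observed": round(hours, 2), "reported": reported, "issues": issues}
    return findings


if __name__ == "__main__":
    for (employee, week), f in reconcile(BADGE_RECORDS, SELF_REPORTS).items():
        print(f"{employee}, week of {week}: badge {f['observed']}h, "
              f"reported {f['reported']}: {', '.join(f['issues'])}")
```

The key design point is that the badge data comes from a system the employee and their manager cannot edit, so an instruction "don't report your hours" produces a MISSING_REPORT finding rather than silence.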

For the compliance professional, it is a direct lesson that leveraging technology can significantly enhance the effectiveness of internal controls. Automated systems can provide continuous monitoring, reduce the risk of human error, and offer objective data that can be used to identify and address potential issues before they escalate.

The Importance of a Holistic Approach

Finally, every compliance professional must recognize that internal controls cannot operate in a vacuum. Internal controls must be part of a broader, holistic approach to risk management and compliance. This includes fostering a strong ethical culture, regularly training employees at all levels, and ensuring transparent, accessible channels for reporting concerns.

With BoA, the failure was not just in the specific control related to work hours—it was a systemic failure across the organization. The culture of overwork was allowed to persist because the control environment was weak, monitoring was inadequate, and there was no serious commitment to remediation.

This final lesson learned for the compliance professional is that internal controls are just one piece of the puzzle. To be truly effective, they must be integrated into a comprehensive risk management framework that includes strong ethical leadership, ongoing education, and a commitment to continuous improvement.

Internal Controls as a Reflection of Corporate Culture

The tragic situation at BoA is a stark reminder of the critical importance of internal controls in maintaining compliance and a healthy and sustainable corporate culture. Internal controls are more than checkboxes—they reflect an organization’s values and priorities. When controls are ignored or undermined, they send a message that compliance, and by extension, employee well-being, is not a priority.

For compliance professionals, the key takeaway is clear: internal controls must be actively managed, monitored, and enforced. They must be part of a broader effort to create a culture of integrity and accountability. Perhaps most importantly, they must be seen as a dynamic system that requires constant attention and adjustment to remain effective. In a world where pressure on employees is greater than ever, robust internal controls are not just a regulatory requirement but a moral imperative.

Category: Compliance Into the Weeds

Compliance into the Weeds: Toxic Workplace Culture at Bank of America

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject. Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the toxic workplace culture at Bank of America (BoA) around hours worked by junior employees, in spite of senior management saying the right things.

BoA’s investment banking division has long been plagued by a toxic work culture, characterized by overworked junior employees and severe health crises, despite repeated assurances of reform. Tom and Matt discuss these pervasive issues within BoA’s work environment. Fox highlights the tragic consequences of this toxic culture, such as the deaths of junior employees, and criticizes the company’s failure to implement effective reforms, attributing this to a lack of accountability and ethical leadership. Kelly echoes this sentiment, emphasizing the necessity for senior management to set clear expectations and consequences for middle managers who perpetuate unethical behavior. Both stress the need for senior management to address the deep-seated cultural dysfunction, impose consequences, and foster a healthier, rule-abiding workplace to prevent further tragedies and promote employee well-being.

Key Highlights:

  • Toxic Workplace Culture at Bank of America
  • Proactive Controls for Preventing Employee Overwork
  • Consequences of Middle Managers in Corporate Culture
  • Cultural Impact: Negative Attitudes in Organizations

Resources:

Matt in Radical Compliance

How Bank of America Ignores Its Own Rules Meant to Prevent Dangerous Workloads, by Alexander Saeedy in the WSJ

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Category: Compliance Tip of the Day

Compliance Tip of the Day: Bank of America, Culture and Internal Controls

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements.

Whether you’re a seasoned compliance professional or just starting your journey, our aim is to provide you with bite-sized, actionable tips to help you stay on top of your compliance game.

Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law.

Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Today we look at the recent report from the WSJ on Bank of America managers instructing junior employees to lie about the hours they work so that the 80-hour limit is never triggered.

For more information on the Ethico ROI Calculator and a free White Paper on the ROI of Compliance, click here.

To check out The Compliance Handbook, 5th edition, click here.

Category: Blog

Internal Control Lessons from Star Trek: The Doomsday Machine

Last month, I wrote a blog post on the tone at the top, exemplified in the Star Trek: The Original Series episode Devil in the Dark. Based on the response, some passionate Star Trek fans are out there. I decided to write a series of blog posts exploring Star Trek: The Original Series episodes as guides to the Hallmarks of an Effective Compliance Program set out in the FCPA Resource Guide, 2nd edition. Today, I will begin a two-week series looking at the 10 hallmarks of an effective compliance program laid out by the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in the FCPA Resource Guide, 2nd edition.

Today, I wanted to watch one of my favorite and iconic episodes, The Doomsday Machine. I believe it offers more than just gripping sci-fi action; it provides valuable insights into internal control principles. For compliance professionals and business managers, the narrative unfolds a series of challenges and solutions that mirror real-world scenarios where robust internal controls are crucial. Let us dive deeply into the internal control lessons we can learn from this episode.

In The Doomsday Machine, the USS Enterprise encounters the wreckage of the USS Constellation and a giant, automated weapon of mass destruction known as the “doomsday machine.” Commodore Matt Decker, the sole survivor from the Constellation, is found traumatized and determined to destroy the machine, even at the risk of the Enterprise’s safety. As Captain Kirk and his crew navigate the threat, they must also deal with Decker’s erratic command decisions, ultimately working to regain control and neutralize the menace.

Lesson 1: The Importance of a Clear Chain of Command

When Commodore Decker assumes command of the Enterprise, the disruption of the established chain of command illustrates the chaos that can ensue when authority is not clearly defined or respected. Decker’s actions, driven by personal trauma and a lack of understanding of the Enterprise’s capabilities, lead to several risky decisions. The internal control lesson is that a transparent chain of command is essential to ensure that decision-making processes are streamlined and effective. Internal controls should clearly define roles and responsibilities, ensuring authority is delegated appropriately. This allows for clarity and mitigates the risk of individuals making decisions beyond their scope of knowledge or capability.

Lesson 2: Risk Assessment and Management

The Enterprise crew must quickly assess the threat posed by the doomsday machine. Understanding the machine’s power and behavior is critical to formulating an effective response strategy. Kirk and Spock’s ability to analyze the situation and adapt their plans underscores the importance of risk assessment. The internal control lesson is that companies must continuously identify and assess potential risks to their operations. Implementing internal controls involves establishing procedures for risk assessment, including regular evaluations and updates to risk management strategies. This ensures that businesses remain agile and responsive to emerging threats.

Lesson 3: Crisis Management and Decision-Making

As the situation escalates, the Enterprise crew must make rapid decisions to avert disaster. Decker’s emotional state and inability to make rational decisions highlight the need for effective crisis management protocols. The lesson is that effective crisis management is integral to internal controls. Organizations should develop comprehensive crisis management plans that include clear guidelines for decision-making under pressure. Training and simulations can prepare employees to handle crises calmly and efficiently, minimizing the impact on operations.

Lesson 4: Operational Controls and Communication

The interactions between Kirk, Spock, and the rest of the crew emphasize the necessity of clear communication and cooperation. Spock’s adherence to logical reasoning and Kirk’s ability to inspire teamwork highlight how effective communication is crucial to executing complex operations. The internal control lesson is that operational controls rely heavily on clear communication channels within an organization. Ensuring that information flows freely and accurately between departments helps maintain efficiency and reduces the likelihood of errors. Internal controls should establish standardized communication protocols to support coordination and collaboration.

Lesson 5: Monitoring and Adaptability

Throughout the encounter with the doomsday machine, the crew continuously monitors the situation and adapts their strategies. Kirk and Spock’s ability to adjust their tactics based on real-time information is vital to their success. The internal control lesson is that continuous monitoring and adaptability are key to effective internal controls. Businesses should implement systems that allow for ongoing evaluation of processes and outcomes. This enables them to detect issues promptly and adjust strategies to maintain operational integrity.

The Doomsday Machine is a compelling narrative that underscores the importance of strong internal controls in navigating complex challenges. From maintaining a transparent chain of command to ensuring effective communication and crisis management, the lessons drawn from this episode apply to any organization striving for excellence in compliance and operational efficiency.

As business managers and compliance professionals, we can draw inspiration from Captain Kirk and his crew. We recognize that robust internal controls prevent failures and empower organizations to respond effectively to unexpected challenges. By applying these lessons, businesses can create resilient structures capable of withstanding even the most daunting threats.

Join us tomorrow as we consider the lessons on CCO authority, resources, and expertise from the Star Trek episode The Galileo 7.

Category: FCPA Survival Guide

FCPA Survival Guide – Step 9 – Internal Controls

How can you survive an FCPA enforcement action? In this special podcast series, Tom Fox and Nick Gallo outline the Top 10 things you can do to reduce your overall fine and penalty, perhaps down to a complete declination. All of the actions you can take come from recent DOJ prosecutions under the FCPA and speeches from DOJ representatives. This podcast, sponsored by Ethico, is the companion series to the book The FCPA Survival Guide: Surviving and Thriving a Foreign Corrupt Practices Act Enforcement Action. Today, we discuss lesson number nine: internal controls.

Tom and Nick delve into the importance of internal controls in compliance, emphasizing the pivotal role they play in business operations. After studying the COSO Framework, Tom shares his transformation into a firm believer in internal controls, underscoring that robust financial controls can cover a significant portion of compliance requirements. They discuss real-world examples, including SAP’s lack of payment process controls and ABB’s successful avoidance of a monitor through proactive measures. The episode highlights the necessity of continuous improvement and collaboration between legal, financial, and business units to ensure the effectiveness of internal controls and the appropriate handling of overrides. The session concludes with a nod to the upcoming episode on speak-up, triage, and internal investigation.

Key Highlights and Issues

  • The Importance of Internal Controls
  • Financial Controls and Compliance
  • Continuous Improvement in Internal Controls
  • Effective Collaboration and Overrides

Resources:

Nick Gallo on LinkedIn

Ethico

The FCPA Survival Guide: Surviving and Thriving a Foreign Corrupt Practices Act Enforcement Action

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Category: Compliance Into the Weeds

Compliance into the Weeds: Major Cybersecurity Incidents and Regulatory Challenges

The award-winning Compliance into the Weeds is the only weekly podcast that takes a deep dive into a compliance-related topic, literally going into the weeds to more fully explore a subject.

Looking for some hard-hitting insights on compliance? Look no further than Compliance into the Weeds!

In this episode, Tom Fox and Matt Kelly take a deep dive into the dismissal of the SEC’s enforcement action against SolarWinds and into the CrowdStrike cybersecurity failures.

Tom and Matt begin with UnitedHealth’s costly ransomware attack, a federal judge’s ruling against the SEC’s lawsuit over SolarWinds’ cybersecurity practices, and CrowdStrike’s flawed software update impacting global corporations.

The episode explores the regulatory challenges of enforcing effective cybersecurity controls and the implications for companies and their compliance programs. The discussion highlights the need for better IT general controls and the role of different stakeholders, including Congress, regulatory agencies, and audit firms, in addressing these cybersecurity risks.

Key Highlights:

  • UnitedHealth Ransomware Attack Breakdown
  • SolarWinds Cybersecurity Lawsuit
  • Regulatory Challenges and Implications
  • Operational Risk Management and IT Controls
  • Call to Action for Compliance and Audit Professionals

Resources:

Matt on Radical Compliance

Tom

Instagram

Facebook

YouTube

Twitter

LinkedIn

Category: Everything Compliance

Everything Compliance: Episode 137, The Boeing Pleads Guilty Edition

Welcome to the only roundtable podcast in compliance as we celebrate our second century of shows.

In this episode, we welcome Karen Moore as a permanent panelist.

We have one topic for this episode, the Boeing guilty plea, which we slice and dice from a variety of perspectives. Karen is joined by Jonathan Marks, Jonathan Armstrong, and Matt Kelly as panelists, all hosted by Tom Fox.

  1. Karen Moore considers that there are multiple stakeholders involved with Boeing and will they be covered in the resolution? She shouts out to the UK for their seamless transition of power after the July 4 election and to the Men’s Football team for making the UEFA Cup Final.
  2. Matt Kelly asks multiple questions about the form of the guilty plea and what it may mean for compliance professionals going forward. He rants about Tractor Supply which ditched its DEI and sustainability efforts based on one Twitter campaign.
  3. Jonathan Armstrong takes a look at the Boeing plea deal from his uniquely British perspective, with 3 takeaways. He shouts out to the new British Prime Minister, Sir Keir Starmer.
  4. Jonathan Marks considers corporate governance and internal control failures. He rants about Board members who do not understand Board governance.
  5. Tom Fox shouts out to Pittsburgh rookie Paul Skenes for his great first season and being named the Starting Pitcher for the All-Star Game.

The members of Everything Compliance are:

The host, producer, ranter (and sometimes panelist) of Everything Compliance is Tom Fox, the Voice of Compliance. He can be reached at tfox@tfoxlaw.com. Everything Compliance is a part of the award-winning Compliance Podcast Network.