Categories
Compliance Tip of the Day

Compliance Tip of the Day – Boards and Operationalizing Compliance

Welcome to “Compliance Tip of the Day,” the podcast where we bring you daily insights and practical advice on navigating the ever-evolving landscape of compliance and regulatory requirements. Whether you’re a seasoned compliance professional or just starting your journey, we aim to provide bite-sized, actionable tips to help you stay on top of your compliance game. Join us as we explore the latest industry trends, share best practices, and demystify complex compliance issues to keep your organization on the right side of the law. Tune in daily for your dose of compliance wisdom, and let’s make compliance a little less daunting, one tip at a time.

Your Board must work to fully operationalize compliance at all levels of your organization.

For more information on the Ethico Toolkit for Middle Managers, available at no charge, click here.

Check out the full 3-book series, The Compliance Kids, on Amazon.com.

Categories
FCPA Compliance Report

FCPA Compliance Report: Unlocking Financial Gains Through Proactive Compliance: Insights with Nicolas Tollet

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this edition of the FCPA Compliance Report, Tom Fox cross-posts the first episode of a new podcast series from Nicolas Tollet, partner at Hughes Hubbard & Reed.

In this episode, Tollet delves into the substantial financial benefits stemming from robust compliance measures. Tollet recounts a company’s journey through two deferred prosecution agreements (DPAs) related to bribery and corruption allegations in Africa and Brazil, detailing how proactive compliance actions saved the company approximately $100 million. He emphasizes the crucial role of an independent monitor and in-depth compliance reviews in identifying and mitigating misconduct. Tollet explores the implementation of compliance policies and training programs, drawing comparisons with high-profile cases like Walmart’s FCPA settlement, to illustrate the long-term financial stability and operational integrity gained through early compliance investment.

Highlights in this Episode:

  • The First Deferred Prosecution Agreement (DPA)
  • The Second DPA and Lava Jato Investigation
  • Compliance as a Competitive Advantage
  • Detecting and Addressing Misconduct
  • Remediation and Strengthening Compliance
  • Financial Benefits of Compliance
  • Comparing with Walmart FCPA Case

Resources:

Nicolas Tollet at Hughes Hubbard & Reed

For an audio/video version of the Compliance Kids book, Speaking Up is AWESOME, contact Tom Fox.

Categories
Blog

Operationalizing Compliance Through Payroll

One of the areas articulated in the 2023 ECCP was around payments and payroll. The compliance professional and the corporate payroll function have a significant role to play in operationalizing a corporate compliance program. The 2023 ECCP was replete with references to payment and its critical nature to any best practices compliance program. This includes references to foreign officials, payments to third parties, and hiding bribes in distributor payments.

The 2023 ECCP begins with a warning to stop wasting time on low-hanging fruit when there are much higher risks in your business operations. It states:

Risk-Tailored Resource Allocation—Does the company devote a disproportionate amount of time to policing low-risk areas instead of high-risk areas, such as questionable payments to third-party consultants, suspicious trading activity, or excessive discounts to resellers and distributors? Does the company give greater scrutiny, as warranted, to high-risk transactions (for instance, a large-dollar contract with a government agency in a high-risk country) than to more modest and routine hospitality and entertainment?

It then drills down into the payment and payroll systems, stating:

Appropriate Controls—How does the company ensure a proper business rationale for using third parties? If third parties were involved in the underlying misconduct, what was the business rationale for using those third parties? What mechanisms exist to ensure that the contract terms specifically describe the services to be performed, that the payment terms are appropriate, that the described contractual work is performed, and that compensation is commensurate with the services rendered?

Payment Systems—How was the misconduct in question funded (e.g., purchase orders, employee reimbursements, discounts, petty cash)? What processes could have prevented or detected improper access to these funds? Have those processes been improved?

These questions may not seem new, innovative, or even different from what payroll currently does for an organization. However, the 2023 ECCP demonstrates the role of payroll in compliance. The 2023 ECCP requires that payroll not only form a part of any best practices compliance program, but when it comes to the specific subject matter expertise, payroll is on the front lines of any attempts to prevent, detect, and remediate anti-corruption compliance violations.

The FCPA prohibits “anything of value” from being provided to foreign government officials or employees of state-owned enterprises to obtain or retain business. This “anything of value” is almost always money, and that money must come from somewhere inside the company. While the Watergate admonition to “follow the money” remains valid in any compliance issue, the 2023 ECCP speaks in much more depth about payroll’s responsibility in a corporate compliance program. There must be verifiable controls that not only detect fraudulent payments but also work to prevent any such payments.

Yet when the inquiries are read together, they paint a broader picture than simply tasking payroll with the responsibility to prevent fraudulent leakage of money that could be used to fund bribes. The questions around the approval and certification process should be a standard part of any payroll system. This has the effect of operationalizing the responsibility up and down the management chain, from the individual employee up through their manager(s) and eventually to the highest level of management involved in the process. This level of operationalization is designed not only to put a set of brakes in place but also to work to put a second set of eyes on the entire payroll process.

Finally, payment systems have a role in the remediation phase of any best practices compliance program. If a payroll control failure led to or even allowed a compliance violation, what was done to fix the control issue? Here, payroll should work to perform a root cause analysis of what led to the control failure and then enhance or upgrade the control to provide a solution going forward. Of course, there should be a fully documented audit trail for this work to provide to the government should they ever come knocking, or even to your corporate auditors.

This means that not only can payroll be one of the compliance function’s strongest corporate allies, but that the role of payroll, by its nature, works to operationalize compliance. This is because to implement the appropriate internal controls around compliance, payroll must know the specific requirements of the FCPA and know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an understanding of the appropriate compliance internal controls to implement around payroll and payments.

This is particularly true around offshore payments, generally defined as payments made to a location other than the home domicile of the payee or the area where the services were delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people in payroll on this issue, they may well pick up the phone and notify compliance when they see a request for payment in a geographic location separate from one of the two standard payment venues. Those are the types of communications that, when properly documented, demonstrate your compliance program is operationalized into the fabric of the organization.

Another way to view it: if there is a payroll control for such a scenario that notes the exception and requires the clearance of a red flag through additional investigation, elevation for approval, and documentation of the entire process, it operates as both a financial control and a compliance control. It strengthens the company’s internal controls to both prevent and detect compliance risks going forward.

There are several specific internal payroll controls that will facilitate a company operationalizing its compliance program, as required under the 2023 ECCP. These controls help keep an eye on the money trail, as the money to pay a bribe is usually hidden in some company expenditures. The four general areas of payroll control should include: 1) segregation of duties; 2) accountability, authorization, and approval; 3) security of assets; and 4) review and reconciliation.

To meet these four general goals, consider using a selection of the following controls for payroll systems, irrespective of how timekeeping information is accumulated or how employees are paid:

Audit. Have either internal or external auditors conducted an annual audit of payroll accuracy?

Change authorizations. Only allow a change to an employee’s marital status, withholding allowances, or deductions if the employee has submitted a written and signed request for the company to do so. Any change request should be reviewed and approved by a senior manager.

Change tracking log. If you are processing payroll in-house with a computerized payroll module, have secure change tracking to provide an audit trail.

Expense trend lines. This is your data, and it is within your company somewhere. Look for changes in payroll-related expenses in the financial statements and then investigate if warranted.

Issue payment reports to supervisors. Request supervisors review payroll summaries for correct payment amounts and unfamiliar names.

Restrict access to records. Prevent unauthorized access to payroll records.

Segregation of duties. You should never allow one person to prepare the payroll, authorize it, and create payments.

The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is payroll. All CCOs need to sit down with their head of payroll, have them explain the role of payroll, and then review the internal controls in place to see how they facilitate compliance goals. From that review, you can then determine how to use payroll to help operationalize your compliance program.

The DOJ has now provided its clearest statement on how it expects a company to actually comply going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process that should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and control.

Categories
FCPA Compliance Report

FCPA Compliance Report – Carlos Villagrán Muñoz on Implementing Effective Compliance Programs in Latin America

Welcome to the award-winning FCPA Compliance Report, the longest-running podcast in compliance. In this episode, Tom Fox welcomes Carlos Villagrán Muñoz, Chief Compliance Officer at CMPC in Chile. We discuss operationalizing compliance at CMPC and in Latin America.

Carlos Villagrán Muñoz is a seasoned Chilean attorney with considerable experience in implementing and advancing compliance programs in Latin America. His perspective on the subject is shaped by his extensive experience and understanding of the unique challenges in the region. Carlos identifies two major hurdles in implementing effective compliance programs in Latin America: the need to tailor programs to both global and local contexts due to cultural nuances and differing perceptions of corruption and the pressing issue of money laundering, fueled by illegal activities such as corruption, drug trafficking, and human trafficking. He believes that Latin America lags in anti-money laundering efforts, which are crucial in combating corruption, and advocates for compliance programs that address these issues while considering cultural differences. Join Tom Fox and Carlos Villagrán Muñoz as they delve deeper into these topics and more in this episode of the FCPA Compliance Report podcast.

Key Highlights

  • CMPC’s Compliance Program Addressing Antitrust Infringement
  • Navigating Cultural Nuances and Money Laundering: Compliance Challenges in Latin America
  • CMPC’s Comprehensive Compliance Training Program
  • The Rise of Technologically Savvy Compliance Experts in Chile
  • Dynamic Networking Opportunities for Compliance Professionals

Resources

Carlos Villagrán Muñoz on LinkedIn

The FinCEN Report Company

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective Written Standards: Day 6 – Operationalization of your Code of Conduct

How can you work to operationalize your Code of Conduct as articulated in the DOJ 2023 Evaluation of Corporate Compliance Programs (ECCP)? The 2023 ECCP focuses not on whether a company has a paper compliance program but on whether a company is actually doing compliance. A company does compliance by moving it into the functional business units as a part of an overall business process. That is what makes a compliance program effective at the business level. There are several different parts of the 2023 ECCP that touch upon your Code of Conduct.

The Code of Conduct design and implementation process enshrines your company’s values. Those values are set by senior management, and their input and support for any code project, whether an initial draft or an update, is critical. This gets to the heart of operationalization and demonstrates how a Code of Conduct can work to meet the DOJ requirements. As an early part of your design and drafting process, you should assemble a cross-functional team. This is important for several reasons. First, diversity in your team will help produce a more well-rounded final product. Second, such team diversity will also assist in your benchmarking effort, along with those who will help you review designs and perhaps shape the design of the code. Finally, you can use the group to help in the drafting, redrafting and editing process. This diversity will help you to answer all of the DOJ questions from the 2019 Guidance in a manner that supports operationalization.

All of these requirements point to getting out and making your Code of Conduct a part of the very fabric of your organization. By using some or all of these strategies, you will have a good starting point. But it is more than simply rollout and training. There must be ongoing communications as well.

Three key takeaways:

  1. What has been the role of senior management in the creation or update of your Code of Conduct?
  2. How have you worked with employees outside the compliance function to lay the groundwork for fully operationalizing your Code of Conduct?
  3. How have you measured the effectiveness of your Code of Conduct training?

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
Blog

Operationalizing Compliance With 10 Questions for HR

Operationalizing compliance is the crucial step in creating an effective compliance program within an organization. It involves cascading compliance goals to all levels of the organization and fostering a culture of compliance. This process requires clarity and comparability of goals, focusing on high-risk areas first, and gradually expanding initiatives. Ethical business conduct should be a top priority, with HR playing a key role in attracting and developing talent. Continuous improvement and performance tracking are also crucial for identifying gaps and developing key compliance indicators.

Root cause analysis is a key process in identifying the reasons behind compliance failures and implementing effective solutions. It involves understanding what allowed the compliance issue to arise, rather than simply assigning blame, so that organizations can address the core issues and implement effective measures to prevent future compliance failures.

To operationalize compliance effectively, organizations need to consider several key factors. One of the first factors is the interconnectedness of targets. Compliance goals should be cascaded down to individual workers, ensuring that everyone understands their role in achieving compliance objectives. While tone at the top is important, it is equally crucial to establish an appropriate tone in the middle and at the bottom of the organization.

Clarity and comparability of goals is another important factor. Compliance targets should be clearly communicated and understood by all employees. Complex goals can lead to confusion and hinder the operationalization process. Focusing on high-risk areas first and gradually expanding initiatives can help manage risks effectively and ensure a systematic approach to compliance.

The role of HR in operationalizing compliance cannot be overstated. HR should take the lead in showing that attracting and developing talent who will engage in ethical business conduct is a top priority. By creating the appropriate mindset of doing business the right way throughout the organization, HR can contribute to the successful operationalization of compliance.

Continuous improvement and performance tracking are essential for identifying gaps in the compliance program. Monitoring compliance programs in real-time and reacting quickly to remediate them is crucial. Auditing and monitoring should work in tandem to uncover and evaluate risks. Key compliance indicators, such as hotline or helpline reports, can provide valuable insights into the effectiveness of the compliance program.

While operationalizing compliance is essential, organizations must also consider the impact on employees. Talent acquisition and retention is a critical business function. Retaining top employees who engage in ethical business conduct is crucial for the long-term success of the compliance program. By promoting and rewarding employees who adhere to the code of conduct, organizations can create a culture of compliance and operationalize it fully.

Balancing these factors can be challenging. Organizations must weigh the tradeoffs involved in cascading compliance goals, clarifying goals, and addressing high-risk areas. They must also consider the challenges associated with monitoring and auditing, as well as the importance of root cause analysis and employee retention.

What are the 10 questions you should ask to test, monitor and improve these issues?

  1. How are compliance goals cascaded down to individual workers?
  2. Does anyone complain that your compliance targets are too complex?
  3. How do you deal with repeated compliance failures in a specific business segment or compliance program area?
  4. How does your company show that attracting and developing talent who will engage in ethical business conduct is a top priority?
  5. How long is compliance underperformance tolerated?
  6. What makes it distinctive to work at your company?
  7. How do compliance programs that are not working typically get exposed and remediated?
  8. What key compliance indicators do you use for compliance tracking?
  9. For a given compliance problem, how do you identify the root cause?
  10. What are you doing to retain your top employees from the compliance perspective?

In conclusion, operationalizing compliance is a key component of an effective compliance program. By considering the interconnectedness of targets, clarity and comparability of goals, the role of HR, continuous improvement and performance tracking, root cause analysis, and employee retention, organizations can successfully operationalize compliance and prevent future compliance failures. It is crucial to strike a balance between these factors and consider the impact on employees when making decisions about operationalizing compliance and root cause analysis.

Categories
31 Days to More Effective Compliance Programs

One Month to More Effective HR in Compliance: Day 1 – The Role of HR in Compliance

When it comes to operationalizing a successful compliance program, HR is an essential part of the equation. HR has many touch points with employees, from interviews to onboarding, and can be used to connect the dots in many divergent elements of a compliance and ethics program. HR can take the lead in operationalizing compliance at each of these touch points, such as pre-employment screening and interviewing, onboarding training, annual assessments and reviews, and promotions to exit strategies.

The Compliance Podcast Network’s One Month to a More Effective Compliance Program provides four steps to ensure an effective compliance program. These steps include establishing a consistent application of disciplinary actions and incentives across the organization, utilizing an incentive system to incentivize compliance and ethical behavior, and providing examples of actions taken, such as promotions and awards denied as a result of compliance and ethical considerations. Additionally, it is important to identify who determines the compensation, including bonuses, as well as the discipline and promotion, of compliance personnel.

HR can help operationalize a compliance program by getting the message out through their distribution channel. They can also utilize their expertise and talent to more fully communicate compliance concepts. This could include ongoing communications with prospective, newly hired, and seasoned employees about the need for ethical dealings and compliance with company values. It is also important to have a shared commitment requirement found in the commitment of senior management as well as the requirements around incentives and discipline.

The 2023 guidance from the Department of Justice Evaluation of Corporate Compliance Programs listed several HR touch points as best practices for a successful compliance program. These include senior leaders and middle management stakeholders, such as business and operational managers, finance, procurement, legal, and human resources, demonstrating their commitment to compliance and remediation efforts. HR can be one of the linchpins in spreading a company’s commitment to doing business ethically and in compliance throughout the employee base.

Incentive and discipline processes should involve participants in making disciplinary decisions for the type of misconduct at issue. Reasons for discipline should be communicated to employees. Compliance should be operationalized into the very fabric of a business. Have a cup of coffee with the head of corporate HR to find out what they do, how they do it, and what they do on a daily basis. This will help you to better understand how HR can help operationalize your compliance program.

By following the four steps outlined in the Compliance Podcast Network’s One Month to a More Effective Compliance Program, you can ensure your compliance program is successful and that your employees are aware of their responsibilities. HR can be a powerful tool in operationalizing your compliance program, and by utilizing their expertise and talent, you can more effectively communicate compliance concepts and spread the company’s commitment to doing business ethically and in compliance throughout the employee base.

Three key takeaways:

  1. What are the HR-employee touchpoints at your company?
  2. HR professionals can bring new, dynamic and innovative techniques to compliance
  3. Go down and have a cup of coffee with the head of your corporate HR department. Find out what they do and how they do it.

For more information, check out The Compliance Handbook, 4th edition, here.

Categories
Innovation in Compliance

Operationalizing Compliance: Part 5-Overwhelmed, yet? with Taylor Edwards

Welcome to a special five-part podcast series on Operationalizing Your Compliance Program, sponsored by Broadcat LLC. Over this series, we consider a variety of ways to more fully operationalize your compliance regime, including the design and effectiveness of your communications, why the operationalization of compliance is a team sport, why data alone is not the answer, and how to avoid being overwhelmed. In our Part 5 conclusion, I am joined by Taylor Edwards to discuss how compliance professionals can avoid being overwhelmed by all of ‘this’.

Highlights from this episode include:

  • Unpack your program through critical examination.
  • Know your history and understand how you got where you are.
  • Face data but do not be paralyzed by it.
  • It’s about being real and accountable.

For more information go to TheBroadcat.com

Categories
Blog

Operationalizing Compliance: Part 5-Overwhelmed, yet?

Welcome to a special five-part podcast series on Operationalizing Your Compliance Program, sponsored by Broadcat LLC. Over this series, I have visited with Jennifer May, Director of Compliance Advisory; Taylor Edwards, Director of Sales; Xinia Pirkey, Design Manager; Alex Klingelberger, Chief Executive Officer (CEO); and Jaycee Dempsey, Director of Customer Success. We consider a variety of ways to more fully operationalize your compliance regime, including the design and effectiveness of your communications, why the operationalization of compliance is a team sport, why data alone is not the answer, and how to avoid being overwhelmed. In our Part 5 conclusion, I am joined by Taylor Edwards to discuss how compliance professionals can avoid being overwhelmed by all of ‘this’.

Compliance professionals can be overwhelmed by all the information coming out of regulators such as the Department of Justice (DOJ) and Securities and Exchange Commission (SEC). In 2022, this included the Monaco Memo and several major Foreign Corrupt Practices Act (FCPA) enforcement actions. Edwards suggested starting from the position of “how does that apply to me?” From there you can “get real with yourself about where things may not be perfect, but also provide insights into where you can start to work on your program.” He added that the key is “recognizing that it’s OK not to have a perfect program.” What the DOJ wants is for you to assess your own program, spot the weaknesses, rank them and then remediate your ranked list going forward. Edwards concluded that you should determine “what’s the next one thing I can work on? Sometimes it’s a matter of taking small baby steps, but just recognizing that there are needed to be taken.”

One of the key components of the Monaco Memo was the cementing of corporate culture as a factor the DOJ would evaluate in any enforcement action. This formalized the remarks made by Deputy Attorney General Monaco in October 2021. Edwards maintains that a “big aspect of this is the listening function of an organization.” He will often engage a client with the questions about listening, “Have you done any listening within the organization? Have you surveyed, have you had a focus group? Have you had some kind of forum for employees? Have you gathered or crowdsourced any of that from within the organization?”

Unfortunately, that answer is often no. Edwards believes that if you recognize the need to understand and to work within the landscape of your company culture, you must accept the fact you will be required to do a better job of getting out into the business and understanding what the culture looks like outside of the corporate compliance office. He added, “listening plays a huge role.” Having conversations “across different parts of the business help inform not only your understanding of the culture, but then how you can go in and influence it for the better, influence it to be more ethical and compliant.”

We then turned to the DOJ’s 2020 Update to the Evaluation of Corporate Compliance Programs mandates around risk assessments, which move from biennial or even annual risk assessments to risk assessments when your risks change. This is a key area where compliance professionals often feel overwhelmed. Here Edwards suggested taking “bite sized or small chunks” to improve your program. Edwards pointed to training, as the DOJ has moved far beyond the prior metric of completion rates. He said, “if you are focused on a 100% completion rate and that is the outcome you’re trying to achieve, then your focus will be on a Learning Management Systems tool that allows you to easily assign modules to a 100% of your workforce. However, if the outcome you are really focused on is compliance, good behavior, making sure that laws and regulations do not get breached, then your focus should be how do I influence behavior as opposed to having a hundred percent completion rate?”

This means you need to emphasize the behavioral element. You can start to do things like “monitoring, which can seem overwhelming for a lot of groups, and it typically gets underinvested in.” But if your focus is on the prevention aspect, then you need to “go out there and see what people are doing wrong currently so you can address it and stop it.” This can be done with a process mindset: “on a risk-by-risk basis, on a task-by-task basis or on a process-by-process basis where you peel back the onions of the organization to see if there are any potential pitfalls in our current process.”

The bottom line is there are a variety of approaches you can take to move your program forward. The key is to identify your program weaknesses and begin the remediation process.

For more information go to TheBroadcat.com

Categories
Innovation in Compliance

Operationalizing Compliance: Part 3 – Jaycee Dempsey on Operationalizing Compliance

Welcome to a special five-part podcast series on Operationalizing Your Compliance Program, sponsored by Broadcat LLC. Over this series, we consider various ways to more fully operationalize your compliance regime, including the design and effectiveness of your communications, why the operationalization of compliance is a team sport, why data alone is not the answer, and how to avoid being overwhelmed. In Part 3, I am joined by Jaycee Dempsey to discuss operationalizing your compliance program through employee engagement and participation.

Highlights from this episode include:

  • Compliance is a team sport.
  • The DOJ pronouncements on clawbacks put pressure on senior management.
  • Middle managers are where the rubber meets the road.
  • Document, document, document.

For more information, go to TheBroadcat.com