GalloCast

GalloCast – Episode 7

Welcome to the GalloCast. You have heard of the Manningcast in football. Now we have the GalloCast in compliance. The two top brothers in compliance, Nick and Gio Gallo, come together for a free-form exploration of compliance topics. It is a great insight on compliance brought to you by the co-CEOs of ComplianceLine. Fun, witty, and insightful with a dash of the two brothers throughout. It’s like listening to the Brothers Gallo talk compliance at the dinner table. Hosted by Tom Fox, the Voice of Compliance.

Tom Fox peppers Nick Gallo and Gio Gallo from Ethico with questions on topics such as what companies should consider when doing business in Ukraine and how to identify great business risks. They also provide an understanding of compliance, changing human behavior, and techniques used to get around ethical controls. Topics are spiced up with references to the Pope’s recent speech and technological advancements. Be sure to tune in, and don’t miss out on the brothers’ educational insights and witty dialogue.

Key Highlights

· Logistical Challenges of Working in Ukraine – [00:04:00]

· Compliance as an Opportunity to Manage Business Risk – [00:07:20]

· The Role of Persuasion in Ethics and Compliance – [00:10:40]

· US Semiconductor Industry Moves Away from Supply Chains – [00:13:43]

· Risk Assessment and Crowdsourcing – [00:17:00]

· The Ineffectiveness of Risk Assessment Strategies – [00:20:30]

· Behavioral Psychology in Compliance Programs and Compliance Discipline – [00:23:50]

· CEO Understanding of Compliance and Its Impact on Budgeting – [00:27:00]

· The Benefits of Exploring Different Perspectives Through Reading – [00:29:52]

· The Ethical Implications of AI-Generated Content – [00:36:25]

· The Impact of Technology on the Economy – [00:39:37]

· The Power of Simplifying Your Policy with Technology – [00:42:40]

· Pope’s Condemnation of Corruption – [00:46:02]

Resources

Nick Gallo on LinkedIn

Gio Gallo on LinkedIn

Ethico

FCPA Compliance Report

FTX and Risk: Part 1 – Financial Institutions

Welcome to the award-winning FCPA Compliance Report, the most senior podcast in compliance. In this episode, I begin a two-part series on the subjects of FTX and risk. I am joined by Gilbert Paiz and Andrew Gay, principals in Texas Hill Country Advisors. In Part 1, we consider risk and risk management through the lens of US-domiciled financial institutions and how their risk management protocols help not only to assess risk but to manage it throughout the life cycle of a banking customer relationship. In Part 2, we will consider individual risk in investing: what type of background information, questions and due diligence individuals should engage in, and how these same questions and background investigations apply equally to larger investments made by sophisticated investors, hedge funds and institutional investors, who should have made them before investing in FTX but all failed to do so.

Some of the highlights include:

· How do banks think of risk?

· What internal processes or controls are in place to help a bank manage its risks?

· What types of oversight do banks and financial institutions use to help manage risk?

· Why are levels of review so critical?

· How do banks think about customers in terms of risk?

· Who decides how much risk to allow a customer to engage in with a bank’s money, whether through loans or other capital?

· Do bank employees receive ongoing training on risk management issues?

· What tech is in place to facilitate the management of risk?

Resources

Texas Hill Country Advisors

Fraud Eats Strategy

Fraud Eats Strategy – Episode 2 – Fraud Has No Place to Hide (in a Down Economy)


In this second episode of Fraud Eats Strategy, Scott Moritz speaks to Neil Barofsky, a partner at Jenner & Block and the former Special Inspector General of the Troubled Asset Relief Program about these issues. We will explore the increased discovery of financial crimes that occur in a down cycle of the economy and how organizations can use fraud risk assessments to identify fraud, pursue avenues of recovery and strengthen their organizations against the potential negative consequences of fraud.

Join us each week as we take a deep dive into the various forms of fraud across the world and discuss crime families, penny stock boiler rooms, international money launderers, narco-traffickers, oligarchs, dictators, war lords, kleptocrats and more.
Scott Moritz is a leading authority on white-collar crime, anti-corruption, and the evaluation, design, remediation, implementation, and administration of corporate compliance programs and codes of conduct. He is also considered an authority in the establishment, training, and oversight of the investigative protocols carried out by financial intelligence, corporate security, and internal audit units.

Innovation in Compliance

A Conversation with Skillsoft and StoneTurn: Part 3 – Jamen Tyler on Conducting Effective Risk Assessments


Welcome to a special five-part podcast series, A Conversation with Skillsoft and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Skillsoft and StoneTurn Group, LLP. In this podcast series we will explore the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on your Code of Conduct and how it is informed by your Risk Assessment, training on your Code of Conduct, performing a Risk Assessment and conclude with how all this ties to continuous monitoring and continuous improvement. Participants in this podcast series include: from Skillsoft, Charlie Voelker, Director, Compliance Products; John Arendes, Vice President and GM of Global Compliance Solutions; from StoneTurn, Toby Ralston, Managing Director, Jamen Tyler, Managing Director and Stephen Martin, Partner. In this third episode, I visit with Jamen Tyler on conducting an effective risk assessment.
We began with some of Tyler’s top tips for conducting a risk assessment. She began by saying that everyone needs to understand that risk assessments are about putting together and thinking about all of your risks. This typically means thinking about risks as falling into four buckets: (1) financial, (2) operational, (3) legal/regulatory and (4) reputational. While most companies are well versed in conducting risk assessments for financial and operational risks, legal/regulatory and reputational risks can be just as harmful. A company therefore needs to think critically about those final two buckets of risk in addition to the more traditional financial and operational risks. Targeting specific risk areas by subject matter, and even breaking them down by geography or business unit, can be more efficient. It can also help ensure you are conducting risk assessments on a timely basis.
Join us tomorrow where I visit with John Arendes, Vice President and GM of Global Compliance Solutions at Skillsoft, who helps us take a deep dive into assessing your risks and using that process to then manage those risks.
Webinar
If you enjoyed today’s podcast, I want to let you know about an upcoming webinar Skillsoft and StoneTurn are hosting. The webinar “Evolving Your Compliance Program” will be held on Wednesday, Sept 23 and will explore how companies are leveraging data and information to improve and evolve their compliance programs. For information and registration, click here.
Resources
For more information on Skillsoft’s compliance offerings, click here.
For more information on the Skillsoft/StoneTurn partnership, click here.
For more information on StoneTurn, click here.

31 Days to More Effective Compliance Programs

Day 14 | Risk Assessments

One cannot really say enough about risk assessments in the context of anti-corruption programs. This is because every corporate compliance program should be based upon a risk assessment, to understand your organization’s business from the commercial perspective, how your organization has identified, assessed, and defined its risk profile and, finally, the degree to which the program devotes appropriate scrutiny and resources to this range of risks.

As far back as 1999, in the Metcalf & Eddy enforcement action, the DOJ has said that risk assessments that measure the likelihood and severity of possible FCPA violations should direct your resources to manage these risks. The 2012 FCPA Guidance stated it succinctly: “Assessment of risk is fundamental to developing a strong compliance program and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.”
This language was supplemented in the 2017 FCPA Corporate Enforcement Policy, which cited “the effectiveness of the company’s risk assessment and the manner in which the company’s compliance program has been tailored based on that risk assessment.”
A risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company. The reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face.
Three key takeaways:

  1. Since at least 1999, the DOJ has pointed to the risk assessment as the start of an effective compliance program.
  2. The DOJ will now consider both your risk assessment methodology for identifying risks and the evidence you gathered.
  3. You should base your compliance program on your risk assessment.
This Week in FCPA

This Week in FCPA-Episode 145 – Conferencing in America edition

Tom and Jay were both conferencing this week, albeit in different disciplines. Tom at Podfest Expo and Jay at the ABA White Collar Crime conference. In between they discussed some of this week’s top compliance and ethics stories which caught their collective eyes.

  1. MTS has a massive FCPA resolution. Harry Cassin breaks the story in the FCPA Blog. See DOJ Press Release. See SEC Cease and Desist Order.
  2. CFTC to follow DOJ lead on enforcement and SEC lead on whistleblowers. Dick Cassin reports in the FCPA Blog. See CFTC Press Release.
  3. Hacienda Healthcare is one of the worst corporate governance failures ever. Matt Kelly writes about it in Radical Compliance. Tom and Matt take a deep dive in Episode 113 of Compliance into the Weeds.
  4. Gulnara Karimova charged with conspiracy to commit money laundering in the whopping amount of $866MM. Harry Cassin reports in the FCPA Blog. See DOJ Press Release.
  5. Are consumers the new regulators of global business practices? Richard Young explores in Navex Global’s Ethics and Compliance Matters.
  6. Are Boards getting sufficient information on risk? Kristin Broughton reports in the WSJ Risk and Compliance Journal. Matt Kelly says compliance professionals can help in Navex Global’s Ethics and Compliance Matters.
  7. Is Baker McKenzie in deep trouble over the JBF bribery settlement? Former partner to be deposed over hire of Brazilian prosecutor. Michael Macagnone reports in Law360. The same partner left the firm to join Peirce Bainbridge, Clara Hudson reports in GIR. (sub req’d on both)
  8. Dutch prosecutors have told Shell the company will be criminally indicted over its role in obtaining drilling rights in Nigeria. Chloe Taylor reports on CNBC.com.
  9. Jay begins a new role as a Featured Columnist on Corporate Compliance Insights. Check out CCI’s cool new look. (Interview with CCI’s new EIC Sarah Haddon next week.)
  10. Rod Rosenstein says farewell to the compliance community. Text of the Rosenstein speech here.
  11. Tom returns to his periodic podcast series, the Opinion Release Papers, with a five-part offering this week. Check out the following: Part 1 – Opinion Release 10-03 on charitable donations under the FCPA; Part 2 – Opinion Release 10-02 on hiring foreign officials as agents; Part 3 – Opinion Release 07-01, travel for foreign officials; Part 4 – Opinion Release 07-02, travel for and entertainment of foreign officials; Part 5 – Opinion Release 11-01, why you should use the process. The podcast is available on multiple sites: the FCPA Compliance Report, iTunes, JDSupra, Panoply and YouTube. The Compliance Podcast Network is now also on Spotify and on Corporate Compliance Insights.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.
For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Across the Board

Across the Board-Episode 6, Climate Impact-Will Your Assets Be Stranded?

SSGA’s Perspective On Effective Climate Change Disclosure”. While the white paper focused more specifically on climate impact and climate risk to businesses in the energy and mineral extractive industry, it set out a protocol which every Board of Directors can use for a wide variety of risks, including compliance risk.
We consider the purpose & methodology of SSGA’s white paper. We take a deep dive into the four areas of how a Board can better position climate change risk:

  1. Governance and board oversight of climate risk
  2. Establishing and disclosing long-term GHG goals
  3. Disclosing information on carbon price assumptions
  4. Discussing the impact of scenario planning on long-term capital allocation

We then consider the SSGA approach in the context of a broader risk management process through the exploration of such issues as

  1. How broadly do climate related changes impact businesses?
  2. How should businesses prepare for disruption due to climate change or climate impact?
  3. Is there a business opportunity for companies which engage in strategic risk management around climate change?

For more from Rakhi Kumar on the SSGA white paper, its application to the anti-corruption compliance practitioner, and management of strategic risk, see my blog post Will Your Assets Be Stranded? The Risk Management Process in ESG and Compliance.
A robust risk management process provides both risk mitigation and significant business opportunities.

FCPA Compliance Report

FCPA Compliance Report – Episode 344 – Virginia Suveiu

Legal Risk Management Specialized Studies Certificate Program for UCI Extension, where she teaches for that program and the Contract Management Certificate Program. She has published articles on various business law matters, most recently for the National Contract Management Association’s Contract Management Magazine May 2015 issue, as well as for the National Center for State Courts and the Aerospace and Defense Forum. Every corporation and compliance practitioner faces a wide variety of risks. These include regulatory risks, legal risks, reputational risks, safety risks, environmental risks, and many other types of risks. We consider whether there is one process or approach to take to the overarching concept of risk management, or whether the approach needs to be fine-tuned by each organization. We discuss the Legal Risk Management Specialized Studies Certificate Program, including the program benefits and who should attend. We explore the approach to teaching risk management. We discuss some of her current initiatives on the study and teaching of risk. In this episode, I discuss with Virginia Suveiu the theories of risk and the process of risk management.

Blog

Day 16 of One Month to More Effective Internal Controls-COSO Objective II: Risk Assessments

Integrated Framework (Framework Volume) recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner, none of this will sound new or even insightful; however, the COSO Framework requires a component of management input and oversight that was not as well understood. The Framework Volume says, “Management specifies objectives within the category relating to operations, reporting, and compliance with such clarity to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider internal and external changes that can affect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and changes that its business model may make in the delivery of goods or services, which could increase the risk of running afoul of these laws. 

Objective-Risk Assessments

The objective of Risk Assessment consists of four principles. They are: Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.” Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.” Principle 8 – “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Principle 9 – “The organization identifies and assesses changes that could significantly impact the internal control system.”

Principle 6 – Suitable Objectives

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, management is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words, your objectives should form the basis for your risk assessments.

Principle 7 – Identifies And Analyzes Risk 

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third-party contracting and payments, and even fraudulent over-charging and pocketing of the difference in sales price. This means fraud should be treated as an important part of the risk analysis. Any company must follow the flow of money, and if the Fraud Triangle is present, risk management must be placed around that risk.

Principle 9 – Identifies And Analyzes Significant Change

It is true that if there is one constant in business, there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives.” Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external and promptly assess the risks and approaches to mitigate the risk.” 

Discussion 

The SEC has clarified that companies should be expanding their view of risk in implementing the COSO 2013 Framework. Risk assessments are a cornerstone of a best practices compliance program as laid out in the 2012 FCPA Guidance and in the DOJ’s Evaluation of Corporate Compliance Programs, issued in February 2017. The regulators are telling companies specifically that they should see new risks that they need to address because of the changes brought about by the new standard. Howell noted that “in the internal control arena, fraud risk, in particular, has been of keen interest because of the opportunity to mask fraud through the judgments made in recognizing revenue, no matter what the revenue recognition standard.” He went on to add other risks that companies should be considering in their risk assessments: “One risk is a company’s business practices do not relate to the accounting that they are providing right now because the business practices are changing and internally the company is not recognizing that the business practices are changing.

Another example is that sales folks give concessions to customers that are not reflected in their understanding of the contract and its accounting.” Howell went on to add that there might be other activities going on to acquire contracts that aren’t being properly accounted for, or even recognized at some level, because concessions are being given at the back end for a return that isn’t being reported back into the estimate of revenue going forward. Finally, there are risks that a company has misstated or underestimated when determining whether revenue should be recognized over time, or what that period is if it is a rolling time frame. Howell stated, “For example, the period could be longer, which means that your revenue would be recognized over a longer period. There’s always the risk that revenue could be recognized too early and that cost could be pushed out and spread over too long. As we begin to think about these new judgments that are required, we get into this entirely new level of judgment and risk related to the judgment that the companies need to identify and build both preventative controls and detective controls and have the plan to respond if they discover that the risk has happened and they have a failure.”

Three Key Takeaways:

  1. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance, and almost all other best practices compliance programs.
  2. Look at your risks across your organization rather than in a siloed manner.
  3. Risks, determination, and management change over time, so be cognizant of changes in business practices on the ground.

For more information on improving your internal controls management process, visit this month’s sponsor Workiva at workiva.com. Risk assessments are required under the COSO Framework, the 2012 FCPA Guidance, and all other compliance regimes.