I recently had the privilege to sit down with Tom Fox. Tom is the author of the award-winning FCPA Compliance and Ethics blog, 18 best-selling books on compliance, including the just-published 2nd Edition of the Compliance Handbook, and publisher of the Compliance Podcast Network – the only network of podcasts for compliance leaders. A renowned expert across all aspects of compliance – corporate, regulatory, ESG, you name it – he’s known by the well-earned names “the Compliance Evangelist” and the “Voice of Compliance.”
As we all contemplate what’s next as we recover from the pandemic, navigate multiple regulations, and adapt to the ever-changing demands of our organizations, I asked Tom his thoughts on what’s trending in compliance today and tomorrow. As always, he had thought-provoking insights to share, including:
- Nothing matters more than document, document, document – except data, data, data
- Risk management is business today – and it’s no longer a once-a-year activity
- ESG is the trend of the year
- Reputation matters: Remember the court of public opinion!
Here’s a lightly edited transcript of our conversation. Thank you, Tom!
Q. Hi Tom, Great to see you! Let’s start with this idea of what’s next. Obviously, we’re all experiencing unprecedented volatility, a tsunami of change. When you think about what’s next for compliance, what are some of the trends and key things that are on your mind as a compliance professional and expert?
TF: Let’s speak about both compliance and risk management. I started a podcast last year called “Compliance and Coronavirus” because I really wanted to focus on what the COVID-19 pandemic meant for people in our profession and really everyone in the corporate world.
Probably the two most propitious things I learned in that about 50 podcast series were one, a gentleman said, I think in October, “We’ve had five years of change in six months of coronavirus.”
The second was the risk management part, where another guy said, “We’ve gone from disaster recovery to business continuity to businesses as usual.” Now the risk management world is business.
You have to prepare for risks from a worldwide pandemic to the Suez Canal being shut down, to riots at the U.S. Capitol, and everything in between. That’s just business now.
So, the types of services that you and I bring to the compliance community have only become more important in all of the things that we used to talk about. They are exponentially more important now. So that’s part one, but part two is where is all of this going down the road? And that part is largely around data and the use of data.
In June 2020, the Department of Justice released an update to the Evaluation of Corporate Compliance Programs. And for the compliance professional, they specifically said a couple of very important things.
- Number one, compliance and the chief compliance officer have to have access to all of the data in your corporation. If it’s siloed, if it’s not structured, it doesn’t matter. Compliance has to have access to it. And even more important is that you use that data.
- Number two, we used to talk about a risk assessment being done every two or three years, and then you plan it out as one, three, and five-year plans to mitigate those risks. But now risk assessment must be conducted not every three years, not even every year, but when your risks change.
And — your risks are going to change. You must put a risk management model in place and then you monitor that risk, all the time. And the data that you garner from that monitoring is looped back into your risk management solution through an ongoing/continuous approach to risk management — risk assessment, continuous monitoring, continuous improvement– all tied by data.
Everyone — from the compliance professional to the risk management professional — now has to utilize data to manage risks. That’s how business is going to survive and thrive going forward.
Q. What about regulations? Are there other specific areas of regulatory compliance or regulations that compliance pros in that area need to be thinking about when it comes to what’s next?
TF: Probably one of the most ubiquitous phrases from 2021 has been ESG. I think that sits directly in the compliance wheelhouse. Also, the chief compliance officer is uniquely suited and situated to lead a corporate ESG effort.
Certainly, for each one of the letters in the ESG — environmental, social, and governance — compliance is well-suited to own it because it’s putting policies and procedures in place. It’s monitoring those policies and it’s getting measurements from that monitoring and reporting.
And that’s just one area from the regulatory sphere. The U.S. Securities and Exchange Commission (SEC) has made it clear that they expect companies to not only have ESG programs in place, but also report on those programs accurately. That is not only a regulatory requirement that could lead to regulatory enforcement, but would also help to meet investor expectations, stakeholder expectations, shareholder lawsuits, and everything in between.
The second perhaps most ubiquitous phrase is SPACs: Special Purpose Acquisition Corporations. Those are utilized to bring a privately held company and make it public. But it’s different than the typical IPO process where you go 12 to 18 months, you have regulatory approval, you have filings with the regulator, you have investors like you, and may have the opportunity to review those filings, to determine if we want to invest in it. And you have an opportunity to put your Sarbanes Oxley or SOX controls in place.
When you’re a SPAC, you don’t have an 18-month run-up. You have “today’s Tuesday, tomorrow’s Wednesday. Go!” You now have all the obligations of a U.S. public company. Are your internal controls in place? Are they effective? Have you tested them? The answer is no.
It’s incredibly important for the risk management professional to think about those things. And if you think you may be acquired by a SPAC you have to be moving towards those.
Those are just a couple of areas that the regulators have made clear that they are going to look at SPACs very closely. If on the day, you become a U.S. public company, you don’t have Sarbanes-Oxley 404 controls in place, the SEC may take a very dim view of that. And certainly, you open yourself up to potential investor and shareholder lawsuits.
But I think that as important as those are, they actually pale beside public opinion. And I think the greatest danger to a corporation now, certainly from a financial perspective, is negative publicity.
The social amplification and speed of social media make it mandatory that you have policies and procedures in place to detect anything and then prevent it. And if not remediate as quickly as possible, then at least be able to communicate that to all of the stakeholders that are now seen as a part of a corporation.
Q. If you had one piece of advice for compliance professionals thinking about what’s next, what would be your summary piece of Tom Fox wisdom?
TF: In the past, I’ve always said the three most important things are: document, document, document.
I’ve amended that out to data, data, data.
You need to have a data expert, a data scientist, or someone who can work with data on your compliance team because either you’re going to have to work with the data or more importantly, have someone who can work with the data. You can help shape the story that the data tells.
As the chief compliance officer, you can certainly see the trends, but you have to be able to work with data. If you don’t have that training and you can’t really pick up those skills in this part of your professional life, you’re going to need to bring those skills into your compliance program.
I see compliance really moving towards a business process and a business function. And that means data and using data to determine if a potential violation is on the horizon and using that same data to tell your story to all of the stakeholders of a corporation–your shareholders, your employees, your third parties, those who you do business with, localities where you may be doing business.
And most importantly, if the government comes knocking, that’s where the “document, document, document” part comes in because you can tell your story to the government as well.
Q. So what are you doing next in your career? You mentioned your book. What’s happening next for Tom?
TF: Well, about a year ago, I was contacted by LexisNexis, the preeminent legal publisher in the United States and the world. I was very honored that they selected me to be their first author to lead their compliance library that they make available. I’m extraordinarily pleased to announce that in June Lexis Nexis published my latest book, the 2nd Edition of Compliance Handbook.
I’m going to continue to grow the Compliance Podcast Network. We’ll have 70 podcasts on the network by the end of summer and I’m looking to grow the network. The thing I love about podcasting is I get to interview the top experts in every form of compliance: IT compliance, HR compliance, anti-corruption compliance, AML compliance, environmental compliance, you name it. I’ve learned so much by interviewing people.
So, I’m going to continue to learn and grow and hopefully be a resource to the compliance community going forward.