FCPA Compliance and Ethics Blog

August 28, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part III

7K0A0129Today, I conclude a three-part series on risk assessments in your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program. I previously reviewed some of the risks that you need to assess and how you might go about assessing them. Today I want to consider some thoughts on how to use your risk assessment going forward.

Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements.

A manner in which to put into practice some of Volkov’s suggestions was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”. Her article focused on the how Timken Company, assesses and then evaluates the risks the company has assessed. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks. 

LIKELIHOOD 

Likelihood Rating Assessment Evaluation Criteria
1 Almost Certain High likely, this event is expected to occur
2 Likely Strong possibility that an event will occur and there is sufficient historical incidence to support it
3 Possible Event may occur at some point, typically there is a history to support it
4 Unlikely Not expected but there’s a slight possibility that it may occur
5 Rare Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY 

Priority Rating Assessment Evaluation Criteria
1-2 Severe Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4 High Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7 Significant
8-14 Moderate
15-1920-25 LowTrivial Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, a relationship-analysis based software such as Catelas or other analytical based tools. But you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

In an article in Compliance Week Magazine, entitled, “Lessons on Risk Assessments from Winnie The Pooh” Jason Medford articulated that a key use of a risk assessment is to assist the internal audit function in developing their internal audit plan. He cited to the Institute of Internal Auditors (IIA) standard 2010.A1, which states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.” He went on to note that “In order to have a truly integrated GRC capability it is necessary for internal auditors to work with other GRC professionals in their organization. They must align their annual audit plan with the organization’s objectives, strategies, and initiatives of the other GRC professionals. They must collaborate, coordinate, and align their audit activities with other GRC professionals to increase visibility, improve efficiency, accountability and collaboration.

Carol Saint, Vice President of Internal Audit for 7-Eleven, who was interview by OCEG President Carol Switzer for the same article said that “We start with a risk assessment, beginning with business units because this is how the organization has designed accountability.  We decompose business units into the processes and sub-processes they own and execute. We evaluate how sub-processes align to achievement of strategic objectives: How do they affect the company’s value drivers? Next, we map financial statement lines to the sub-processes to help prioritize from that lens. Finally, for each sub-process we consider specific risks that could hinder achievement of strategic objectives, as well as fraud risks, significant accounting estimates, benchmarking/ hot topics, and ERM risks. We created an “intensity rating” that measures how often a process/sub-process was mentioned in our stakeholder interviews as a risk to the company. And we also considered how cross-functional a process is so that the element of complexity—a risk accelerator—could help determine audit plan priorities. This year’s plan development process was quite intense, but I think we did a good job of creating a baseline so that future risk assessments are more efficient.”

I hope that you have found this series on risk assessments useful. If you have any questions or better yet would like me to work on a risk assessment for your organization, please contact me.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 5, 2014

Termination of a Third Party or Breaking Up Should Not Be Hard To Do

7K0A0223One of treats each month for the compliance professional is reading the GRC Illustrated column by Carole Switzer, President of the Open Compliance and Ethics Group (OCEG), in the Compliance Week magazine. Not only does Switzer write a highly informative and useful column but she also includes two standard features. The first is an illustrated guide that lays out visually her counsel and the second is that she also includes interviews from a Roundtable of compliance industry participants. In the July edition Switzer discussed an issue that brings much gnashing of teeth to both compliance practitioners, lawyers from the legal department and business folks alike; the situation where you must terminate a third party relationship.

In the article, entitled “Breaking Up Is Hard To Do”, Switzer relates how ‘to avoid pain by planning for the end of a third party relationship’, together with an illustrated diagram of “Third Party Risk Management in Financial Service”; she couples these with a Roundtable on “Financial Sector Third Party Risk” with participants Walter Hoogmoed, Jr., a Principal at Deloitte, Marie Patterson, VP-Marketing at Hiperos, and Billy Spears, Chief Ethics, Privacy and Compliance Officer at Hyundai Capital America.

Switzer begins by noting that it all should begin with “an exit strategy, a transition plan or a pre-nup—whatever the title, it’s best to begin by planning for the end which, in the case of business at least, will always eventually come. Whether due to contract completion or material breach, turning over responsibility to another party, or abandonment of the contracted activity altogether, contract termination is an inevitable phase in the third-party relationship lifecycle.” Planning for the end is important because,  “The more long term and layered the relationship, the more difficult it will be to disentangle. The deeper the third party is embedded in and uses the confidential information of the company and its customers, the greater the risks presented by failing to design a smooth transition process.”

It should originate with clearly specified contract termination rights but that is only the starting point, “ To work out a smooth transition, the plan must also include internal change management processes and policies, designated transition team members, contingencies, and adequate resources and time allowances.” While speaking to risk from cyber-security, Switzer details some of the points for consideration. You should have clear procedures for “data retention or destruction, termination of access control for shared technology, and removal of system connectedness, including consideration of what fourth parties (your third party’s third parties) may have.” Your corporate values must be protected by “clearly designating the disposition of shared intellectual property and infrastructure assets.” Next you need to think through your transition plan by “ensuring rights to hire or continue use of key contractor employees who have been servicing your account, arranging to bringing new contractors or internal managers up to speed, and filing any regulatory or other required notifications.” Finally, bear in mind that your reputation must be protected during this transition process “by controlling and planning for issuance of public statements and social media postings by terminated contractors or their employees, or the best laid transition plans may be for naught.”

In the Illustrated component to her article, Switzer lays out a five-step integrated risk management process, which is a useful view of the entire cycle:

  1. Plan and Organize. Under this step you should develop a plan to evaluate the level and complexity of risk. Switzer suggests some of the things you should consider are the volume of business engaged in by the third party representative, the nature of the risks involved, the extent to which the third party representative will use sub-contractors and any required legal or regulatory approvals required for the geographic areas which the third party representative will conduct business with or for you.
  2. Perform Due Diligence. Here you should assess each third party’s compliance controls relative to the level of risk you have determined is present. Here the standard inquiries are such items as ultimate beneficial owners, anti-corruption compliance and risk management controls currently in place, incident management and reporting and conflicts of interest.
  3. Manage Contracts. This step involves the ongoing review and assessment of the contractual relationship. If new or greater risks arise and they have not been previously addressed, you may need to add new contract terms to address them going forward. In addition to your standard anti-corruption compliance terms and conditions, you should have key performance indicators (KPIs), confidentiality terms and conditions and sub-contractor requirements.
  4. Conduct Ongoing Monitoring. Under this step, you need to “oversee and pro-actively monitor and review each third party relationship at a level commensurate with risk” and “ensure that issues are identified and appropriately escalated for remediation.”
  5. Manage Terminations. If required, you should follow your established plan for transition to ending the relationship and transitioning to another third party representative. You should also consider the need to “protect information, maintain smooth operations and protect reputation during the transition.”

In her Roundtable, Switzer received some very useful information from the participants in a couple of broad areas. The first was the use of sub-contractors by a company’s third party representatives, which Switzer articulated as ‘fourth parties’. Patterson commented that “If the third party is going to sub-contract work, the bank needs to ensure that the third party has adequate controls in place to assess and manage their sub-contractor risk and that the bank has the ability to terminate their relationship with the third party in the event there is an issue with the fourth party.” Hoogmoed emphasized the ‘interdependences’ of the relationships. He said that “contract provisions should be enhanced for clarity of controls and liability, approvals for serial outsourcing should be implemented, and selective testing for fourth/fifth parties should be considered.” Spears pointed not only to due diligence but also strong contract terms as a key to the management of this issue, “Due diligence coupled with a strong legal contract team are crucial. It is very important to develop a minimum standard, in the contract with the third party, to ensure that the third party only does business with fourth parties that meet the first-party requirements… The provisions should include that no sharing beyond a fourth party is allowable. The last critical point of this is to ensure that the first party adds a mechanism for accountability. This mechanism is what prevents this from becoming a rabbit hole.”

Switzer ended the Roundtable by asking what was the most important part about third party risk management? Spears pointed that “having a solid plan for setting the tone with third parties is the key.” From Hoogmoed’s perspective, it all begins with understanding on risk, or as the FCPA Guidance intones, it all begins with a risk assessment. He said, “Developing some advanced risk tiering and assessment methods will help organizations focus their limited resources on managing the risk, compliance, and controls on the most critical/highest risk relationships. Engaging senior management in the risk analysis and reporting is also very important to balance the appropriate level of risk taking with the costs and investments necessary for the business.” Patterson took a different approach focusing on the feedback that Hiperos has received from their customers, and said, “the most important aspects of the recent guidance all deal with impact. The scope of the guidance has been broadened, both in terms of the expansion of what a “critical” activity is and the redefinition from vendor to third party. The importance of these obligations has been elevated with the explicit inclusion of the board at a much deeper level than previously, and the requirement for independent audit to be involved. And finally, the effort has been expanded significantly to include the entire lifecycle of third party management from planning through termination and every step in between.”

As usual, Switzer’s monthly column provides solid information to the compliance practitioner about what you need to know to inform your compliance regime. This month is no different. Although rarely written about, the termination of a third party relationship can be as important a step as any other in the management of the third party lifecycle. While having the contractual right to terminate is a good starting point, it is only the starting point. You not only need to have a compliance and legal plan in place but a business plan in place as well. For if you do not, you may well find yourself in the same place that Switzer started her article, quoting Neil Sedaka that “Breaking Up Is Hard To Do.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

July 23, 2014

Code of Conduct, Compliance Policies and Procedures-Part II

Policies and ProceduresThis week, I am reviewing the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. Yesterday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. Today, I want to look at how to go about drafting your Code of Conduct. In subsequent posts, I will consider both anti-corruption compliance policies and procedures and how to assess, review and revise them and your Code of Conduct on a timely basis.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in an article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network, and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving.

A GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin, said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties. If you have a large number of non-English speaking personnel or employees without access to online training, these factors need to be considered when determining the delivery method.

Measure

Initially, you should prioritize both qualitative results with positive feedback by including such metrics as speed of completion, reminders, which must be sent to facilitate completion of Code of Conduct training, and the percent of employees and third parties who attest to the review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and content fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but also truly reflective of your company’s culture. Lin points out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. He states, “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said, “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 17, 2014

John Bell Hood and the Measurement of Conduct Risk

John Bell HoodReaders of this blog know I am huge Civil War buff. Growing up in Texas, I only focused on the Southern side as a youngster and while this led to a sometime myopic view of events, in my mid-20s when I did begin to study the Northern side of the war, because I had never seriously studied from that perspective an entire panorama opened up for me.

One thing that never changed however, was the disaster that befell the South from the appointment of John Bell Hood to commander of the Army of Tennessee, which opposed General Sherman’s advance into Georgia since his stunning defeat of the Confederate forces at Chattanooga and later Lookout Mountain in Tennessee in late 1863. On this day 150 years, Confederate President Jefferson Davis replaced General Joseph Johnston with John Bell Hood as commander of the Army of Tennessee. Davis, impatient with Johnston’s defensive strategy in the Atlanta campaign, felt that Hood stood a better chance of saving Atlanta from the forces of Union General William T. Sherman. President Davis selected Hood for his reputation as a fighting general, in contrast to Johnston’s cautious nature. Hood did what Davis wanted and quickly attacked Sherman at Peachtree Creek on July 20 but with disastrous results. Hood attacked two more times, losing both and destroying his army’s offensive capabilities. Over the next two weeks in 1864, Hood’s actions not only led to President Abraham Lincoln’s reelection but spelled, once and for all, the doom of the Confederacy.

I thought about the risks of appointing Hood to command when I read a recent article in the Compliance Week Magazine by Carol Switzer, co-founder and President of the Open Compliance and Ethics Group (OCEG), entitled “A Strategic Approach to Conduct Risk”. Her article was accompanied by an entry in the OCEG Illustrated Series, entitled “Managing Conduct Risk in the GRC Context”, and she also presented thoughts from a Roundtable which included John Brown, Managing Principal, Risk Segment, Financial and Risk Division at Thompson Reuters; Tom Harper, Executive Vice President-General Auditor Federal Home Loan of Chicago and Dr. Roger Miles, Behavioral Risk Lead, Thompson Reuters.

In her article, Switzer pointed to the “Ill-advised risk taking” which led to the near-collapse of the financial sector as the genesis for the creation of the UK’s new Financial Conduct Authority (FCA). But she also noted that conduct risk is something that exists in industries far afield from the financial sector where “sales schemes driven by inappropriate incentive plans and outlandish short-term objectives” can cause severe financial consequences to an organization. As an example of the need for change in the financial section, Switzer quoted Clive Adamson, FCA director of supervision, on the need to address conduct risk, “Achieving an effective conduct- or customer-focused culture is challenging for firms, particularly for those whose focus has been primarily on profitability and shareholder returns. … From what we see, there are key drivers that set and re-enforce this conduct-focused culture, with the most important being clear and ongoing leadership from the top of the organization, constant re-enforcement, hiring practices, incentive structures, effective performance management, and penalties for not doing the right thing, all of which should set the tone for a framework for decision making on a day-by-day basis.”

Switzer continued that “Throughout his speech and other materials published by the FCA, there is a theme that returns over and over again to integrity, leadership, culture, the concept of controls over conduct, and strong risk management—all tied to an outcome of business success. What is this? It is a vision of principled performance—a point of view and approach to business that enables organizations to reliably achieve objectives while addressing uncertainty and acting with integrity. And it is refreshing to see leaders (and in some cases past wrongdoers) in the financial sector rising to the occasion and establishing a principled performance approach to conduct risk, even though they may not yet call it that.”

Harper described conduct risk as follows, “Conduct risk embodies elements of the risks that we have been discussing over the past few years, including not only operational and compliance risk, but also reputational risk and tone-at-the-top. The idea that organizations need to ‘do the right thing’ and balance the immediate pressure of short-term growth and revenue along with meeting the aspirations of equity holders and managers is not new. In the past, conduct risk was primarily mitigated by the long-term focus on the goals of the organization of the board and management.”

In the Illustrated Series piece included with the article, Switzer set out four principles for managing conduct risk. These principles are an excellent starting point for the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption compliance practitioner in that it can be used to evaluate, assess and manage conduct risk in such a context.

Assess Conduct Risks

Miles stated that, “The idea of benchmarking “conduct” as a basis for business, or life in general, is actually of course a very old one. Constraints on behavior are exactly the right direction to go in, though it’s not yet clear how these will be framed, let alone policed. Now with the FCA’s new Risk Outlook 2014, there’s a big step forward. They have a deep commitment to sharing understanding about how various elements of behavior feed through into good and bad product design, into selling or mis-selling.” Based on this Switzer believes that you should first identify potential conduct risks in your business. After such identification, you should conduct a risk and control assessment. From this measure, you can best determine the level of inherent and residual risk. Finally, you should carry out an emerging risk workshop to develop a more complete risk profile.

Establish Risk Appetite

Brown pointed towards the increased complexity in financial institutions as a key problem. As part of the solution, Switzer writes that the first step is to connect the risks, controls and other framework elements to your company’s organization chart. From there, you should determine risk capacity, your company’s current risk profile and its risk appetite. Next you should measure your risk appetite adherence. Finally, you will need to align your risk appetite with your company’s risk governance framework.

Measure and Monitor 

Here Switzer suggests that there be a detailed information collection on any issues associated with risk events. It is important from that point, you begin to track key risk indicators. Miles noted that “Managing risks due to behaviors and cultures requires a deep understanding of psychological drivers and developing programs to modify those drivers”; as such measurements would allow your company to begin to move from simple detection and prevention to predictive controls through the use of behavioral and analytical modeling. Finally, you could use the above information to perform scenario analysis on emerging risks.

Communicate and Manage

Switzer advocates that you communicate and train your company’s employees on your organization’s risk culture. You should also work to ensure that employees have accepted their risk conduct appetite metrics. Brown said, “Behavioral drivers will vary around the world based on societal culture. I’ll focus on what might be appropriate for U.S.-based organizations. Most people operate to maximize their personal return, so compensation structures are an obvious avenue to modify conduct. If my bonus or equity compensation is based on specific targets, such as new accounts, loans written, or customer satisfaction index, I will try to maximize those targets.” This is why you should continue to collect all key data about conduct risk in one data repository. Finally, you should also continue to provide reports and analyses on conduct risk to key stakeholders and regulators, if required.

Switzer ended her article with the following quote from Gary Kasparov, “Think about it: After just three opening moves by a chess player, more than 9 million positions are possible. And that’s when only two players are involved in the game. Now imagine all the possibilities faced by companies with a whole host of corporations responding to their new strategies, pricing, and products. The unpredictability is almost unimaginable.” From this she added, “This couldn’t be truer than when facing the myriad challenges presented under the umbrella concern of conduct risk. Masterful strategic planning and execution is essential to stay in the game and win.”

The risks that General Hood was willing to engage in were catastrophic for his army and the Confederacy. If Jefferson Davis had used a risk conduct analysis to think through the effects of elevating Hood to command of the Army of Tennessee the results might have been very different for all involved. Switzer’s article provides a valuable tool for the compliance practitioner to bring to bear on specific conduct which could put a company at risk.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

May 6, 2014

From the Bad Boy Pistons to GRC: The Building Blocks of Compliance

Detroit PistonsI recently watched the ESPN documentary series 30-for-30 on the Bad Boy Detroit Pistons from the late 1980s and early 1990s. It was a great review of a different era of the National Basketball Association (NBA) and the perfect way to get ready for the current playoffs, even if the Rockets did choke their way out of Round 1 as usual. But more than great entertainment, the show focused on the building blocks of a pro basketball team. The Pistons were created player by player who were pieces of the overall team structure. The team then had to become battle hardened by losing some tough playoff games, first in the Eastern Conference to Boson and then in the NBA Championship to the Lakers, before they eventually succeeded in becoming two time NBA champs. In other words, it was a lengthy process, which started in 1982 when the Pistons drafted Isaiah Thomas and it took almost 10 years for them to win the title.

I thought about this process orientation when I read a GRC Illustrated series article in the March issue of Compliance Week, , entitled “The Principled Performance Vision”, by Carole Switzer, co-founder and President of the Open Compliance and Ethics Group (OCEG) and Scott L. Mitchell, the co-founder and Chair of OCEG. In their article, and accompanying GRC Illustrated presentation entitled “Pathway to Principled Performance”, they discuss the need for companies to have a mechanism to address ever-changing business and legal risks in the context of the high performance required by internal and external stakeholders. They articulate “a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity.”

The biggest problems that they identify are issues of loss of cohesion and insular nature of a management and reporting system between business units within an organization. For instance they point to a wide variety of disciplines within a company, such as “as governance, finance, production, and sales to adjunct areas like performance management, risk management, internal control, compliance, and audit” which must use the same data but often never share the results with each other. The authors posit that a more holistic approach is required and this “can only be achieved by integrating and orchestrating information and functions that, in many organizations, are fragmented and siloed. Then, these integrated capabilities must be supported with strong communication, effective technology, and development of the desired ethical culture.”

Coupled with the article and illustrated framework is a roundtable discussion led by Switzer of several leading compliance practitioners and thought leaders. The participants included Brian Barnier, Principal at ValueBridge Advisors; Paul Liebman, Chief Compliance Officer (CCO) at the University of Texas; Tony Miller, Chief Operating Officer (COO) and Partner at The Vistria Group and Michael Rasmussen, Principal and Chief GRC Pundit at GRC 20/20 Research LLC. Switzer asked them the basic question of how does one get started in such an initiative for a company? Barnier believes that, in large part it is about messaging by “treating it as a business initative to drive profitable revenue and risk-adjusted return” as opposed to “yet another compliance task to achieve while cutting cost.” Liebman focused on the ‘why’ he changed when he noted, “true change depends upon three things: a profound sense of discomfort in the current condition, a vision that things could be better, and a plan to get there. I think the first step is therefore to assess and explain the current level of discomfort—i.e., what is wrong and why.” Moreover, he believes that it is important to “have a vision of the direction you want to go and plan accordingly.” Finally, he said that “Focus on structure and process so that you are constantly moving forward. Slow, incremental but sustainable change in the right direction is far more important than quick, substantial but unsustainable change. Slow, incremental and sustainable change happens by taking advantage of pre-existing organizational processes and mental models that are already working well. Don’t force new or redundant processes but, rather, seek to understand how others are thinking and acting and explain how your vision is really just a logical extension of what they are already trying to accomplish.”

Miller took a somewhat different approach when he said that “Principled performance needs to be part of the culture, reflected in the strategy, and embedded in an organization’s operating systems and processes.” To accomplish this he listed three steps, “(1) the chief executive officer and the senior executive team explicitly acknowledging that this is an important problem that must be addressed; (2) establishing clear metrics and goals for improvement; and (3) assigning point accountability at the executive team level for developing and “owning” the process that will enable the organization to meet the principled performance goals.”

Switzer asked the participants if they could point to situations where there has been a failure to interconnect the various functions of GovernanceRiskCompliance (GRC) which has led to catastrophic consequences. Miller pointed to the siloed nature of the financial services industry when he said, “That’s why we’ve seen significant breaches in the financial services industry with excessive risk taking by traders, the mortgage services industry in lax and exploitive underwriting practices, and the education services industry with overly aggressive student recruitment practices.” Liebman pointed to that well known risk area under the Foreign Corrupt Practices Act (FCPA) by noting, “Third-party relationships are an example where disparate processes and strategic goals can lead to significant non-compliance, waste, and surprise. For example, companies often create a business strategy at a high level and then ask others to implement the strategy with little or no oversight or structure… Accordingly, when a problem surfaces creating a bad reality, such as bribery in the supply chain, and expectations were set too high, the result is significant unhappiness for stakeholders.” Barnier focused on the management of risk without coordination due to the insular nature of management and reporting systems when he observed, “Much of this results from typical silo behavior—especially when reinforced by a control culture with its usual compartments that diminishes individual engagement and end-to-end views. Principled performance, with its focus on outcomes, brings together a range of decisions and activities to improve the likelihood of achieving those objectives.”

While some might find it interesting that the notorious “Bad Boys” of the NBA can teach the compliance practitioner a thing or two, it is clear that their General Manager (GM) Jack McCloskey had a plan in mind when putting the pieces of the team together. That team then had to be molded together and tested. This real world example would seem to be what Rasmussen said when he summed up his views by stating, “A mature GRC program will have an integrated strategy, process, information, and technology architecture that brings efficiency, effectiveness, and agility to GRC across the business and aligned with the business.”

If you have a team left in the NBA playoffs, good luck. Otherwise I hope that you will back me in supporting the Spurs yet again.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 7, 2014

The Federalist Papers and a Federated Approach to GRC

Filed under: Best Practices,compliance programs,Compliance Week,OCEG — tfoxlaw @ 12:01 am
Tags:

Federalist PapersToday we celebrate one of America’s greatest political commentaries, The Federalist Papers. They were penned by James Madison, Alexander Hamilton and John Jay. They presented their three views on why the Federal Constitution should be passed to take the place of the discarded Articles of Confederation, tying together disparate political theories into a coherent whole. Their publication helped sway an uneasy thirteen colonies to form the United States of America, to be governed by the Constitution of the United States.

Noted GRC expert Michael Rasmussen drew inspiration from the The Federalist Papers for a recent GRC Illustrated article in Compliance Week, entitled “GRC Federalist Papers: A Call to Action”. In this article he said that with the modern day complexity of business, “Keeping complexity and change in sync is a significant challenge for boards and executives, as well as governance, risk-management, and compliance professionals (GRC) throughout the business.” He decried GRC which operates in a siloed fashion because it inevitably leads to failure. Equally inane is the GRC system which is some kind of out of the box, one size fits all solution, which attempts to implement a GRC process through a single GRC platform.

Rasmussen believes that both styles end in failure to due the complexity and inter-relatedness of modern business. He believes that the “Complexity of business and intricacy and interconnectedness of GRC requires that we have an integrated approach to business systems, data, and GRC processes. However, the opposite is also a challenge: ‘monarchy’ GRC architecture.” More pointedly he said “The challenge for organizations is how to reconcile homogeneous GRC reporting, risk transparency, performance analysis, and compliance with an operating model that is increasingly heterogeneous as transactions, data, processes, relationships, mobility, and assets expand and multiply. GRC fails when risk is addressed as a system of parts that do not integrate and work as a collective whole. GRC fails when it is thought of as a single platform to manage workflow and tasks. GRC is about the interactions and relationships of cause and effect across strategy, process, transactions, information, and technology supporting the business and requires a GRC architecture approach.”

His solution is a ‘federated’ approach to GRC, which he defines as a “GRC architecture that enables oversight, reporting, accountability, and analytics through integration with business processes, data repositories, and enterprise systems. Let GRC work with and throughout the business and not force parts of the business into a mold that does not fit.” He concludes by noting that a federated GRC approach allows “agility, stimulates operational dynamics, and, most importantly, effectively leverages rather than vainly tries to control the distributed modern enterprise.”

As a part of his article, Rasmussen presented a roundtable discussion with three compliance professional about their thoughts on a federated GRC approach. They were Yo Delmar, Vice President of GRC at MetricStream, Tom Harper, Executive VP /General Auditor, Federal Home Loan Bank of Chicago and Jason Mefford, President Mefford Associates. Rasmussen asked the group about their definition of a federated GRC. Mefford said that “To me, a federated approach means a holistic, integrated, and or­chestrated GRC capability—I mean a common capability with the same pur­pose, but autonomy on how to accom­plish it at a lower level. Not requiring everyone to conform to a common set of practices or technology, but every­one meeting the same overall objec­tives and guidelines. The groups must work together for a common purpose using negotiations and compromise instead of someone dictating the spe­cific direction.”  Delmar put it another way when she said that “GRC, by definition, involves bringing together governance, risk, and compliance disciplines from across what is increasingly becoming a com­plex, extended enterprise with deep interlocks to customer and supplier ecosystems. It simply isn’t realistic to expect organizations to converge on a common set of processes for GRC…A GRC program strives to converge on a com­mon risk and control framework, and perhaps a common issue and remedia­tion process, but will necessarily need to support a wide variety of individual taxonomies, processes, metrics, and workflows.”

To get the entire process going, Harper said that it all begins at the top of an organization to establish an effective GRC, “A very high-level corporate acknowledgment of the need to ex­ecute in a coordinated way. Without long-term support from the C-suite, individual priorities will dominate and coordination and sharing of infrastructure will be stifled. If the C-suite can advocate for the idea that a federated approach will lead to greater business success, as opposed to just being overhead, the initiative will have much greater chances of success.”

Rasmussen ended the roundtable discussion with an interesting question and one which many compliance professionals and others can get stuck, which is “what comes first with feder­ated GRC capability, better communi­cation or better use of resources?” Mefford said that he believe communication comes first, “With good communication I think it’s easier to understand the resources that can be shared and agree on how we will run the GRC capability.” Harper believes that the go “hand-in-hand” because if employees cannot communicate they probably cannot constructively work together. Delmar believes that you have to “strike the right balance” by “building the mission, goals, and objectives for federation collabor­atively with the right stakeholders and communicating these well.” If this balance is achieved, it will support “the maturity, readiness, and strategic intent of key stakeholders, —are more successful than those that don’t make the conscious choice to manage GRC as a program.”

The GRC Illustrated piece provided several examples of governance, risk management, and compliance functions that span layers of the multi-national company. They included:

FEDERATED COMPLIANCE MANAGEMENT. In this area, a federated GRC enables a company to effectively and efficiently identify and manage all of its mandatory requirements and voluntary obligations through a common framework and integrated approach that aligns with business performance and risk management. A federated model strives to harmonize and rationalize requirements at the global, local, and business unit level.

FEDERATED AUDIT MANAGEMENT. Federated GRC allows auditors to provide greater assurance of properly designed and operated controls and insights into business performance, through consistent and reconcilable reports from operational and field audits. A federated model strives to provide greater visibility into emerging risks by enhancing communication between auditors and unit executives.

FEDERATED OVERSIGHT & ASSURANCE. The executive leadership team establishes the program structure and envisions the roadmap to establish and integrate the framework of GRC into enterprise processes and collaboration.

FEDERATED RISK MANAGEMENT. Federated GRC establishes enterprise-wide taxonomies, standards, and methods for risk identification, assessment, management, and reporting while supporting distinct risk methods, taxonomies, and workflows to meet unique needs across the business. Risk information is aggregated, rationalized, and normalized for enterprise risk reporting based on an integrated and flexible framework for documenting and assessing risks, defining controls, managing assessments, identifying issues, and implementing recommendations and remediation plans.

FEDERATED THIRD-PARTY MANAGEMENT. Organizations’ operations are distributed across a maze of business relationships: suppliers, vendors, outsourcers, contractors, and agents. Federated GRC includes the integration and oversight of performance, risk, and compliance across the organization’s third-party relationships and transactions.

As businesses become more complex and larger, yet more inter-related, having a federated GRC system has moved from as aspiration, to a best practice, to a necessary part of your company’s governance and compliance hierarchies. Michael Rasmussen continues to extol the usefulness of such an approach and his article lays out the intellectual underpinnings of such a method. The GRC Illustrated series continues it visual presentations of how a compliance practitioner should think through, create and implement such an approach.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 27, 2014

The Abbey Grange, the Quality of Justice and Codes of Conduct

Abbey GrangeIn honor of the return of Sherlock Holmes to PBS with Season 3, I begin a week of Sherlockian themed posts. Today we consider the quality of justice that Holmes discussed in The Abbey Grange, he allowed a man who murdered a wife-abusing husband to go free. Holmes concern with justice, as opposed to simply following the letter of the law, is an excellent introduction into the subject of Codes of Conduct.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in a recent article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document but “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

In a GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties, such as suppliers and agents. If you have a large number of non-English speaking personnel or employees without access to online training, these factors needs to be considered when determining the delivery method.

Measure

Initially, you should prioritize both qualitative results with positive feedback by including such metrics as speed of completion, reminders, which must be sent to facilitate completion of Code of Conduct training, and the percent of employees and third parties who attest to review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and conduct fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but truly reflective of your company’s culture. Lin pointed out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. Some of these techniques include “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said that “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving forward and as Holmes did in the Abbey Grange, further your cause beyond the simple letter of the law.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 21, 2014

The Culinary Aspects of Homer’s Odyssey and Compliance Training

Culinary in the Odyessy

I recently came across a fascinating book entitled “The Meaning of Meat and the Structure of the Odyssey” by Egbert Bakker. In this work, Bakker looks at the culinary aspects of Odysseus’ journey home from the Trojan War. Peter Thonemann, writing in the TLS, said that “Bakker’s book is a powerful illustration of the importance of food and culinary practices to past society.” In other words, the eating habits could be used to not only understand the past but also perhaps train those in the present about the “wider moral culpability” found in Homer’s work.

I thought about this different way of learning as I was reading a recent article by the Open Compliance and Ethics Group (OCEG) President Carol Switzer in the Compliance Week magazine, entitled “Playing the Game of Risk in Workplace Education”. Her article was coupled with a roundtable discussion of the subject and another in the OCEG, GRC Illustrated Series entitled “Risk-Based Education and Training”.

In the article, Switzer reminds us “one size does not fit all in deciding the content and intensity of training needs for each role or individual”. Recognizing that it all starts with a risk-based analysis of who needs the training is just the start. Switzer believes that by engaging employees in the training, it can become more effective. She looks to the world of gaming when stating that, “Well-designed games encourage engagement, and more engagement means more reinforcement, and that leads to better recollection and application of the information. Situational decision making drives the player to think, not just act. Making wrong choices and seeing the consequences leads to desire to act the right way and gain rewards, be it advancing to the next level of the game, earning a prize for success, or understanding that in the real workplace world the reward may be achievement of personal and organizational objectives.”

In her roundtable, she posed the question, “How do you suggest companies decide on the appropriate amount of training? Earl Jones, Shareholder at Littler Mendelson PC, responded that a company needs to evaluate where its risks are, “If the company is betting on international expansion, then intensive anti-bribery and corruption intensive training is a necessity for key employees. Also design training to build and protect sources of value. If an intangible asset, like a brand, is an important source of value, thoroughly train employees to identify, understand, and react to events or behavior that could impair the brand.”

When it comes to the scope and style of training, Steve Perreault, Global Head of eLearning GRC for Thomson Reuter, suggested you should assess your training by employee groups. You should “Understand things like: How likely is a group of employees to participate in activity that is related to a particular regulatory area? How complex is that regulation? What controls are in place already? Is this employee group responsible for making sure others comply with policies and regulations? You also have to consider what you will need to provide to evidence to regulators and courts that the program exists and is effective. Once you get that figured out, you must ensure that you stay on top of changes in legislation and enforcement, and revise policy, procedures, and training accordingly.”

Switzer next turned to measuring the effectiveness of training and how a company might determine this. Alisha Lynch, Global Ethics and Compliance Education Leader at Dell Inc., said, “Determining the scope and style of training should have several input sources.  Most organizations have three- to five-year strategic plans, and training programs should be designed to support those plans and initiatives. One good analogy is that a training initiative should be like a physical fitness regime. You cannot exercise the same muscle every time to make significant improvements, and you cannot ignore the diet. A culture is like a diet. If the organization designs and delivers great training but the culture is toxic, probably no improvement will be made.”

In the GRC Illustrated Series, it suggests that companies take a risk-based approach to provide appropriate levels and types of training and education to different individuals across the organization. Some of the factors they suggest you review are the role of the individuals, geography, and their level of exposure to particular risk areas. Such an approach moves away from the ‘tick-the-box’ approach that generally renders such compliance useless. It also helps to ensure that there is a more effective use of budgetary resources by focusing training efforts to maximize the return on the investment. The piece advocates a three-pronged approach.

Define

The first step is to define what you are trying to achieve. The piece recognizes that “while some organizations limit their training programs to what is legally required, more successful ones know that there are many reasons for developing a thoughtful, well-designed approach to employee education.” It puts forward that if training is done right, it will help the organization to achieve several goals. These include: the business Objectives; managing threats and business opportunities; it will address change in positive manner; it can help to ensure integrity and the company’s reputation; it can strengthen the business’s culture and ethical conduct; and, lastly, it can provide evidence that the company has complied with legal requirements such as the US Sentencing Guidelines and the Ten Hallmark’s of an Effective Compliance Program.

Design

The next step is to design the training program, which is further broken down into three steps, which drill down into the specifics of training. By using these three steps, you can help to assure that the training will be effective for the individual but also for the nature of the risk involved.

The first is to design the training program. Steps include the development of curriculum using a risk-based model. You should set uniform methods for acquiring content, maintaining records, and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Finally, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who is your audience and what their characteristics might be. You need to ensure that the content is timely and the instructors are effective. Finally, you will need to determine not only the most appropriate mechanism to deliver the content but also define the key performance indicators and determine methods to audit them.

The final design level is the individual’s training plan. Here you need to analyze what the person’s role is within the organization and use this to determine mandatory and risk-based training needs. You will need to consider modifying the risk profile based upon assessments given before and after the training is delivered and then adapt the training as an employee’s role and risk profile changes within an organization

Deliver

For the delivery of the training materials, they also have a tripartite scheme. They break it down into high risk exposure roles; medium risk exposure roles and low-risk exposure roles.

  • High Risk Exposure Roles – are defined as those employees whose roles in an organization can significantly impact the company. Here expert subject proficiency is demanded and individuals should be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements, and penalties. Training may be repeated frequently using several methods of delivery, have greater assurance through testing and certification of course completion, and include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises.
  • Medium Risk Exposure Roles – are defined as those employees who face risk on regular basis or present a moderate level of negative impact to a company if they mishandle the risk. These individuals should know the risks, requirements, and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. Training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, and have methods to prove evidence of understanding.
  • Low Risk Exposure Roles – are defined as those employees with a low likelihood of facing the attendant risk. Persons in this category should be made aware of the risks, requirements, and penalties, as well as the organization’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

As with all areas in an anti-corruption compliance program, Switzer and the OCEG suggest that you monitor and audit your program so that you can review it and improve as circumstances warrant. I would add that you should also Document, Document and Document what you are doing for the same reasons. Just as Bakker’s new look at the culinary aspects of the classics can provide new insights into interpretation, it also shows the training that was written into Homer’s Odyssey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 17, 2014

Naval Theorists and the Measurement of Compliance

7K0A0129If are interested in naval history, strategy and tactics, I have a question for you: Are you a disciple of Alfred Mahan or Julian Corbett? If you are a Mahanian, you probably focus on large naval engagements or the great battle concept. If you are Corbettian, you probably think about a series of smaller engagements, with an offensive-defensive mentality. I pose this as I am currently studying great military strategic thinkers. One thing they both advocate is information collection and analysis as a tool to not only predict potential future outcomes but to remediate defects as they might appear. In other words, measurement.

Why should an organization measure its compliance program? One quick answer is that it is one way to demonstrate that your compliance program is ‘effective’ under the US Sentencing Guidelines for Organizations. But more holistically, such measurements allow a company to know if it is operating within the parameters it has set and in compliance with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. Further, such metrics can provide more and better information for strategic decision making, help employee engagement with compliance and can aid to produce a clearer picture of compliance risks and requirements.

An article in Compliance Week, entitled “Measuring the Integrity of an Organization”, author Michael Rasmussen explored this issue and then facilitated a roundtable discussion on the topic. Rasmussen’s article was paired with another in the series of Open Compliance and Ethics Group (OCEG) GRC Illustrated pieces entitled, “Integrated Compliance & Ethics Metrics”.

In the roundtable, Patrick Quinlan, Chief Executive Officer (CEO) of Convercent, said, “compliance should be looking at objectively measuring how a location, a department, or employee behavior stacks up against the organization’s values and policies. You should measure to compare, monitor, and pursue participation, engagement, and improvements where needed. Regulators may want to see checked boxes of compliance (percentage of policy attestations and training courses completed; controls in place; responses to incidents). Culture and engagement metrics can serve as valuable indicators of issues that may rise to the surface later. Employees respond to how they are evaluated; making ethical behavior a part of performance evaluations is an important part of instilling compliance at every level.”

Jose Tabuena, Global Compliance & Regulatory Counsel for Orion Health, believes that it is important for a compliance practitioner to “Develop a scorecard to give stakeholders information about the compliance program and where there is risk. Metrics should be gathered from both inside (e.g., investigations, compliance committee meetings, subject matter audits, etc.) and outside (e.g., government agency audits and observations, including fines and penalties). These metrics monitor the program over time and identify legal and other minefields that are ripe for corrective action.” Anita Helpert, Director of Internal Audit at Raytheon, specified four areas that organizations should compare. First, “awareness training completions that answer: Have we equipped attendees to understand expected conduct, to recognize issues, and to feel confident in reporting issues?” Second, you should look at tone-at-the-top: “What evidence supports leaders setting examples and nurturing an environment of ethical behavior?” The third is hotline reporting: “Do reports confirm or deny our “ethics checks” and provide insight on how people ask for guidance or report potential issues?” Fourth, and finally, is ethics metrics: “When we respond to a report or question, what do we find? How does this trend over time, by organizational structure, by leader, by location?”

In the GRC Illustrated compendium, it detailed success factors. These included:

  • Top level support – you can gain the endorsement of management and obtain a larger allocation of resources by “demonstrating how strategic decisions making depends on analysis and timely delivery of information.
  • Employee engagement – by engaging employees you not only make them more comfortable with compliance but also more meaningful and beneficial.
  • Knowing your needs – you need to determine what information is required to assist in “strategic decision making, support established values, improve compliance efforts and better manage resources.”
  • Single source of information – there should be one centralized system to consolidate metrics and ensure increased accuracy for better analysis and decisions.
  • Ease of use – the compliance practitioner needs to “enable quick, simple and meaningful management of data and dashboards for viewing and analysis of metrics.”

An interesting glossary in the GRC Illustrated compendium defined the types of metrics and examples that might be used. They were:

  • Number – you should count the number of incidents, policies, surveys, reports, automated controls, and employee conduct – whether good or bad.
  • Frequency – you should determine how often training and surveys take place, incidents occur, issues are reported and the workforce is surveyed.
  • Flagged – you should identify policies requiring review or individuals, locations, and operations with multiple problems, high-level risks or strength in desired conduct.
  • Ranking – here you should assess the severity of incidents, benchmarking outcomes, employee leadership qualities and the risk ranking of third parties.
  • Trends – you should evaluate metrics for specific areas such as training completion or level of employee engagement over time and relate them to program changes.
  • Relationships – you should consider the controls per risk, incident trends to training frequency or survey completion rates to the number of reminders.

Rasmussen ends his article by noting that these types of approaches to ethics and compliance allow not only the demonstrable proof that regulators such are the Department of Justice (DOJ) or Serious Fraud Office (SFO) are looking for but also “shifts the focus of efforts from being reactive and “checking the box” to proactive and forward-looking. This shift enables compliance to monitor integrity by processing and managing metrics across the organization in the context of rapidly changing business, regulatory, legal, and reputational risks to ensure compliance is operationally effective.”

With this integrated compliance architecture a company can create “an optimized infrastructure to report on metrics, benchmark integrity, and understand compliance in the context of business strategy and execution. Measuring integrity requires that the organization have clear insight into metrics supporting the development and communication of clear policies, continual feedback from employees, effectiveness of training programs, incident reporting, and the engagement of employees with these systems. All of these lead to an efficient and effective compliance program responsible for being the champion of organizational integrity.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 12, 2013

The Lascaux Cave Paintings and Mergers and Acquisitions under the FCPA

Today is the anniversary of one of the greatest finds in ancient archeology. 73 years ago, the Lascaux cave paintings discovered by four teenagers who stumbled upon the ancient artwork after following their dog down a narrow entrance into a cavern. This stunning find, consisting mostly of animal representations which ranged in age from 15,000 to 17,000 years-old, are considered to be among the finest examples of art from the Upper Paleolithic period. The pictures depict, in excellent detail, numerous types of animals, including horses, red deer, stags, bovines, felines, and what appear to be mythical creatures. Archaeologists believe that the cave was used over a long period of time as a center for hunting and religious rites.

Fortunately you do not have to look for something so rare when it comes to the steps you need to take when considering your mergers and acquisitions (M&A) obligations under the Foreign Corrupt Practices Act (FCPA). M&A now rates its own step in the FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. In No. 10, monikered “Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration”, the Guidance states, “In the context of the FCPA, mergers and acquisitions present both risks and opportunities. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.” In other words, good FCPA compliance is also good business.

Auspiciously for all of us Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), has provided a compendium of steps that the compliance practitioner should take, in a Compliance Week article, entitled “How to Boost Your Merger and Acquisition IQ”, together with another in the OCEG Anti-Corruption Illustrated Series, entitled “M&A Corruption Due Diligence”, Switzer breaks the M&A compliance process into three general areas, with the specific steps she recommends under each.

I.                   Advance Risk Assessment

  1. Make Strategic Decisions. Why would you select this opportunity as opposed to others? Here Switzer writes that your company’s risk tolerance should come into play. Are there some markets where the risk of corruption is simply too high. Witness GlaxoSmithKline PLC (GSK) which has implied it may leave the Chinese market after the recent corruption allegations against it. But, more than simply a market analysis, you should consider whether you wish to grow organically or strategically. If through strategic acquisitions, what criteria should you use for your targets?
  2. Identify Top Level Corruption Threats. Here the list is the usual suspects of concepts. Is the operation that you are considering in a high risk country? Does it have multiple government touch points? Is the sales model third party representatives or internal resources? Are a large amount of goods or services moved across borders? How about sales to foreign governments or state owned enterprises? Thinking about GSK in China, is there a history of payments to or entertainment of government officials? Have you looked at the owners, directors and key employees of the target to see if there is any evidence of corruption?
  3. Make Tactical Decisions. Here a company needs to analyze the findings for each target location to answer such questions as to whether it is better to build or buy, what markets a company targets or avoids and other upstream determinations can help to lower the likelihood of selecting acquisition targets with high corruption risks. Switzer writes that “By sniffing out top-level corruption threats in the risk assessment phase, the company can identify and resolve corruption issues earlier and at a lower cost than it would incur when scrambling to react to these same issues later in the transaction process.” I would add that your assessment needs to be documented as well.

II.      Pre-Transaction Activities

  • Dig Deeper. At this point, Switzer states that it is time to begin to dig deeper into the proposed target. After you have established your M&A team members, you should being to assess the target’s compliance awareness and program, the nature of any dealings it has ongoing with foreign governments and determine if compliance related policies and procedures are in place. The next step is to inspect. To accomplish this, hard copies of documents should be obtained and reviewed. In addition to the overall policies and procedures, you should review the accounting records and contracts with third parties, including any due diligence performed. You need to determine and review if there any specific policies and procedures related to the following areas: gifts, entertainment, travel and hospitality.

Next you will need to interview key personnel, including the executive team, high production employees and compliance professionals. You should also perform independent background checks and due diligence on this group. This same exercise should occur with key third party relationships of the target.

From here you should move to transaction testing. Your testing should include sales and business expenditures, payments to third party consultants, related third party transactions, travel and entertainment expenditures, charitable donations and political contributions.

All of this information then needs to be analyzed to determine if you wish to move forward. Switzer advises some of the key considerations should be potential successor liability, unsustainable business models due to corruption and the potential costs of any remediation going forward. Once again you need to document any decisions you make to go forward if red flags have appeared.

III.             Post-Closing Activities

  1.  Analyze. Under this step, Switzer advises that you should begin to determine risks for ongoing business, prioritize ongoing compliance needs of the now acquired company, evaluate in detail the anti-corruption training that the target had provided to its employee basis to determine sufficiency and evaluate in detail all accounting process and policies and procedures if you did not have the opportunity to do so pre-acquisition.
  2. Remediate Outstanding Issues. Now you need to fix any identified shortcomings in the newly acquired entity. This could include the tone at the top, the Code of Conduct, any third party procedures and training.
  3. Integrate. You should use this step to instill a culture of compliance in the newly acquired entity if such was not present, though both training and the implementation of enterprise wide policies. To the extent possible you should establish uniform accounting and technology.
  4. Communicate. In this final step, Switzer suggests that you need to communicate directly with the newly acquired entity so as to enlist their help in managing the change that will go forward. This would include all stakeholders, employees, third party representatives and even customers. Finally, be sure to inform your management, Board of Directors and regulators, such as the Department of Justice (DOJ), as appropriate.

Switzer notes that the earlier you can deploy these steps the better off your company will be at the end of the day. Near the end of her article Switzer quotes from an Ernst & Young white paper, entitled “Increased Oversight of M&A: An Expanding Role for Audit Committees”, that “Failed M&A can destroy a company’s market value, destabilize its financial position and credit ratings, impair its strategic position, weaken the organization and damage the company’s reputation”. She then ends with these words of wisdom, “By treating their deal-drivers as organizational protectors and vice versa, acquiring companies can ace their due diligence and improve their odds of avoiding a failed deal.” To which I can only add – indeed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,655 other followers