FCPA Compliance and Ethics Blog

July 23, 2014

Code of Conduct, Compliance Policies and Procedures-Part II

Policies and ProceduresThis week, I am reviewing the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. Yesterday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. Today, I want to look at how to go about drafting your Code of Conduct. In subsequent posts, I will consider both anti-corruption compliance policies and procedures and how to assess, review and revise them and your Code of Conduct on a timely basis.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in an article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network, and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving.

A GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin, said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties. If you have a large number of non-English speaking personnel or employees without access to online training, these factors need to be considered when determining the delivery method.

Measure

Initially, you should prioritize both qualitative results with positive feedback by including such metrics as speed of completion, reminders, which must be sent to facilitate completion of Code of Conduct training, and the percent of employees and third parties who attest to the review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and content fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but also truly reflective of your company’s culture. Lin points out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. He states, “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said, “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 17, 2014

John Bell Hood and the Measurement of Conduct Risk

John Bell HoodReaders of this blog know I am huge Civil War buff. Growing up in Texas, I only focused on the Southern side as a youngster and while this led to a sometime myopic view of events, in my mid-20s when I did begin to study the Northern side of the war, because I had never seriously studied from that perspective an entire panorama opened up for me.

One thing that never changed however, was the disaster that befell the South from the appointment of John Bell Hood to commander of the Army of Tennessee, which opposed General Sherman’s advance into Georgia since his stunning defeat of the Confederate forces at Chattanooga and later Lookout Mountain in Tennessee in late 1863. On this day 150 years, Confederate President Jefferson Davis replaced General Joseph Johnston with John Bell Hood as commander of the Army of Tennessee. Davis, impatient with Johnston’s defensive strategy in the Atlanta campaign, felt that Hood stood a better chance of saving Atlanta from the forces of Union General William T. Sherman. President Davis selected Hood for his reputation as a fighting general, in contrast to Johnston’s cautious nature. Hood did what Davis wanted and quickly attacked Sherman at Peachtree Creek on July 20 but with disastrous results. Hood attacked two more times, losing both and destroying his army’s offensive capabilities. Over the next two weeks in 1864, Hood’s actions not only led to President Abraham Lincoln’s reelection but spelled, once and for all, the doom of the Confederacy.

I thought about the risks of appointing Hood to command when I read a recent article in the Compliance Week Magazine by Carol Switzer, co-founder and President of the Open Compliance and Ethics Group (OCEG), entitled “A Strategic Approach to Conduct Risk”. Her article was accompanied by an entry in the OCEG Illustrated Series, entitled “Managing Conduct Risk in the GRC Context”, and she also presented thoughts from a Roundtable which included John Brown, Managing Principal, Risk Segment, Financial and Risk Division at Thompson Reuters; Tom Harper, Executive Vice President-General Auditor Federal Home Loan of Chicago and Dr. Roger Miles, Behavioral Risk Lead, Thompson Reuters.

In her article, Switzer pointed to the “Ill-advised risk taking” which led to the near-collapse of the financial sector as the genesis for the creation of the UK’s new Financial Conduct Authority (FCA). But she also noted that conduct risk is something that exists in industries far afield from the financial sector where “sales schemes driven by inappropriate incentive plans and outlandish short-term objectives” can cause severe financial consequences to an organization. As an example of the need for change in the financial section, Switzer quoted Clive Adamson, FCA director of supervision, on the need to address conduct risk, “Achieving an effective conduct- or customer-focused culture is challenging for firms, particularly for those whose focus has been primarily on profitability and shareholder returns. … From what we see, there are key drivers that set and re-enforce this conduct-focused culture, with the most important being clear and ongoing leadership from the top of the organization, constant re-enforcement, hiring practices, incentive structures, effective performance management, and penalties for not doing the right thing, all of which should set the tone for a framework for decision making on a day-by-day basis.”

Switzer continued that “Throughout his speech and other materials published by the FCA, there is a theme that returns over and over again to integrity, leadership, culture, the concept of controls over conduct, and strong risk management—all tied to an outcome of business success. What is this? It is a vision of principled performance—a point of view and approach to business that enables organizations to reliably achieve objectives while addressing uncertainty and acting with integrity. And it is refreshing to see leaders (and in some cases past wrongdoers) in the financial sector rising to the occasion and establishing a principled performance approach to conduct risk, even though they may not yet call it that.”

Harper described conduct risk as follows, “Conduct risk embodies elements of the risks that we have been discussing over the past few years, including not only operational and compliance risk, but also reputational risk and tone-at-the-top. The idea that organizations need to ‘do the right thing’ and balance the immediate pressure of short-term growth and revenue along with meeting the aspirations of equity holders and managers is not new. In the past, conduct risk was primarily mitigated by the long-term focus on the goals of the organization of the board and management.”

In the Illustrated Series piece included with the article, Switzer set out four principles for managing conduct risk. These principles are an excellent starting point for the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption compliance practitioner in that it can be used to evaluate, assess and manage conduct risk in such a context.

Assess Conduct Risks

Miles stated that, “The idea of benchmarking “conduct” as a basis for business, or life in general, is actually of course a very old one. Constraints on behavior are exactly the right direction to go in, though it’s not yet clear how these will be framed, let alone policed. Now with the FCA’s new Risk Outlook 2014, there’s a big step forward. They have a deep commitment to sharing understanding about how various elements of behavior feed through into good and bad product design, into selling or mis-selling.” Based on this Switzer believes that you should first identify potential conduct risks in your business. After such identification, you should conduct a risk and control assessment. From this measure, you can best determine the level of inherent and residual risk. Finally, you should carry out an emerging risk workshop to develop a more complete risk profile.

Establish Risk Appetite

Brown pointed towards the increased complexity in financial institutions as a key problem. As part of the solution, Switzer writes that the first step is to connect the risks, controls and other framework elements to your company’s organization chart. From there, you should determine risk capacity, your company’s current risk profile and its risk appetite. Next you should measure your risk appetite adherence. Finally, you will need to align your risk appetite with your company’s risk governance framework.

Measure and Monitor 

Here Switzer suggests that there be a detailed information collection on any issues associated with risk events. It is important from that point, you begin to track key risk indicators. Miles noted that “Managing risks due to behaviors and cultures requires a deep understanding of psychological drivers and developing programs to modify those drivers”; as such measurements would allow your company to begin to move from simple detection and prevention to predictive controls through the use of behavioral and analytical modeling. Finally, you could use the above information to perform scenario analysis on emerging risks.

Communicate and Manage

Switzer advocates that you communicate and train your company’s employees on your organization’s risk culture. You should also work to ensure that employees have accepted their risk conduct appetite metrics. Brown said, “Behavioral drivers will vary around the world based on societal culture. I’ll focus on what might be appropriate for U.S.-based organizations. Most people operate to maximize their personal return, so compensation structures are an obvious avenue to modify conduct. If my bonus or equity compensation is based on specific targets, such as new accounts, loans written, or customer satisfaction index, I will try to maximize those targets.” This is why you should continue to collect all key data about conduct risk in one data repository. Finally, you should also continue to provide reports and analyses on conduct risk to key stakeholders and regulators, if required.

Switzer ended her article with the following quote from Gary Kasparov, “Think about it: After just three opening moves by a chess player, more than 9 million positions are possible. And that’s when only two players are involved in the game. Now imagine all the possibilities faced by companies with a whole host of corporations responding to their new strategies, pricing, and products. The unpredictability is almost unimaginable.” From this she added, “This couldn’t be truer than when facing the myriad challenges presented under the umbrella concern of conduct risk. Masterful strategic planning and execution is essential to stay in the game and win.”

The risks that General Hood was willing to engage in were catastrophic for his army and the Confederacy. If Jefferson Davis had used a risk conduct analysis to think through the effects of elevating Hood to command of the Army of Tennessee the results might have been very different for all involved. Switzer’s article provides a valuable tool for the compliance practitioner to bring to bear on specific conduct which could put a company at risk.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

May 6, 2014

From the Bad Boy Pistons to GRC: The Building Blocks of Compliance

Detroit PistonsI recently watched the ESPN documentary series 30-for-30 on the Bad Boy Detroit Pistons from the late 1980s and early 1990s. It was a great review of a different era of the National Basketball Association (NBA) and the perfect way to get ready for the current playoffs, even if the Rockets did choke their way out of Round 1 as usual. But more than great entertainment, the show focused on the building blocks of a pro basketball team. The Pistons were created player by player who were pieces of the overall team structure. The team then had to become battle hardened by losing some tough playoff games, first in the Eastern Conference to Boson and then in the NBA Championship to the Lakers, before they eventually succeeded in becoming two time NBA champs. In other words, it was a lengthy process, which started in 1982 when the Pistons drafted Isaiah Thomas and it took almost 10 years for them to win the title.

I thought about this process orientation when I read a GRC Illustrated series article in the March issue of Compliance Week, , entitled “The Principled Performance Vision”, by Carole Switzer, co-founder and President of the Open Compliance and Ethics Group (OCEG) and Scott L. Mitchell, the co-founder and Chair of OCEG. In their article, and accompanying GRC Illustrated presentation entitled “Pathway to Principled Performance”, they discuss the need for companies to have a mechanism to address ever-changing business and legal risks in the context of the high performance required by internal and external stakeholders. They articulate “a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity.”

The biggest problems that they identify are issues of loss of cohesion and insular nature of a management and reporting system between business units within an organization. For instance they point to a wide variety of disciplines within a company, such as “as governance, finance, production, and sales to adjunct areas like performance management, risk management, internal control, compliance, and audit” which must use the same data but often never share the results with each other. The authors posit that a more holistic approach is required and this “can only be achieved by integrating and orchestrating information and functions that, in many organizations, are fragmented and siloed. Then, these integrated capabilities must be supported with strong communication, effective technology, and development of the desired ethical culture.”

Coupled with the article and illustrated framework is a roundtable discussion led by Switzer of several leading compliance practitioners and thought leaders. The participants included Brian Barnier, Principal at ValueBridge Advisors; Paul Liebman, Chief Compliance Officer (CCO) at the University of Texas; Tony Miller, Chief Operating Officer (COO) and Partner at The Vistria Group and Michael Rasmussen, Principal and Chief GRC Pundit at GRC 20/20 Research LLC. Switzer asked them the basic question of how does one get started in such an initiative for a company? Barnier believes that, in large part it is about messaging by “treating it as a business initative to drive profitable revenue and risk-adjusted return” as opposed to “yet another compliance task to achieve while cutting cost.” Liebman focused on the ‘why’ he changed when he noted, “true change depends upon three things: a profound sense of discomfort in the current condition, a vision that things could be better, and a plan to get there. I think the first step is therefore to assess and explain the current level of discomfort—i.e., what is wrong and why.” Moreover, he believes that it is important to “have a vision of the direction you want to go and plan accordingly.” Finally, he said that “Focus on structure and process so that you are constantly moving forward. Slow, incremental but sustainable change in the right direction is far more important than quick, substantial but unsustainable change. Slow, incremental and sustainable change happens by taking advantage of pre-existing organizational processes and mental models that are already working well. Don’t force new or redundant processes but, rather, seek to understand how others are thinking and acting and explain how your vision is really just a logical extension of what they are already trying to accomplish.”

Miller took a somewhat different approach when he said that “Principled performance needs to be part of the culture, reflected in the strategy, and embedded in an organization’s operating systems and processes.” To accomplish this he listed three steps, “(1) the chief executive officer and the senior executive team explicitly acknowledging that this is an important problem that must be addressed; (2) establishing clear metrics and goals for improvement; and (3) assigning point accountability at the executive team level for developing and “owning” the process that will enable the organization to meet the principled performance goals.”

Switzer asked the participants if they could point to situations where there has been a failure to interconnect the various functions of GovernanceRiskCompliance (GRC) which has led to catastrophic consequences. Miller pointed to the siloed nature of the financial services industry when he said, “That’s why we’ve seen significant breaches in the financial services industry with excessive risk taking by traders, the mortgage services industry in lax and exploitive underwriting practices, and the education services industry with overly aggressive student recruitment practices.” Liebman pointed to that well known risk area under the Foreign Corrupt Practices Act (FCPA) by noting, “Third-party relationships are an example where disparate processes and strategic goals can lead to significant non-compliance, waste, and surprise. For example, companies often create a business strategy at a high level and then ask others to implement the strategy with little or no oversight or structure… Accordingly, when a problem surfaces creating a bad reality, such as bribery in the supply chain, and expectations were set too high, the result is significant unhappiness for stakeholders.” Barnier focused on the management of risk without coordination due to the insular nature of management and reporting systems when he observed, “Much of this results from typical silo behavior—especially when reinforced by a control culture with its usual compartments that diminishes individual engagement and end-to-end views. Principled performance, with its focus on outcomes, brings together a range of decisions and activities to improve the likelihood of achieving those objectives.”

While some might find it interesting that the notorious “Bad Boys” of the NBA can teach the compliance practitioner a thing or two, it is clear that their General Manager (GM) Jack McCloskey had a plan in mind when putting the pieces of the team together. That team then had to be molded together and tested. This real world example would seem to be what Rasmussen said when he summed up his views by stating, “A mature GRC program will have an integrated strategy, process, information, and technology architecture that brings efficiency, effectiveness, and agility to GRC across the business and aligned with the business.”

If you have a team left in the NBA playoffs, good luck. Otherwise I hope that you will back me in supporting the Spurs yet again.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 7, 2014

The Federalist Papers and a Federated Approach to GRC

Filed under: Best Practices,compliance programs,Compliance Week,OCEG — tfoxlaw @ 12:01 am
Tags:

Federalist PapersToday we celebrate one of America’s greatest political commentaries, The Federalist Papers. They were penned by James Madison, Alexander Hamilton and John Jay. They presented their three views on why the Federal Constitution should be passed to take the place of the discarded Articles of Confederation, tying together disparate political theories into a coherent whole. Their publication helped sway an uneasy thirteen colonies to form the United States of America, to be governed by the Constitution of the United States.

Noted GRC expert Michael Rasmussen drew inspiration from the The Federalist Papers for a recent GRC Illustrated article in Compliance Week, entitled “GRC Federalist Papers: A Call to Action”. In this article he said that with the modern day complexity of business, “Keeping complexity and change in sync is a significant challenge for boards and executives, as well as governance, risk-management, and compliance professionals (GRC) throughout the business.” He decried GRC which operates in a siloed fashion because it inevitably leads to failure. Equally inane is the GRC system which is some kind of out of the box, one size fits all solution, which attempts to implement a GRC process through a single GRC platform.

Rasmussen believes that both styles end in failure to due the complexity and inter-relatedness of modern business. He believes that the “Complexity of business and intricacy and interconnectedness of GRC requires that we have an integrated approach to business systems, data, and GRC processes. However, the opposite is also a challenge: ‘monarchy’ GRC architecture.” More pointedly he said “The challenge for organizations is how to reconcile homogeneous GRC reporting, risk transparency, performance analysis, and compliance with an operating model that is increasingly heterogeneous as transactions, data, processes, relationships, mobility, and assets expand and multiply. GRC fails when risk is addressed as a system of parts that do not integrate and work as a collective whole. GRC fails when it is thought of as a single platform to manage workflow and tasks. GRC is about the interactions and relationships of cause and effect across strategy, process, transactions, information, and technology supporting the business and requires a GRC architecture approach.”

His solution is a ‘federated’ approach to GRC, which he defines as a “GRC architecture that enables oversight, reporting, accountability, and analytics through integration with business processes, data repositories, and enterprise systems. Let GRC work with and throughout the business and not force parts of the business into a mold that does not fit.” He concludes by noting that a federated GRC approach allows “agility, stimulates operational dynamics, and, most importantly, effectively leverages rather than vainly tries to control the distributed modern enterprise.”

As a part of his article, Rasmussen presented a roundtable discussion with three compliance professional about their thoughts on a federated GRC approach. They were Yo Delmar, Vice President of GRC at MetricStream, Tom Harper, Executive VP /General Auditor, Federal Home Loan Bank of Chicago and Jason Mefford, President Mefford Associates. Rasmussen asked the group about their definition of a federated GRC. Mefford said that “To me, a federated approach means a holistic, integrated, and or­chestrated GRC capability—I mean a common capability with the same pur­pose, but autonomy on how to accom­plish it at a lower level. Not requiring everyone to conform to a common set of practices or technology, but every­one meeting the same overall objec­tives and guidelines. The groups must work together for a common purpose using negotiations and compromise instead of someone dictating the spe­cific direction.”  Delmar put it another way when she said that “GRC, by definition, involves bringing together governance, risk, and compliance disciplines from across what is increasingly becoming a com­plex, extended enterprise with deep interlocks to customer and supplier ecosystems. It simply isn’t realistic to expect organizations to converge on a common set of processes for GRC…A GRC program strives to converge on a com­mon risk and control framework, and perhaps a common issue and remedia­tion process, but will necessarily need to support a wide variety of individual taxonomies, processes, metrics, and workflows.”

To get the entire process going, Harper said that it all begins at the top of an organization to establish an effective GRC, “A very high-level corporate acknowledgment of the need to ex­ecute in a coordinated way. Without long-term support from the C-suite, individual priorities will dominate and coordination and sharing of infrastructure will be stifled. If the C-suite can advocate for the idea that a federated approach will lead to greater business success, as opposed to just being overhead, the initiative will have much greater chances of success.”

Rasmussen ended the roundtable discussion with an interesting question and one which many compliance professionals and others can get stuck, which is “what comes first with feder­ated GRC capability, better communi­cation or better use of resources?” Mefford said that he believe communication comes first, “With good communication I think it’s easier to understand the resources that can be shared and agree on how we will run the GRC capability.” Harper believes that the go “hand-in-hand” because if employees cannot communicate they probably cannot constructively work together. Delmar believes that you have to “strike the right balance” by “building the mission, goals, and objectives for federation collabor­atively with the right stakeholders and communicating these well.” If this balance is achieved, it will support “the maturity, readiness, and strategic intent of key stakeholders, —are more successful than those that don’t make the conscious choice to manage GRC as a program.”

The GRC Illustrated piece provided several examples of governance, risk management, and compliance functions that span layers of the multi-national company. They included:

FEDERATED COMPLIANCE MANAGEMENT. In this area, a federated GRC enables a company to effectively and efficiently identify and manage all of its mandatory requirements and voluntary obligations through a common framework and integrated approach that aligns with business performance and risk management. A federated model strives to harmonize and rationalize requirements at the global, local, and business unit level.

FEDERATED AUDIT MANAGEMENT. Federated GRC allows auditors to provide greater assurance of properly designed and operated controls and insights into business performance, through consistent and reconcilable reports from operational and field audits. A federated model strives to provide greater visibility into emerging risks by enhancing communication between auditors and unit executives.

FEDERATED OVERSIGHT & ASSURANCE. The executive leadership team establishes the program structure and envisions the roadmap to establish and integrate the framework of GRC into enterprise processes and collaboration.

FEDERATED RISK MANAGEMENT. Federated GRC establishes enterprise-wide taxonomies, standards, and methods for risk identification, assessment, management, and reporting while supporting distinct risk methods, taxonomies, and workflows to meet unique needs across the business. Risk information is aggregated, rationalized, and normalized for enterprise risk reporting based on an integrated and flexible framework for documenting and assessing risks, defining controls, managing assessments, identifying issues, and implementing recommendations and remediation plans.

FEDERATED THIRD-PARTY MANAGEMENT. Organizations’ operations are distributed across a maze of business relationships: suppliers, vendors, outsourcers, contractors, and agents. Federated GRC includes the integration and oversight of performance, risk, and compliance across the organization’s third-party relationships and transactions.

As businesses become more complex and larger, yet more inter-related, having a federated GRC system has moved from as aspiration, to a best practice, to a necessary part of your company’s governance and compliance hierarchies. Michael Rasmussen continues to extol the usefulness of such an approach and his article lays out the intellectual underpinnings of such a method. The GRC Illustrated series continues it visual presentations of how a compliance practitioner should think through, create and implement such an approach.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 27, 2014

The Abbey Grange, the Quality of Justice and Codes of Conduct

Abbey GrangeIn honor of the return of Sherlock Holmes to PBS with Season 3, I begin a week of Sherlockian themed posts. Today we consider the quality of justice that Holmes discussed in The Abbey Grange, he allowed a man who murdered a wife-abusing husband to go free. Holmes concern with justice, as opposed to simply following the letter of the law, is an excellent introduction into the subject of Codes of Conduct.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in a recent article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document but “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

In a GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties, such as suppliers and agents. If you have a large number of non-English speaking personnel or employees without access to online training, these factors needs to be considered when determining the delivery method.

Measure

Initially, you should prioritize both qualitative results with positive feedback by including such metrics as speed of completion, reminders, which must be sent to facilitate completion of Code of Conduct training, and the percent of employees and third parties who attest to review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and conduct fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but truly reflective of your company’s culture. Lin pointed out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. Some of these techniques include “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said that “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving forward and as Holmes did in the Abbey Grange, further your cause beyond the simple letter of the law.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 21, 2014

The Culinary Aspects of Homer’s Odyssey and Compliance Training

Culinary in the Odyessy

I recently came across a fascinating book entitled “The Meaning of Meat and the Structure of the Odyssey” by Egbert Bakker. In this work, Bakker looks at the culinary aspects of Odysseus’ journey home from the Trojan War. Peter Thonemann, writing in the TLS, said that “Bakker’s book is a powerful illustration of the importance of food and culinary practices to past society.” In other words, the eating habits could be used to not only understand the past but also perhaps train those in the present about the “wider moral culpability” found in Homer’s work.

I thought about this different way of learning as I was reading a recent article by the Open Compliance and Ethics Group (OCEG) President Carol Switzer in the Compliance Week magazine, entitled “Playing the Game of Risk in Workplace Education”. Her article was coupled with a roundtable discussion of the subject and another in the OCEG, GRC Illustrated Series entitled “Risk-Based Education and Training”.

In the article, Switzer reminds us “one size does not fit all in deciding the content and intensity of training needs for each role or individual”. Recognizing that it all starts with a risk-based analysis of who needs the training is just the start. Switzer believes that by engaging employees in the training, it can become more effective. She looks to the world of gaming when stating that, “Well-designed games encourage engagement, and more engagement means more reinforcement, and that leads to better recollection and application of the information. Situational decision making drives the player to think, not just act. Making wrong choices and seeing the consequences leads to desire to act the right way and gain rewards, be it advancing to the next level of the game, earning a prize for success, or understanding that in the real workplace world the reward may be achievement of personal and organizational objectives.”

In her roundtable, she posed the question, “How do you suggest companies decide on the appropriate amount of training? Earl Jones, Shareholder at Littler Mendelson PC, responded that a company needs to evaluate where its risks are, “If the company is betting on international expansion, then intensive anti-bribery and corruption intensive training is a necessity for key employees. Also design training to build and protect sources of value. If an intangible asset, like a brand, is an important source of value, thoroughly train employees to identify, understand, and react to events or behavior that could impair the brand.”

When it comes to the scope and style of training, Steve Perreault, Global Head of eLearning GRC for Thomson Reuter, suggested you should assess your training by employee groups. You should “Understand things like: How likely is a group of employees to participate in activity that is related to a particular regulatory area? How complex is that regulation? What controls are in place already? Is this employee group responsible for making sure others comply with policies and regulations? You also have to consider what you will need to provide to evidence to regulators and courts that the program exists and is effective. Once you get that figured out, you must ensure that you stay on top of changes in legislation and enforcement, and revise policy, procedures, and training accordingly.”

Switzer next turned to measuring the effectiveness of training and how a company might determine this. Alisha Lynch, Global Ethics and Compliance Education Leader at Dell Inc., said, “Determining the scope and style of training should have several input sources.  Most organizations have three- to five-year strategic plans, and training programs should be designed to support those plans and initiatives. One good analogy is that a training initiative should be like a physical fitness regime. You cannot exercise the same muscle every time to make significant improvements, and you cannot ignore the diet. A culture is like a diet. If the organization designs and delivers great training but the culture is toxic, probably no improvement will be made.”

In the GRC Illustrated Series, it suggests that companies take a risk-based approach to provide appropriate levels and types of training and education to different individuals across the organization. Some of the factors they suggest you review are the role of the individuals, geography, and their level of exposure to particular risk areas. Such an approach moves away from the ‘tick-the-box’ approach that generally renders such compliance useless. It also helps to ensure that there is a more effective use of budgetary resources by focusing training efforts to maximize the return on the investment. The piece advocates a three-pronged approach.

Define

The first step is to define what you are trying to achieve. The piece recognizes that “while some organizations limit their training programs to what is legally required, more successful ones know that there are many reasons for developing a thoughtful, well-designed approach to employee education.” It puts forward that if training is done right, it will help the organization to achieve several goals. These include: the business Objectives; managing threats and business opportunities; it will address change in positive manner; it can help to ensure integrity and the company’s reputation; it can strengthen the business’s culture and ethical conduct; and, lastly, it can provide evidence that the company has complied with legal requirements such as the US Sentencing Guidelines and the Ten Hallmark’s of an Effective Compliance Program.

Design

The next step is to design the training program, which is further broken down into three steps, which drill down into the specifics of training. By using these three steps, you can help to assure that the training will be effective for the individual but also for the nature of the risk involved.

The first is to design the training program. Steps include the development of curriculum using a risk-based model. You should set uniform methods for acquiring content, maintaining records, and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Finally, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who is your audience and what their characteristics might be. You need to ensure that the content is timely and the instructors are effective. Finally, you will need to determine not only the most appropriate mechanism to deliver the content but also define the key performance indicators and determine methods to audit them.

The final design level is the individual’s training plan. Here you need to analyze what the person’s role is within the organization and use this to determine mandatory and risk-based training needs. You will need to consider modifying the risk profile based upon assessments given before and after the training is delivered and then adapt the training as an employee’s role and risk profile changes within an organization

Deliver

For the delivery of the training materials, they also have a tripartite scheme. They break it down into high risk exposure roles; medium risk exposure roles and low-risk exposure roles.

  • High Risk Exposure Roles – are defined as those employees whose roles in an organization can significantly impact the company. Here expert subject proficiency is demanded and individuals should be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements, and penalties. Training may be repeated frequently using several methods of delivery, have greater assurance through testing and certification of course completion, and include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises.
  • Medium Risk Exposure Roles – are defined as those employees who face risk on regular basis or present a moderate level of negative impact to a company if they mishandle the risk. These individuals should know the risks, requirements, and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. Training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, and have methods to prove evidence of understanding.
  • Low Risk Exposure Roles – are defined as those employees with a low likelihood of facing the attendant risk. Persons in this category should be made aware of the risks, requirements, and penalties, as well as the organization’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

As with all areas in an anti-corruption compliance program, Switzer and the OCEG suggest that you monitor and audit your program so that you can review it and improve as circumstances warrant. I would add that you should also Document, Document and Document what you are doing for the same reasons. Just as Bakker’s new look at the culinary aspects of the classics can provide new insights into interpretation, it also shows the training that was written into Homer’s Odyssey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 17, 2014

Naval Theorists and the Measurement of Compliance

7K0A0129If are interested in naval history, strategy and tactics, I have a question for you: Are you a disciple of Alfred Mahan or Julian Corbett? If you are a Mahanian, you probably focus on large naval engagements or the great battle concept. If you are Corbettian, you probably think about a series of smaller engagements, with an offensive-defensive mentality. I pose this as I am currently studying great military strategic thinkers. One thing they both advocate is information collection and analysis as a tool to not only predict potential future outcomes but to remediate defects as they might appear. In other words, measurement.

Why should an organization measure its compliance program? One quick answer is that it is one way to demonstrate that your compliance program is ‘effective’ under the US Sentencing Guidelines for Organizations. But more holistically, such measurements allow a company to know if it is operating within the parameters it has set and in compliance with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. Further, such metrics can provide more and better information for strategic decision making, help employee engagement with compliance and can aid to produce a clearer picture of compliance risks and requirements.

An article in Compliance Week, entitled “Measuring the Integrity of an Organization”, author Michael Rasmussen explored this issue and then facilitated a roundtable discussion on the topic. Rasmussen’s article was paired with another in the series of Open Compliance and Ethics Group (OCEG) GRC Illustrated pieces entitled, “Integrated Compliance & Ethics Metrics”.

In the roundtable, Patrick Quinlan, Chief Executive Officer (CEO) of Convercent, said, “compliance should be looking at objectively measuring how a location, a department, or employee behavior stacks up against the organization’s values and policies. You should measure to compare, monitor, and pursue participation, engagement, and improvements where needed. Regulators may want to see checked boxes of compliance (percentage of policy attestations and training courses completed; controls in place; responses to incidents). Culture and engagement metrics can serve as valuable indicators of issues that may rise to the surface later. Employees respond to how they are evaluated; making ethical behavior a part of performance evaluations is an important part of instilling compliance at every level.”

Jose Tabuena, Global Compliance & Regulatory Counsel for Orion Health, believes that it is important for a compliance practitioner to “Develop a scorecard to give stakeholders information about the compliance program and where there is risk. Metrics should be gathered from both inside (e.g., investigations, compliance committee meetings, subject matter audits, etc.) and outside (e.g., government agency audits and observations, including fines and penalties). These metrics monitor the program over time and identify legal and other minefields that are ripe for corrective action.” Anita Helpert, Director of Internal Audit at Raytheon, specified four areas that organizations should compare. First, “awareness training completions that answer: Have we equipped attendees to understand expected conduct, to recognize issues, and to feel confident in reporting issues?” Second, you should look at tone-at-the-top: “What evidence supports leaders setting examples and nurturing an environment of ethical behavior?” The third is hotline reporting: “Do reports confirm or deny our “ethics checks” and provide insight on how people ask for guidance or report potential issues?” Fourth, and finally, is ethics metrics: “When we respond to a report or question, what do we find? How does this trend over time, by organizational structure, by leader, by location?”

In the GRC Illustrated compendium, it detailed success factors. These included:

  • Top level support – you can gain the endorsement of management and obtain a larger allocation of resources by “demonstrating how strategic decisions making depends on analysis and timely delivery of information.
  • Employee engagement – by engaging employees you not only make them more comfortable with compliance but also more meaningful and beneficial.
  • Knowing your needs – you need to determine what information is required to assist in “strategic decision making, support established values, improve compliance efforts and better manage resources.”
  • Single source of information – there should be one centralized system to consolidate metrics and ensure increased accuracy for better analysis and decisions.
  • Ease of use – the compliance practitioner needs to “enable quick, simple and meaningful management of data and dashboards for viewing and analysis of metrics.”

An interesting glossary in the GRC Illustrated compendium defined the types of metrics and examples that might be used. They were:

  • Number – you should count the number of incidents, policies, surveys, reports, automated controls, and employee conduct – whether good or bad.
  • Frequency – you should determine how often training and surveys take place, incidents occur, issues are reported and the workforce is surveyed.
  • Flagged – you should identify policies requiring review or individuals, locations, and operations with multiple problems, high-level risks or strength in desired conduct.
  • Ranking – here you should assess the severity of incidents, benchmarking outcomes, employee leadership qualities and the risk ranking of third parties.
  • Trends – you should evaluate metrics for specific areas such as training completion or level of employee engagement over time and relate them to program changes.
  • Relationships – you should consider the controls per risk, incident trends to training frequency or survey completion rates to the number of reminders.

Rasmussen ends his article by noting that these types of approaches to ethics and compliance allow not only the demonstrable proof that regulators such are the Department of Justice (DOJ) or Serious Fraud Office (SFO) are looking for but also “shifts the focus of efforts from being reactive and “checking the box” to proactive and forward-looking. This shift enables compliance to monitor integrity by processing and managing metrics across the organization in the context of rapidly changing business, regulatory, legal, and reputational risks to ensure compliance is operationally effective.”

With this integrated compliance architecture a company can create “an optimized infrastructure to report on metrics, benchmark integrity, and understand compliance in the context of business strategy and execution. Measuring integrity requires that the organization have clear insight into metrics supporting the development and communication of clear policies, continual feedback from employees, effectiveness of training programs, incident reporting, and the engagement of employees with these systems. All of these lead to an efficient and effective compliance program responsible for being the champion of organizational integrity.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 12, 2013

The Lascaux Cave Paintings and Mergers and Acquisitions under the FCPA

Today is the anniversary of one of the greatest finds in ancient archeology. 73 years ago, the Lascaux cave paintings discovered by four teenagers who stumbled upon the ancient artwork after following their dog down a narrow entrance into a cavern. This stunning find, consisting mostly of animal representations which ranged in age from 15,000 to 17,000 years-old, are considered to be among the finest examples of art from the Upper Paleolithic period. The pictures depict, in excellent detail, numerous types of animals, including horses, red deer, stags, bovines, felines, and what appear to be mythical creatures. Archaeologists believe that the cave was used over a long period of time as a center for hunting and religious rites.

Fortunately you do not have to look for something so rare when it comes to the steps you need to take when considering your mergers and acquisitions (M&A) obligations under the Foreign Corrupt Practices Act (FCPA). M&A now rates its own step in the FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. In No. 10, monikered “Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration”, the Guidance states, “In the context of the FCPA, mergers and acquisitions present both risks and opportunities. A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.” In other words, good FCPA compliance is also good business.

Auspiciously for all of us Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), has provided a compendium of steps that the compliance practitioner should take, in a Compliance Week article, entitled “How to Boost Your Merger and Acquisition IQ”, together with another in the OCEG Anti-Corruption Illustrated Series, entitled “M&A Corruption Due Diligence”, Switzer breaks the M&A compliance process into three general areas, with the specific steps she recommends under each.

I.                   Advance Risk Assessment

  1. Make Strategic Decisions. Why would you select this opportunity as opposed to others? Here Switzer writes that your company’s risk tolerance should come into play. Are there some markets where the risk of corruption is simply too high. Witness GlaxoSmithKline PLC (GSK) which has implied it may leave the Chinese market after the recent corruption allegations against it. But, more than simply a market analysis, you should consider whether you wish to grow organically or strategically. If through strategic acquisitions, what criteria should you use for your targets?
  2. Identify Top Level Corruption Threats. Here the list is the usual suspects of concepts. Is the operation that you are considering in a high risk country? Does it have multiple government touch points? Is the sales model third party representatives or internal resources? Are a large amount of goods or services moved across borders? How about sales to foreign governments or state owned enterprises? Thinking about GSK in China, is there a history of payments to or entertainment of government officials? Have you looked at the owners, directors and key employees of the target to see if there is any evidence of corruption?
  3. Make Tactical Decisions. Here a company needs to analyze the findings for each target location to answer such questions as to whether it is better to build or buy, what markets a company targets or avoids and other upstream determinations can help to lower the likelihood of selecting acquisition targets with high corruption risks. Switzer writes that “By sniffing out top-level corruption threats in the risk assessment phase, the company can identify and resolve corruption issues earlier and at a lower cost than it would incur when scrambling to react to these same issues later in the transaction process.” I would add that your assessment needs to be documented as well.

II.      Pre-Transaction Activities

  • Dig Deeper. At this point, Switzer states that it is time to begin to dig deeper into the proposed target. After you have established your M&A team members, you should being to assess the target’s compliance awareness and program, the nature of any dealings it has ongoing with foreign governments and determine if compliance related policies and procedures are in place. The next step is to inspect. To accomplish this, hard copies of documents should be obtained and reviewed. In addition to the overall policies and procedures, you should review the accounting records and contracts with third parties, including any due diligence performed. You need to determine and review if there any specific policies and procedures related to the following areas: gifts, entertainment, travel and hospitality.

Next you will need to interview key personnel, including the executive team, high production employees and compliance professionals. You should also perform independent background checks and due diligence on this group. This same exercise should occur with key third party relationships of the target.

From here you should move to transaction testing. Your testing should include sales and business expenditures, payments to third party consultants, related third party transactions, travel and entertainment expenditures, charitable donations and political contributions.

All of this information then needs to be analyzed to determine if you wish to move forward. Switzer advises some of the key considerations should be potential successor liability, unsustainable business models due to corruption and the potential costs of any remediation going forward. Once again you need to document any decisions you make to go forward if red flags have appeared.

III.             Post-Closing Activities

  1.  Analyze. Under this step, Switzer advises that you should begin to determine risks for ongoing business, prioritize ongoing compliance needs of the now acquired company, evaluate in detail the anti-corruption training that the target had provided to its employee basis to determine sufficiency and evaluate in detail all accounting process and policies and procedures if you did not have the opportunity to do so pre-acquisition.
  2. Remediate Outstanding Issues. Now you need to fix any identified shortcomings in the newly acquired entity. This could include the tone at the top, the Code of Conduct, any third party procedures and training.
  3. Integrate. You should use this step to instill a culture of compliance in the newly acquired entity if such was not present, though both training and the implementation of enterprise wide policies. To the extent possible you should establish uniform accounting and technology.
  4. Communicate. In this final step, Switzer suggests that you need to communicate directly with the newly acquired entity so as to enlist their help in managing the change that will go forward. This would include all stakeholders, employees, third party representatives and even customers. Finally, be sure to inform your management, Board of Directors and regulators, such as the Department of Justice (DOJ), as appropriate.

Switzer notes that the earlier you can deploy these steps the better off your company will be at the end of the day. Near the end of her article Switzer quotes from an Ernst & Young white paper, entitled “Increased Oversight of M&A: An Expanding Role for Audit Committees”, that “Failed M&A can destroy a company’s market value, destabilize its financial position and credit ratings, impair its strategic position, weaken the organization and damage the company’s reputation”. She then ends with these words of wisdom, “By treating their deal-drivers as organizational protectors and vice versa, acquiring companies can ace their due diligence and improve their odds of avoiding a failed deal.” To which I can only add – indeed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

September 11, 2013

You Can Tune a Piano but You Can’t Tune a Fish – Fine Tuning Your Compliance Program

While I grew up, and went to undergraduate school, in Texas, I went to professional schools up north, in Michigan. There I was introduced to the Mid-West rock sound. It was certainly different than the Texas or Southern rock sound that I grew up listening to. And I became a fan, even embracing REO Speedwagon, particularly after they released their iconic album, You Can Tune a Piano But You Can’t Tune a Fish in 1978. I thought about that album and some good old 4/4 Mid-Western rock and roll music when I read an article in the Compliance Week magazine by Carol Switzer, President of the Open Compliance and Ethics Group, entitled “Retuning Compliance”.

In this article Switzer addressed the issues of gaps in compliance coverage, the high risks for noncompliance, both from issues known and unknown, the self-created complexity, and wasted resources in compliance. Switzer believes that there is not “enough consistency, enough insight and, most importantly, not nearly enough confidence that we know what our compliance obligations are and that we are addressing them correctly, let alone cost effectively.” She termed this “The Disheveled State of Compliance.”

To overcome this, Switzer draws from the world of music. She wrote that, “Just like a musical composition, a well-designed approach to managing compliance obligations has many moving and interrelated parts built on a specific structure, and each piece must work in harmony with the others. While the structure of a song includes many parts—the verse, the chorus, the bridge, the hook, and so on—the structure of an effective approach to compliance similarly must be well developed and designed.” However, to pen a “harmonious tune, or orchestrate a symphony, the composer not only has to be able to identify what is wrong with each subsequent draft, he or she also needs to know what structure to put in place and how to coordinate the key elements that will fix it, to retune it if you will, and the same is true for fixing a discordant approach to management of compliance obligations.” She ends her musical metaphor with the following, “Songs that are well structured and make the best coordinated and creative use of key elements such as lyrics, melody, and harmony are the ones that flow from one part to the next almost seamlessly.” Such is the creation and maintenance of an effective compliance program.

Switzer suggests there are five steps that an organization can use to provide a synergistic approach to “retune the compliance program, mitigate risk, and satisfy regulators, auditors, directors, and other stakeholders.” They are:

  1. Continuous Requirements Tracking. Under this point, Switzer says that ongoing monitoring of changes in risks, influencers and requirements is essential. She advocates the use of subject matter experts to assist a company to identify and track changes in the obligations. These can include “the mandated requirements and the voluntary commitments that each organization faces, methods for auditing and improving, and overall an integrated workflow that enables quick exchange of relevant information across and throughout the structure.” Switzer quoted Paul Liebman, Chief Compliance Officer (CCO) of the University of Texas at Austin, for the following, “Each organization should act based on its own unique geographical and operational risks and the management capabilities and preferences of its leadership. Some may concentrate their efforts on addressing regulatory requirements while others may focus on legal as well as regulatory requirements. Still others may incorporate non-legal/non-regulatory ethics in the form of institutional mission and values.”
  2. Transformative Workflow. Here Switzer suggests that dynamic work­flows can automate the routing of requirements and utilize rules, conditions and permissions to provide greater efficiency and operational performance. This would allow management actions and controls that respond to address each compliance obligation as it arises. Here Switzer turned to David Childers, Chief Executive Officer (CEO) of Compli, for the following observation, “Most organizations struggle with where to start in the process of achieving an effective COM [compliance obligation management] posture…Historically organizations often believe that they can achieve this type of cross-functional data interchange and audibility through internal processes and spreadsheet-type information consolidation. Because most organizations employ a number of point solutions like, HRIS, ERM, CRM, computer-based training, records management, etc., developing an internal tool to consolidate and track the diversity of COM data is very difficult.”
  3. Effective Reporting. Here Switzer recommends that companies report across business or operational units to ensure that business users can design, maintain, and publish reports to improve the organization’s ability to make strategic decisions. This will facilitate the identification and reporting of issues and potential for failures to conform before they become reportable events. Switzer quoted Scott Roney, Special Counsel for CSLG, for the following, “In addition to prioritizing risks and allocating resources, a big challenge is to determine whether the needle is moving—are the resources you are putting into risk reduction actually having the desired impact. Compliance officers tend to measure processes, like training, code certifications, etc., but connecting those processes to substantive risk reduction is a leap. That ties into the challenge of showing an ROI [return on investment] on compliance department activities. If you can’t show the data and how compliance management is adding value, then executives are reluctant to continue to make the investment.”
  4. Managed Audit Process. Switzer ends her process steps by noting that any organization can improve its internal and external systems through audits. Such audits would review operational history. An added benefit is similar to the Fair Process Doctrine but under Switzer’s example she states that the “general process understanding can strengthen two-way communication and inspire teamwork based on trust. Whether it is compliance, quality, safety, environment, or data security, audit reports are necessary to improve business operations.”

In her penultimate paragraph Switzer returns to her musical metaphor for the following story, “When I was in college, I had a friend who was a harpist studying under the foremost harp teacher in the world. On her wall was a quote from her teacher that read: “Focus on technique. The notes will follow.”” Switzer believes that this means a company should “develop the skill to design, structure, and operate a compliance capability that uses the right technology that you operate to its best advantage.” At the end of the day, “the success of a piece of music is highly dependent on the synergistic skills of the composer and the group of musicians who work together to perform it.” Switzer ends by noting this is the same in the compliance management process as it is dependent on coordination of skillful people, well-designed processes and high-performing technology to make it sing. Without structure, skill, and synergy, our compliance efforts will remain badly out of tune.

So I think the musical metaphor does hold and while you can tune a piano but may not be able to tuna a fish; you certainly can tune your compliance program.

On a more solemn note, today is 9-11 so please take a minute to remember all those who lost their lives or lost loved one on this date 12 years ago.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

June 18, 2013

How to Assess Suspicious Financial Activity

The banking world is littered with institutions that have paid astronomical fines for their failures around anti-money laundering (AML) legislation. Much has been written and said about these events. However one of the areas that has received perhaps less attention is the programs that banks and other financial institutions have set up to comply with the ever-growing increase in AML regulations. But just as crooks tend to follow the money, sophisticated lawbreakers, who tend to engage in crimes such as money-laundering will try and move their operations to business and industries with less robust protections around AML. That is why I found this month’s article by Carole Switzer, President of the Open Compliance and Ethics Group (OCEG), in the June issue of Compliance Week, entitled “The Battle to Balance Vigilance and Suspicion”, to be instructive for the anti-corruption/anti-bribery practitioner who typically focuses on Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance.

In the article Switzer makes clear that she believes that “the most effective AML programs are based on the understanding that financial institutions have an obligation to all of their stakeholders to remain vigilant about AML risks. Banks are not required to prove money laundering; rather they are required to strike the right balance in their vigilant reporting of suspicious activity.” She recognizes that “banks must file a suspicious activity report (SAR) when suspicious activity arises. What qualifies as a suspicion often is a difficult question—as is the determination of whether or not to file a SAR.” Yet Switzer also notes that “filing of too many (and/or incomplete) SARs can overwhelm regulatory agencies, reducing their ability to address genuine criminal activity” and that filing “too few SARs and a company can turn a blind eye to potential money laundering, opening itself and, in some cases, its top managers to significant penalties.” I would posit that the dynamic tension would appear for any company; whether financial institution or other commercial operation. Hence, I believe that Switzer’s thoughts can be used by a non-financial concern to help protect it from violation of US or UK AML laws.

As usual, Switzer has provided a road map to illustrate her thoughts, entitled “Suspicious Activity Investigation Lifecycle”. In the diagram Switzer notes that it is important to understand each step in the lifecycle, so that a company can exploit “opportunities for technology and automation”. Technology, coupled with the human element, which recognizes the signs of suspicious AML activity can help your company protect itself and “hear through the noise.” She counsels that the “focus is to identify suspicious activity and report it, not to prove criminality; law enforcement will take it from there, blending your information with information from other institutions before making a decision on how to proceed.” She lists the following four steps.

1.      Triage – Switzer believes that “understanding and managing your inbound alerts can be an intimidating task. High alert volume and false-positives can abound, often at a 50:1 ratio (False/True).” A company should also focus on automated solutions that allow you to invest human capital into exception cases. Finally, remember to consistently review and modify the system until your organization can hear through the noise.

2.      Investigation – As an investigation process can tax your resources, you should strive to ascertain that you are making the right inquiries documenting the process at every turn. Some of the questions that Switzer suggests you focus on include “Do you understand the context? Are your procedures applicable to the product used? How does the processing channel affect the investigation? What history does the customer or organization have with your institution? Are you truly investigating or just documenting?”

3.      Action – After you have ­finished conducting research, obtained an understanding of the suspicious activity, its context, and the implications, Switzer advocates that this is the time to react. She believes that it is important to have a protocol in place. Some of her suggestions include placing the party on a continued Watch List, or you could “kick off your Enhanced Due Diligence cycle, or offboard the customer altogether.” She notes that the key here is “expediently limiting risk and exposure and promptly notifying regulatory authorities.” To which I would add: document, document, and document.

4.      Feedback/Review – As with any process you need validation or ‘a second set of eyes.” Switzer proposes that you should review your actions and reports for accurateness. Some questions that you may wish to keep in mind are the following: “Was your investigation fruitful? What did you learn? Is our current process sound and comprehensive? Learning what you have done, how it has affected your risk profi­le, and how you have reacted is critical to ongoing success.” A rigorous system would “constantly challenge assumptions and work to refine the process. Evaluate how your customers, products, and business are changing, and develop new scenarios.”

Switzer notes some of the more common mistakes made include failure to document your compliance efforts and missing of key internal and external deadlines for reporting. She cautions against tipping off customers directly during the inquiry process or indirectly through sending questions to a third party which may convey such information. Finally, training is important so that any report which is generated is not of such poor quality, incomplete or overly vague as to be useless and miss important information.

As with other areas of compliance, there are best practices which are fairly well known. Switzer reminds us that your suspicious activity program should constantly challenge your ongoing assumptions and evaluate the accuracy of your program. You should regularly review and adjust thresholds amounts for such investigations and study new typologies. Tone at the top is key in the suspicious activity area of AML compliance so your company should create a culture of compliance, ensure the staff is aware and empowered to do the right thing. Your compliance program should incorporate ongoing monitoring and outcome analysis. Lastly, do not forget to train.

Most non-financial enterprises do not look at potential AML issues, certainly not as thoroughly as financial institutions. However, I believe that this may well be the next area that corrupt persons and parties will try to exploit from otherwise law-abiding entities. The time to prepare is sooner rather than later. Switzer has laid a protocol which you can implement and which can go a long way down the road to protecting your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,537 other followers