FCPA Compliance and Ethics Blog

February 21, 2014

Nixon Goes to China and Management of Third Party Relationships

Today we honor one of the greatest diplomatic initiatives that occurred in my lifetime, Nixon’s trip to China, where he arrived on this date in 1972. Like most Americans I was caught completely unaware that Nixon was planning to go and create a diplomatic relationship with a country which, since 1949, had been the United States’ mortal enemy. While there are innumerable lessons to be drawn from the entire affair, the one that has resonated with me all these years is that only Nixon could go to China. Due to his hardline credentials in his prior dealings with the Chinese, when they were known in the US as Red China, Nixon had the political cachet to make the political opening. While Nixon certainly had his missteps, his China opening was not one of them.

I thought about Nixon’s political acumen, at least in the arena of foreign affairs, when I read an article in this month’s issue of Compliance Week by noted GRC Pundit, Michael Rasmussen, entitled “Business Agility Across the Extended Enterprise”. In his piece, Rasmussen discusses business organization complexity and diversity and the lack of enterprise wide oversight into risk and compliance in the area of third party risk management. Rasmussen says that “The challenge is: ‘Can you attest that risk and compliance are managed across extended business relationships?’ An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak oversight.”

He believes that these deficiencies arise because companies focus too much attention on the front end of business relationships and fail to anticipate the issues which might later “cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship.” Rasmussen contends that businesses commonly make two mistakes along these lines.

The first is that risk is only considered during the onboarding process, which leads to a failure to consider new and additional risks that can arise during the course of the relationship. The second revolves around analytics; Rasmussen asserts that “Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.” I often remark that in any third party process your company might use, the real work begins after the contract is signed and you must manage the relationship. Rasmussen’s approach bears this out.

To overcome these deficiencies, Rasmussen lays out a five-step approach, which he articulates will bring “an integrated approach to third-party management that brings together people, process, and technology to deliver not only efficiency and effectiveness but also agility.” Trying to accomplish this through the use of spreadsheets and “document-centric” processes will overwhelm any compliance practitioner or indeed an entire organization, so automation is a key component for success.

1. Define Your Program. Rasmussen writes that the first step the compliance professional needs to perform is to define the third party management program. He correctly notes that an individual needs to lead the third party management program, with different parts of the organization working with this role. By defining your third party management program you will articulate “understanding board oversight and reporting for third party risk and compliance and a cross-functional team to ensure that the operational, reputational, and compliance risks in business relationships are appropriately addressed. This team needs to work with the relationship owners to ensure a collaborative and efficient oversight process is in place.”

2. Establish Frameworks. The third party management framework should be utilized to manage and monitor the constantly evolving relationships, risks, and regulatory environments in any long-term or extended business relationship. Rasmussen notes that the “framework starts with developing a list of third party relationships cross-referenced to risks and regulations affecting those relationships. A framework is an organized set of controls used to measure compliance against multiple risks, regulations, standards, and best practices.”

3. Onboarding. While most companies are at least aware of this step, the evaluation of risk and compliance needs to be integrated with the procurement process and the full range of third party relationships, including vendors, suppliers, and all other business partners. Rasmussen writes, “A business relationship is to be evaluated against defined criteria to determine if the relationship should be established or avoided. When there is a high degree of inherent risk, but the relationship still is necessary, manage the risk within tolerance level by establishing compensating controls and monitoring requirements.”

4. Ongoing Monitoring. There are many factors that can affect the success or failure of any given business relationship. Rasmussen lists some of these as “the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. The potential risks relevant to each business partner should be taken into consideration to monitor the health and success of business relationships on an individual and aggregate level.” Alongside this wide variety of factors comes the requisite monitoring of the relevant legal and regulatory environments in the corresponding jurisdictions to identify changes that could impact the business and its extended relationships.

5. Resolve Issues. Rasmussen believes that “even the most successful business relationships encounter issues. These may arise from quality, health and safety, regulatory, environmental, business continuity, economic, fraud, or legal and regulatory mishaps. The fallout from incidents is exacerbated when everyone scrambles because nobody developed defined action and resolution plans ahead of time. Management of risk across extended business relationships should account for issues and plan for containment, mitigation, and resolution.” Or as Paul McNulty might say in McNulty Maxim No. 3, “What did you do when you found out about it?”

Rasmussen concludes his article by noting, “Third-party management is enabled at an enterprise level through implementation of an integrated third-party management platform. This offers the adaptability needed as a result of the dynamic nature and geographic dispersion of the modern enterprise. The right third-party management platform enables the organization to effectively manage risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.” The agility that he advocates is something that I believe we saw in Nixon’s rapprochement with China. But the good news for the compliance practitioner is that, unlike the maxim I discerned from Nixon’s achievement, that only Nixon could go to China, you can employ the strategy delineated by Rasmussen for a more complete review, analysis and management of your company’s third party risk.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 23, 2012

Money, Money, Money: Use of Big Data in Your Compliance Program

What is No. 2 on the biggest selling rock and roll album of all-time list? It’s Pink Floyd’s Dark Side of the Moon. In addition to learning that there is no “dark side” to the Moon, as it is all dark really, my favorite cut off the album was the song Money. I was thinking about that song and how it might have some relevance to the Foreign Corrupt Practices Act (FCPA) or Bribery Act, in a rock and roll sort of way, when I came across an article in the October issue of the Harvard Business Review, entitled “Big Data: The Management Revolution” by authors Andrew McAfee and Erik Brynjolfsson. The authors’ basic premise is that by exploiting vast new flows of information, a company can improve its performance. However, to do so there must be a corresponding change in the company’s decision-making culture. In business today, many companies are concerned about having not the new thing but the new, new thing. In the FCPA world we might call that evolving best practices, as it is another way to phrase the many emerging business techniques and strategies that can have application to the FCPA compliance practitioner.

What is Big Data?

The authors differentiate ‘Big Data’ from other analytics through three key facets. First is the sheer volume of data that is now available to companies. The authors note that “more data comes across the internet every second than were stored in the entire internet twenty years ago.” The second difference is velocity, with the abundance of real-time or “nearly real-time information”. The authors believe that the “speed of data creation is even more important than the volume.” The final difference is the form of the data: it is not simply numbers from structured databases but “big data takes the form of messages, updates and images posted to social networks, readings from sensors, GPS signals from cell phones, and more.”

A New Culture of Decision Making

While noting that the technical challenges in capturing or storing ‘Big Data’ can be formidable, the authors believe that the managerial challenges can be even greater. When data is scarce, expensive to obtain or not available in digital form, the authors posit that “it makes sense to let well placed people make decisions, which they do on the basis of experience they’ve built up and patterns and relationships that they’ve observed and internalized”, in other words “intuition.” The authors believe that when ‘Big Data’ is involved the Highest Paid Person’s Opinion (HiPPO) must “be muted.”

There must be a shift in thinking by the decision makers. The authors believe that the first question should be “What does the data show?”, followed by more specific questions such as “Where did the data come from?”, “What kinds of analysis were conducted?” and “How confident are we in the results?” However, as important as these questions might be, the bigger challenge for any decision maker using ‘Big Data’ is whether they “can allow themselves to be overruled by the data”. The authors believe that nothing speaks louder to employees than “seeing a senior executive concede when data has disproved a hunch.”

Five Management Challenges

The authors write that there are five “particularly important areas” in the effective management of change when it comes to ‘Big Data’.

  1. Leadership. ‘Big Data’ does not erase the need for leadership’s vision and insight. However, companies will succeed using ‘Big Data’ because leadership teams “set clear goals, define what success looks like, and ask the right questions.” The authors believe that the companies who lead the way in the use of ‘Big Data’ will be those who use these time honed techniques while changing the way they make decisions.
  2. Talent Management. While data scientists and other similar professionals skilled at working with large amounts of numbers will be important, the authors believe that “cleaning and organizing” the data so that a decision can be made will be equally important. They note that such skills are not currently taught in universities, so company personnel will need to develop the ability in “crossing the gap between correlation and causation.”
  3. Technology. The authors recognize that at the end of the day it is people who will analyze the data but that technology is “always a necessary component of a ‘Big Data’ strategy.” They also believe that the tools available to handle ‘Big Data’ are out there in the marketplace but there is still a skill set required that most IT departments do not have, which is to “integrate all the relevant internal and external sources of data.”
  4. Decision Making. Here the authors believe the key is that company personnel who understand the problem must be brought together with the right data, and that these same personnel must have “problem solving techniques that can effectively exploit” the ‘Big Data’. This requires a company leadership which puts “information and the relevant decision making rights in the same location”. The authors refer to the “not invented here syndrome” and stress that employees must be involved throughout the decision making calculus.
  5. Company Culture. In addition to moving away from the HiPPO syndrome noted above, executives must stop claiming that they are using data and analytics to make decisions when they are simply spicing up their reports “with lots of data that supported decisions they have already made”. The authors believe that the first question that a company should ask is not “What do we think?” but “What do we know?” Such an inquiry will allow businesses to gravitate away from making decisions based on “hunches and instinct” to those based upon the data.

What about the application of ‘Big Data’ to FCPA and Bribery Act compliance? I think this article shows the power not only of data analytics but also of continuous monitoring. In their article the authors end by stating “Data-driven decisions tend to be better decisions.” The same is true in compliance. Whether you use a software tool, such as Catelas, to pull down large amounts of information and make decisions based upon this data, or design a protocol to continually monitor segments of your information through the guys at Visual Risk IQ, cutting edge technology is available to assist the compliance practitioner. But with all data, the key is how to use it, and I believe that compliance practitioners who can review large amounts of information from their own company and analyze it quickly and efficiently will be better able to protect their companies and keep them in compliance. This will inevitably lead to more complete and better decisions, and companies will be able to respond more quickly to compliance challenges as they arise.

And Pink Floyd? Just remember, Money, Money, Money… or listen to the YouTube version by clicking here.


© Thomas R. Fox, 2012

August 22, 2012

The Face of Battle: Sir John Keegan and the Individual in Compliance

On August 2, Sir John Keegan died. He was one of the most influential military historians I have ever read or had the chance to hear speak in person. Keegan was knighted for his massive output. In his August 3, 2012 obituary in the New York Times (NYT), David Binder noted that “Sir John’s body of work ranged across the centuries and continents and, as a whole, traced the evolution of warfare and its destructive technology while acknowledging its constraints: the terrors of combat and the psychological toll that soldiers have endured.” For Tip O’Neill, all politics was local; for Sir John Keegan, all military history was individual.

I, probably like most Americans, was introduced to Keegan through his seminal work “The Face of Battle”, which launched his publishing career. The historian J.H. Plumb called it “so creative, so original” and “a huge achievement.” Binder commented that “He examined three battles in the book: Agincourt in 1415, Waterloo in 1815 and the Somme in 1916…all involving the English. His tale was somber and compelling about what happens in the heat of battle, including the execution of prisoners.” Further, “the military historian, on whom, as he recounts the extinction of this brave effort or that, falls an awful lethargy, his typewriter keys tapping leadenly on the paper to drive the lines of print, like the waves of a Kitchener battalion failing to take its objective, more and more slowly toward the foot of the page.”

But for me, he drove home what battle was like for the ordinary soldier. I can still recall his descriptions of the English long bowmen and the French knights they decimated. In another book, entitled “The American Civil War”, he looked at the role of geography in conflict. Once again he approached the subject of military history in a new and fresh way that brought the subject alive to me while challenging me to reconsider the traditional great man view of military history.

I thought about Keegan’s focus on the everyman of battle today while participating in a webinar entitled “A Real-Time Solution to Managing Fraud and Corruption Risk” hosted by the company Oversight, which has a software product that allows continuous monitoring of data. One of the topics covered in the webinar was fraud and the employees who commit it. Fellow presenter Jeff Harfenist, who is a CPA, MBA and a Director with the Berkeley Research Group, emphasized that fraud almost always starts small, with the participant or participants typically beginning modestly and then increasing in complexity and aggressiveness. The perpetrators will then often grow the fraud in magnitude, while sometimes increasing the number of participants. Unfortunately they will rarely cease of their own accord. In other words, the concepts Jeff talked about seemed to me to fit into Sir John’s analysis of the everyman of battle: what they did and how they did it.

Jeff further explained that data mining software, such as that by the event sponsor Oversight, coupled with advanced analytics and exception management capabilities, together with established forensic protocols and recognized investigative methods, could provide real-time (or near real-time) detection in a variety of areas. Some of these could include inefficiencies in purchasing, potentially anomalous transactions, high-risk relationships, compliance failures and circumvention of internal controls.

I often talk about McNulty’s Three Maxims of Compliance: (1) What did you do to prevent it? (2) What did you do to detect it? And (3) When you discovered it, what did you do to remedy it? Control monitoring moves an internal audit function from the second step, “detection”, to the first step, “prevention”, through an active, ongoing and real-time process: it evaluates 100% of the transactions or associated target functions in real time (or near real time), is highly automated, and can be repeated as frequently as required. The continuous monitoring approach allows you to see what the individuals in your company are doing on a real-time (or near real-time) basis, down to the single transaction level, on a repeated basis.
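To make concrete what “evaluating 100% of the transactions” against exception rules looks like, and how the onboarding and compensating-control checks from the third party discussion above (due diligence completed before payment, a tighter cap for high-risk relationships) can run as part of the same sweep, here is an added Python illustration. It is not code from this blog or from Oversight, Catelas or Visual Risk IQ; the payment ledger, vendor registry, rule names, thresholds and approver names are all constructed assumptions, chosen so that each rule fires exactly once.

```python
"""Continuous control monitoring over a payment ledger (added example).

Every payment is evaluated against a set of exception rules rather than a
sample, and each exception carries the rule name, the transaction ids and
the evidence, so an auditor can act on it. Thresholds, the vendor registry
and the ledger below are constructed assumptions, not real data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

APPROVAL_THRESHOLD = 10_000.00  # assumed single-signature approval limit
HIGH_RISK_CAP = 2_500.00        # assumed compensating control for high-risk vendors


@dataclass(frozen=True)
class Payment:
    txn_id: str
    vendor_id: str
    invoice_no: str
    amount: float
    paid_on: date
    approver: str


@dataclass(frozen=True)
class Finding:
    rule: str
    txn_ids: tuple   # transactions that together triggered the rule
    detail: str      # human-readable evidence for the reviewer


# Constructed vendor registry: onboarding status and inherent risk rating.
VENDOR_REGISTRY = {
    "V100": {"due_diligence": "complete", "inherent_risk": "low"},
    "V200": {"due_diligence": "complete", "inherent_risk": "high"},
    "V300": {"due_diligence": "pending", "inherent_risk": "low"},
}

# Constructed ledger. Each anomaly below is planted deliberately.
LEDGER = [
    Payment("T1", "V100", "INV-1", 4_800.00, date(2012, 8, 20), "alice"),   # with T2: split
    Payment("T2", "V100", "INV-2", 5_300.00, date(2012, 8, 20), "alice"),   # invoices, 10,100 total
    Payment("T3", "V100", "INV-3", 1_200.00, date(2012, 8, 21), "bob"),
    Payment("T4", "V100", "INV-3", 1_200.00, date(2012, 8, 22), "bob"),     # duplicate of T3
    Payment("T5", "V200", "INV-9", 3_000.00, date(2012, 8, 21), "carol"),   # high-risk vendor over cap
    Payment("T6", "V300", "INV-7", 700.00, date(2012, 8, 21), "dave"),      # due diligence still pending
    Payment("T7", "V200", "INV-10", 900.00, date(2012, 8, 22), "carol"),    # clean
]


def _group(ledger, key):
    groups = defaultdict(list)
    for p in ledger:
        groups[key(p)].append(p)
    return groups


def rule_split_invoice(ledger, registry):
    """Same-day invoices to one vendor, each under the approval threshold,
    that together exceed it: a common way around a single-signature control."""
    findings = []
    for (vendor, day), batch in _group(ledger, lambda p: (p.vendor_id, p.paid_on)).items():
        total = sum(p.amount for p in batch)
        if (len(batch) >= 2 and all(p.amount < APPROVAL_THRESHOLD for p in batch)
                and total >= APPROVAL_THRESHOLD):
            findings.append(Finding("split_invoice", tuple(sorted(p.txn_id for p in batch)),
                                    f"{vendor} paid {total:.2f} on {day} across {len(batch)} sub-threshold invoices"))
    return findings


def rule_duplicate_payment(ledger, registry):
    """The same invoice number paid more than once to the same vendor."""
    findings = []
    for (vendor, inv), batch in _group(ledger, lambda p: (p.vendor_id, p.invoice_no)).items():
        if len(batch) >= 2:
            findings.append(Finding("duplicate_payment", tuple(sorted(p.txn_id for p in batch)),
                                    f"invoice {inv} from {vendor} paid {len(batch)} times"))
    return findings


def rule_third_party_status(ledger, registry):
    """Onboarding check (no payment before due diligence is complete) and the
    compensating control for high-inherent-risk relationships (lower cap)."""
    findings = []
    for p in ledger:
        entry = registry.get(p.vendor_id)
        if entry is None or entry["due_diligence"] != "complete":
            findings.append(Finding("unvetted_third_party", (p.txn_id,),
                                    f"{p.vendor_id} paid before due diligence was complete"))
        elif entry["inherent_risk"] == "high" and p.amount > HIGH_RISK_CAP:
            findings.append(Finding("high_risk_cap_exceeded", (p.txn_id,),
                                    f"{p.vendor_id} is high risk; {p.amount:.2f} exceeds cap "
                                    f"{HIGH_RISK_CAP:.2f}, approved by {p.approver}"))
    return findings


RULES = [rule_split_invoice, rule_duplicate_payment, rule_third_party_status]


def run_monitoring(ledger, registry):
    """Run every rule over the whole ledger and return all findings."""
    findings = []
    for rule in RULES:
        findings.extend(rule(ledger, registry))
    return findings


def summarize(findings):
    """Count findings per rule, the aggregate view a compliance dashboard would show."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in run_monitoring(LEDGER, VENDOR_REGISTRY):
        print(f"[{f.rule}] {','.join(f.txn_ids)}: {f.detail}")
```

In a real deployment the ledger would be a feed from the ERP or payment system and the sweep would be scheduled or triggered per posting, so that each new transaction is tested against the rules before it can grow into the larger pattern described above; the value is that a finding points to named transactions and a named approver rather than to a sampled statistic.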

Listening to Jeff Harfenist speak, I thought about Sir John and his work. Just as you can learn and experience history by studying the individuals who participated in great events, your compliance program should be aimed at individuals to guide their ethical behavior based upon your company’s compliance regime. So think of Sir John Keegan’s work on the individual in battle in conjunction with what your compliance program is doing to prevent and detect fraud of individuals in your company.

=========================================================================================================================================================

If you were not able to attend the webinar, you can listen to it, while viewing the slides by clicking here.

=========================================================================================================================================================


© Thomas R. Fox, 2012
