FCPA Compliance and Ethics Blog

May 2, 2013

Get Out of the Ivory Tower – Using Internal Corporate Resources to Facilitate the Compliance Function

The second day of Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston packed as much solid information into it as did the first day. One of the sessions dealt with utilizing other corporate functions to assist a compliance department in implementing or enhancing a compliance program. There are many resources which currently exist inside your organization and if you are in the position where you must use internal rather than external resources, this post will detail some of the functions which you may be able to call upon inside your organization.

You should start with a basic approach which the speaker termed “Get Out of the Ivory Tower”. He explained that the compliance department must obtain realistic input from geographies, cultures, business units and corporate functions within the company. As he rather succinctly put it to the audience “A procedure which may work in Texas may not work in Indonesia.” He also counseled to train in local languages. This may mean more than translating your talk into one language. He gave the example of his training in Spain where he had dual translations going, from English into Spanish and Catalan.

Part of this translation issue led to his next point, which was not to believe your own story or even worse, your own propaganda. Simply because a Country Manager says something is true means does not mean that it is true. Internal controls, monitoring and auditing are important to test that you are actually doing compliance rather than simply saying you are in compliance.

In determining what other departments might be able to assist the compliance function, the speaker suggested that you should start with three inquiries. They were:

  1. What can yours do? This is the initial assessment that you need to make about what your compliance department can do. What are your resources and budget? Start with this question.
  2. What can theirs do? In looking around your company, next ask this question. What are the functions of the departments? Are there things that they are currently doing which can supplement the compliance function? Are there functions in that department’s core function which can assist the company in the doing of compliance?
  3. How many employees does each of you have? An obvious concern is the number of employees that are available to assist the compliance function.

What are some of the other corporate functions that might assist the compliance department going forward? An obvious starting place is Human Resources (HR). The speaker listed several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touch every site in the company, globally. HR is generally seen as more approachable than many other organizations in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

Obviously, HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the compliant and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert so you can turn to them for any of your compliance program requirements which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not they make sense. In some new environments, a policy may not work. If you company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often over-looked function but it facilitates local coordination, which is always easier than from the corporate office.

There are many ways to implement or enhance a compliance program in a company. If you do not have the luxury of creating an entire compliance department with an unlimited budget, you may be able to call upon other areas of corporate expertise to facilitate your role. Do not be an Ivory Tower.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

June 28, 2011

Regulatory Compliance Risk Assessment: Managing Risks with Internal Controls

Ed. Note-I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”.   Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she suggested outlined in that article.  This is the third  and final posting in this follow up series.

[Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries that your company currently operates.] 

As stated in the previous article, we believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country by country basis.  In the first article, we discussed identifying Risk Centers and Risk Owners as one way of identifying all of the various legal/regulatory compliance risks that could impact your company.  As discussed in the second article, once the risks are identified, under the ERM Framework, the next step in the process would be to rate the “Significance” and the “Likelihood” of compliance failure in order to establish a Priority Rating.  We believe that the third step in the process it to determine how the various identified risks are managed and/or mitigated using risk specific internal controls.

What do we mean by this?  One definition of “Internal Control” is the following:

Internal control- Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources; (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial management information, and (6) ensure adherence to its policies and plans.

We think most people when they hear the word “internal control” automatically assumes that it is referring to accounting or financial controls.  While that may be true, we believe that internal controls, as systematic measures (such as reviews, checks and balances, methods and procedures) can be used in the compliance risk assessment process.  A few types of internal controls that may be used to mitigate identified compliance risks are the following:  (1) Control Environment, (2) Policies, and, (3) Procedures.  Some of the controls may need to be on an entity-level, while others may be process specific.

Why does all of this matter? The process your company puts into place to identify, prioritize and mitigate and/or manage compliance risks matters in many respects.  First and foremost, it is a systematic driven way of trying to prevent criminal behavior.  Second, the process helps you to put in Compliance and Ethics program which should be considered “effective” under the US. Sentencing Guidelines.

 

 §8B2.1. Effective Compliance and Ethics Program

 (a)    To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—

 (1)   exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b)  Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

 (1)  The organization shall establish standards and procedures to prevent and       detect criminal conduct.

 (2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall  exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high level personnel shall be assigned overall responsibility for the compliance and ethics program.

  (C)  Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

 (3)  The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

 (B)  The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

 (5) The organization shall take reasonable steps—

 (A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;

 (B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and

(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

 (6)  The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate  incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

 (7)  After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.

 (c)   In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.

 What should be clear is that the U.S. Sentencing Guidelines do not tell you HOW to identify, assess, prioritize, mitigate or manage risks. It just tells provides guidance on what are the elements of an Effective Compliance and Ethics Program, including, (as a summary only), that  (a) you have to establish standards and procedures to prevent and detect criminal conduct; (b)  you have to have specific individuals (arguably at all levels of the organization) who are knowledgeable and responsible for the program; (c) you communicate the policies and procedures; (d) you have to monitor for compliance; (e) take reasonable actions to respond to criminal conduct and prevent or detect future conduct and (f) periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify the controls to reduce the risk of criminal conduct.

We believe that the Enterprise-Wide Risk Management format is an excellent tool to assist your company in creating and maintaining an Effective Compliance Program.   Hopefully,  by utilizing some of the suggestions in this series of articles, the task of performing a regulatory compliance risk assessment in all of the countries that your company currently operates  will  not be as quite as daunting as you originally feared.

Summary:  (1) Identify the Risk Centers; (2) Identify the Risk Owners within each Risk Center; (3) Work with the Risk Centers/Owners to identify the Legal/Regulatory requirements applicable to each of their Risk Centers; (4) Prioritize the risks using a “Significance” and “Likelihood” rating guide; and (5) identify and/or implement internal controls to minimize the identified risks.

 Mary Shaddock Jones, Attorney at Law.  msjones@msjllc.com; 337-515-8527 (c); 337-513-0335 (0)



June 24, 2011

Regulatory Compliance Risk Assessment: Identifying Key Legal/Regulatory Risks

Ed. Note-I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”.   Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she suggested outlined in that article.  This is the first posting in this follow up series.

Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries that your company currently operates. 

We believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country by country basis. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) ERM Framework defines ERM as follows:

 

Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

 

The key is that ERM is process.  It is not a “one time” exercise.  The same holds true for Legal/Regulatory /Compliance risks facing your company.  Laws and regulations can change on a regular basis.  Keeping up with the myriad of changes can be a difficult task for compliance and legal departments- especially at smaller firms or companies.  This is why we suggest that you need to “divide” the company into various “Risk Centers” and identify the “Risk Owners” within each Risk Center.  Responsibility for monitoring and notifying the Legal/Compliance departments of any change in the legal/regulatory requirements should remain with the “Risk Owner”.

So who are some of the key “Risk Owners” in any organization?  Clearly the Human Resources department is one key “Risk Center”.  There are a myriad of U.S. Federal and State employment laws including, but not limited to: (a) Title VII of the Civil Rights Act of 1964; (b) Age Discrimination in Employment Act; (c) Americans with Disabilities Act; (d) Equal Pay Act; (e) Immigration Reform and Control Act of 1986. In addition, if you are a company operating internationally, you must have a “risk owner” who has responsibilities for the local Human Resources laws.  For instance did you know that the Mexican Constitution (at least at one point in time) contained a “Declaration of Social Rights” that deals with minimum working conditions, salaries, equality of treatment, job security, the right to strike, and mandatory profit sharing?  The Brazilian Labor Code has adopted many of the same principles and has created a system of Labor Courts that are quite favorable to all Brazilian workers – both blue and white collar.  But there are small differences in the employment laws between Mexico and Brazil that require someone with specialized knowledge within your company to “own” the risk.

Another “Risk Center” could be the Logistics or Supply Chain Management Department.  If this Department is responsible for interfacing with Freight Forwarder companies (i.e. A company which is hired to move shipments between foreign and domestic locations, or a portion of the way.  Freight forwarders handle many of the formalities involved in exporting and importing such shipments), then it should “own” the legal/regulatory compliance risks associated with exporting and importing.  Again, there are a myriad of U.S. Federal and State laws and regulations touching upon Import and Export activities including, (a) The Export Administration Act; (b) The Export Administration Regulations (EAR); (c) The International Traffic In Arms (ITAR); (d) Trading with the Enemy Act; (e) Antiboycott Regulations; (f) Foreign Corrupt Practices Act, to name a few.  In addition to the U.S. laws, there are significant local laws in foreign countries that regulate the importation and exportation of goods into the countries.  Did you know that there are different laws for the importation of vessels into Brazil depending upon whether or not the vessel is being used in the oil and gas industry?  Or that there are laws regarding the importation of automobiles into China? The point is that there are so many laws and regulations in every aspect of doing business that the most practical way of ensuring compliance is by having identifiable “Risk Centers” which designate a “Risk Owner” who has the compliance responsibility.  The compliance department can then act as the repository of the information, but the Risk Owner (i.e. that person closest to the risk).

What about Financial Record Keeping and Reporting?  Tom Fox has written numerous blogs regarding the Books and Records requirements contained within the Foreign Corrupt Practices Act.  The FCPA requires “issuers” (any company including foreign companies) with securities traded on a U.S. exchange or otherwise required to file periodic reports with the Securities and Exchange Commission (“SEC”) to keep books and records that accurately reflect business transactions and to maintain effective internal controls.  Another U.S. law which has significant internal Control requirements in the Sarbanes-Oxley Act of 2002.   Clearly, the Accounting/Financial Department(s) are another “Risk Center”.

What are the laws/regulations under each area? What is the appropriate “Risk Center” for each law/regulation for your company? Who is the designated “Risk Owner”?  Mapping out the answers to these questions will clearly be a step in the right direction in performing your Legal/Regulatory Risk Assessment.   Here are a few legal risk areas for your consideration: (a) Antitrust; (b) Bribery, Gifts and Entertainment; Conflicts of Interest; (c) Consumer Protection; (d) Customs, Import and Export Controls; (e) Environmental, Health and Safety; (f) Labor and Employment Law; (g) Financial Record Keeping and Reporting; (h) Government Contracting; (i) Intellectual Property; (j) HIPAA/ Security and Privacy; (k) Records Management; (l) Securities and Insider Trading;  and (m) Anti-Money Laundering.   This doesn’t even touch applicable international laws!  But it should help you get started with your Risk Assessment.  Good Luck!

Mary Shaddock Jones, Attorney at Law can be reached via email at  msjones@msjllc.com or via phone at 337-515-8527 (c); 337-513-0335 (0).

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. 

June 9, 2011

Use of an ERM Map to Implement or Enhance Your Compliance Program

For some time I have wanted to write about an Enterprise Risk Management (EMR) Map that I came across. It is put out by a company called MetricStream. This ERM Map is designed to assist the compliance practitioner in either designing or reviewing a company’s Governance, Risk and Management (GRC) by providing a visual representation of the best practices in compliance business processes. It allows a company to either develop a gap analysis or classify gaps in its GRC program by better understanding overall system requirements. The ERM Map lays out these best practices in a visual format; identifying sub-processes within the specific disciplines involved in ERM; and finally separating such practices in Leadership, Organization, Process and Technology. This post will focus on Leadership and Process and I will discuss these in only some of the areas which are identified by discipline on the ERM Map.

I.                Chief Compliance Officer

  1. Leadership-the Chief Compliance Officer (CCO) is responsible is the model for ethical behavior and should link ethics to business success. The CCO should be a part of the Executive Leadership Team and work to create a formal compliance program including a Code of Conduct, Compliance Policy and Compliance Procedures to detail how the program should be conducted throughout the company.
  2. Process-the CCO should develop processes for monitoring of compliance so that if there is a violation, it can be detected and then remedied. There should be some type of ethics certification and creation of an anonymous reporting or helpline. There should be a formal measurement of compliance and ethics risks and a follow-up analysis of compliance failures to determine lessons learned going forward.

II.             Chief Risk Officer

 

  1. Leadership-this role should lead through visibility on the full spectrum of enterprise and operational risk. As risk management is a value generating business process; the role should be a part of the Executive Management Team.
  2. Process-this role is responsible for creating the formal process for analyzing and managing enterprise risk across the company. It assists to ensure that the Internal Audit process is risk driven and that financial processes are risk-based.

III.           Chief Financial Officer

 

  1. Leadership-the Chief Financial Officer (CFO) should focus the department’s efforts on business risk when conducting internal audits. This is broader than simply general audit, Sarbanes-Oxley (SOX) or Foreign Corrupt Practices (FCPA) audits; it should include all business risks. There should be accountability to the company’s Board of Directors.
  2. Process-initially it should be noted that ERM should drive audit priorities and the overall audit process should be repeatable and systematic. There should be consistent processes in place between operational and internal audit. In the area of findings, a summary of findings should be reported to the Board of Directors and there should a collaboration of findings with and recommendations to the persons or departments which are audited.

IV.            Chief Operating Officer

 

  1. Leadership-the Chief Operating Officer (COO) should be responsible for operational risk and should lead the effort to impart that quality and safety are at the core values of the company. This office should be accountable to regulators, industry and legal standards. The COO should lead to achieve consistent compliance and minimize exceptions.
  2. Process-the CCO should lead in the collaboration between quality and regulatory affairs. If there is decentralized accountability, the CCO must consolidate the reporting through centralized record keeping and document control. This role should enhance the collaboration between quality and regulatory affairs.

V.              Chief Information Officer

 

  1. Leadership-with a nod towards my “This Week in the FCPA” partner Howard Sklar who routinely lists data security as a key compliance concern, I will discuss the role of the Chief Information Officer (CIO) within the ERM Map. The role should begin with expertise on the integration of technological controls into business applications. The CIO should be charged with the centralized management of IT governance and should ensure that the IT environment is secure. This would include protection of information security. Finally as a leadership function, the CIO should ensure that data security is a Board of Directors agenda topic.
  2. Process-here the CIO should work to have an overall IT framework assist to drive business processes. There should be a centralized document management and approval system and there should be end-user identity management.

I have but scratched on the surface of the information readily available on the ERM Map. I would urge the compliance practitioner to go to the company’s website and order a complimentary copy of the map. It will give you a very good visual road map to create or enhance a complete company-wide GRC structure or allow you to think through any of the departments I have discussed and several others on the ERM Map which I have not discussed. It is a very valuable and free tool.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Blog at WordPress.com.