FCPA Compliance and Ethics Blog

June 27, 2014

The Berlin Airlift and Different Approaches to Compliance Issues

As the USA played Germany in the World Cup yesterday, it is perhaps appropriate that we look back at another June 26th event that involved the US, as we celebrate one of the great relief efforts in post-war Europe and the Cold War: the Berlin Airlift. On June 26, 1948, US and British pilots began delivering food and supplies by airplane to Berlin after the city was isolated by a Soviet Union blockade. Though some in President Truman’s administration called for a direct military response to this aggressive Soviet move, the President was concerned that such a response would trigger another world war. As an alternative, he coordinated a massive airlift operation under the control of General Lucius D. Clay, the American-appointed military governor of Germany. The first planes took off from England and western Germany on June 26, loaded with food, clothing, water, medicine and fuel. By July 15, an average of 2,500 tons of supplies was being flown into the city every day. The massive scale of the airlift made it a huge logistical challenge and at times a great risk, with planes landing at Tempelhof Airport every four minutes, round the clock, for the next 15 months. This broke the Soviet blockade.

I thought about this alternative approach that Truman employed, a supply line rather than a military response, when I read the MIT Sloan Management Review article entitled “What Businesses Can Learn From Sports Analytics”, by Thomas H. Davenport. In his article, Davenport explored how “the use of analytics in the sports world has much to teach managers about alignment, performance improvement and business ecosystems.”

For his article, Davenport “interviewed more than 30 representatives of teams, sports analytics vendors and consultants for a report on the state of the art in sports analytics,” in which he “focused on three different areas of activity, each of which is growing rapidly. In order of decreasing prevalence, they are: team and player performance analytics, sports business analytics, and health and injury prevention analytics.” From this research, he developed five key lessons that almost any business could adopt. However, I thought about his points in the context of compliance ecosystems rather than business ecosystems, so I will use his article as a starting point to consider what compliance can learn from sports analytics.

1. Align leadership at multiple levels

Davenport believes “In sports, key decisions — which players to acquire, how much to pay them, and which strategies to adopt for better athletic and business performance — must be made and overseen at multiple levels. As a result, alignment along different management levels is crucial.” Based on his research I believe the message for Chief Compliance Officers (CCOs), compliance practitioners and analytical practitioners is to work together closely and consult frequently.

2. Focus on the human dimension

Davenport’s key finding about sports teams is that they realize that their players are both their most important and expensive resources and that sports teams focus on the human dimension of performance in a variety of ways. “First, they address individual-level game performance by monitoring points scored, rebounds gathered, batting averages and other increasingly sophisticated measures of both offensive and defensive performance… Second, teams are beginning to assess not just individual performance, but performance in context.” They will also assess a team’s performance “with and without a combination of players.”

However, while companies say they focus on their employees as their most valuable resource, they typically only focus their analytics on “operational or marketing issues and not on the human dimension of performance.” The key insight here is for compliance to take more of a team view: as Davenport notes, investigating a group’s performance “with or without a particular person’s presence could be a valuable insight.” This could be expanded to reviewing wider sales teams in a region, country or product/service line.

3. Exploit video and locational data

In Major League Soccer (MLS), players wear a GPS-based locational device that captures all movements around the field. In the NBA, six cameras in the ceiling of each arena capture all movements of the players and ball. All Major League Baseball (MLB) stadiums have cameras that track every pitch, and many teams also track every hit and fielding play with video cameras. This allows a more complete view of the raw numbers that metrics generate.

While it may not seem readily apparent, this type of approach can also benefit the compliance function. The key is that it looks at raw numbers in a different way. So transaction monitoring could be paired with relationship monitoring or other indicia. Travel and communications data could also be considered, to show what might be happening in locations that are not readily apparent. The key takeaway is that there is more information available by obtaining more types of data.

4. Work within a broader ecosystem

Davenport found that “Professional sports teams are relatively small businesses, with much of their revenue going toward player salaries, leaving just nominal funds for any data and analytics projects. As a result, teams often need to work within a broader ecosystem of data, software and services providers.” Based on this he believes that a “key in these partnerships is to draw as much as possible from the partner while maintaining key internal capabilities.”

For the compliance professional, you should try to develop relationships with key vendors, because there are just too many different techniques, types of data and other aspects of analytics to exploit, and even the largest corporation can’t excel on its own. Michael Rasmussen, the GRC Pundit, has observed that in GRC there is more than one technology. The same holds true in the compliance space. Jon Rydberg, founder of Orchid Advisors, has called this the “Compliance Ecosystem Transformation”, which he defines as “The coordinated development of compliance activities that transcend your entire supply chain, from suppliers – to manufacturers – to distributors – to retailers.”

5. Support “analytical amateurs”

Finally, Davenport found that “Some professional athletes have begun to analyze their own performance in depth using public or team data and reports. Specifically, a number of soccer and football players have become assiduous reviewers of their video and GPS data, although the most frequent users have been professional baseball players, particularly pitchers.”

For the compliance professional, this means that they too could benefit from becoming such “analytical amateurs”. Moreover, they could work with business unit personnel to keep track of their own scores on compliance measures and use that information to improve their performance. Analytics-minded salespeople and managers could, for example, use the extensive data from compliance management systems to assess and improve their performance.

I found Davenport’s article to be quite thought-provoking. For just as President Truman was able to come up with a different approach for a situation that could have led to World War III, or at the very least a completely communist-dominated unified Berlin, there are different ways to look at problems and find solutions. Using the analytical approach that has become so prevalent in the sports world may lead you to new and different thinking in the compliance arena.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

May 6, 2014

From the Bad Boy Pistons to GRC: The Building Blocks of Compliance

I recently watched the ESPN documentary series 30-for-30 on the Bad Boy Detroit Pistons from the late 1980s and early 1990s. It was a great review of a different era of the National Basketball Association (NBA) and the perfect way to get ready for the current playoffs, even if the Rockets did choke their way out of Round 1 as usual. But more than great entertainment, the show focused on the building blocks of a pro basketball team. The Pistons were created player by player, each a piece of the overall team structure. The team then had to become battle-hardened by losing some tough playoff games, first in the Eastern Conference to Boston and then in the NBA Championship to the Lakers, before they eventually succeeded in becoming two-time NBA champs. In other words, it was a lengthy process, which started in 1982 when the Pistons drafted Isiah Thomas, and it took almost 10 years for them to win the title.

I thought about this process orientation when I read a GRC Illustrated series article in the March issue of Compliance Week, entitled “The Principled Performance Vision”, by Carole Switzer, co-founder and President of the Open Compliance and Ethics Group (OCEG), and Scott L. Mitchell, the co-founder and Chair of OCEG. In their article, and the accompanying GRC Illustrated presentation entitled “Pathway to Principled Performance”, they discuss the need for companies to have a mechanism to address ever-changing business and legal risks in the context of the high performance required by internal and external stakeholders. They articulate “a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity.”

The biggest problems that they identify are the loss of cohesion and the insular nature of management and reporting systems between business units within an organization. For instance, they point to a wide variety of disciplines within a company, such as “governance, finance, production, and sales to adjunct areas like performance management, risk management, internal control, compliance, and audit” which must use the same data but often never share the results with each other. The authors posit that a more holistic approach is required and that this “can only be achieved by integrating and orchestrating information and functions that, in many organizations, are fragmented and siloed. Then, these integrated capabilities must be supported with strong communication, effective technology, and development of the desired ethical culture.”

Coupled with the article and illustrated framework is a roundtable discussion, led by Switzer, of several leading compliance practitioners and thought leaders. The participants included Brian Barnier, Principal at ValueBridge Advisors; Paul Liebman, Chief Compliance Officer (CCO) at the University of Texas; Tony Miller, Chief Operating Officer (COO) and Partner at The Vistria Group; and Michael Rasmussen, Principal and Chief GRC Pundit at GRC 20/20 Research LLC. Switzer asked them the basic question of how one gets started on such an initiative for a company. Barnier believes that, in large part, it is about messaging by “treating it as a business initiative to drive profitable revenue and risk-adjusted return” as opposed to “yet another compliance task to achieve while cutting cost.” Liebman focused on the ‘why’ of change when he noted, “true change depends upon three things: a profound sense of discomfort in the current condition, a vision that things could be better, and a plan to get there. I think the first step is therefore to assess and explain the current level of discomfort—i.e., what is wrong and why.” Moreover, he believes that it is important to “have a vision of the direction you want to go and plan accordingly.” Finally, he said that “Focus on structure and process so that you are constantly moving forward. Slow, incremental but sustainable change in the right direction is far more important than quick, substantial but unsustainable change. Slow, incremental and sustainable change happens by taking advantage of pre-existing organizational processes and mental models that are already working well. Don’t force new or redundant processes but, rather, seek to understand how others are thinking and acting and explain how your vision is really just a logical extension of what they are already trying to accomplish.”

Miller took a somewhat different approach when he said that “Principled performance needs to be part of the culture, reflected in the strategy, and embedded in an organization’s operating systems and processes.” To accomplish this he listed three steps, “(1) the chief executive officer and the senior executive team explicitly acknowledging that this is an important problem that must be addressed; (2) establishing clear metrics and goals for improvement; and (3) assigning point accountability at the executive team level for developing and “owning” the process that will enable the organization to meet the principled performance goals.”

Switzer asked the participants if they could point to situations where a failure to interconnect the various functions of Governance, Risk and Compliance (GRC) has led to catastrophic consequences. Miller pointed to the siloed nature of the financial services industry when he said, “That’s why we’ve seen significant breaches in the financial services industry with excessive risk taking by traders, the mortgage services industry in lax and exploitive underwriting practices, and the education services industry with overly aggressive student recruitment practices.” Liebman pointed to that well-known risk area under the Foreign Corrupt Practices Act (FCPA) by noting, “Third-party relationships are an example where disparate processes and strategic goals can lead to significant non-compliance, waste, and surprise. For example, companies often create a business strategy at a high level and then ask others to implement the strategy with little or no oversight or structure… Accordingly, when a problem surfaces creating a bad reality, such as bribery in the supply chain, and expectations were set too high, the result is significant unhappiness for stakeholders.” Barnier focused on the management of risk without coordination, due to the insular nature of management and reporting systems, when he observed, “Much of this results from typical silo behavior—especially when reinforced by a control culture with its usual compartments that diminishes individual engagement and end-to-end views. Principled performance, with its focus on outcomes, brings together a range of decisions and activities to improve the likelihood of achieving those objectives.”

While some might find it interesting that the notorious “Bad Boys” of the NBA can teach the compliance practitioner a thing or two, it is clear that their General Manager (GM) Jack McCloskey had a plan in mind when putting the pieces of the team together. That team then had to be molded together and tested. This real-world example would seem to illustrate what Rasmussen meant when he summed up his views by stating, “A mature GRC program will have an integrated strategy, process, information, and technology architecture that brings efficiency, effectiveness, and agility to GRC across the business and aligned with the business.”

If you have a team left in the NBA playoffs, good luck. Otherwise I hope that you will back me in supporting the Spurs yet again.


April 28, 2014

Interview with Michael Kleef on the Use of Technology in Compliance Programs


Ed. Note: today we continue the series on compliance thought leadership. Today’s subject is Michael Kleef, EVP of Convercent, who has some interesting observations on understanding the uses of technology in the compliance arena.

Where did you grow up?

I’m a native Australian, born in Melbourne, Victoria and spent most of my life and technology career in Perth, Western Australia. Since the Malaysia Airlines crash everyone seems to know where Perth is now! Moved to the USA about 6 years ago along with my wife and kids. It’s a scary moment as a parent dropping off your daughter, not only to a new school, but a new school in a completely different country and wondering if she will be ok!

You are relatively new to the compliance space, what was your prior professional life?

Prior to Convercent, aside from a stint at another startup, I worked at Microsoft for 11 years.

Microsoft is what brought us to the USA – did a variety of roles there with the last one in technical marketing. So my prior life is not actually compliance, it’s enterprise IT software. The move to Convercent has been like drinking from a fire hose, learning all about compliance challenges. That said, Microsoft has a very robust compliance program so I had a good idea what I was getting into, but from the employee end, doing yearly compliance training and completing policies.

What are some of the biggest surprises you have seen since moving over into the compliance space?

The biggest surprise I’ve had since moving into the compliance world is that in most cases companies do not leverage purpose built technology to manage their processes and reduce compliance risk. Most companies still utilize paper trails, Excel, SharePoint, and non-integrated software to administer their compliance programs. Having witnessed so many other departments move past these simple tools and manual processes toward applications fit for purpose, I know it’s only a matter of time before the majority of Compliance teams do the same—the risk is simply becoming too great not to.

From your prior positions, what similar transitions did you see take place in other disciplines?

This isn’t a new problem – the transition to purpose-built technology. In the past, finance teams struggled with the challenge of transitioning from spreadsheets and Word documents to finance solutions such as SAP and Oracle Financial. They struggled to build the business case for replacing manual processes that were cumbersome but appeared to work. What eventually tipped the scales toward technology was the increasing pressure on CFOs to cut organizational costs. With enterprise finance software, finance teams were able to manage budgets more effectively and enforce areas such as purchasing and expense processes. Despite the fact that financial software is often the most expensive technology companies will buy, the overall business benefits provided have proven to make this spend nearly universal for companies of all sizes. No one even asks to justify it. It’s a must have.

Sales teams also made the shift from using basic tools like the rolodex (yep, remember those?!) to purchasing Customer Relationship Management (CRM) systems like SalesForce.com and Microsoft Dynamics CRM. By entering customer, prospect and deal data into these applications, sales managers could more effectively manage a sales team’s pipeline. By understanding average time to close, while aggregating large amounts of deal-oriented data, sales executives could better predict quarterly revenue, allowing teams to plan and pivot quicker and better. By connecting this data to the previously mentioned finance systems, CFOs could now more effectively predict overall P&L on a monthly, quarterly and annual basis.

Slightly later, marketing teams began the shift from agency based advertising and uncoordinated email spam to using technology driven techniques delivered in Marketing Automation Programs (MAP). Search engine optimization (SEO), and extremely targeted personalized advertising allowed marketing teams to target buyers with personalized, relevant and engaging content, all while leveraging data for advanced analytics to help sales teams understand how to message to high probability buyers.

Across most departments at any given company, it’s easy to see how technology now underpins how people work. Software drives increased business agility through rapid access to data, helping companies make decisions promptly, while moving into new markets to better take advantage of new business opportunities. Today though, it’s not enough to just collect data. The true value of cutting edge software is in giving teams the ability to draw conclusions from the patterns in the data—or the ability to become truly predictive. Becoming predictive also allows teams to mitigate risk a whole lot more effectively.

Departments that embrace predictive analytics and intelligent workflow software no longer ask questions about the return on investment (ROI) of respective technologies because they plainly understand the value of what these systems enable. Tech savvy executive teams see how integrated data flows from marketing to sales to finance systems, relying on the positive impact of modelling this information in real time, at a single glance.

Can you draw any parallels from these experiences to the compliance discipline?

Absolutely! Many compliance, audit, risk, and legal professionals struggle daily with spreadsheets, paper and Word documents. Those lucky enough to have a GRC technology point solution (like an independent ethics hotline and policy management system) often struggle to connect data sets together. This inability to connect data sets and draw meaningful conclusions in real time hampers the likelihood companies will figure it out when “Morgan Stanleyesque” FCPA issues occur. Can your compliance program isolate a rogue employee that has been trained, signed off on policies, and still chooses to bribe officials? And even if this employee is caught, is it possible to drill down into how long this went on before you knew about it and could resolve and communicate the issue?

Unfortunately most compliance management solutions can’t do this because related data is not really connected. Without the ability to link related data and functions like policy, learning, and case management, you will never get to the point of being truly predictive. But the good news is that software vendors are rapidly innovating already. Companies like Convercent (among others) have already developed integrated next generation solutions that deliver real-time reporting to support increased oversight. We believe this is just the beginning towards predictive analytics that will supercharge how you manage your compliance program.

You see, it’s all about the workflow and how you manage the data – is it working for you or against you? The moment you have to spend hours or days struggling to get information or being able to understand your true picture of risk at a glance – you have a problem begging for a solution. And I’m hearing that regulators take a dim view when you can’t clearly prove that your compliance program is measurable and that you’ve taken adequate steps to implement it consistently.

From these prior experiences, I believe purpose built technology will shortly change the way you work. Technology will be the enabler that so many of you are looking for, helping you build and scale out an effective compliance program.

How do I know this? Because it’s already happened in nearly every business unit at the company you’re working for! The patterns are the same…generic, non-specialized software supporting critical decision making, manual and disconnected processes delivering non-integrated data sets, the inability to make data-driven real time judgments, increasing risk from burgeoning regulations demanding immediate action…

I hope you’re excited at how technology will enable GRC. I’m excited to see the difference it will make for you!

Michael Kleef can be reached at michael.kleef@convercent.com


May 25, 2011

Three Lines of Defense for FCPA Compliance: Lessons from a Holistic GRC Model


In a session at Compliance Week 2011 entitled “Implementing a Compliance Program in a Global Business Using a Holistic GRC Model”, the speakers, John Farrell and James Littley, both of KPMG, and Robert Brewer, Chief Compliance Officer of Office Depot, presented a model to consider for a Foreign Corrupt Practices Act (FCPA) compliance system. Overall it was an excellent session, and they presented an interesting concept for the FCPA compliance practitioner under the general rubric of “A Holistic GRC (Governance, Risk and Compliance) Model to Drive Compliance Program Effectiveness – Three Lines of Defense.”

Their thesis was that a properly constructed compliance program, in any area such as the FCPA, Export or Customs Control, Immigration Control or any similarly regulated area, has three lines of defense to prevent a compliance incident. They identified the three lines of defense as (1) the Risk Content Owners line of defense; (2) the Risk Process Owners line of defense; and (3) the Risk Content and Monitoring Owners line of defense.

I. Risk Content Owners

This first line of defense is the business owners who are on the front lines for any company. Their roles include managing day-to-day business risks and recommending actions to manage and treat that risk. This group is also tasked with complying with the company’s risk management process. Where applicable, this group will implement risk management processes, execute risk assessments and identify emerging risk.

The key roles/responsibilities for this first line of defense are:

• The company’s Enterprise Risk Management (ERM) Steering Committee should be made up of Vice Presidents who manage risks daily in their individual departments and Business Units.

• Each ERM Heat Map risk is assigned to the Executive Committee members who are either most impacted by the risk or who have the most opportunity to influence the risk.

• The ERM Steering Committee and Executive Committee are responsible for prioritizing risks and identifying emerging risks.

• The Board of Directors is responsible for oversight of how well management is managing the risks of the company.

II. Risk Process Owners

This second line of defense is typically the company legal department and compliance department. Not only are these the standard setters in an organization, but they may also be charged with certain monitoring tasks. This group should establish policy and process for risk management. This group is the strategic link for a company in terms of risk. It should provide guidance and coordination among constituencies. It should identify enterprise trends, synergies, and opportunities for change. This group should also initiate change, integration and operationalization of new compliance best practices. Typically this group is the liaison between the third line of defense and the first line of defense. Lastly, this group oversees certain risk areas in terms of enterprise objectives, such as compliance with regulations like the FCPA and Export Control.

The key roles/responsibilities for this second line of defense are:

• The ERM Manager should establish quarterly cross-functional meetings and reporting processes to drive regular discussion of risks at the Vice President and Executive levels.

• There should be a linkage of ERM to the Company’s Strategic Plan.

• There should be a linkage of ERM to the Annual Audit Risk Assessment, the development of the Audit Plan and the resourcing of audit teams as they perform audits.

• The ERM Manager must keep abreast of current events, audit issues, SOX compliance, legal issues, loss prevention and data security issues and upcoming legislation in order to facilitate dialog on important topics at the ERM Steering Committee and Executive Committee.

III. Risk Content and Monitoring Owners

This third and final line of defense is generally thought of as the Assurance Providers and consists of senior management, Internal Audit and up to the Board of Directors. Its roles include working either with or through senior management and/or the company’s Board of Directors. This line of defense is tasked to rationalize and systematize risk assessment and governance reporting so that it is not only transparent but useful, and stored in a manner that can be retrieved if a regulator comes calling. It will provide oversight on the risk management content and processes followed by the second line of defense. Finally, it will provide assurance that risk management processes are adequate and appropriate.

The key roles/responsibilities for this third line of defense are:

• All risk-focused functions report up through the Chief Compliance Officer; therefore cooperation and leveraging of information between these groups must be robust. These functions include: Internal Audit, Loss Prevention, Enterprise Risk Management and Insurable Risk Management.

• The ERM Manager should aggregate and synthesize information gathered from across the organization and report it up to the Executive Committee and the Audit Committee or Compliance Committee of the Board of Directors quarterly.

• Internal Audit should consider ERM risks related to each area under audit and test mitigating controls when appropriate.

This tripartite model is an excellent way for a company not only to think through how to design an overall GRC structure, but also an outline to assess how well it may be doing in any one specific compliance area such as the FCPA. The first line of defense should be driven down to the Business Unit level. This will allow, indeed require, the Business Unit to buy into the overall compliance program. The legal/compliance department is the key bridge that writes the overall compliance program and leads its implementation through training, but also assesses whether the compliance program is effective and remains robust. The role of senior management is to provide overall leadership and deployment of resources throughout this entire process. We recommend that you consider integrating this type of analysis into your company or using it as an assessment tool.


© Thomas R. Fox, 2011
