FCPA Compliance and Ethics Blog

August 22, 2012

The Face of Battle: Sir John Keegan and the Individual in Compliance

On August 2, Sir John Keegan died. He was one of the most influential military historians I have ever read or had the chance to hear speak in person. Keegan was knighted for his massive output. In his August 3, 2012 obituary in the New York Times (NYT), David Binder noted that “Sir John’s body of work ranged across the centuries and continents and, as a whole, traced the evolution of warfare and its destructive technology while acknowledging its constraints: the terrors of combat and the psychological toll that soldiers have endured.” For Tip O’Neill, all politics was local; for Sir John Keegan, all military history was individual.

I, probably like most Americans, was introduced to Keegan through his seminal work “The Face of Battle”, which launched his publishing career. The historian J.H. Plumb called it “so creative, so original” and “a huge achievement.” Binder commented that “He examined three battles in the book: Agincourt in 1415, Waterloo in 1815 and the Somme in 1916…all involving the English. His tale was somber and compelling about what happens in the heat of battle, including the execution of prisoners.” Further, “the military historian, on whom, as he recounts the extinction of this brave effort or that, falls an awful lethargy, his typewriter keys tapping leadenly on the paper to drive the lines of print, like the waves of a Kitchener battalion failing to take its objective, more and more slowly toward the foot of the page.”

But for me, he drove home what battle was like for the ordinary soldier. I can still recall his descriptions of the English longbowmen and the French knights they decimated. In another book, entitled “The American Civil War”, he looked at the role of geography in conflict. Once again he approached the subject of military history in a new and fresh way that brought the subject alive to me while challenging me to reconsider the traditional great-man view of military history.

I thought about Keegan’s focus on the everyman of battle today while participating in a webinar entitled “A Real-Time Solution to Managing Fraud and Corruption Risk”, hosted by the company Oversight, which has a software product that allows continuous monitoring of data. One of the topics covered in the webinar was fraud and employees who commit fraud. Fellow presenter Jeff Harfenist, who is a CPA, MBA and a Director with the Berkeley Research Group, emphasized that fraud almost always starts small, with the participant or participants then increasing its complexity and aggressiveness. The perpetrators will then often grow the fraud in magnitude, while sometimes increasing the number of participants. Unfortunately, they will rarely cease of their own accord. In other words, the concepts Jeff talked about seemed to me to fit into Sir John’s analysis of the everyman of battle: what they did and how they did it.

Jeff further explained that data mining software, such as that by the event sponsor Oversight, coupled with advanced analytics and exception management capabilities and combined with established forensic protocols and recognized investigative methods, could provide real-time (or near real-time) detection in a variety of areas. Some of these could include inefficiencies in purchasing, potentially anomalous transactions, high-risk relationships, compliance failures and circumvention of internal controls.

I often talk about McNulty’s Three Maxims of Compliance: (1) What did you do to prevent it? (2) What did you do to detect it? And (3) When you discovered it, what did you do to remedy it? Control monitoring moves an internal audit function from the second step, “detection”, to the first step, “prevention”, through an active, ongoing process that evaluates 100% of the transactions or associated target functions in real-time (or near real-time), is highly automated and can be repeated as frequently as required. The continuous monitoring approach allows you to experience what the individuals in your company are doing on a real-time (or near real-time) basis, down to the single transactional level, on a repeated basis.

Listening to Jeff Harfenist speak, I thought about Sir John and his work. Just as you can learn and experience history by studying the individuals who participated in great events, your compliance program should be aimed at individuals to guide their ethical behavior based upon your company’s compliance regime. So think of Sir John Keegan’s work on the individual in battle in conjunction with what your compliance program is doing to prevent and detect fraud by individuals in your company.

=========================================================================================================================================================

If you were not able to attend the webinar, you can listen to it, while viewing the slides by clicking here.

=========================================================================================================================================================

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

April 13, 2012

Six Steps to Implementing Continuous Monitoring in your Compliance Program

Anti-corruption, anti-bribery and anti-money laundering programs, policies and procedures, and even export control systems, are seemingly in a constant state of evolution. Many companies are struggling with the challenge of implementing effective controls and monitoring risks across a spectrum that could include the three above listed compliance areas as well as others. One area which is evolving into a minimum best practices requirement for compliance is that of Continuous Monitoring (CM).

While many companies will look at CM as a software solution that can assist your company in managing risk and provide reporting metrics and, thereby, insights across an organization, it should be viewed more holistically. You will need to take many disparate systems, usually across a wide international geographic area, which may seem like an overwhelming process. However, help is at hand from an article in the November 2011 issue of Compliance Week Magazine, entitled “Mission Impossible? Six steps to continuous monitoring”, where author Justin Offen discusses his six-point program to ensure that your “CM solution doesn’t become part of the problem” rather than a solution.

  1. Know your global IT footprint. Offen believes that the challenges with integrating “disparate data often prevent CM discussions from even getting off the ground.” Rather, it is important to understand how CM will be incorporated into your company’s overall IT strategy as well as your compliance strategy. He advocates that this inquiry begin with understanding what your current IT structure is and what it is anticipated to be in 3 and 5 years. Once you identify your global IT footprint you can determine which system will be the best fit.
  2. Define scope and necessary resources. The author believes that you need to determine what your goal is; begin by identifying your needs and then prioritize them. You should perform a risk analysis and then rank the risks. Here a risk ranking is not only helpful but can be critical to enable your company to focus on the specific needs of the organization. Regarding resources, you need to understand the amount of talent you have in your organization, identify who can implement and work with the system and determine your budget, which may need to be increased based upon your need for outside experts and unknown contingencies.
  3. Conduct a pilot or proof of concept. Offen suggests that your company does not roll out an entire CM solution, company-wide, in one fell swoop but rather “business units and/or geographies should be prioritized and a phased in approach” utilized. This is one of the benefits of your risk analysis and risk ranking. This phased-in approach can be used as a proof of concept, which the author believes “will yield greater operational efficiency throughout your CM solution implementation.” Significantly, it should enable you to chalk up an early success to present to the inevitable nay-sayers in your organization.
  4. Decrease false positives. Offen notes that it is “important to determine the effectiveness of each test prior to ‘turning it on’ in a CM solution.” This is because improper or incomplete testing may well lead to a larger number of false positives which you are required to evaluate and clear. From each test, you can further refine your CM solution to the specific needs of your organization and save time and increase efficiency in your overall CM program.
  5. Establish your escalation protocol. The author believes that as part of your implementation, you should establish a response protocol when an exception or Red Flag arises. This protocol should include an escalation protocol if the Red Flag suggests that it is warranted or additional investigation determines a wider problem exists. This protocol should include specific individuals and departments that need to be notified, the makeup of your initial and secondary triage team and the accountability for each person in the process. A line should be set up for Board of Directors notification as well as a protocol to determine at what point to bring in outside counsel, if warranted.
  6. Demonstrate control through case management. How does your company keep track of it all? I have long maintained that the three most important words in any compliance program are “document, document and document” but this must also include the caveat that you are able to produce the documentation, in a reasonable time, if a regulator requests it. Offen suggests that your company should be ready to “respond with appropriate documentation of any transaction that’s been reviewed, showing the level of review and any additional steps taken.”

The author has provided concrete steps which a compliance practitioner can take to implement or enhance a continuous monitoring system in an organization. He also points out the benefits of such a program: the creation of documentation which can lead to a ‘ready response’ by a company to an issue before it becomes a larger problem, coupled with the ability to recall all steps and information when a regulator comes knocking. Internally, using the pilots or proofs of concept, the compliance department can bring in other stakeholders to see the value of continuous monitoring within the organization.
