FCPA Compliance and Ethics Blog

July 25, 2011

A Tip of the Hat to Cadel Evans and the Code of Conduct

If you are a cyclist, the most famous Aussie in the world today is Cadel Evans, the first Australian to win the Tour de France. In the compliance world, the other most famous Aussie is still Rupert Murdoch. So today we tip our hat to Cadel for a great three weeks of cycling and the time trial of his life on Saturday to win the Tour.

However, in the compliance world, the Murdochs and News Corp continue to provide a veritable plethora of lessons learned. Today we focus on that most basic step of any compliance program – the Code of Conduct. A written Code of Conduct is one of the key components of a best practices compliance program, whether that compliance program is based upon the US Sentencing Guidelines and the Foreign Corrupt Practices Act (FCPA), the UK Bribery Act’s Adequate Procedures, or the OECD Good Practices. However, much more than a written Code of Conduct is required for any compliance program to succeed. I do not think that this statement would be news to any compliance practitioner, or even controversial; nevertheless it was apparently news to News Corp. The lead article in Friday’s edition of Ethisphere Corporation’s Daily GRC Digest discussed the following:

The top story today is that News Corp.’s much touted Code of Conduct is absolutely USELESS, as News Corp. failed to inform and educate employees about it. The new code, released in May, receives a B+ from Ethisphere, which is an improvement from the substandard C its former code, implemented in July 2006, received; however, with no clear communication and training plan, nor any comprehension aids in the code, News Corp.’s Code of Conduct is worthless in preventing wrongdoing like the voicemail-hacking and police-bribing scandal or protecting the company in the event of such malfeasance.

The GRC Digest article linked to an article in the July 19 edition of the Daily Beast by David Graham, where he discussed the 56-page News Corp Code of Conduct in the context of the UK Parliamentary hearings last week where both Rupert and James Murdoch testified. Graham reported that the Murdochs referred to the News Corp Code of Conduct as “setting up the code as the cornerstone of ethics at the company, and potentially a “paragon” for journalists across the globe.”

The GRC Daily noted that Ethisphere had graded the News Corp Code of Conduct as B+, which was an improvement over its prior Code of Conduct. However, such a robust 56-page Code of Conduct is not worth much if, in the words of the GRC Daily, there is “no clear communication and training plan, nor any comprehension aids in the code, News Corp.’s Code of Conduct is worthless in preventing wrongdoing like the voicemail-hacking and police-bribing scandal or protecting the company in the event of such malfeasance.”

So the lesson learned from News Corp’s 56-page, B+ rated Code of Conduct is that such a Code is worthless unless it is trained upon and actually implemented by management. I really don’t think this is news, but if your management does not seem to understand this important concept, perhaps you can pass this article along to them for easy reference.

=======================================================

Speaking of easy reference, the GRC Digest is yet another tool available to the compliance practitioner at no cost. It comes as a daily email blast sent to you by Ethisphere; it contains the news of the day, with links, and highlights upcoming webinars and speaking engagements. It is easy to read, fun to digest and, as the name implies, focused on governance, risk and compliance. To subscribe to the GRC Digest, click here.

Lucky Episode 13 of This Week in the FCPA is up. Howard Sklar and I talk about News Corp., Willis Ltd. and McMillan Publishing Company and debarment. To view Episode 13, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

June 9, 2011

Use of an ERM Map to Implement or Enhance Your Compliance Program

For some time I have wanted to write about an Enterprise Risk Management (ERM) Map that I came across. It is put out by a company called MetricStream. This ERM Map is designed to assist the compliance practitioner in either designing or reviewing a company’s Governance, Risk and Compliance (GRC) program by providing a visual representation of the best practices in compliance business processes. It allows a company to either develop a gap analysis or classify gaps in its GRC program by better understanding overall system requirements. The ERM Map lays out these best practices in a visual format, identifying sub-processes within the specific disciplines involved in ERM, and finally separating such practices into Leadership, Organization, Process and Technology. This post will focus on Leadership and Process, and I will discuss these in only some of the areas which are identified by discipline on the ERM Map.

I. Chief Compliance Officer

  1. Leadership – the Chief Compliance Officer (CCO) is responsible for modeling ethical behavior and should link ethics to business success. The CCO should be a part of the Executive Leadership Team and work to create a formal compliance program, including a Code of Conduct, Compliance Policy and Compliance Procedures that detail how the program should be conducted throughout the company.
  2. Process – the CCO should develop processes for monitoring compliance so that if there is a violation, it can be detected and then remedied. There should be some type of ethics certification and the creation of an anonymous reporting line or helpline. There should be a formal measurement of compliance and ethics risks and a follow-up analysis of compliance failures to determine lessons learned going forward.

II. Chief Risk Officer

  1. Leadership – this role should lead through visibility on the full spectrum of enterprise and operational risk. As risk management is a value-generating business process, the role should be a part of the Executive Management Team.
  2. Process – this role is responsible for creating the formal process for analyzing and managing enterprise risk across the company. It helps ensure that the Internal Audit process is risk driven and that financial processes are risk-based.

III. Chief Financial Officer

  1. Leadership – the Chief Financial Officer (CFO) should focus the department’s efforts on business risk when conducting internal audits. This is broader than simply general audit, Sarbanes-Oxley (SOX) or Foreign Corrupt Practices Act (FCPA) audits; it should include all business risks. There should be accountability to the company’s Board of Directors.
  2. Process – initially it should be noted that ERM should drive audit priorities, and the overall audit process should be repeatable and systematic. There should be consistent processes in place between operational and internal audit. In the area of findings, a summary of findings should be reported to the Board of Directors, and there should be collaboration on findings with, and recommendations to, the persons or departments which are audited.

IV. Chief Operating Officer

  1. Leadership – the Chief Operating Officer (COO) should be responsible for operational risk and should lead the effort to impart that quality and safety are core values of the company. This office should be accountable to regulators and to industry and legal standards. The COO should lead the effort to achieve consistent compliance and minimize exceptions.
  2. Process – the COO should lead and enhance the collaboration between quality and regulatory affairs. If there is decentralized accountability, the COO must consolidate the reporting through centralized record keeping and document control.

V. Chief Information Officer

  1. Leadership – with a nod towards my “This Week in the FCPA” partner Howard Sklar, who routinely lists data security as a key compliance concern, I will discuss the role of the Chief Information Officer (CIO) within the ERM Map. The role should begin with expertise on the integration of technological controls into business applications. The CIO should be charged with the centralized management of IT governance and should ensure that the IT environment is secure. This includes the protection of information security. Finally, as a leadership function, the CIO should ensure that data security is a Board of Directors agenda topic.
  2. Process – here the CIO should work to have an overall IT framework that helps drive business processes. There should be a centralized document management and approval system, and there should be end-user identity management.

I have but scratched the surface of the information readily available on the ERM Map. I would urge the compliance practitioner to go to the company’s website and order a complimentary copy of the map. It will give you a very good visual road map to create or enhance a complete company-wide GRC structure, or allow you to think through any of the departments I have discussed and several others on the ERM Map which I have not discussed. It is a very valuable and free tool.

