In this episode I caught up with Paula Long, founder and CEO of DataGravity, Inc. at the recently concluded Collision 2017 Conference. Paula has worked in the data and information space for over 30 years and now helps companies with data security and data privacy. We discuss the intersection of these issues with compliance and how they all converge for a CCO or compliance practitioner. The site has some great resources for the compliance practitioner and data professional including white papers on continuous monitoring of sensitive data and detecting and tracking anomalous use and behaviors around data. Check out more about Paula and DataGravity by going to the site DataGravity.com.

In this episode, I visit with Melissa Evans, chairman on the upcoming Third-Party Risk Management & Oversight Summit about the conference. We discuss:

1. The nature of the event.
2. Her prior experiences at last year’s event.
3. Her your role as Lead Quality Systems, Supply Chain Management, Royal Caribbean Cruises?
4. The upcoming Third Party Risk Management and Oversight Conference?
5. Some of the highlights in your mind of the conference?
6. Who should attend the conference?
7. Where can folks go for more information?

For More Information on the Event, click here. Best of all listeners to this podcast will receive a discount to the event. You can receive a 15% discount off the regular price by entering the Code CMP 161. For more information on the event, check out the website by clicking here.

In this episode, Matt Kelly and I discuss the differences between SOX 404 reporting controls and 302 disclosure controls. We then pivot to a discussion of the potential merging of the COSO 2013 Framework for controls with the COSO ERM Framework currently in the public comment period.

Check out Matt’s blogs posts on these topics:

  1. Of Sox Controls and Earnings Reports, click here.
  2. ERM Framework: Govt. Sector Calls for Unity, click here.

Harold Ramis as Dr. SpenglerHarold Ramis died on Monday. For a generation of comedians and fans of comedy he was one of the driving lights of that genre. He was one of the screenwriters of Animal House and wrote the screenplays for both of the Ghostbuster movies, in addition to starring in them. His New York Times (NYT) obituary called him the “Alchemist of Comedy” and quoted from Paul Weingarten, who wrote, in The Chicago Tribune Magazine in 1983, “More than anyone else, “Harold Ramis has shaped this generation’s ideas of what is funny.”” So thanks Harold Ramis for Blutto, Otter, Founder, D-Day, Dr. Spengler and all the rest.

I am currently attending the Society of Corporate Compliance & Ethics (SCCE), 2014 Utilities & Energy Conference. As usual, it is an excellent event for the compliance practitioner. One of the things that I find not only intriguing but also extremely useful about this conference is the pairing of compliance practitioners from the fields of energy and utility. I did not attend the utility focused sessions for the first couple of years but now prefer those sessions because they focus so much on the process of compliance. While the actual compliance issues are not anti-bribery or anti-corruption, the process-oriented approach utilized in the utility energy can be a great set of lessons for the energy industry compliance practitioner to consider when looking at an energy company compliance regime.

On Monday there was a presentation by David Douglass, Federal Energy Regulatory Commission (FERC) Compliance at Kansas City Power & Light Company. Initially, Douglass presented several different compliance models, which the anti-corruption compliance practitioner can use to benchmark or evaluate your company’s compliance program. The first one Douglass termed the Compliance Maturity Model – Compliance at Every Level. It included:

  • Step 1 – Reacting only and engaging in panic. The elements of this level of maturity include the admonition to “Get it done”. Typically under this step compliance is operating in isolation and can only marshal resources as necessary and where ever they might be found.
  • Step 2 – Anticipating and acceptance of compliance. This increased maturity can help to bring about some efficiency, usually through the accepted use of automation. This allows a compliance practitioner to see connections between multiple programs and take steps to plan future approaches to ongoing and ad hoc compliance challenges as they might arise.
  • Step 3 – Collaborating. Under this step, compliance moves to being seen as a collaborative partner with the business units. This allows the identification of risks, the assessment of the company’s exposure to those risks and to prioritizing actions to meet those assessed risk. Finally, the collaboration step can allow for the re-use of technological components for multiple purposes, thus reinforcing great cost savings and value.
  • Step 4 – Orchestrating through and with the rest of the company. Under this ultimate step in the model, compliance works to help set enterprise wide objectives to help to coordinate enterprise wide risk analysis and response. The corporate wide visibility to risk analysis, management and remediation as well as compliance performance.

In addition to the above Compliance Maturity Model, Dougalss discussed two of the programs were set out by federal utility regulators. The first was the FERC’s Effective Compliance Program, which has the following seven standards:

  1.  Internal standards and procedures to prevent and detect violations;
  2. High-level management knowledge and oversight of internal compliance programs;
  3. Reasonable (due diligence) efforts to screen out “poor performers”;
  4. Reasonable internal communications and training efforts;
  5. Reasonable steps to evaluate program effectiveness, including confidential reporting options for employees;
  6. Creating and enforcing compliance incentives and noncompliance sanctions;
  7. After detection of a violation, companies shall take reasonable, responsive steps.

He then cited to the North American Electric Reliability Corporation’s (NERC’s) four hallmarks of effective compliance programs, which included the following:

1.    Senior management / leadership

  • Compliance Program is established in the company.
  • Compliance Program is formally documented and widely disseminated throughout the organization.
  • The Compliance Program is supervised by a high ranking company representative.
  • The head of the compliance function has access to President / CEO and Board.
  • The Compliance Program is designed and managed with independence.
  • There are sufficient resources dedicated to implement Compliance Program.
  • The Compliance Program has the full support of all company leadership

2.    Preventive measures are in place

  • A sufficient frequency of review of compliance program occurs.
  • There is sufficient frequency of training of employees on compliance program.
  • There is sufficiency of subject matter training of employees on compliance program.

3.    Prompt detection, cessation, and self-reporting

  • There is a sustainable process to internally assess compliance with regulations.
  • There is a sufficient response to identification of wrong-doing or misconduct.

4.    Effective remediation

  • There are effective internal controls and procedures present to prevent recurrence of misconduct.

Douglass also discussed the ‘3-lines of defense concept” for a best practices compliance program. Under this concept a properly constructed compliance program has three lines of defense to prevent a compliance incident. These three lines of defense are identified as (1) the Risk Content Owners line of defense; (2) the Risk Process Owners line of defense; and (3) the Risk Content and Content Monitoring Owners line of defense.

 I.                Risk Content Owners

This first line of defense is the business owner(s) who are on the front lines for any company. Their roles include management of day-to-day business risks and to recommend actions to manage and treat that risk. This group also is tasked with complying with the company’s risk management process. Where appropriate, this group will implement risk management processes where applicable and this group will execute risk assessments and identify emerging risk.

 II.             Risk Process Owners

This second line of defense is typically the company legal and compliance departments. Not only are these the standard setters in an organization but they may also be charged with certain monitoring tasks. This group should establish policy and process for risk management. This group is the strategic link for a company in terms of risk. It should provide guidance and coordination among constituencies. It should identify enterprise trends, synergies, and opportunities for change. This group should also initiate change, integration and operationalization of new compliance best practices. Typically this group is the liaison between the third and first lines of defense. Lastly, this group will oversee certain risk areas and in terms of certain enterprise objectives such as compliance with regulations such as Foreign Corrupt Practices Act (FCPA), Export Control, etc.

III.           Risk Content and Monitoring Owners

This third, and final, line of defense is generally thought of as the Assurance Providers and consists of senior management, Internal Audit and up to the Board of Directors. Its roles include either working with or through senior management and/or the Board of Directors. This line of defense is tasked to rationalize and systematize risk assessment and governance reporting so that it is not only transparent but useful and stored in a manner that can be retrieved if a regulator comes calling. It will provide oversight on risk management content/processes, followed by the second line of defense. Finally, it will provide assurance that risk management processes are adequate and appropriate.

This tripartite model is an excellent way for a company to not only think through how to design an overall structure but as an outline to assess how well it may be doing in any one specific compliance area such as anti-corruption compliance under the FCPA. The first line of defense should be driven down to the Business Unit level. This will allow, indeed require, the Business Unit to buy into the overall compliance program. The legal and compliance departments are the key bridge that writes and leads implementation of the overall compliance program through training but also assesses whether the compliance program is effective and remains robust. The role of senior management is to provide overall leadership and deployment of resources throughout this entire process.

I have found that the anti-corruption compliance, or indeed the anti-money laundering (AML) or export-control practitioner can learn quite a bit from their peers in the utility industry. While they may not rise to the level of “Alchemist of Comedy”, as did Harold Ramis, you might want to listen to what they have to say.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

One of the more public and ongoing corruption scandals in the world right now seems to be happening in Turkey. To say the events and facts are confused is an understatement. At this point there are not any international players who have been implicated but given the breadth and scope of what has come out of that country over the past month or so, it would only appear to be only a matter of time. It began in December when, according to the BBC, “The arrests were carried out as part of an inquiry into alleged bribery involving public tenders, which included controversial building projects in Istanbul. Those detained in the 17 December raids included more than 50 public officials and businessmen – all allies of the prime minister. The sons of two ex-ministers and the chief executive of the state-owned bank, Halkbank, are still in police custody.”

The Prime Minister claims that all of these arrests were simply political theater, generated by supporters of Fethullah Gulen, an influential Islamic scholar living in self-imposed exile in the US. Members of Mr. Gulen’s Hizmet movement are said to hold influential positions in institutions such as the police and the judiciary and the AK Party itself. Many believe the arrests and dismissals reflect a feud within Turkey’s ruling AK Party between those who back the Prime Minister, Recep Tayyip Erdogan. On Tuesday the Prime Minister and his supporters struck back at the police by removing approximately 350 police officers from their positions in the capital, Ankara. The Prime Minister and his supporters have also attacked the judiciary leading the investigation, claiming that it is all politically motivated.

In addition to the obvious turmoil based on the above, the country is feeling the fallout in the international monetary arena. In an article in the Financial Times (FT), entitled “Turkey warns of corruption probe risk”, reporter Daniel Dombey said that the country’s currency, the Turkish lira, had dropped 7.5% since the initial arrests back in December. He quoted the country’s Finance Minister, Mehmet Simsek, who said that there had been “some negative implications for the Turkish macro [economy].” Dombey also noted that the Turkish stock market had dropped almost 12% during the same time frame.

In the 2013 Transparency International (TI) Corruptions Perceptions Index (CPI), Turkey had a score of 50 which gave it a rank of 53 out of the 177 countries listed. It generally had better scores than other countries in southeastern Europe such as Greece and the Balkan countries. Other than Cyprus, it had better CPI scores than most other mid-eastern countries. But what about now and what does this mean for the US based multi-national who is currently doing business in Turkey or considering doing so?

One of the things that a compliance program must have is the flexibility to respond to changing events on the ground. Just as last summer’s GlaxoSmithKline PLC (GSK) corruption scandal in China brought attention to those issues in China, these very public events should bring the attention of your compliance team. My former This Week in FCPA co-host Howard Sklar said that a compliance program needed to be nimble in order to respond to such events in far-flung places. Risks change and they must be evaluated on a regular basis or in response to new facts on the ground, such as those which are present in Turkey.

There may also be more than anti-corruption risk at play in any given situation. If a company only looks at one type of risk, such as anti-corruption, rather than others such as export control or anti-money laundering (AML) it can lead to the concept of what is called the “functional trap” of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review (HBR), entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes declare that good risk discussions must be integrative in order for risk interaction to be evaluated. If not, a business “can be derailed by a combination of small events that reinforce one another in unanticipated ways.”

The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect which can lead to a lack of discussion by a wide group regarding a number of risks, for example compliance risk; reputational risk; brand risk; credit risk; human resources risk are but a few of the types of risks mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to “anchor their discussions in strategic planning, one integrative process that most well-run companies already have” in place.

The authors cautioned that beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discussed the experience of the Indian IT company, Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company’s risk profile coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.

I believe that the current political turmoil in Turkey provides an example of the diversity your compliance program and risk assessment must maintain. Just as it is important to perform due diligence on third party representatives, before execution of an appropriate contract, the real work is in managing the relationship. In risk management, you must identify and assess the risk but the real work begins in managing the risk. This is where the rubber meets the road.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014