Most readers know of my love for Rock & Roll. That love extends to those who write about the genre too. Today, I want to pay tribute to one of my favorite early writers on Rock & Roll, Nick Tosches, who died at his home this weekend. According to his New York Times (NYT) obituary, Tosches, “and his fellow music writers Richard Meltzer and Lester Bangs were labeled “the Noise Boys” for their wild, energetic prose, a world away from fan magazines such as Tiger Beat” and Seventeen. He wrote for Creem, where he and Bangs created some of the most personal profiles of rock legends. He later moved on to biographies, writing about characters as diverse as Jerry Lee Lewis and Sonny Liston. My favorite Tosches novel was one where he imagined a (fictional) Nick Tosches being called upon to authenticate a previously unknow Dante tract.

How should a compliance professional think about managing risk? How about senior management? Even the Board of Directors is being called upon more and more to manage risk from its oversight perspective. I recently revisited a seminal Harvard Business Review (HBR) article on this subject, entitled “Managing Risks: A New Framework”, by Robert S. Kaplan and Anette Mikes. The authors posit that “risk management is too often treated as a compliance issue that can be solved by drawing up lots of rules and making sure that all employees follow them. Many such rules, of course, are sensible and do reduce some risks that could severely damage a company. But rules-based risk management will not diminish either the likelihood or the impact of a disaster.” To help avoid this situation, the authors laid out their version of a 6-Part Tool for ranking and assessing risks.

Many compliance officers, like myself, came to compliance from the General Counsel’s (GC) office. We tended to think that risk could be managed by a set of rules. This certainly formed the basis of Foreign Corrupt Practices Act (FCPA) compliance programs from 2004 forward. Early on they were written by lawyers, for lawyers. Obviously, this approach has evolved and now compliance programs are much more holistic in their approach to risk management.

The authors identify FCPA risk and a wide variety of other risks as internal risks. By this, they mean risk “arising from within the organization, that are controllable and ought to be eliminated or avoided… To be sure, companies should have a zone of tolerance for defects or errors that would not cause severe damage to the enterprise and for which achieving complete avoidance would be too costly. But in general, companies should seek to eliminate these risks since they get no strategic benefits from taking them on.” Interestingly, the authors recognized that “a rogue trader or an employee bribing a local official may produce some short-term profits for the firm, but over time such actions will diminish the company’s value.” In other words, at the end of the day, the cost of such behavior and activity far outweighs the gain.

The next type of risk the authors discuss is strategy risks. They believe that this type of risk category is quite different from internal risks “because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains.” This means that if your compliance program is more nimble and agile it can help to facilitate a level of risk management.

The authors believe that you need a “risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.” For instance, if your mergers & acquisition (M&A) team has a full compliance component, you are able to not only move more quickly but identify and manage a high-risk region, opportunity or business line.

Finally, is the risk which is not only the most difficult to plan for but often the most difficult to manage, which the authors identify as external risks. These are risks which “arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts.” It can also be when a competitor is caught in a scandal so massive the blowback hits your company. This means that external risks mandate another risk-management strategy approach. The authors conclude that as “companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.”

The best example of external risk I can put forward is something similar to what the German auto manufacturing industry faced after the Volkswagen (VW) emissions-testing scandal broke in 2015. It was so large it damaged not only VW’s competitors but also the German national brand of quality and honesty. It all involved the Made in Germany brand. Ulrich Grillo, the president of the BDI, the German global industry association, was quoted in Financial Times (FT) when he urged companies to check their “management processes, including compliance and control systems.” He suggested the question to ask should be “Are we doing everything right?”. It was the risk management strategy of compliance he suggested as the primary way for other German car companies to combat the negative publicity around VW.

Companies should tailor their risk-management processes to these different categories. Join me tomorrow where I take a look at how companies can begin to think through strategies for managing each type of risk and the role the compliance professional plays in this overall approach.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2019

In this episode of Excellence in Training, Shawn Rogers provides some of this thoughts on measuring training effectiveness.

As a GM employee, Shawn has exposed to the beauty and complexity of today’s automobiles.  Think back to the first automobile that you drove 20 or 30 or 40 years ago, and you’ll recognize how far the technology has progressed to make automobiles more efficient, more comfortable, and more safe. Compliance programs have come a long way as well. Joe Murphy recently tweeted that “in the old days, once a month the General Counsel would walk over to the Marketing Department, open the door, and yell “stop that!”

There are many subsystems that make up an automobile. One subsystem reminds me of a compliance training program — the windshield wiper system. This might seem odd, but it provides an interesting analogy. The windshield wiper system is critical to vehicle safety. Nobody would want a car that didn’t have windshield wipers. The wipers are a subsystem of the car’s overall safety system. The car’s entire safety system is designed to (1) prevent crashes, and (2) protect the occupants when a crash occurs.

Similarly, a compliance training program is very important. No company executive would ever say a company does not need to conduct compliance training. However, compliance training is just one part of the overall compliance program. It is not the entire program. The compliance program is designed to (1) prevent compliance violations, and (2) protect the company when a compliance issue occurs.

The windshield wiper system helps prevent crashes by making sure the driver has good visibility. A compliance training program has a very similar purpose. A good compliance training program provides clarity to the employees on how they are to behave in their daily jobs. When properly implemented, compliance training helps employees stay within the guardrails. The compliance training program fulfils a very specific purpose, but there are other parts of the compliance program that have to be in place as well to prevent compliance lapses to keep the company safe.

If you wanted to measure the effectiveness of a windshield wiper system, you would not try to come up with a metric that measured how many crashes the wiper system prevented. That measurement is too far removed from the specific function of the wipers, but it would be a good measurement of the overall safety system. The effectiveness of the wiper system must be measured by its ability to keep the windshield clear of visual obstruction when it is raining.

You would never measure the effectiveness of the wiper system by counting how many times the wipers were turned on, or how many window swipes were performed. The number of swipes reveals nothing about a wiper’s effectiveness. It could be a completely accurate metric, but it is also irrelevant to the question of whether the windshield was clear.

To measure the effectiveness of a compliance training program, you can’t come up with a metric that measures how many violations it prevented. Everybody knows intuitively that training helps prevent compliance violations. Again, that measurement is too far removed from the purpose of the compliance training program. However, it would be a good metric for the overall training program if you could figure out how to do it.

But how often do you see companies reporting the number of classes that were delivered? Or how many hours of compliance training were completed? It happens all the time. It could be a completely accurate statistic. It could be a measure of compliance program efficiency. It could be an indicator of an active compliance training program. But it in no way shows if the compliance training is effective.

But there are ways to measure training effectiveness. You can show that the training was aligned to the company’s risk profile. With user surveys and focus groups you can measure whether the learners feel that the training is applicable to their role and you can measure user satisfaction. You can ask learners to give examples of how they have changed the way they do their jobs.

Why don’t companies do a better job in measuring the effectiveness of compliance training? Because it’s very challenging to do. But there are ways to do it. Shawn conclude with one of his current ‘most favorites’ implemented at GM this year.

At GM there is a cybersecurity course that explains how to avoid phishing email scams. It is required of all employees that have a GM email account. To measure how effective the training was, the IT function came up with a method of sending out emails to random batches of employees that should have been recognized as phishing emails if they had paid attention to the training. If the employee recognized that the email was suspicious and clicked on the “Report Phishing” button, they were congratulated on reporting the email as suspicious. However, if they clicked on the link in the email, the IT team knew that the training had not met its objective. And, those employees that clicked on the link were kindly informed that they had failed the competency test and were provided with immediate feedback on how to avoid phishing scams.

Disclaimer-As a company, GM uses many training vendors. GM’s compliance function primarily uses two vendors. Rogers has worked with other good vendors that currently do not work with GM. Rogers is not promoting any specific vendors, nor is he disparaging any specific vendors in this podcast. And, of course, these opinions are Roger’s alone and opinions that  developed over almost 15 years. He is not speaking on behalf of GM in any way.

In this episode I visit with Parth Chanda, CEO of Lextegrity, a leading technology platform that combines the up-front due diligence approval of planned third-party spend with the analysis of actual spend — focused on fraud, corruption and conflicts of interest. Some of the highlights include:

  • Professional background for Chanda, with nearly 20 years in compliance.
  • Some of the problems the Lextegrity Integrity platform is addressing with for compliance professionals?
  • What traditional challenges do CCO’s face when they try to deploy compliance monitoring solutions? They include:
  1. Employees lacking sufficient tools to assess risk and take ownership of their own compliance.
  2. Complex reports or analytics for the business users not user-friendly or intuitive.
  3. Too few legal, compliance, IT and anti-fraud resources to support the business or continuous monitoring efforts.
  4. Disorganized and disparate data stores.
  5. Risks managed in multiple systems that don’t “talk to each other” or require duplicate entry or manual data input processes.
  6. Not having real-time analytics, reporting or monitoring, which leads to missed anomalies and patterns.
  • In September’s FRAUD Magazine innovation column authored by Vincent Walden he quoted you for the following, “Avoiding professional biases in your fraud risk management program”. How does the Lextegrity platform help avoid bias and integrating typical compliance functions with traditional internal audit functions?
  • How does the Lextegrity platform integrate both pre-approvals and monitoring? What are the benefits to that as compared to what’s in the market?
  • What’s the benefits to General Counsels and heads of investigations from the platform and about how the machine learning aspects help companies be more strategic and effective?
  • What advice do you have for CCOs and General Counsels when they are evaluating the use of data analytics into their compliance program?
  • Where can listeners go for more information? 

Resources

Parth Chanda

Lextegrity website

Article “Avoiding Bias in Your Fraud Management Program” by Vince Walden in September/October issue of Fraud Magazine

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the Compliance Podcast Network. In this show, we interview Ula Ubani, Chief Ethics & Conduct Officer for BMO Financial Group who is going to discuss the creative integrity and speak up program BMO developed by working with Ronnie Feldman and Learnings and Entertainment.

The program is entitled the BMO-On-The-Street With Actions Matterly a custom man-on-the-street-style integrity and Speak Up communications campaign, where real employees to championed the cause of compliance. It is the fascinating picture of how a traditionally conservative financial institution recognized the value of trying a more entertaining approach to ensure that employees pay attention to this important subject. They were rewarded by being the only Canadian bank to be recognized as a Worlds Most Ethical Company.

Some of the highlights include:

  • What is the BMO-On-The-Street With Actions Matterly?

o It is man-on-street style videos, interviewing employees and getting them to champion the cause

o  It was named after the BMO theme that Words and Actions Matter

o BMO wanted to be able to tackle the tough subjects

  • Why did BMO take this approach?

o We wanted to involve employee

o We wanted it to be fun and interesting because this can be a tough subject to get at.

  • Was BMO worried about using entertainment and humor and how did you handle that?

o We were careful to make sure that we never made fun of the issue. We made the character interesting/quirky allowing employees to be the heroes of the piece.

  • What was it about the campaign that made it such a success?
  • What have been the results, both expected and unexpected?
  • What advice would you give to others thinking about trying something creative like this…what lessons have you learned?

Resources:

Ronnie Feldman (LinkedIn)
Learnings & Entertainments (LinkedIn)
Ronnie Feldman (Twitter)

Learnings & Entertainments (Website)

60-Second Communication & Awareness Shorts – A variety of short, customizable, quick-hitter “commercials” including songs & jingles, video shorts, newsletter graphics & Gifs, and more. Promote integrity, compliance, the Code, the helpline and the E&C team as helpful advisors and coaches.

Workplace Tonight Show! Micro-learning – a library of 1-10-minute trainings and communications wrapped in the style of a late-night variety show, that explains corporate risk topics and why employees should care.

Custom Live & Digital Programing – We’ll develop programming that fits your culture and balances the seriousness of the subject matter with a more engaging delivery.

I am in a multipart series on the Framework for OFAC Compliance Commitments (Framework). Every compliance professional of any stripe needs to read, understand and implement some of the key concepts of the Framework into your corporate compliance program. It does not matter if its trade controls, anti-corruption or anti-money laundering (AML). This Framework has much to offer that you should consider. Mike Volkov has called it a “game-changer” and said, “Together with its aggressive enforcement of economic sanctions, OFAC has set a new standard for [sanctions compliance programs] SCPs, and has “strongly encourage[d]” companies and individuals subject to OFAC jurisdiction to implement a “risk- based approach to sanctions compliance by developing, implementing and routinely updating a SCP.” In this blog post we will consider Element 3 of the Framework, Internal Controls.

Not surprisingly under the Framework, it is necessary that an effective compliance program have internal controls, including policies and procedures, to prevent, detect, escalate and report compliance program compliance activity. Much to warm my heart, OFAC also specifies a key reason is to Document, Document, and Document these actions in any compliance regime. Internal controls are designed to define procedures and processes regarding trade sanction compliance and minimize the risks identified in your risk assessments.

The Framework recognizes the dynamic nature of compliance programs. It mandates that “policies and procedures should be enforced, weaknesses should be identified and remediated, and internal and/or external audits and assessments of the program should be conducted on a periodic basis.” In other words, your compliance program should have the ability to adjust rapidly to changes.

Under the Framework, Internal controls are systematic measures, such as reviews, checks and balances, methods and procedures, instituted by an organization that performs several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; to assist an organization ensuring the accuracy and completeness of its trade sanction information and data; to enable a business to produce reliable and timely management information; and to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties and others. They should be entity wide. For compliance purposes, controls are measures specifically to provide reasonable assurance that any assets or resources of a company are not sold to any prohibited party or shipped out to a designated country.

To implement effective internal controls, the Framework lays out seven prongs which should be met. They include:

  1. Written policies and procedure. Design and implement written policies and procedures outlining the compliance program. These policies and procedures should be relevant to the organization, capture your organization’s day-to-day operations and procedures and are set out in plain English and not legalese. It is interesting to see OFAC view policies and procedures as internal controls. This is analogous to the Securities and Exchange Commission (SEC) view that a Code of Conduct is an internal control in its enforcement action involving United Airlines and its former Chief Executive Officer (CEO) Jeff Smisek.
  2. Controls follow your risk assessment. Implement internal controls which sufficiently address the results of your organization’s risk assessment. In other words, your internal controls should enable prevent, detect, escalate and report compliance program compliance activity. It also requires calibration of the controls “in a manner that is appropriate to address its risk profile and compliance needs”. It is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within the operations of a company. There is a clear need for rigor in your internal controls protocols and adherence to that rigor can increase operationalization around the internal controls a company should consider including gifts, travel and entertainment expenses. Finally, you should routinely test your controls to ensure effectiveness.
  3. Testing of your controls. The effectiveness and adherence to your policies and procedures should be tested through both internal and external audits. This process should allow you to compare the internal controls current or actual performance to its expected performance to determine whether it is meeting its objectives and using its resources effectively. Moreover, it is a technique that businesses use to determine what steps need to be taken to move from their current state to their desired future state.
  4. Document, Document, and Document. Ensure that you document your policy, both design and retention, and adequately document your compliance program. You need to report your findings with the appropriate data and analysis presented, showing the strategic objectives, current standing, deficiencies, and whether the current situation is acceptable. Finally, all your analysis will be backed up with the data gathered during the analysis.
  5. When you learn of a lack of or the existence of a control weakness relating to trade compliance, take immediate and effective action, to the extent possible, to identify and implement controls until the root cause of the weakness can be determined and remediated. If the situation is unacceptable, you should present a course of action for improvement.
  6. You should clearly communicate your policies and procedures to all relevant staff, including compliance personnel, gatekeepers and business units operating in high-risk areas and to external parties performing compliance program responsibilities on behalf of your organization.
  7. Responsible Personnel. You must have personnel to integrate these policies and procedures into the operations of the organization. This includes relevant business units and you must work to make sure that the employees in any high-risk areas understand your organizations policies and procedures.

The internal control requirement under the Framework is not something new to the compliance practitioner. However, the seven prongs OFAC has laid out is a good way to think through the design, creation and implementation of your internal controls around trade sanctions.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2019