Over this three-part series, I will be visiting with Ben Locwin on how to more fully operationalize your compliance program. In Part I, we consider how embedding compliance as a key component of the business equation and the role of forecasting can aid in operationalizing compliance.

The Benefits of Embedding Compliance

It all begins with setting up a process which is fully documented and is fully auditable. While many businesses will use their first available dollars on Research and Development (R&D), new product or service offerings, QA/QC or a similar exercise, I believe that by operationalizing compliance you can achieve many significant stakeholder goals. This is short-sighted as many compliance issues can grind businesses to a halt as expeditiously as a safety hazard or on-site workplace injury. However, the landscape is changing from traditional and omni-present corporate scandals to more cross-cultural movements such as #MeToo. Now the unfortunate thing about this reality is that the landscape is unlikely to change unless we, the participants and practitioners of this, make the change.

Locwin drove the point closer to home when he related the all-too-often story about the homeowner who purchases flood insurance after a hurricane hits his hometown. Yet the insurance industry exists in order to insulate yourself from risk. Yet the all too human reaction of waiting until after the event to purchase the insurance to protect you from the event is absolutely contrary to the whole notion of how insurance works. Locwin noted this is the same for a compliance program. If you are not operationalizing compliance and making it a key part of the business equation you are simply planning to fail. On “average there will be a compliance gap of note, whether it’s relatively small or absolutely critical, there’s something that’s going to happen and making compliance non-discretionary prevents these issues from rearing their heads.”

On the practical level, Locwin believes you need to move compliance down into all the levels of the organization; from the lowest levels to the highest levels and across all the verticals. This provides the compliance function with its greatest visibility and impact because if you do embed compliance, you will see a lot of different things coming from different levels in the organization. This will work to expand the reach of your compliance function so compliance is not just the job of a Chief Compliance Officer (CCO) or just a handful of people in the corporate office trying to scan across the business, which may operate in many countries.

Embedding compliance acts as a key means to expand the reach of your program in other ways as well. Locwin stated, “detectability is one of the key problems within compliance. You simply cannot possibly detect all of the issues you need to know about and be aware of from the corporate office. For multinational companies, there is a great likelihood that many of the things that are potentially going wrong do not have adequate detectability. By embedding compliance across all the functions and down into the levels, it provides you, the CCO, with a mechanism where you are able to uncover issues when they happen and hopefully earlier than you ever would have uncovered them before.”

Another reason for embedding compliance is the professional backgrounds of many compliance professionals, who came out of the General Counsel’s office. While their training was legal, it did not focus on the more quantitative components of business processes. By embedding compliance at the operational level, you can draw on not only the process experience of your front-line troops but also the quantitative nature of your sales team. Your front-line people not only do compliance, but embedding it also makes their business processes more efficient. This can be a key part of the business equation of operationalizing compliance: compliance that is not only embedded but actually a business positive for the organization.

Locwin agreed, noting that in addition to the corporate office not having the “bandwidth to be able to see everything that needs to be seen and uncover everything that needs to be uncovered, after you embed the process closer to the front line of the business and you train those persons in doing compliance; the entire process will become more efficient.” Embedding compliance allows the front lines of an organization to assess and manage risks more closely and take the information from risk-based monitoring and loop it back into your compliance process. I have found that by embedding compliance more closely to the business frontline, you actually have the ability to be more agile and nimble to manage risk more efficiently at the end of the day.

The Role of Forecasting in Operationalizing Compliance

Most compliance practitioners understand the roles of risk assessments and risk-based monitoring in a holistic risk management strategy. However, they often miss the first prong of the three parts, forecasting. Moreover, without forecasting it can be difficult to more fully operationalize your compliance program.

Dwight Eisenhower once said, “Planning is everything, the plan is nothing.” The verb of planning is the important aspect, full of cognitive horsepower, not the piece of paper with a plan on it. The problem is that not everyone can take the paper plan and operationalize it to make it do what it was designed to do, but all the people in the planning session who sweated the details could explain the context of the risk they are seeking to manage. The intersection of planning as a verb and forecasting is assessing certain events which may well occur and continuously adjusting your plan.

Locwin believes the reason forecasting is so important is because forecasting identifies events which are likely to occur in the business environment and this can be in the next couple of weeks, month, quarter, year or further down the road. It is important to realize that forecasting is not 100% accurate because if it was, we could call it prediction. Locwin stated, “I think it’s important to realize that when we do strategic planning, we should not come at it from a point of saying we can’t possibly know what’s going to happen next month, so therefore I don’t have any sort of plan in place.”

The forecasting process should start with what Simon Sinek, author of “Start With Why.” This means you need to first understand what it is you are trying to solve. According to Locwin, you should “come at it from a perspective of we’re looking to detect, find, solve, de-risk the organization in the following areas.” Data inputs and metrics at this point are obviously useful as well as a second set of eyes from a third party not associated with the forecasting team.

The Department of Justice (DOJ), in its Evaluation of Corporate Compliance Programs (Evaluation), emphasized the need for a feedback loop of information throughout the risk management process. This means that after forecasting and risk assessment comes risk-based monitoring and the information secured should be looped back into your forecasting to update and refresh it. The quicker you can get real time information and feed it back through this loop, the better. Locwin stated, “The idea is the faster you can accelerate a current state results back into the process to say “let’s course correct now” the less of a lag time there is, the more likely you are to have an important and meaningful impact on future iterations of the process design and what you’re detecting.”

It is the final component, the feedback loop, which the regulators are placing greater focus on. Yet through this feedback loop, you not only more fully operationalize your compliance program but make it more efficient, moving from detect to prevent to prescriptive. From the process perspective, Locwin said, “I think the most important feature there is make sure you have accurate and timely data which you are feeding back into the process as quickly as possible so that you can keep up with the ever-changing external environment. If you need to change the process, the sooner you know you need to change it, the more quickly and effectively you can make those changes.” This means that if you are not making the changes in a timely way there is the potential for higher risks to the organization.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018

 

Jonathan Marks is a leading fraud expert. He’s helped companies across multiple markets uncover fraud. Jonathan has innovated compliance by creating the Fraud Pentagon. His innovation builds upon work that was done years ago, the fraud triangle. Jonathan takes it to new levels that are in line with today’s sophisticated, technology-saturated world. Today, he and Tom talk about how you can use the Fraud Pentagon in the field.

  • Jonathan dispels a common myth about the fraud triangle, why it was created, and what types of companies it targeted. He explains why this is no longer enough in today’s world. One of the biggest reasons is that fraud is happening in huge corporations like Enron.
  • The Fraud Pentagon includes the following points: pressure, opportunity, rationalization, arrogance, competence. Jonathan explains his two new additions, arrogance and competence, and why they apply on new levels based on a deeper understanding of fraudsters, their mental states, and their technological know-how.
  • Four of the five points on the pentagon are human factors which lead to stereotyping, or so at least the adherents to the fraud triangle believed. And their fear of stereotyping led them to overlook some of the most telling characteristics of fraudsters. Jonathan looks at the Fraud Pentagon as profiling and explains how profiling – not stereotyping – is necessary.
  • The Fraud Pentagon is great in theory, but how is it in action? Jonathan points at a huge difference between the triangle and pentagon. The triangle looks at WHY fraud occurs. The pentagon reveals how he, as a fraud practitioner, uses the framework to advise companies on their policies, procedures, and more, by looking at the gatekeepers. Books and records don’t commit fraud. People do.
  • The Fraud Pentagon is much further reaching than a single risk situation. Jonathan and Tom discuss where else it can be used to find corruption and malfeasance. It doesn’t just apply to fraud practitioners; it can also apply to boards and committees.


In this episode of the FCPA Compliance Report, I visit with Laura Perkins, a partner at Hughes Hubbard & Reed. Perkins formerly worked with the Department of Justice, FCPA Unit, departing in September 2017. We discuss the decision of self-disclosure of a potential FCPA violation to the Justice Department. Some of the highlights include:

  • What should a company expect after it makes a decision to self-disclose to the DOJ? What information should be in the initial self-disclosure?
  • What should be in the initial investigation plan they present to the DOJ?
  • When should remediation begin and how much information does the government want to know about in this area?
  • What should a company do to satisfy the government it has secured all documents and communications?

We next turned to the resolution phase and discussed several topics including:

  • When is a company ready to present information to the DOJ that it believes the matter should be closed, whether through declination or charging document?
  • How is the final penalty decided? Is it through negotiation or simply presented to the company?

For more information on Laura Perkins and Hughes Hubbard & Reed, check out the firm’s website, here.

There is not much more iconic in the US than Starbucks. As such they present some very visible and public lessons learned for the compliance practitioner. Recently Starbucks generated extremely negative news for having Philadelphia police arrest two persons who were waiting for a third person for a meeting. I want to use this most recent black eye for Starbucks and an earlier incident to help explain the need for a nimble and agile risk management process in any best practices compliance program. This risk management process includes forecasting, risk assessments and risk-based monitoring.

Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law, out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risk and you should consider a multitude of factors such as the operating procedures, processes and systems and training. Of course, the execution of that process is a critical component as well.

All these things, to some degree, should appear in a risk assessment for the organization. Meaning, at the corporate level, what happens if your core product becomes something different than simply a consumer product, such as coffee? There should be a risk assessment node which has a component that notes these changes so that you can adapt as necessary. A robust risk management process should be designed to elevate these new issues. If something does change, the next step would be to take an appropriate course of action to address any of those risks.

The most recent story involved the arrest of two African-American men who were waiting for a third person at a Philadelphia Starbucks. As Matt Kelly noted in his Radical Compliance blog entitled “Starbucks and Policy Management Perils”, the story was “two black men, Rashon Nelson and Donte Robinson, entered a Starbucks in downtown Philadelphia to meet an acquaintance for a business appointment. Nelson first asked the manager to use the bathroom; the manager declined and said the bathroom is reserved for paying customers only. The men then sat at a table without ordering anything, waiting for their acquaintance to arrive. The manager, who is white, came to their table and asked if they wanted to order anything. They said no. Two minutes later, the manager called the police to evict Nelson and Robinson from the store. The police arrived and arrested them for suspicion of trespassing.” After spending several hours in jail, the two men were released.

Matt detailed many of the issues from the compliance policy and procedures perspective. However, I see another lesson for the company. Starbucks was initially a coffee shop, selling coffee and the coffee experience. If you have ever been to the original Starbucks across from Pike Place Market in Seattle, it is the consummate coffee shop experience as it does not even provide seating. The most recently opened Starbucks in Houston is gorgeously laid out with comfortable chairs and full working tables for those writing blogs.

With its ubiquitousness and growth the company has largely become the meeting place of America. Starbucks’ design has made itself America’s public space with clean, welcoming and open stores. It is certainly one thing if you have a coffee shop with limited seating to request persons there purchase a cup of joe but that type of approach is inconsistent with being America’s greenspace, open and welcoming to all. If you have made yourself that deeply embedded into America’s consciousness as the gathering spot to wait for meetings or even type out and post a blog (as Matt did for his blog on the subject) your risk profile has rather dramatically changed.

This means your forecast and risk assessment must take into account there will be racism and racial profiling by Starbucks store managers. This event did not happen in the South where many similar attitudes still exist but in a major Northern metropolitan center. Starbucks should have not only forecast this risk but it should have been more closely assessed in both its hiring practices and ongoing training. As to the latter, Starbucks has announced a one-half day nationwide store closure for training on racial discrimination issues. While some may say this is too little, too late; at least it is a start.

The difference between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As risk management specialist Ben Locwin has explained, “What you’re trying to do then is decide on how you would address these. Risk assessments will percolate to the top of the list, your risk registry. Those items which are most consequential for your organization, whatever it happens to be. Again, just like forecasting, risk assessments apply to every organization.”

Starbucks had previously provided another example which illustrated the differences between forecasting and a risk assessment, yet how the two are complementary. During a past winter, when I began purchasing hot coffee products from Starbucks, as opposed to the cold drinks I buy during the hotter parts of the year, I discovered that baristas no longer put sleeves on coffee cups but required you to ask for one. The second time I had to ask for a sleeve, I inquired from the barista why I had to do so. She replied that corporate had changed the policy for environmental reasons and that she could only provide a sleeve at the specific request of the customer. When I pointed out that it slowed the line down and was much less efficient in the delivery of Starbucks’ coffee, she replied, “You’re absolutely right. I hate it. Would you please email Starbucks and tell them of your dissatisfaction?”

Locwin noted, “what you’ve put your finger on is the crux of the balance of forecasting versus risk assessment. They’re two very different things, but at the same time, as they weave through time, they interchange. For example, Starbucks would potentially say, “We forecast that consumers are going to be more concerned about paper use, sleeves, the economic costs to the world, of extra paper waste and things. We’re going to, in certain locations, let’s say across Texas, we’re going to pilot that we don’t give out sleeves unless they’re asked for.” In their risk assessment, which I can tell you didn’t change from that forecast, what they then should have had was a commensurate line item which said, “If consumers start to have a problem with what’s being done at these locations, our immediate contingency plan is to do the following, to strip it away immediately, full stop, so that every cup gets a sleeve, so that they’re not slowing down lines, consumers say you heard us immediately, and then the organization is back on track.

Their forecast plans something, the risk assessment should have had countermeasures to address, and instead if they didn’t have this in place, they’re going to have to wait until they start to have a Twitter feed that blows up… The risk assessment model should say, “Then we will do the following. Texas was dissatisfied by this change and same in our pilot in Wisconsin. Let’s stop not giving out sleeves… Then eventually that starts to dissipate and they get rid of this whole new silly paradigm.””


The furor over the arrest of the two men at Starbucks may well last for some time. As noted, at least Starbucks did not try and hide behind the rogue employee argument. It is stopping its business for a half-day to address the problems in its own organization. I hope every compliance practitioner can learn from Starbucks’ mistakes and responses.


Today I conclude my two-part series on the role of a Compliance Committee Chair. However, first I wanted to honor Barbara Bush, who died Monday. She was as beloved a First Lady as America has seen, certainly in my lifetime. In Houston, she was a near mythic figure for her generosity, love and commitment to the city after the Bushes returned in 1993. According to her obituary in the New York Times (NYT), “the Bushes had celebrated their 73rd wedding anniversary in January, making them the longest-married couple in presidential history.”

Personally, Mrs. Bush “was regarded as unpretentious, a woman who could wear fake pearls, enjoy takeout tacos, walk the dog in her bathrobe and make fun of herself. Perhaps adding to her appeal, she conformed to the popular view of an old-fashioned grandmother, with her white hair and matronly figure; though she was almost a year younger than her husband, many thought she looked much older.” My personal favorite Barbara Bush one-liner was when she announced to her husband “Watch out or I will tell who was my favorite president”. Perhaps the final word should come from Mrs. Bush herself, who once said, “I want to be known as a wife, a mother, a grandmother. That’s what I am. And I’d like to be known as someone who really cared about people and worked very, very hard to make America more literate.”

The role of a Chief Compliance Officer (CCO) is that of a doer. However, if you move up to the Board of Directors and become the Compliance Committee Chair, your role changes. This post will consider the remaining points from Stanislav Shekshnia’s Harvard Business Review (HBR) article, entitled “How to Be a Good Board Chair”, from the perspective of the Chair of a Board of Directors’ Compliance Committee.

  1. Measure the inputs, not the outputs

This prong clearly sets out one of the key differences in being a CCO and a Compliance Committee Chair. At the Board level, the key is to measure the quality of your inputs so that you can develop better oversight. These include people, committee agendas, committee materials, committee processes and committee minutes. Of these by far the most important is the people part; that is, a Compliance Committee needs real compliance expertise. If there are knowledge gaps in this area, the nominating committee should be engaged to find such an individual.

The remaining inputs can be assessed through Compliance Committee evaluations and your outside consultants’ reviews. As Compliance Committee Chair, you should ask how your agendas cover compliance strategy, compensation and succession, investments, risk, and disclosure. You should ask the other members to evaluate the Compliance Committee meetings for length, candor, airtime allocation, engagement level, and resolutions. Finally, you should seek “feedback on his own performance: How well does he frame questions, facilitate exchanges, articulate decisions, and conduct reviews?”

  1. Be the Chair, not the boss

It may be tempting to see the role of the Compliance Committee Chair as the boss of the CCO. However, that is not the proper perspective. As a Chair, your role is to represent the Compliance Committee and full Board. You should keep the other Compliance Committee members well-informed and be a conduit for information and subject matter expertise to the full Board. It is the role of the Compliance Committee to be the collective boss of the CCO and make sure it “provides the goal, resources, rules, and accountability” the CCO needs within the organization.

To do so, you need to provide what every boss should provide to their subordinates: motivation, control, advice, and mentoring. You should organize the Compliance Committee content and the communication process so that the CCO has these tools and understands them. If you are a retired senior compliance executive, you can mentor the CCO but understand it should be based on your experience in communications and leadership from the CCO role, not as a substitute for the current CCO.

  1. Be a representative with the shareholders not a player

While the Board Chair will be the public interface of the company, as the Compliance Committee Chair, you may be called on to fulfill that role for the area of ethics and compliance. Here regulations may require limited communications but even if they do, you must ensure equal and fair treatment for all shareholders, both big and small. These communications must be the collective voice of the Compliance Committee and not simply the Compliance Committee Chair as an individual.

Properly viewed, shareholder input is not to be feared and can be a valuable asset. The Compliance Committee can benefit from their experience, knowledge, networks, and other resources, if they stay out of the boardroom. The key is engagement in a meaningful way through listening (another leadership skill), by posing appropriate questions and reporting this information back to the Compliance Committee and if warranted, the full Board. In this #MeToo era, I think it is incumbent that shareholders be communicated with fully on the Compliance Committee’s response to this issue.

The author concludes by noting that ultimately, the challenge for the Compliance Committee is not really about traditional leadership at all and certainly not the leadership they may have exhibited as a CCO. This is not to demean or lessen a key Compliance Committee function: counseling and supervising the CCO and overall compliance regime. However, as a Committee, that responsibility is collective, and the Compliance Committee Chair’s job is to enable the full Compliance Committee to be effective. This is done through facilitation and not command. The Compliance Committee Chair’s role is to create the conditions under which the entire committee can have productive group discussions. Finally, “good chairs recognize that they are not first among equals. They are just the people responsible for making everyone” a good member.

 
