Auditing of third parties is critical to any best practices compliance program and an important tool in operationalizing your compliance program. This is a key manner in which a company can manage the third party relationship after the contract is signed and one which the government will expect you to engage in going forward.

You should plan four to six weeks in advance. In preparing for the audit, you should:

  • perform the audit with your legal counsel’s lead to preserve privilege;
  • work with the business sponsor to establish key business contacts;
  • discuss audit rights and processes with the third party;
  • prepare initial document request lists for financial information queries;
  • review findings from previous audits and their resolutions;
  • review details of opened and closed internal investigations;
  • review any Code of Conduct questionnaires that are available; and
  • be cognizant of any related Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement actions.

The next step is to determine the entry points of foreign government involvement: (1) direct and (2) indirect. The direct category includes: customs and duties, corporate taxes and penalties, social security or national insurance issues for employees, obtaining in-country visas and work permits, public official gifts and entertainment, training of and attendant travel for employees of government owned entities, procurement of business licenses and permits to perform work and, finally, areas around police escort and security. In the indirect category, some of the key areas to review are: customs agents and freight forwarders, visa processors, commercial sales agents, including distributors and, finally, those who might be consultants or other channel partners.

Document review and selection is important for this process. You should ask for as much electronic information as possible well in advance of your audit. It is much easier to get database records for internal audits than for audits of third parties. Try to obtain records in database or Excel format and not simply in .pdf. Request the following categories of documents: trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries, and revenue by country and customer.

Your lead interviewer needs to be culturally sensitive, patient and must negotiate a good working relationship with the forensic auditors on your audit team, who will be reviewing the documents from their professional perspective. Regarding potential interviewees, focus on those who interact with government entities, foreign government officials or third parties, including those personnel involved with:

  • Business Leadership
  • Sales/Marketing/Business Development
  • Operations
  • Logistics
  • Corporate Functions: Human Resources, Finance, Health, Safety and Environmental, Real Estate and Legal.

For the interview topics, there are several lines of inquiry. Remember this is an audit interview, not an investigative interview. You should not play ‘gotcha’ in this format. You should avail yourself of the opportunity to engage in training while you are interviewing people. The topics to interview on include:

  • General policies and procedures;
  • Books and records pertaining to FCPA risks;
  • Test knowledge of FCPA and UK Bribery Act including facilitating payments and their understanding of your company’s prohibitions;
  • Regulatory challenges they may face;
  • Any payments of taxes, fees or fines;
  • Government interactions they have on your behalf; and
  • Other compliance areas you may be concerned about or that would impact your company, including: trade, anti-boycott, anti-money laundering, anti-trust.

In the review of the General Ledger (GL) accounts, you should consider commission payments to agents and representatives, any facilitating payments made, all payments around travel, meals and entertainment, payments made around training, gifts, charitable contributions, political donations and sales and promotion expenses. Payments made for customs or freight forwarders and other processing agents, permits, licenses, taxes and other regulatory expenses should also be reviewed. Additionally, any entries pertaining to community contributions and social responsibility payments should be assessed and, finally, a review of any security payments, extortion payments, payments to legal consultants or tax advisors or fines and penalties should be considered.

Regarding bank accounts and cash disbursement controls, you should review the following:

  • Review controls around bank accounts and cash disbursements;
  • Identify and review authorized signers, approval levels, and bank reconciliations;
  • Ensure all bank accounts are included in the General Ledger;
  • Identify and review certain bank and cash disbursement transactions;
  • Identify offshore bank accounts.

In the area of cash funds, review the following:

  • Review controls around petty cash funds;
  • Ascertain processes in place regarding disbursement and reconciliation of cash funds;
  • Identify and review payments to government officials, agents, or any unusual or suspicious activities; and
  • Identify and review certain bank transactions and test for any improper payments.

For gifts, travel and entertainment, you should explore payments made through employee-reimbursed expenses; scrutinize any suspicious expenses submitted, expenses lacking adequate documentation and incorrect postings; and identify and review accounts associated with gifts, meals, entertainment, travel, or promotion. In the area of payroll, consider the risks around the use of ghost employees, the hiring of relatives of government employees, and the use of bonus payments, and be sure to request a payroll listing and review it for any such persons.

You should review GL accounts and expenses for related items. In taking a look at payments under local law, you should obtain a list of payments to the government required by local laws and identify and review payments to government authorities or employees, customs authorities or agents, income tax authorities or license requirements. For payments made to third parties, you should review commission and expense payments for compliance with company policy and also trace payments to the third party’s bank account.

Three Key Takeaways

  1. Be prepared.
  2. It is not an investigative interview but an audit interview.
  3. Listen, listen, listen.

 

This month’s podcast series is sponsored by Opus. Opus helps free your business from the complexity and uncertainty of managing the risks associated with your customers, vendors, and third parties. By combining the most innovative Third-Party Risk Management and Know Your Customer Compliance SaaS platforms with unparalleled data solutions, Opus turns information into action so your business can thrive. Opus solutions include Hiperos 3PM accelerator, the leading platform for third party risk management. To learn more, go to www.opus.com.

 

The building blocks of any Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program lay the foundations for a best practices compliance program. For instance in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of operationalizing compliance.

An article by Mark Trowbridge in an issue of Supply Chain Management Review, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, provided useful insights into the management of the third party relationship. While the focus of the article was having a strategic approach to contracts management, the author’s “five ways to start professionalizing your approach to outsourcing contracts” were an excellent manner to consider steps in the management of third party relationships.

The key is to have a strategic approach to how you structure and manage your third party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to “control risk while optimizing the performance” of your third parties. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties.

Consolidate Third Parties but Retain Redundancy

It is incumbent that you consolidate your third party relationships to a smaller number to “yield better cost leverage.” From the compliance perspective, it also should make the entire third party lifecycle easier to manage, particularly steps 1-4. However, a company must not “over-consolidate” by going down to a single source supplier. You should build a diversified supplier base through “dual-sourcing”. From the compliance perspective, you may want to have a primary and secondary third party that you work with in a service line or geographic area to retain this redundancy.

Keep Tabs on Subcontracted Work

This is one area that requires an appropriate level of management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

When Disaster Strikes, Make Sure Your Company is Legally Protected

This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws but if you do not have the clause, you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) during the pendency of a FCPA investigation. Finally, you need a clause that requires your third party to cooperate in any FCPA investigation. This means cooperation with you and your designated investigation team but it may also mean cooperation with US governmental authorities as well.

You also need the ability to move between third parties if the need arises. This is the redundancy issue raised above. You do not want to be stuck with no approved freight forwarders or other transporters in a certain geographic area. If a compliance related matter occurs, you may well need certain contractual rights to move your work and to require your prime third party to cooperate with the transition to your secondary third party.

Keep Track of Your Third Parties’ Financial Stability

This is one area that is not usually discussed in the compliance arena around third parties but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward Red Flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can do this by a simple requirement that your third party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished.

You should take advantage of automated financial tracking tools to keep track of material changes in a third party’s financial stability. You should also use your in-house relationship manager to regularly visit key third party relationships so an on-the-ground assessment can be a part of an ongoing conversation between your company and your third parties.

Formalize Incentives for Third Party Performance

One of the key elements for any third party contract under the FCPA or UK Bribery Act is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance with the FCPA or other anti-corruption compliance regimes.

By linking contractual compensation to performance, there should be an increase in third party performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked. This would seem to be low hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs.

You should rank third parties based upon a variety of factors including performance, length of relationship, benchmarking metrics and KPIs. This is a way for the compliance practitioner to have an ongoing risk ranking for third parties that can work as a preventative and even proscription prong of a compliance program and allow the delivery of compliance resources to those third parties that might need or even warrant them. 

Three Key Takeaways

  1. Have a strategic approach to third party risk management.
  2. Rank third parties based upon a variety of factors including compliance and business performance, length of relationship, benchmarking metrics and KPIs.
  3. Keep track of the financial stability of your third parties.

 


How does one measure effectiveness? In Wichita, Kansas, in 1876, when it came to a town Deputy Sheriff, the final measure was the elected government. On this day in that year, the town’s Commissioners voted not to extend the employment of Deputy Sheriff Wyatt Earp due to his violent behavior in assaulting a candidate for the town’s Sheriff. Perhaps the Commissioners did him (and his brothers) a favor as they all went on to achieve fame at the OK Corral in Tombstone, Arizona in 1881. However, on this day some five years earlier, the Commissioners of Wichita did not see it quite that way. But, as reported in This Day in History, the town newspaper conceded, “It is but justice to Earp to say he has made an excellent officer.”

Determining effectiveness has been on my mind in large part since the release of the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (Evaluation). Obviously the new by-word from the Evaluation is operationalization but a key in determining operationalization is determining your compliance program effectiveness. Last month, the Health Care Compliance Association (HCCA) and the Department of Health and Human Services, Office of Inspector General (OIG) jointly issued a document to assist the compliance practitioner in this precise task. It is entitled “Measuring Compliance Program Effectiveness: A Resource Guide”. 

The document is an excellent resource on not only “what to measure” but equally important “how to measure” the seven elements of a compliance program as detailed in the US Sentencing Guidelines. While the focus is towards the health care industry, the concepts are broad enough for any industry or compliance practitioner to use to determine the effectiveness of their compliance program. Did I mention the cost – it is available at no charge on the OIG website.

Sourced from the CHC Candidate Handbook for certification in health care compliance, each section, detailing one of the seven elements, begins with a list of issues which should be considered. They are as follows:

  1. Standards, Policies, and Procedures – 18 issues to be considered;
  2. Compliance Program Administration – 24 issues to be considered;
  3. Screening and Evaluation of Employees, Physicians, Vendors and other Agents – 8 issues to be considered;
  4. Communication, Education, and Training on Compliance Issues – 13 issues to be considered;
  5. Monitoring, Auditing, and Internal Reporting Systems – 17 issues to be considered;
  6. Discipline for Non‐Compliance – 9 issues to be considered; and
  7. Investigations and Remedial Measures – 18 issues to be considered.

Once again, although focused on health care compliance, the Resource Guide is practical for the non-health care compliance professional. Further, it ties into many of the concepts articulated in the Evaluation. For example, in the Evaluation, Prong 2. Senior and Middle Management, the following questions appear under the heading Oversight – What compliance expertise has been available on the board of directors? Have the board of directors and/or external auditors held executive or private sessions with the compliance and control functions? What types of information have the board of directors and senior management examined in their exercise of oversight in the area in which the misconduct occurred? 

In the Resource Guide, the following appears under Element 2: Compliance Program Administration, Board of Directors:

  What to Measure, followed by How to Measure:

  2.1 Active Board of Directors
    • Review minutes of meetings where Compliance Officer reports in‐person to the Audit and Compliance Committee of the Board of Directors on a quarterly basis.
    • Conduct inventory of reports given to board and applicable committees.

  2.2 Board understanding and oversight of their responsibilities
    • Review of training and responsibilities as reflected in meeting minutes and other documents (training materials, newsletters, etc.). Do minutes reflect board’s understanding?
    • Review/audit board education – how often is it conducted? Conduct interviews to assess board understanding.

  2.3 Appropriate escalation to oversight body
    • Review minutes/checklist in compliance officer files.

  2.4 Commitment from top
    • Review compliance program resources (budget, staff).
    • Review documentation to ensure staff, board and management are actively involved in the program.
    • Conduct interviews of board, management and staff.

  2.5 Process for escalation and accountability
    • Process review (document review, interviews, etc.). Is there timely reporting and resolution of matters?

In the Evaluation under Prong 3. Autonomy and Resources, the following questions appear under the heading Funding and Resources – How have decisions been made about the allocation of personnel and resources for the compliance and relevant control functions in light of the company’s risk profile? Have there been times when requests for resources by the compliance and relevant control functions have been denied? If so, how have those decisions been made?

Under Element 2 in the Resource Guide, in the section entitled “Compliance Budget”, the following appears:

  What to Measure, followed by How to Measure:

  2.6 Appropriate oversight of budget
    • Review charter of governing body (Board) to verify it includes approval of compliance budget.

  2.7 Budget is based on an assessment of risk and program improvement/effectiveness
    • Is the Board’s approval of the budget based on identified risks and effectiveness evaluation/program improvement?

  2.8 Sufficient compliance program resources (budget, staffing)
    • Review budget and staffing to ensure significant risks are managed appropriately.

These are just a couple of examples of how a compliance professional can begin to think through the questions laid out by the DOJ in its Evaluation. Moreover, by using the Resource Guide, you will be able to more fully determine the operationalization of your compliance program. The stated purpose is to give compliance professionals “as many ideas as possible, be broad enough to help any type of organization, and let the organization choose which ones best suit its needs.” Yet it is decidedly not a checklist but rather allows any Chief Compliance Officer (CCO) to assess the effectiveness (and operationalization) of their program.

It also allows the tailoring and measurement of how you manage your company’s risks. As the Resource Guide states, “The frequency of use of any measurement should be based on the organization’s risk areas, size, resources, industry segment, etc. Each organization’s compliance program and effectiveness measurement process will be different.”

Both the HCCA and OIG are to be commended for this most useful tool. I urge you to review it and think about how you will demonstrate both your compliance program effectiveness and the operationalization of your compliance program through this or a similar exercise.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

The European concern Airbus has been in the news recently for corruption issues. According to an article in the Financial Times (FT), entitled “Airbus sued by middlemen fired following fraud inquiry”, its annual report lists multiple ongoing fraud and corruption investigations which have a risk of a “material impact” on the company’s profits. Yet it was another issue which caught my eye and it was that the company is “being sued by consultants and middlemen who were dismissed as a part of a compliance review initiated following fraud probes around the world.”

At some point, you will be required to terminate a third-party and there will be multiple legal, compliance and business issues to navigate going forward. If you are stuck doing it in the middle of a Foreign Corrupt Practices Act (FCPA) or Bribery Act investigation, such as Airbus is currently under with the UK Serious Fraud Office (SFO), there may well be some tension to do so and do so quickly. If you have not thought through this issue and created a process to follow before it all hits the fan, you may well be in for a very tough road.

The key theme in termination is planning. The Office of Comptroller of the Currency, OCC Bulletin 2013-29, said that regarding third-party termination, a bank should develop a “contingency plan to ensure that the bank can transition the activities to another third party, bring the activities in-house, or discontinue the activities when a contract expires, the terms of the contract have been satisfied, in response to contract default, or in response to changes to the bank’s or third party’s business strategy.”

In an article entitled “Breaking Up Is Hard To Do”, Carol Switzer related how to avoid pain by planning for the end of a third-party relationship. She said it all should begin with “an exit strategy, a transition plan or a pre-nup—whatever the title, it’s best to begin by planning for the end which, in the case of business at least, will always eventually come. Whether due to contract completion or material breach, turning over responsibility to another party, or abandonment of the contracted activity altogether, contract termination is an inevitable phase in the third-party relationship lifecycle.” Planning for the end is important because, “The more long term and layered the relationship, the more difficult it will be to disentangle. The deeper the third-party is embedded in and uses the confidential information of the company and its customers, the greater the risks presented by failing to design a smooth transition process.”

It should originate with clearly specified contract termination rights but that is only the starting point, “To work out a smooth transition, the plan must also include internal change management processes and policies, designated transition team members, contingencies, and adequate resources and time allowances.” Your corporate values must be protected by “clearly designating the disposition of shared intellectual property and infrastructure assets.” Next you need to think through your transition plan by “ensuring rights to hire or continue use of key contractor employees who have been servicing your account, arranging to bringing new contractors or internal managers up to speed, and filing any regulatory or other required notifications.” Finally, bear in mind that your reputation must be protected during this transition process “by controlling and planning for issuance of public statements and social media postings by terminated contractors or their employees, or the best laid transition plans may be for naught.”

You will also need to consider the business risks around the termination of a third-party, particularly on the sales side of your business. This may mean sitting down with a customer or group of customers to explain the reasons behind the termination. Obviously if your business team has not developed a relationship with the end-using customer, this can be a difficult and very problematic conversation.

Unless you are exiting a business sector or territory, you will need to replace the third-party. This means going through the entire five-step process with any potential sales agent or representative. Such planning needs to be built into your termination strategy. If the reason for termination is a contract violation or, worse, a FCPA violation, there may well be other notifications which are required, both internally and externally to government regulators. You have also been under some type of contractual nondisclosure language and so consultation with your legal counsel, once again both in-house and outside, may be required. Finally, never forget the reputation damage by releasing such information, or conversely not disclosing it. Both sets of reasons may hurt your business reputation as well.

In addition to the above steps, there are some specific considerations you should take. In the area of data, data privacy and data accessibility, if a third-party has access to your network and systems, such access must be revoked. If your terminated third-party has physical data, you must plan for the return of your data to you in a format that is acceptable to you and is secure. If your data is confidential, you may want to require that it be returned in an encrypted format and via an encrypted channel. You should lay out the time frame for the return of any data.

Alternatively, you can specify that data be destroyed. If this is the route you take with your third-parties, it should be performed in a way which is secure so the data cannot be reconstructed at a later date, through the use of surreptitiously created backup or duplicate data. You should mandate the third-party provide to you a certificate of destruction that confirms the destruction of your data and the methods used for destruction. Information that must be retained should maintain the data protection requirements currently in place, or stronger if the applicable laws change during the time of retention.

Although rarely considered, the termination of a third-party relationship can be as important a step as any other in the management of the third-party lifecycle. While having the contractual right to terminate is a good starting point, it is only the starting point. You not only need to have a compliance and legal plan in place but a business plan as well. If you do not, the cost in both monetary and potential business reputation can be quite high.

As for Airbus, the FT noted that the company said in its annual report it “faced multiple investigations in Germany, Greece, the UK, Romania and Australia.” It said that as a result of these inquiries and commercial disputes, it was enhancing its policies, procedures and practices, “in particular in respect of sales support activities”. The company went on to note that it “has significantly reduced the number of middlemen used in foreign sales and last year abolished the Sales and Marketing Organisation that managed these intermediaries.” It also said it was “conducting enhanced due diligence as a precondition for future or continued engagement and to inform decisions on corresponding payments”, the report stated. The company had hired “legal, investigative, and forensic accounting expertise of the highest calibre” to review all of its third-party relationships.

 


On this day in 1970, Apollo 13 landed safely in the Pacific Ocean four days after disaster struck. Two days into the mission, some 200,000 miles from Earth, an oxygen tank blew up and Astronaut Swigert reported to Mission Control, “Houston, we’ve had a problem.” The drama was followed by the entire world as both the three-man crew and “Mission Control were faced with enormous logistical problems in stabilizing the spacecraft and its air supply, as well as providing enough energy to the damaged fuel cells to allow successful reentry into Earth’s atmosphere. Navigation was another problem, and Apollo 13’s course was repeatedly corrected with dramatic and untested maneuvers.” (history.com, 2017)

If you watched the movie or read the story, you will recall it was largely the staff who developed the solutions that brought the spaceship home, not senior management. It was as fine an example of operationalizing a solution as one could hope for in an organization. The key concept from the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Program (Evaluation) is operationalization. For instance, under the query Shared Commitment is the following question: “How is information shared among different components of the company?” Under the Prong relating to Policies and Procedures, Designing Compliance Policies and Procedures asks, “What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?” Lastly, under the same Prong is Responsibility for Integration, with the following question: “Who has been responsible for integrating policies and procedures?”

These questions point to a Chief Compliance Officer (CCO) or compliance practitioner demonstrating how compliance is being burned into the fabric of an organization. While leadership at and from the top has long been considered by both the DOJ and compliance professionals as a key element to move compliance forward, the Evaluation has also crystalized thinking around compliance leadership from the middle and the bottom. I thought about these concepts when reading a recent Financial Times (FT) article in Employment Global Best Practice by Andrew Hill, entitled “Leadership from the bottom up”. I was particularly struck by a quote from Shlomo Ben-Hur, a professor at IMD business school, who said, “We teach the top 5 per cent — but the majority of this work is carried out by the other 95 per cent.”

In Ben-Hur’s work he found that many executives came from the middle management ranks. They tended to be persons “with a determination to “take what I have responsibility for and make it truly great.”” Anecdotally, he related, “They typically said, ‘I’ve responsibility for the minibus,’ and people then asked them to drive bigger and bigger buses until one day they drove the whole business.” Think of the military and the responsibility given to front line commanders and how that “is increasingly reflected at large companies.”

The key for companies is that senior management must “find ways to transmit leadership skills to people who do not have ‘leader’ in their job description and will probably never attend a top-level leadership program.” Hill noted, “Ben-Hur’s work has focused on ensuring that managers understand how to assign the right jobs to their team members and motivate them to perform well, using theories of behavioural change that senior executives have typically never learnt on their way to the top. Dedicated managers well below the executive board need to know how to use these tools.”

For the CCO or compliance practitioner, this provides a clear path to help in the operationalizing of compliance by providing the tools to persons far down the organization to put compliance into the operations of a business. One thing Hill writes about is that a company should nurture such learning because by doing so, it will not only teach practical skills around compliance but also foster a strong internal network of compliance advocates who can move initiatives up and down an organization. Moreover, as these individuals progress through the company ranks, they can take their compliance message with them at each new level.

Building on the writings of Hill and the work of Professor Ben-Hur, my suggestion is to build a Compliance Excellence Center in your company. Bring in middle-managers to focus on understanding not only their roles in compliance but also how to assign the right team members to a compliance initiative and motivate employees going forward. Hill wrote that Airbus has recently established a corporate ‘university’ to spread leadership ideas through the company. Airbus’ theory behind this push is “being a leader isn’t just about being a vice-president; it’s about being able to push the company towards new ways of doing things and executing the things we have to execute. That could [apply to] a blue-collar worker on the shop floor or a VP.”

A key is not simply to train such middle and front line managers on compliance but to get them to consider rollout, effectiveness, testing and improvement. In other words, as Jay Martin would say, it is all about execution. One way to help facilitate this is through exercises using incentives to “make leadership insights stick and change workplace behavior.” Hill also writes that concepts from entrepreneurship can assist in such learning by encouraging managers to “think and act independently” to operationalize compliance. Finally, never forget mentoring as a manner to spread good compliance practices throughout a company if a more formal approach is not possible.

Too often, strategies to move a compliance program or even an initiative come from the top of an organization and are pushed down. To fully operationalize compliance, you must have leadership in compliance further down the organization which (hopefully) has been a part of the design process and can lead the implementation throughout an organization. Do not forget the example of Apollo 13 and the operationalized engineers who developed the solution to bring the damaged spaceship home. If you put a system in place to train your middle managers in compliance, it will go a long way towards taking your compliance program from good to great.

 
