Peter Grossman comes from a publishing and entertainment background, having worked at US Weekly and Rolling Stone. Given this background, he and his partner initially targeted the entertainment industry when they co-founded their production company, Labyrinth Training. However, they were offered the opportunity to work with AB InBev to create compliance training that their employees would actually pay attention to. Since that time, Labyrinth has focused on creating training for the compliance industry. Peter joins Tom Fox on this week’s show to talk about the innovative ideas, strategies and techniques in training and communications that his company brings to the compliance space.

Fixing What’s Wrong With Compliance Training

People love learning, Peter says, but they generally do not like school. The problem with compliance training is that it’s usually built by test takers, with little to no emphasis on engaging learners. Oftentimes you have a situation where compliance training is done in December when employees are the least engaged. That’s not the time to try to shove information down people’s throats, Peter argues. Training should be something that makes a difference, that changes behavior. As such, it should be something people want to do, not just have to do. You need to attach creative and innovative ideas to what you’re trying to convey to grab people’s attention and make it memorable. Essentially, your training should be about engaging your workers year round in a culture change.

Memorable Storytelling

Whenever you roll out a training, it should feel like a cool office party, Peter says. The goal is to have people talking about it afterwards by attaching your policies to storytelling. Tom asks him how he applied this strategy at AB InBev. Peter shares the attention-grabbing narrative they developed for AB InBev’s compliance training program. It was so memorable and relatable that it became a company inside joke. What’s most important, he says, is that workers now remember what to do in certain moments because of that training. “The idea is that when you create characters that resonates with everybody, that’s what sparks the behavior change and gets people remembering it throughout the year,” Peter comments. He advocates bringing storytelling to everything – from broad topics to the most nuanced – because people will remember it.

A New Podcast

Tom mentions that Peter will be joining the Compliance Podcast Network with his new podcast. He asks him to give listeners a preview of what is to come. Peter says the name of the podcast is In The Lab. It’s going to be a very loose, conversational show. He will bring his storytelling background to the show as the format will be about talking to people and hearing their stories.

Resources

LabyrinthTraining.com

peter@gadfly.io

One of the lessons we have learned from various Foreign Corrupt Practices Act (FCPA) enforcement actions over the years is how complexity in business organizations can work to defeat compliance programs. Whether a corrupt employee is working to actively hide a pot of money which can or will be used to pay a bribe or an improper payment slips through the cracks; complexity can work to defeat a best practices compliance program. If a compliance function does not have visibility into a business unit, how it does business and where its payments are going; it may be due to designed or inadvertent complexity.

I was therefore interested in a recent Harvard Business Review (HBR) article which attacked this issue head on. It was entitled “Taming Complexity” by authors Martin Reeves, Simon Levin, Thomas Fink and Ania Levina. The first thing to understand about complexity is that it is not all a bad thing. Complexity can add to organizational resilience and even flexibility. It can also lead to adaptability, as sustained business and compliance performance requires new offerings and capabilities – which can be created by recombining existing elements in fresh ways. Finally, complexity can lead to better coordination by business units across geographic regions and product lines. The bottom line to all of this is that complexity is not only here to stay but in the increasingly global world of business, it is a necessity. How is the compliance professional going to deal with it going forward?

The authors list several ideas and concepts which you can employ. They start with a company using simple, common operating principles. That is, “simple underlying principles with which all elements and connections must comply. That increases the chances that new elements and connections will fit comfortably into the organization and also contains complexity.” They pointed to a company which ran its business on foundational principles, specifically including transparency. If you can move towards both transparency in all of your processes and protocols AND in the human element, so that personnel do not hide information, it can work to reduce complexity or at least make the complex less opaque.

Perhaps counter-intuitively, the authors also suggest relaxing controls. While this may actually sound antithetical to the compliance professional, a deeper analysis reveals this is actually the operationalizing of compliance. Instead of micromanaging each compliance decision, allowing employees the freedom to engage in constant, iterative experimentation can lead to more-powerful compliance outcomes than deliberately designing and tightly managing each step. This is particularly true in organizations whose environments are evolving in unpredictable and unprecedented ways.

The operationalization comes from the emergence of innovations. The more that autonomous small teams and even individual employees are experimenting with new elements and connections, the more options they create for the organization – as long as the innovations are properly codified and made available to all teams and groups. A great example of this was the GeoRegion Compliance Committees developed by BakerHughes Company. However, a critical element is that employees are required to document and then report their recommendations and predict outcomes. From this point, the compliance function can “serve as an enabler and a sounding board for the experimenters rather than to direct them precisely.”

Lastly is a step the authors call “fix, repair and prune.” While this step is closely akin to prevent, detect and remediate, it does present views not normally used by compliance professionals. Yet once again, if you think about it for any length of time, you can see that it will add robustness to a mature compliance program. Here the authors suggest creating a culture that encourages employees to look out for and eliminate obsolete processes. Of course this requires a true speak up culture and fully functioning reporting system. But if you have this the authors believe you will increase both the “level and pace of innovation.” Conversely, if you fail to do so, you might well “reach the point where nobody has a complete understanding of them.”

While it is true that complexity in an organization can accumulate “until it is intractable and hard to reduce through incremental action.” If your organization is in that situation, you will need to develop another set of processes to unstick the complexity and recycle resources to reduce the overall complexity. The authors impart “One way of achieving this is to establish new structures with a finite time horizon, identifying exit strategies in advance. By building in exit options at the beginning, rather than subjecting legacy elements to endless modification, leaders can avoid the accumulation of excessive complexity.”

While the authors believe that most companies say they “prefer simplicity over complexity, but the truth is that complexity is increasingly necessary for viability and competitiveness in today’s dynamic, unpredictable business environment.” I would say this is even more true for the corporate compliance function. As compliance moves into the 2020s, it’s a great decade of innovation and change is in front of us. Compliance is no longer lawyer-driven rules and regulations. Compliance is now properly scene as a business process and properly recognized, is not simply a business innovator but can also be a profit center.

Compliance is now in an era of brisk innovation and evolution. It is prone to technological change and rapid obsolescence of the lawyer-driven, spreadsheet and word document-based compliance program. Going forward the compliance professional needs to understand that a “package of resilience, adaptability, coordination, and inimitability becomes more attractive than the package of efficiency, understandability, manageability, and predictability.” The key is to learn how to harness complexity on a sustainable basis.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2020

Companies have finally come to realize that institutional justice and fairness are perhaps the most basic tenet of any successful workplace. If employees believe they will be treated fairly, it will engender a level of trust that can work to not simply motivate employees but lead to a more successful workplace and, at the end of the day, a more profitable company. This encompasses the entire lifecycle of the employment relationship, from hiring through separation. It works in areas as seeming disparate as compensation and incentives, discipline, promotion and internal reporting.

On this final point, Kyle Welch and Stephen Stubben, in their 2019 paper entitled “Evidence on the Use and Efficacy of Internal Whistleblowing Systems”, noted that a robust whistleblower reporting system speaks to a functioning and ethical corporate culture. Employees who can report issues, in a fair manner, without fear of retaliation are more empowered to make the company run more efficiently and more profitably. Yet an equally interesting finding was where there was robust internal reporting, employees were more likely to speak up to improve overall business processes, thereby making the company more profitable.

The issue of Institutional Justice is most clearly seen in the area of discipline. This can be in the overall application of a compliance program to all employees, Board members and senior managers.

As noted in the 2012 FCPA Guidance, Hallmark Six of the Ten Hallmarks of an Effective Compliance Program: “A compliance program should apply from the board room to the supply room—no one should be beyond its reach. DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropriate and clear disciplinary procedures, whether those procedures are applied reliably and promptly, and whether they are commensurate with the violation.”

 This mandate was brought forward in the 2017 FCPA Corporate Enforcement Policy which stated, “Appropriate discipline of employees, including those identified by the company as responsible for the misconduct, either through direct participation or failure in oversight, as well as those with supervisory authority over the area in which the criminal conduct occurred.” [emphasis supplied]

All of these concepts were continued in the 2019 Guidance, which stated, “Another hallmark of effective implementation of a compliance program is the establishment of incentives for compliance and disincentives for non-compliance. Prosecutors should assess whether the company has clear disciplinary procedures in place, enforces them consistently across the organization, and ensures that the procedures are commensurate with the violations.”

The 2019 Guidance then laid out the following mandates

Human Resources Process – Who participates in making disciplinary decisions, including for the type of misconduct at issue? Is the same process followed for each instance of misconduct, and if not, why? Are the actual reasons for discipline communicated to employees? If not, why not? Are there legal or investigation-related reasons for restricting information, or have pre-textual reasons been provided to protect the company from whistleblowing or outside scrutiny?

 Consistent Application – Have disciplinary actions and incentives been fairly and consistently applied across the organization? Are there similar instances of misconduct that were treated disparately, and if so, why?

One of the areas which Human Resources (HR) can operationalize your compliance program is to ensure that discipline is handed out appropriately and consistently across an organization and to reward those employees who integrate such ethical and compliant behavior into their individual work practices. In addition to providing a financial incentive for ethical behavior, it also provides a sense of institutional justice. Institutional justice comes from procedural fairness and is one area that will bring credibility to your compliance program.

Today, that institutional justice is called the Fair Process Doctrine, which recognizes that there are fair procedures, not arbitrary ones, in processes involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. As you incorporate the Fair Process Doctrine in your compliance program, there are three key areas to focus on.

Administration of discipline. One area where the Fair Process Doctrine is paramount is in the administration of discipline after any compliance related incident. Discipline must not only be administered fairly but it must be administered consistently across the company for the violation of any compliance policy. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

Likewise, there must be real consequences for an employee who violates your compliance program. If the regulators come knocking and you have not disciplined employees for Code of Conduct or compliance program violations in multiple years, the DOJ and SEC will conclude quickly you are not serious about compliance. Fair process means that you must discipline those who engage in compliance violations no matter what their position is within the organization.

Employee promotions. In addition to the area of discipline which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and only reward employees who achieve their numbers by whatever means necessary, other employees will certainly take note and it will be understood what management evaluates and rewards employees on.

Internal investigations. The third area of the Fair Process Doctrine is around internal company investigations. If your employees do not believe that the investigation is fair and impartial, then it is not fair and impartial. Further, those involved must have confidence that any internal investigation is treated seriously and objectively. One of the key reasons that employees will go outside of a company’s internal hotline process is because they do not believe that the investigation process will be fair. (Another finding of the Welch/Stubben study).

An often-overlooked role of any CCO or compliance professional is to help provide employees with institutional justice. If your compliance function is seen to be fair in the way it treats employees, in areas as varied as financial incentives, to promotions, to appropriate and consistent discipline meted out across the globe; employees are more likely to inform the compliance department when something goes array. If employees believe they will be treated fairly, it will go a long way to more fully operationalizing your compliance program.

Three key takeaways:

  1. The DOJ and SEC have long called for appropriate and consistent application of both incentives and discipline.
  2. The Fair Process Doctrinewill help set institutional justice as the norm in your organization.
  3. Inconsistent application of discipline will destroy your compliance program credibility.

The Department Of Justice (DOJ) and Securities and Exchange Commission (SEC) have both made it clear that they expect companies to be more robust in their use of data analytics in compliance programs. This means using data to not only detect and prevent illegal conduct but also in the remediation prong of any best practices compliance program as well through continuous improvement. This past year, former Deputy Assistant Attorney General Matthew Miner said in a speech that the DOJ will inquire whether compliance departments have access to internal data that could help them identify misconduct and whether compliance officers make adequate use of data analytics in their reviews of companies under investigation. Since at least 2016 in the Foreign Corrupt Practices Act (FCPA) enforcement action involving Key Energy Services, Inc., the SEC has been communicating to compliance professionals of the need for increased use of data and data analytics in any compliance program.

The new DOJ Antitrust Division released its Evaluation of Corporate Compliance Programs in Criminal Antitrust Investigations (Antitrust Guidance), was the clearest regarding this mandate when it stated, “Does the company use any type of screen, communications monitoring tool, or statistical testing designed to identify potential antitrust violations?” For the anti-corruption compliance professional, this means you need to incorporate a statistical analysis into your ongoing monitoring to see if there are any anomalies which could be indications of FCPA violations.

All of this government and regulatory focus on data for a compliance program will require many law school trained compliance practitioners to learn a new skill set to meet this mandate. I was therefore intrigued by a recent Harvard Business Review (HBR) article, entitled “When Data Creates Competitive Advantage”, by Andrei Hagiu and Julian Wright. In the article they laid out several precepts for using corporate data as a competitive advantage. While the authors have focused on customer data you should always remember that the customers of a compliance function are largely corporate employees (and others), I nevertheless, found their piece useful for the compliance professional.

The first thing to consider is the value of obtaining the data. Clearly, the more data a compliance program receives the more information it has in the form of feedback from its customers. This means a higher value add and the higher the value added, the greater the chance that it will create a lasting edge. That edge can be in preventing or detecting conduct which could lead to a FCPA violation, it could be part of continuous monitoring, leading to continuous improvement or it could demonstrate to the DOJ and SEC the robustness of your compliance regime.

Next is how soon do you reach a point where additional data no longer enhances the value of the compliance solution? The more slowly the marginal value decreases, the stronger the solution enhance will be going forward. Fortunately, there is little to no learning drop off for compliance information. The reason is simple, it is a business process and the more data you have and the longer you keep it, the more you can refine your process.

The authors then posed the tangentially related question, “How fast does the relevance of the user data depreciate? If the data becomes obsolete quickly, then all other things being equal, it will be easier for a rival to enter the market, because it does not need to match the incumbent’s years of learning from data.” As the only rival for an effective compliance program in this scenario is an ineffective compliance program, it should not be a construct to overcome.

Next, how well does the data you mine translate into an actionable solution across geographic and business lines? Ideally, it will do both, but the difference between the two is important. When data from one area improves the compliance solution for that section of your business, a company can then customize it across regions or business lines. It can also work to create what the authors term “network effects”. It can also work to make the compliance solution or enhancement both quite “sticky” and also provide a key advantage in competing for new customers.

How fast can you turn the data or its insights into an actionable compliance solution or an upgrade? If you can do so rapidly it can provide faster and greater benefits. But when it takes years or successive product generations to make enhancements based on the data, your compliance solution(s) may well fall by the wayside. This means that competitive advantage from greater data is stronger when the learning translates into more frequent improvements of the compliance solution or enhancement for your current employees rather than simply for future consumers of the compliance solution.

Next, will your data-enabled enhanced compliance solution create true network effects throughout your organization? When learning from one region or business lines translates into a better experience for other employees throughout your organization and when that learning can be incorporated into a compliance solution fast enough to benefit its current users, your employees will care about adopting the product.

The authors caution that “despite these similarities, regular network effects and data-enabled network effects have key differences, and they tend to make advantages based on the regular ones stronger.” First, the cold-start problem is usually less severe with data-enabled network effects, because obtaining data is easier than speculation or worse, no data. This means that  alternative sources of data, even if not perfect, can significantly increase your chances of success.

Second, to produce lasting data-enabled network effects, the firm has to work constantly to learn from your corporate data. Finally, with a data-enabled network, nearly all the benefits of learning from corporate data can be achieved with relatively low numbers of employees participating.

The bottom line is that it is not if but when you begin to incorporate corporate information into your compliance program to make your compliance program more efficient and your business process run more effectively. My suggestion is that you begin now to identify the data you have access to and the data to which you currently do not have access. Find a way to bridge that gap.

One of the key goals of any compliance program is to train employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. While it seems axiomatic that compliance training is a mainstay of any best practices compliance program, the conversation around training has evolved over the years.  The 2012 FCPA Guidance started the conversation stating:

Compliance policies cannot work unless effectively communicated throughout a company. Accordingly, DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.

Beginning in the fall of 2016, through the announcement of the FCPA Enforcement Pilot Program, the DOJ began to talk about whether you have determined the effectiveness of your training. This conversation continued with the 2017 Evaluation where it asked, “How has the company measured the effectiveness of the training?” This point has bedeviled many compliance professionals yet is now a key metric for the government in evaluating compliance training. It evolved further in the 2019 Guidance with the mandate that training must be “truly effective”. Finally, the training must be presented in a language in which the employees understand, which means in a local language, if the training is outside the US or other non-English-speaking countries.

Also raised in the 2017 Evaluation was the focus of your training programs, where the DOJ inquired into whether your training was “tailored” for the audience. This added two requirements. The first was to assess your employees for risk to determine the type of training you might need to deliver by risk ranking your employees. Obviously, the sales force would be the highest risk but there may be others who are deserving of high-risk training as well. From this risk ranking, you were required to develop tailored training for the risks those employees will face.

The 2019 Guidance spells this out in greater detail. Not only in the design but who receives it, all coupled with backend determination of effectiveness. Finally, all of this must be documented. Under Training and Communication, the following questions were posed by the DOJ:

 Risk-Based Training – What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees, including training that addresses risks in the area where the misconduct occurred? Have supervisory employees received different or supplementary training? What analysis has the company undertaken to determine who should be trained and on what subjects?

 Form/Content/Effectiveness of TrainingHas the training been offered in the form and language appropriate for the audience? Is the training provided online or in-person (or both), and what is the company’s rationale for its choice? Has the training addressed lessons learned from prior compliance incidents? How has the company measured the effectiveness of the training? Have employees been tested on what they have learned? How has the company addressed employees who fail all or a portion of the testing?

I would suggest that you start at the beginning with an evaluation of your compliance training and move outward. This means starting with attendance, which many companies tend to overlook. You should determine that all senior management and Board members have attended compliance training. You should review the documentation and confirm attendance. Make your department or group leaders accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

Some other metrics you should consider in the post-training evaluation phase include an increase in hotline use; are there more calls into the compliance department requesting assistance or even asking questions about compliance? Is there a decrease in compliance violations or other acts of non-compliance?

Consider using surveys to provide feedback on not simply compliance training but to determine effectiveness of a much wider variety of areas for your compliance program. These surveys can provide critical information on the state of your compliance program and provide substantive feedback for further inclusion back into your compliance program. Testing your program and using that information in a feedback loop is another key component of a best practices compliance program.

The importance of determining effectiveness of your compliance program has been enshrined by the DOJ. The 2017 Evaluation and 2019 Guidance demonstrates that the DOJ wants to see evidence of the effectiveness of your compliance program. This is something that many CCOs and compliance professionals still struggle to determine. Both the simple guidelines suggested herein, the more robust assessment and results provide you with a start to fulfill the precepts set out by the DOJ, as you will eventually need to demonstrate the effectiveness of your compliance training going forward.

Three key takeaways:

  1. How and why have you tailored your compliance training?
  2. The DOJ has mandated demonstrating the effectiveness of compliance training.
  3. How is your training presented: both in languages and media?