In this episode of Excellence in Training, Shawn Rogers provides some thoughts on how training frequency and the amount of training can positively or negatively impact an overall training strategy.

In our previous podcast, we talked about how compliance training is like a car’s windshield wiper system. That podcast was about measuring training effectiveness. In this episode, we extend the analogy of the windshield wipers and discuss how frequently compliance training should be administered. Often, companies have been conditioned to think that compliance training needs to be conducted very frequently, even if it means repeating the same training courses every year.

Today, we challenge that mindset, starting with the windshield wipers. Typically, you only turn on your windshield wipers when it is actually raining. Anytime you drive the vehicle, you know that the wiper system is in place. It’s always ready to be used if needed.

It would not make any sense to run your wipers constantly, even when it is not raining. First, it would be extremely annoying to the passengers if the wipers were always running. And second, eventually it would wear out both the wiper blades and the wiper motor. It would simply be nonsensical. Compliance training should be applied in a similar way. It should be available and ready to be used when the risks are present, and it should be applied in such a way so that it directly addresses those risks. In other words, before a company deploys its compliance training, it needs to know what the risks are, and the training program should be designed (“tailored”) to mitigate those specific risks (“risk-based”).

Requiring overly repetitive training is like running your windshield wipers in clear weather. The learners are going to be annoyed (rightfully), the training will be viewed as a waste of time and energy (which it would be), and the learners won’t take training as seriously when it is really needed to address a specific situation (because it is viewed as a check-the-box exercise).

There is a situation when you use your wipers during clear weather. This is when you want to clean — or “refresh” — your windshield. Over time, dirt can accumulate on the windshield and a little squirt of wiper fluid and a few swipes of the wipers will instantly clean the windshield and clear the driver’s view.

It be fantastic if we viewed compliance training in the same way instead of giving an hour-long course on a topic they have heard before, what if instead employees received a 10-minute “refresher” training just to maintain their awareness and get the message that they should constantly be vigilant?

There are some compliance topics that are so important to a company that training needs to be required fairly regularly, maybe even annually. For instance, at GM, we have decided that it is important to provide reminder training annually on a few topics:

  • The importance of our Code of Conduct;
  • The importance of speaking up when a concern is observed, and how to report the concern;
  • An understanding of the company’s non-retaliation policy;
  • The importance of workplace and vehicle safety; and
  • The requirement to disclose conflicts of interest.

At GM, we are moving towards a less frequent repetition of lengthy training courses for our current employees, and more frequent “refresher” or “reminder” training modules that keep the risk top-of-mind without assuming that lengthy courses need to be repeated every year. It is a very common sense and defensible approach to compliance training.

New GM employees are required to take more detailed courses during their first year so that they are exposed to the key risks in detail. After that, full-length courses are staggered in a three-year interval so we can keep the courses updated and to avoid over-training.

Disclaimer-As a company, GM uses many training vendors. GM’s compliance function primarily uses two vendors. Rogers has worked with other good vendors that currently do not work with GM. Rogers is not promoting any specific vendors, nor is he disparaging any specific vendors in this podcast. And, of course, these opinions are Roger’s alone and opinions that  developed over almost 15 years. He is not speaking on behalf of GM in any way.

We have been getting accountability all wrong in the compliance profession. It’s not a set of tasks – it’s a way of thinking and it has to come from the heart as well as the head. On Accountability: The Heart of Compliance Tom Fox and Sam Silverstein dig into what accountability means to the corporate compliance function and business organizations and most significantly, how to make it an integral part of your culture. In this episode we consider a recent example of the lack of accountability in the corporate world, Wells Fargo and the complete disconnect between what the (former) CEO was saying and the reality on the ground for employee. Some of the highlights include:

  • Why are there disconnects from what senior leadership says or believes and life in the trenches for employees?
  • How does an organization turn things around?
  • Is bringing in a new CEO enough or must an organization do more?
  • Why is transparency is still the best disinfectant?

For more information on Sam Silverstein and his work on accountability, click here.

Halloween is almost upon us and we celebrate the greatest Halloween cartoon in the history of the world, ever, “It’s the Great Pumpkin, Charlie Brown”, which premiered in 1966. As usual, the story revolves around the Peanuts gang, who are preparing for Halloween, Linus writes his annual letter to the Great Pumpkin, despite Charlie Brown’s disbelief, Snoopy’s laughter, Patty’s assurance that the Great Pumpkin is a fake, and even his own sister Lucy’s violent threat to make her brother stop. On Halloween night, the gang goes trick-or-treating. On the way, they stop at the pumpkin patch to ridicule Linus missing the festivities, just as he has done every year. Undeterred, Linus is convinced that the Great Pumpkin will come, and even persuades Charlie Brown’s little sister, Sally, to remain with him to wait. At 4:00 AM the next morning, Lucy awakes up and notices that Linus is not in his bed. She finds her brother asleep in the pumpkin patch, shivering. She brings him home and puts him to bed. Later, Charlie Brown and Linus are at a rock wall, commiserating about the previous night’s disappointments. Although Charlie Brown attempts to console his friend, admitting that he himself has done stupid things in his life also, Linus angrily vows to him that the Great Pumpkin will come to the pumpkin patch next year.

The compliance lesson from Linus’ adventure; it is process validation. Unlike Santa Claus, who we have been repeatedly told “Yes, Virginia there is a Santa Claus”; there has been no process validation for the Great Pumpkin. Linus faints when he thinks he sees the Great Pumpkin rising from his pumpkin patch; unfortunately it is only Snoopy. In the compliance world, process validation comes through oversight. Two of the seven compliance elements in the 1992 US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. In the 2012 FCPA Guidance, in Hallmark IX of the Ten Hallmarks of an Effective Compliance Program, it mandated ongoing monitoring to continually update and improve your compliance program. The Department of Justice’s Evaluation of Corporate Compliance Program, 2019 Guidance, made clear that monitoring of your compliance program through reviewing data and looping it back into your system that is a bare minimum for an effective compliance program.

Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

I hope that you have the chance to watch It’s the Great Pumpkin, Charlie Brown again this year. I did. When you watch, think about the compliance implications. Will anyone ever set a ‘second set of eyes’ on the Great Pumpkin? If not, will it ever be validated? I hope that if you are trick-or-treating tonight, you will be safe and dry.

Doug Cornelius Responds:

Are you trying to say that the Great Pumpkin is not real?

Just wait ’til next year, Tom Fox. You’ll see!

Next year at this same time, I’ll find a pumpkin patch that is real sincere! And I’ll sit in that pumpkin patch until the Great Pumpkin appears. He’ll rise out of that pumpkin patch and he’ll fly through the air with his bag of toys.

The Great Pumpkin will appear! And I’ll be waiting for him!

I’ll be there! I’ll be sitting there in that pumpkin patch… and I’ll see the Great Pumpkin. Just wait and see, Tom Fox. I’ll see that Great Pumpkin.

I’ll SEE the Great Pumpkin!

Just you wait, Tom Fox.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2019

As Tom steadies himself for the Astros to head to Washington and the Nationals home park, facing an attack of Natitude; he and Jay reflect on some of this week’s top compliance and ethics stories which caught their collective eyes.

  1. SEC examiner (allegedly) steals confidential information on company investigation, then leaves SEC to become company’s CCO. Dylan Tokar reports in WSJ. Matt Kelly opines in Radical Compliance.
  2. What are the data privacy considerations in investigations. Cleary Gottleib lawyers in NYU’s Compliance and Enforcement
  3. Are you looking at your 3rd parties for data protection issues? Adam Hill in NYU’s Compliance and Enforcement
  4. What are the stakes for corporate wrongdoers? Dan Portnoy in the Grand Jury Target.
  5. What are 5 common weaknesses in OFAC Compliance programs. Mike Volkov explains in Navex Global’s Ethics and Compliance Matters
  6. Whats, whys and hows in M&A assessment. Jay starts a new series on CCI.
  7. Why is understanding behavioral science critical for a compliance programs? Jeff Kaplan dissects it in the FCPA Blog.
  8. Why is a speak up culture hard to find. Dick Cassin explains in the FCPA Blog.
  9. AI and internal audits. Kevin Alvero and Randy Pierson on CCI.
  10. Avanir engages in corruption in the US. Not FCPA but FCA violation. Mike Volkov explains on Corruption, Crime and Compliance.
  11. Tom had a great group of top notch podcasts, on the CPN this week. Check out the following lineup: FCPA Compliance Report– Francine McKenna on the KPMG-PCAOB mess; Innovation in Compliance-ReThink Compliance on why content is still king in compliance; #GWIC with Barbara Petitti; 12 O’Clock High– how the leadership of JP Morgan halted the Panic of 1907; Life with GDPR– Brexit and Compliance. The podcast will be available on multiple sites: the FCPA Compliance Report, iTunes, JDSupra, Megaphone, YouTube,  Spotify and theCompliance Podcast Network.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is       Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit our sponsor Affiliated Monitors at www.affiliatedmonitors.com.

World Series travel day so no scores to report. However, today I conclude my exploration of some of the films of Val Lewton during his tenure at RKO. Given the trajectory of horror films from the ‘30s and ‘40s, most particularly the Universal classics of Frankenstein, Dracula, The Mummy, The Wolfman and The Invisible Man; Lewton took things in a very different direction. As I have previously noted, the pictures he produced were much more psychological, with the terror occurring largely off-screen, left to the viewers imagination. I find that in many ways, Lewton presaged such films as Halloween, Jason, Nightmare on Elm Street and Friday the 13th in terms of atmospherics, although certainly not in terms of gore.

One of the best examples is the 1945 film, Isle of the Dead. In this movie the horror is a superstitious belief in a vorvolaka, a malevolent force in human form. Lewton once again brings back Boris Karloff to star in an eerie and creepy film where people living on what was thought to a desolated island die off suddenly. The island itself is properly evil and haunted as it the final burial place of victims of the Balkans War of 1912. A doctor on the island believes it is a septicemic plague which causes the deaths but an old Greek woman believes it to be a vorvolaka, in the guise of the red and rosy servant girl living in their midst.

The doctor believes that the plague may be eradicated in one day if the hot, dry sirocco winds arrive to the island. Eventually the sirocco winds do arrive and the plague is eradicated. Yet by then Karloff’s character as well as several others have gone made and either killed each other or killed themselves. The black and white filming allows terrific use of light and shadows. The tension in the movie is so great, Martin Scorsese has called Isle of the Dead, one of the Top Ten horror movies of all time.

I offer this final entrant in my 2019 October HorrorFest series as an introduction into the concept of scoping the role of your Chief Compliance Officer. What should a company do when it desires to hire a CCO? To find out, I visited with Maurice Gilbert, Founder of Conselium Partners LP, one of the country’s top compliance-focused executive recruiting firms. Gilbert believes that it behooves any company to find the right CCO or compliance practitioner for the right position. To do so, a company needs to fully understand and appreciate what it needs from such a position going forward. Unfortunately, many companies do not have this insight at the beginning of the recruitment process.

The process often begins with the company supplied job description, which Gilbert noted is “typically a legacy of various things that are not even updated. It’s a hodgepodge of things that maybe began a few years ago, but it needs to be updated to reflect what’s going on in the company at that particular moment. You have certain business risks. You have certain regulatory risks. You need to be attentive to those risks so that you could build your profile about what those risks need to be addressed presently.” Moreover, “what you’re going to get in a company job description is just a litany of things that actually could be quite disjointed and may not necessarily make sense for what you’re going to be asking the person to do.”

Gilbert brings the key company stakeholders into an initial meeting to help them understand the process. Obviously, this will include HR and others involved in the hiring process for the company. Gilbert gets them to rethink their approach to focus on what they will ask the new hire to accomplish because typically there is a disconnect between what the company thinks it needs and what it really needs.

The next step is developing an appropriate job profile. Gilbert asks the key stakeholders to give him a list of four things they would like the new hire to accomplish in the first year of employment. By limiting to this to four, Gilbert not only ends unrealistic expectations but helps winnow down the inevitable laundry list of wanting the professional to accomplish 30 things within their first year, many of which are inconceivable. “They must be done in the course of several years. When we listen to the response, we are counseling our client as to whether that makes sense or if that’s an unreasonable, let’s say, expectation.”

Gilbert gave an example of a recent search he headed for a client. One of the things he was able to develop at this initial meeting was that the company wanted the CCO “to spend the first two, three months evaluating her staff, to see if she has the appropriate team in place for the rest of the journey. By the way, she’s traveling all over the world doing just that. Evaluating her staff.” However, that task alone could take several months. The company also wanted the CCO to perform a comprehensive risk assessment immediately upon starting the position. It is simply not realistic to expect such disparate and time-consuming tasks to be performed so quickly, all the while the new CCO would be expected to travel to company locations across the globe.

Another important issue in this initial meeting is the professional growth opportunities that the company will present to any candidate. Gilbert explained that this is something companies do not always appreciate in the hiring process. Yet, as he explained, a company is trying to get a seasoned executive to leave a position, so they need to have an attractive package ready to present. It is more than simply salary and benefits. Gilbert said, “we have to capture data such as, “What are career growth options once a person steps in and does a good job for three, whatever, years?” We should capture data. “What is the culture of the company? What is the culture of the compliance department? What are the hot buttons and the management strategy, if you will, of the hiring authority? How does that person like to interface with the individuals?”

A final query to the company is around the sourcing of candidates. Gilbert needs to know if there are any particular competitors, or companies, which the client feels are out of bounds for sourcing candidates from and before he leaves the meeting, he needs to know the companies that his client does not want Conselium to recruit from going forward.

These points are quite illuminating for several reasons. First, a company must be clear on what it wants the new CCO to accomplish and to thoroughly consider what it would need to commit to in terms of resources to have these goals accomplished. Second, the communications flow facilitated learning on the part of both parties. (For the client, this was to have a realistic expectation of the new role. For Gilbert, it was to help develop an appropriate job profile.) It also demonstrated the collaborative nature of the relationship. By engaging in this process, Gilbert can move from simply a third-party executive search firm to a trusted advisor to the client. Moreover, by having such a relationship, Gilbert can deliver a much more focused and valuable service beyond the typical generalist experience available inside a corporation in the hiring process.

From these discussions, Gilbert develops a job profile and presents it to the company to have them sign off on not only the package of what they are looking for in a candidate, but also the package they will be willing to present. Gilbert related that through the capture of an agreement with these points, he is ready to begin the next step, which is to tell the compelling story about the job position on behalf of his client.

I hope you have enjoyed reviewing some of the old classic horror films from the 1940s. It certainly has been a joy for me to rewatch them this October to help prepare the year’s October HorrorFest series. Now get ready for all the ghouls and gobblins of Halloween.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2019