Continuous improvement can take many ways, shapes and forms. Typically, when it comes to third-party risks, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or employee of a state-owned enterprise, or a close friend or family member. There may also be an inquiry into knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices Act (FCPA) and compliance programs. Other information about criminal and legal history and references, both professional and commercial, may also be required. Hopefully these indicia are reviewed and updated on a regular basis.

One thing that is generally not considered is the financial health of the third party. It turns out such an oversight may have some significant ramifications for an accurate picture of a third party. The financial health of third parties is not only a key metric but also a key due diligence tool, which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.

A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point and a rationalization for committing an FCPA violation forming in the mind of a third party.

But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. James Gellert, CEO of RapidRatings, has noted, “Cyber security is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cyber security program. In a case like that, over time, a company partner of that firm is taking increased risks for cyber security breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cyber security problem and when that problem actually hits, it’s too late, it’s affecting revenue, it’s affecting reputation, it’s affecting all sorts of things.”

A database of financial health is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third party ecosystem”.

This is considering your third parties in a much broader manner, which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may tell you how well that third party will perform. Such information can be useful to you for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners, or even fourth parties, can help you meet your compliance requirements, maintain operational stability through the avoidance of business disruption, and support business continuity initiatives. Even better, you can cut through siloes to develop risk management strategies across multiple business functions.

This moves compliance into the business process cycle, creates greater efficiencies and at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate solid return on investment going forward. It also allows compliance to cut through many corporate siloes including such disciplines as business development, supply chain or procurement, manufacturing and finance.

Continuous improvement through monitoring of ongoing financial health is a tool where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to more and better operational stability and with that ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.

Three Key Takeaways

  1. What is the financial health of your third-parties? Do you even know?
  2. Poor financial results can open a company to engaging in risky behavior.
  3. Financial health monitoring can be used as continuous improvement.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at http://www.affiliatedmonitors.com/.

In this episode, Matt Kelly and I take a deep dive into the Public Company Accounting Oversight Board (PCAOB). We consider the role of the PCAOB in both audit standards and internal controls for compliance. What are goodwill and goodwill impairment, and how can goodwill be manipulated to create pots of money to pay bribes? We explore the question of whether there is a need for a fresh look at SOX 404. We discuss the role of skepticism by auditors. We end with the forthcoming new auditor report format: the SEC is scheduled to approve the new standard for that format soon, and some people want the SEC to veto it. We discuss how new SEC Chair Jay Clayton may handle this by approving it with a new PCAOB in place which takes a gentler approach to implementation.

For more information on the PCAOB, see Matt’s blog post PCAOB Overhaul Looms

For more on the intersection of compliance, audit and the PCAOB, see Tom’s four-part series with Joe Howell:

PCAOB, audits and compliance-Part I;

PCAOB, audits and compliance-Part II;

PCAOB, audits and compliance-Part III; and

PCAOB, audits and compliance-Part IV

Today I continue a five-part series on the soft skills a Chief Compliance Officer (CCO) needs to employ when working through the remediation component of a potential Foreign Corrupt Practices Act (FCPA) compliance violation. I am joined in this exploration by Dan Chapman, well-known in the compliance community for his in-house compliance roles at Baker Hughes Inc. and his CCO roles at Parker Drilling and Cameron International. Today I will consider step three: communications with stakeholders in the execution phase of the remediation.

You need to think through the timing of your communications and what is in those communications. Communications with stakeholders have multiple functions, but two key functions are (1) to report facts on the ground so the stakeholders are not surprised and (2) “to establish your credibility and build a level of trust.” Regarding the second point, Chapman notes, “The frequency of significant progress reports will slow as the ‘quick win’ opportunities become more scarce in the longer term. Therefore, your credibility and their level of trust in your ability to make progress will become more important over time.”

If you are engaged with highly focused gatekeepers, with a high level of compliance understanding, you can start off with relatively frequent meetings. Chapman noted, in the “beginning, as you are working through some of the short-term items, I think it may make sense to have more frequent meetings, whether it’s weekly, bi-weekly or monthly.” Here you once again must be respectful of the level of focus of your Board and C-Suite executives, and your communications should always be meaningful and substantive.

However, as you begin to move into the later phases of the remediation, your rate of specific project closures may slow as you move from the short to medium and longer term projects. Your frequency of meetings should probably lessen as well. One thing you do not want to have is a meeting where you essentially have little or nothing in the way of progress to report. There may be little benefit to both you as the CCO and the stakeholders. Chapman cautioned that too frequent meetings with too little progress to report could lead to the stakeholders wondering, “Is the CCO asking the stakeholders to do the CCO’s job? Are you asking them to make the decisions of a compliance expert? I found that it’s much healthier if the day to day running of the compliance function remains with the compliance experts, and Board members should receive reports and provide general oversight. In other words, they hold the CCO accountable, at a very high level, for the compliance function and, if they see something to which they object, they should object.”

Chapman cautioned he would “be conservative” in terms of frequency of communications. You want to make certain you have enough information to support a weekly call, but the pace will probably slow as you move through your remediation as you discover new issues, and they begin to consume more of your time. This can cause your rate of change to slow due to a number of issues that you are addressing in remediation. So, if you begin with 5 issues but then they expand to 15 or 20, this will require more substantive remediation, leaving less time for communications.

Once again, Chapman believes it is critical to set expectations that your rate of communications will slow during the pendency of the remediation. If you do so, this “will give confidence to your Board because they will look at the compliance officer and say, ‘He saw this coming. We now know that what he tells us is going to happen in the future will happen.’” You develop that credibility by correctly predicting what will happen.

Another issue which can arise in the communications area occurs when a Board member or C-Suite executive insists that an issue is high-priority where you have assessed it as low risk. If you move to remediate what you believe is clearly a secondary issue at best, it will consume both time and resources that you believe could have been used for more high-risk and high-priority remediation items. Yet, as the CCO you are required to address their concerns. Chapman suggested a couple of approaches to employ in this situation.

The first is “to let people know of your concern as politely as possible. Don’t stop reminding people of your concern. It is important to say something along the lines of ‘I understand that your compliance issue is critical, but this also is inhibiting our ability to deal with our FCPA remediation efforts.’” Because this requirement will take you away from more important high risks that you have identified, “you must make tough decisions and be highly persuasive if you feel that you may be forced to spend time or resources on a non-risk-based basis.”

Another approach would be to try to address their concerns more directly but in a manner which does not detract from your time as CCO. This could mean additional resources be placed on the topic, such as training or another solution where you might be able to bring in an outside resource to try to deal with the concern in a quick and efficient manner, while not diverting you too much from your higher assessed risks. But, as Chapman noted, “Ultimately, you will be held accountable, regardless of what the reasons or the excuses may have been, because in the real-world people do not care about the excuses, they care about performance.”

The frequency of communications and their quantum can be fluid throughout the remediation process. As a CCO, you will have multiple pulls and tugs on your time and resources. You will be required to navigate through many different paths and personalities. Managing your communications will be critical for both the long-term success of your remediation efforts and your efforts to move the compliance program forward.

Tomorrow I will consider the question of ‘how do you know when you are done’ in the remediation process.

 

Dan Chapman can be reached at jdanielchapman@gmail.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

There are multiple areas in the Department of Justice’s Evaluation of Corporate Compliance Programs which intersect with the area of continuous improvement. In addition to Prong 9, Continuous Improvement, Periodic Testing and Review, the following is found under Prong 1, Analysis and Remediation of Underlying Misconduct: “Prior Indications: Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?” This also ties to the 2012 FCPA Guidance, which made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. Another way to achieve these multiple and intersecting goals is through voluntary monitoring. I recently visited with Vincent DiCianni, President and Founder of Affiliated Monitors, Inc., and Eric Feldman, Senior Vice President (SVP) and Managing Director, Corporate Ethics and Compliance Programs, also at Affiliated Monitors, Inc., about their views on voluntary monitoring.

According to Feldman, voluntary monitoring is an approach where a company “uses the services of an independent monitor to find out how their program is working and to be able to use that data with government regulators and law enforcement to demonstrate their due diligence in creating and continuously improving their corporate ethics and compliance program.” There are at least two different types of voluntary monitoring. Feldman articulated the first as “reactive proactivity,” which is the situation where a company determines it has a potential compliance violation and brings in an independent monitor to address the issue.

The genesis for this type of monitoring is some event, such as a whistleblower report, internal report or investigation or detect control picking up information which warrants additional investigation. Feldman provided a couple of examples. The first might be “where one business unit has a problem and they’re worried about the other business units and they want to get an assessment.” Another situation could be there is a problem in a sector or “industry and they know that that industry is being scrutinized by law enforcement or the regulators and they fully expect the regulators or law enforcement to be coming in and looking at them.” Yet another area could be in a geographic area such as China or another high-risk region.

DiCianni noted there is a second type of voluntary monitorship. It is where a company wants a true independent “to come in to test the quality of the program to see how impactful” the company’s compliance program is operating. It could assess a variety of issues, such as the compliance internal controls to test their benchmarking of a company’s compliance program. In this type of voluntary monitorship, the examiner is not focusing on one issue or region as laid out in the first example but it is broader.

Moreover, it allows a true independent to perform the assessment as DiCianni noted, “it’s very difficult for companies and for compliance officers and their teams to self-assess the strength of their programs. They just have difficulty doing that. It’s just not an easy thing for them to get their hands on, how good a job am I doing? By having an independent come in with no skin in the game, with complete objectivity, neutrality, no judgements, or pre-judging the work, looking at the company’s program, the quality of the program, the makeup of the team, the organizational structure, where it’s placed. All of those kinds of things are parts of this voluntary approach.” 

The benefits of both types of voluntary monitoring are multifold. It certainly helps to meet the Control Testing requirement found in the Evaluation. The 2012 FCPA Guidance stated, “An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” This type of approach can provide benefits if a company finds itself in FCPA hot water, as both the DOJ and Securities Exchange Commission (SEC) “will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” Yet the Guidance intones a business reason for the use of such techniques as voluntary monitoring when it stated, “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

Feldman pointed out yet another reason for such a proactive approach is that such an approach can create an administrative record, which a company can use to demonstrate it has remedied the problems. Equally important it establishes the company is maintaining its commitment to doing business in compliance. The key is the independence of the monitoring personnel so they can present an accurate, unbiased opinion.

He presented the example of a company which had been debarred by the US government and needed to demonstrate an acceptable level of compliance to get off the debar list. He and his team performed a baseline assessment and from there developed a remediation plan, which the company implemented. After six months or so, he and his team came back to assess the progress made by the company. From this follow-up assessment, they generated a report which was used in a submission to the government which essentially noted, “We are now ready to be a responsible contractor as defined by the federal acquisition regulations and we propose an administrative agreement with continued monitoring that would move it from voluntary monitoring over to mandatory monitoring for the next three years.”

Voluntary monitoring is an excellent technique through which a company can engage in continuous improvement. Nonetheless it has many other benefits as well, including regulatory and evidence in a criminal investigation if needed under anti-corruption laws such as the FCPA. The bottom line is that all those scenarios might justify a company to engage a voluntary monitorship to come in and do a complete ethics and compliance and cultural assessment or audit of their organization. 

Three Key Takeaways

  1. A voluntary monitorship can be reactive proactivity to look at a particular issue.
  2. A voluntary monitorship can be used to test a compliance program.
  3. A voluntary monitorship report can be used in a variety of legal and business manners.

 


Today, I continue a five-part series on what a Chief Compliance Officer (CCO) needs to consider when working through the remediation component of a potential Foreign Corrupt Practices Act (FCPA) compliance violation. I am joined in this exploration by Dan Chapman, well-known in the compliance community for his in-house compliance roles at Baker Hughes Inc. and his CCO roles at Parker Drilling and Cameron International. Today I will consider step two: project timing.

While noting this was only an initial step, Chapman believes the first thing you need to consider is “what are your goals” and that you should consider your long-term goals in developing your remediation plan. It begins with two considerations; the first is completing the project on time. The second is to maintain the confidence of the Board and C-Suite level executives.

The timing aspect is not only about your planning but also about setting expectations. You need to plan what you hope to achieve and then scale it out for timing. You must take care the overall length is not beyond what people expect. Chapman noted “If people have expectations that aren’t proper, you want to set them right.” And the sooner you set realistic expectations the better.

I found it interesting that Chapman emphasized confidence as a critical element for success. He noted, “maintaining confidence from your Board, maintaining the confidence of senior management and demonstrating some quick wins is important, because that will allow you to repeatedly show that you have accomplished things, things aren’t just lingering.” This also allows you to keep the confidence level high on the medium and longer term aspects of your remediation plan. You must maintain this confidence on both the medium and longer term deliverables of your remediation plan. Once again, as with timing, you need to ascertain that your stakeholders have the same view of high and lower risk that you do or expectations can become skewed.

To begin Chapman advocated to come right out of the box “burning the candle at both ends”, which he further articulated as “you want to attack the low hanging fruit, or the items that can be completed quickly” within six months. Simultaneously you need to begin on your longest-term remediation projects, such as those which might take up to two years. Then mix in medium term projects with a 12-18 month shelf life. With this approach, in six months you will have demonstrated some early successes, moved halfway through to completing some medium-term projects and then should be one-quarter of the way through the longest-term projects.

Chapman cautioned that throughout this time, you must communicate with the stakeholders and manage expectations. He said, “You have to communicate when you reach, before you reach that six-month period, by the way, we are going to get these six months, short term items and quick wins done, so we can show those to the government authorities, and then we are going to move into a period where we’ll begin our medium term, and we’ll continue progress on our longer-term projects, all of which will conclude around 24 months. I say this knowing that no one is going to want to hear that. If you are a board member you are going to say, “So then what you are saying to me is you are going to start up something that’s going to take two years to do.” You are going to do some things that will take six months, but after six months we are not going to see much progress for the next 18 months.”

You will need to overlay your planning process with the expectations of the stakeholders in another manner; which is around the high, medium and low risk categories of tasks. If your Board or C-Suite level executive “believes that training should be your highest profile and you disagree and you do nothing there until six or 12 months, but you didn’t think that optically, don’t appear so important, but you personally believe are important, you are going to lose the confidence of your Board.”

As a CCO, you should be cognizant of known-unknowns and unknown-unknowns in any remediation project during the pendency of an FCPA investigation. In the planning process, this means you need to plan time for the unknown which may become known to you during the investigation or through your remediation efforts. You need to budget time into your remediation plan for new matters which may arise, because, as Chapman succinctly noted, “that’s what we do in compliance.” Moreover, “If you develop a tight schedule in terms of your remediation plan, you should expect that you will not complete on time, because part of the remediation program necessarily is the discovery of areas of improvement and correction of those areas of improvement.”

Chapman concluded that you must plan for the unexpected and this requires close coordination with your investigative counsel if new matters are discovered which need to be added to your remediation list. It may be that some are high-profile and high-priority, which require more immediate attention. It may be that they can be placed into the medium-term or longer-term buckets for completion. The bottom line is that no CCO can predict on Day One what all the remediation issues will be. You may have a sense that you understand the overall problem or that you are only looking at the tip of the iceberg but you must resist the temptation to declare on Day One that you know what all the issues that require remediation are or will be going forward.

Tomorrow I will consider communications with stakeholders in the remediation process.

 
