Where does “tone at the top” start? With any public and most private U.S. companies, it is at the Board of Directors. But what is the role of a company’s Board in compliance? First, a Board should not engage in management but should engage in oversight of the CEO and senior management. The Board does this through asking hard questions and through risk assessment and identification.

First, the Board must have direct access to information on the company’s compliance policies. The Board must receive quarterly or semi-annual reports from the company’s CCO, either to the Audit Committee or to the Compliance Committee. Every Board should create a Compliance Committee to deal with compliance issues, as an Audit Committee may more appropriately deal with financial audit issues. A Board Compliance Committee can devote itself exclusively to non-financial compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and its self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented. CCO reporting to the Compliance Committee must be structured carefully to promote ethics and compliance.

Three key takeaways:

  1. A Board Compliance Committee should provide oversight, not management.
  2. A CCO should use multiple reports to communicate with the Board Compliance Committee.
  3. Board Compliance Committee oversight makes companies more efficient and at the end of the day more profitable.

Welcome to a special five-part podcast series, A Conversation with Convercent and StoneTurn: From the Code of Conduct to Risk Assessment to Continuous Improvement. This week’s podcast series is jointly sponsored by Convercent and StoneTurn. Over the course of the series we will explore the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). We focus on investigations, data analytics, evaluating compliance programs, internal reporting and corporate culture. Participants in this podcast series include: Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE; Rex Homme, Michele Edwards, and Stephen Martin, all Partners at StoneTurn. In this first episode, we take a deep dive with Homme into conducting investigations and ensuring consistent outcomes.

We began by considering how the 2020 Update emphasized the need for the corporate compliance function to ensure both consistency and fairness, not only in monitoring investigations but also in monitoring the resulting discipline. One of the ways the 2020 Update emphasized this was through tracking the investigations and the discipline that may come out of any investigation. Homme noted, “One of the challenges companies have is facts and circumstances are always different in every investigation. This makes it sometimes difficult, but if companies treat employees of one country differently in terms of discipline, it does create potential gaps in a compliance program. This can then give certain countries a feeling that they can do what they want, without the risk of punishment from corporate headquarters.” This is why the DOJ re-emphasized monitoring the investigations and ensuring consistent application of discipline as a critical factor in ensuring an effective compliance program.

We next considered the FCPA Resource Guide, 2nd edition, which added a new hallmark to the previously titled 10 Hallmarks of an Effective Compliance Program (now simply the Hallmarks). The Hallmark added is one which has been around for some time: Root Cause Analysis (RCA). It is not new, because it was subtly considered in the original FCPA Resource Guide and has been explicitly discussed since at least the original formulation of the Evaluation of Corporate Compliance Programs in February 2017. Homme began by explaining the difference between an RCA and an investigation.

Homme noted, “in my view, the root cause analysis is really driving into what were the gaps in the compliance program, what happened that allowed this behavior to occur. It is certainly a deeper level than just an investigation. Investigation is focused on who, what, when, where, why and how.” An RCA is really then trying to dig into what programs, policies and procedures may have allowed this misconduct to occur. Homme went on to say, “a root cause really digs into the compliance program and all the procedures to understand what was the overriding of controls, or were these gaps in the controls.”

We then turned to how an organization could use an RCA in continuous monitoring and continuous improvement, in a different way than it would use investigative findings. An RCA allows you to determine the gaps in your compliance program which need remediation. This leads to one of the overlooked uses of the RCA: it is a part of a corporation’s continuous monitoring and continuous improvement.

We concluded with a consideration of why a compliance program should be dynamic and what procedures a company should put in place to keep its compliance program dynamic. Homme believes that one of the fundamental defects in many corporate compliance functions is that they do not “often enough look at their program and assess their program to see that it is as effective as possible. We all know that even the best compliance program will still have issues. It just happens. My view is the best way to constantly evaluate your program is by doing periodic risk assessments, actually testing transactions. This means not only looking at the policies themselves, but actually testing the transactions to make sure that they are following the procedures that are laid out.”

If there was a compliance failure, even if it did not lead to a legal violation, you must understand what the root cause of the failure was. Based upon that RCA, are there any enhancements you need to make to your compliance program? Do you need to adjust your internal audit programs? Do you need to adjust your third-party due diligence programs? These are all measures that every organization should take to constantly evaluate its compliance program, to make sure it is dynamic and not static. At the end of the day, if your compliance program is static, people will figure it out and realize where gaps may exist. “If you’re not constantly evolving, constantly changing, you run the risk of having more misconduct occur.”

Join us tomorrow, as Asha Palmer, CECO at Convercent, discusses best practices in internal reporting.

Resources

For more information on StoneTurn, check out their website, here.

For more information on Convercent, check out their website, here.

To download a copy of the Convercent Interactive Self-Assessment based on the 2020 Update to the Evaluation of Corporate Compliance Programs, click here.

I recently had the opportunity to visit with Asha Palmer, Convercent Chief Ethics and Compliance Officer (CECO) and Executive Vice President (EVP) of CONVERGE, and Rex Homme, Partner at StoneTurn, to consider some of the impacts on corporate compliance programs from the recently released 2020 Update to the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Programs (2020 Update). I was interested that in the areas of investigations and internal reporting they both say consistency is a key component for every compliance professional.

The 2020 Update required a compliance function to take on a more wide-ranging role around institutional justice and institutional fairness when it mandated that compliance confirm consistency in the way a compliance program is administered. Obviously, this is true in the realm of discipline and incentives, but it also means fairness in the way investigations are handled and in creating a speak up culture. In Palmer’s mind it comes down to one word: consistency.

Palmer said, “This means compliance professionals have to be consistent in how they treat people, whether it’s in Brazil or in the US, because people are watching and they want to know that there is a process that’s fair.” This means a process that is open and transparent. It is not outcome driven; it is process driven. It means consistent punishment, consistent corrective actions and consistent disciplinary actions when cases arise.

We then turned to how a Chief Compliance Officer (CCO) can enlist key allies such as Human Resources (HR), the General Counsel (GC), the Chief Financial Officer (CFO), the head of Internal Audit and other executives who are co-equal with CCOs as heads of corporate disciplines. Palmer said that cross-functional collaboration is critical because “we all look at things a little bit differently. There should be coordination and collaboration among departments.” Yet there should also be consistency from this level of senior management.

Palmer sees a speak up culture as critical to corporate culture, because again, “we ask people, if you see it, say it, what are you as a CCO going to do about it? How are you going to protect me? And how are you going to make sure this doesn’t happen again? That’s why people speak up. They want something different to happen. They want change.” This means it is up to the compliance function to demonstrate not simply that it will listen but that it will effect change.

All of this ties back into consistency, as the compliance professional must demonstrate that they are focused on that change. It also mandates that the corporate compliance function be focused on protecting those who speak up. Moreover, organizational justice cannot be hierarchical. This means the C-Suite has to be held to the same standards as a person on the shop floor. This means that a CCO really does have to be ready and empowered to investigate even the Chief Executive Officer (CEO) if that were necessary.

I found it quite insightful and instructive that both Homme and Palmer focused on consistency as a key element of a best practices compliance program. This consistency forms the basis of both institutional justice and institutional fairness. That, in turn, facilitates a speak up culture, which it is the role of the compliance department to foster.

My interview with Rex Homme will be available Monday on iTunes here. My interview with Asha Palmer will be available Tuesday on iTunes here.

Where does creativity fit into compliance? In more places than you think. Problem-solving, accountability, communication, and connection – they all take creativity. Join Tom Fox and Ronnie Feldman on Creativity and Compliance, part of the Compliance Podcast Network. In this show, we take a personal journey with Ronnie Feldman as he celebrates the 4th Anniversary for Learnings & Entertainment and reflects back on his journey.

Some of the highlights include:

  • What has Ronnie learned in his journey through compliance?
  • Why does compliance need a bunch of comedians?
  • What are the lessons for the compliance professional?
  • How has the compliance community evolved over the past 4 years?
  • Where is it going?
  • What does Ronnie see for Learning & Entertainment?

Resources:

Ronnie Feldman (LinkedIn)
Learnings & Entertainments (LinkedIn)
Ronnie Feldman (Twitter)

Learnings & Entertainments (Website)

60-Second Communication & Awareness Shorts – A variety of short, customizable, quick-hitter “commercials” including songs & jingles, video shorts, newsletter graphics & Gifs, and more. Promote integrity, compliance, the Code, the helpline and the E&C team as helpful advisors and coaches.

Workplace Tonight Show! Micro-learning – a library of 1-10-minute trainings and communications wrapped in the style of a late-night variety show, that explains corporate risk topics and why employees should care.

Custom Live & Digital Programming – We’ll develop programming that fits your culture and balances the seriousness of the subject matter with a more engaging delivery.

How does Fahrenheit 451 foretell non-compliance regulation in Germany? Tom and Jay brave the surge in Covid cases by staying safe at home to tell the tale. They are back to look at top compliance articles and stories which caught their eye this week.

  1. OFAC focusing on screening errors. Mike Volkov with a 3-part series on Corruption, Crime and Compliance. Part 1, Part 2 and Part 3.
  2. There is no single panacea for stopping corruption. Matthew Stephenson in GAB.
  3. 5 top steps for data transfer after Schrems III. Neil Hodge in Compliance Week. (sub req’d)
  4. What’s the cost of non-compliance? For Wells Fargo, a staggering $15.8 Billion. Matt Kelly explores on Radical Compliance.
  5. Fahrenheit 451, compliance and German regulators? Rosemary Lark considers in the FCPA Blog.
  6. Coronavirus Comeback planner. Navex Global’s Ethics and Compliance Matters.
  7. A compliance approach to excessive force in policing. Joseph Murphy and Emil Moschella in NYU’s Compliance and Enforcement.
  8. Crisis preparedness and the BOD? Joydip Day explores in CCI.
  9. This month on The Compliance Life, I am joined by Louis Sapirman. In Part 1, we looked at Louis’ personal and professional journey into compliance.
  10. AMI week on Compliance and Coronavirus, as Maurice Gilbert discusses the compliance hiring scene during Covid-19, Andy Goldstrom on business sustainability, and Laura Petrolino on storytelling for communications.
  11. On the Compliance Podcast Network, Tom begins a new month on 31 Days to a More Effective Compliance Program, this month focusing on the role of the Board in compliance. This week saw the following offerings: Monday – legal obligations of the BOD; Tuesday – prudent discharge of BOD obligations; Wednesday – BOD Compliance Committees; Thursday – OIG guidance for BODs; and Friday – compliance expertise on the BOD. The month of July is being sponsored by Affiliated Monitors. Note that 31 Days to a More Effective Compliance Program now has its own iTunes channel. If you want to binge out and listen to only these episodes, click here.
  12. Join Jay and Tom at Converge20. Convercent’s top compliance conference is going virtual this year. Check out the agenda and register here.

Tom Fox is the Compliance Evangelist and can be reached at tfox@tfoxlaw.com. Jay Rosen is Mr. Monitor and can be reached at jrosen@affiliatedmonitors.com.