Continuous improvement can take many ways, shapes and forms. Typically, when it comes to third-party risks, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or employee of a state-owned enterprise, or a close friend or family member. There may also be inquiry into knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices Act (FCPA) and compliance programs. Other information about criminal and legal history and references, both professional and commercial, may also be required. Hopefully these indicia are reviewed and updated on a regular basis.

One thing that is generally not considered is the financial health of the third party. It turns out such an oversight may have some significant ramifications for an accurate picture of a third party. The financial health of third parties is not only a key metric but also a key due diligence tool which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.

A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point and a rationalization for committing an FCPA violation forming in the mind of a third party.

But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. James Gellert, CEO of RapidRatings, has noted, “Cyber security is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cyber security program. In a case like that, over time, a company partner of that firm is taking increased risks for cyber security breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cyber security problem and when that problem actually hits, it’s too late, it’s affecting revenue, it’s affecting reputation, it’s affecting all sorts of things.”

A database of financial health is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third party ecosystem”.

This is considering your third parties in a much broader manner, which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may tell you how well that third party will perform. Such information can be useful to you for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners, or even fourth parties, can help you meet your compliance requirements, maintain operational stability through the avoidance of business disruption, and support business continuity initiatives. Even better, you can cut through siloes to develop risk management strategies across multiple business functions.

This moves compliance into the business process cycle, creates greater efficiencies and at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate solid return on investment going forward. It also allows compliance to cut through many corporate siloes including such disciplines as business development, supply chain or procurement, manufacturing and finance.

Continuous improvement through monitoring of ongoing financial health is a tool where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to more and better operational stability and with that ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.

Three Key Takeaways

  1. What is the financial health of your third parties? Do you even know?
  2. Poor financial results can open a company to engaging in risky behavior.
  3. Financial health monitoring can be used as continuous improvement.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at http://www.affiliatedmonitors.com/.

In this episode, I visit with Mike Skopets, from Miller & Chevalier, on the firm’s Summer 2017 FCPA Report. We discuss the background to the Report and begin with what macro trends the firm identified. We discuss the numbers of resolutions, declinations and investigations and what they might demonstrate. We go into the Linde Gas and CDM Smith declinations with disgorgement and what these two superior decisions portend for the compliance practitioner. We consider the Kokesh decision by the US Supreme Court and what it may mean for not only FCPA enforcement but the compliance professional’s decision-making calculus for self-disclosure. It is a very interesting wrap-up of the first six months of the FCPA world in 2017.

Miller & Chevalier’s Summer 2017 FCPA Report is available at no cost on the firm’s website. You can obtain a copy by clicking here.

In this episode, I visit with Mike Skopets on Miller’s Summer 2017 FCPA Report.

Jay and I return for a wide-ranging discussion on some of the week’s top compliance and ethics related stories, including:

  1. The SEC charges KPMG and partner with blown oil and gas company audit. See Dick Cassin’s blog post in the FCPA Blog.
  2. BSGR raises its head again as company chief Beny Steinmetz was detained in Israel. See article in the FCPA Blog.
  3. What should be the response of the compliance community to the events in Charlottesville and the administration’s response? Tom and Matt Kelly explored in this week’s edition of Compliance into the Weeds. See Matt Kelly’s blog post, Trump Tests Corporate America’s Values. See Tom’s blog post Time For Compliance to Take a Stand. Finally, for a perspective from the compliance profession, see the statement from the Ethics and Compliance Initiative entitled, To the Members and Stakeholders of the ECI Community.
  4. Jeff Kaplan considers whether lawyers can be whistleblowers. See Jeff’s article in the Conflict of Interest blog.
  5. Can you do any business in Iran? A new treasury ruling complicates the matter (think Catch 22). Sam Rubenfeld reports in the WSJ Risk and Compliance Journal.
  6. Roy Snell reflects on 20 years in the compliance profession in an interview with Ben DiPietro in the WSJ Risk and Compliance Journal.
  7. This month’s podcast series on One Month to a More Effective Compliance Program is in full production. In August I am reviewing how to have greater continuous improvement in your compliance program. This week’s topics include voluntary monitoring, keeping track of current events, the Desktop Risk Assessment, using big data and controls testing. Affiliated Monitors is this month’s sponsor. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.

In this episode, I explore why Wells Fargo needs a true compliance expert on its Board of Directors. The Wells Fargo Board needs someone with compliance expertise to oversee the role of the Chief Compliance Officer (CCO) and the bank’s compliance function, which clearly was not up to the task of preventing illegal or even unethical conduct. With Board oversight of compliance, the senior executives provide the Board with a certain level of information and reporting which is an outcome of how senior management and the C-Suite have defined the compliance risk appetite.

My plea to the company is to hire someone with direct compliance experience for this final seat on the Board of Directors. While some Directors have experience in the regulatory world, that is very different from experience in the compliance realm, which focuses on the mission, vision and values of a corporation through the tripartite process of prevent, detect and remediate. In addition to getting its regulatory house in order, Wells Fargo has one very large culture problem which needs compliance expertise. Even for a former Bank president, the issue of compliance is at the absolute forefront of Wells Fargo’s miasma.

In a New York Times (NYT) Dealb%k article, entitled “Wells Fargo Vice Chairwoman to Succeed Departing Chairman”, Stacy Cowley reported that the Wells Fargo Board of Directors Chairperson, Stephen W. Sanger, will retire at the end of the year and will be succeeded by Elizabeth Duke, a former Federal Reserve Board governor. Also standing down are Cynthia H. Milligan and Susan G. Swenson, both of whom joined the Board in the 1990s. In addition to the elevation of Duke to the Chairperson role, retired PricewaterhouseCoopers (PwC) executive Juan A. Pujadas will join the board next month. These departures leave at least one seat still open on the Wells Fargo Board.

In addition to Duke succeeding Sanger, the Board also announced that “the board’s risk committee, which is responsible for watching for potential problems, will soon be under new leadership. Next month, Karen B. Peetz, a retired Bank of New York Mellon president who joined Wells Fargo’s board this year, will take over as chairwoman of the committee, the bank said on Tuesday. Ms. Peetz will succeed Enrique Hernandez Jr., who had led the committee since 2012. He was re-elected to the bank’s board by shareholders four months ago with 53 percent of the vote, the lowest total of any director.”

My plea to the company is to hire someone with direct compliance experience for this final seat on the Board of Directors.

Ms. Duke’s experience in the regulatory world was one of the reasons touted in her elevation to the Chairperson’s role. However, experience in the regulatory world is very different from experience in the compliance realm, which focuses on the mission, vision and values of a corporation through the tripartite process of prevent, detect and remediate. In addition to getting its regulatory house in order, Wells Fargo has one very large culture problem which needs compliance expertise. Even for a former Bank president, the issue of compliance is at the absolute forefront of Wells Fargo’s miasma.

The Wells Fargo Board needs someone with compliance expertise to oversee the role of the Chief Compliance Officer (CCO) and the bank’s compliance function, which clearly was not up to the task of preventing illegal or even unethical conduct. With Board oversight of compliance, the senior executives provide the Board with a certain level of information and reporting which is an outcome of how senior management and the C-Suite have defined the compliance risk appetite.

Some of the questions the Board should ask include: how would management review compliance and monitor the key compliance risk of the bank? Every company and bank has a compliance risk appetite and, based on that risk appetite, different metrics would be set up on the different compliance risk dimensions that impact the company. How would you measure that risk? What are the benchmarks that the bank would set up? What are some of the heat maps that they would do to gauge the sensitivity of the risk? The information would vary, yet it is geared around the outcome of the overall compliance risk appetite that the company has set up. The compliance expert would help the Board to oversee, review and monitor that risk.

In addition to the compliance risk there are the mission, vision and values types of risks which could be thought of as a peoples’ risk, reputational risk, technology risk and cyber risk. There are different risk dimensions that impact the company and having true compliance expertise leads to overall Board accountability for compliance risk, brings in someone who can understand and oversee compliance risk management systems; compliance internal controls; the information flow up to the Board and back down to the CCO; and finally, can guide the Board in shaping an appropriate tone from the very highest parts of the organization to try and restore the Bank’s tarnished reputation.

What are some of the skills and background such a person could bring to the Wells Fargo Board? The person would need good in-depth knowledge and understanding of financial institutions and their business models so they appreciate the risk challenges. Obviously, the person needs financial expertise for scenarios and frameworks, and then some technical ability to understand the stress testing dynamics and the measurement tools. The position needs to be filled by someone who has worked at the highest levels of banking or a financial institution both as an executive and a Board member. Finally, the position needs to be occupied by someone who has been in the compliance field for a significant amount of time, i.e. 20+ years. Think that is a tall order? I am certain such a person exists and Wells Fargo needs that person now.

More generally, the Office of Inspector General (OIG) has called for greater compliance expertise at the Board. In 2015, OIG said that a Board can raise its level of substantive expertise with respect to regulatory and compliance matters by adding a compliance member to the Board. The presence of such a compliance professional with subject matter expertise (SME) on the Board sends a strong message about the organization’s commitment to compliance, provides a valuable resource to other Board members, and helps the Board better fulfill its oversight obligations.

Mike Volkov looked at it from both a practical and business perspective and has stated, “I have witnessed firsthand that companies that have a board member with compliance expertise usually have a more aggressive and effective compliance program. In this situation, a Chief Compliance Officer has to answer to the board for the company’s compliance program, while receiving the resources and support to accomplish compliance tasks.”

Roy Snell sees it through the prism of the compliance profession and has said, “If you ask most companies if they have compliance expertise on their Board… most would say yes. When asked who the compliance expert is they typically point to a lawyer, auditor, risk manager, or an ethicist. None of these professions are automatically compliance experts. All lawyers have different specialties.” He has stated that what regulators want to see is specific compliance expertise at the Board level. He noted, “What the government is looking for is not generic compliance expertise. They are looking for compliance program management expertise.”

Hui Chen, the former Department of Justice (DOJ) Compliance Counsel, continually talked about the need for companies to operationalize their compliance programs. Having a Board member with specific compliance expertise, heading a Board Level Compliance expert can provide a level of oversight and commitment to achieving this goal.

In the NYT piece, Cowley cited to, a professor at the University of Richmond School of Law, who noted Duke’s elevation “is a sign that the board — which has drawn criticism from some shareholders for not doing more to watch for or prevent the bank’s misdeeds — plans to continue on its current path”. He went on to state, “Things just keep coming out of the woodwork”. Clearly the bad news continues to hang a pall over Wells Fargo. By bringing in a true compliance expert, the bank can demonstrate it has begun to chart a new path which will hopefully move it to an institution known for its compliance.

 


© Thomas R. Fox, 2017