This week I have engaged in a series on how a Chief Compliance Officer (CCO) or compliance practitioner might think about operationalizing a compliance program with other corporate functions and disciplines. I have been joined in this exploration by Russ Berland, a well-known compliance commentator and practitioner who recently joined Dematic Inc., a Supply Chain optimization company, as it CCO. Today I conclude my series with how the Controller’s Office can be used to more fully operationalize compliance.

Another area for further operationalization is the corporate controller’s office. The Controller’s Office generally has the responsibility to accurately record and report the financial transactions of the company, to design, implement and execute the financial processes and controls of the company to be both effective and efficient, and to safeguard the financial assets of the company. Some of the compliance responsibilities of the Controller’s Office include: (1) Designing and implementing internal controls that impact legal, ethics and compliance risks; (2) Accurately recording the financial transactions of the company; and (3) Preventing and detecting fraudulent activity. All of this means, in practical terms the Controller’s Office is both being the keeper of the books and records and the implementer of internal controls. Moreover, while many of these internal controls would most probably be viewed financial internal controls, there are additional internal controls which are not financial in nature.

From Berland’s perspective, “Those guys live really in the battle zone. They are constantly looking at financial transactions. They’re evaluating them. They’re figuring out where things go within the books and records. They are implementing the processes that should be keeping fraud from happening, keeping bribery and corruption from happening. When a remediation occurs within a company you often find that a lion share of the remediation is not about the compliance program as such, but about those internal controls that have been implemented by the Controller’s office.”

This means that not only can the Controller’s Office be one of the compliance function’s strongest corporate allies, the role of a Controller’s Office by its nature works to operationalize compliance. This is because to implement the appropriate internal controls around Foreign Corrupt Practices Act (FCPA) compliance, the Controller’s office must know the specific requirements of the FCPA, know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an appropriate understanding of the appropriate compliance internal controls to implement.

A concrete example is in the area of offshore payments, which are generally defined as payments made to a location other than the home domicile of the party or the location where the services where delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people who are in the Controller’s group on this issue, “all of a sudden you’ll get someone in the Controller’s Office who’ll give you a phone call and say “Hey, we just saw a request for a payment to this guy in this Middle Eastern country and we’re just not sure what it’s for.” That’s where the controls are really working, as opposed to that person just really dealing with it on an administrative level instead of keeping your antenna up.” Those are the types of communications, when properly documented, demonstrate that your compliance program is operationalized into the fabric of the organization.

Another way to view it is if there is a Controller’s Office control for such a scenario which notes the exception and requires the clearance of a red flag through additional investigation, elevation for approval and documentation of the entire process. This is a financial control which acts as a compliance control as well. It strengthens the company’s internal controls to both prevent and detect key compliance risks going forward.

Another area would on a company’s Vendor Master List (VML). Some obvious internal controls are that no person or third party gets paid unless they are properly on the VML; no person or third party is admitted to the VML unless they have gone through the appropriate level of due diligence, which varies by task and function and country. The Controller’s Office can also put internal controls in place when employees attempt “workarounds when someone can’t get a vendor paid and wants to.” Such apparent financial controls might well include those around the manual check process and your internal requirements for international wire transfers. Finally, even to this day petty cash continues to be a source of funds to fuel bribery and corruption. The Controller’s Office is on the front lines for petty cash.

These issues are usually dealt with what are generally viewed as internal controls specific to controlling the outflow of money to third parties and requiring that those third parties have gone through your due diligence processes. As Berland noted, they are “all sitting right in the Controller’s Office.” Additional benefits to the corporate compliance function include the retrieval and analysis of financial data and design of internal controls. It allows the compliance function to rely on actual financial expertise rather than “home grown” financial expertise within the compliance department. It extends the compliance function influence through the Controller’s Office. Finally, the compliance function is made aware of relevant concerns found by recording transactions, executing internal controls and financial monitoring.

These benefits are not a one-way street for compliance as a Controller’s Office benefits from a closer relationship with the corporate compliance function as well. The Controller’s Office can leverage compliance resources. The compliance function can bring its observations and insights from investigations and emerging risks to the Controller’s Office. A closer collaboration will broaden awareness of compliance risks which relate to the company’s financial processes.

By more fully integrating compliance into the Controller’s Office function a more robust picture of enterprise risk emerges, one which encompasses legal, compliance, ethics, internal controls, financial, business and governance risks.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

One of the ways that Human Resources (HR) can help to operationalize compliance is to assist each level of an organization to have a proper tone. While the top of an organization rightly gets much of attention, the tone about doing business ethically and in in compliance is equally important in the middle of an organization.

A company must have more than simply a good ‘Tone-at-the-Top’; it must move it down through the organization from senior management to middle management and into its lower ranks. This means that one of the tasks of any company, including its compliance organization, is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization.

Adam Bryant, in a NYT article, entitled “If Supervisors Respect The Values, So Will Everyone Else”, explored this topic when he interviewed Victoria Ransom, the Chief Executive of Wildfire, a company which provides social media marketing software. Ransom spoke about the role of senior management in communicating ethical values when she was quoted as saying “Another lesson I’ve learned as the company grows is that you’re only as good as the leaders you have underneath you. And that was sometimes a painful lesson. You might think that because you’re projecting our values, then the rest of the company is experiencing the values.” These senior managers communicate what the company’s ethics and values are to middle management. So while tone at the top is certainly important in setting a standard, she came to appreciate that it must move downward through the entire organization. Bryant wrote that Ransom came to realize “that the direct supervisors become the most important influence on people in the company. Therefore, a big part of leading becomes your ability to pick and guide the right people.”

Ransom said that when the company was young and small they tried to codify their company values but they did not get far in the process “because it felt forced.” As the company grew she realized that their values needed to be formalized and stated for a couple of reasons. The first was because they wanted to make it clear what was expected of everyone and “particularly because you want the new people who are also hiring to really know the values.” Another important reason was that they had to terminate “a few people because they didn’t live up to the values. If we’re going to be doing that, it’s really important to be clear about what the values are. I think that some of the biggest ways we showed that we lived up to our values were when we made tough decisions about people, especially when it was a high performer who somehow really violated our values, and we took action.” These actions to terminate had a very large effect on the workforce. Ransom said, “it made employees feel like, “Yeah, this company actually puts its money where its mouth is.””

Ransom sought to ensure that everyone knew what senior management considered when determining whether employees were “living up to the company culture.” The process started when she and her co-founder spent a weekend writing down what they believed the company’s values were. Then they sat down with the employees in small groups to elicit feedback. Her approach was to look for what they wanted in their employees. They came up with six.

  • Passion: Do you really have a thirst and appetite for your work?
  • Humility and Integrity: Treat your co-workers with respect and dignity.
  • Courage: Speak up – if you have a great idea, tell us, and if you disagree with people in the room, speak up.
  • Curiosity: They wanted folks who would constantly question and learn, not only about the company but about the industry.
  • Impact: Are you having an impact at the company?
  • Be outward-looking: Do good and do right by each other.

Ransom had an equally valuable insight when she talked about senior management and ethical values. She believes that “the best way to undermine a company’s values is to put people in leadership positions who are not adhering to the values. Then it completely starts to fall flat until you take action and move those people out, and then everyone gets faith in the values again. It can be restored so quickly. You just see that people are happier.”

What should the tone in the middle be? Put another way, what should middle management’s role be in the company’s compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top management and, consequently, they will take their cues from how middle management will respond to a situation. Moreover, middle management must listen to the concerns of employees. Even if middle management cannot affect a direct change, it is important that employees need to have an outlet to express their concerns. Therefore your organization should train middle managers to enhance listening skills in the overall context of providing training for what she termed their ‘Manager’s Toolkit’. This can be particularly true if there is a compliance violation or other incident that requires some form of employee discipline. Ransom believes that most employees think it important that there be “organizational justice” so that people believe they will be treated fairly. Ransom further explained that without organization justice, employees typically do not understand outcomes but if there is perceived procedural fairness that an employee is more likely accept a decision that they may not like or disagree with.

So think about your lines of communication and your communication skills when conveying your message of compliance down from the top into the middle of your organization.

Three Key Takeaways

  1. While tone at the top is critical, the tone in the middle can actually work to more fully operationalize compliance.
  2. How do you train middle managers?
  3. What compliance tool kit do you provide to middle managers?

 

This month’s series is sponsored by Advanced Compliance Solutions and its new service offering the “Compliance Alliance” which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.

 

 I. Compensation, Incentive and Compliance

In this episode, Roy Snell and myself discuss how incentives are integral to the compensation plans of a wide range of workers. Many experts point to their value in rewarding behavior that is in the interest of the organization and for keeping workers focused on activities that help the bottom line. At the same time, however, the incentives can pose great risks.

Many corporate scandals have shown that workers and corporate leaders may give in to the temptation to cheat to make their numbers, doing whatever they can to achieve their goals and reap the rewards. As a consequence, incentive plans may turn out to be a roadmap for compliance risk.

This danger argues for the compliance department having a role in reviewing incentive plans, if nothing else than to develop controls that ensure the numbers are hit properly, without violating policies, procedures, the law, and ethical norms.

To better assess the role of the compliance team in reviewing incentive plans, in April 2017 the Society of Corporate Compliance and Ethics and the Health Care Compliance Association fielded a survey among compliance professionals. The results indicate that, despite the risks, compliance rarely plays a role in evaluating incentive programs. For the recent SCCE/HCCA survey on this issue, click here.

For additional writings by Tom see the following blog posts:

Incentivizing Compliance

Executives and Compliance Compensation Incentives

Sales Incentives and Compliance

II. Compliance and the Board of Directors

On a second topic, Roy and I discuss the need that a true compliance expert sit on a company’s Board of Directors. The presence of a such a compliance professional with subject matter expertise on the Board sends a strong message about the organization’s commitment to compliance, provides a valuable resource to other Board members, and helps the Board better fulfill its oversight obligations.

Almost every Board has a former Chief Financial Officer (CFO), former head of Internal Audit or persons with a similar background and often times these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training and subject matter expertise that can help all companies with their financial reporting and other finance based issues. So why is there not such compliance subject matter expertise at the Board level?

Roy sees it through the prism of the compliance profession and has said, “If you ask most companies if they have compliance expertise on their Board… most would say yes. When asked who the compliance expert is they typically point to a lawyer, auditor, risk manager, or an ethicist. None of these professions are automatically compliance experts. All lawyers have different specialties.” He goes on to state that what regulators want to see is specific compliance expertise at the Board level. He noted, “the government is looking for is not generic compliance expertise. They are looking for compliance program management expertise.

For Roy’s further thoughts on this issues, see his blog post, Compliance Expertise Needed on Your Board”.

For Tom’s writing on the subject see his blog post, “Compliance Expertise Needed on the Board”.

This week I am engaging in a week-long series on how a Chief Compliance Officer (CCO) or compliance practitioner might think about operationalizing a compliance program with other corporate functions and disciplines. I am joined in this exploration by Russ Berland, a well-known compliance commentator and practitioner who recently joined Dematic Inc., a Supply Chain optimization company, as it CCO. Today I want to demonstrate how the Internal Audit (IA) function can be used to more fully operationalize compliance.

The Department of Justice (DOJ) clearly feels IA is an important mechanism for compliance to use to operationalize compliance. In its Evaluation of Corporate Compliance Programs (Evaluation), Prong 9 it asks the following questions: “Internal Audit What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?”

According to the Institute of Internal Auditors, IA “is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Some of the key compliance activities of IA are to maintain its independence; to conduct auditing activity of awareness and adherence to policies, procedures, internal controls and corporate governance, including those relating to legal, compliance and ethics risks; to ensure there is follow up of recommendations made in IA reports, including those relating to compliance and ethics risks, including to track and report on management follow up; assist and collaborate on internal investigations, including having IA provide audit expertise in dealing with internal controls and financial data; assist in both design and auditing of internal controls and follow up as required. Clearly this is function which is and should be integrated into compliance.

Berland noted that IA is doing compliance “all the time” as it acts as the watchdog for a company in a variety of areas. IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various compliance requirements or policies and procedures. In performing such audits, IA could look at the questions of whether the employees are aware of standards of business conduct; whether they aware of the anti-corruption policies; what controls are in place; and whether they are effective in the implementation locally.

It should be apparent there are numerous benefits to compliance having closer and more robust integration with IA. Some of the more obvious ones include some of the topics I have previously explored this week such as leveraging compliance and ethics resources, strong investigation resources to explore risk and internal controls issue, broad awareness of compliance risks as they relate to the process or audit issues, an overall strengthening of the IA network throughout the company. Another area is through the leveraging of joint vendor resources that would be available to both, such as professional development, forensic accounting and other professional consultants, having ethics and compliance insights when recommending or making recommendations that are derived from internal audits.

One area which IA brings insight to that is critical to compliance but not well understood by compliance practitioners, particularly those with a legal background, is in internal controls, which form the very backbone of a best practices compliance program. Indeed, the Evaluation, Prong 4 asks the following, “Gatekeepers Has there been clear guidance and/or training for the key gatekeepers (e.g., the persons who issue payments or review approvals) in the control processes relevant to the misconduct? What has been the process for them to raise concerns?”

When an audit around controls is performed at the country, region, or business unit level, there should be coordination between compliance and IA on the audit plan. By doing so, it allows compliance to impart the need to determine how the internal controls, their design and effectiveness might impact issues around bribery and corruption under the Foreign Corrupt Practices Act (FCPA). Of course, ancillary compliance topics such as money laundering, trade sanctions, data privacy and data security can also be seamlessly considered by IA so an audit plan is as strong as possible given the time and resources available to pursue the audit.

From the compliance aspects, IA is “really kind of the watchdog or monitoring facility for the entire company”. This dovetails explicitly into this ‘gatekeeper’ function. Additionally and depending on the risk profile of the company and the way in which the audit schedule is set, IA can assist to operationalize compliance in other ways. For instance, IA could be looking at what steps are being taken to comply with HR policies, what steps are being taken to comply with various legal requirements or compliance requirements. Berland noted, “I have certainly seen numerous opportunities, or numerous instances where internal audit in doing a country audit in a country in Europe, would make some of the following inquiries: “Are these people aware of standards of business conduct?; Are they aware of the anti-corruption policies; and What controls are in place and are those effective in the implementation locally?”” Depending on the answers to these audit inquiries, compliance or better yet, compliance in conjuction with audit and HR could develop a remediation plan.

With such integration both groups benefit. IA can perform stronger investigations around to enterprise risks and internal controls issues, through a broader awareness of compliance risks which might occur related to audit issues or audit processes.  Such integration can work to strengthen IA’s network throughout company, leverage joint vendor resources such as professional development, internal controls, forensic accounting and other consultants and provide additional compliance insights when making recommendations following internal audits.

For its part, the compliance function can leverage IA resources and professionals, on audit techniques and analysis of internal controls. Equally such integration extends the corporate compliance influence through the company’s IA network using existing IA resources such as ACL and other ERP systems and IT query systems. Finally, it allows the corporate compliance function to be made aware of relevant concerns uncovered during audits so compliance is more fully able to participate in recommendations and follow up.

Tomorrow I will conclude this week long series with a look at operationalization of compliance through the corporate Controller’s Office.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

The role of Human Resources (HR) in anti-corruption compliance programs, is often underestimated. If your company has a culture where compliance is perceived to be in competition or worse yet antithetical to HR, the company certainly is not hitting on all cylinders and maybe moving towards dysfunction. Another way you can operationalize compliance is in HR’s involvement of employee promotion. In Prong 8 of the Evaluation of Corporate Compliance Programs it asks the following question, Have there been any examples of actions taken (e.g., promotions or awards denied) as a result of compliance and ethics considerations?

The 2012 FCPA Guidance expounded further, “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an ac­ceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his win-loss record. In other words make compliance significant for professional growth in your organization and it will help to drive the message of doing business in compliance.

I thought about these concepts when I read an article in the Corner Office column of the Sunday New York Times (NYT), where columnist Adam Bryant interviewed Sally Smith, the Chief Executive of Buffalo Wild Wings, the restaurant chain. She had some interesting concepts not only around leadership but thoughts on the hiring and promotion functions, which are useful for any Chief Compliance Officer (CCO) or compliance practitioner striving to drive compliance into the DNA of a company.

Here Smith had some thoughts put in a manner on promotions not often articulated. One of her cornerstones is to search out the best person for any open position, whether through an external hire or internal promotion. Bryant stated that Smith said “We use the phrase “wait for great” in hiring. When you have an open position, don’t settle for someone who doesn’t quite have the cultural match or skill set you want. It’s better to wait for the right person.”

Smith articulated some different skills that she uses to help make such a determination. Once a potential hire or promotion gets to her level for an interview, she will assume that person is technically competent but “I assume that you’re competent, but I’ll probe a bit to make sure you know what you’re talking about. And then I’ll say, “If I asked the person in the office next to you about you, what would they say?””

Passion and curiosity are other areas that Smith believes is important to probe during the hiring or promotion process. In the area of passion, Smith will “Often ask, “What do you do in your free time?” If they’re passionate about something, I know they’re going to bring that passion to the workplace.” Smith believes curiosity is important because it helps to determine whether a prospective hire will fit into the Buffalo Wild Wings culture. Bryant wrote, “I look for curiosity too, because if you’re curious and thinking about how things work, you’ll fit well in our culture. So I’ll ask about the last book they read, or the book that had the greatest impact on them.” Smith also inquires about jobs or assignments that went well and “ones that went off the tracks. You ask enough questions around those and you can determine whether they’re going to need a huge support team.”

I found these insights by Smith very useful for a compliance practitioner and the hiring and promotion functions in a compliance program. By asking questions about compliance you can not only find out the candidates thoughts on compliance but you will also begin to communicate the importance of such precepts to them in this process. Now further imagine how powerful such a technique could be if a Chief Executive asked such questions around compliance when they were involved in the hiring or promotion process. Talk about setting a tone at the top from the start of someone’s career at that company. But the most important single item I gleaned from Bryant’s interview of Smith was the “Wait for great” phrase. If this were a part of the compliance discussion during promotion or hiring that could lead to having a workforce committed to doing business in the right way.

Three Key Takeaways

  1. Denying a promotion or award due to an employee’s ethical lapses.
  2. Use promotions to reinforce your company’s commitment to compliance and ethics.
  3. Should you wait for great?

 

This month’s series is sponsored by Advanced Compliance Solutions and its new service offering the “Compliance Alliance” which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.