Continuous improvement can take many shapes and forms. Typically, when it comes to third-party risks, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or employee of a state-owned enterprise, or a close friend or family member of one. There may also be inquiry into knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices Act (FCPA) and of compliance programs. Other information about criminal and legal history and references, both professional and commercial, may also be required. Hopefully these indicia are reviewed and updated on a regular basis.

One thing that is generally not considered is the financial health of the third party. It turns out such an oversight may have significant ramifications for an accurate picture of a third party. The financial health of third parties is not only a key metric but also a key due diligence tool, allowing a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.

A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point, and a rationalization for committing an FCPA violation forming in the mind of a third party.

But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. James Gellert, CEO of RapidRatings, has noted, “Cyber security is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green-lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cyber security program. In a case like that, over time, a company partner of that firm is taking increased risks for cyber security breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cyber security problem and when that problem actually hits, it’s too late, it’s affecting revenue, it’s affecting reputation, it’s affecting all sorts of things.”

A database of financial health is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third party ecosystem”.

This means considering your third parties in a much broader manner, which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may tell you how well that third party will perform. Such information can be useful to you for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners, or even fourth parties, can help you meet your compliance requirements, maintain operational stability through the avoidance of business disruption, and support business continuity initiatives. Even better, you can cut through silos to develop risk management strategies across multiple business functions.

This moves compliance into the business process cycle, creates greater efficiencies and, at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate a solid return on investment going forward. It also allows compliance to cut through many corporate silos, including such disciplines as business development, supply chain or procurement, manufacturing and finance.

Continuous improvement through monitoring of ongoing financial health is a tool where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to greater operational stability and, with it, that ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.

Three Key Takeaways

  1. What is the financial health of your third parties? Do you even know?
  2. Poor financial results can open a company to engaging in risky behavior.
  3. Financial health monitoring can be used as continuous improvement.


For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at

In this episode, Matt Kelly and I take a deep dive into the Public Company Accounting Oversight Board (PCAOB). We consider the role of the PCAOB in both audit standards and internal controls for compliance. We ask what goodwill and goodwill impairment are, and how goodwill can be manipulated to create pots of money to pay bribes. We explore whether there is a need for a fresh look at SOX 404. We discuss the role of skepticism by auditors. We end with the forthcoming new auditor report format: the SEC is scheduled to approve that new standard soon, and some people want the SEC to veto it. We discuss how new SEC Chair Jay Clayton may handle this, approving it while having a new PCAOB in place which takes a gentler approach to implementation.

For more information on the PCAOB, see Matt’s blog post PCAOB Overhaul Looms

For more on the intersection of compliance, audit and the PCAOB, see Tom’s four-part series with Joe Howell:

PCAOB, audits and compliance-Part I;

PCAOB, audits and compliance-Part II;

PCAOB, audits and compliance-Part III; and

PCAOB, audits and compliance-Part IV

Today I continue a five-part series on the soft skills a Chief Compliance Officer (CCO) needs to employ when working through the remediation component of a potential Foreign Corrupt Practices Act (FCPA) compliance violation. I am joined in this exploration by Dan Chapman, well-known in the compliance community for his in-house compliance roles at Baker Hughes Inc. and his CCO roles at Parker Drilling and Cameron International. Today I will consider step three: communications with stakeholders in the execution phase of the remediation.

You need to think through the timing of your communications and what is in those communications. Communications with stakeholders have multiple functions, but two key functions are (1) to report facts on the ground so the stakeholders are not surprised and (2) “to establish your credibility and build a level of trust.” Regarding the second point, Chapman notes, “The frequency of significant progress reports will slow as the ‘quick win’ opportunities become more scarce in the longer term. Therefore, your credibility and their level of trust in your ability to make progress will become more important over time.”

If you are engaged with highly focused gatekeepers with a high level of compliance understanding, you can start off with relatively frequent meetings. Chapman noted that in the “beginning, as you are working through some of the short-term items, I think it may make sense to have more frequent meetings, whether it’s weekly, bi-weekly or monthly.” Here you once again must be respectful of the level of focus of your Board and C-Suite executives, and your communications should always be meaningful and substantive.

However, as you begin to move into the later phases of the remediation, your rate of specific project closures may slow as you move from short-term to medium- and longer-term projects. Your frequency of meetings should probably lessen as well. One thing you do not want to have is a meeting where you have little or nothing in the way of progress to report. Such a meeting offers little benefit to either you as the CCO or the stakeholders. Chapman cautioned that too frequent meetings with too little progress to report could lead to the stakeholders wondering, “Is the CCO asking the stakeholders to do the CCO’s job? Are you asking them to make the decisions of a compliance expert? I found that it’s much healthier if the day to day running of the compliance function remains with the compliance experts, and Board members should receive reports and provide general oversight. In other words, they hold the CCO accountable, at a very high level, for the compliance function and, if they see something to which they object, they should object.”

Chapman cautioned that he would “be conservative” in terms of the frequency of communications. You want to make certain you have enough information to support a weekly call, but the pace will probably slow as you move through your remediation, discover new issues, and find that they begin to consume more of your time. The growing number of issues you are addressing in remediation can cause your rate of change to slow. So, if you begin with 5 issues but they then expand to 15 or 20, this will require more substantive remediation, leaving less time for communications.

Once again, Chapman believes it is critical to set expectations that your rate of communications will slow during the pendency of the remediation. If you do so, this “will give confidence to your Board because they will look at the compliance officer and say, ‘He saw this coming. We now know that what he tells us is going to happen in the future will happen.’” You develop that credibility by correctly predicting what will happen.

Another issue which can arise in the communications area occurs when a Board member or C-Suite executive insists that an issue is high-priority where you have assessed it as low risk. If you move to remediate what you believe is clearly a secondary issue at best, it will consume both time and resources that you believe could have been used for more high-risk and high-priority remediation items. Yet, as the CCO you are required to address their concerns. Chapman suggested a couple of approaches to employ in this situation.

The first is “to let people know of your concern as politely as possible. Don’t stop reminding people of your concern. It is important to say something along the lines of ‘I understand that your compliance issue is critical, but this also is inhibiting our ability to deal with our FCPA remediation efforts.’” Because this requirement will take you away from the more important high risks that you have identified, “you must make tough decisions and be highly persuasive if you feel that you may be forced to spend time or resources on a non-risk-based basis.”

Another approach would be to try to address their concerns more directly, but in a manner which does not detract from your time as CCO. This could mean additional resources being placed on the topic, such as training or another solution where you might be able to bring in an outside resource to deal with the concern in a quick and efficient manner, while not diverting you too much from your higher assessed risks. But, as Chapman noted, “Ultimately, you will be held accountable, regardless of what the reasons or the excuses may have been, because in the real world people do not care about the excuses, they care about performance.”

The frequency and content of communications can be fluid throughout the remediation process. As a CCO, you will have multiple pulls and tugs on your time and resources. You will be required to navigate many different paths and personalities. Managing your communications will be critical both for the long-term success of your remediation efforts and for your efforts to move the compliance program forward.

Tomorrow I will consider the question of ‘how do you know when you are done’ in the remediation process.


Dan Chapman can be reached at

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at

© Thomas R. Fox, 2017

There are multiple areas in the Department of Justice’s Evaluation of Corporate Compliance Programs which intersect with the area of continuous improvement. In addition to Prong 9, Continuous Improvement, Periodic Testing and Review, under Prong 1, Analysis and Remediation of Underlying Misconduct, is found the following: “Prior Indications: Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed?” This also ties to the 2012 FCPA Guidance, which made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. Another way to achieve these multiple and intersecting goals is through voluntary monitoring, a topic I explored when I recently visited with Vincent DiCianni, President and Founder of Affiliated Monitors, Inc., and Eric Feldman, Senior Vice President (SVP) and Managing Director, Corporate Ethics and Compliance Programs, also at Affiliated Monitors, Inc., about their views on voluntary monitoring.

According to Feldman, voluntary monitoring is an approach where a company “uses the services of an independent monitor to find out how their program is working and to be able to use that data with government regulators and law enforcement to demonstrate their due diligence in creating and continuously improving their corporate ethics and compliance program.” There are at least two different types of voluntary monitoring. Feldman articulated the first as “reactive proactivity”, which is the situation where a company determines it has a potential compliance violation and brings in an independent monitor to address the issue.

The genesis for this type of monitoring is some event, such as a whistleblower report, an internal report or investigation, or a detective control picking up information which warrants additional investigation. Feldman provided a couple of examples. The first might be “where one business unit has a problem and they’re worried about the other business units and they want to get an assessment.” Another situation could be a problem in a sector or “industry and they know that that industry is being scrutinized by law enforcement or the regulators and they fully expect the regulators or law enforcement to be coming in and looking at them.” Yet another could be a geographic area such as China or another high-risk region.

DiCianni noted there is a second type of voluntary monitorship. It is where a company wants a true independent “to come in to test the quality of the program to see how impactful” the company’s compliance program is. It could assess a variety of issues, such as the compliance internal controls, or benchmark the company’s compliance program. In this type of voluntary monitorship, the examiner is not focusing on one issue or region as in the first type, but looks more broadly.

Moreover, it allows a true independent to perform the assessment. As DiCianni noted, “it’s very difficult for companies and for compliance officers and their teams to self-assess the strength of their programs. They just have difficulty doing that. It’s just not an easy thing for them to get their hands on, how good a job am I doing? By having an independent come in with no skin in the game, with complete objectivity, neutrality, no judgements, or pre-judging the work, looking at the company’s program, the quality of the program, the makeup of the team, the organizational structure, where it’s placed. All of those kinds of things are parts of this voluntary approach.”

The benefits of both types of voluntary monitoring are multifold. It certainly helps to meet the Control Testing requirement found in the Evaluation. The 2012 FCPA Guidance stated, “An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” This type of approach can provide benefits if a company finds itself in FCPA hot water, as both the DOJ and the Securities and Exchange Commission (SEC) “will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” Yet the Guidance also gives a business reason for the use of such techniques as voluntary monitoring when it states, “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

Feldman pointed out yet another reason for such a proactive approach: it can create an administrative record, which a company can use to demonstrate it has remedied the problems. Equally important, it establishes that the company is maintaining its commitment to doing business in compliance. The key is the independence of the monitoring personnel, so they can present an accurate, unbiased opinion.

He presented the example of a company which had been debarred by the US government and needed to demonstrate an acceptable level of compliance to get off the debarment list. He and his team performed a baseline assessment and from there developed a remediation plan, which the company implemented. After six months or so, he and his team came back to assess the progress made by the company. From this follow-up assessment, they generated a report which was used in a submission to the government which essentially noted, “We are now ready to be a responsible contractor as defined by the federal acquisition regulations and we propose an administrative agreement with continued monitoring that would move it from voluntary monitoring over to mandatory monitoring for the next three years.”

Voluntary monitoring is an excellent technique through which a company can engage in continuous improvement. It has many other benefits as well, including regulatory benefits and evidence in a criminal investigation, if needed, under anti-corruption laws such as the FCPA. The bottom line is that any of these scenarios might justify a company engaging a voluntary monitor to come in and perform a complete ethics, compliance and cultural assessment or audit of its organization.

Three Key Takeaways

  1. A voluntary monitorship can be reactive proactivity to look at a particular issue.
  2. A voluntary monitorship can be used to test a compliance program.
  3. A voluntary monitorship report can be used in a variety of legal and business manners.


Another mechanism for continuous improvement of your compliance program is risk-based monitoring. Under Prong 5 of the DOJ’s Evaluation of Corporate Compliance Programs is the following topic and question: “Manifested Risks: How has the company’s risk assessment process accounted for manifested risks?” I found this to focus as much on continuous improvement as on risk assessment, through its emphasis on the risks which have been established and demonstrated within the organization. In other words, are you monitoring the risks that you have not only identified but that have also revealed themselves to your organization?

I visited with Ben Locwin, Director of Global R&D at BioGen and an operational strategist in pharma and healthcare, to consider risk-based monitoring and how it helps to facilitate continuous improvement in a compliance program. Locwin said, “Risk-based monitoring is really about continuous, ongoing monitoring for those things which provide the most potential future risk to you. In other words, instead of a static risk registry that may come in part with forecasting, where you would say, ‘We’re trying to anticipate these risks.’ By using risk-based monitoring to review issues on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.”

The problem for many companies is that they are siloed in not only their data but also their systems. Locwin explained that because of the disparity of data systems, “They may not be tracking rigorous, quantified information all the time.” He cited an example from the pharmaceutical world where a company could well have 50 worldwide sites where a drug product is being tested. Some patients receive a placebo and some patients receive the medication being tested. As data comes in you begin to note patterns in certain patients and groups, which might actually point towards a variety of testing errors by the physicians administering the test.

Through the use of risk-based monitoring, you can begin to see things in “almost real-time, time-based trends of real data that you can then jump on and try to make adjustments before things get really wacky.” The implications for the compliance practitioner? Consider having access to information around sales, the sales process and corporate largesse in everything from Corporate Social Responsibility (CSR) work to gifts, travel and entertainment to conferences for customers and end users. Through the use of such risk-based monitoring, a compliance professional would have the opportunity to see trends developing, which could allow an intervention with a prescriptive solution that prevents an issue from becoming a Foreign Corrupt Practices Act (FCPA) violation.

Yet Locwin cautioned that compliance professionals should guard against bias. In an article by Locwin, entitled “Be Careful When Appraising Industry Trends”, he stated, “Social media has rapidly accelerated the agility with which the public can change allegiance and direction. It used to be that when information dissemination was slower and more compartmentalized within regions and market segments, that the market resistance to fluctuation was more robust. Now well-placed advertising, social commentary, or public response to corporate missteps can swirl into a maelstrom of market changes within hours that is agnostic to region or market segment.”

In today’s world, the speed at which reputational damage spreads can overwhelm a corporation’s ability to respond. Here one might consider Wells Fargo and how fast the situation spun out of control for them after its $185MM fine was announced. It is through the use of risk-based monitoring, which allows for this almost real-time input, that a response to a forecasted, assessed or even unassessed risk can be developed. In the compliance world, such tools could be brought to bear when considering not only the expense side of such areas as gifts, travel and entertainment but also sales-side data. This could be internal company data on your own salesforce as well as information developed from or concerning your third-party sales team.

In Locwin’s primary world of pharmaceutical testing and product development, the need for such real-time information may be even more critical. Yet through the development of these techniques as compliance tools, the compliance profession can add value to an organization through the use of risk-based monitoring. With the plethora of data on where and how corruption is likely to occur, coupled with meaningful sales and expense data, the compliance professional should be able to move from detective to preventive to prescriptive compliance solutions that head off legal violations.

Finally, the beauty of all these techniques articulated by Locwin is that they are tools that can make companies more efficient and, at the end of the day, more profitable. They also move compliance into the fabric and DNA of an organization or, in the words of Hui Chen, the former DOJ Compliance Counsel, operationalize compliance. Her call to operationalize compliance speaks to the use of a wide variety of tools to gather information so you can continuously improve your compliance program. Risk-based monitoring is certainly one mechanism to obtain information and feed it back into your compliance program in both the prevent and detect prongs.

Three Key Takeaways

  1. How do you monitor manifested risks?
  2. A risk-based monitoring approach allows you to see things in almost real-time.
  3. Management of risk can serve your compliance program in a variety of ways.
