This week, Jay and I have a wide-ranging discussion on some of the week’s top compliance related stories. We discuss:

  1. Tom reports on Compliance Week 2017. See his articles in Compliance Week, here and here.
  2. If the DOJ releases new information in the form of the Evaluation of Corporate Compliance Programs, does anyone read it. See article in GIR (sub req’d).
  3. Jay discusses the SCCE event he attended last week in San Francisco. See Jay’s recap in his article I Left My #SCCE Heart in San Francisco or I Love It When A Plan Comes Together!
  4. Was the individual enforcement against the MoneyGram CCO significant or much ado about nothing? See article by Dick Cassin in the FCPA Blog and by Sara Kropt in her Grand Jury Blog.
  5. DOJ will embed prosecutors overseas. See article by Sam Rubenfeld in WSJ Risk and Compliance Journal. See full text of speech by Deputy AG Trevor McFadden by clicking here.
  6. Warriors and Cavs meet in the first time, three consecutive title match run. Tom and Jay consider from the compliance perspective.
  7. Tom announces the release of his new book 2016 – The Year in Corporate FCPA Enforcement. For more information and to purchase, click here.

 

Jay Rosen can be reached:

Mobile (310) 729-6746

Toll Free (866)-201-0903

JRosen@affiliatedmonitors.com

Tom Fox can be reached:

Phone: 832-744-0264

Email: tfox@tfoxlaw.com

The key concept from the Department of Justice’s (DOJ) Evaluation of Corporate Compliance Program (Evaluation) is operationalization. For instance, under the query Shared Commitment is the following question – “How is information shared among different components of the company?” Under the Prong relating to Policies and Procedures the Designing Compliance Policies and Procedures asks, “What has been the company’s process for designing and implementing new policies and procedures? Who has been involved in the design of policies and procedures? Have business units/divisions been consulted prior to rolling them out?” Lastly, under the same Prong is Responsibility for Integration, with the following question “Who has been responsible for integrating policies and procedures?”

These questions point to a Chief Compliance Officer (CCO) or compliance practitioner demonstrating how compliance is being burned into the fabric of an organization. While leadership at and from the top has long been considered by both the DOJ and compliance professionals as a key element to move compliance forward, the Evaluation has also crystalized thinking around compliance leadership from the middle and the bottom. I thought about these concepts when reading a recent Financial Times (FT) article by Andrew Hill, entitled “Leadership from the bottom up”. I was particularly struck by a quote from Shlomo Ben-Hur, a professor at IMD business school, who said, “We teach the top 5 per cent — but the majority of this work is carried out by the other 95 per cent.”

In Ben-Hur’s work he found that many executives came from the middle management ranks. They tended to be persons “with a determination to “take what I have responsibility for and make it truly great.”” Anecdotally, he related “They typically said, ‘I’ve responsibility for the minibus,’ and people then asked them to drive bigger and bigger buses until one day they drove the whole business.”” Think of the military and the responsibility given to front line commanders and how that “is increasingly reflected at large companies.”

The key for companies is that senior management must “find ways to transmit leadership skills to people who do not have ‘leader’ in their job description and will probably never attend a top-level leadership program.” Hill noted, “Ben-Hur’s work has focused on ensuring that managers understand how to assign the right jobs to their team members and motivate them to perform well, using theories of behavioural change that senior executives have typically never learnt on their way to the top. Dedicated managers well below the executive board need to know how to use these tools.”

For the CCO or compliance practitioner, this provides a clear path to help in the operationalizing of compliance by providing the tools to persons far down the organization to put compliance into the operations of a business. One thing Hill writes about is a company should nuture such learning because by doing so, it will both teach practical skills around compliance but also foster a strong internal network of compliance advocates who can move initiatives up and down and organization. Moreover, as these individuals progress through the company ranks, they can take their compliance message with them at each new level.

Building on the writings of Hill and the work of Professor Ben-Hur, my suggestion is to build a Compliance Excellence Center in your company. Bring in middle-managers to focus on understanding not only their roles in compliance but also how to assign the right team members to a compliance initiative and motivate employees going forward. Hill wrote that Airbus has recently established a corporate ‘university’ to spread leadership ideas through the company. Airbus’ theory behind this push is “being a leader isn’t just about being a vice-president; it’s about being able to push the company towards new ways of doing things and executing the things we have to execute. That could [apply to] a blue-collar worker on the shop floor or a VP.”

A key is not simply to train such middle and front line managers on compliance but getting them to consider rollout, effectiveness, testing and improvement. In other words, as Jay Martin would say, it is all about execution. One way to help facilitate this is through exercises using incentives to “make leadership insights stick and change workplace behavior.” Hill also writes that concepts from entrepreneurship can assist in such learning by encouraging managers to “think and act independently” to operationalize compliance. Finally, never forget mentoring as a manner to spread good compliance practices throughout a company if a more formal approach is not possible.

Too often, strategies to move a compliance program or even an initiative come from the top of an organization and are pushed down. To fully operationalize compliance, you must have leadership in compliance further down the organization which (hopefully) has been a part of the design process and can lead the implementation throughout an organization. 

Three Key Takeaways

  1. While tone at the top is critical, the tone at the bottom can actually work to more fully operationalize compliance.
  2. 95% of the work is done at this bottom level.
  3. Use HR to come up with a strategy to move compliance into the bottom for more complete operationalization.

 

This month’s series is sponsored by Advanced Compliance Solutions and its new service offering the “Compliance Alliance” which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.

 

 

 

 

 

 

 

This week I have engaged in a series on how a Chief Compliance Officer (CCO) or compliance practitioner might think about operationalizing a compliance program with other corporate functions and disciplines. I have been joined in this exploration by Russ Berland, a well-known compliance commentator and practitioner who recently joined Dematic Inc., a Supply Chain optimization company, as it CCO. Today I conclude my series with how the Controller’s Office can be used to more fully operationalize compliance.

Another area for further operationalization is the corporate controller’s office. The Controller’s Office generally has the responsibility to accurately record and report the financial transactions of the company, to design, implement and execute the financial processes and controls of the company to be both effective and efficient, and to safeguard the financial assets of the company. Some of the compliance responsibilities of the Controller’s Office include: (1) Designing and implementing internal controls that impact legal, ethics and compliance risks; (2) Accurately recording the financial transactions of the company; and (3) Preventing and detecting fraudulent activity. All of this means, in practical terms the Controller’s Office is both being the keeper of the books and records and the implementer of internal controls. Moreover, while many of these internal controls would most probably be viewed financial internal controls, there are additional internal controls which are not financial in nature.

From Berland’s perspective, “Those guys live really in the battle zone. They are constantly looking at financial transactions. They’re evaluating them. They’re figuring out where things go within the books and records. They are implementing the processes that should be keeping fraud from happening, keeping bribery and corruption from happening. When a remediation occurs within a company you often find that a lion share of the remediation is not about the compliance program as such, but about those internal controls that have been implemented by the Controller’s office.”

This means that not only can the Controller’s Office be one of the compliance function’s strongest corporate allies, the role of a Controller’s Office by its nature works to operationalize compliance. This is because to implement the appropriate internal controls around Foreign Corrupt Practices Act (FCPA) compliance, the Controller’s office must know the specific requirements of the FCPA, know what kinds of issues are likely to come up that might create a risk of bribery and corruption, all leading to an appropriate understanding of the appropriate compliance internal controls to implement.

A concrete example is in the area of offshore payments, which are generally defined as payments made to a location other than the home domicile of the party or the location where the services where delivered. If a Tunisian agent who performs services in Dubai asks for payment in a location other than Dubai or Tunisia, that would qualify as an offshore payment. If you train people who are in the Controller’s group on this issue, “all of a sudden you’ll get someone in the Controller’s Office who’ll give you a phone call and say “Hey, we just saw a request for a payment to this guy in this Middle Eastern country and we’re just not sure what it’s for.” That’s where the controls are really working, as opposed to that person just really dealing with it on an administrative level instead of keeping your antenna up.” Those are the types of communications, when properly documented, demonstrate that your compliance program is operationalized into the fabric of the organization.

Another way to view it is if there is a Controller’s Office control for such a scenario which notes the exception and requires the clearance of a red flag through additional investigation, elevation for approval and documentation of the entire process. This is a financial control which acts as a compliance control as well. It strengthens the company’s internal controls to both prevent and detect key compliance risks going forward.

Another area would on a company’s Vendor Master List (VML). Some obvious internal controls are that no person or third party gets paid unless they are properly on the VML; no person or third party is admitted to the VML unless they have gone through the appropriate level of due diligence, which varies by task and function and country. The Controller’s Office can also put internal controls in place when employees attempt “workarounds when someone can’t get a vendor paid and wants to.” Such apparent financial controls might well include those around the manual check process and your internal requirements for international wire transfers. Finally, even to this day petty cash continues to be a source of funds to fuel bribery and corruption. The Controller’s Office is on the front lines for petty cash.

These issues are usually dealt with what are generally viewed as internal controls specific to controlling the outflow of money to third parties and requiring that those third parties have gone through your due diligence processes. As Berland noted, they are “all sitting right in the Controller’s Office.” Additional benefits to the corporate compliance function include the retrieval and analysis of financial data and design of internal controls. It allows the compliance function to rely on actual financial expertise rather than “home grown” financial expertise within the compliance department. It extends the compliance function influence through the Controller’s Office. Finally, the compliance function is made aware of relevant concerns found by recording transactions, executing internal controls and financial monitoring.

These benefits are not a one-way street for compliance as a Controller’s Office benefits from a closer relationship with the corporate compliance function as well. The Controller’s Office can leverage compliance resources. The compliance function can bring its observations and insights from investigations and emerging risks to the Controller’s Office. A closer collaboration will broaden awareness of compliance risks which relate to the company’s financial processes.

By more fully integrating compliance into the Controller’s Office function a more robust picture of enterprise risk emerges, one which encompasses legal, compliance, ethics, internal controls, financial, business and governance risks.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

One of the ways that Human Resources (HR) can help to operationalize compliance is to assist each level of an organization to have a proper tone. While the top of an organization rightly gets much of attention, the tone about doing business ethically and in in compliance is equally important in the middle of an organization.

A company must have more than simply a good ‘Tone-at-the-Top’; it must move it down through the organization from senior management to middle management and into its lower ranks. This means that one of the tasks of any company, including its compliance organization, is to get middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization.

Adam Bryant, in a NYT article, entitled “If Supervisors Respect The Values, So Will Everyone Else”, explored this topic when he interviewed Victoria Ransom, the Chief Executive of Wildfire, a company which provides social media marketing software. Ransom spoke about the role of senior management in communicating ethical values when she was quoted as saying “Another lesson I’ve learned as the company grows is that you’re only as good as the leaders you have underneath you. And that was sometimes a painful lesson. You might think that because you’re projecting our values, then the rest of the company is experiencing the values.” These senior managers communicate what the company’s ethics and values are to middle management. So while tone at the top is certainly important in setting a standard, she came to appreciate that it must move downward through the entire organization. Bryant wrote that Ransom came to realize “that the direct supervisors become the most important influence on people in the company. Therefore, a big part of leading becomes your ability to pick and guide the right people.”

Ransom said that when the company was young and small they tried to codify their company values but they did not get far in the process “because it felt forced.” As the company grew she realized that their values needed to be formalized and stated for a couple of reasons. The first was because they wanted to make it clear what was expected of everyone and “particularly because you want the new people who are also hiring to really know the values.” Another important reason was that they had to terminate “a few people because they didn’t live up to the values. If we’re going to be doing that, it’s really important to be clear about what the values are. I think that some of the biggest ways we showed that we lived up to our values were when we made tough decisions about people, especially when it was a high performer who somehow really violated our values, and we took action.” These actions to terminate had a very large effect on the workforce. Ransom said, “it made employees feel like, “Yeah, this company actually puts its money where its mouth is.””

Ransom sought to ensure that everyone knew what senior management considered when determining whether employees were “living up to the company culture.” The process started when she and her co-founder spent a weekend writing down what they believed the company’s values were. Then they sat down with the employees in small groups to elicit feedback. Her approach was to look for what they wanted in their employees. They came up with six.

  • Passion: Do you really have a thirst and appetite for your work?
  • Humility and Integrity: Treat your co-workers with respect and dignity.
  • Courage: Speak up – if you have a great idea, tell us, and if you disagree with people in the room, speak up.
  • Curiosity: They wanted folks who would constantly question and learn, not only about the company but about the industry.
  • Impact: Are you having an impact at the company?
  • Be outward-looking: Do good and do right by each other.

Ransom had an equally valuable insight when she talked about senior management and ethical values. She believes that “the best way to undermine a company’s values is to put people in leadership positions who are not adhering to the values. Then it completely starts to fall flat until you take action and move those people out, and then everyone gets faith in the values again. It can be restored so quickly. You just see that people are happier.”

What should the tone in the middle be? Put another way, what should middle management’s role be in the company’s compliance program? This role is critical because the majority of company employees work most directly with middle, rather than top management and, consequently, they will take their cues from how middle management will respond to a situation. Moreover, middle management must listen to the concerns of employees. Even if middle management cannot affect a direct change, it is important that employees need to have an outlet to express their concerns. Therefore your organization should train middle managers to enhance listening skills in the overall context of providing training for what she termed their ‘Manager’s Toolkit’. This can be particularly true if there is a compliance violation or other incident that requires some form of employee discipline. Ransom believes that most employees think it important that there be “organizational justice” so that people believe they will be treated fairly. Ransom further explained that without organization justice, employees typically do not understand outcomes but if there is perceived procedural fairness that an employee is more likely accept a decision that they may not like or disagree with.

So think about your lines of communication and your communication skills when conveying your message of compliance down from the top into the middle of your organization.

Three Key Takeaways

  1. While tone at the top is critical, the tone in the middle can actually work to more fully operationalize compliance.
  2. How do you train middle managers?
  3. What compliance tool kit do you provide to middle managers?

 

This month’s series is sponsored by Advanced Compliance Solutions and its new service offering the “Compliance Alliance” which is a three-step program that will provide you and your team a background into compliance and the FCPA so you can consider how your product or service fits into the needs of a compliance officer. It includes a FCPA and compliance boot camp, sponsorship of a one-month podcast series, and in-person training. Each section builds on the other and provides your customer service and sales teams with the knowledge they need to have intelligent conversations with compliance officers and decision makers. When the program is complete, your teams will be armed with the knowledge they need to sell and service every new client. Interested parties should contact Tom Fox.

 

 I. Compensation, Incentive and Compliance

In this episode, Roy Snell and myself discuss how incentives are integral to the compensation plans of a wide range of workers. Many experts point to their value in rewarding behavior that is in the interest of the organization and for keeping workers focused on activities that help the bottom line. At the same time, however, the incentives can pose great risks.

Many corporate scandals have shown that workers and corporate leaders may give in to the temptation to cheat to make their numbers, doing whatever they can to achieve their goals and reap the rewards. As a consequence, incentive plans may turn out to be a roadmap for compliance risk.

This danger argues for the compliance department having a role in reviewing incentive plans, if nothing else than to develop controls that ensure the numbers are hit properly, without violating policies, procedures, the law, and ethical norms.

To better assess the role of the compliance team in reviewing incentive plans, in April 2017 the Society of Corporate Compliance and Ethics and the Health Care Compliance Association fielded a survey among compliance professionals. The results indicate that, despite the risks, compliance rarely plays a role in evaluating incentive programs. For the recent SCCE/HCCA survey on this issue, click here.

For additional writings by Tom see the following blog posts:

Incentivizing Compliance

Executives and Compliance Compensation Incentives

Sales Incentives and Compliance

II. Compliance and the Board of Directors

On a second topic, Roy and I discuss the need that a true compliance expert sit on a company’s Board of Directors. The presence of a such a compliance professional with subject matter expertise on the Board sends a strong message about the organization’s commitment to compliance, provides a valuable resource to other Board members, and helps the Board better fulfill its oversight obligations.

Almost every Board has a former Chief Financial Officer (CFO), former head of Internal Audit or persons with a similar background and often times these are also the Audit Committee members of the Board. Such a background brings a level of sophistication, training and subject matter expertise that can help all companies with their financial reporting and other finance based issues. So why is there not such compliance subject matter expertise at the Board level?

Roy sees it through the prism of the compliance profession and has said, “If you ask most companies if they have compliance expertise on their Board… most would say yes. When asked who the compliance expert is they typically point to a lawyer, auditor, risk manager, or an ethicist. None of these professions are automatically compliance experts. All lawyers have different specialties.” He goes on to state that what regulators want to see is specific compliance expertise at the Board level. He noted, “the government is looking for is not generic compliance expertise. They are looking for compliance program management expertise.

For Roy’s further thoughts on this issues, see his blog post, Compliance Expertise Needed on Your Board”.

For Tom’s writing on the subject see his blog post, “Compliance Expertise Needed on the Board”.