Continuous improvement can take many ways, shapes and forms. Typically, when it comes to third-party risks, a Chief Compliance Officer (CCO) or compliance professional will consider the ownership structure to see if there is any involvement by a government official or employee of a state-owned enterprise, or a close friend or family member. There may also be inquiry into knowledge of anti-corruption legal regimes such as the Foreign Corrupt Practices (FCPA) and compliance programs. Other information about criminal and legal history and references, both professional and commercial, may also be required. Hopefully these indicia are reviewed and updated on a regular basis.

One thing that is most generally not considered is the financial health of the third party. It turns out such an oversight may have some significantly ramifications for an accurate picture of a third party. The financial health of third parties as not only a key metric but also a key due diligence tool which allows a more robust assessment prior to contract signing and in managing the relationship after the contract has been signed.

A third party which is in a weakened financial position can come back to damage your business in a variety of ways. Obviously, a company which is under financial strain is more susceptible to cutting corners to obtain business. You can almost begin to see the fraud triangle forming at this point and a rationalization for committing a FCPA violation forming in the mind of a third party.

But it is more than simply being open to potentially illegal conduct such as violating the FCPA to get business. James Gellert, CEO of RapidRatings has noted, “Cyber security is, obviously, a hot topic for everybody. A company that, at the beginning of a working relationship, maybe onboarding or the due diligence procurement event, one may do a series of checks from a compliance and info security perspective and that company looks fine, it gets green lit and it comes on board as a supplier. Over time, if that company is weakening in its financial condition, the chances are likely that they are going to begin under-investing in maintaining the quality of their cyber security program. In a case like that, over time, a company partner of that firm is taking increased risks for cyber security breach, because that company is weakening but because they’re not managing the financial condition of it on an ongoing basis, they’ve missed a leading indicator of that cyber security problem and when that problem actually hits, it’s too late, it’s effecting revenue, it’s effecting reputation, it’s effecting all sorts of things.”

A database of financial health is important because “traditional risk management has focused more on protecting downside risk and detecting downside risk is being able to understand where a company or a partner exists on a spectrum of risks that can be from poor to really good, and that means a user of our data is in a position to be able to do more than just protect from a company’s failing for one reason or another, but be able to align with the strongest partners and that creates resiliency and a third party ecosystem”.

This is considering your third parties in much broader manner which allows a more robust assessment of their strengths and weaknesses. The financial health of a third party may tell you how well that third party will perform. Such information can be useful to you for business planning, particularly around strategic risk. Understanding the financial viability of third parties, be they traditional vendors, business partners, or even fourth parties, can help you meet your compliance requirements, maintain operational stability, through the avoidance of business disruption and support business continuity initiatives. Even better, you can cut through siloes to develop risk management strategies across multiple business functions.

This moves compliance into the business process cycle, creates greater efficiencies and at the end of the day, more profitability. This type of approach allows the compliance function to demonstrate solid return on investment going forward. It also allows compliance to cut through many corporate siloes including such disciplines as business development, supply chain or procurement, manufacturing and finance.

Continuous improvement through monitoring of ongoing financial health is a tool where technological solutions can have an impact. Understanding the financial viability of third parties can help the compliance practitioner meet the Department of Justice (DOJ) requirement to more fully operationalize a compliance program. It can also lead to more and better operational stability and with that ever-sought increase in corporate profitability. As compliance moves into the business process, this type of review should become part of your compliance toolkit going forward.

Three Key Takeaways

  1. What is the financial health of your third-parties? Do you even know?
  2. Poor financial results can open a company to engaging in risky behavior.
  3. Financial health monitoring can be used as continuous improvement.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at http://www.affiliatedmonitors.com/.

In this episode, Matt Kelly and I take a deep dive into the Public Accounting Oversight Board (PCAOB). We consider the role of the PCAOB in both audit standards and internal controls for compliance. What is goodwill, goodwill impairment and how goodwill can be manipulated to create pots of money to pay bribes? We explore the question of whether there the need for a fresh look at SOX 404? We discuss the role of skepticism by auditors. We end with the forthcoming new auditor report format— the SEC is scheduled to approve that new standard regarding a new auditor report format soon and some people want the SEC to veto it. We discuss how new SEC Chair Jay Clayton may handle this by approving it by having a new PCAOB in place which takes a gentler approach to implementation.

For more information on the PCAOB, see Matt’s blog post PCAOB Overhaul Looms

For more on the intersection of compliance, audit and the PCAOB, see Tom’s four-part series with Joe Howell:

PCAOB, audits and compliance-Part I;

PCAOB, audits and compliance-Part II;

PCAOB, audits and compliance-Part III; and

PCAOB, audits and compliance-Part IV

There are multiple areas in the Department of Justice’s Evaluation of Corporate Compliance Programs which intersect with the area of continuous improvement. In addition to Prong 9. Continuous Improvement, Periodic Testing and Review; under Prong 1 Analysis and Remediation of Underlying Misconduct is found the following: Prior Indications Were there prior opportunities to detect the misconduct in question, such as audit reports identifying relevant control failures or allegations, complaints, or investigations involving similar issues? What is the company’s analysis of why such opportunities were missed? This also ties to the 2012 FCPA Guidance made clear that compliance audits, with actionable remediation plans, are a key component of any effective compliance program. Another way to do achieve these multiple and intersecting goals is through voluntary monitoring. when I recently visited with Vincent DiCianni, President and Founder of Affiliated Monitors, Inc. and Eric Feldman, Senior Vice President (SVP) and Managing Director, Corporate Ethics and Compliance Programs also at Affiliated Monitors, Inc. about their views on voluntary monitoring.

According Feldman, voluntary monitoring is an approach where a company “uses the services of an independent monitor to find out how their program is working and to be able to use that data with government regulators and law enforcement to demonstrate their due diligence in creating and continuously improving their corporate ethics and compliance program.” There are at least two different types of voluntary monitoring. Feldman articulated the first as “reactive proactivity” which is the situation where a company determines it has a potential compliance violation and they bring in an independent monitor to address the issue.

The genesis for this type of monitoring is some event, such as a whistleblower report, internal report or investigation or detect control picking up information which warrants additional investigation. Feldman provided a couple of examples. The first might be “where one business unit has a problem and they’re worried about the other business units and they want to get an assessment.” Another situation could be there is a problem in a sector or “industry and they know that that industry is being scrutinized by law enforcement or the regulators and they fully expect the regulators or law enforcement to be coming in and looking at them.” Yet another area could be in a geographic area such as China or another high-risk region.

DiCianni noted there is a second type of voluntary monitorship. It is where a company wants a true independent “to come in to test the quality of the program to see how impactful” the company’s compliance program is operating. It could assess a variety of issues, such as the compliance internal controls to test their benchmarking of a company’s compliance program. In this type of voluntary monitorship, the examiner is not focusing on one issue or region as laid out in the first example but it is broader.

Moreover, it allows a true independent to perform the assessment as DiCianni noted, “it’s very difficult for companies and for compliance officers and their teams to self-assess the strength of their programs. They just have difficulty doing that. It’s just not an easy thing for them to get their hands on, how good a job am I doing? By having an independent come in with no skin in the game, with complete objectivity, neutrality, no judgements, or pre-judging the work, looking at the company’s program, the quality of the program, the makeup of the team, the organizational structure, where it’s placed. All of those kinds of things are parts of this voluntary approach.” 

The benefits of both types of voluntary monitoring are multifold. It certainly helps to meet the Control Testing requirement found in the Evaluation. The 2012 FCPA Guidance stated, “An organization should take the time to review and test its controls, and it should think critically about its potential weaknesses and risk areas.” This type of approach can provide benefits if a company finds itself in FCPA hot water, as both the DOJ and Securities Exchange Commission (SEC) “will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines.” Yet the Guidance intones a business reason for the use of such techniques as voluntary monitoring when it stated, “Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improvement and sustainability.”

Feldman pointed out yet another reason for such a proactive approach is that such an approach can create an administrative record, which a company can use to demonstrate it has remedied the problems. Equally important it establishes the company is maintaining its commitment to doing business in compliance. The key is the independence of the monitoring personnel so they can present an accurate, unbiased opinion.

He presented the example of a company which had been debarred by the US government and needed to demonstrate an acceptable level of compliance to get off the debar list. He and his team performed a baseline assessment and from there developed a remediation plan, which the company implemented. After six months or so, he and his team came back to assess the progress made by the company. From this follow-up assessment, they generated a report which was used in a submission to the government which essentially noted, “We are now ready to be a responsible contractor as defined by the federal acquisition regulations and we propose an administrative agreement with continued monitored that would move it from voluntary monitoring over to mandatory monitoring for the next three years.”

Voluntary monitoring is an excellent technique through which a company can engage in continuous improvement. Nonetheless it has many other benefits as well, including regulatory and evidence in a criminal investigation if needed under anti-corruption laws such as the FCPA. The bottom line is that all those scenarios might justify a company to engage a voluntary monitorship to come in and do a complete ethics and compliance and cultural assessment or audit of their organization. 

Three Key Takeaways

  1. A voluntary monitorship can be reactive proactivity to look at a particular issue.
  2. A voluntary monitorship can be used to test a compliance program.
  3. A voluntary monitorship report can be used in a variety of legal and business manners.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.

Today, I continue a five-part series on what a Chief Compliance Officer (CCO) needs to consider when working through the remediation component of a potential Foreign Corrupt Practices Act (FCPA) compliance violation. I am joined in this exploration by Dan Chapman, well-known in the compliance community for his in-house compliance role a Baker Hughes Inc. and his CCO roles at Parker Drilling and Cameron International. Today I will consider step two: project timing.

While noting this was only an initial step, Chapman believes the first thing you need to consider is “what are your goals” and that you should consider your long-term goals in developing your remediation plan. It begins with two considerations; the first is completing the project on time. The second is to maintain the confidence of the Board and C-Suite level executives.

The timing aspect is not only about your planning but also about setting expectations. You need to plan what you hope to achieve and then scale it out for timing. You must take care the overall length is not beyond what people expect. Chapman noted “If people have expectations that aren’t proper, you want to set them right.” And the sooner you set realistic expectations the better.

I found it interesting that Chapman emphasized confidence as a critical element for success. He noted, “maintaining confidence from your Board, maintaining the confidence of senior management and demonstrating some quick wins is important, because that will allow you to repeatedly show that you have accomplished things, things aren’t just lingering.” This also allows you to keep the confidence level high on the medium and longer term aspects of your remediation plan. You must maintain this confidence on both the medium and longer term deliverables of your remediation plan. Once again, as with timing, you need to ascertain that your stakeholders have the same view of high and lower risk that you do or expectations can become skewed.

To begin Chapman advocated to come right out of the box “burning the candle at both ends”, which he further articulated as “you want to attack the low hanging fruit, or the items that can be completed quickly” within six months. Simultaneously you need to begin on your longest-term remediation projects, such as those which might take up to two years. Then mix in medium term projects with a 12-18 month shelf life. With this approach, in six months you will have demonstrated some early successes, moved halfway through to completing some medium-term projects and then should be one-quarter of the way through the longest-term projects.

Chapman cautioned that throughout this time, you must communicate with the stakeholders and manage expectations. He said, “You have to communicate when you reach, before you reach that six-month period, by the way, we are going to get these six months, short term items and quick wins done, so we can show those to the government authorities, and then we are going to move into a period where we’ll begin our medium term, and we’ll continue progress on our longer-term projects, all of which will conclude around 24 months. I say this knowing that no one is going to want to hear that. If you are a board member you are going to say, “So then what you are saying to me is you are going to start up something that’s going to take two years to do.” You are going to do some things that will take six months, but after six months we are not going to see much progress for the next 18 months.”

You will need to overlay your planning process with the expectations of the stakeholders in another manner; which is around the high, medium and low risk categories of tasks. If your Board or C-Suite level executive “believes that training should be your highest profile and you disagree and you do nothing there until six or 12 months, but you didn’t think that optically, don’t appear so important, but you personally believe are important, you are going to lose the confidence of your Board.”

As a CCO, you should be cognizant of known-unknowns and unknown-unknowns in any remediation project during the pendency of a FCPA investigation. In the planning process, this means you need to plan time for the unknown which may become known to you during the investigation or through your remediation efforts. You need to budget time into your remediation plan for new matters which may arise, because, as Chapman succinctly noted, “that’s what we do in compliance.” Moreover, “If you develop a tight schedule in terms of your remediation plan, you should expect that you will not complete on time, because part of the remediation program necessarily is the discovery of areas of improvement and correction of those areas of improvement.”

Chapman concluded that you must plan for the unexpected and this requires close coordination with your investigative counsel if new matters are discovered which need to be added to your remediation list. It may be that some are high-profile and high-priority, which require more immediate attention. It may be that they can be placed into the medium-term or longer-term buckets for completion. The bottom line is that no CCO can predict on Day One what all the remediation issues will be. You may have a sense that you understand the overall problem or that you are only looking at the tip of the iceberg but you must resist the temptation to declare on Day One that you know what all the issues that require remediation are or will be going forward.

Tomorrow I will consider communications with stakeholders in the remediation process.

 

Dan Chapman can be reached at jdanielchapman@gmail.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2017

Another mechanism for continuous improvement of your compliance program is through risk-based monitoring. Under Prong 5 of the DOJ’s Evaluation of Corporate Compliance Programs, is the following topic and question Manifested RisksHow has the company’s risk assessment process accounted for manifested risks? I found this to focus as much on continuous improvement, as it did with risk assessment through the emphasis on the risks which have been established and demonstrated by the organization. In other words, were you monitoring the risk that you have not only identified but also have revealed themselves to your organization.

I visited with Ben Locwin, Director of Global R&D at BioGen and an operational strategist in pharma and healthcare, to consider risk-based monitoring and how it helps to facilitate continuous improvement in a compliance program. Locwin said, “Risk-based monitoring is really about continuous, ongoing monitoring for those things which provide the most potential future risk to you. In other words, instead of a static risk registry that may come in part with forecasting, where you would say, “We’re trying to anticipate these risks.” By using risk-based monitoring to review issues on an ongoing basis, and the models that are behind the risk-based modeling, risk-based monitoring models, they’re continuously refined based on incoming data.”

The problem for many companies is they are siloed in not only their data but also in the systems. Locwin explained that because of the disparity of data systems, “They may not be tracking rigorous, quantified information all the time.” He cited to an example from the pharmaceutical world where a company could well have 50 worldwide sites where a drug product is being tested. Some patients receive a placebo and some patients receive the medication being tested. As data comes in you begin to note patterns in certain patients and groups, which might actually point towards a variety of testing errors by physicians administering the test.

Through the use of risk-based monitoring, you can begin to see things in “almost real-time, time-based trends of real data that you can then jump on and try to make adjustments before things get really wacky.” The implications to the compliance practitioner? Having access to information around sales, the sales process and corporate largess in things from Corporate Social Responsibility (CSR) work to gifts, travel and entertainment to conferences for customers and end users. Through the use of such risked-based monitoring a compliance professional would have the opportunity see trends developing which could allow an intervention for a prescriptive solution which could prevent an issue from becoming a Foreign Corrupt Practices Act (FCPA) violation.

Yet Locwin cautioned that compliance professionals should guard against bias. In an article by Locwin, entitled “Be Careful When Appraising Industry Trends”, he stated, “Social media has rapidly accelerated the agility with which the public can change allegiance and direction. It used to be that when information dissemination was slower and more compartmentalized within regions and market segments, that the market resistance to fluctuation was more robust. Now well-placed advertising, social commentary, or public response to corporate missteps can swirl into a maelstrom of market changes within hours that is agnostic to region or market segment.”

In today’s world, the speed at which reputational damage reigns out can overwhelm a corporation’s ability to respond. Here one might consider Wells Fargo and how fast the situation spun out of control for them after its $185MM fine was announced. It is through the use of risk-based monitoring, which allows for this almost real-time input, that a response to a forecasted, assessed or even unassessed risk can be developed. In the compliance world, such tools could be brought to bear when considering not only the expense side of such areas as gifts, travel and entertainment but also sales side data. This could be internal company data on its own salesforce and also information developed from or concerning your third-party sales team.

In Locwin’s primary world of pharmaceutical testing and product development, the need for such real-time information can be more critical. Yet through the development of these techniques as compliance tools, the compliance profession can add value to an organization through the use of risk-based monitoring. With the plethora of data on where and how corruption is likely to occur, coupled with meaningful sales and expense data, the compliance professional should be able to move from detect to prevent to prescriptive compliance solutions to prevent legal violations.

Finally, the beauty of all these techniques articulated by Locwin is that they are tools that can make companies more efficient and, at the end of the day, more profitable. They also move compliance into the fabric and DNA of an organization or in the words of Hui Chen, the former DOJ Compliance Counsel, operationalize compliance. Her intonation to operationalize compliance speaks use of a wide variety of tools to input information so you can continuously improve your compliance program. Risk-based monitoring is certainly one mechanism to obtain information and feed it back into your compliance program in both the prevent and detect prongs.

Three Key Takeaways 

  1. How do you monitor manifested risks?
  2. A risk-based monitoring approach allows you to see things in almost real-time.
  3. Management of risk can serve your compliance program in a variety of ways.

 

For more information on how an independent monitor can help improve your company’s ethics and compliance program, visit this month’s sponsor Affiliated Monitors at www.affiliatedmonitors.com.