One of the critical elements found in the Evaluation of Corporate Compliance Programs (Evaluation) is the need to use the information you obtain, whether through risk assessment, root cause analysis, investigation, hotline report or any other manner to remediate the situation which allowed it to arise. In an interview with Matt Kelly on the Radical Compliance podcast, former Department of Justice (DOJ) Compliance Counsel Hui Chen has said about the Evaluation, “We wanted people to see that we put a lot of emphasis on evidence and data. Don’t just tell us that you have a hotline. Show us how you know it’s working and how you’re using the information that you gain from these hotlines. When you say you have a great compliance portal, don’t just show us screenshots of it. Show us the hit rates and how you use that data to help you refine how you communicate with your audience.”

The same was true for the requirement of strong leadership by senior management and tone from the top. Chen related, “If you tell us you have a strong, talented top, show us what concrete actions your leaders have taken personally to demonstrate that. It’s not just some words that they say” but show the evidence. (Here please note the three most important things in compliance still matter: Document, Document, and Document).

Chen emphasized the Evaluation is not simply to be used or even considered as a checklist. It is designed to have Chief Compliance Officers (CCOs) and compliance professionals think about their compliance programs by asking questions. She explained, “Questions invite people to think. I like to call them evaluation questions. My goal is really to get people to really think about what they’re doing, what is the goal they’re trying to accomplish, how are they going to measure the results, how do they know it’s working. I’m a big fan of asking questions. The result of that, I’m hoping is that people really get to think about what they’re doing and why they’re doing it and how do they know that they’re successful at it.”

The Evaluation stated, under Prong 9 Continuous Improvement, Periodic Testing and Review, the following:

Evolving Updates How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?

One of the questions for the compliance practitioner is how to put into practice these requirements laid out in the Evaluation and expounded on by Chen in her remarks about it. It was detailed in a chapter in an eBook, entitled “Planning for Big Data – A CIO’s Handbook to the Changing Data Landscape, by the O’Reilly Radar Team. The chapter was authored by Alistair Croll, entitled “The Feedback Economy. Croll believes that big data will allow innovation through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using it to make your business more agile, efficient and profitable is the greatest advantage.

Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the CCO, this means that if your company can collect and analyze information better, you can act on that information faster.

Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in the data; “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.

The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud.

A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.”

Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.”

Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” However, for many business leaders, displaying the data is most difficult because it is not generally in a readable form. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments.

Of course, having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment evaluations around hiring and firing decisions, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. It advocates “fast, iterative learning.” Big data allows you to make a quicker assessment of the impact of measured risks.

Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”.

Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you, should facilitate a more agile and directed business. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does.

The bottom line for every CCO is that your compliance is dynamic not static. You must continually review, refine and update your compliance program based upon new information made available to you. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does. 

Three Key Takeaways

  1. Innovation can come through a new way to think about and use data going forward.
  2. The OODA loop stands for observe, orient, decide and act.
  3. Always remember with machine learning and analysis, there is no substitute for human eyes and ears.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

After having seen the Moody Blues feature Days of Future Passed last week, my wife and I caught John Fogarty in concert over the weekend (yes, it is beginning to look like the rock and roll compliance blogger is back). As you might expect they were very different experiences, with Fogarty clearly reveling in rocking out, most particularly with two of his sons who joined him on stage. He also told a story, which informs today’s blog post as well. It fits into today’s theme of greater success by obsessing on less.

After Fogarty’s band, Creedence Clearwater Revival, broke up in 1973, Fogarty literally gave away his favorite guitar, a Rickenbacker model 325 to a 12-year-old. This was the guitar that he had used on all the Creedence albums, he had taken around the world on tour and that he had played at Woodstock. Fogarty was quoted in a Rolling Stone piece by Andy Greene ““I was just detached and numb at that point. I think I gave it away to sort of end that chapter of my life.”” Some 40 years later, Fogarty casually mentioned to his wife he would like it back. Green wrote, “Without telling him, she launched an extensive search to track it down that ultimately led to Gary’s Classic Guitars in Loveland, Ohio.”

His wife, Julie, gave it to him as a Christmas present, wrapping it in one of his trademark plaid shirts. Green noted, “On his wife’s urging, he removed the shirt and began peeling back the wrapping paper, revealing a Rickenbacker guitar case. Tears began welling up as he realized what he was about to see. “I was immediately struck dumb,” Fogerty says. “I turned to my wife and said, ‘Am I about to get overwhelmed here?’” He opened the guitar case and began sobbing uncontrollably.”

I thought about that story when I read a recent On management column by Andrew Hill in the Financial Times (FT), entitled “A resolution to achieve more: try to obsess over less”, where he took the opposite tact of most professionals in their New Year’s resolutions. While many resolve to achieve more at the start of a New Year, Hill advised to try and take something away. His approach was more sophisticated than simply resolving to say ‘No’ more in 2018 but more efficiently manage the time you do have to get things done through refocusing and prioritization. Put another way, Hill suggested taking on less but obsessing more over it.

He presented a fascinating example which he pulled from the book Great at Work by Morten Hansen on the race to the South Pole. Englishmen and most Americans focus on Robert Falcon Scott and his tale of heroic failure, which of course is very English. Norwegian explorer Roald Amundsen who actually won the race to the South Pole is generally given short shrift in this tale. Amundsen beat Scott to the Pole, and on Scott’s return to his base camp, he and his team were caught in blizzard and all the team perished.

Yet Hill posits that Amundsen won the race to the pole because he simplified and obsessed over his transport. Scott, who had a larger crew, “set off with multiple options, including motorised sleds, ponies and dogs. But the complexity of the Scott approach — in an ominous insight, the naval officer referred to his “disorganised fleet” — proved fatal.”  Amundsen focused on the best sled “dogs, best handlers and best training and was far quicker” to the pole than Scott. This allowed Amundsen to return to his base camp sooner. Hill quoted Hansen that when you do less, you must obsess more “because if you don’t obsess, you don’t have an advantage over people who do more things.”

In the compliance world, this is akin to what Dresser-Rand Chief Compliance Officer (CCO) Jan Farley often says, “Don’t sweat the small (compliance) stuff.” Farley often speaks about the need not to waste your scarce compliance resources on areas or matters that are low compliance risks. But to do this, you need to understand what are your highest compliance risks. Since you will not have additional resources to perform such an analysis, I would suggest now would be a very good time for you to assess your compliance program and your business model to see what are your highest risks. If you believe there are several, you can prioritize them. This exercise will give you the basis to deliver your ever-scarcer compliance resources to your highest risk areas.

While I do not believe the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will be sympathetic to some unsubstantiated claim along the lines of ‘I did my best with what I had’; they also made clear in the 2012 FCPA Guidance that “An effective compliance program promotes “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. “A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” (emphasis supplied)

For 2018, this means focus on your highest compliance risks, risk-rank them, then prioritize them through a robust risk management process lifecycle. One of the key elements in this process is to put information developed in your risk-based monitoring into your compliance program through a feedback loop. By focusing on these highest risks and not worrying about trying to manage all risks, you will have a more robust compliance regime. Hill ended his piece with the following, “Sometimes, though, the best approach may be to simplify a process, cut the size of a team, or impose a new strategic focus. How can you and your team achieve more this year? Try taking something away.”

While the DOJ and SEC will not accept your bald-faced claims that our company simply did not have the money to spend on compliance, they will most-probably consider a compliance program where you have looked at your risks and delivered the compliance resources you do have to those risks. But the key is Document, Document, and Document your decision-making calculus and your implementation.

You might also explain to them about Julie Fogarty and her obsessive search for a 40-year-old lost guitar.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2018

Today I visit with James Shields, the Creative Director for Twist and Shout Communications, a UK company which creates training video using comedy as the touchstone. You can check out a selection of the company’s offerings on its sight, Tuesday’s with Bernie. I visit with Shields about the creative process his company uses, how comedy can translate across a wide variety of cultures and language to be an effective training tool. The company has found that comedy generates a visceral reaction, a reaction based on feeling rather than intellect. Because of this reaction, employees are more interested and more engaged in compliance training; all of which makes it more effective. 

The company believes that both culture and behavioral change is an emotional process, not just ‘training’, and internal communication done properly can change a culture. Whether the subject is as dull as anti-corruption compliance or as fundamental as transformational change in the business, comedy will make employees sit up and take notice. They believe that by focusing on humor, the training will help break down both the individual training against compliance training as well as work to strengthen the overall corporate culture.

But more than simply stand-alone videos, the company seeing compliance training as a process. From the creative side the process includes an integrated story line which will engage employees, third parties and other relevant stakeholders. Shields also believes that putting comedy into context is important – the audience needs to relate to what they are seeing on screen so the environment and characters should feel familiar. That is when the message feels authentic and resonates much more strongly.

Finally Shields and the company have put together an entire training campaign structure. Why don’t you think about your training like you would a movie or other marketing campaign. They lay it out in White Paper entitled, “Engaging the YouTube Generationwhich you should definitely check out.

Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs which listed three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each was category further refined with multiple attendant questions. Your program must demonstrate continually improvement.

Internal Audit What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?

Control Testing Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? 

Evolving Updates How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? 

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. 

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complimentary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered.

 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

There is nothing like an internal whistleblower report about a FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However, it may well be the time for a very serious reality check. Responding to your investigation findings is critical.

The DOJ Evaluation of Corporate Compliance Programs focuses on this question in Prong 7 with the following: Response to Investigations What has been the process for responding to investigative findings? You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to initiate the talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.

One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. Russ Berland, the Chief Compliance Officer at Dematic Inc., has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and from then on, you’re fighting with everybody else for their attention, like the normal things in business life.”

You need to explain the costs to the Board and senior management. The bottom line is that your return on investment here is going to be very high if you put the resources into remediation and it do this well. This is easier with the information that was provided in the 2017 FCPA Corporate Enforcement Policy as it demonstrated how much discount a company can receive below the minimum range of the US Sentencing Guidelines for remediation.

Dan Chapman, former CCO at Parker Drilling and Cameron International, also believes that costs must be adequately discussed to set proper expectations. These include both direct and, even more importantly, indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “everything stops to focus on the investigation.” This indirect cost comes largely through the time commitment of senior management, because “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.”

You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had clear policy.” The same types of arguments come into play in areas generally considered the purview of Human Resources (HR), i.e. recruiting and retention.

While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because, “you’re just going off suppositions and guesses.”

He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed.

Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the 2017 FCPA Corporate Enforcement Policy. Moreover, the executive attention will have dissipated, or, as Berland notes, “When you’ve got the energy, use it.”

Three Key Takeaways

  1. A serious FCPA allegation gets the attention of the Board and senior management. Use this time to move the compliance program forward.
  2. Be aware of how your investigation can impact and even inform your remediation efforts.
  3. How do you deal with the dreaded ‘where else’ question?

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.