One of the critical elements found in the Evaluation of Corporate Compliance Programs (Evaluation) is the need to use the information you obtain, whether through risk assessment, root cause analysis, investigation, hotline report or any other manner to remediate the situation which allowed it to arise. In an interview with Matt Kelly on the Radical Compliance podcast, former Department of Justice (DOJ) Compliance Counsel Hui Chen has said about the Evaluation, “We wanted people to see that we put a lot of emphasis on evidence and data. Don’t just tell us that you have a hotline. Show us how you know it’s working and how you’re using the information that you gain from these hotlines. When you say you have a great compliance portal, don’t just show us screenshots of it. Show us the hit rates and how you use that data to help you refine how you communicate with your audience.”

The same was true for the requirement of strong leadership by senior management and tone from the top. Chen related, “If you tell us you have a strong, talented top, show us what concrete actions your leaders have taken personally to demonstrate that. It’s not just some words that they say” but show the evidence. (Here please note the three most important things in compliance still matter: Document, Document, and Document).

Chen emphasized the Evaluation is not simply to be used or even considered as a checklist. It is designed to have Chief Compliance Officers (CCOs) and compliance professionals think about their compliance programs by asking questions. She explained, “Questions invite people to think. I like to call them evaluation questions. My goal is really to get people to really think about what they’re doing, what is the goal they’re trying to accomplish, how are they going to measure the results, how do they know it’s working. I’m a big fan of asking questions. The result of that, I’m hoping is that people really get to think about what they’re doing and why they’re doing it and how do they know that they’re successful at it.”

The Evaluation stated, under Prong 9 Continuous Improvement, Periodic Testing and Review, the following:

Evolving Updates How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries?

One of the questions for the compliance practitioner is how to put into practice these requirements laid out in the Evaluation and expounded on by Chen in her remarks about it. It was detailed in a chapter in an eBook, entitled “Planning for Big Data – A CIO’s Handbook to the Changing Data Landscape, by the O’Reilly Radar Team. The chapter was authored by Alistair Croll, entitled “The Feedback Economy. Croll believes that big data will allow innovation through the “feedback economy”. This is a step beyond the information economy because you are using the information that you have generated and collected as a source of information to guide you going forward. Information itself is not the greatest advantage but using it to make your business more agile, efficient and profitable is the greatest advantage.

Croll draws on military theory to illustrate his concept of a feedback loop. It is the OODA loop, which stands for observe, orient, decide and act. This comes from military strategist John Boyd who realized that combat “consisted of observing your circumstances, orienting yourself to your enemy’s way of thinking and your environment, deciding on a course of action and then acting on it.” Croll believes that the success of OODA is in large part “the fact it’s a loop” so that the results of “earlier actions feedback into later, hopefully wiser, ones.” This should allow combatants to “get inside their opponent’s loop, outsmarting and outmaneuvering them” because the system itself learns. For the CCO, this means that if your company can collect and analyze information better, you can act on that information faster.

Croll believes one of the greatest impediments to using this OODA feedback loop is the surplus of noise in the data; “We need to capture and analyze it well, separating the digital wheat from the digital chaff, identifying meaningful undercurrents while ignoring meaningless flotsam. To do this we need to move to more robust system to put the data into a more usable format.” Croll moves through each of the steps in how a company collects, analyzes and acts on data.

The first step is data collection where the challenge is both the sheer amount of data coming in and its size. Once the data comes in it must be ingested and cleaned. If it comes into your organization in an unstructured format, you will need to cut it up and put into the correct database format for use. Croll touches on the storage component of where you place the data, whether in servers or on the cloud.

A key insight from Croll is the issue of platforms, which are the frameworks used to crunch large amounts of data more quickly. His key insight is to break up the data “into chunks that can be analyzed in parallel” so the data can be considered and acted upon more quickly. Another technique he considers is “to build a pipeline of processing steps, each optimized for a particular task.”

Another important component is machine learning and its importance in the data supply chain. Croll observes, “we’re trying to find signal within the noise, to discern patterns. Humans can’t find signal well by themselves. Just as astronomers use algorithms to scan the night’s sky for signals, then verify any promising anomalies themselves, so too can data analysts use machines to find interesting dimensions, groupings or patterns within the data. Machines can work at a lower signal-to-noise ratio than people.”

Yet Croll correctly notes that as important as machine learning is in big data collection and analysis, there is “no substitute for human eyes and ears.” However, for many business leaders, displaying the data is most difficult because it is not generally in a readable form. It is important to portray the data in more visual style to help convey the “dozens of independent data sources” into navigable 3D environments.

Of course, having all this data is of zero use unless you act on it. Big data can be used in a wide variety of decision making, from employment evaluations around hiring and firing decisions, to strategic planning, to risk management and compliance programs. But it does take a shift in compliance thinking to use such data. It advocates “fast, iterative learning.” Big data allows you to make a quicker assessment of the impact of measured risks.

Croll ends his chapter by noting that the “big data supply chain is the organizational OODA loop.” But unlike the OODA loop, it is more than simply about the loop and plugging information as you move through it. He believes “big data is mostly about feedback”; that is, obtaining the impact of the risks you have accepted. For this to work in compliance, a company’s compliance discipline needs to both understand and “choose a course of action based upon the results, then observe what happens and use that information to collect new data or analyze things in a different way. It’s a process of continuous optimization”.

Whether you consider the OODA loop or the big data supply chain feedback, this process, coupled with the data that is available to you, should facilitate a more agile and directed business. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does.

The bottom line for every CCO is that your compliance is dynamic not static. You must continually review, refine and update your compliance program based upon new information made available to you. The feedback components in both processes allow you to make adjustments literally on the fly. If that does not meet the definition of innovation, I do not know what does. 

Three Key Takeaways

  1. Innovation can come through a new way to think about and use data going forward.
  2. The OODA loop stands for observe, orient, decide and act.
  3. Always remember with machine learning and analysis, there is no substitute for human eyes and ears.

This month’s podcast sponsor is Convercent. Convercent provides your teams with a centralized platform and automated processes that connect your business goals with your ethics and values. The result? A highly strategic program that drives ethics and values to the center of your business. For more information go to Convercent.com.

Are you regularly assessing your internal controls? This requirement was set out in the 10 Hallmarks of an Effective Compliance Program and was brought forward into the Evaluation of Corporate Compliance Programs. In the Evaluation, Under Prong 9 Continuous Improvement, Periodic Testing and Review, it stated “Control Testing Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? 

Fortunately, the COSO 2013 Internal Controls Framework considered assessing compliance internal controls. In its Illustrative Guide, entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (‘the Illustrative Guide’), COSO laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements that can only be met through such a structured post. First, each of the five components are present and functioning. Second, are the five components “operating together in an integrated approach”. One of the most critical components of the COSO Framework is that it sets internal control standards against those which you can audit to assess the strength of your compliance internal controls.

As the COSO 2013 Framework was designed to apply to a wider variety of corporate entities, your audit should be designed to test your compliance internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of compliance internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies that you may turn up and whether or not there are any compensating compliance internal controls. (3) Assess whether each principle of your compliance internal controls is present and functioning. The task here is determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis.

Another way to think through the approach is through a component evaluation which rolls up the results of the component’s principle evaluations and allows a re-evaluation of the severity of any deficiency in your compensating controls. Lastly, an overall Effectiveness Assessment that would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went onto define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For objective criteria such as written policies in categories as laid out in the FCPA 2012 Guidance, (the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments), if you do not have such controls; it would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.” Fortunately such a standard is easily met. 

However, if there are no objective criteria, as laid out in the FCPA 2012 Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, Document feature is critical in any best practices anti-corruption or anti-bribery compliance program. With the Illustrative Guide COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the SEC comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions.

Three Key Takeaways

  1. An effective system of internal controls provides reasonable assurance of achievement of the company’s objectives, relating to operations, reporting and compliance.
  2. There are two over-arching requirements for effective internal controls. First, each of the five components are present and function. Second, are the five components operating together in an integrated approach.
  3. For an anti-corruption compliance program, you can use the Ten Hallmarks of an Effective Compliance Program as your guide to test against.

 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

 

Under Hallmark Nine of Ten Hallmarks of an Effective Compliance Program as articulated in the 2012 FCPA Guidance, it stated, “Finally, a good compliance program should constantly evolve.” This insight was carried forward in the Department of Justice’s 2017 Evaluation of Corporate Compliance Programs which listed three types of continuous improvement: (1) internal audit, (2) control testing, and (3) evolving updates; each was category further refined with multiple attendant questions. Your program must demonstrate continually improvement.

Internal Audit What types of audits would have identified issues relevant to the misconduct? Did those audits occur and what were the findings? What types of relevant audit findings and remediation progress have been reported to management and the board on a regular basis? How have management and the board followed up? How often has internal audit generally conducted assessments in high-risk areas?

Control Testing Has the company reviewed and audited its compliance program in the area relating to the misconduct, including testing of relevant controls, collection and analysis of compliance data, and interviews of employees and third-parties? How are the results reported and action items tracked? What control testing has the company generally undertaken? 

Evolving Updates How often has the company updated its risk assessments and reviewed its compliance policies, procedures, and practices? What steps has the company taken to determine whether policies/procedures/practices make sense for particular business segments/subsidiaries? 

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the 2012 FCPA Guidance, two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Continuous improvement through continuous monitoring or other techniques will help keep your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. 

Three Key Takeaways

  1. Your compliance program should be continually evolving.
  2. Monitoring and auditing are different, yet complimentary tools for continuous improvement.
  3. DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered.

 

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.

In this episode, Jay Rosen and myself take a look at some of the top compliance stories over the past week.

  1. Are CCOs at risk? Indeed is should the entire compliance industry be running for cover. Adam Dobrik explores explore in GIR. Court Golumbic explores in “The Big Chill”: Personal Liability and the Targeting of Financial Sector Compliance Officers” in the NYU Compliance and Enforcement Blog.
  2. Tom and Mike Volkov argue the new FCPA Corporate Enforcement Policy has ended, once and for all, the debate around amending the FCPA to add a compliance defense. See Tom’s article in Compliance Week Magazine and listen to Mike Volkov’s podcast.
  3. The FCPA will be with us for years to come, argues Jaclyn Jaeger in her Compliance Week piece, “How the FCPA withstands the test of time
  4. Teva Pharmaceuticals resolves bribery case with Israel authorities. Chiam Gelfand reports in a guest post on the FCPA Blog.
  5. Ben DiPietro considers whether AI will have machine executable rules, in the Wall Street Journal Risk and Compliance Report.
  6. Roy Snell publishes a heartfelt letter to retiring Pat Kelly, the FBI Integrity and Compliance Officer in the SCCE Blog.
  7. Matt Kelly explore the salary misconduct penalty in two posts on his Radical Compliance blog, The Salary Penalty for Misconduct and More Thoughts. Matt & I explored the issue on the most recent episode of Compliance into the Weeds.
  8. Jonathan Marks explains why skepticism is an auditor friend in Skepticism – a Weapon to Fight Fraud in his Board and Fraud blog.
  9. Join Tom’s monthly podcast series on One Month to a More Effective Compliance Program, sponsored this month by Convercent. In January, I bring together the entire year of compliance program best practices with 31 days to a more effective compliance program. It is available on the FCPA Compliance Report, iTunes, Libsyn, YouTube and JDSupra.
  10. Tom announces his next Compliance Master Class, sponsored by Marcum LLP. It will be held on February 12 & 13 at Marcum’s offices in Miami, FL. More information or a copy of the agenda, or to register, will be available on my website, FCPA Compliance Report or at Marcum LLP.
  11. Join Tom and Dun & Bradstreet CCO Louis Sapirman for a SCCE Webinar on 360-Degrees of Compliance Communication. Registration and information is available here.
  12. Jay is too worried about Tom Brady’s hand to get out a weekend report. Should he be? Jacob Feldman reports in Sports Illustrated.
  13. We preview this week’s NFL playoffs.

Focusing on investigations under Prong 7 in the Evaluation it stated, Properly Scoped Investigation by Qualified Personnel How has the company ensured that the investigations have been properly scoped, and were independent, objective, appropriately conducted, and properly documented? Moreover, with the advent of the SEC Whistleblower Program, courtesy of Dodd-Frank, it is imperative that a company quickly and efficiently investigate all hotline reports. This means you need an investigation protocol in place so that the entire compliance function is on the same page and knows what to do.

Your company should have a detailed written procedure for handling any complaint or allegation of bribery or corruption, regardless of the means through which it is communicated. The mechanism could include the internal company hot-line, anonymous tips, or a report directly from the business unit involved. You can make the decision on whether or not to investigate with consultation with other groups such as the Audit Committee of the Board of Directors or the Legal Department. The head of the business unit in which the claim arose may also be notified that an allegation has been made and that the Compliance Department will be handling the matter on a go-forward basis. Through the use of such a detailed written procedure, you can work to ensure there is complete transparency on the rights and obligations of all parties, once an allegation is made. This allows the Compliance Department to have not only the flexibility but also the responsibility to deal with such matters, from which it can best assess and then decide on how to manage the matter.

Indeed, the SEC considers a variety of factors around giving credit to corporate investigations including: Did management, the board or committees consisting solely of outside directors oversee the review? Did company employees or outside persons perform the review? If outside persons, have they done other work for the company? If the review was conducted by outside counsel, had management previously engaged such counsel? How long ago was the firm’s last representation of the company? How often has the law firm represented the company? How much in legal fees has the company paid the firm?

In a presentation by Jay Martin, Vice President, Chief Compliance Officer (CCO) and the Senior Deputy Counsel for Baker Hughes Incorporated and Jacki Trevino, Senior Consultant, Advisory Services at SAI Global entitled, “FCPA Compliance Best Practices: Success Stories of Robust and Effective Anti-Corruption Compliance Programs in High Risk Markets” they discussed the specifics of an investigation protocol.

Step 1: Opening and Categorizing the Case. This first step, to categorize a compliance violation. You should notify the relevant individuals, including those on your investigation team and any senior management members under your notification protocols. Step 1 should be accomplished in one to three days after the allegation comes into compliance.

Step 2: Planning the Investigation. After assembling your investigation team, determine the required investigation tasks. These would include document review and interviews. If hard drives need to be copied or documents put on hold or sequestered in any way, this should also be planned out at this time. Step 2 should be accomplished with another one to three days.

Step 3: Executing the Investigation Plan. Under this step, the investigation should be completed. Step 3 should be accomplished in one to two weeks.

Step 4: Determining Appropriate Follow-Up. At this step, the preliminary investigation should be completed and you are ready to move into the final phases. This group would decide on the appropriate disciplinary steps or other actions to take. Step 4 should be completed in one day to one week.

Step 5: Closing the Case. Under this final step, communicate the investigation results to the stakeholders and complete the case report.   

Three Key Takeaways

  1. A written protocol, created before an investigation is a key starting point.
  2. Create specific steps to follow so there will be full transparency and documentation going forward.
  3. Consistency in approach is critical.

As the leading provider of ethics and compliance cloud software, Convercent connects ethics to business performance by weaving ethics and values into everyday operations in more than 600 of the world’s largest companies. Its Ethics Cloud Platform, provides a suite of applications: Convercent Insights, Convercent Helpline, Convercent Campaigns, Convercent Disclosures and Convercent Third Party. For more information go to Convercent.com.