Spud Webb

On this day 30 years ago, history was made when Spud Webb won the 3rd NBA Slam Dunk contest. Webb joined future Hall-of-Famers Michael Jordan, who won the inaugural contest in 1984, and Dominique Wilkins, who won the second event in 1985, as the Slam Dunk champ. What made Webb’s win so noteworthy? It was his size. He was 5 feet, 9 inches tall and the shortest player in the league at that time. Webb played for 12 seasons in the NBA, mostly with the Atlanta Hawks, but for anyone who tuned in that day, we will never forget when Spud Webb stood the tallest of all the players.

I thought about Webb, his biggest moment of personal glory, and individual responsibility when I read Sunday’s Fair Game column in the New York Times (NYT) by Gretchen Morgenson, entitled “Fixing Banks by Fining the Bankers.” Morgenson has written several pieces about the banking scandals coming out of the 2008 financial crisis and beyond, coupled with the lack of personal accountability in all of the settlements with US regulators.

She began her piece with the certain truism, “Ho-hum, another week, another multimillion-dollar settlement between regulators and a behemoth bank acting badly.” The settlement she referenced involved two financial institutions, Barclays and Credit Suisse, which agreed to pay $154.3MM regarding their misrepresentations to investors around high-frequency trading. But what concerned Morgenson was the following: “As has become all too common in these cases, not one individual was identified as being responsible for the activities. Once again, shareholders are shouldering the costs of unethical behavior they had nothing to do with.”

Morgenson wrote that the reason behind the continued failings of banks “could not be clearer: Years of tighter rules from legislators and bank regulators have done nothing to fix the toxic, me-first cultures that afflict big financial firms.” She believes it is a failure of banks to change their culture. In her piece she quoted the Chairman of FINRA, Richard Ketchum, who said that firms continue to have violations because of “poor cultures of compliance”. He finds the opposite to be true as well, stating, “Firms with a strong ethical culture and senior leaders who set the right tone, lead by example and impose consequences on anyone who violates the firm’s cultural norms are essential to restoring investor confidence and trust in the securities industry.”

The rules and regulations of compliance can set down the written standards for employees to follow. Yet for a compliance program to be effective, it is much more than the paper part of the program. Morgenson believes that banks must change their culture to help stop these systemic breakdowns. Yet she did not end her piece there as she explored what regulators can do, more than simply talk, to facilitate this change in culture.

She considered two separate approaches regulators might consider. The first was suggested by Andreas Dombret, a member of the executive board of Deutsche Bundesbank, who noted, “Most companies have codes of ethics, but they often exist only on paper.” To help reinforce the message of doing business ethically and in compliance, he also suggested banking regulators could encourage a more ethical approach by routinely monitoring how a bank cooperates with the regulatory authorities, particularly in an oversight role. Finally he asked, “How often is the bank the whistle-blower?” He felt this question was important because “Not only to get a lesser penalty but also to show that it won’t accept that kind of behavior. We are seeing more of that.”

These suggestions would seem to be more aligned with an industry with significant oversight, such as banking. So I found the second area she explored more directly applicable to the Foreign Corrupt Practices Act (FCPA). It met her criticism that it was either the shareholders or perhaps the company D&O insurance carrier who foot the bill for any FCPA violation.

She explored an idea posited by Claire A. Hill and Richard W. Painter, professors at the University of Minnesota Law School, in a new book they published, entitled “Better Bankers, Better Banks”. In this book the law professors urged “making financial executives personally liable for a portion of any fines and fraud-based judgments a bank enters into, including legal settlements.” The professors called this “covenant banking.”

This covenant banking plan had some very interesting elements that spoke to the issue of individual v. corporate liability, similar to the discussion compliance professionals have engaged in since the release of the Yates Memo. Morgenson said the covenant banking plan “contains a crucial element, requiring the best-paid bankers in the company to be liable for a fine whether or not they were directly involved in the activities that generated it. Such a no-fault program, the professors argued, would motivate bankers not only to curb their own problematic tendencies but to be on the alert for colleagues’ misbehavior as well.” She quoted the book’s authors stating that this plan would help to change corporate culture as it “discourages bad behavior and its underlying ethos, the competitive pursuit of narrow material gain.”

Moreover, the professors believe, “If bankers aren’t willing to institute a system involving personal liability, regulators and judges could require it as part of their settlements or rulings. Something like covenant banking could be included in nonprosecution agreements. Or a judge overseeing a case in which a company is paying $50 million could require individuals to pay $10 million of that personally.” Finally, “A regulator could give a company the choice of a far lower fine if it were to be paid by managers, not shareholders. A company choosing to pay the higher fine and billing it to the shareholders would have some explaining to do”.

While most banks or non-financial institutions subject to the FCPA might well be reluctant to put such corporate strictures in place, it certainly could be a part of a civil penalty which comes before a court for review and consideration, such as when the Securities and Exchange Commission (SEC) goes to court when filing a Cease and Desist order in an FCPA enforcement action.

The Yates Memo recognized that individual accountability will help to drive compliance with the FCPA. The problem in going after individuals is that it is often difficult to pinpoint any single action or series of actions by a senior manager that may have led to the violation. It can be as nefarious as the General Motors (GM) nod or simply the diffusion of liability that was the basis for the original creation of the corporate structure long ago.

Yet, by focusing on corporate culture Morgenson, the banking industry and banking regulators are hitting on a key theme. Paper programs are only that if there is not the culture of compliance set by senior management that the company will follow the rules. I was also intrigued that both FINRA Chairman Ketchum and banker Dombret recognized the business problem which poor cultures of compliance led to, lack of faith in capital markets and the securities industry. If companies will work to enhance culture, they move to addressing this most serious and long-term business issue.

Spud Webb was the first ‘Little Big Man’ in the modern era of the NBA. His 12-year run of success led to players such as the five-foot, five-inch Earl Boykins and five-foot, three-inch Muggsy Bogues. In 2006, 5’9” Nate Robinson of the New York Knicks became the second-shortest player to emerge victorious in the NBA slam-dunk contest. Webb changed NBA culture just as corporate culture can be changed as well.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2016

Data Analysis Quick Start Methodology

Today, I continue my exploration of data analysis with Joe Oringel, co-founder and Managing Director of Visual Risk IQ, a consulting firm that helps audit and compliance people see and understand their data. Today, we look at how to set up a data analysis program and how to use it to help monitor for a compliance program.

I asked Oringel how he helps clients think through a project that involves data analytics. As a lawyer, I was intimidated by the issues of not only how to get the data but how to use it going forward. Oringel then laid out their firm’s five-step process and said that for any Visual Risk IQ analytics project, the steps are: (1) Brainstorming, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Step 1 – Brainstorming

It all begins with Step 1, brainstorming. Any data analysis project in a compliance setting, or any business context, begins by picking the business questions to answer with data. So in an initial meeting, Visual Risk IQ’s team might ask one or more of the following opening questions: What do we expect to find if we do a detailed review of this data? What policies should have been followed? What would a mistake or even fraud look like? The data to be reviewed could be expense reports, accounts payable invoices, or sales contracts. The key to successful brainstorming is to identify the questions you want to ask and answer, and then identify the digital data sources that can best answer these questions. This process should be iterative, with questions being refined based on the available sources of digital data. This brainstorming process that Oringel and his team use is central to their work in helping clients develop queries specific to their organization.

Step 2 – Acquire and Map the Data

Acquiring and mapping data can be a technical step, but most modern software can create files that can be easily read by basic data analysis software, such as Microsoft Excel, as well as more advanced tools. Mapping data is simply identifying, naming, and categorizing the data fields (e.g. text, dates, numbers) so that the software tool can best interpret the data for analysis. Many data sources are internal (e.g. sales or expense transactions) but increasingly external sources from vendors and business partners are used too. Even the US Government is an occasional data source for analytics, as various Federal Departments publish watch lists of debarred individuals and companies.

Once the data is loaded into the analysis tool, control totals should be compared to source systems for completeness and accuracy. Oringel recommends comparing record counts, grand totals, and even selected balances for a sample of records to make sure that nothing was lost in translation into the data analysis tool. Once data is confirmed to be complete and accurately loaded and mapped into the analysis tool, then the real fun can begin.

Step 3 – Writing the Queries

Oringel identified Step 3 as writing the queries. Though it can be valuable to double-check the accuracy of reports that are provided from existing internal and external systems, Oringel recommends using data analysis to answer questions that are not readily reported from internal systems. Often comparing data across multiple data files can yield the most interesting results.

While writing queries surely sounds technical, it can be quite simple. Sorting data from oldest to newest or biggest to smallest is often only a few clicks of the mouse. Once sorted by several different columns, business insights can be quick. Writing queries is simply writing the business questions you laid out in the brainstorming session, and using software in a way that makes it easy to understand the answers.

A simple example would be “Show me any purchasing transaction that didn’t have the proper pre-approval.” This answer can be identified by comparing the dates between purchase orders and invoices, and then looking for any vendor invoice date that is prior to the purchase order date. Other query techniques are similarly simple, yet effective.

Step 4 – Analyze and Report Results

Oringel said that Step 4 is to analyze and report the results. I have wondered how a compliance practitioner would be able to not only view but then use such information. He said that Visual Risk IQ’s tagline comes from this notion. “See. Analyze. Act.” has been a part of their firm since 2006. By summarizing results in a way that measures something important, an action step becomes apparent. In the example above, if a vendor’s invoice date pre-dated its purchase order, then the action step is to understand if the date it was received may be later than the date on the document itself. Perhaps the vendor has backdated that invoice in hopes of earlier payment, instead of our purchase order having been created after the fact to cover up the lack of required pre-approval.

Oringel recommends summarizing the results of data analysis into visual form, for example by showing color, size, and location in a graph, so that the compliance practitioner can understand what has happened, quickly see the data and conclude whether the picture supports a decision of whether the transaction was or was not compliant.

Step 5 – Refine and Sustain

That brings us to Step 5, which Oringel identified as refine and sustain. Part of this step is about fixing the root cause of any problem identified through data analysis. I certainly believe one of the key functions for any compliance practitioner, and one of the first things you should do, is to make sure any violations of your policies and procedures do not move to an illegal conduct stage.

Yet there are other remedial steps that Oringel believes are critical at this stage. He said that when a condition or transaction is identified as being a potential issue, documenting the next action step and ensuring its proper completion is important. If an employee incorrectly submitted a personal or duplicate expense (e.g. they claimed $20 for a lunch yet they were listed as having attended a lunch paid by someone else on the same day) and they were reimbursed for a personal expense on a travel expense trip report, then the organization should ask for reimbursement of that expense and ensure thorough follow-up.

Consistent action when these circumstances arise is important. Seeking and obtaining reimbursement for improper expenses should not be based on whether the employee is an officer or a manager or an individual contributor, or even the amount of the error.
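The control-total check from Step 2 and the pre-approval query from Step 3, worked through as an added example that is not part of the original post or Visual Risk IQ's tooling. The CSV extracts, column names and source-system control totals are constructed for illustration, and the example also flags invoices with no matching purchase order, a case the post does not discuss.

```python
import csv
import io
from datetime import date
from decimal import Decimal

# Constructed sample extracts (not real data); column names are assumptions.
PO_CSV = """po_id,vendor,po_date,amount
PO-1001,Acme Supply,2016-01-04,1200.00
PO-1002,Birch Logistics,2016-01-11,845.50
PO-1003,Cedar Consulting,2016-01-20,15000.00
PO-1004,Acme Supply,2016-01-25,310.25
"""

INVOICE_CSV = """invoice_id,po_id,vendor,invoice_date,amount
INV-501,PO-1001,Acme Supply,2016-01-09,1200.00
INV-502,PO-1002,Birch Logistics,2016-01-08,845.50
INV-503,PO-1003,Cedar Consulting,2016-01-20,15000.00
INV-504,PO-1004,Acme Supply,2016-01-19,310.25
INV-505,PO-1999,Delta Freight,2016-01-22,990.00
"""

# Control totals as reported by the (hypothetical) source systems.
PO_CONTROL = {"records": 4, "total": Decimal("17355.75")}
INVOICE_CONTROL = {"records": 5, "total": Decimal("18345.75")}


def load(csv_text, date_field):
    """Map the fields: dates become date objects, amounts become Decimal."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        row[date_field] = date.fromisoformat(row[date_field])
        row["amount"] = Decimal(row["amount"])  # Decimal avoids float rounding
        rows.append(row)
    return rows


def check_control_totals(rows, control):
    """Return the discrepancies between the loaded data and the source system."""
    problems = []
    if len(rows) != control["records"]:
        problems.append(f"record count {len(rows)} != {control['records']}")
    total = sum((r["amount"] for r in rows), Decimal("0"))
    if total != control["total"]:
        problems.append(f"grand total {total} != {control['total']}")
    return problems


def find_exceptions(purchase_orders, invoices):
    """Flag invoices dated before their purchase order, or with no purchase order."""
    po_by_id = {po["po_id"]: po for po in purchase_orders}
    exceptions = []
    for inv in invoices:
        po = po_by_id.get(inv["po_id"])
        if po is None:
            exceptions.append((inv["invoice_id"], "NO_MATCHING_PO", None))
        elif inv["invoice_date"] < po["po_date"]:
            days = (po["po_date"] - inv["invoice_date"]).days
            exceptions.append((inv["invoice_id"], "INVOICE_BEFORE_PO", days))
    # Largest gap first; invoices without a purchase order sort to the end.
    return sorted(exceptions, key=lambda e: (e[2] is None, -(e[2] or 0)))


def run():
    """Load both extracts, refuse to analyze an incomplete load, then query."""
    pos = load(PO_CSV, "po_date")
    invs = load(INVOICE_CSV, "invoice_date")
    problems = (check_control_totals(pos, PO_CONTROL)
                + check_control_totals(invs, INVOICE_CONTROL))
    if problems:
        raise ValueError("load incomplete: " + "; ".join(problems))
    return find_exceptions(pos, invs)


if __name__ == "__main__":
    for invoice_id, reason, days in run():
        print(invoice_id, reason, days)
```

Each flagged row is a prompt for the follow-up described in Step 4, since a vendor backdating an invoice and a purchase order raised after the fact produce the same date pattern.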

I turn briefly to the COSO Framework, which was updated in 2013 and became much more prescriptive with respect to the elements of an effective internal control program. There are five objectives under the COSO Framework and the fifth and final objective is monitoring activities. Monitoring activities are those that management should perform to ensure that the control environment, risk assessment, control activities, information and communication layers have been effected.

The only way that I know to make sure that the principles of effective internal controls have been followed is to do some monitoring. Oringel turned to one of his favorite subjects for an analogy, how his children are performing in school. He believes that he and his wife have set a robust “tone-at-the-top” around the importance of attendance, homework and strong academic performance and that they provide some direction for the children about what is important in terms of their results at school. There are some control activities that he can utilize in terms of reviewing their schedule, homework, how much time they spend studying versus playing video games, but the best technique to make sure they are getting the outcomes that they want for them academically is to do some monitoring and an evaluation of their performance.

A way to do that is to monitor their academic performance through an application used in his hometown called “PowerSchool.” It allows the parents and the students, together or separately, to log on and to answer the questions, “Was the homework assignment turned in?”; “What was the grade on the homework assignment?”; “Was the most recent grade better or worse than last time?” Oringel said, “We use PowerSchool as a data-driven monitoring tool to make sure that our kids are performing in school the way that we want them to.”

Tomorrow we begin to consider some case studies from projects Oringel and Visual Risk IQ have engaged in and how they demonstrate the use of data analysis in an anti-corruption compliance program.

——————————————————————————————————————————————————————————————————————————————————————————————————

Joe Oringel is a Managing Director at Visual Risk IQ, a risk advisory firm established in 2006 to help audit and compliance professionals see and understand their data. The firm has completed more than 100 successful data analytics and transaction monitoring engagements for clients across many industries, including Energy, Higher Education, Healthcare, and Financial Services, most often with a focus on compliance.
Joe has more than twenty-five years of experience in internal auditing, fraud detection, and forensics, including ten years of Big Four assurance and risk advisory services. His corporate roles included information security, compliance and internal auditing responsibilities in highly-regulated industries such as energy, pharmaceuticals, and financial services. He has a BS in Accounting from Louisiana State University, and an MBA from the Wharton School at the University of Pennsylvania.

Joe Oringel can be reached at joe.oringel@visualriskiq.com.


Winslow AZ

As I end my week’s exploration of the intersection of bribery and corruption in international sports, I have also ended a week of solid listening to The Eagles’ 1970s studio albums. In honor of Glenn Frey, I will also end this week with a final tribute to Frey and his work with this seminal band from the 70s. Today, it is a tribute to the first Eagles hit, Take It Easy. While Jackson Browne was the primary author of this song, Frey stepped in to finish it when Browne could not complete it. The Eagles also opened their first album, titled The Eagles, with this cut.

I cannot think of anyone born after about 1970 who does not instantly recognize the opening chords from Bernie Leadon’s lead guitar on this iconic song. If this song alone does not make you want to go to Winslow, Arizona, well, probably nothing will. In fact the song made the town so famous that the city of Winslow erected a life-size bronze statue and mural commemorating the song, at the Standin’ on the Corner Park. The statue stands near a lamp post, the male figure securing an acoustic guitar between his right hand and the shoe of his right foot. Above his head, a metal sign, crafted in the style of US Route shields, displays the words “Standin’ on the corner”.

As I have noted this week, the world of sports continues to provide ample lessons to be learned for the Chief Compliance Officer (CCO) or compliance practitioner. Although we no longer have the sad sack Astros to kick around, there are many other candidates out there you can draw inspiration from for your compliance regime. For today, I want to recap some of these lessons.

Perhaps the clearest sign from the scandals reviewed this week and the ongoing Fédération Internationale de Football Association (FIFA) scandal is the role of regulators such as the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) in leading the international fight against bribery and corruption. Only the US had the wherewithal to bring the charges against FIFA. While the Swiss have tagged along, they certainly did not take anything like the lead in this matter. Further, the allegations of FIFA’s bribery were publicized in Britain as long ago as 2010 and the Serious Fraud Office (SFO) never brought charges against FIFA or its cronies.

The bottom line is that only the US government has the ability and, more importantly, the will to engage in such a worldwide investigation and coordinate the actions of numerous countries in providing assistance. Do you think the Swiss police would have been so involved if it was not for the US government lead in this investigation? From President Obama on down, the US government has made clear that it will lead the international fight against bribery and corruption. The FIFA indictments are yet one more indication that they will continue to do so.

From the International Association of Athletics Federations (IAAF) scandal there are certain aspects similar to FIFA but made even more invidious. Not only was there a long-entrenched, self-serving and self-congratulatory cabal running the organization, but they even outdid FIFA by allegedly extorting money from athletes whom they suspected of using performance enhancing drugs to suppress positive drug tests. These officials were allowed to not only run rampant but also engage in essentially self-government of themselves. Kind of like having the foxes guard the henhouse.

I think the lesson is the checks and balances required in any best practices compliance program that form the basis of compliance. While some of these checks and balances are in the form of multiple internal levels of oversight, such as a Compliance Committee, which might be made up of senior managers from various disciplines, another level is brought about by internal controls and the concept of the segregation of duties (SODs). No one person should be allowed to have so much discretionary power that they can approve vendors, approve contracts, and then approve invoices for payments on those same vendors and contracts they have previously approved.

In the corporate world this is fairly standard in the US but there continue to be Foreign Corrupt Practices Act (FCPA) enforcement actions, emanating from outside the US, where a Country or Regional Manager can make such multiple approvals. This is not only a recipe for disaster financially but also makes it much easier to create a pot of money to pay a bribe. Internal controls also work towards having continuous oversight; if a technology solution is used, it can facilitate both the prevent and detect prongs of a best practices compliance program.
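A segregation-of-duties check covering both the detect and prevent prongs described above, as an added example that is not part of the original post. The approval log, approver names, vendor names and step names are constructed for illustration.

```python
from collections import defaultdict

# Constructed approval log (not real data); layout and step names are assumptions.
# Each entry is (approver, step, vendor).
APPROVALS = [
    ("r.alvarez", "vendor_onboarding", "Northgate Agents"),
    ("r.alvarez", "contract", "Northgate Agents"),
    ("r.alvarez", "invoice_payment", "Northgate Agents"),
    ("m.chen", "vendor_onboarding", "Harbor Freight Co"),
    ("s.okafor", "contract", "Harbor Freight Co"),
    ("m.chen", "invoice_payment", "Harbor Freight Co"),
    ("j.patel", "vendor_onboarding", "Summit Travel"),
    ("k.ivanov", "contract", "Summit Travel"),
    ("l.moreau", "invoice_payment", "Summit Travel"),
]

# The three approvals the post says one person should never hold together.
CHAIN = {"vendor_onboarding", "contract", "invoice_payment"}


def sod_findings(approvals, chain=CHAIN):
    """Detect prong: list approvers who hold two or more steps for one vendor."""
    steps = defaultdict(set)
    for approver, step, vendor in approvals:
        if step in chain:
            steps[(vendor, approver)].add(step)
    findings = []
    for (vendor, approver), held in steps.items():
        if len(held) >= 2:
            severity = "FULL_CHAIN" if held == set(chain) else "PARTIAL"
            findings.append((vendor, approver, severity, sorted(held)))
    return sorted(findings)


def may_approve(approvals, approver, step, vendor, chain=CHAIN):
    """Prevent prong: refuse an approval if this person already approved
    a different step in the chain for the same vendor."""
    prior = {s for a, s, v in approvals
             if a == approver and v == vendor and s in chain}
    return not (prior - {step})


if __name__ == "__main__":
    for finding in sod_findings(APPROVALS):
        print(finding)
    print(may_approve(APPROVALS, "k.ivanov", "invoice_payment", "Summit Travel"))
```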

The lesson for the US company which does not have a compliance program in place is that the basic forms of corporate governance are not only mandatory for a compliance and ethics regime but they are also the basics for any minimums of corporate governance in the 21st century. The level of any fraud, including bribery and corruption under the FCPA, can be low, yet the attendant costs can be far in excess of any fine or penalty. For FIFA and the IAAF, their cost will be played out in the international press and court of world public opinion for some time to come. For the former heads and senior members of those organizations, the cost may well be more pedestrian, with jail terms for felony criminal violations.

Finally, from the allegations around offers of bribes to throw matches in professional tennis is the clear lesson that employees who are offered bribes need to have an avenue to be able to report such conduct. For the CCO, it is important that employees have confidence and trust in the organization so they are willing to make such reports. To stop the scourge of bribery and corruption in any international sports group, the management must take the lead in communicating that such actions will not be tolerated and that anything less would result in expulsion and banishment. That is similar to any top management that must clearly set the expectation that it is more important for employees to follow the law than to make their quarterly numbers. For if management does not do so and communicates that making your quarterly numbers is more important, employees will find a way to make their quarterly numbers.

Moreover, it is important that any company knows if a vendor, sales agent or any other party has offered or demanded a bribe to do business. Even if your employees toss them out of the office on their collective ear, it is incumbent that you be made aware of the demand/offer so you can bring it to the attention of the counter-party and take appropriate remedial action. Indeed, in many industries the number of agents or other representatives is small enough that they can be known. If there is a collective refusal to do business with such corrupt third parties, it can be a powerful driver of business behavior.

So I end this week with a fond farewell to Glenn Frey and I hope you are taking it easy about now.
