318 episodes


31 Days to a More Effective Compliance Program Thomas Fox

    • Business
    • 5.0 • 1 Rating


    Day 31 - Using a root cause analysis for remediation


    The 2020 Update re-emphasized the need both to perform a root cause analysis and, equally importantly, to use it to remediate your compliance program. It stated, “a hallmark of a compliance program that is working effectively in practice is the extent to which a company is able to conduct a thoughtful root cause analysis of misconduct and timely and appropriately remediate to address the root causes.”
    It went on to ask what additional steps the company has taken “that demonstrate recognition of the seriousness of the misconduct, acceptance of responsibility for it, and the implementation of measures to reduce the risk of repetition of such misconduct, including measures to identify future risk.”
    The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization. Identify current and future needs for organizational improvement. Your solution should be a repeatable, step-by-step process, in which one process can confirm the results of another. Focusing on the corrective measures of root causes is more effective than simply treating the symptoms of a problem or event, and you will have a much more robust solution in place. This is because the solution(s) are more effective when accomplished through a systematic process with conclusions backed up by evidence.
    When you step back and consider what the DOJ was trying to accomplish with its 2020 Update, it becomes clear what the DOJ expects from the compliance professional. Consider the structure of your compliance program and how it inter-relates to your company’s risk profile. When you have a compliance failure, use the root cause analysis to think about how each of the structural elements of your compliance program could impact how you manage and deal with that risk.
    Three key takeaways:

    The key is objectivity and independence.

    The critical element is how did you use the information you developed in the root cause analysis?

    The key is that after you have identified the causes of problems, consider the solutions that can be implemented by developing a logical approach, using data that already exists in the organization.



    • 10 min
    What Is a Root Cause Analysis?


    One of the biggest changes in the 2020 FCPA Resource Guide is the addition of a new Hallmark, entitled “Investigation, Analysis, and Remediation of Misconduct”, which reads in full:
    The truest measure of an effective compliance program is how it responds to misconduct. Accordingly, for a compliance program to be truly effective, it should have a well-functioning and appropriately funded mechanism for the timely and thorough investigations of any allegations or suspicions of misconduct by the company, its employees, or agents. An effective investigations structure will also have an established means of documenting the company’s response, including any disciplinary or remediation measures taken.
    In addition to having a mechanism for responding to the specific incident of misconduct, the company’s program should also integrate lessons learned from any misconduct into the company’s policies, training, and controls. To do so, a company will need to analyze the root causes of the misconduct to timely and appropriately remediate those causes to prevent future compliance breaches. 
    Ultimately, performing a root cause analysis is not simply a matter of sitting down and asking a multitude of questions. You need to have an operational understanding of how a business operates and how they have developed their customer base. Overlay the need to understand what makes an effective compliance program, with the skepticism an auditor should bring so that you do not simply accept an answer that is provided to you, as you might in an internal investigation. As Marks noted, “a root cause analysis is not something where you can just go ask the five whys. You need these trained professionals who really understand what they’re doing.”
    Three key takeaways:

    A root cause analysis is now required if you have a reportable compliance failure.

    There is no one process for performing a root cause analysis. You should select the one which works for you and follow it.

    To properly perform a root cause analysis, you need trained professionals who really understand what they’re doing.



    • 10 min
    Post-acquisition Integration Plan


    Your company has just made its largest acquisition ever and your CEO says they want you to have a compliance post-acquisition integration plan on their desk in one week. Where do you begin? A good place to start would be the 2020 FCPA Resource Guide language:
    Pre-acquisition due diligence, however, is normally only a portion of the compliance process for mergers and acquisitions. DOJ and SEC evaluate whether the acquiring company promptly incorporated the acquired company into all of its internal controls, including its compliance program. Companies should consider training new employees, reevaluating third parties under company standards, and, where appropriate, conducting audits on new business units.
    The bottom line is that you must train the newly acquired employees, reevaluate third parties under your company standards, and conduct compliance audits on new business units. This process should be based on your pre-acquisition due diligence and risk assessment. Moreover, the DOJ and SEC clearly view both the pre- and post-acquisition phases of M&A as tied together in a unidimensional continuum. If pre-acquisition due diligence is not possible, you should review the requirements and time frames laid out in Opinion Release 08-02 or the 2020 FCPA Resource Guide, which noted, “pursuant to which companies can nevertheless be rewarded if they choose to conduct thorough post-acquisition FCPA due diligence.” Whatever compendium of steps you utilize for post-acquisition integration, they should be taken as soon as is practicable.
    The earlier you can deploy these steps the better off your company will be at the end of the day. An acquisition that fails for compliance reasons is a preventable disaster of the first order. One need only consider the Latin Node Inc. FCPA enforcement actions where the acquiring company had to write off its entire investment because it had wholly failed to engage in appropriate pre-acquisition due diligence.
    Three key takeaways:

    Planning is critical in the post-acquisition phase.

    Build upon what you learned in pre-acquisition due diligence.

    You literally need to be ready to hit the ground running when a transaction closes.



    • 8 min
    Pre-acquisition Due Diligence in Mergers and Acquisitions


    A company that does not perform adequate due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue, with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability. While most compliance practitioners have been long aware of the requirement in the post-acquisition context, the 2012 FCPA Guidance focused many compliance practitioners on the need to engage in robust pre-acquisition due diligence.
    The 2020 Update made even more clear the need for a robust compliance presence in the pre-acquisition phase. It stated, “A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.”
    There are multiple red flags which could be raised in this process and which might well warrant further investigation. They include a target that has ineffective elements in its compliance program or frequent breaches of policies and procedures. Obviously, a target which is in financial difficulty would bear closer scrutiny. Structurally, if the company did not have a formal ethics and compliance committee at the senior management or Board of Directors’ level, this could present issues. From the CCO perspective, if the position did not have Board or CEO access or if there were not regular reports to the Board, it could present an issue for compliance. Conversely, if there were frequent requests to waive policies, management over-ride of compliance controls or no consistent consequence management for violations, it could present clear red flags for further investigation.
    Three key takeaways: 

    The results of your pre-acquisition due diligence will inform your post-acquisition integration and remediation going forward.

    Periodically review your M&A due diligence protocol.

    If red flags appear in pre-acquisition due diligence, they should be cleared.



    • 8 min
    Operationalizing Compliance Through Payroll


    One of the areas articulated in the 2020 Update was around payments and payroll. For both the compliance professional and the corporate payroll function, there is a significant role to play in the operationalization of a corporate compliance program. The 2020 Update was replete with references to payment and its critical nature to any best practices compliance program. This includes references to payments to foreign officials, payments to third parties and hiding bribes in payments to distributors. The 2020 Update begins with an admonition to stop wasting time on low hanging fruit when there are much higher risks in your business operations.
    The role of payroll in compliance is not often considered in operationalizing your compliance program, yet the monies to fund bribes must come from somewhere. Unfortunately, one of those places is payroll. Every CCO needs to sit down with his or her head of payroll, have them explain the role of payroll, then review the internal controls in place to see how they facilitate the goals of compliance. From that review, you can then determine how to use payroll to help operationalize your compliance program.
    The DOJ has now provided its clearest statement on how it expects a company to actually do compliance going forward. Long gone are the days where the DOJ simply considered the inputs of a written program as sufficient to protect companies from compliance violations. Yet the mandate to operationalize a corporate compliance program drives home the concept that compliance is a business process, which should be administered by the appropriate business unit with the requisite SME. When it comes to following the money, payroll is the most well-suited corporate discipline to provide this first level of oversight and controls. 
    Three key takeaways:

    Payroll can be a key prevent and detect control.

    The 2020 Update specified the tying of the corporate compliance function to the corporate payroll function.

    Offshore payments remain a key indicator for a red flag.



    • 8 min
    Compliance Function in an Organization


    The role of the compliance professional and the compliance function in a corporation has steadily grown in stature and prestige over the years. When it came to the corporate compliance function, the 2020 FCPA Resource Guide, under the Hallmarks of an Effective Compliance Program, simply noted the government would “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
    This Hallmark was significantly expanded in both the FCPA Corporate Enforcement Policy and the 2020 Update. In the FCPA Corporate Enforcement Policy, the DOJ listed the following as factors relating to a corporate compliance function that it would consider as indicia of an effective compliance and ethics program: 1) the resources the company has dedicated to compliance; 2) the quality and experience of the personnel involved in compliance, such that they can understand and identify the transactions and activities that pose a potential risk; 3) the authority and independence of the compliance function and the availability of compliance expertise to the board; 4) the compensation and promotion of the personnel involved in compliance, in view of their role, responsibilities, performance, and other appropriate factors; and 5) the reporting structure of any compliance personnel employed or contracted by the company.
    The 2020 Update and FCPA Corporate Enforcement Policy both demonstrate the continued evolution in the thinking of the DOJ around the corporate compliance function. Their articulated inquiries can only strengthen a corporate compliance function specifically and the compliance profession more generally. The more the DOJ talks about the independence of the compliance function, coupled with resources being made available and authority concomitant with the corporate compliance function, the more corporations will see it is directly in their interest to provide the resources, authority and gravitas to the compliance position in their organizations.
    Three key takeaways:

    How is compliance treated in the budget process?

    Has your compliance function had any decisions over-ridden by senior management?

    Beware outsourcing of compliance as any such contractor must have access to company documents and personnel.



    • 8 min
