March 8, 2011

Evaluating Your GRC Program’s Effectiveness

Last week I traveled to Houston to be a part of the SCCE’s 2011 Utilities, Energy Compliance & Ethics Conference. While there, I was fortunate to host a panel discussion with three great compliance professionals representing Schlumberger, ConocoPhillips and Chesapeake Energy for an audience of compliance professionals in the energy industry. During our presentation and following discussion, I was able to electronically survey the audience to learn where they stood on the questions we were discussing as a panel.

Four questions were asked. Each was designed to capture a general understanding from the utilities & energy audience’s perspective and was not intended to be statistically relevant. What we anonymously collected was a frank internal perspective on how they view their current GRC programs.

The multiple choice questions and results are as follows:

Where do you believe your company’s compliance program is in terms of maturity and effectiveness?

No one in the room believed that they had an “optimized” program and most considered their program “a work in progress.”

What drives your desire to assess your program’s overall effectiveness?

While the operational and regulatory risks represented the majority of thoughts in the room, it was great to see 22% of the audience acknowledge that a well-functioning GRC program is, simply, good for business.

What is the biggest hurdle you faced, or are facing, while developing your compliance program?

Tracking consistently with recent surveys I’ve read regarding GRC funding availability in 2011, the lack of “financial support” was not considered a significant hurdle. The “lack of resources” was presented as a combination of “people, process & technology” available to the compliance organization. When the survey results were shown, I asked if “organizational complexity” was a new problem and learned that keeping abreast of employee count, geographies served, number of business units and sub-contractors utilized has long been the most daunting task for this audience.

How are you currently managing your compliance matters?

No real surprises here. This information tracks with several of the recent surveys that state more than 50% of compliance professionals operate with off-the-shelf, or limited, tools to manage their compliance programs.

As the discussion continued, a number of people in the audience engaged with the panel around other GRC-related concerns. They included the transition of the Federal Energy Regulatory Commission (FERC) from regulatory agency to enforcement agency as well as the continued expansion (and conflicts) of global regulatory mandates. FERC concerns are not limited to energy and utility organizations, as most regulatory agencies have moved to an enforcement model. Both concerns underscore the need for a comprehensive compliance program that transcends traditional Enterprise Risk Management (ERM). Successful programs allow organizations to broadly collect and analyze data on their current state of affairs. I have been evangelizing transparency into operational risk events for the past five years because working from the actual risks you face versus the perceived risk you think you might face not only illustrates an effective risk and compliance program, it is simply good for business.

If you had been in the audience in Houston, how would you have responded to the survey about your organization’s compliance program effectiveness?

March 2, 2011

Recent Changes to the UK Bribery Act Parameters

Monday's Daily Telegraph in London disclosed that the Act will loosen its grip on corporate hospitality, be more understanding with facilitation payments – as long as the payments are not considered “serious” – and extend plausible deniability to companies who find themselves involved in questionable joint ventures.

We are still waiting to see how the Ministry of Justice and SFO will outline the adequate procedures, but they are heading in the right direction. These recent adjustments will enable multinational companies with UK interests to operate rationally without imminent fear of retribution.

February 22, 2011

The UK Bribery Act – Hurry Up and Wait

For most multinational organizations the UK Bribery Act has caused a great deal of concern. Not totally dissimilar from the Foreign Corrupt Practices Act, it does have some unique differences such as disallowing facilitation payments and much broader jurisdictional reach. Organizations have accelerated their preparations only to be kept waiting for the official guidelines to be issued by the UK Serious Fraud Office. On February 2, 2011, the Serious Fraud Office announced that the twice-delayed April 2011 effective date would now be sometime this “autumn.” This begs the question, why are we still waiting?

Do our colleagues across the pond really need help putting together the guidelines around defining bribery? Or establishing adequate procedures to mitigate bribery and corruption? Riddle me this…we are talking about a concept that is as old as Judas, and the US has been refining the Foreign Corrupt Practices Act (FCPA) for over thirty years! With an active FCPA “template” that has levied fines in the billions of dollars the past three years, developing the UK’s regulatory guidelines around bribery and corruption should not be this arduous. But do they really need the FCPA? The UK signed the anti-bribery convention – and has its language – in accordance with OECD more than 10 years ago. In my mind, there is no technical reason why the UK is having trouble developing a bribery policy.

But observers protest that is only half the problem – what about defining the guardrails for adequacy in mitigation and potential injunctive relief? No good template you say? Au contraire! The US Sentencing Guidelines – and specifically Chapter 8 of the guidelines – have been around since 1991 and were revised again last year. So what is the hold up?

I could be a bit of an ugly American here and suggest that the Brits are simply distracted from the task and more consumed with high tea, Manchester United’s march to the EPL Championship, or preparing diligently for the Chelsea Flower Show than getting the Act fully promulgated. But my jest aside, this problem is completely political.

The reality is the change in government after the recent election and aggressive lobbying from UK business have created this delay. I have the utmost respect for Vivian Robinson, the General Counsel for the SFO. Robinson is bright, engaged and dedicated to the task. He knows what to do, but he must gain consensus in the UK government before announcing the guidelines. I will be moderating a panel in London at the end of March where Robinson will be sharing his views. I sincerely look forward to learning from him and sharing with you after our meeting.

So let me turn the tables. What is keeping corporations who do business in England, Ireland and Scotland from taking appropriate steps to mitigate their impending risk? Multinational companies who contend with FCPA are already 95% compliant. Most do a good job of defining appropriate facilitation payments and controlling them. All indications are that the SFO will be logical with their view to these payments. But what is keeping the rest of these companies doing business in the region, especially the ones who comprise the “extended enterprise” of most multinationals, sitting on the sideline?

The writing on the wall is clear, but it seems that unfortunately we continue to confuse good business practice with regulatory requirement. Mitigation of bribery and corruption is good for business and good for the global economy. So, in my opinion, it is time to do what is right – even without a looming legal mandate.

Does anyone else share my opinion?

February 1, 2011

French Rules on Whistleblower Hotlines are Changing

As many of you operating globally know, the laws and regulations in differing countries can prove tricky to navigate. There have been changes recently in the way an organization can operate whistleblower hotlines in France that will be of interest to our multinational clients. In October 2010, the Commission nationale de l'informatique et des libertés (or CNIL), the French data privacy regulatory body, amended the “single authorization” method for whistleblower hotlines. The amendments included both a clarification and broadening of the scope of acceptable issues organizations can receive through the hotline and still be in compliance with the single authorization.

The October amendments removed the ability to capture issues of “vital interests [to] the company or moral or physical integrity of the employees.” However, the CNIL did broaden the scope of reportable issue types to include issues related to anti-competition practices, Sarbanes-Oxley and Japanese SOX. Accordingly, the CNIL clarified that the single authorization method will allow reporting on all of the following: finance/accounting, banking, fight against corruption, anti-competitive practices and compliance with Section 301(4) of the Sarbanes-Oxley Act and the Japanese Financial Instruments and Exchange Act.

An organization has six (6) months (beginning December 8, 2010) to modify its system to be in line with these new single authorization rules, or apply for formal consideration of its hotline through the CNIL. Operation of a whistleblower hotline outside the scope of the single authorization, or without formal approval from the CNIL on a broader scope, puts organizations at risk for criminal sanctions and hefty fines. These criminal sanctions and fines may be issued by the CNIL, and the French courts have the authority, in civil litigation, to multiply these sanctions up to 5 times.

For more information, please see the following from the IAPP (requires membership in IAPP to access). Or this article from the Global Regulatory Enforcement Law Blog.

November 9, 2010

Dodd-Frank Section 922

The governance, risk and compliance (GRC) industry has worked hard over the past six years to help corporate America implement effective ethics and compliance programs. GRC procedures have become part of the viable business processes that drive decision making at the highest level of most public corporations.

In response to the most recent financial meltdown, the US Government introduced the Dodd-Frank Act. The critical task for the Dodd-Frank Act is to address the increasing propensity of the financial sector to put the entire system at risk to eventually be bailed out at taxpayer expense. In doing so, it attempts to: identify and regulate systemic risk, propose an end to too-big-to-fail, expand the responsibility and authority of the Federal Reserve, restrict discretionary regulatory interventions, reinstate a limited form of Glass-Steagall (the Volcker Rule) and regulate the transparency of derivatives. As part of the identification and regulation of systemic risk, the Act's Section 922 attempts to protect, encourage and incent whistleblowers to come forward, a tactic that could have decreased the risk of the impending meltdown had whistleblower claims been adequately explored in the years previous.

Dodd-Frank section 922 mandates the establishment of a government-sponsored program to pay awards of up to 30 percent to eligible whistleblowers who voluntarily provide original information about potential securities law violations that lead to sanctions of $1 million or more. While solidifying the value of corporate whistleblowers is certainly important, the requirement potentially undermines the value of internal ethics & compliance departments. This process will create profitable association with the voicing of ethical violations and therefore competition for this vital information. The question then becomes, “How is an internal department expected to keep pace with the promise of millions of dollars in reward money from the SEC?”

As a tax payer, investor, business leader and responsible corporate citizen, I fully appreciate the need for the regulatory environment to evolve in order to protect the stakeholders. Financial fraud has run amok and no one wants a continuation of the current economic turmoil due to deceit performed by the few, but impacting the many. Whistleblower provisions should help protect those bringing misconduct or neglect to light, but provisions under Section 922 tacitly bypass companies who are working diligently to preserve open channels to report wrongdoing internally and create competition to externally report without the careful exploration and care that would be provided by the company itself.

If this appears to be a plea to decrease the avenues open to whistleblowers, consider this: all public entities are under consent decree to report any allegations of wrongdoing, so the corporation is legally bound to be the first reporter of accusations of ethics & compliance violations to the Federal Government already. However, accusations made by whistleblowers under Section 922 are public record, meaning that every complaint lodged with the SEC is publicly available when it’s filed, whether valid or not.

Not only does Dodd-Frank create a competition between the internal compliance department and the whistleblowers to be the "original" reporter of the violation to the SEC (another existing regulatory requirement), but this information also allows Wall Street to react to reported violations without the benefit of due process. Historically the number of whistleblowing complaints that are maliciously filed has been very low. Internal ethics and compliance departments investigate all allegations, and report wrongdoing when it moves beyond the allegation phase to a valid complaint. Hard-working compliance and legal officers diligently protect their companies and officers by keeping such reports from achieving their intended harm.

Remember, under Dodd-Frank whistleblowers are under no obligation to report to the ethics and compliance departments before taking their complaints to the SEC. Wall Street has never reacted well to good governance. Good governance requires transparency and Wall Street tends to react to the false perception of risk created by allegations - regardless of proven conduct. It remains to be seen how the SEC will answer these questions and concerns; they are currently taking comment on the whistleblower provisions and a final decision is expected in April 2011. In the meantime, we continue advising clients on the most robust programs to increase trust and dialogues internally.

September 3, 2010

Vehicles and Venues

Today, we are beginning a newsletter at EthicsPoint – send us your email to be added here – in which we hope to keep clients better informed of informational and educational opportunities along with company and industry news; this post is meant as a kind of introduction. Likely the best way to do so is outlining the elemental shift in EthicsPoint’s strategy that’s occurred over the past year. While we have historically offered a hotline and case management solution, fundamentally we’ve always felt we were an awareness company – helping customers gain insight into the risks facing their operations through the effective collection, management and analysis of reported issues. As customer needs from a GRC perspective have changed, we’re changing with them – by providing solutions to specific business problems, such as complying with anti-fraud legislation like the Foreign Corrupt Practices and UK Bribery Acts, mitigating the risk posed by third parties within supply chains, gaining deeper insight into the actual vs. perceived risks throughout your operations, etc.

To that end, we successfully made two acquisitions earlier this year and are close to assimilating both software solutions into our core framework. These acquisitions mark the expansion of our services, providing customers with more robust analytical, tracking and reporting tools, the first of which will be showcased at SCCE’s 2010 Compliance & Ethics Institute in Chicago on Sept 12-15. We’ll be in booth #200; we’d enjoy seeing you stop by for a demonstration!

From the outside it may be hard to perceive the changes we’re continually making at EthicsPoint, but we aim to constantly improve for both our customers and the industry. As always, we welcome your feedback so please feel free to contact me with comments and/or suggestions.

May 28, 2010

Three Things I Know

There aren’t too many weeks in the year that I’m not out speaking somewhere on the importance of integrity in the workplace or sharing benchmark and other statistical data on the risks faced by organizations around the world. These past two weeks were no exception. On May 17th, I traveled to London to attend the Society of Corporate Compliance and Ethics’ (SCCE) conference on “Managing Third Party Anti-Corruption, Compliance and Ethics Risk.” And this past Monday, EthicsPoint hosted a breakfast on the recently passed UK Bribery Act in which we were extremely fortunate to have Vivian Robinson of England’s Serious Fraud Office and Neill Blundell, a partner with Eversheds, as additional speakers. The event had an incredible turnout of over 100 senior executives from the London area.

Lately, I have been beginning my speaking engagements with the “three things I know.” The first thing I know is that the level of regulations and regulatory pressure on organizations around the world is constantly increasing. The second is that this constant influx of new rules, laws and guidelines makes it very difficult for a multinational firm because many of these requirements are in conflict. For example, Sarbanes-Oxley requires any company listed on a US stock exchange to have an anonymous whistleblowing mechanism for reporting misconduct. However, these types of systems are illegal in Spain and Portugal – this is just one example and unfortunately there are many, many more. The third thing I know is that every regulatory agency has shifted its focus from writing these guidelines to enforcing them with a vengeance – the monetary fines associated with regulatory non-compliance are often upwards of hundreds of millions and can even include jail time for culpable individuals.

This April, the United Kingdom passed the Bribery Act. While similar to the Foreign Corrupt Practices Act (FCPA) in the United States, its jurisdictional reach differs, and facilitation payments (legal under the FCPA) are considered bribery under the Bribery Act. This presents a significant conflict between these two Acts.

While addressing the audience in London, I couldn’t help but think it was 2002 all over again, when we were just learning about the potential impact of SOX and the mountain of undefined work ahead of us. Based on the very broad jurisdictional reach of the Bribery Act, a UK company, as well as any non-UK company that conducts business in the country will fall under the scrutiny of the Serious Fraud Office – this provision certainly provides for a great deal of anxiety for obvious reasons.

I had the opportunity to have lunch with Neill following the session and he told me that his multinational clients, especially those from the US, had no real fear of the Bribery Act. This lack of alarm may stem from the fact that companies have become desensitized by the onslaught of regulatory pressures and view the Bribery Act as just one more requirement. On the other hand, the Brits, who have never seen such enforcement, do indeed harbor serious fear, uncertainty and doubt (FUD). The FUD surrounding Sarbanes generated three years of “full employment and empowerment for all US legal and accounting firms” – no doubt it will have a similar effect in the UK.

In 2004, I had the privilege to work with some very bright and dedicated people while helping to craft the original Open Compliance and Ethics Group (OCEG) Red Book guidelines for Sarbanes compliance; I therefore feel I have a solid understanding of what needs to occur in the UK. I have tried to boil it down and I am in the process of completing a white paper on the “Ten Simple Steps to UK Bribery Act Compliance.”

These 10 simplified steps are as follows:

1. Assign an individual the authority and responsibility to understand and address the requirements of the Bribery Act and if/how they apply to your organization

2. Assess and prioritize your risks

a. Look for potential impact areas and stakeholders
b. Devise your organization’s “risk profile” and understand how to apply your organization’s unique sensitivities to risk

3. Create, gain approval and communicate your strategy for reacting to these risks

4. Review, revise or create a Code of Conduct that includes all salient requirements of the risk and regulatory requirements your organization faces

a. Build a separate code specifically for vendors, suppliers and agents
b. Don’t overlook the impact of reputational risk when crafting a Code of Conduct

5. Review, revise and train to the policies, procedures and guidelines that support the principles contained in your Code of Conduct

6. Ensure you have a proven and effective means for gaining stakeholder feedback

a. Track “open door policy” communication
b. Create an “alert criteria” for exit interviews
c. Have a publicized and visible “whistleblowing” system

7. Workflow Consistency is the key to the Serious Fraud Office’s satisfaction with your solution

a. Triage all reports according to the same check list
b. Investigate reports of misconduct following a standard workflow
c. Ensure resolution and adjudication is consistent across your geographies
d. Have a system to audit and monitor all the above

8. Create or extend your internal controls to ensure compliance with policies, procedures and guidelines that support the Act

9. Report regularly on the status and impact of your compliance solution

a. Develop incident and trending reports
b. Foster Board of Director access and awareness
c. Publish sanitized reports of misconduct as training aids to your stakeholders

10. Review all of these processes at least once a year and refine any and all that can be improved or enhanced

These steps are merely the product of my experience and are an extrapolation of the Seven Essential Elements found in Chapter 8 of the US Federal Sentencing Guidelines and the OECD Guidelines for Multinational Enterprises. Since 1991, the US Sentencing Commission has worked to revise these guidelines and provide organizations an instruction manual to help mitigate the risk of prosecution. These guidelines were revised in 2003 and 2007 and are currently under review for revision once again in 2010. Our friends across the pond will do well to study these “essential elements” and learn from the mistakes we made formulating a strategy of compliance.

About Me

David Childers
of EthicsPoint


Favorite Quotes:

Ronald Reagan
There are no easy answers, but there are simple answers. We must have the courage to do what we know is morally right.

John Quincy Adams
If your actions inspire others to dream more, learn more, do more and become more, you are a leader.

We are what we repeatedly do. Excellence, therefore, is not an act but a habit.

Ray Kroc
The quality of a leader is reflected in the standards they set for themselves.

John Maxwell
The first step to leadership is servanthood.