Chapter 2


Raising the Bar: A Framework for Managing Risk

Timothy P. Hedley
Richard H. Girgenti

Managing Risk and Building a Values-Based Culture

As discussed in Chapter 1, with the bar raised, companies today face unprecedented challenges in managing risk in the new era of regulatory enforcement. To thrive, leading organizations must devote effort and resources to ensuring they have appropriate and effective programs and processes in place to build a framework for managing this risk effectively and to foster and support a culture of integrity. There are regulatory frameworks, discussed in this chapter, that offer general guidance from which organizations can select the specific practices that best support compliance in light of their unique culture and risk profile. When management designs compliance activities within these frameworks, it needs to put into motion a strategic and practical plan that is integrated and aligned with business strategy and operations. Management will then need to position the right resources, implement controls, and develop a strong corporate culture of ethics and integrity, not only to manage risk effectively, but also to foster a high-performing organization.

A culture of ethics and integrity is the intangible that is reflected in the choices and behaviors of an organization’s employees as they respond to the espoused values, goals, and priorities that management uses to define an entity’s success. Building the right culture is certainly, at a minimum, about helping, encouraging, and ensuring that members of an organization are committed to and embrace the organization’s code of conduct and obey the law and applicable regulations. However, it is this and much more. A corporate culture is the overall professional environment of a company that reflects its values, customs, and traditions. A culture of integrity is marked by specific values such as integrity, trust, and respect for the law; fostering an environment that places a premium on the organization’s unique purpose; and timely identification, assessment, and mitigation of emerging risks. The right corporate culture provides a basis for decision making in every aspect of a business’s activities and dealings and is a foundation for success. The specific programs and control elements that help create the framework for such a culture and that make up an effective compliance program are described in the following pages.

Three Lines of Defense

An effective compliance effort must be embraced by all parts of an organization and operates best in a framework that has strong governance, robust risk identification and mitigation processes, and a properly functioning and resourced compliance function. This governance, risk, and compliance (GRC) framework requires an infrastructure that supports accountabilities, practical oversight, and a compliant culture at all organizational levels. To accomplish the objectives of the GRC framework, leading organizations will most likely operate along three lines of defense that allocate responsibility across the organization for who will own and manage risk, which functions will oversee and provide guidance on how to mitigate the risk, and which will ensure its effectiveness by providing independent assurance that the program is functioning as intended.

The three lines of defense model clarifies the essential roles and duties of key parts of the organization, from the board of directors, to management and operations (first line of defense), to the compliance function (second line of defense), and the internal audit function (third line of defense). This organizational construct requires the first line of defense to identify key risks to the organization; put in place ongoing processes, systems, and programs against defined standards (regulations, guidelines, policies, and procedures); and create an environment that builds a culture of integrity. The second line of defense is responsible for driving the overall design and implementation of the organization’s compliance function, advising management and the board, and assessing the effectiveness of the organization’s control environment to ensure that the business is designing and implementing effective controls to mitigate risks. The third line of defense (internal audit) conducts audits in key risk areas to assess the effectiveness of key controls to mitigate risk.

Regulatory and Evaluative Frameworks

The challenge for leading organizations is to design the roles and responsibilities of the three lines of defense described above and have them hardwired into both the organization’s culture and its strategic planning process. Fortunately, there are a variety of non-prescriptive regulatory and evaluative frameworks that provide high-level guidance on key controls. Leading companies use these models in the context of designing, implementing, and evaluating an overall corporate compliance program and related risk management controls to prevent, detect, and respond to regulatory risk.

For example, the U.S. Federal Sentencing Guidelines for Organizational Defendants (FSG or the Guidelines) establish minimum compliance and ethics program requirements for organizations seeking to mitigate penalties for corporate crimes. First adopted in 1991 and amended in 2004 and 2010, the FSG make it explicit that organizations are expected to promote a culture of ethical conduct, tailor each compliance program element based on compliance risk, and periodically evaluate program effectiveness. Specifically, the FSG call upon organizations to:

  • Promote a culture that encourages ethical conduct and a commitment to compliance with the law
  • Establish standards and procedures to prevent and detect criminal conduct
  • Ensure that the board and senior executives are knowledgeable and exercise reasonable oversight over the compliance program
  • Assign a high-level individual within the organization to ensure that the organization has an effective compliance program and delegate day-to-day operational responsibility to individuals with adequate resources and authority and direct access to the board
  • Ensure that high-level individuals and those with substantial discretionary authority are knowledgeable about the program, exercise due diligence in performing their duties, and promote a culture that encourages ethical conduct and a commitment to compliance with the law
  • Use reasonable efforts and exercise due diligence to exclude from positions of substantial authority individuals who have engaged in illegal activities or other conduct inconsistent with an effective compliance program
  • Conduct effective training programs for directors, officers, employees, and other agents and provide such individuals with periodic information appropriate to their respective roles and responsibilities relative to the compliance program
  • Ensure that the compliance program is followed, including monitoring and auditing to detect criminal conduct
  • Publicize a system, which may include mechanisms for anonymity and confidentiality, under which the organization’s employees and agents may report or seek guidance regarding potential or actual misconduct without fear of retaliation
  • Evaluate periodically the effectiveness of the compliance program
  • Promote and enforce the compliance program consistently through incentives and disciplinary measures
  • Take reasonable steps to respond appropriately to misconduct, including making necessary modifications to the compliance program

Other regulatory and evaluative frameworks take many of the concepts contained in the Guidelines and refine them for their specific needs. For example, both the New York Stock Exchange and the National Association of Securities Dealers Automated Quotations adopted corporate governance rules for listed companies. While the specific rules for each exchange differ, each includes standards that require listed companies to adopt and disclose codes of conduct for directors, officers, and employees and disclose any code of conduct waivers for directors or executive officers. In addition, the rules of each exchange require listed companies to adopt mechanisms to enforce the codes of conduct.

Moreover, other frameworks aim to provide guidance on many of the same compliance program elements. For example, the Department of Justice (DOJ) has recently amended its guidelines related to the federal prosecution of business organizations in cases involving corporate wrongdoing. While the guidance states that a compliance program does not absolve a corporation from criminal liability, it does provide factors that prosecutors should consider in determining whether or not to charge an organization or only its employees and agents with a crime. These factors include evaluating whether:

  • The compliance program is merely a paper program or has been designed and implemented in an effective manner
  • Corporate management is enforcing the program or tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives
  • The corporation has provided for a staff sufficient to audit and evaluate the results of the corporation’s compliance efforts
  • The corporation’s employees are informed about the compliance program and are convinced of the corporation’s commitment to it

Select legislation also provides guidance in the context of organizational efforts to enhance the control environment—for example, the U.S. Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank or the Act), which affects all U.S. financial institutions, many non-U.S. financial institutions, and many nonfinancial companies, altering practices in banking, securities, derivatives, executive compensation, consumer protection, and corporate governance. Among others, Dodd-Frank establishes a bounty program for whistleblowers who raise concerns with the U.S. Securities and Exchange Commission (SEC). The SEC has adopted a final rule to implement the Act’s whistleblower award provisions, permitting individuals who provide the SEC with high-quality tips that lead to successful enforcement actions to receive a portion of the SEC’s monetary sanctions while attempting to discourage them from sidestepping their internal reporting systems.

The road map for this chapter is summarized graphically in the compliance transformation wheel shown in Figure 2.1. Each of the elements included in the wheel will be explored, starting with governance and culture and expanding through the three lines of defense. This will provide a clear understanding of how the regulatory and evaluative frameworks come together to help organizations meet the challenges of managing risk in a new era of enforcement.

Figure 2.1. The Compliance Function Framework

Governance

The regulatory and evaluative frameworks discussed above provide management with guidance on the building blocks of an effective program to prevent, detect, and respond to fraud, misconduct, and compliance violations. The actual responsibility for putting in place the critical building blocks is given to management, the first line of defense. However, the starting point for setting it all in motion is an organization’s governing authority—the board of directors.

Board of Directors

Board members have individual fiduciary obligations for the organizations they serve and are the primary stakeholders of the organization’s compliance risk management efforts. To sustain the organization’s culture for ethics and integrity, the board provides the oversight to ensure that management sets the core values and expectations for the organization and defines those behaviors that are consistent with the entity’s values and expectations. The board is responsible for helping to (1) set the organization’s risk appetite, (2) validate management’s risk strategy, (3) evaluate strategic risks, and (4) provide checks and balances on management’s decisions. The board’s role is vitally important because it helps secure organization-wide support for management’s compliance initiatives. In fact, enforcement and regulatory authorities often seek evidence of high-level support for organizational risk management, and direct involvement by the board can help fulfill this need. As Deputy Attorney General James Cole explains, the board “cannot simply go through the motions and hope that the company’s compliance program works. They must make clear to employees that compliance is important and mandatory.”1

As a practical matter, the board typically delegates principal oversight for risk management to a committee (e.g., the audit committee), which is then tasked with:2

  • Reviewing the organization’s compliance strategy and risk oversight processes, ensuring that risk management efforts are sufficiently resourced
  • Receiving reports and key performance indicators on the effectiveness of the program
  • Reviewing the organization’s risk profile and process for identifying emerging risks
  • Reviewing delegations of oversight responsibility
  • Reviewing technology-related risks
  • Periodically assessing whether or not the organization’s culture and incentive compensation structures are in line with the goals of the compliance program
  • Reviewing the organization’s emergency response plans
  • Discussing with the internal and external auditors their findings on the effectiveness of the organization’s risk management programs and controls
  • Establishing procedures for the receipt and treatment of questions or concerns regarding questionable accounting or auditing matters3

While the board provides general oversight for the organization’s compliance program and risk management activities, day-to-day management of such efforts is typically delegated to other individuals, for example to a chief compliance officer (CCO), who serves as part of the organization’s second line of defense. Through its oversight responsibility, the board is uniquely positioned to support the CCO, helping to safeguard the independent aspect of the CCO’s position and enhance its influence. The board can do so by providing the CCO with unfettered access to the board via a dotted-line reporting relationship, as well as requiring the board’s agreement to the hiring or firing of the CCO.

The CCO plays an important role in helping the board exercise its oversight responsibility by providing timely reports on the effectiveness of compliance-related activities. While the level of detail in such reports may vary, the board should typically receive regular updates on the activities of the compliance function in the form of key performance metrics, compliance audits, and risk assessment results and the outcome of efforts to evaluate the effectiveness of the organization’s compliance activities.

The Compliance Function

Designating a Chief Compliance Officer. As stated above, the compliance function is typically led by a chief compliance officer (CCO) who is a high-level individual within the organization. The CCO ensures program effectiveness and functions as the chief coordinator and facilitator for compliance. The CCO can be a full-time position or an added-task position for an existing high-level position. Depending upon the size of an organization, the CCO may be assisted by a deputy and is further guided by subject-matter experts who advise on matters related to program implementation. It is not uncommon for organizations to struggle when determining who would be an appropriate high-level individual that can lead compliance efforts.

Fundamentally, such an individual must be seen as a senior member of management, with unrestricted access to information necessary to pursue compliance goals (e.g., involvement in strategic planning that may include new acquisitions as well as internal audit or investigative findings). The CCO must also be in a position to advise other executives on ethical matters—illustrating the ethical dimensions of business decisions and helping drive integrity into business processes.4 But more than all such attributes, the thought process about whether or not the CCO is high-level enough should include an assessment of the CCO’s upward reporting relationships, as these can be crucial in determining whether the individual truly has the requisite authority to serve as head of a compliance function.

Optimally, a CCO would report directly to the highest levels of management (e.g., to the CEO or another member of the executive team such as the general counsel) and, as discussed above, would have unfettered access to, and a reporting relationship with, the board of directors. A CCO who has no such reporting relationships may not be deemed to have an appropriate level of authority and independence to bring about required organizational change. Nevertheless, the CCO’s reporting responsibilities often depend upon the organization’s industry norms and its litigious environment. For example, CCOs in financial services organizations may in fact report to a chief risk officer, while organizations that are subject to a corporate integrity agreement with the government may be required to have the CCO report directly to the board of directors rather than within the legal function.

Irrespective of reporting obligations, the CCO is responsible for working together with other compliance staff and designated subject matter experts from relevant functions (e.g., legal, human resources, internal audit) to coordinate the organization’s approach to preventing, detecting, and responding to compliance and integrity violations. When misconduct and integrity issues arise, the CCO should draw together the right resources to address the problem and make the necessary operational changes. The CCO, as head of the compliance function, is responsible for driving the overall design and implementation of the organization’s compliance function by:

  • Developing communications and training materials that explain to employees their compliance-related roles and responsibilities
  • Coordinating the organization’s risk assessment
  • Assisting in auditing and monitoring activities
  • Establishing internal reporting mechanisms for employees to seek advice or report potential issues
  • Responding appropriately to allegations of misconduct
  • Evaluating the effectiveness of controls to mitigate identified risk
  • Reporting to the chief executive officer (CEO), the board, and/or the audit committee on risk management activities

The experience and background necessary for the position of CCO vary across industries, and there is no universally agreed-upon background that such an individual should have. While legal and human resources are perhaps the most common backgrounds for a CCO, the CCO may also come from internal audit or operations. While some organizations hire their CCO from outside the organization (with the advantage of freeing the individual from possible cultural baggage accumulated after many years with the same organization), other organizations often prefer to add this task to a high-level insider. In any case, the real test of the CCO’s effectiveness is the ability to function effectively within the organization’s culture and in the context of the regulatory framework(s) for the industry and jurisdiction(s) in which the organization operates.

Note that when the CCO’s compliance responsibilities are an added task, rather than a full-time appointment, or in a larger organization, the board may appoint a full-time subordinate to oversee the day-to-day operational administration of the program. Generally, such a deputy compliance officer (DCO) is thought of as a full-fledged stand-in for the CCO in day-to-day matters. In those organizations where the DCO has day-to-day operational responsibility for the program, it is important for him or her to be the one providing the board with data on the implementation and effectiveness of the program. This is because the Guidelines offer an increased potential for a company to receive credit for its compliance program (even when high-level personnel were involved in misconduct) if the individual who is tasked with day-to-day operational responsibility for the program has direct reporting obligations to the governing authority (e.g., board or audit committee).5

The commentary to the Guidelines characterizes such a direct reporting obligation as the express authority to communicate personally with the governing authority promptly on any matter involving criminal conduct or potential criminal conduct and no less than annually on the implementation and effectiveness of the program. So, the specific language does not clarify whether the individual with operational responsibility “must” or merely “may” report to the governing authority. But organizations that seek to enhance the potential credibility of their program should consider requiring that the individual with operational responsibility for the program (e.g., the DCO who is a stand-in for the CCO) have at least one annual, mandatory, documented report on program effectiveness presented in person to the board or audit committee.

Evaluating the Compliance Program. It is also the responsibility of the compliance function to evaluate the organization’s risk mitigation efforts and provide the board and management with key performance metrics on the effectiveness of risk management activities. While many of these metrics are quantitative and one-dimensional (e.g., number of calls to a hotline) or multidimensional (e.g., number of identified hotline calls versus anonymous calls), organizations should also seek to collect and benchmark qualitative metrics. These may be difficult to gather, but they can provide important effectiveness criteria.

Qualitative performance metrics are best gleaned by conducting employee interviews, focus groups, and workshops, as well as fielding an employee perception survey. A survey can help the organization evaluate subjective data points such as employees’ comfort level in using available advice and reporting mechanisms; propensity to use one mechanism over another; perception of the ethical tone-at-the-top from senior leaders, local managers, and supervisors, etc. A third category of metrics that can be provided to compliance stakeholders is often referred to as forward-looking metrics (Figure 2.2), which can alert the organization to future risks.

Figure 2.2. Sample of Forward-Looking Metrics

The Corporate Compliance Committee. In order to ensure the smooth operation of the compliance program and related risk management activities, an organization’s board and executive management often form a corporate compliance committee, which is chaired by a senior-level member of management (often the CCO). The committee’s membership should reflect a mix of functions with an eye toward helping ensure that key skill sets support the CCO’s efforts (e.g., legal, audit, human resources). Operational leaders are included as members to help ensure that compliance is informed by a real-world perspective of the organization’s operations and to facilitate integration of compliance into those activities. The corporate compliance committee has among its goals the following responsibilities:

  • Establishing policies, procedures, and standards of acceptable business practice
  • Overseeing the design and implementation of compliance program controls
  • Coordinating the organization’s risk assessment efforts
  • Reporting to the board and/or the audit committee on the results of risk management activities

While the frequency of the committee’s meetings depends upon a variety of factors, it is often the case that such a committee meets at least quarterly, and more frequently during the design and implementation of compliance program initiatives.

Designing and Implementing the Compliance Function. As mentioned earlier, management serves as the first line of defense with responsibility for implementing organizational controls. The second line of defense rests with the compliance function, which is tasked with assisting in the design and implementation of risk management controls helping to ensure employee compliance with applicable laws, regulations, and the organization’s own standards, policies, procedures, and practices.

As executives design and implement the organization’s compliance function and program, they often struggle with how to do so and achieve maximum effectiveness. For example, should the compliance function be managed centrally out of corporate headquarters, or should it be driven geographically in organizations that have dispersed operations? Is there a hybrid option that may make sense for some organizations? The reality is that an effective compliance function structure depends upon the organization’s risk profile, culture, operations, and resources. For example, an organization with relatively homogenous operations that are spread across a contiguous geography may choose a centralized approach to compliance and risk management efforts. By contrast, organizations that operate across multiple geographies may choose a decentralized model. In other organizations, a hybrid model might work best.

Moreover, because compliance initiatives should reach all employees, organizations that are geographically dispersed or have business units and functional areas of different sizes and uneven levels of maturity often find it effective to design a compliance function infrastructure that includes not only staffing at the headquarters level but also compliance coordinators (also called “liaisons” or “ambassadors”) at various key locations. By designating field compliance personnel with substantive responsibilities, the organization can extend the influence of its compliance initiatives.

Although compliance may not be a full-time role for field-based compliance personnel, they should be empowered to draw on the authority and resources of the CCO and act as the CCO’s representative. Moreover, as part of this wide network of compliance personnel, organizations may also find it useful to designate subject matter experts to provide support in specific (and often complex) compliance areas. For instance, if a local manager has expertise in export compliance, he or she may be designated as a point-person to whom others may go when in need of help.

Business Unit, Functional, and Operational Compliance. Because effective risk governance at all levels of the organization is critical to the success of risk management efforts, senior management must actively embrace and promote the program and ensure that it is adopted throughout the enterprise. Senior executives help sustain the organization’s culture for ethics and integrity by setting the ethical “tone-at-the-top” of the organization, helping to promote a common view of risk at the operational level by influencing the organization’s risk culture, which in turn determines how the entity identifies and mitigates key compliance risks.

Tone at the top begins at the very top with the organization’s CEO, who is ideally positioned to influence employee actions through executive leadership, specifically by providing a personal example for the ethical tone of the organization and playing a crucial role in fostering a culture of high ethics and integrity. As Procter & Gamble’s CEO Bob McDonald explains, “Tone-from-the top is really critical . . . and it starts with me as the CEO. . . . I hold myself accountable; I hold my leadership team accountable; I hold the leaders of the business accountable.”6

Moreover, functional senior leaders such as department heads (e.g., product development, marketing, regulatory affairs, human resources) also have important responsibilities in providing tone-at-the-top and implementing the organization’s risk management strategy. Such individuals are expected to oversee areas of daily operations in which risks arise and serve as subject matter experts to assist the CCO in their particular areas of expertise or responsibility.

Equally as important, but often overlooked with respect to compliance program implementation, are the organization’s middle managers, and especially those who have discretionary authority for compliance activities. Middle managers provide the organization with what has been coined as the “tone-in-the-middle,” enforcing the organization’s core values, expectations, and standards of conduct; managing workplace behaviors; and taking a role in risk management activities. In fact, management at this level is often where employees will turn to when they are seeking help related to an integrity issue or when they want to report misconduct.

Middle managers are also important contributors to compliance efforts because they help distribute and manage organizational resources, require their direct reports to communicate regularly with their employees on matters related to the organization’s compliance program, and hold employees accountable for compliance violations. Further, lower-level operational managers have a special responsibility for identifying and assessing key risks, designing and implementing risk management controls, and taking actions to mitigate risks. In doing so, operational managers monitor (1) processes, systems, products, and services to help ensure that they remain in compliance; and (2) entity and process level controls to help ensure that they are operating effectively through systems testing, management review and approval, self-inspections, etc.

The Internal Audit Function

Working alongside the organization’s second line of defense is the third line of defense—internal audit, typically reporting to senior management and independently to a committee of the board. Traditionally, internal audit has served as management’s and the board’s proxy for evaluating the organization’s internal controls—those policies and procedures established to provide reasonable assurance that organizational goals will be achieved. While the historical focus of such efforts has been the organization’s ability to report financial data, the role has expanded to performing operational and efficiency reviews and audits of compliance with applicable laws and regulations, as well as communicating the results of such evaluations to senior management and the board. Generally, internal audit’s compliance-related duties include, among others:

  • Assisting in planning and conducting risk-based evaluations of the design and operating effectiveness of compliance programs and controls
  • Assisting in conducting internal investigations into allegations of misconduct
  • Assisting in the organization’s compliance risk assessment and helping draw conclusions as to appropriate mitigation strategies
  • Considering the results of the risk assessment when developing the annual internal audit plan
  • Reporting to management and the audit committee on internal control assessments, audits, investigations, and related activities

The CCO and director of internal audit should work together to ensure that all employees responsible for conducting audits (including departmental self-audits) have the necessary knowledge and experience to adequately perform an assigned compliance audit. Since internal audit is a key, albeit independent, participant in risk management activities, supporting management’s approach to compliance, auditors must understand the organization and have sufficient training and experience to evaluate competently key compliance-related risks and controls.

Often, the entity’s own managers can become capable auditors, as they are closely familiar with operations (e.g., technical requirements such as the operating procedures for a particular process), the controls in place to prevent and detect errors, and the laws and regulations that apply to the process at hand. Those managers also typically have good knowledge of how management interacts with employees in the area in question, as well as any irregularities that may exist.

Compliance Program Controls

Effective business-driven compliance risk management controls are designed, implemented, and evaluated with three objectives in mind:

  • Prevention: controls designed to reduce the risk of misconduct and compliance violations
  • Detection: controls designed to discover misconduct and compliance violations when they occur
  • Response: controls designed to take corrective action and remedy the harm caused by the misconduct or compliance failure

Preventative Controls

These controls are designed to reduce the risk of misconduct from occurring in the first place. Here, we cover some of the most important preventative controls.

Compliance Risk Assessment

Just as it conducts a conventional operational risk assessment, the organization should have its compliance function conduct a compliance risk assessment to help the board and senior executives understand the legal and regulatory risks that are unique to the organization, identify gaps or weaknesses in controls, and develop a practical plan for targeting the right resources and controls to mitigate such risks. Management is often challenged by how a compliance risk assessment should be conducted. All too often, risk assessments are undertaken in an ad hoc manner, using stale risk-assessment data as a starting point. Figure 2.3 below provides typical process steps for conducting a risk assessment.


Figure 2.3. Risk Assessment Process Steps

For the risk assessment to be effective, it is imperative for management to view the assessment process as a regular, ground-up, adaptive exercise that has mileposts and deliverables due each business quarter and that uses fresh input data throughout. The ongoing nature of risk assessments, refreshed periodically (e.g., as new regulations arise, enforcement actions are taken, or there is an understanding of changes in leading practices), is essential to the effectiveness of the process. Moreover, such a risk assessment should be forward-looking in character, taking into consideration the future risks of the enterprise (and not merely present-day risks).

In doing so, management should take into consideration forward-looking key performance indicators (KPIs) that can alert the organization as to future risks. While members of management are typically responsible for performing the risk assessment and considering its results in evaluating control effectiveness, the audit committee, and often the compliance function, typically have an oversight role in this process. The audit committee and the compliance function are responsible for reviewing management’s risk assessment and ensuring that it remains an ongoing effort across the entire organization.

Global organizations often conduct the compliance risk assessment on a global scale and, in doing so, find themselves challenged to ensure the quality and consistency of assessments conducted overseas. For example, some international locations may suffer from a lack of risk assessment methodologies, as well as a lack of trained and experienced resources to competently evaluate organizational risks. Companies can mitigate such challenges by enlisting and training appropriate local country resources and providing them with a consistent risk assessment methodology. Additional challenges in conducting a compliance risk assessment are discussed in Figure 2.4.


Figure 2.4. Risk Assessment Challenges and Solutions

Codes of Conduct and Risk-Specific Policies and Procedures

An organization’s code of conduct is one of the most important communication vehicles that management can use to educate employees about the key standards that define acceptable business conduct. In the words of Leslie R. Caldwell, assistant attorney general for the Criminal Division, “[a] company should have a clearly articulated and visible corporate compliance policy memorialized in a written compliance code . . . [and] employees need to know what to do—or not do—when faced with a tough judgment call involving business ethics.”7

A well-written and communicated code is typically developed by an organization’s compliance and legal functions, in consultation with and with the approval of management. Beyond restating company policies, such a document should set the tone for the organization’s culture of strict adherence to the code, raising awareness of management’s commitment to integrity and informing employees of the resources available to them to help achieve management’s compliance goals.8

The organization should also have detailed and risk-based internal policies and operating procedures for each key business process and function. These detailed policies and procedures are typically designed and implemented by management and may or may not incorporate compliance with specific laws and regulations. It is important that the organization regularly revise such policies and procedures to ensure that they are audited, incorporate compliance, reflect current regulations, and are implemented by employees.

Codes historically were distributed in a paper-based format; today organizations typically provide their employees with simple URL links to downloadable electronic copies of the code, which reside in an easy-to-update format on the organization’s intranet. Moreover, as a result of the enactment of the U.S. Sarbanes-Oxley Act, organizations that are required to comply with this Act must now make their codes publicly available, such as on their Internet websites or as exhibits to annual reports filed with the SEC.

While some organizations choose to apply the code of conduct only to employees, an increasing number of organizations also choose to develop and distribute a separate code of conduct (which is often smaller than the organization’s main code) for agents, suppliers, and relevant third parties or, in lieu of that, provide their codes to such third parties and require them to certify that they agree to abide by the standards contained therein. For example, Google’s code of conduct advises that, although the document “is specifically written for Google employees and Board members, we expect Google contractors, consultants and others who may be temporarily assigned to perform work or services for Google to follow the Code in connection with their work for us. Failure of a Google contractor, consultant or other covered service provider to follow the Code can result in termination of their relationship with Google.”9 A well-designed code of conduct typically includes the following attributes:

  • High-level leadership endorsement, underscoring a commitment to ethics and integrity
  • Guidance on values, principles, or strategies aimed at guiding business decisions and behaviors
  • Simple, concise, and positive language that can be readily understood by all employees
  • Topical guidance based on each of the company’s major policies or compliance risk areas
  • Practical guidance on risks based on recognizable scenarios or hypothetical examples
  • A visually inviting format that encourages readership, usage, and understanding
  • Ethical decision-making tools to assist employees in making the right choices
  • Mechanisms that employees can use to report concerns or seek advice without fear of retaliation
  • A method for employees to periodically certify that they have received the code, agree to abide by the standards contained therein, and pledge to disclose any known or suspected code violations

Organizations often spend significant resources designing and implementing a code; however, many are challenged in understanding whether the document is actually effective in achieving its purpose. All too often, a code that is rolled out with much fanfare ends up languishing on a dusty workspace shelf. Therefore, it is important for organizations to periodically measure the effect that their code is having on employees in order to obtain critical data that can help enhance its effectiveness.

Such an evaluation can generally be accomplished using a variety of tools, including interviews, focus groups, and employee surveys. And organizations are typically well served by choosing several of these information gathering methods to augment their assessment efforts. Regardless of what method is used, the assessment inquiry should center on determining, among others, the degree to which employees are familiar with and rely upon the code to guide them in their day-to-day activities, as well as their perceptions of whether the code is taken seriously by company managers and employees.

Challenges for Global Organizations

Many organizations with a global footprint are challenged when they attempt to implement a U.S.-centric code of conduct in overseas operations. Increasingly, they are learning that in some jurisdictions their code may need to be translated to be enforced, or that employees may not be compelled to certify that they have read and understood the document. Managers often resolve such challenges by creating a code that can bridge numerous countries’ laws, regulations, and customs. Organizations that do a good job in designing and implementing effective global codes, which take into consideration each overseas location’s laws, regulations, and enforcement priorities, as well as local values and cultural norms, generally find that their codes engender a higher level of employee acceptance and comprehension.

Due Diligence

Employee Due Diligence. An important component of an effective risk management strategy is exercising an appropriate level of caution or investigation prior to the hiring, retention, and promotion of employees. Without conducting such due diligence, organizations run the risk of hiring individuals who may otherwise be disposed to commit misconduct. Organizations are often challenged in conducting due diligence, especially when employees reside or operate in higher-risk geographic locations, have discretionary authority over the financial reporting process, or have authority in discrete compliance areas.

While the scope and depth of the due diligence process typically varies from jurisdiction to jurisdiction, it should be tailored to the organization’s identified risks, the job function and level of authority, and the specific laws where the organization and/or the employee resides.10 But how often should the screening of employee backgrounds be performed? While the frequency of background screening will vary by job function or industry, organizations would be well advised to consider performing such screening not only once, at the time of hire, but also upon promotion or transfer into a position that calls for such a background check. For most organizations, it is customary for due diligence to begin at the start of employment and continue periodically thereafter.

While the factors included as part of background checks vary by job function or industry and should be confirmed by the organization’s in-house or external counsel, they may include the following:

  • Criminal histories
  • Regulatory or professional trade disciplinary actions
  • Credit or bankruptcy histories
  • Civil litigation histories
  • Substance abuse screening
  • Driving records
  • Credential verification
  • Previous performance evaluations or disciplinary actions (if with the same employer)
  • Reference checks

Third-Party Due Diligence. Globalization and regulatory pressures require organizations to examine their business relationships in order to assess risk, make informed decisions, and comply with relevant laws and regulations. A growing number of governments globally are tightening regulations or introducing new ones. Many jurisdictions are also demanding high standards of business integrity, and an organization’s failure to adequately scrutinize clients, vendors, agents, and business partners, and to know who they are and how they operate, could expose the enterprise to reputational damage, operational risk, government inquiry, monetary penalties, and even criminal liability.

As organizations enter and operate in new markets, they are especially vulnerable because of their reliance on third-party intermediaries (TPI), many of whom operate far from headquarters, in a foreign language, and with different customs and ways of conducting business. Such TPIs can often pose a great risk to operations. For example, a recent survey by KPMG International found that although a very high proportion of illegal bribes are typically paid by such TPIs, many companies reported that they are not monitoring their intermediaries for anti-bribery and corruption risk.11 Increasingly, regulators both in the United States and elsewhere are making it a high priority to police business relationships with TPIs, and when something goes wrong, the penalties can be significant. As such, organizations would be well served by designing and implementing an effective third-party risk program, which requires the business to undertake the following efforts, among others:

  • Identify the universe of TPIs and those that the organization determines to be within scope (i.e., to be included in the risk program)
  • Conduct an assessment of the risk posed to the organization by the TPI
  • Assign a risk score to each key TPI (e.g., high, medium, and low) and conduct enhanced due diligence on those TPIs with a high risk score
  • Conduct ongoing monitoring of certain TPIs, especially those with a high risk score

Organizations are also often aided in screening third parties by technology tools that can offer good solutions to conduct such screening in a robust and cost-effective manner. For example, online due diligence tools that use advanced technology to search an extensive range of online public data sources can help management obtain information and proactively manage the risk associated with customers, agents, brokers, and counterparties. Sample sources to be searched include global sanctions and regulatory enforcement lists, corporate records, court filings, and press/media archives to gather important integrity and reputational information on subjects. Analyzing this data can identify apparent red flags or integrity warning indicators that can help an organization assess significant, high-profile, or high-risk transactions or business relationships.
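As an added illustration (not the authors’ or KPMG’s material), the following Python sketch walks the four third-party risk program steps listed above together with the list screening described here: it scopes the TPI population, scores each intermediary, assigns a high/medium/low tier, flags high-tier TPIs for enhanced due diligence, and sets a monitoring cadence. The scoring weights, country tiers, screening-list entries, and TPI records are all constructed assumptions, not real data.

```python
"""Third-party intermediary (TPI) risk tiering with screening-list matching.

Added example. Every weight, country code, list entry and TPI record below is
constructed for illustration; a real program would use the organization's own
risk assessment results and licensed sanctions / enforcement data.
"""
import re
from dataclasses import dataclass, field

# Constructed stand-in for a sanctions / regulatory enforcement list.
SCREENING_LIST = {
    "ACME Trading S.A.R.L.": "sanctions list",
    "Global Consulting Partners, Ltd.": "regulatory enforcement action",
}

# Constructed country risk tiers (placeholder codes, not real countries).
HIGH_RISK_COUNTRIES = {"XA", "XB"}
MEDIUM_RISK_COUNTRIES = {"XC"}

# Roles that act on the organization's behalf toward customers or officials.
AGENT_ROLES = {"sales agent", "broker", "consultant", "customs agent"}


@dataclass
class TPI:
    name: str
    country: str
    role: str
    government_touchpoints: bool   # interacts with government officials
    annual_spend_usd: float
    in_scope: bool = True          # step 1: is this TPI inside the program?


@dataclass
class Assessment:
    name: str
    score: int
    tier: str
    screening_hits: list = field(default_factory=list)
    enhanced_due_diligence: bool = False
    monitoring_interval_months: int = 12


def normalise(name: str) -> str:
    """Lower-case and strip punctuation so list entries match despite
    differences such as 'S.A.R.L.' versus 'SARL' or a stray comma."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", name.lower())
    return re.sub(r"\s+", " ", cleaned).strip()


def screen(name: str) -> list:
    """Return the sources on which the (normalised) name appears."""
    key = normalise(name)
    return [src for listed, src in SCREENING_LIST.items()
            if normalise(listed) == key]


def assess(tpi: TPI) -> Assessment:
    """Steps 2 and 3: score the TPI and assign a high/medium/low tier."""
    hits = screen(tpi.name)
    score = 0
    if hits:
        score += 60
    if tpi.country in HIGH_RISK_COUNTRIES:
        score += 30
    elif tpi.country in MEDIUM_RISK_COUNTRIES:
        score += 15
    if tpi.government_touchpoints:
        score += 25
    if tpi.role in AGENT_ROLES:
        score += 15
    if tpi.annual_spend_usd > 1_000_000:
        score += 10

    # A screening hit always forces the high tier regardless of the score.
    if hits or score >= 50:
        tier = "high"
    elif score >= 25:
        tier = "medium"
    else:
        tier = "low"

    # Step 4: higher-risk TPIs are monitored more frequently.
    interval = {"high": 3, "medium": 6, "low": 12}[tier]
    return Assessment(tpi.name, score, tier, hits, tier == "high", interval)


def run_program(tpis):
    """Apply the program to in-scope TPIs, highest risk first."""
    results = [assess(t) for t in tpis if t.in_scope]
    return sorted(results, key=lambda a: a.score, reverse=True)


# Constructed sample TPI population.
SAMPLE_TPIS = [
    TPI("ACME Trading S.A.R.L.", "XA", "sales agent", True, 250_000),
    TPI("Nordic Freight AB", "XD", "logistics vendor", False, 2_000_000),
    TPI("Delta Brokers", "XC", "broker", False, 50_000),
    TPI("Retired Supplier Co", "XD", "supplier", False, 0, in_scope=False),
]

if __name__ == "__main__":
    for a in run_program(SAMPLE_TPIS):
        print(f"{a.name:25} score={a.score:3} tier={a.tier:6} "
              f"EDD={a.enhanced_due_diligence} hits={a.screening_hits}")
```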

It is important to note that the ability of the business to conduct third-party due diligence does vary from one country to another, due to differing privacy and data protection laws. Therefore, it is important for the organization to seek legal advice and clarification on local laws and regulations before undertaking due diligence abroad or on foreign-based TPIs.

Challenges for Global Organizations. Global companies may face challenges in conducting due diligence on employees and third parties residing overseas. In the United States companies are free to practice due diligence in the hiring and retention of employees, agents, and suppliers (such due diligence is stressed in U.S. governmental compliance models and is typically subject to certain legal restrictions). However, many international jurisdictions restrict or limit the type of background information that may be collected. For instance, collecting criminal records is illegal in some European countries, and EU data privacy laws can impose severe restrictions on the availability of information for background checks. Global companies should seek legal advice and check the laws and regulations for each country in which a background check is to be conducted.

Performance Evaluations and Incentives

Adherence to standards of high ethics, integrity, and compliance with the law should be a criterion for all performance evaluations. Doing so conveys to employees an awareness that their failure to contribute to a high-integrity culture or follow organizational standards will have a significant impact on careers and compensation. Moreover, organizations should seek out creative methods for preventing misconduct, for example by looking to rewards and positive incentives as a means of ensuring the effectiveness of compliance efforts, creating a culture of high ethics and integrity, and fostering an atmosphere where compliance policies and guidelines are followed.

To help build the organization’s culture for ethics and integrity, regulatory and evaluative frameworks often advise management to offer financial and nonfinancial incentives to all levels of employees, rewarding behaviors that support the organization’s core values and expectations, and using corrective actions to deal with behaviors that do not model the entity’s aspirations. There are many types of incentives that management can use to encourage good employee behaviors, and these should be tailored to each organization’s specific business, culture, and regulatory environment.

All incentives that reward ethical behavior and compliance with the law should be developed in much the same way that rewards and incentives are developed by the business to encourage operational results. Examples of such employee incentives include:

  • A percentage of a human resources manager’s performance review or bonus can be tied to his or her success in promoting a particular behavior or cause
  • Employees can be evaluated on how well they represent their department in an ethical, informed, and courteous manner
  • Management can issue public commendation letters to deserving employees
  • Employees can win a small, discretionary cash bonus or gift if their work unit achieves an agreed upon organizational goal for a set period of time

Similarly, if employees fail to follow compliance-related standards or requirements (e.g., failing to complete required compliance training), they should become ineligible to share in the organization’s discretionary bonus pool and incentives.

Communication and Training

Communication and training provide all employees with guidance on the organization’s core values and expectations, as well as the consequences for failure to uphold them. Because management typically requires compliance to be everyone’s responsibility, all employees are required to participate in risk management activities, which require frequent, persistent, and effective training and communication efforts that help align employees with the organization’s risk culture and strategy. Having said that, many organizations wrongly assume that publishing a code of conduct and distributing it to all employees constitutes an effective communication strategy. However, studies and experience show that a code, standing alone, is relatively ineffective at influencing employee behavior and buy-in. It is only when surrounded by a wide-ranging communications and training strategy that a code can become a unifying and respected source of compliance guidance.

Making employees aware of their obligations to mitigate organizational risks begins with practical communication and training. Efforts to do so in an ad hoc manner or by using a one-size-fits-all approach may fail to educate employees or provide them with a clear message that their risk management responsibilities are to be taken seriously. Managers should consider developing a wide-ranging strategy and plan that calls for frequent, relevant, and appropriate communication and training for all relevant employees in key risk areas (e.g., discrimination, sexual harassment, environmental health and safety, conducting business with government officials, acceptable sales practices, and accepting gifts and entertainment).

Developing such a detailed strategy and plan often takes careful thought, planning, and coordination; however, when done well, the strategy can help ensure that specific individuals receive communications and training in areas most relevant to their job functions. Also, gaps or overlaps in coverage are minimized, and staff time and other resources are used efficiently. In preparing such a plan, the organization should take into consideration the following:

  • Results of a risk assessment that inform on key risks appropriate for communications and training
  • Real examples and scenarios from the organization’s workforce
  • Relevant topics for potential communications and training (e.g., advice and reporting mechanisms, standards of conduct, and related policies and procedures)
  • Training needs of specific individuals based upon their job function and risk areas

Because communicating and training individuals identically in all job functions will inevitably result in inefficiency, lack of focus, and poor understanding, organizations must tailor their communication and training efforts to individuals’ respective roles and responsibilities. Therefore, organizations should develop a separate topic-specific training plan to determine the training needs for each group of employees based on their specific job function and risk areas. For example, senior members of management have different communication and training needs from frontline supervisors, and these two groups in turn have different needs from employees who work in, for instance, the organization’s finance and accounting function.

  • Senior Managers. An organization’s senior managers are expected to set the ethical “tone-at-the-top” for the organization and, as such, should receive communication and training to help them succeed in fostering an organizational culture that values workplace ethics and integrity.
  • Frontline Supervisors. Supervisors are critical sources of information for employees and important in shaping employee perceptions of the organization’s culture. In fact, respondents to KPMG’s Integrity Survey of more than 3,500 employees (spanning all levels of job responsibility, 16 job functions, 12 industries, and 5 thresholds of organizational size) reported that they would feel most comfortable seeking advice and counsel from supervisors and local managers (76 percent and 67 percent, respectively), underscoring the need for organizations to ensure that the latter are well prepared to respond appropriately to employee questions.12 Training for such individuals should focus on their responsibilities for addressing employee concerns when they seek advice or report misconduct and generally promoting compliance program aims (e.g., by distributing compliance-related guidance and discussing compliance issues at regular staff meetings).
  • Current Employees. Existing employees often present a greater hurdle to communication and training as they typically know the organization closely and have usually developed their own perceptions. They also invariably sit in different functional and operational areas of the organization. Accordingly, communication to and training for them should be frequent and regular, as well as directly tailored and linked to their day-to-day job.
  • New Personnel. Starting with orientation, an organization has the ability to set the tone of a desired corporate culture, and management should take advantage of this window of opportunity to help new employees understand the specific rules that apply to performing their jobs, as well as the resources available to them to answer questions or report problems.

No matter how effective the training is, some individuals may never fully buy into the compliance program. However, frequent communications, required training, and various control systems that tie commitment to compliance and the carrying out of compliance responsibilities to the performance review and compensation process can help motivate many individuals to support the compliance program aims, helping to ensure that employees receive the right messages. In other words, it is important to foster a strong culture of compliance and adherence to ethical values.

Detective Controls

Advice and Reporting Mechanisms

Employees are more likely to raise concerns and report misconduct when they know where to turn for help, feel comfortable doing so without fear of retaliation, and believe that management will be responsive to their raising the issue. Those organizations that have a better chance of detecting misconduct early are ones that have built a culture where employees believe they have a stake in the company and have an affirmative responsibility to raise their hands and report improper conduct.

An important attribute of an organization’s culture of ethics and integrity is the willingness of its employees to report misconduct without fear of retaliation. Research has shown, in fact, that such employee reports are by far the most common detection method for misconduct, as illustrated by the results of a recent KPMG survey where participants reported that: (1) more than 40 percent of all cases of organizational fraud were detected by an employee’s tip—more than twice the rate of any other detection method; and (2) employees accounted for almost half of all tips that organizations used to discover fraud.13

Recent enforcement actions and reports by the SEC and other federal and state agencies have made it clear that the government has found whistleblower programs to be a valuable enforcement tool and that enforcement agencies have increasingly paid bounties to employees and others who came forward with information to help identify organizational misconduct.14 In light of the government’s increasing reliance on whistleblowers as a source of information on potential misconduct, organizations would be remiss if they neglected to offer their own whistleblower mechanism to employees (e.g., a telephone hotline or webline) to increase the likelihood that employee whistleblowers voice their complaints internally rather than with government regulators who will seek to trigger a time-consuming and resource-intensive regulatory investigation.

In typical organizations, employees can seek advice or report misconduct in various ways—for example by contacting board members, senior executives, supervisors, local managers, compliance resources, and human resources professionals. While employees should be encouraged to use whichever mechanism is most appropriate given the particular situation at hand, they are typically most comfortable reporting misconduct to their immediate superiors. This is well illustrated by the results of KPMG’s survey where respondents opined that they would feel most comfortable reporting misconduct to supervisors and local managers (76 percent and 62 percent, respectively).15 Importantly, the option that tied for second place for reporting misconduct was the organization’s ethics or compliance telephone hotline (62 percent).

Some version of a telephone or Internet (web) hotline is used at most large organizations, typically providing a viable method whereby employees, as well as other key third parties (e.g., agents, customers, vendors, suppliers, etc.), can communicate concerns about potential misconduct and seek advice when the appropriate course of action is unclear. A well-designed hotline typically includes the following features:

  • Organization-wide Availability. Employees at international locations are able to use the hotline through features such as real-time foreign language translation and toll-free call routing (or alternatively, have access to local hotlines in specific countries or regions).
  • Anonymity. The organization’s policies allow for the anonymous submission and resolution of calls. For instance, callers who wish to remain anonymous are given a case tracking number that they can later use to provide additional details related to their question or allegation and/or check the status or outcome of their call. Note that Section 301 of the Sarbanes-Oxley Act requires that the audit committee of an organization listed on a U.S. exchange take steps to establish procedures for the receipt, retention, and treatment of employee complaints, as well as a way for employees to submit confidential and anonymous concerns regarding questionable accounting or auditing matters.16
  • Confidentiality. All matters reported via the hotline are treated confidentially. Hotline operators inform callers that relevant safeguards will protect caller confidentiality—for instance, limiting access to personal information (if volunteered). Hotline operators disclose to callers any limitations the organization may have in preserving caller confidentiality (e.g., callers should have no expectation of confidentiality if the call leads to a government investigation).
  • Nonretaliation. The organization’s policies prohibit retaliation against employees who in good faith seek advice or report misconduct. Such retaliation may be overt (e.g., terminating the reporting employee) or covert (e.g., failing to provide the employee with a well-deserved promotion, raise, bonus, or even a desirable work assignment). The organization requires a follow-up with employees periodically after the hotline case has been closed (e.g., at one-, three-, and six-month intervals) to ensure that they have not experienced retaliation. The company encourages the employees to report any instances of retaliation and takes swift action against those who do retaliate. In tandem with the development of such mechanisms, management should also design and implement a monitoring program that can continuously monitor employees and other third parties (e.g., witnesses) reporting misconduct, to see if there are significant changes in their organizational success factors that may indicate they are experiencing retaliation (e.g., monitoring of red flags such as productivity, revenue generation, performance ratings, career advancement, compensation awards).
  • Real-Time Assistance. The hotline is designed to provide an immediate, “live” call response to facilitate thorough and consistent treatment of a caller’s report of misconduct or to provide immediate guidance (if the hotline offers such assistance). Thus, hotline operators need to be appropriately qualified, trained, and, in some situations, authorized to provide advice.
  • Data Management Procedures. The organization uses consistent protocols to gather relevant facts, manage and analyze hotline calls, and report key performance indicators to management and the board. This is often accomplished, for example, by using a computerized, back-end case management system to store, organize, prioritize, and route employees’ reports. Later in the chapter we discuss using technology to better mitigate compliance risks.
  • Classification of Financial Reporting Concerns. The hotline includes protocols whereby qualified individuals (e.g., internal audit, legal, security) can determine whether the nature of an allegation could trigger a financial reporting risk or a regulator/compliance risk.
  • Audit Committee Notification. The hotline includes protocols that specify the nature and timing of allegations that are escalated to the audit committee (particularly important for companies that must comply with the requirements of the U.S. Sarbanes-Oxley Act).
  • Prominent Communications. The organization publicizes its hotline prominently. Such communications may include, among others: (1) describing the hotline within the code of conduct, in key company publications and training, and at management “town hall” type meetings; (2) featuring the hotline telephone number on posters, banners, wallet cards, screen savers, telephone directories, or desk calendars; and (3) communicating illustrative case studies based on hotline calls to employees (e.g., in newsletters, training programs, or intranet sites) to demonstrate that the organization values hotline calls and is able to provide assistance to those who use the hotline.

Multinational organizations are often challenged to design and implement a hotline that can be used in their various international operations. For example, language and cultural barriers may hinder a hotline’s effectiveness (e.g., in some paternalistic societies, going around one’s supervisor by calling a hotline may be regarded as a demonstration of a lack of respect). Moreover, there may be legal restrictions overseas associated with having employees blow the whistle on misconduct; for example in some international locations a hotline policy cannot be implemented in its entirety due to legal limitations.

The challenge for organizations is to create a borderless culture of compliance that encourages (or at least tolerates) reporting of improper conduct, and this can be achieved by designing and implementing customized hotline policies and procedures for each international jurisdiction, providing effective training and communications in each key native tongue, and generally remaining attuned to the cultural nuances and sensitivities inherent in conducting business overseas.

Auditing and Monitoring

Auditing and monitoring systems that are reasonably designed to detect misconduct are important tools that management can use to determine whether the organization’s controls are working as intended. Since it is impossible for the internal audit function to audit every risk, management should develop a comprehensive auditing and monitoring plan that is based on risks identified through a risk assessment process.

To carry out effective auditing and monitoring, organizations should consider the following broad design elements. First, an organization should design its auditing and monitoring activities around overall priorities for compliance-related activities, as well as both short- and long-term organizational objectives. Some questions that may be helpful in this regard include the following:

  • How is leadership’s commitment to compliance integrated into business goals, strategies, decisions, and day-to-day practices?
  • What methods does management use to promote, reward, and enforce a culture of high ethics and integrity and commitment to the organization’s core values?
  • How are specific compliance policies, programs, and controls intended to operate?
  • How are authorities and accountabilities delegated to various functions so that they may achieve ethics and compliance objectives?
  • How are compliance resources budgeted and allocated?
  • How are key performance indicators (KPIs) used to measure the effectiveness of ethics and compliance activities?
  • How does the organization ensure that professional standards, industry practices, and regulatory expectations are adhered to?

Second, effective implementation of auditing and monitoring initiatives can help ensure that senior management receives persuasive data regarding the effectiveness of key controls to mitigate risks. Despite the fact that different organizations have different policies, procedures, programs, controls, and risk tolerances, the following key implementation considerations often remain constant:

  • Is there clear support from the board of directors and senior management?
  • Are there well-established objectives for auditing and monitoring initiatives?
  • Are reporting lines well established, with direct access to the board, if applicable?
  • Has an assessment been performed to identify any barriers to success, including a remediation plan to overcome identified barriers?
  • Have sufficient resources been provided to help ensure that auditing and monitoring efforts are not merely window dressing?
  • Are auditing and monitoring activities performed by personnel who have the requisite skills and training?
  • Have existing organizational structures been taken into account? (e.g., a highly decentralized structure may make it difficult for centralized auditing and monitoring functions to succeed.)
  • Have key stakeholders (e.g., HR, legal, compliance, security, accounting, operations) been consulted in planning auditing and monitoring activities?
  • Is there an established timeline for the implementation of auditing and monitoring activities?
  • Is there a process for evaluating the success of such implementation efforts?

Third, reports on the results of auditing and monitoring activities should be designed such that they ensure effective communication to relevant corporate stakeholders. Such reports should include not only sufficient detail on observed findings, but also guidance on how to evaluate the severity of deficiencies and the effectiveness of subsequent remediation efforts. Three key elements for an effective communication process include prioritizing findings, reporting findings to the appropriate oversight level, and detailing subsequent remediation actions.

While the process for auditing and monitoring focuses on both the likelihood and impact of potential fraud and misconduct, the scope for such activities should include the entire organization, including its significant business units, operational divisions, and accounts. Those controls that are not periodically assessed for relevance and practicality may deteriorate over time. Consequently, regular auditing and monitoring of controls often leads to organizational efficiencies and reduced costs associated with public reporting on internal control. Accordingly, identification of control deficiencies should be addressed proactively, rather than reactively, to help ensure efficient resolution.

Technology and Compliance Innovation

Despite the growing maturity of the compliance profession, most CCOs and their teams still find themselves with precious little time and/or resources to conduct a thorough and meaningful analysis of the millions of data points their companies collect or have at their disposal. Instead of letters, journals, or newspapers, or even word-of-mouth rumors, most of our information now travels at the speed of light in simple binary code of 0s and 1s, and yet those bits hold potentially critical insights into an organization’s compliance profile.

The problem companies struggle with is the explosion of data creation in the past several years; consider the following evolution—kilobyte to megabyte to gigabyte. One estimate by IBM is that 2.5 quintillion bytes of data are being created every day; and it’s commonly accepted that 90 percent of the data in the world today has been created in the past two years alone.17

The reality, unfortunately, is that many companies have critical data in multiple formats or files and in multiple company silos—human resources, audit, compliance, security, operations, sales, and finance, to name but a few, all have their own sets of data, which often overlap as each function does its part to prevent and detect possible misconduct. Gaining access to such information is often difficult, and some compliance teams encounter classic internal turf battles and turf mindsets. Even if given access, as mentioned above, many functions lack the staff to assess the data thoroughly.

Many companies in the compliance field offer clients configurable dashboards that aggregate and highlight key data generally derived from helpline allegations, investigations, and enterprise compliance training. While these are extremely important areas to track and monitor, such dashboards tend to be backward-looking assessments—events that have been concluded, or soon will be—and fall short of what is now possible with emerging software applications.

In the past several years, technology has transformed the way many compliance functions have executed communications and training strategies. Mobile devices and phones have created new avenues for short burst communications messages, or even training refreshers. Training in particular has become more technology based and segmented, directing the right message in the right dose to the right target audience. In many ways, compliance and human resource teams are the beneficiary of the advances in technology and the developing science around adult learning. The time has come for compliance professionals to avail themselves of similarly new technologies and software applications to open doors for program measurement and assessment, as well as potentially provide an early warning to an unhealthy culture or potential misconduct.

Data and Analytics

In many ways we are just at the start of a new wave of technology advancements, data analytics, and connectivity, forces that will help manage data from across the globe virtually instantaneously. The world of big data will become infinitely more challenging and complex, whether we are ready for it or not. And this includes tying in social media outlets to one’s internal data to more proactively manage potential risk. Fortunately, the growing capabilities of the data and analytics (D&A) discipline, currently used by many sales, marketing, supply chain, and finance functions, can now be applied to compliance data. These business functions have pioneered, and thus tested the capabilities of D&A, and have ultimately paved the way for ethics and compliance (E&C) functions to follow.

Simply put, D&A provides insights that enable executives to see quickly the interrelationships between disparate parts of the business. Recent survey research shows that experts in the analytics space believe that the companywide benefits of a robust D&A initiative include enhanced corporate performance, improved risk management, and a better customer experience—all of which can, and do, apply to the scope of the compliance function, particularly if one considers employees to be “customers.”

In order for compliance teams to get the most out of their available data, it helps to understand and use the language of the evolving D&A profession. Think of D&A along a maturity continuum comprising four different stages:

  1. Descriptive: simply understanding current conditions (where many compliance functions may find themselves trapped)
  2. Diagnostic: retrospective analysis to understand drivers of an outcome that occurred (many current compliance metrics fall into this category, such as investigations and outcomes, training completed)
  3. Predictive: the use of current and historical data and drivers analysis, combined with advanced analytical modeling, to understand potential ranges of outcomes
  4. Prescriptive: development of models incorporating predictive analytics to optimize solutions

Moving from descriptive to diagnostic involves data integration and is a critical first step, one that many compliance teams regrettably still struggle with today. To move from diagnostic to predictive begins to engage true analytics capabilities, the 1.0 version of D&A for compliance functions today. The last step in the chain, moving from predictive to prescriptive, draws on true culture change as it relates to the use and analysis of a company’s data; this may in fact be version 2.0 for compliance in the not-too-distant future.

Companies that self-identified as “market leaders” in a recent KPMG survey were more likely (59 percent) to apply D&A to the management of enterprise risk and performance than companies that self-identified as “non–market leaders” (47 percent). While the percentage gap in application is significant, D&A experts believe it will quickly shrink once the early adopters share their successes, helping the later adopters to make more compelling business cases for following that same path. While it is too early to present similar research focused on compliance leaders, many believe that day is coming soon.

What are the current barriers to the expansion of early adoption of D&A by companies and/or functions like compliance? Here, compliance leaders have the benefit of learning from the challenges facing other business leaders in their D&A efforts. Research indicates there are two main challenges: (1) too many D&A initiatives and/or opportunities creating difficulty in focusing on the priority initiatives; and (2) an apparent lack of support from executive management for the suggested D&A proposals, which may stem from a basic lack of understanding of the way to use D&A. Clearly these barriers are connected and require business leaders to make better links to overall business strategies and to better explain the full benefits of a D&A application.

Today several software providers offer configurable platforms that allow the compliance function to develop a multilayered data environment that for the first time brings together diverse data sets in a way that is tailored for trend analysis. These software systems generally sit inside a company’s firewall, lowering cost and easing implementation barriers. Of critical importance, the software systems can also manage sensitive data via encryption, and various levels of access permissions can be configured for eventual users.

How does it all come together? First and most important, the compliance team must gain the trust and support of sister functions, particularly information technology, legal, human resources, and audit, early in the process, otherwise the initiative is likely to fail. Convincing them of the functional and enterprise benefit of consolidating data into a single analytics repository in many cases will take considerable time, and compliance officers need to factor this into their development plans. Certainly if the company has engaged D&A in other disciplines, the E&C business plan ought to maximize that experience for enhanced insights and cost/time savings when advocating for a similar innovation for the compliance function.

After securing the support of senior management and functional leadership, corporate compliance teams often work with third-party advisory firms to guide the software providers in the planning and development stage of the project. These collaborative teams establish the working framework for the D&A application, scope the available data sets, define security and access protocols, design the dashboard interface, create implementation plans, and ultimately test the systems before going live.

While not quite artificial intelligence, predictive systems can be configured to allow for manual data selection/sorting fields; once the comparative data sets are selected, the D&A trend analysis can be run (and create management reports and/or PowerPoint slides for internal reporting purposes). Compliance staff can benefit from the dynamic reporting powered by a D&A engine. Staff time and attention shifts from trying to capture, collate, and understand the data to incorporating the data analysis into active response strategies, either to reinforce processes and procedures and training, or to proactively launch a targeted mitigation strategy.

As the software platforms become more sophisticated, machine learning will be implemented, allowing for the continual review of data sets, with alerts and notifications going out to prepopulated internal subject matter experts. Imagine a simple data set with appropriate feeds into the D&A application, such as corporate offices/locations, business units, employee headcount and personnel numbers, functional assignment, helpline allegations, investigations, outcomes, and disciplinary actions that can be quickly and easily sorted by a compliance leader who conducts historical trend analysis (for six months, one year, or multiple years, depending on the available data) on a particular data point, and then quickly exports the data analysis into a presentation template.

In the case of a recent acquisition, these same data points can be fed into the D&A tool to reveal problematic areas of the newly acquired business, matched against the existing company profile. Tracking these outlier data points against mitigation strategies helps assure that the right resources are applied against real potential risk. Thus far, these examples are relatively straightforward tasks for the underlying software, yet they can save compliance staff countless hours of heretofore manual data gathering and analysis.

The real power of these D&A applications is how simple it is to add additional layers of complexity and context simply by linking new data feeds—say, the results of the last several employee surveys or employee tenure. Matching the previous results with positive and/or negative survey results begins to shed new light on the actual culture that may exist across a given enterprise, and the profile of persons who report potential wrongdoing and the profile of those who may be found in violation of company policy or the law.

Prevent, Detect, and Respond

D&A is about more than connecting the obvious dots; it’s about finding additional insights from themes sometimes beyond the conventional wingspan of the compliance office. First, let’s look at the cultural component from the FSG’s Section 8(a)(2), which states that “[an organization shall] otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

A compliance team might consider running a trend analysis of near misses and/or notices of violations from a company’s facility and operations team, a sign of a potentially growing culture problem. Or, if there are no factories, a CCO might consider filtering employee turnover and exit interview data; unusually high turnover in a given function or office may align with the high number of helpline calls, low employee satisfaction and/or fear of retaliation, and low management trust. Indeed, the D&A platform is flexible enough to accept data feeds from social media monitoring software, again, adding a layer of input and insight into corporate risk exposure. Triangulating these multiple data points could lead to a mitigation or intervention strategy.

For example, the compliance team could commit, with local human resources, to conduct employee focus groups and/or interviews that may help further identify underlying issues and potentially lead directly to a local management improvement plan. Ultimately, such initiatives might reverse the employee exodus trend, prevent injuries, improve morale, and either rehabilitate or terminate an underperforming leader.

Let’s take another example—compliance officers and management must take care in the hiring and promoting of key staff per the FSG’s statement in Section 8(b)(3), which states that “[t]he organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.” A compliance officer, utilizing the power of D&A and in partnership with human resources, can easily run the list of employees in line for potential promotions against the helpline allegation database, starting with current cases and going back one or more years. Such a data sort can easily be done with unique employee identification numbers and an agreed definition of positions within the company that constitute “substantial authority personnel.”

Consider the outcome: Certainly if a senior leader is working under a performance improvement plan for a policy violation via the compliance or HR group, management may think twice about the timing of a promotion. In large, decentralized organizations such a potential disconnect on promotions between compliance, line management, and human resources is unfortunately quite probable. A disciplined approach supported by processes, procedures, and management and an underlying D&A application will help reduce the likelihood of such an occurrence. Moreover, for key positions, the organization may consider an additional step by running an external criminal background check.

And to the point raised above on social media and how D&A can incorporate external data feeds, it is possible for the D&A application to reach out externally and proactively to search certain databases, such as state and federal criminal convictions in the United States, thereby providing a constant mitigation strategy. This is particularly important in industries like transportation and logistics where a DUI violation can, in fact, disqualify a driver from continued active driving. As in most cases of regulatory violation, ignorance is not a defense for the corporation; rather it’s likely a violation if that driver is found to be behind the wheel following a DUI conviction.

Consider when there is a reduction in force where human resources generally partners with the affected business units and designs a legally appropriate list of employees scheduled for separation. In most cases, because of the confidential nature of investigations, employees involved are unknown to the business leaders and HR team looking at candidates for separation. Compliance teams utilizing the capabilities of a D&A application could run that separation list against current and historical cases or investigations. Employees who raised issues or participated in investigations as a witness could be among those slated for separation, and potentially raise a retaliation concern (more on this below). Such a discovery would lead to informed discussions with HR, legal, compliance, and management about the timing of separation at the very least. Similarly, what if the case is under active investigation? Would it be prudent to terminate a reporter or potential key witness to a matter that could result in litigation or increased loss to the company?

Next, consider a company’s obligation to employees to create a retaliation-free workplace, certainly one of the most important commitments compliance teams and senior management can make to employees after their physical safety and well-being. D&A can again help compliance teams monitor for potential retaliation by tracking all reporters and investigation witnesses (again utilizing their unique employee ID numbers) for a period of years. The timing may vary according to company policy, leading industry practice, regulatory requirements, and regulator expectations. They can cross-check this list for potential terminations, transfers, reassignment, performance improvement plans, and of course annual performance reviews. This process requires disciplined coordination between human resources and compliance, but in the interest of protecting employees from retaliation and to ensure the integrity of the corporate compliance commitment to all employees, a coordinated effort is simply the right thing to do.
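The three cross-checks described in the preceding paragraphs (promotion candidates against the allegation database, a separation list against current and historical cases, and adverse HR actions against reporters and witnesses over a lookback period) all reduce to joins on the unique employee ID. The Python below is an added example, not code from this book or from any D&A vendor; the employee IDs, case IDs, dates, role names, the adverse-action list and the two-year lookback are constructed for illustration and would be replaced by the organization’s own case management and HR feeds.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Added example; all records below are constructed, hypothetical sample data.


@dataclass(frozen=True)
class CaseRecord:
    case_id: str
    employee_id: str            # unique employee ID (the join key)
    role: str                   # "reporter", "witness" or "subject"
    opened: date
    closed: Optional[date] = None   # None means the case is still open


@dataclass(frozen=True)
class HRAction:
    employee_id: str
    action: str                 # e.g. "termination", "transfer", "pip", "promotion"
    effective: date


# Constructed helpline/case feed (hypothetical IDs and dates).
CASES = [
    CaseRecord("C-001", "E1001", "reporter", date(2014, 3, 10), date(2014, 6, 1)),
    CaseRecord("C-001", "E1002", "subject",  date(2014, 3, 10), date(2014, 6, 1)),
    CaseRecord("C-002", "E1003", "witness",  date(2015, 1, 15), None),
    CaseRecord("C-003", "E1004", "reporter", date(2011, 5, 2),  date(2011, 9, 30)),
    CaseRecord("C-003", "E1005", "subject",  date(2011, 5, 2),  date(2011, 9, 30)),
]

# Constructed HR action feed.
HR_ACTIONS = [
    HRAction("E1001", "pip",         date(2014, 9, 1)),   # reporter placed on a PIP six months after reporting
    HRAction("E1003", "termination", date(2015, 4, 1)),   # witness in a still-open case slated for termination
    HRAction("E1004", "transfer",    date(2015, 2, 1)),   # reporter, but the case closed years earlier
    HRAction("E1006", "termination", date(2015, 4, 1)),   # no case involvement at all
]

# Which HR actions count as potentially adverse (hypothetical policy choice).
ADVERSE_ACTIONS = {"termination", "transfer", "reassignment", "pip", "demotion", "pay_reduction"}
PROTECTED_ROLES = ("reporter", "witness")
AS_OF = date(2015, 6, 1)        # constructed "today" for the promotion screen


def _years_between(start: date, end: date) -> float:
    return (end - start).days / 365.25


def retaliation_watchlist(cases, hr_actions, lookback_years: int = 2) -> List[Tuple[str, str, str, str, str]]:
    """Adverse HR actions against a reporter/witness taken while the case is open
    or within lookback_years of the case being opened. Each flag is
    (employee_id, action, case_id, role, case_status)."""
    flags = set()
    for act in hr_actions:
        if act.action not in ADVERSE_ACTIONS:
            continue
        for c in cases:
            if c.role not in PROTECTED_ROLES or c.employee_id != act.employee_id:
                continue
            if act.effective < c.opened:          # action predates the report; not retaliation
                continue
            case_open = c.closed is None or act.effective <= c.closed
            if case_open or _years_between(c.opened, act.effective) <= lookback_years:
                status = "open" if c.closed is None else "closed"
                flags.add((act.employee_id, act.action, c.case_id, c.role, status))
    return sorted(flags)


def promotion_screen(candidate_ids, cases, as_of: date, lookback_years: int = 2) -> Dict[str, List[str]]:
    """Promotion candidates who are the subject of an open case, or of any case
    opened within lookback_years before as_of. Returns {employee_id: [case_ids]}."""
    hits: Dict[str, List[str]] = {}
    wanted = set(candidate_ids)
    for c in cases:
        if c.role != "subject" or c.employee_id not in wanted:
            continue
        if c.closed is None or _years_between(c.opened, as_of) <= lookback_years:
            hits.setdefault(c.employee_id, []).append(c.case_id)
    return hits


def separation_screen(separation_ids, cases) -> Dict[str, List[Tuple[str, str, str]]]:
    """Employees on a reduction-in-force list who reported or witnessed a case,
    with the case status, so HR/legal/compliance can review timing before separation."""
    hits: Dict[str, List[Tuple[str, str, str]]] = {}
    wanted = set(separation_ids)
    for c in cases:
        if c.role in PROTECTED_ROLES and c.employee_id in wanted:
            status = "open" if c.closed is None else "closed"
            hits.setdefault(c.employee_id, []).append((c.case_id, c.role, status))
    return hits


if __name__ == "__main__":
    print("retaliation:", retaliation_watchlist(CASES, HR_ACTIONS))
    print("promotion:", promotion_screen(["E1002", "E1005", "E1007"], CASES, AS_OF))
    print("separation:", separation_screen(["E1003", "E1006", "E1004"], CASES))
```

Each function returns only matches, so the output of any run is the review list the text describes rather than a verdict: a flagged PIP or termination is the trigger for the coordinated HR, legal and compliance discussion, and the lookback window and adverse-action set are the policy parameters the organization sets for itself.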

Responsive Controls

Conducting Internal Investigations

When information relating to actual or potential misconduct is uncovered, second line of defense functions (e.g., compliance, in association with legal and HR) should be prepared to conduct a comprehensive and objective internal investigation. The purpose of such an investigation is to gather facts leading to an objective and credible assessment of the suspected violation and allow management to decide on a sound course of action. By conducting an effective internal investigation, management can address a potentially troublesome situation and have an opportunity to avert a potentially intrusive government investigation. A well-designed investigative process will typically include the following considerations, among others:

  • Oversight by the audit committee, or a special committee of the board, either of which must comprise independent directors who are able to ward off undue pressure or interference from management
  • Direction by outside counsel, selected by the audit committee, with little or no ties to the entity’s management team, and that can perform an unbiased, independent, and qualified investigation
  • Activities undertaken by investigators who understand the legal dimensions of the matter at hand, as well as the necessary investigatory skills
  • Briefing the organization’s external auditor so that the latter can consider the proposed scope of work in the audit of the organization’s financial statements
  • As an expectation of cooperation with investigators, allowing no employee or member of management to obscure the facts that gave rise to the investigation
  • Reporting protocols that provide management, the board, external auditors, regulators, and, where appropriate, the public with information relevant to the investigation’s findings in the spirit of full cooperation, self-disclosure, and transparency

Challenges for Global Organizations

The challenge for global organizations in conducting investigations is that as rapid advances in global trade increase the risk of cross-border misconduct, they face mounting pressures to develop or enhance their cross-border investigative capabilities. For instance, international subsidiaries may not follow effective investigatory protocols, or even have access to internal or external resources with the requisite experience and training to follow multiple international regulatory directives, requirements, and laws.

At the same time, enforcement authorities, such as the Criminal Division of the DOJ, are busy reaching out to their international counterparts, as explained by Marshall L. Miller, principal deputy assistant attorney general: “Today, in the Criminal Division, we are capitalizing on the cooperative relationships we have developed with foreign prosecutors, law enforcement, and regulatory agencies to better access evidence and individuals located overseas. Even more significantly, we have dramatically increased our coordination with foreign partners when they are looking at similar or overlapping criminal conduct—so that when we engage in parallel investigations, they complement, rather than compete with, each other.”18 Although global organizations should enhance their ability to conduct a global investigation, they must also take care that their investigations do not violate local law. For example, in some international jurisdictions, government and enforcement authorities may consider an organization’s internal investigation to be an obstruction of justice if it is undertaken contemporaneously with an ongoing government investigation.

Enforcement and Accountability Protocols

A consistent and credible disciplinary system is a key control that can be effective in deterring misconduct. Appropriate discipline is also a requirement under leading regulatory and evaluative frameworks. By mandating meaningful sanctions, first line of defense managers can send a signal to both internal and external stakeholders that the organization considers managing misconduct risk a top priority. As such, organizations do well to establish and communicate to employees a well-designed disciplinary process that includes companywide guidelines that promote:

  • Progressive sanctions consistent with the nature and seriousness of the offense (e.g., verbal warning, written warning, suspension, pay reduction, location transfer, demotion, or termination)
  • Uniform and consistent application of discipline regardless of job level, tenure, or job function

Holding managers accountable for the misconduct of their subordinates is another important consideration. Managers should be disciplined in those instances where they knew, or should have known, that misconduct might be occurring, or when they:

  • Directed or pressured others to violate company standards to meet business objectives or set unrealistic goals that had the same effect
  • Failed to ensure employees received adequate training or resources
  • Failed to set a positive example of acting with integrity or had a prior history of missing or permitting violations
  • Enforced company standards inconsistently or retaliated against others for reporting concerns

Disclosure Protocols

Voluntary self-disclosure to the government of criminal misconduct, followed up by cooperation with law enforcement investigations, has long been considered favorably by the government in reducing criminal penalties for convicted corporations. In a recent speech, a top DOJ enforcement official reinforced this practice by opining that “if there is no cooperation, we will continue to investigate and prosecute the old-fashioned way. And companies will face the consequences. . . . [I]f a corporation wants credit for cooperation, it must engage in comprehensive and timely cooperation; lip service simply will not do.”19 The policy of receiving credit for cooperation is also illustrated by various governmental compliance models, including the False Claims Act, where the government’s maximum claim is reduced if the organization makes a full disclosure about the false claims, and the FSG, which leave the potential for a reduction in sanctions for those organizations that disclose violations and cooperate with enforcement authorities.

Because of the potential importance of self-reporting, senior management executives and the board, in consultation with second line of defense functions (e.g., compliance and legal) should consider designing formal, principles-based protocols for voluntary and prompt disclosure of violations of law to the government, as appropriate. When misconduct surfaces and the question of whether to report arises, existence of self-disclosure mechanisms will suggest what the right answer is and foster an environment of openness and cooperation. Note, however, that the existence of self-disclosure is never a guarantee against indictment. Self-disclosing criminal misconduct may still result in an enforcement action and eventual collateral litigation by private parties.

Moreover, in certain situations, investigations uncover activities that may trigger financial statement disclosures. For example, illegal acts may have an effect on the amounts presented by management in the entity’s financial statements. In this regard, loss contingencies resulting from illegal acts that may be required to be disclosed should be evaluated. Likewise, a disclosure in the financial statements may be triggered by an investigation uncovering an illegal act that may have an effect on the entity’s operations. If material revenue or earnings are derived from transactions involving illegal acts, or if illegal acts create significant unusual risks associated with material revenue or earnings, such as the loss of a significant business relationship, such information should be considered for disclosure. If such cases arise, management must discuss potential disclosures with counsel and the entity’s public auditors.

Remedial Action Protocols

Once misconduct has occurred, senior executives and the board, in consultation with second line of defense functions (e.g., compliance and legal) should consider taking action to remedy the harm caused. For example, the organization may wish to consider taking the following steps where appropriate:

  • Voluntarily disclosing the results of the investigation to the government or other relevant body (e.g., to law enforcement or regulatory authorities)
  • Remedying the harm caused (e.g., initiate legal proceedings to recover monies or other property, compensate those injured by the misconduct, etc.)
  • Examining the root causes of the relevant control breakdowns, ensuring that risk is mitigated and that controls are strengthened
  • Administering discipline to those involved in the inappropriate actions as well as to those in management positions who failed to prevent or detect such events
  • Communicating to the wider employee population that management took appropriate, responsive action

Although public disclosure of misconduct may be embarrassing to an organization, management may nonetheless wish to consider such an action in order to combat or preempt negative publicity, demonstrate good faith, and assist in putting the matter to rest. Moreover, when an organization experiences a substantial integrity breakdown and agrees to cooperate with government enforcement authorities,20 the latter may allow the organization to enter into a government settlement agreement (GSA) and postpone, or avert entirely, prosecution for the alleged misconduct.21 Under the terms of a typical GSA, the organization agrees to a list of substantial government demands as an alternative to trial. Such demands may include the requirement for the organization to agree to some or all of the following conditions: conduct an internal investigation or cooperate fully with the government’s own investigation; accept full responsibility for the underlying misconduct; agree to pay a fine; undertake substantial changes to the organization’s internal controls to help ensure the misconduct is not repeated in the future.

As part of its remediation efforts, the offending organization may also be required to host (and pay for) a corporate monitor to oversee the implementation of the GSA’s terms. Such a monitorship may last for a period of years (e.g., a three- to five-year term), overseeing and providing annual reports on the organization’s efforts to design and implement a variety of internal controls. Such controls may include drafting an organizational code of conduct; creating a compliance officer position or compliance function; implementing policies to prevent the misconduct from occurring again; conducting compliance training related to the particular risk area in question; establishing anonymous advice and reporting mechanisms (e.g., a hotline or webline). It is important to note that while the incentives to entering a GSA are substantial, so are the organizational resources typically expended to meet the agreement’s conditions.

Conclusion

In this chapter we outlined a path that started with understanding the criticality of having the right governance, risk, and compliance framework and an organizational culture that guides decision making at all levels, reflects the company’s core values and encourages a commitment to ethical conduct and compliance with the law. We moved out from there and explained how the first line of defense designs and implements the critical policies, programs, and controls needed to support accountability, practical oversight, and a compliant culture at all organizational levels. From there we moved out to establishing a compliance function that is tasked with assisting in the design and implementation of risk management controls to help ensure employee compliance with applicable laws, regulations, and the organization’s own policies.

Finally, the path takes you to internal audit and the third line of defense. Internal audit provides assurance on the effectiveness of governance, risk management and internal controls.[22] These activities also provide assurance on the way in which the first and second lines of defense achieve their compliance objectives.[23]

It is important to note that managing organizational compliance is not something that is done once, nor is the effort complete once the compliance program and its attendant internal controls have been designed and implemented, as discussed above. Rather, the real work begins once the program becomes fully operational. At that point, management and the board must provide oversight and leadership for others to follow, the organization should allow internal controls to operate under a watchful monitoring eye, employees must be engaged with meaningful training and communications, and adjustments to the program should be made based upon realities in the field.

All these endeavors (and others) are essential and must be undertaken if the organization’s compliance efforts are to be successful. While it will always be impossible to control the behavior of every employee or to entirely eliminate all forms of misconduct, making sure that compliance efforts are constantly renewed and failures are viewed as part of the learning process will allow organizations to reap the rewards of a good record for compliance and a sustainable culture of ethics and integrity.

________________

Ori Ben-Chorin was a major contributor to the content of this chapter. Mr. Ben-Chorin is a director in KPMG’s Forensic practice in Washington, DC, where he advises clients on the design, implementation, and evaluation of corporate ethics and compliance programs and related antifraud programs and controls.