Wrap Up of Compliance Week Conference

It was a great few days in Washington D.C. at my first Compliance Week Conference. The conference was packed with great presentations and discussions over its three days. In particular, it was great to spend time with Bruce Carton, Francine McKenna, Scott Cohen, Matty Kelly and Alex Howard.

Below are links to some stories from the conference:

For Compliance Week subscribers:

Fighting a cold during the conference, I was the guy generating the cacophony of coughs. But I did manage to keep notes during the sessions I attended:

I am looking forward to Compliance Week 2010.

UPDATED with new links

Compliance Week Keynote from David Ogden

My notes, live, from the keynote address by David Ogden, the Deputy Attorney General.

As we confront the current financial crisis and try to restore trust and accountability, we have a shared responsibility to make sure justice is done. Responsible corporate behavior must be encouraged and rewarded. There will continue to be enforcement action on financial crimes.

The FBI has doubled the number of investigators looking into mortgage fraud. There is also going to be an emphasis on healthcare fraud. They are looking to get better access to financial records and information in the healthcare industry.

With the $4 trillion of TALF funds, there is a potential for fraud in procurement and the use of those funds. (It sounds like there will be a lot of investigations into the recovery efforts.)

The DOJ needs to be relentless in its enforcement activity. They need to ensure the integrity of the financial markets and preserve the public fisc.

He pointed out an emphasis on training the department attorneys on discovery and electronic records.

The new principles that are part of the DOJ handbook emphasize the importance of the attorney-client privilege. Cooperation is based on sharing information. No longer is waiver of the privilege a requirement to get cooperation credit. Prosecutors may not request that a company deny advancement of attorney fees or hiring attorneys to defend individuals involved in wrongdoing.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Structuring Internal Investigations

My notes, live, from the presentation by Neal Stephens and Bill Freeman of Cooley Godward Kronish on the top ten problems and how to avoid them. The focus of the session was to help companies who must conduct an internal investigation avoid pitfalls that add expense, embarrassment and exposure.

There are many problems that come from internal investigation failures. Cost is a big item. Expenses can get out of control. You could end up with a loss of credibility with the public and the government. You want to avoid re-opening the investigation in response to shareholder attacks.

Failing to Establish the Right Investigative Body

You want to make sure the investigator is sufficiently independent and has the necessary powers. If it is serious, you will want an impartial committee from the board of directors. For an independent investigation, you may need to pick a new law firm. If the law firm has represented other board members or been involved in the subject transaction, you should not use them.

Failing to Preserve Evidence

You have to immediately notify record custodians. Often the document destruction ends up being a greater offense than the original transgression. It is important to document the entire preservation and collection process. The SEC will typically send you a preservation notice before they send a subpoena.

Don’t forget about home computers and mobile devices. If people are doing business on their home computer, you need to preserve the information on them.

Failing to Get Buy-In from the Government and Outside Auditors

You want to make sure the people with the handcuffs agree to the scope, methods, timing and the sharing of information. You want to make sure you do not have to go back and cover the same information again. That increases costs.

Failing to Supervise Vendors

You want to train your document reviewers. You have to educate the investigators about legal means of obtaining information. Vendors need to be educated on what to reveal to whom. Messing up document review is embarrassing and can taint the case as a whole.

Treating Witnesses Differently

Consistency is very important. You can’t treat one group with kid gloves and another with rubber hoses. The way to protect the company is letting the evidence take you where it goes rather than presuming innocence of a party.

Jumping to Conclusions

You have to follow the evidence. You need to understand the company policies and practices at issue. Consider placing an employee on leave during the investigation, instead of termination. The DOJ typically does not care that much. They want you to find the facts and properly punish the offender. You do not have to give the government a head on the platter to appease them. Just do the investigation right.

Mishandling Privilege Issues

You need to advise witnesses of their legal rights. Make sure they realize that the attorney represents the company and may turn the information over to the government. You need to anticipate third party challenges to information shared with the government or auditors.

Give the corporate Miranda. Employees typically still talk to investigators. But you don’t want them to think that the attorney represents the employee.

Mishandling the Flow of Information

Always update the board committee first. Get their approval before revealing information to the government, auditors or senior management.

Failing to Anticipate the Mid-Investigation “Show Stopper”

Something else always pops up or evidence of a cover up appears. At some point a witness realizes they are in trouble and will withhold information. You are also likely to see witness intimidation or collusion.

Failing to Communicate Carefully to Outsiders

Statements in 8-Ks will be attacked. Statements to opposing counsel must be considered “on the record.” Statements to the government must be complete and accurate.

Much of the conversation was couched in how these two had just defended Kent Roberts, the former general counsel of McAfee, in a stock backdating case. It was a useful combination of practical advice, war stories, and theory.

Third Party Risks

My notes, live, from Third Party Risks with Matt Tanzer of Tyco International and Chris Nowak of Wyndham Worldwide.

For Tyco they have 110,000 employees around the world, most outside the United States. Their first step was to identify all of the third parties. This was a big task. They went to their master vendor lists and master customer lists. They then broke them into groups based on risks.

Then they conducted a preliminary risk assessment using a few factors, such as geography, types of payments and payment structure. With all of that information they took the next step of rationalization and consolidation of the third parties. In higher risk areas, they want to reduce the number of third parties they work with. They will conduct enhanced due diligence on high risk third parties.

They have imposed stricter payment procedures. They require a valid tax invoice, wire transfers (no cash), and only to the actual service provider. It is key to look at the underlying contract to verify the payment amount and type of service.

They have a new program for new vendors:

  • Business Sponsor
  • Business Justification
  • FCPA Certification
  • Questionnaire
  • Risk Assessment/DD
  • Written Agreements
  • Training

Not all elements are required for all third parties. If it is a low-risk type of vendor in a low-risk country, they will not require all. High-risk parties in high-risk countries get an enhanced look.

Chris took over to give his perspective. His company is dealing with land owners, hotel owners, time share owners and employees around the world.

Know your third party:

  • Screen the parties against the OFAC’s SDN list
  • Conduct reviews of their financial statements
  • Learn their reputation
  • Investigate litigation
  • Check for current licenses
  • Understand their Culture

Chris offered some mitigation techniques:

  • SAS 70 Certifications
  • Code of Conduct – They are putting together a code specifically for vendors
  • Other Policies – You want to make sure you understand local law
  • Good Behavior Certification – Failure to certify is a warning sign.
  • Training – You need face to face training to get attention, especially as you move up in corporate seniority
  • Contract language
  • Insurance
  • Stay Involved!!! You need to keep emphasizing the importance of good behavior.

Make sure that the questions you ask are questions that you are also willing to answer. Simplify things to make sure you could certify if someone asked you.

McNulty Keynote on a Tale of Two Sectors

My notes, live, from former U.S. Deputy Attorney General Paul McNulty Keynote on A Tale of Two Sectors: The Challenges of Corporate Compliance – When Enforcement Increases and the Economy Declines. Mr. McNulty is now a partner at Baker & McKenzie. He is the author of the McNulty Memo on the government’s perspective on prosecuting organizations.

This issue of compliance has changed the corporate landscape. There is a sobering reality with a contrast between the government’s aggressive enforcement of white collar crime while the corporate sector is in a defensive position trying to cut costs and survive the economic downturn.

How can a company survive in this enforcement and economic environment? How can they move into emerging markets with corruption issues?

Enforcement is rising sharply. There is more effort being put into catching and punishing economic crime. FCPA is a hot issue because of a combination of increased disclosure, increased communication, and increased international cooperation. These factors are not unique to FCPA. That is why we are seeing an increase in other financial crime enforcement.

There is a lot of effort put into punishing individuals, not just organizations.

How do we respond to this environment? There are several “must haves.”

  • Leadership with a strong tone and strong structure.
  • A risk based strategy, looking at where you are doing business and how you are doing business.
  • Standards and controls to provide evidence that there is commitment and it is translated to specific things.
  • Training is essential. You need to get the word out.
  • Monitoring so that you can see what is working and what is not working.

The cost of non-compliance is great. If you think compliance is expensive, try non-compliance.

If you are the target of a government action there are some things you should do. You want to have a thorough and cost effective investigation. You want the government to feel that they do not need to conduct their own investigation. You need to be credible and sufficiently independent. It also needs to be timely. Cost control is an issue. There is some tension between thoroughness and cost. You want to focus on the scope. You don’t want it to be too narrow, but if it is too broad the costs will be excessive. Create an investigation plan at the outset. Keep a close eye on your auditors and attorneys.

You want to get your “compliance credit.” In his memo (and the others) one of the factors is the existence of a strong compliance program. Make sure that if you think you had a strong compliance program that the government sees that there is a strong program.

You want to get your “cooperation credit.” The key is to be able to cooperate without waiving the attorney-client privilege. You want to avoid derivative lawsuits from other non-government parties.

You want to avoid a monitor. The government is looking for a hedge to avoid the risk that there is something more going on inside the organization. That means you need to convince the government that the organization wants to know the whole truth and will immediately take the steps to cure the problem.

Will prosecutors look at a decreased compliance budget as a bad mark? Maybe. You can be more effective with a smaller budget, but it means being more effective and revisiting the structure of your program. The risk increases when there are fewer resources dedicated to the program.

The S&P Assessments

My notes, live, from the Compliance Week Conference session by Steven Dreyer who is overseeing Standard & Poor’s program to assess corporate ERM efforts as part of credit ratings. Standard & Poor’s To Apply Enterprise Risk Analysis To Corporate Ratings (.pdf)

S&P’s ERM review for non-financial companies will be based primarily on information provided by issuers in public disclosures and through discussions with S&P analysts. S&P does not require written responses to these questions, but will certainly consider them if provided to supplement or make more efficient our in-person discussions.

  • What are the company’s top risks, how big are they, and how often are they likely to occur? How often is the list of top risks updated?
  • What is management doing about top risks?
  • What size quarterly operating or cash loss have management and the board agreed is tolerable?
  • Describe the staff responsible for risk management programs and their place in the organization chart. How do you measure success of risk management activities?
  • How would a loss from a key risk impact incentive compensation of top management and planning/budgeting?
  • Tell us about discussions about risk management that have taken place at the board level or among top management when making strategic decisions.
  • Give an example of how your company responded to a recent “surprise” in your industry and describe whether the surprise affected your company and others differently.

All S&P cares about is the ability of the company to repay its debt. Corporate social responsibility is nice, but does not affect credit. S&P does not lower a credit rating on an airline because of a plane crash. They care about cash flow. They do care if a risk is a risk to cash flow. S&P is not a missionary for ERM.

So why are they adding ERM to the credit ratings of non-financial institutions?

  • Enhance Analytical Process & Focus
  • Create More Forward-Looking Ratings
  • Better Insights and Communication on Management
  • Differentiate Better

Non-financial institutions tend to die very slow deaths. Financial institutions have the potential to fall off a cliff and disappear quickly. For non-financial institutions, ERM is a means to see inside the enterprise to see how they may be able to bounce back from issues and crises.

Every company has an appetite for risk and a tolerance for risk. By focusing on risk management, there is some insight about how they treat risk, the appetite and the tolerance.

What Is S&P Not Looking For… (These mindsets can actually hinder effectiveness):

  • Eliminating all risks
  • Cramming together disparate policies
  • Solely compliance/disclosure requirements
  • Replacement for internal controls
  • A shiny new software program
  • Naming a CRO and calling it a day

“The reviews will focus predominantly on risk-management culture and strategic risk management, two universally applicable aspects of ERM.” – Standard & Poor’s To Apply Enterprise Risk Analysis To Corporate Ratings, May 7, 2008

Culture = Communications, Frameworks, Roles, Policies, Metrics, Influence

Strategic = Identification and Updating Process, Impact on Key Decisions

Here are some ERM discussion topics he offered:

  • How are key risks identified, updated, and dealt with?
  • How is risk tolerance defined and communicated?
  • Who “owns” risk in the organization and how is success measured?
  • What is the board’s involvement in risk management?
  • How did your company respond to _______________ ?

Ultimately, they are looking for evidence of effectiveness. They are planning to release the criteria during the fourth quarter of 2009. They are currently in the process of benchmarking and comparing information. They are thinking about using a rating scale, but there is a concern that people will focus on the number and not the nuances that went into the number.

A counter-intuitive result was that the companies that responded quicker to questions were more accurate than those that took longer. The quick result was because they had better access to their information. The longer response was because the information was hard to find and less reliable.

Assessing the Effectiveness of Compliance and Ethics Programs

My notes, live, from Jack Holleran of Ernst & Young and Patricia Prince-Taggart of CA on ways to measure program effectiveness, with an analysis of qualitative and quantitative measures.

Jack put forth three primary objectives to compliance programs:

  • To prevent non-compliance
  • To detect non-compliance
  • To enhance business processes and decision-making

He offered the following as the benefits of measurement:

  • Enables you to “know where you are”
  • Enables you to demonstrate effectiveness to Executive management
  • Enables you to demonstrate effectiveness to Audit committee
  • Enables you to demonstrate effectiveness to Regulators
  • Enables you to identify and prioritize opportunities for improvement in ethics and compliance program (design and execution)
  • Enables you to demonstrate business case, or value, that ethics and compliance program provides to the business

He offered this as his illegible diagram of a compliance program:

Qualitative measures

  • Provide some indication of awareness of ethics and compliance program
  • Tend to be subjective in nature
  • Useful in identifying trends

Quantitative measures

  • Provide objective insights into program effectiveness
  • Tend to be hard data
  • Useful for benchmarking your company to other organizations or within industry

Measuring effectiveness – the role of auditing and monitoring:

Evaluate each control for adequacy:

  • As designed, will it prevent / detect? Alone, or with other controls?
  • If design is adequate, test to verify control is operating as designed

Testing examples:

  • Field work: policy application within business units
  • Continuous testing: review of helpline calls, customer complaints
  • Transaction reviews for red flags
  • Risk-based reviews (e.g., FCPA, environmental)
  • Surveys/focus groups to measure awareness, attitudes, knowledge

Establish procedures for conducting investigations:

  • Confidentiality
  • Case resolution procedures
  • Post-resolution surveys of callers
  • Checking for possible retaliation

You want to determine the “Effectiveness Gap”: the difference between the inherent risk and management’s effectiveness.

Ethics and compliance, like any business function, faces the internal challenge of demonstrating return on investment (ROI). Measuring effectiveness can enhance your ability to demonstrate ROI. Trending over time can produce insights.

Starting is the most important part of effectiveness. Doing nothing is not effective. You can’t be afraid to find out information.

Here are some other resources they recommended:

Metrics Qualification Tool
www.oceg.org/view/mqt

The Elephant in the Room: Program Evaluation & Performance Measurement
www.oceg.org/view/elephant

Measurement & Metrics Guide: Performance Measurement Approach and Metrics for a Compliance & Ethics Program
www.oceg.org/view/MMG

Metrics Full Listing
www.oceg.org/view/mmglisting

Metrics & Measurement Guide Presentation: Beyond Effectiveness
www.oceg.org/view/MMGPreso

Harvey Pitt on Ethical Cultures in a Down Economy – Compliance Week Keynote

My notes, live, from the Compliance Week keynote speech by Harvey Pitt on Ethical Cultures in a Down Economy:

After a very brief introduction (especially compared to yesterday’s keynote) by Scott Cohen, Mr. Pitt dove into an entertaining and informative speech.

Learning from history is in fact virtually impossible. The only thing we learn from history is that we never learn from history. It is the science of what never happens twice.

Cutting corners may have some short term benefits, but endangers your long term success. This century has barely begun and we already have a plethora of financial scandals. So many high-flying companies have come crashing down, destroying the companies and the investors. To avoid failures at all corporate levels, every person within the company is responsible for being a watchdog for transgressions.

It seems that we never learned from the Enron era scandals. Business scandals are inevitable, as is the follow-up government action. But those too often only focus on the last crisis and do not look ahead to potential new issues. SOX did not prevent the current economic crisis and its failures of corporate governance. It is inevitable that new laws will come out to address the crisis that just happened. Mr. Pitt seems skeptical that they will prevent the next set of crises and failures.

Mr. Pitt thinks directors will be held accountable for the failures of their organization and the failure of their risk management. He thinks the answer is simple. The long term success of a company is the ability to survive under “Corporate Darwinism.” Only those with the best governance and the most ethical culture will survive. The regulatory and prosecutorial environment is going to be hostile for the foreseeable future. Being law-abiding only gets you so far. It is not the same as acting honestly and ethically.

Something always goes wrong.

Good corporate ethics is not just talking the talk, but also walking the walk. You need to recognize that an ounce of prevention is worth a pound of cure. You need to minimize risk and continually assess the risk. You need to deal with the risk before the next crisis.

Be a Boy Scout and “Be Prepared.” It is better to be ahead of the curve and ready for what may be coming.

Knowledge is power. You need full and complete information in order to assess risk and govern the organization. The most dangerous risk is the risk you are not aware of. You need to make sure that information flows up the chain and throughout the organization.

Don’t shoot the messenger. Risk management should not be thought of as a cost center.

Make sure that everyone is “invested” in the organization. It is part of everyone’s job description to be alert for potential problems, addressing problems and resolving problems. You need to engage all employees in developing and running the program.

There is no such thing as a “small” ethical problem. They always grow into a big problem if left unaddressed. Not every breach is a hanging offense, but they all need to be treated seriously.

It’s the quality not the quantity that counts. You can have binders full of policies. But they are useless if employees are not aware of them and ignore them.

Pay for integrity. If boards want to show the importance of ethics, they need to tie compensation to it. They need to place a cost for failures as well.

Trust, but verify. Ask the tough questions and examine the underlying premise of their information. You need to make sure your conclusions are sound.

The third little pig had it right. You can’t build your house out of flimsy materials.

Treat everyone who cries wolf as if they are credible. It is the warning you ignore that is more likely to hurt your organization. It’s not how complaints are raised. The only issue is whether there is any truth to the claims. You need to find the truth. The only way to find out is to respond to the call and investigate.

If you manage for the short term, you will not be around in the long term.

At the end of his speech, Mr. Pitt sat down with Mr. Cohen.

Mr. Pitt pointed out that government failed to have effective risk management during the current financial crisis.

He thinks SOX was hastily drafted. It was necessary because of the upheaval, and government needed to show that it would not put up with that kind of behavior. He thinks SOX has been ineffective. It is approached as a liability issue and treated with a check-the-box mentality. We would not have had the most recent crisis if SOX was effective.

What we need now is not more regulation or less regulation, it is smarter regulation. Businesses sit back and wait for government to tell them what they are doing wrong and then don’t like what the government tells them to do. Businesses need to discover problems before they become a problem.

The SEC’s Radical Disclosure Overhaul

My notes, live, from Dr. William Lutz on The SEC’s Radical Disclosure Overhaul. (Disclaimer: The presentation represents the views of Dr. Lutz and not necessarily the views of the SEC.)

He started off with a definition of “Information”: that which reduces uncertainty. (From Shannon and Weaver’s Mathematical Theory of Communication.) If it’s not information, it’s noise. You only want the information that you want.

He says the 10-Q is noise. Lots and lots of noise. Plus there is all the trouble of searching in EDGAR to find the filing. He likes the Hittite tablets that last hundreds of years. There is no difference between the Library of Alexandria and EDGAR. Both have data that are locked down and inaccessible, full of noise. In looking at a 10-K for a company in 1996, it was 263 pages. In 2009, it was 1,376 pages.

How do you give investors access to high quality information?

Each year, the SEC collects the address of the filing company 14 times. And not always in the same format.

He advocates having a “company file” with a central repository of information: static company information, periodic information and transaction information. The information needs to be structured and accessible. He then said the magic word: XBRL.

He pointed out that Israel has already deployed this system with true electronic filing. Not just a paper filing turned into text, but the tagging of data in the system. It allows a mash-up of different information from different companies to allow for easier manipulation of the data. He cited an example of finding an insider trading scandal using this data tagging.

This creates more transparency. With this information, everyone can be an accountant and understand the finances of a company. And easily compare that information with other companies.

How do we give investors access to the data they need? In a way that they can use the data?

There is a need to move from a print society to an information society.

More information:

It’s Not Fraud, But it Can’t be Ignored

This session was a “dark session” so I am not sharing my notes, but will share a few themes that emerged.

Most hotline complaints are for incidents that are not true compliance or ethics issues. Most studies show that HR issues tend to be almost half of the complaints.

There were two camps of thought. Those that thought everything should go into one central location and those that thought there should be segregated systems. Largely, this hinged on the issue of attorney-client privilege. Some felt it better to keep this information hidden away to keep it from plaintiffs’ lawyers.

One recommendation that I liked was to use the term “incident reporting system” instead of whistleblower hotline. To me this sounds like it would remove some of the psychological impediments to using the system. It sounds more user friendly to me.