It’s Not Fraud, But it Can’t be Ignored

This session was a “dark session” so I am not sharing my notes, but will share a few themes that emerged.

Most hotline complaints are for incidents that are not true compliance or ethics issues. Most studies show that HR issues tend to be almost half of the complaints.

There were two camps of thought: those who thought everything should go into one central location and those who thought there should be segregated systems. Largely, this hinged on the issue of attorney-client privilege. Some felt it better to keep this information hidden away to keep it from plaintiffs’ lawyers.

One recommendation that I liked was to use the term “incident reporting system” instead of whistleblower hotline. To me this sounds like it would remove some of the psychological impediments to using the system. It sounds more user friendly to me.

Richard Ketchum Keynote from the Compliance Week Conference

My notes, live, from the Richard Ketchum keynote at the Compliance Week Conference. Mr. Ketchum is the newly named chairman and CEO of FINRA.

It is a terribly important time as financial markets are in the process of transformation. It was two years ago when the first signs of the credit crisis appeared. The silver lining is that the crisis offers an opportunity to reform the financial markets.

Mr. Ketchum moved on to the idea of a systemic risk regulator. He thinks some regulator will be in place. As to whether it is a single entity or a council of regulators, Mr. Ketchum stated that some of the risk and problems came from loosely regulated entities and in transactions that were not transparent. He thinks the value of a systemic regulator is good but thinks we need to focus on the function of this new regulator. He wants to avoid duplication and also to avoid things falling through the cracks.

He looked to the Federal Reserve as a regulator that had a broad mandate to see big problems. They were less able to focus on the detail of regular reporting and maintenance. He thinks the new systemic regulator should not replace existing regulators. He also did not seem to like the idea of breaking up the SEC. They are very involved in many aspects of the markets and have a breadth of experience and controls in place.

He moved on to the issue of short selling in the marketplace. There are several proposals being reviewed as a result of the fierce short-selling that happened in September and October. He thinks the selling that happened during that time was mostly long sellers, not short sellers. Short selling may have caused the disappearance of any buyers. He seems to be leaning toward a circuit-breaker when a company’s stock is under pressure. He did not seem to give a straight answer.

He moved on to the subject of derivatives. The market provides a great deal of leverage, has a great deal of inefficiency and is very transparent. The derivatives markets also react quicker than the equity markets. He thinks the key is transparency so we can see the movement and the risk. The opacity of the derivatives markets contributed to the plunge in the investment markets.

He moved on to the lessons we could learn from volatile markets. He thinks we need to revisit diligence and reduce our reliance on ratings to get a better understanding of the security (in particular asset-backed securities). You need to keep the creators of the securities away from the ratings of the securities.

He thinks compliance needs to be infused into more functions. He thinks compliance officers can look at the risks and not rely on assumptions. You need to make sure that decisions that benefit the company do not come at the expense of the company’s clients or customers.

Nobody feels good about the implosion of the financial markets. FINRA is re-evaluating their internal processes to see what they could do better. He pointed out the new FINRA Whistleblower hotline. FINRA is looking at ways to make sure things do not fall through the cracks.

He thinks the biggest gap is the different regimes between broker-dealers and investment advisers. He thinks investment advisers need to be more regulated and more closely examined. He does recognize that there are different risks and different concerns. You can’t throw the same rulebook at them, but he thinks you need to keep a closer eye on them.

The keystone moving forward is winning back the trust of investors. Without trust, the markets are paralyzed. Fraud impoverishes the few; distrust impoverishes many.

In the chat session, Matt put the Madoff scenario in front of Mr. Ketchum. He thinks that is the great example of having different regimes for broker-dealers and investment advisers. FINRA could not look over the wall at the advisory side of the business.

There is no definition of a systemic risk. Mr. Ketchum thinks it is one that can impact the financial marketplace as a whole and not just an individual institution.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Self-Assessments: Criteria and Procedures for Evaluating GRC Programs

My notes, live, from Self-Assessments: Criteria and Procedures for Evaluating GRC Programs, with Gracie Fisher Renbarger, Chief Ethics and Compliance Officer of Dell; Nan Stout, Vice President Business Ethics of Staples; and Carole Stern Switzer, President of OCEG.

Carole started off with two observations:

  • Designing, implementing, and improving a governance, risk management and compliance (GRC) system is a time and resource-intensive proposition.
  • Periodically evaluating the design and operation of the system is essential to demonstrate that the organization’s GRC initiatives are delivering outcomes that really matter.

Carole pointed out that GRC is more than Governance, Risk and Compliance, but it is really awkward to have a 13 letter acronym.

She turned to design effectiveness. “Given our objectives and all of the risks and requirements related to these objectives, do we have controls, incentives and other structures in place that will provide reasonable assurance that we will meet these objectives?” You can also have less ambitious goals for your evaluation:

  • I’d like a “gut check” on how my hotline is designed
  • I’d like a high-level assessment of whether our risk identification has captured all of the right risks and requirements compared with my peers

Or more ambitious goals:

  • Is this compliance program deemed “effective” by an enforcement agency or external monitor?

How do you evaluate to address effectiveness? Start by determining what to evaluate and the scope of the risk assessment. One of the issues is that your effectiveness is based on the negative. It is hard to prove that something did not happen because of the program.

You want to ask:

  • Do we have SOMETHING in place?
  • Do we have ENOUGH in place?
  • Do we have TOO MUCH in place?

The next step is to design for performance. You want to be effective, but you also want to be efficient and responsive. “There’s no point in measuring something you can’t fix.”

Carole used a standard for performance called SMART:

  • Specific/simple
  • Measurable
  • Actionable
  • Relevant
  • Timely

Not having data available is a challenge in some organizations. You need to measure perception and compare it to facts. You can say that you have a non-retaliation policy. But that does not do any good if people perceive that they will be fired for reporting a problem.

Next up was Nan to talk about their beta test of OCEG’s Burgundy Book. She thought it was important to give employees multiple ways to report problems, but wanted to store all of that information in one place.

Gracie shared her experiences with the OCEG certification at Dell. The objective of Dell’s FCPA Compliance Program is to be “Effective” and “Aligned.” “Effective” means program meets the US Federal Sentencing Guidelines’ definition of an effective compliance program. “Aligned” means program activities address actual risks and are aligned to Dell’s business objectives.

The following Elements are assessed:

Culture:

  • Processes established to monitor and address cultural indicators to ensure program is operating in a culture of integrity (i.e., employee surveys, compliance training tracking, etc.)
  • Defined program goals and objectives that align to organization objectives and strategic business initiatives (i.e., supports Dell’s profit and business goals related to “emerging market” expansion, etc.)

Organize & Oversee:

  • Defined roles and responsibilities for program oversight, assurance and day-to-day management (i.e., AC, GECC, Ethics & Compliance Office, etc.)

Assess & Align:

  • Process for identifying and assessing FCPA risk (i.e., identify whether operating in countries with high level of perceived corruption, etc.)
  • Plan to deploy program initiatives in response to risk assessment results (i.e., education rollout in China, etc.)

Prevent & Promote:

  • Existence of Code of Conduct and FCPA Compliance Policy
  • Process for policy development (i.e., executive management approval, etc.)
  • Process for deployment of policy (i.e., website repository and blog communication, etc.)
  • Education plan (i.e., maximum, heightened, general awareness, etc.)

Detect & Discern:

  • Intake and investigations (i.e., employee reporting, investigation process, etc.)

Respond & Resolve:

  • Infrastructure for intake, investigation and resolution of incidents (i.e., staffing, case management system, etc.)
  • Remediation (i.e., discipline, recommended preventative controls, etc.)

Monitor & Measure:

  • Monitor feedback and strive for continuous improvement of the program (i.e., feedback to Ethics Managers and formal employee inquiry/response process, etc.)

Inform & Integrate:

  • Process for communicating program (i.e., blog, cascaded communications, etc.)

A question from the audience: Can you measure the change in culture? It is hard. You need to always look for indicators. Some are lead indicators and some are trailing indicators. One goal of GRC is to pull as much information as possible into one place so those indicators are in one place.

The emphasis of the session was not to advocate a specific framework, but the importance of having a process.

A key to modifying behavior is to make non-compliance more painful than compliance. But you want more than a fear of being caught. You want your employees to strive for better behavior.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Vetting Business Partners

My notes, live, from Vetting Business Partners, with Alexandra Wrage of Trace International to talk about how leading companies have approached this challenge in a global company.

Due diligence on business partners is one of the most important things a company can do, but also one of the least interesting things. She points out that the FCPA has a “should have known” standard. So ignorance is not a defense.

Sales consultants are some of the higher risk because they are usually paid on a commission basis. Consultants, paid by the hour, are a lesser risk merely because of the different compensation model. Distributors and resellers can be a risk. Merely having a third party in between your company and the corrupt official is still bad and is not a defense to charges.

Resellers are a new problem. They take title to your product and are your customer. But if there is evidence that the resellers are paying bribes to their customers, your company can potentially be pulled in.

She turned to focus on some problem areas in due diligence when working with third parties.

Ownership – This is the most important and should be a deal-breaker if true beneficial ownership is not disclosed. (You can also work in the negative: not a government official or blocked person. This is not a good practice. The hidden identity should be a red flag. It would certainly be a red flag in a government investigation.)

Government relations. You need to find out if a close relative is in the government. It is not a deal-breaker, but you need to be aware of the relationship.

Expertise. What is this person being paid to do if they do not have any particular expertise?

Financial stability. If they are acting as your agent, their financial failing will rub off on you.

Media searches. You need to know if your business partner is in the headlines.

Training. You need to let them know what they need to do.

Periodic review and certifications. You want to make sure that you update things when the contract is renewed. You also want to check periodically to make sure there has not been a big change in the business partner. Certifications can be included on each invoice so they certify each time they are paid that they have not bribed a foreign official.

It is important to keep red flags in mind, but you should standardize your contracts and review and not target specific areas. Many of the biggest FCPA cases have come from individuals acting in countries that are not known for being corrupt.

You can have a tiered due diligence program, depending on the nature of the relationship, the basis of compensation, and the reputation of the company. The most common is three tiers: not risky, standard, and more risky. That allows you to target your resources.

She sees the divide in the DOJ cases where companies are either doing due diligence or not doing any diligence. Not doing diligence almost moves you into a strict liability position. You have no defense.

There has been a surge in FCPA cases over the last few years. Most involved problems with intermediaries.

She points out that corruption due diligence is a two-way street. Increasingly, foreign companies are conducting due diligence on American companies.

She also takes a controversial position that you may be better off not having audit rights if you do not intend to actually do audits. She advocates triggered audit rights instead of audit rights as a matter of course if you are not going to audit on a regular basis. You want to have a meaningful conversation with your intermediary that these audit rights are real.

There is an increasing turf battle on international enforcement. The SFO (Britain’s version of the DOJ) has stated that reporting to the DOJ first is not a voluntary disclosure for their purposes and reserves the right to still enforce.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Luis Aguilar Keynote at Compliance Week Conference

My notes, live, from the keynote by SEC Commissioner Luis A. Aguilar:

James Doty of Baker Botts introduced the Commissioner. (A disclaimer from the Commissioner: the speech is his opinion alone and not necessarily the view of the SEC.)

The Commissioner titled his presentation “Reversing Course: Putting Investors First.” The focus should be on protecting investors and restoration of stability to the capital markets. We need to restore trust in the markets. That means regulatory reform.

First, we need a search and inquiry into the cause of the crisis. Blaming the regulatory market is not responsive. Perhaps it was an unwillingness to exercise their management and look deeper into the markets. He is enthusiastic about a bi-partisan panel to look into the crisis. Too much regulatory reform focused on how it would help the financial firms and not how it would help investors. We need to look at the intrinsic risks and conflicts in the system. He saw a pattern of de-regulation that helped financial firms with little examination of how it would affect investors. Modernization of the markets has been used as a disguise for de-regulation.

He moved on to the need for a systemic risk regulatory body. He thinks we need some clarity on what we mean by systemic risk. He does not like the focus on “Too big to fail” and its focus on particular entities. He thinks the focus needs to be key functions in the market, not the entity. He would want to isolate these functions in the entity.

Instead of a new regulatory body, he thinks a council of different regulators with different expertise would work better. It is better to have several sentries instead of just one monolithic guard. It would also avoid the conflicts inherent in the mandates of a particular regulator. There is a question of the particular powers of the council and the procedures for the council.

He moved on to the idea of a financial product safety commission. There is an idea that financial products get rated as safe or unsafe. The Commissioner does not like this idea. He draws a line between investment financial products and non-investment financial products. For non-investment products like credit cards and mortgages, the terms are set at the outset. However, an investment financial product has values that will fluctuate, and the risks will change over the course of time.

Investor protection is different than consumer protection. Removing products from a regulatory scheme could result in regulatory arbitrage.

What about a U.S. FSA, a single regulator for all of the financial markets? Commissioner Aguilar has concerns about this model. Could a regulator responsible for keeping financial institutions viable also be aggressive in pursuing consumer claims of misdeed against the institution? The Commissioner does not think so. It can also increase systemic risk. If the single regulator gets it wrong, there is no fall back protection or other bodies to step into the gap.

He does like the idea of a single regulator for all of the capital markets. He does not like the split between the CFTC and SEC with the regulation of derivatives separate from the regulation of the underlying securities.

He advocates self-funding the SEC. He alludes to how reductions in the budget of the SEC have affected the effectiveness of the SEC.

The Commissioner thinks the staff of the SEC has been unduly tarnished.

After his speech, the Commissioner sat down for a fireside chat with Matt Kelley, the Editor-in-Chief of Compliance Week, taking questions from the audience.

He expects enforcement to be quicker than in the past.

He went back to the self-funding part of this speech. He compares the big staff of the FDIC to the SEC. The FDIC has more people and keeps tabs on fewer institutions. The SEC needs more resources.

It sounds like the IFRS may be a lesser priority under the new administration.

It was a nice speech and chat by the Commissioner.

(These notes are taken live, so I apologize if I left out anything or misquoted someone. Please forgive any typos or grammatical errors.)

Illinois Pension Reform Legislation in Public Act 096-0006

Illinois Public Act 096-0006 became effective on April 3, 2009, making significant changes to the operations of Illinois retirement systems, pension funds and investment boards. The Act imposes increased oversight and accountability requirements on the boards of trustees, fiduciaries and investment advisers, managers and consultants. The provisions apply not only at the state level, but at the local level, including pension systems of the City of Chicago and other local governments.

The Act amends the Illinois Pension Code (40 ILCS 5/1-101 et seq.), the Illinois Governmental Ethics Act (5 ILCS 420/1-101 et seq.), the State Officials and Employees Ethics Act (5 ILCS 430/1-1 et seq.), and the State Treasurer Act (15 ILCS 505/0.01 et seq.).

References:

Image is from the US Census and can be found in Wikimedia: Illinois Locator Map with US.

New MBAs and Their Code of Ethics

I respect the ambition of a group of recently graduated Harvard Business School MBAs to promulgate a code of ethics. A story in the New York Times publicized this initiative. “When a new crop of future business leaders graduates from the Harvard Business School next week, many of them will be taking a new oath that says, in effect, greed is not good.”

The oath is a voluntary pledge for graduating MBAs to “create value responsibly and ethically.” The long-term goal is to transform the field of management into a true profession, one in which MBAs are respected for their integrity, professionalism, and leadership.

The short version of the MBA Oath:

“As a manager, my purpose is to serve the greater good by bringing people and resources together to create value that no single individual can create alone. Therefore I will seek a course that enhances the value my enterprise can create for society over the long term. I recognize my decisions can have far-reaching consequences that affect the well-being of individuals inside and outside my enterprise, today and in the future. As I reconcile the interests of different constituencies, I will face choices that are not easy for me and others.”

There are some references to a professional code of conduct for MBAs, similar to the oaths taken by lawyers and doctors. But the legal profession and medical profession operate under more than just an oath. You must pass a test to prove a minimum level of competency to get licensed. There is also the coercive power of government behind these professions, prohibiting the unlicensed practice of medicine or law. It does not seem that these junior MBAs are proposing to go that far in advancing management as a profession. An oath without some consequences for breaking it seems to lack authority.

Like Chris MacDonald, I question the title of the New York Times article and do not think we are in an era of immorality. I do not see the recent implosion in the financial markets as something caused by a lack of morals. There were many factors that caused the implosion. Personally, I think morality was merely a minor factor.

Timekeeping with Lego Bricks

The life of a law firm lawyer typically involves a great deal of time-keeping. During my thirteen years at a big law firm I saw lots of different systems. All were flawed and all had weaknesses. Certainly, none were fun.

But this Lego brick time keeping system looks like fun! As the author points out, one big flaw is someone coming into your office and reassembling your time bricks into new sculptures.

Now if you could just figure out a way to incorporate the ABA Task Codes into the system. . .

Generational Differences in the Use of Workplace Technology

Is there a gap between generations of legal and white collar professionals in terms of technology in the workplace? LexisNexis conducted a survey to see if there really is a gap and how big it is: LexisNexis Technology Gap Survey (.pdf).

After looking at the survey results, I see that there clearly is a gap. But it is not as big as most people think. There are statistically significant differences but not the tidal wave of change. I also think that some of the differences can be attributed to the level of seniority, not the generational difference. The Baby Boomers are more likely to have more senior roles than Gen X and especially Gen Y.

For example, one question asked “how many times do you access a social networking site during the day?” The percentage of those who said zero was 86% for Baby Boomers. But it was still 38% for Gen Y. Certainly, there is a big gap. But you should not assume that every Gen Y is a rabid user of social networking and that Baby Boomers do not know what it is.

This difference was one of the biggest in the result. Most of the other data show a much narrower gap in the use and perception of technology in the workplace.
