GRC 360° - Driving Principled Performance ®

Deferred and Non-Prosecution Agreement Confidentiality

2009-04-20T16:49:00.002-07:00

An excellent piece from the Legal Times Blog was forwarded to me by Ryan McConnell (one of the co-authors of a research paper that we published at the beginning of the year). In short, Williams Co. entered a deferred prosecution agreement with the Justice Department in 2006 during the federal investigation of the California energy crisis. Williams officials admitted its traders misreported information to a commodities journal, and the company agreed to pay a $50 million penalty. One of their executives, Scott Thompson was individually indicted in 2006.

Thompson and his lawyers hope to gain access to all information that Williams Co. furnished to the DOJ during the investigation. This week, the U.S. Court of Appeals for the D.C. Circuit agrees that Thompson should at least be able to present his case for obtaining access to these documents.

BLT write:

An energy company that provided confidential records to the Justice Department as part of a criminal investigation could now be forced to turn the records over to a former employee, who has been indicted for allegedly conspiring to manipulate the price of natural gas.

Lawyers for the Oklahoma-based Williams Co. say the records given to Justice are protected under work-product doctrine and should not be released to the defendant, Scott Thompson. Some of the records have already been given to Thompson’s lawyers. Counsel for Williams Co., Gibson, Dunn & Crutcher partner Andrew Tulumello, is fighting to protect attorney notes, among other documents.

But the U.S. Court of Appeals for the D.C. Circuit today said Thompson is entitled at least to a hearing in U.S. District Court for the District of Columbia to determine whether any of the withheld records are material to his defense. A three-judge panel ruled unanimously to remand the case to the trial court.

See the whole entry here.

Deferred and Non-Prosecution Agreements (DPA / NPA)

2009-03-27T07:52:00.002-07:00

I have written a bit on pre-trial agreements including deferred prosecution and non-prosecution agreements. Recent research from the Open Compliance & Ethics Group (OCEG) indicates that while risk and compliance professionals see the value in reviewing the information contained in pre-trial agreements, that few have actually read these documents.

Preliminary results from the research indicate (n = 362):

61% of professions believe that the contents of pre-trial agreements are important or critical to their program design

YET
20% have actually read and applied this information

We found no significant difference in opinion between public vs. private vs. nonprofit vs. governmental organizations. We found no significant difference in opinion between large vs. small firms.

The Regulation Train Keeps Moving...

2009-03-27T07:20:00.004-07:00

Recent announcements from Treasury Secretary Timothy Geithner indicate that financial institutions will face far-reaching and economically significant regulation.

The New York Times reported that Geithner said, "Our system failed in fundamental ways. To address this will require comprehensive reform. Not modest repairs at the margin, but new rules of the game."

The Financial Times reported that "the heaviest demands would be placed on institutions deemed to be systemically important" to the financial system. What this includes is not only banks, but also insurance companies, significant financing organizations such as GE Capital, and maybe even significant private equity and hedge funds.

Should Executive Pay be Limited by Government?

2009-02-04T08:18:00.003-07:00

Today, a number of newspapers including Reuters, the New York Times and the Wall Street Journal covered an announcement by the Obama administration that it will limit executive compensation at companies that receive "significant" assistance from the government.

The New York Times reports on the front page:

"rules to be announced by the Treasury Department Wednesday, executives would also be prohibited from receiving any bonuses above their base pay, except for normal stock dividends." But, "Crucial details remained unclear on Tuesday night, including whether the restrictions would apply to all companies that receive money under...TARP, or whether they would apply only to the 'exceptional' companies that were being rescued from collapse." Five of the "biggest companies to get help -- Citigroup, Bank of America, the American International Group, General Motors and Chrysler -- are all facing acute problems. And top executives at those companies made far more than $500,000 in recent years."

Officers Share Director Duties: Corporate Governance "Below the Board"

2009-01-28T15:42:00.006-07:00

In a recent case (Gantler v Stephens, Delaware Supreme Court, January 27, 2009) the Delaware Supreme Court issued a major decision where they clarified that officers have the same fiduciary duties as directors (at least in Delaware corporations).

From the Delaware Corporate and Commercial Litigation Blog (Francis G.X. Pileggi)

Importantly, in this decision, the Delaware Supreme Court for the first time explicitly holds, what has been implicitly stated previously and has been also acknowledged by the Delaware Chancery Court, and that is: “officers of Delaware corporations, like directors, owe fiduciary duties of care and loyalty, and the fiduciary duties of officers are the same of directors.” (See footnote 36, but also note footnote 37 which acknowledges that DGCL Section 102(b)(7) does not exculpate officers from liability for breaches of their duty of care in the current statutory provision.)

On the issue of whether a delay in the due diligence process was a breach of the fiduciary duty of the directors, the Supreme Court disagreed with the trial court. The Supreme Court explained that on a motion to dismiss, the trial court is “not free to disregard that reasonable inference, or to discount it by weighing it against other, perhaps contrary inferences that might also be drawn,” making reference to the decision of the trial court that a delay of a couple of weeks could not be the basis for a breach of fiduciary duties.

Pre-Trial Agreement (DPA / NPA) Follow-Up

2009-01-28T14:44:00.004-07:00

We received a number of great reviews and articles about the DPA/NPA research.

Richard Cassin, editor of the high-profile FCPA Blog, interviewed Larry.

Ryan and Larry summarized the research on the Securities Docket blog.

Compliance Week noted our research in a recent article.

Corporate Crime Reporter covered the article.

Thanks everyone for helping to spread the word.

Compliance or Defiance: Analysis of Pre-Trial Agreements

2009-01-23T13:53:00.004-07:00

Lawrence D. Finder (Haynes & Boone LLP). Ryan D. McConnell (United States Attorney's Office) and I recently published a paper entitled "Betting the Corporation: Compliance or Defiance?" that analyzes pre-trial agreements (including deferred prosecution agreements (DPA) and non-prosecution agreements(NPA) but excluding plea deals) and their impact on compliance programs.

The paper contains a bunch of charts and analysis. Enjoy.

Abstract:

In 2008, the U.S. Department of Justice (DOJ) entered into sixteen corporate pre-trial agreements (collectively deferred prosecution agreements (DPA) and non-prosecution agreements (NPA)). This was a sixty percent decline from the forty agreements we saw in 2007. This brings to one hundred and twelve the number of agreements we have found from 1993-2008.

Violations of the Foreign Corrupt Practices Act (FCPA) remained the predominant subject matter addressed by corporate pre-trial agreements with seven of the sixteen agreements resolving FCPA violations. In 2007, roughly a third of the agreements involved FCPA violations. In addition, we saw the first corporate pre-trial agreements resolving immigration work-site enforcement investigations into corporate targets. There were three work-site related corporate pre-trial agreements in 2008.

In 2008, every agreement contained some sort of corporate compliance reform provision-continuing a trend we have seen over the last few years. This trend is the focus of this update. Aside from building on prior observations, this piece attempts to draw empirical observations about the types of compliance programs that come out of corporate pre-trial agreements. The authors recognize there is no one-size fits all template for corporate compliance programs. But by examining compliance programs in the context of DPAs and NPAs, the authors strive to provide a picture of what types of compliance measures are negotiated by the DOJ and corporate targets to resolve internal control and other business deficiencies that resulted in criminal wrongdoing. We hope that this will provide some guidance for attorneys and other professionals who deal with compliance issues.

New SEC Chair Will Change How Ratings Agencies Work

2009-01-16T09:09:00.006-07:00

In the September 2008 issue of Directorship Magazine, I illustrated the "Governance Ecosystem" and showed all of the connections between market participants. By far, the most common feedback that I received about the piece was this odd connection between companies and ratings agencies -- the ratings agency gets paid by the company to rate the company. A clear, though some say unavoidable, conflict.

And, this is not just about equity ratings. Companies pay to get debt rated and even to have their governance structures rated.

The Washington Post reported that Mary Shapiro, Obama's pick to lead the SEC, said that she is looking for ways to revamp how securities are rated.

..she is exploring ways to revamp how securities are rated, calling the current system of companies paying directly for credit ratings a conflict of interest that must be addressed.

...

Speaking at her confirmation hearing, she said a better system might be for financial firms to contribute to a pot of money that would be used to pay for ratings. In the years leading up to the financial crisis, credit-rating firms failed to judge the risk of many complex securities that turned out to be ticking bombs on the balance sheets of banks.

It will be interesting to see some of the options that the SEC will consider. Stay tuned.

2009-01-15T15:03:00.003-07:00

Our friends over at XPLANE put together this interesting video entitled "Did You Know?: The 2009 Inauguration Edition" described as a:

Fun, fast-paced video by XPLANE that visually explores 23 factoids surrounding the upcoming historic inauguration of Barack Obama as well as past inaugurations. One minute 30 seconds in length, the video seems much shorter with its catchy music and wealth of interesting information. Watch and learn something new!

CEO / Board Member Friendships May Impact Corporate Governance

2008-12-06T19:50:00.004-07:00

I just stumbled on a paper by a UCLA professor named Avanidhar Subrahmanyam. He and his team recently studied the impact of social networking on the quality of oversight and other monitoring activities. In short, close social ties decreases the quality of oversight while increasing the quality of evaluating the raw talent of a CEO.

Prof. Subrahmanym's own words:

We analyse frameworks that link corporate governance and firm values to governing boards' social networks and innovations in technology. Because agents create social networks with individuals with whom they share commonalities along the dimensions of social status and income, among other attributes, CEOs may participate in board members' social networks, which interferes with the quality of governance. At the same time, social connections with members of a board can allow for better evaluation of the members' abilities. Thus, in choosing whether to have board members with social ties to management, one must trade off the benefit of members successfully identifying high ability CEOs against the cost of inadequate monitoring due to social connections. Further, technologies like the Internet and electronic mail that reduce the extent of face-to-face networking cause agents to seek satisfaction of their social needs at the workplace, which exacerbates the impact of social networks on governance. The predictions of our model are consistent with recent episodes that appear to signify inadequate monitoring of corporate disclosures as well as with high levels of executive compensation. Additionally, empirical tests support the model's key implication that there is better governance and lower executive compensation in firms where networks are less likely to form

SEC Says that Cutting Compliance Spend is NOT a Good Idea

2008-12-04T09:37:00.002-07:00

In a recent open letter to the CEOs of SEC-Registered firms, director Lori A. Richards urged companies to continue investment in compliance functions.

Your firm's compliance function is critical to assure that your operations comply with the law and rules for industry participation and to ensure that the interests of your customers, clients and shareholders are protected. Moreover, compliance is a vital control function that helps to protect the firm from conduct that could negatively impact the firm's business and its reputation.

While many firms are considering reductions and cost-cutting measures, we remind you of your firm's legal obligation to maintain an adequate compliance program reasonably designed to achieve compliance with the law.

She noted Chairman Cox's recent comments at the SEC headquarters as part of the 2008 CCOutreach National Seminar.

[E]xperience has taught us again and again that giving short shrift to regulatory compliance subjects a company's investors, employees, management, directors, and every other stakeholder to unacceptable risks….[C]ompliance programs have made huge strides in recent years in becoming more formalized and more robust…. Now more than ever, companies need to take a long-term view on compliance and realize that their fiduciary responsibility requires a constant commitment to investors. That means sustaining their support for compliance during this market turmoil, and beyond it as well.

Chairman Cox also noted:

You can't have a strong company without strong compliance, at every level — from strong CEO and executive support for the compliance team, to rigorous standards and processes, to broad financial and organizational resources for you to fully perform your duties.

That latter point bears emphasis. In a profit and loss driven world, there is always a risk that companies facing an uncertain economic future may choose to cut compliance expenses as a shortsighted way to save money. But experience has taught us again and again that giving short shrift to regulatory compliance subjects a company's investors, employees, management, directors, and every other stakeholder to unacceptable risks.

Today, when the future is uncertain, when markets are unstable, when investor confidence is shaken, this is the time — more than ever — when we need a powerful voice for compliance.

When a company cuts compliance, violations will occur. And if violations occur, punitive actions should and will be taken. In the current environment, that is true now more than ever. There will be no favor granted because a company made a cost-cutting decision to minimize their compliance budget. That's because now and always, the interests of investors are inextricably linked to strong compliance.

These comments were primarily intended for investment companies covered by the Division of Investment Management and the Office of Compliance Inspections and Examinations. That said, these comments clearly indicate the SEC's point of view about compliance generally. A point of view that should be carefully considered.

Behavioral Economics

2008-09-19T10:45:00.001-07:00

Over the past few months, we have been exploring the field of behavior economics and how it applies to corporate governance, risk management, compliance, internal control and ethics.

There are a number of fascinating people driving this field. One of my current favorites is Dan Ariely and his recent-ish book Predictably Irrational which has been translated into at least 10 languages. In it, Dan summarizes some of his research into why people behave irrationally -- or at least the conditions under which average people behave irrationally. Some of his original research papers can be found on his blog.

Our Leadership Council recently spoke with Dan on a conference call to discuss the implications of his research -- especially as it applies to corporate misconduct. Here are some thoughts from Dan:

Just after the Enron scandal in 2001, I started wondering what made these people cheat and how pervasive is this tendency. To look into this, we created a series of experiments in which we tempted people to cheat and examined how much money they stole from us and what caused them to cheat more or less.

We found that when people are tempted to cheat, a majority of them do, but only by a “little bit.”

Interestingly, and in opposition to the way we usually think of dishonesty, their cheating doesn’t seem to be related to the amount of money they stand to gain or to the probability of being caught. What does influences the extent to which they cheat? Being asked to recite the Ten Commandments or sign an honor code eliminates cheating altogether, while getting paid in non-monetary currency (tokens that become money a few seconds later) increase cheating dramatically. These finding show that cheating is a function of our conscience at the moment and not a cost-benefit analysis, and that cheating just a little bit allows us to get the benefits of cheating but at the same time consider ourselves honest upright citizens.

I personally find the finding that once we paid people in non-monetary currency they doubled their cheating to be very very worrisome since this is what stock options are, and where society is heading.

We also took the honor code experiment and replicated it with a large insurance company. This company mails their clients a form asking them to report how much they drove in the last year. Some of the customers were mailed a form that asked them to sign the declaration before they filled their mileage and some people were asked to first fill their mileage and only then sign. We expected that the people who sign first will be more honest and will report higher driving mileage, and indeed this is what we found. People who signed at the top "drove" about 20% more.

In my mind if we start to truly understand what causes people to be honest and not honest, we can better create mechanisms that will curb dishonesty.

This is a 6 minute excerpt of a discussion about his book that he gave at a bookstore earlier this year. The full 45 minute discussion is available here.

My perspective on applying these ideas to your work:

Recognize that your work is not about "good guys" versus "bad guys." In the end, good people can and will do sub-optimal things given the wrong incentives and structures around them.
Work more on analyzing the "structure" of your business processes and organization versus "finding and fixing problems" after the fact. In the end, average people will "cheat a little" if the incorrect structures are in place. Some of this cheating will be non-material in the instant -- but massive in the aggregate (take the number of cab rides times the number of "average people" who may have "cheated a little" on the amount of the fare or even the ride altogether).
Avoid and/or carefully monitor non-monetary compensation plans as it may increase noncompliance and cheating.
Have people sign certifications PRIOR to filling out the form rather than after.
Recognize that training a person months before a potential ethical issue will have little if any effect on the ultimate decision that is made. What is more powerful is a simple reminder IMMEDIATELY BEFORE the decision.

In this sense, the role of the chief ethics and compliance officer may be more about being the chief "removing attractive nuisances" officer or chief "remind as many people as possible right before the ethical decision will be made" officer.

Keep your eye on Dan Ariely. He already is and will continue to be a star in this field. His ideas will help you and your organization Drive Principled Performance.

Technorati Tags: behavioral economics,governance,risk management,ethics,compliance,Dan Ariely,Scott L. Mitchell,OCEG

Resolve: Part of Internal Investigations for Control and Compliance Violations (5 of 5)

2008-02-09T15:46:00.001-07:00

Resolve

Once the investigation is complete, the organization must address allegations with all appropriate constituencies. Allegations that are not substantiated should be closed with communications to the individuals who raised the issue and to those who were investigated. When allegations are substantiated, the organization must take consistent action and ultimately resolve the issue including:

Restitution to make harmed parties whole;
Discipline to appropriately warn, demote or even terminate involved parties;
Disclosure as appropriate to the government, customers, suppliers, regulators, shareholders, lenders, employees, insurance and ratings agencies as appropriate; and
Remediation to fix any weakness in the system or improve the system to better prevent, detect and respond to similar issues in the future.

In fact, even when issues are not substantiated, there may be opportunities to improve the system.

Data, Documentation & Discovery

As part of the investigations process, an organization needs a protocol for issuing a “preservation notice” that instructs the workforce to suspend any routine data destruction activities and to proactively preserve information related to the investigation. As important are the actual procedures that ensure that the preservation notice can be affected. Make sure that all back-up and data protection processes will not overwrite critical information once a preservation notice is sent out. This is especially important for automated procedures.

New changes to the Federal Rules of Civil Procedure (FRCP) note the importance of “electronically stored information” and how this information should be handled and shared during an investigation. To the extent that an internal investigation becomes relevant to the government or some third party, the company must be prepared to provide details about where data is stored and how it is created, managed, archived, destroyed, etc. Keep a close watch on this evolving area.

Global Considerations

If all of this is not daunting enough, consider the increased complexity presented by cross-border investigations. Key issues include:

Data Protection. Rules governing how personal information must be handled are different all around the world. For example, the European Union’s Directive on Data Protection restricts the transfer of personal data to non-EU nations that do not meet the European “adequacy” test for privacy protection. Namely, the United States. As such, any information gathered in the EU before or during an investigation may or may not be allowed to be transmitted to a U.S. location for analysis or follow-up. At least two of the major hotline companies have established protocols for overcoming this obstacle.
Evidence Collection Protocols and Witness Rights. In some jurisdictions, management and internal investigators are restricted from collecting information stored on company property once it is in the hands of an employee. One internal investigator noted, “We are not allowed to pull data from our laptops in France, even though the company owns the laptop and we have technical access to the drives.”
Cultural Differences. The most obvious and significant challenge is less technical and more cultural. Local customs may lead employees and witness to share more, or typically less information with investigators. Deep cultural roots of loyalty to one’s boss or the company may lead individuals to be less cooperative when questioned. In some cultures, the notion of “telling on neighbors” may reduce the effectiveness of hotlines. In a recent discussion, the chief compliance and ethics officer of the largest Korean steel company presented an approach whereby individuals were awarded $50,000 for reporting issues that were later substantiated. This, he said, was paramount to breaking through the cultural preference for deference to supervisors and senior executives.

One way to deal with these global considerations is to identify, in advance, a local firm to assist with future investigations. Having a memorandum of understanding in place rarely involves any financial commitment but does require some time to identify and vet local firms.

Investigate: Part of Internal Investigations for Control and Compliance Violations (4 of 5)

2008-02-09T15:44:00.000-07:00

Capture
Filter
Plan & Assign
Investigate <- THIS POST
Resolve (future post)

Investigate

At this point, the right people are in place to conduct the investigation using predefined protocols given the tier to which it was assigned. Regardless of which tier, some common questions must be answered:

What happened / is happening?
Who is involved? How many are involved? How senior are they?
For how long has this been going on?
What was the motive?
What other activities are under this person’s purview? What is their span of control?
Has anything similar happened with this person in the past? Anything at all?
Why did they do it?
Was it carelessness? Was it a mistake in judgment?
Was it a lack of training or clarity in policy, procedures or controls?
Was it pernicious?
Were there “perverse incentives” in place that led this person to commit these acts?
What else could be affected?
How much harm was caused? Who was hurt?

To answer these questions, the investigations team should follow predefined protocols for gathering evidence including interviews, surveillance and other methods. Try to conduct all interviews in person so that nonverbal queues can be analyzed. Review all relevant documentation prior to the interview so that you can corroborate what you already believe to be factual as well as to direct questions to fill in gaps. At the beginning of the interview it is important to provide appropriate warnings:

Upjohn Warning. An employee should be told at the beginning of every interview that the interviewer is representing the company’s interests and not theirs, and that the information being obtained is to provide legal advice to the company. The employee should be told that the interview is covered by attorney-client privilege and that the company, not the employee, may decide to either keep the information confidential and privileged or to waive this privilege in the future. Although there is no ethical obligation to legally advise the employee to obtain an attorney, it is an increasingly common practice to make this suggestion at the beginning of the interview. While, Upjohn is specific to interviews directed by counsel, this protocol is helpful for non-legal interviews as well. In some ways, it is common courtesy to let employees know that the intention behind the questions is to serve the company and not to serve them.

Zar Warning. To the extent that internal investigations are part of, or contemplated to be part of, a government investigation or government disclosure, employees should be informed that information obtained in the interview may be turned over or filed with the government. This is important because any false statements provided as part of an interview that is ultimately filed or disclosed to the government could result in obstruction charges. Some argue that this warning may actually cause more obstruction, or at least less cooperation as discussion about potential felonies can quickly chill a conversation.

As the investigation progresses, it will often take twists and turns. An issue may transform into a different or even multiple issues. At one global technology firm, the chief internal investigator found that, “Last year, two allegations about financial misconduct ended up being little more than lovers’ quarrels. While these are still important issues, they were nothing like what was initially reported.” The opposite can happen as well. Sometimes more minor allegations about a single issue may transform into more pervasive misconduct. At any point during the investigation the team may consider changing the tier and thus approach to the investigation. Always think about whether it needs to be escalated and self-reported to regulators.

It is important to not make premature predictions until the investigation has concluded as they provide nothing more than interesting (or more likely uninteresting) gossip. Reserve and report final judgment once the investigation has concluded.

Know When to Stop

The art of the investigation is knowing when to stop. Knowing when the issue has been thoroughly investigated. Knowing when there are no credible loose ends. Be aware that outside consultants and counsel, through no perniciousness of their own, have an incentive to pursue every last possibility. However, at some point you have to stop digging. Instead of asking “Is it possible?” begin asking “is it probable?”

Plan & Assign: Part of Internal Investigations for Control and Compliance Violations (3 of 5)

2007-11-08T14:44:00.001-07:00

In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.

This is Part 1 of a 5-Part Series:
1. Capture
2. Filter
3. Plan & Assign Based on the alleged and/or confirmed facts, circumstances, nature and seriousness of the issue, the team should assign the issue to the appropriate investigations “work stream” or “tier” as some organizations call it. Using a tiered system ensures that issues of similar nature and seriousness are handled in a similar way. In addition, it allows the organization to allocate scarce capital – both human and financial capital – to investigations.

When assigning issues to a tier and team, an organization should consider:

Nature and seriousness of the issue;
Skills and experience required to obtain and analyze facts (legal, accounting, technology, forensic and other industry expertise);
Independence from the issue at hand (e.g., to not assign a financial investigation to a team that includes staff from the office of the CFO); and
Availability of resources.

I know this last item sounds obvious, but a timely follow-up and investigation is important especially for serious issues that may involve the government.

While an organization may choose to have fewer or additional tier, at least four will be helpful:

Tier 1: Critical Issues. This tier is reserved for “sink the company” issues that are material to either the financial or reputational health of the organization – or issues that involve senior executives. These investigations are directed by the board and involve significant outside assistance to ensure objectivity. Privilege is a must at this level. For public companies, the involvement of the external auditor may be required or at least advised.

Tier 2: Significant Issues. These issues are serious and material to the organization but do not involve allegations of wrongdoing by senior management. As such, senior management directs these investigations with special care and under privilege.

Tier 3: Serious Issues. Most organizations have issues that they, to a certain degree, expect and prepare for, such as a significant theft. Systems have been designed and special investigative staffs have been trained to address these issues.

Tier 4: Operational Issues. These issues, often HR related, warrant the attention of management, but may not require privilege or professional investigators. They are often delegated to management, but could escalate at any phase. Some of these issues are resolved without the need for investigative resources.

While each of these tiers it is important to define who does what. Critical roles include:

Leadership for day-to-day management of the investigation;
An individual charged with communication about the status of the investigation with stakeholders such as the source of the allegation, the media, and most importantly the government; and
Staff and outside consultants who will obtain and analyze the facts.

As a final note, it is wise to limit knowledge that a particular investigation is being conducted. The risk of evidence tampering and destruction increases when it is broadly known that an issue is under investigation.

Filtering Issues: Part of Internal Investigations for Control and Compliance Violations (2 of 5)

2007-11-08T14:39:00.001-07:00

Capture
Filter <- THIS POST
Plan & Assign (future post)
Investigate (future post)
Resolve (future post)

Capture
Filter
Plan & Assign
Investigate
Resolve

Filter
Once information about potential violations is captured, it must be filtered so that the investigations team can focus on what matters most. The goal of filtering is to discard allegations that are not specific and credible; and appropriately act on those that are. It is critical that the individuals charged with this determination are both competent and independent. Some issues may require a level of technical analysis to make this determination. It is wise to have these individuals available in the early stages of filtering. Key questions to answer include:
• How was the issue discovered?
• By whom?
• Is it specific and credible?

If there is not sufficient information captured about a violation, it will be extremely difficult to determine if it is specific and credible. As such, while it is not absolutely necessary, it is helpful if reporters and sources of allegations are able to be contacted for follow-up and clarification. It is also important to discern whether the source has a motive to lodge a frivolous allegation.

Even at this early stage, the team should attempt to determine if the issue should be handled under privilege. Every step not taken under privilege can introduce more risk to the organization as untrained individuals may capture facts and testimony that have no chance of being privileged later on. On the other hand, every issue cannot and should not be vetted and investigated under privilege. For some issues, privilege is simply overkill and, according to one enforcement official, “The obsessive compulsive assertion of privilege is one of the things I look for when I try to determine if an organization is sincere about its need to maintain privilege. It is statistically impossible that everything should require privilege and, thus, I treat organizations that have an ‘everything is privileged’ culture with increased skepticism.”

Another important consideration here is that, even as early as the filter stage, the clock begins to tick. Simply read the Federal Sentencing Guidelines for Organizations, the McNulty Memo and the often overlooked 21(a) Report of Investigation of Seaboard to understand the importance of a spry internal response to serious allegations. A quick response and, if appropriate, disclosure to the government is the only way that the organization can be spared the damage caused by the blunt tools available to the government should they become involved in a matter.

Capturing Issues: Part of Internal Investigations for Control and Compliance Violations (1 of 5)

2007-11-07T08:34:00.001-07:00

Capture <- THIS POST
Filter (future post)
Plan & Assign (future post)
Investigate (future post)
Resolve (future post)

Establishing a clearly defined investigations process helps management quickly respond to allegations of wrongdoing and actual violations in a rational, rather than ad hoc or crisis manner. In other disciplines such as software development, we know that a reactionary response to “bugs” can cost five times more versus a planned response. A recent conversation with a chief compliance officer at a large industrial manufacturer suggests that this rule is applicable to internal control and compliance. He noted, “After we organized our approach to investigations, our costs dropped dramatically – unfortunately, it wasn’t for lack of investigations. As investigations volume went up, our annual costs actually went down 15%.” Multinational organizations will find even more efficiencies as cross-border investigations tend to be even more ad hoc and fragmented. The good news is that it takes relatively little time to define a robust internal investigations process. The same executive above noted, “It took about 200 hours of internal staff time and about 100 hours of external help to nail down our process. In the end, we saved at least that much time in our first investigation.” While a specific internal investigations process may comprise five or fifty steps, the following key phases should be present and clearly defined:

Capture
Filter
Plan & Assign
Investigate
Resolve

Capture
This is the precursor to an internal investigation. It is helpful to have a “big funnel” to channel information to a team charged with filtering and vetting this information. The funnel should comprise a number of “push” and “pull” structures.

Push structures include:

Hotline/Helpline is one of the obvious mechanisms to allow the workforce and other stakeholders to report (confidentially or anonymously) allegations of misconduct. The helpline can also provide input as high volume of questions about a particular subject may indicate confusion about expected conduct and, in turn, increase the risk of actual misconduct.
Employee performance assessments provide an opportunity for management to encourage employees to openly discuss any issues that they observe. Of course, it is unlikely that employees will open up about issues related to the manager asking the questions, but this can lend to the discussion about other issues.
Control violations that are automatically triggered based on threshold conditions can raise “yellow flags” that misconduct may have occurred. Management will most likely have to use human judgment to determine if these violations are actually issue of interest.

Pull structures include:

Confidential employee surveys provide a literal “ask and answer” mechanism to get responses from the workforce about specific issues.
Exit interviews provide an opportunity to find out what is really happening in a department. People tend to be extremely honest as they are walking out the door.
Surveillance including video, audio and physical (e.g., RFID tags) monitoring many be necessary for high risk locations and/or transactions.
Audits and assessments include all of the proactive evaluation of controls and other information on a periodic and ongoing basis.

In addition, management should pay attention to all of the “chatter” in the organization – the formal and informal conversations that take place verbally and via email. Sophisticated email filtering technologies can look for interesting phrases such as, “Do we really want to do this?” or “I don’t feel comfortable putting that in writing.” All of these techniques need to be balanced with the potential of creating a tattletale, gadfly or Big Brother culture which will result in decreased workforce productivity.

In the next few entries, I will delve into each of the other steps.

Consider Outcomes before Benchmarking Internal Controls

2007-09-24T08:19:00.000-07:00

When it comes to financial controls, it’s not about ROI. Effective benchmarking depends on clear outcome expectations.

Following my recent presentation at a conference of financial executives, a member of the audience asked “What is the typical cost of a program for internal control over financial reporting processes?” He continued, “Is there a way to benchmark these costs?”

Good question, and one that certainly can and should be asked about the full range of compliance and internal control processes across the enterprise.

We have a great guide on our site called the OCEG Metrics and Measurement Guide (MMG) which provides a ton of good information on how to measure an internal control and/or compliance program of any type. That said, there are some important things to remember.

Benchmarking. An often-uttered word. One that indicates we are serious executives. That we are doing what it takes to optimize our programs. But how does it really work and what does it really do for us?

The concept of benchmarking is great, but before we can benchmark we need to define the outcomes that we hope to deliver. By way of example, when evaluating call center metrics, the starting point is understanding customer satisfaction (or some similar indicator). Without this top-level indicator of the outcome we hope to generate, it is impossible to evaluate other indicators such as cost. In a vacuum, spending $100 to resolve a customer problem is superior to spending $200 to resolve the same customer problem. However, the “vacuum” does not exist. If the $200 resolution delivers 95% satisfaction and the $100 resolution delivers 50% satisfaction, most executives would choose the former.

So what does that mean for us? As financial professionals, we must define the outcomes that we hope to achieve through our internal control programs, as well as indicators of success. Only then can we even begin to benchmark our costs, cycle times and other program attributes in a meaningful way. To engage in a benchmarking effort without taking the time to first establish clear outcome expectations is putting the cart before the horse – the time and resources spent will be wasted.

While every organization is unique and therefore pursues unique objectives, most organizations strive to achieve growth, profitability, total shareholder return, and key value drivers such as workforce productivity, quality, customer loyalty, and innovation. In the same way, each of our programs for internal financial control will be unique and should strive to achieve unique objectives, but every program should deliver on these universal objectives:

Promote business conduct in-line with business objectives
Prevent noncompliance and weaknesses
Prepare the organization to deal with noncompliance and weaknesses when (not if) they occur
Protect the organization from negative consequences
Detect noncompliance and weaknesses earlier rather than later
Respond to noncompliance and weaknesses more quickly rather than slowly
Improve the program so that similar noncompliance and weaknesses are not repeatedly encountered
Reduce losses due to noncompliance including fines, penalties and investigation costs
Enhance the culture so that, even in the absence of controls, the workforce is inclined to do business within defined boundaries of conduct

Now, undoubtedly, I will get a few emails (mostly from consultants) noting that the benefits of implementing a strong program of internal controls go beyond the outcomes listed above. Fine. Shareholders will be thrilled if our programs deliver more. But at the end of the day, if we cannot demonstrate that our programs deliver on the universal outcomes above, we need to get new day jobs.

Once we have a firm understanding of whether, and the degree to which, our programs are achieving top-level outcomes, we can discuss whether we have optimized the outlay of financial and human capital. In addition, we can thoughtfully analyze whether process improvement (e.g., reducing the cycle time to discover noncompliance of a particular type) is worth the investment.

Benchmarking: Are We Winning the Race or Just Keeping Pace?

2007-09-22T17:13:00.000-07:00

Marathon runners say, “Plan the race, and race the plan.” You need to know what your objectives are and what obstacles you must overcome to develop the right plan of attack. How have others tackled the course? How many hills are there? How fast are your competitors? Is your goal to win, to set a new record or merely to cross the finish line with a personal best time? Only when you answer these questions and more can you determine how to set your speed and decide which runners to pass or pace yourself against.

It all comes down to objectives and obstacles – knowing what they are and how to achieve the first while avoiding the latter. The same applies to the race we are in every day – the one where we seek to meet our company’s objectives, while the obstacles are too many to mention. Just like the runner, we have to stay on track, but for us the boundaries of the course are compliance requirements and standards of conduct that are not always clear. In this race, it is increasingly difficult to judge our own performance or determine where we stand in the field of competition.

There is a lot of talk about the importance of benchmarking – comparing our performance to that of others or against established standards. Critics complain that benchmarking is often poorly done – comparing data that is calculated only because it is easy to collect and not because it measures anything meaningful, or using data that is not truly comparable.

These criticisms are valid. How should we define what to measure and benchmark? How do we know that terms in a benchmarking survey mean the same thing to different respondents? Results have little value if the metrics do not help us evaluate and improve our actions. This happens if survey respondents interpret questions differently or do not organize their information in ways that allow for true comparison.

These problems can be largely avoided, reducing the cost and enhancing the value of benchmarking, when participants use a business process framework that establishes a common vocabulary and standards of performance. Benchmarking can be very valuable when everyone is interpreting the questions the same way and answering with information that is maintained in the same format and language.

Just like the runner, we need to evaluate our own performance and be aware of how our competitors and peers are doing if we want to achieve our goals. Not every company strives for record-setting results every time out of the box. Sometimes our objective is as simple as improving slightly over last year’s performance. In either case, keeping our eye on the field and being able to evaluate what is going on around us is essential to success.

Beware of the Big Stick Carried by the Government

2007-09-20T11:46:00.001-07:00

Beware of the big stick carried by the government. Its called the False Claims Act and contract and environmental managers have long known that they can’t just sign the myriad of required certifications to the government without risk of organizational and personal prosecution. You can’t just cross your fingers and hold your breath, hoping no one notices if your certified statement isn’t true. In many instances, the penalty for admitting a compliance failure or weakness up front may be small, but the cost of filing a false statement or false claim (a false statement tied to a government payment) can be huge. Now, Chief Compliance Officers and other GRC executives are learning it the hard way.

The complaint filed this week against Christi Sulzbach, who was the Associate General Counsel and Corporate Integrity Program Director at Tenet Healthcare Corporation (Tenet) makes that point loud and clear. Sulzbach is alleged to have signed and provided to the Government declarations that falsely stated that to the best of her knowledge and belief, Tenet was in material compliance with all federal program legal requirements, despite her allegedly having received legal opinions to the contrary. The government also alleges that these false declarations allowed Tenet to bill Medicare for millions of dollars in claims that it was not legally entitled to receive.

It’s just a signature on a standard required clause, right? WRONG. It’s a signature that now is exposing Ms. Sulzbach to hundreds of millions of dollars of potential liability PERSONALLY, even after Tenet has settled with the government for more than $920 million dollars.

I used to jokingly call the Chief Compliance Officer job the “designated scapegoat,” but cases like this one highlight the importance of taking the job seriously. Understand what government contract laws and regulations apply to you and your organization. Use a consistent approach to manage compliance. Don’t sign things that put your personal reputation, assets and possibly even freedom on the line – unless you have undertaken the necessary investigations to know that what you are saying is true. Don’t assume that no one checks. Don’t step into the line of the swing of that big stick.

GRC - More than Three Letters

2007-08-24T14:21:00.000-07:00

To be clear, there are substantially more processes than governance, risk and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch on. To understand the complete portfolio of processes related to GRC – processes that help an organization drive toward objectives while staying within boundaries – consider the following areas:

Governance. Processes typically executed by the board, corporate secretary and governance professionals including board management; staying qualified to do business; shareholder / stakeholder relations; setting and evaluating performance against enterprise objectives; vetting strategy; evaluating executive performance; risk oversight; etc.

Strategy. Processes typically executed by the chief executive officer, “c-suite” as a whole and strategy professionals including: setting strategy; designing balanced scorecards; managing corporate performance; merger and acquisition activity; etc.

Risk Management. Processes typically executed by the chief risk officer, business line and other executives including: identifying, assessing and managing all types of risk (strategic risk; financial risk; operational risk; compliance risk, etc.); buying insurance; etc.

Audit. Processes typically executed by the chief audit executive, internal audit, audit committee and external auditors including: managing internal audits; facilitating external audits; executing financial reporting; evaluating internal controls (e.g., internal controls over financial reporting (ICFR), internal controls over other risks); conducting investigations; etc.

Legal. Processes typically executed by the general counsel and legal staff including: defining legal strategy; investigations; litigation; assisting with due diligence for mergers and acquisitions; ensuring legal compliance (see next point); etc.

Compliance. Processes typically executed by the general counsel, chief compliance and ethics officer, compliance professionals and other legal staff including compliance in areas such as: employment; environmental; government contracts; global trade; anti-fraud; anti-corruption; information privacy and security; sales practices (antitrust issues); advertising and marketing; product quality and manufacturing; etc.

Information Technology. Processes typically executed by the chief information officer, privacy officer and/or security officer including: automating controls; managing electronic records; facilitating internal and external reporting; delivering electronic filings; securing information; ensuring privacy; etc.

Ethics & Corporate Social Responsibility. Processes typically executed by the chief ethics officer and chief responsibility officer including: managing the code of conduct; developing ethical leaders; promoting adopted principles and values; crafting public communications and reports; understanding socio-political-economic context; aligning incentives and human behavior; etc.

Quality Management. Processes typically executed by quality professionals throughout the organization such as: integrating “lean” thinking, Six Sigma or other techniques into all enterprise processes; conducting root cause analysis and process improvement projects; etc.

Human Capital & Culture. Processes typically executed by human resource professionals and organizational design and development professionals including: enhancing workforce capabilities; appraising individual and team performance; developing culture of performance, integrity, openness and accountability; etc.

Each of those areas plays a key role in helping an organization drive principled performance. And all of them can benefit from a shared strategy and operational approach and from cross-communication and shared technology.

When I talk about "integrated GRC," I do not mean that all of these processes and functions should be consolidated. Rather, management should take a step back and consider what they all have in common. Where practical, management should adopt a common language and approach to the meta-process that they all share.

IT for GRC vs. GRC for IT

2007-08-15T11:46:00.000-07:00

Yesterday, I met with one of the leading thinkers in the GRC space, Lee Dittmar a principal at Deloitte Consulting. Our conversation covered a number of topics -- however, we spent most of our time discussing IT for GRC and how it is related to but different from GRC for IT.

GRC for IT
There are a number of governance, risk, compliance and internal control (GRC) issues related to information technology (IT). These are well-known:

IT governance
IT controls (general computing controls, access controls, master data controls, etc.)
data privacy
data security
document retention / records management
electronic data management
disaster recovery and business continuity
etc.

These are primarily IT issues that have significant governance, risk management, compliance and internal control implications.

IT for GRC
There are a number of enterprise processes that aim to help keep the organization on track and operating within defined "boundaries" of conduct. Boundaries may be either mandated (laws, rules, regulations) or voluntary (corporate values, contractual obligations, internal policies).

IT for GRC is about enabling all of these processes.

This distinction will be further analyzed and elaborated by the OCEG Technology Council over the next few months.

Antitrust Compliance

2007-08-03T10:42:00.000-07:00

On a recent webcast, I spoke with Michael Horowitz, a commissioner with the United States Sentencing Commission (USSC) and Eric Morehead, the assistant general counsel at the USSC. The topic of discussion was antitrust.

The entire webcast can be found at OCEG.

As always, it was an interesting session where Mr. Horowitz outlined the key dimensions of criminal antitrust (essentially price fixing) and contrasted these issues with civil antitrust issues (such as monopolistic behavior).

A real gem came at the end of the session during the audience Q&A. One participant asked how organizations should structure their compliance training to address antitrust issues. Specifically, they wanted to know where to "draw the line" when it comes to who should be trained.

Mr. Horowitz provided some very insightful advice. While it would be unusual for, say, an executive assistant to engage in product pricing or negotiating activities they should still be trained. The reason being that these are the individuals who book travel and arrange meetings for people who DO engage in pricing and negotiating activities. In fact, often, executive assistants are called as witnesses in antitrust cases.

Mr. Morehead provided some excellent details about how antitrust is addressed in the U.S. Federal Sentencing Guidelines and some statistics about prosecution. A summary follows:

Base Offense Level is 12
Non-Competitive bidding increases the offense level
The “Volume of Commerce” also can adjust the Offense Level upward from 2 to 16 levels
Special instructions for fines – individuals to pay a fine equal to one to five percent of the “volume of commerce”, but never less than $20,000.
Special instructions for sentencing organizations

Volume of Commerce

The “volume of commerce done by” the defendant in “good or services that were affected by the violation”
Cumulative amount that can cover multiple counts or conspiracies
Amount is the commerce affected by the conspiracy

2005 Amendments

Base Offense Level was increased from 10 to 12.
Volume of Commerce Table was enhanced – range went
from $ 400,000 - $ 100,000,000
to $1,000,000 - $1,500,000,000
The adjustments for volume of commerce also increased from a prior maximum of 7 levels to a new maximum of 16 levels, reflecting a new maximum enhancement of for volume of commerce.
These changes reflected the Antitrust Division’s experience of uncovering larger dollar conspiracies and also fostered greater proportionality between antitrust sentencing guidelines and fraud offense guidelines.

Individual Sentences
In FY 2003 In FY 2006
Mean 7.2 Months 8.2 Months
Median 4 Months 9 Months
Number 12 Cases 12 Cases

Organizational Sentences
In FY 2003 In FY 2006
Mean $6.2 MM $46.5 MM
Median $2.7 MM $1.1 MM
Number 10 Cases 15 Cases

Source: 2003 Sourcebook of Federal Sentencing Statistics, U.S. Sentencing Commission; 2006 Sourcebook of Federal Sentencing Statistics, U.S. Sentencing Commission

== slm ==