
Wednesday, November 07, 2007

Capturing Issues: Part of Internal Investigations for Control and Compliance Violations (1 of 5)

In a recent column, I illustrated the key components of a strong internal investigations capability to address compliance and internal control violations. In fact, I've done a number of these 11x17 illustrations and they can all be found on the OCEG site or on the Compliance Week site.

This is Part 1 of a 5-Part Series:

  1. Capture <- THIS POST
  2. Filter (future post)
  3. Plan & Assign (future post)
  4. Investigate (future post)
  5. Resolve (future post)

Establishing a clearly defined investigations process helps management respond quickly to allegations of wrongdoing and actual violations in a rational, rather than ad hoc or crisis, manner. In other disciplines such as software development, we know that a reactionary response to “bugs” can cost five times more than a planned response. A recent conversation with a chief compliance officer at a large industrial manufacturer suggests that this rule also applies to internal control and compliance. He noted, “After we organized our approach to investigations, our costs dropped dramatically – unfortunately, it wasn’t for lack of investigations. As investigations volume went up, our annual costs actually went down 15%.” Multinational organizations will find even more efficiencies, as cross-border investigations tend to be even more ad hoc and fragmented. The good news is that it takes relatively little time to define a robust internal investigations process. The same executive noted, “It took about 200 hours of internal staff time and about 100 hours of external help to nail down our process. In the end, we saved at least that much time in our first investigation.” While a specific internal investigations process may comprise five or fifty steps, the following key phases should be present and clearly defined:
  1. Capture
  2. Filter
  3. Plan & Assign
  4. Investigate
  5. Resolve

Capture

This is the precursor to an internal investigation. It is helpful to have a “big funnel” to channel information to a team charged with filtering and vetting this information. The funnel should comprise a number of “push” and “pull” structures.

Push structures include:
  • Hotline/Helpline is one of the obvious mechanisms that allow the workforce and other stakeholders to report (confidentially or anonymously) allegations of misconduct. The helpline can also provide input in its own right: a high volume of questions about a particular subject may indicate confusion about expected conduct and, in turn, an increased risk of actual misconduct.
  • Employee performance assessments provide an opportunity for management to encourage employees to openly discuss any issues that they observe. Of course, it is unlikely that employees will open up about issues related to the manager asking the questions, but the assessment can open up discussion of other issues.
  • Control violations that are automatically triggered by threshold conditions can raise “yellow flags” that misconduct may have occurred. Management will most likely have to use human judgment to determine whether these violations are actually issues of interest.

Pull structures include:
  • Confidential employee surveys provide a literal “ask and answer” mechanism to get responses from the workforce about specific issues.
  • Exit interviews provide an opportunity to find out what is really happening in a department. People tend to be extremely honest as they are walking out the door.
  • Surveillance, including video, audio and physical (e.g., RFID tags) monitoring, may be necessary for high-risk locations and/or transactions.
  • Audits and assessments include all of the proactive evaluation of controls and other information on a periodic and ongoing basis.
In addition, management should pay attention to all of the “chatter” in the organization – the formal and informal conversations that take place verbally and via email. Sophisticated email filtering technologies can look for telling phrases such as “Do we really want to do this?” or “I don’t feel comfortable putting that in writing.” All of these techniques need to be balanced against the risk of creating a tattletale, gadfly or Big Brother culture, which will result in decreased workforce productivity.

In the next few entries, I will delve into each of the other steps.

Monday, September 24, 2007

Consider Outcomes before Benchmarking Internal Controls

When it comes to financial controls, it’s not about ROI. Effective benchmarking depends on clear outcome expectations.

Following my recent presentation at a conference of financial executives, a member of the audience asked “What is the typical cost of a program for internal control over financial reporting processes?” He continued, “Is there a way to benchmark these costs?”

Good question, and one that certainly can and should be asked about the full range of compliance and internal control processes across the enterprise.

We have a great guide on our site called the OCEG Metrics and Measurement Guide (MMG) which provides a ton of good information on how to measure an internal control and/or compliance program of any type. That said, there are some important things to remember.

Benchmarking. An often-uttered word. One that indicates we are serious executives. That we are doing what it takes to optimize our programs. But how does it really work and what does it really do for us?

The concept of benchmarking is great, but before we can benchmark we need to define the outcomes that we hope to deliver. By way of example, when evaluating call center metrics, the starting point is understanding customer satisfaction (or some similar indicator). Without this top-level indicator of the outcome we hope to generate, it is impossible to evaluate other indicators such as cost. In a vacuum, spending $100 to resolve a customer problem is superior to spending $200 to resolve the same customer problem. However, the “vacuum” does not exist. If the $200 resolution delivers 95% satisfaction and the $100 resolution delivers 50% satisfaction, most executives would choose the former.

So what does that mean for us? As financial professionals, we must define the outcomes that we hope to achieve through our internal control programs, as well as indicators of success. Only then can we even begin to benchmark our costs, cycle times and other program attributes in a meaningful way. To engage in a benchmarking effort without taking the time to first establish clear outcome expectations is putting the cart before the horse – the time and resources spent will be wasted.

While every organization is unique and therefore pursues unique objectives, most organizations strive to achieve growth, profitability, total shareholder return, and key value drivers such as workforce productivity, quality, customer loyalty, and innovation. In the same way, each of our programs for internal financial control will be unique and should strive to achieve unique objectives, but every program should deliver on these universal objectives:
  • Promote business conduct in-line with business objectives
  • Prevent noncompliance and weaknesses
  • Prepare the organization to deal with noncompliance and weaknesses when (not if) they occur
  • Protect the organization from negative consequences
  • Detect noncompliance and weaknesses earlier rather than later
  • Respond to noncompliance and weaknesses more quickly rather than slowly
  • Improve the program so that similar noncompliance and weaknesses are not repeatedly encountered
  • Reduce losses due to noncompliance including fines, penalties and investigation costs
  • Enhance the culture so that, even in the absence of controls, the workforce is inclined to do business within defined boundaries of conduct

Now, undoubtedly, I will get a few emails (mostly from consultants) noting that the benefits of implementing a strong program of internal controls go beyond the outcomes listed above. Fine. Shareholders will be thrilled if our programs deliver more. But at the end of the day, if we cannot demonstrate that our programs deliver on the universal outcomes above, we need to get new day jobs.

Once we have a firm understanding of whether, and the degree to which, our programs are achieving top-level outcomes, we can discuss whether we have optimized the outlay of financial and human capital. In addition, we can thoughtfully analyze whether process improvement (e.g., reducing the cycle time to discover noncompliance of a particular type) is worth the investment.

Thursday, September 20, 2007

Beware of the Big Stick Carried by the Government

Beware of the big stick carried by the government. It’s called the False Claims Act, and contract and environmental managers have long known that they can’t just sign the myriad of required certifications to the government without risk of organizational and personal prosecution. You can’t just cross your fingers and hold your breath, hoping no one notices if your certified statement isn’t true. In many instances, the penalty for admitting a compliance failure or weakness up front may be small, but the cost of filing a false statement or false claim (a false statement tied to a government payment) can be huge. Now, Chief Compliance Officers and other GRC executives are learning this the hard way.

The complaint filed this week against Christi Sulzbach, who was the Associate General Counsel and Corporate Integrity Program Director at Tenet Healthcare Corporation (Tenet) makes that point loud and clear. Sulzbach is alleged to have signed and provided to the Government declarations that falsely stated that to the best of her knowledge and belief, Tenet was in material compliance with all federal program legal requirements, despite her allegedly having received legal opinions to the contrary. The government also alleges that these false declarations allowed Tenet to bill Medicare for millions of dollars in claims that it was not legally entitled to receive.

It’s just a signature on a standard required clause, right? WRONG. It’s a signature that is now exposing Ms. Sulzbach to hundreds of millions of dollars of potential liability PERSONALLY, even after Tenet has settled with the government for more than $920 million.

I used to jokingly call the Chief Compliance Officer job the “designated scapegoat,” but cases like this one highlight the importance of taking the job seriously. Understand what government contract laws and regulations apply to you and your organization. Use a consistent approach to manage compliance. Don’t sign things that put your personal reputation, assets and possibly even freedom on the line – unless you have undertaken the necessary investigations to know that what you are saying is true. Don’t assume that no one checks. Don’t step into the line of the swing of that big stick.

Friday, August 24, 2007

GRC - More than Three Letters

To be clear, there are substantially more processes than governance, risk and compliance playing critical roles in GRC. But 13-letter acronyms rarely catch on. To understand the complete portfolio of processes related to GRC – processes that help an organization drive toward objectives while staying within boundaries – consider the following areas:

Governance. Processes typically executed by the board, corporate secretary and governance professionals including board management; staying qualified to do business; shareholder / stakeholder relations; setting and evaluating performance against enterprise objectives; vetting strategy; evaluating executive performance; risk oversight; etc.

Strategy. Processes typically executed by the chief executive officer, “c-suite” as a whole and strategy professionals including: setting strategy; designing balanced scorecards; managing corporate performance; merger and acquisition activity; etc.

Risk Management. Processes typically executed by the chief risk officer, business line and other executives including: identifying, assessing and managing all types of risk (strategic risk; financial risk; operational risk; compliance risk, etc.); buying insurance; etc.

Audit. Processes typically executed by the chief audit executive, internal audit, audit committee and external auditors including: managing internal audits; facilitating external audits; executing financial reporting; evaluating internal controls (e.g., internal controls over financial reporting (ICFR), internal controls over other risks); conducting investigations; etc.

Legal. Processes typically executed by the general counsel and legal staff including: defining legal strategy; investigations; litigation; assisting with due diligence for mergers and acquisitions; ensuring legal compliance (see next point); etc.

Compliance. Processes typically executed by the general counsel, chief compliance and ethics officer, compliance professionals and other legal staff including compliance in areas such as: employment; environmental; government contracts; global trade; anti-fraud; anti-corruption; information privacy and security; sales practices (antitrust issues); advertising and marketing; product quality and manufacturing; etc.

Information Technology. Processes typically executed by the chief information officer, privacy officer and/or security officer including: automating controls; managing electronic records; facilitating internal and external reporting; delivering electronic filings; securing information; ensuring privacy; etc.

Ethics & Corporate Social Responsibility. Processes typically executed by the chief ethics officer and chief responsibility officer including: managing the code of conduct; developing ethical leaders; promoting adopted principles and values; crafting public communications and reports; understanding socio-political-economic context; aligning incentives and human behavior; etc.

Quality Management. Processes typically executed by quality professionals throughout the organization such as: integrating “lean” thinking, Six Sigma or other techniques into all enterprise processes; conducting root cause analysis and process improvement projects; etc.

Human Capital & Culture. Processes typically executed by human resource professionals and organizational design and development professionals including: enhancing workforce capabilities; appraising individual and team performance; developing culture of performance, integrity, openness and accountability; etc.

Each of those areas plays a key role in helping an organization drive principled performance. And all of them can benefit from a shared strategy and operational approach and from cross-communication and shared technology.

When I talk about "integrated GRC," I do not mean that all of these processes and functions should be consolidated. Rather, management should take a step back and consider what they all have in common. Where practical, management should adopt a common language and approach to the meta-process that they all share.

Friday, August 03, 2007

Antitrust Compliance

On a recent webcast, I spoke with Michael Horowitz, a commissioner with the United States Sentencing Commission (USSC) and Eric Morehead, the assistant general counsel at the USSC. The topic of discussion was antitrust.

The entire webcast can be found at OCEG.

As always, it was an interesting session where Mr. Horowitz outlined the key dimensions of criminal antitrust (essentially price fixing) and contrasted these issues with civil antitrust issues (such as monopolistic behavior).

A real gem came at the end of the session during the audience Q&A. One participant asked how organizations should structure their compliance training to address antitrust issues. Specifically, they wanted to know where to "draw the line" when it comes to who should be trained.

Mr. Horowitz provided some very insightful advice. While it would be unusual for, say, an executive assistant to engage in product pricing or negotiating activities, they should still be trained. The reason is that these are the individuals who book travel and arrange meetings for the people who DO engage in pricing and negotiating activities. In fact, executive assistants are often called as witnesses in antitrust cases.

Mr. Morehead provided some excellent details about how antitrust is addressed in the U.S. Federal Sentencing Guidelines and some statistics about prosecution. A summary follows:

  • Base Offense Level is 12
  • Non-Competitive bidding increases the offense level
  • The “Volume of Commerce” also can adjust the Offense Level upward from 2 to 16 levels
  • Special instructions for fines – individuals to pay a fine equal to one to five percent of the “volume of commerce”, but never less than $20,000.
  • Special instructions for sentencing organizations

Volume of Commerce

  • The “volume of commerce done by” the defendant in “goods or services that were affected by the violation”
  • Cumulative amount that can cover multiple counts or conspiracies
  • Amount is the commerce affected by the conspiracy

2005 Amendments

  • Base Offense Level was increased from 10 to 12.
  • Volume of Commerce Table was enhanced – the range went from $400,000 - $100,000,000 to $1,000,000 - $1,500,000,000.
  • The adjustments for volume of commerce also increased from a prior maximum of 7 levels to a new maximum of 16 levels, reflecting a new maximum enhancement for volume of commerce.
  • These changes reflected the Antitrust Division’s experience of uncovering larger dollar conspiracies and also fostered greater proportionality between antitrust sentencing guidelines and fraud offense guidelines.

Individual Sentences

            FY 2003       FY 2006
  Mean      7.2 months    8.2 months
  Median    4 months      9 months
  Number    12 cases      12 cases

Organizational Sentences

            FY 2003       FY 2006
  Mean      $6.2 MM       $46.5 MM
  Median    $2.7 MM       $1.1 MM
  Number    10 cases      15 cases

Source: 2003 Sourcebook of Federal Sentencing Statistics, U.S. Sentencing Commission; 2006 Sourcebook of Federal Sentencing Statistics, U.S. Sentencing Commission
