Six Strategies to an Effective Risk Assessment and Mitigation Program

By Edward J. Buthusiem

So your Board of Directors and senior management just handed you the keys to a brand-new, shiny compliance program. It conforms to the seven elements of the OIG Guidance for implementing an effective compliance plan. You’ve been designated as the chief compliance officer with single-point accountability for managing the day-to-day operations of the compliance program (No. 1). You’ve approved written policies and procedures for implementing your compliance program (No. 2). You’ve developed and trained all relevant personnel on your compliance program (No. 3). You’ve implemented a hotline for employees to anonymously report putative compliance violations (No. 4). You’ve developed a comprehensive auditing and monitoring program, in partnership with Internal Audit and the company’s external auditors (No. 5). You’ve created a program to investigate and take corrective actions to remediate credible allegations (No. 6). And finally, you’ve demonstrated a track record of taking disciplinary action against transgressors (No. 7).

Having built your compliance program by the book, the question remains: does it really work in practice? That is, have you created a “paper tiger” with “check-the-box” requirements capable of churning out the right metrics and reports, but lacking real forensic capabilities? Or have you created not only a robust program capable of dealing with issues once they surface, but also more fundamentally a program with predictive and preventative capabilities that will interdict compliance transgressions at their inception? Unfortunately, these questions won’t be answered for most companies until an adverse event has occurred and the compliance department responds to a hotline complaint, a government subpoena, or both.

This past year was rife with examples of huge multinational companies with sophisticated, robust compliance programs failing to detect ongoing, massive fraudulent activities with significant reputational and financial impact. The biggest and most highly publicized of these incidents related to the reported fraud that occurred in connection with GlaxoSmithKline’s China operations involving illicit payments made to Chinese physicians and other healthcare professionals over a seven-year period.

What is so surprising in this instance is that the fraud apparently occurred under the auspices of one of the world’s most comprehensive and sophisticated compliance programs. Were these perpetrators so smart as to avoid detection over such a lengthy period? Did Glaxo’s compliance program contain a flaw capable of allowing this fraud to occur? If so, was this flaw capable of being detected without the benefit of hindsight? The truth probably lies somewhere in-between. Glaxo’s compliance program was probably no more or less flawed than any other company’s program, or even than the National Security Agency’s security program designed to protect the U.S. government. And yet, Edward Snowden infiltrated the NSA in an unprecedented manner, the ramifications of which will continue to play out for years to come.

Every company, including Glaxo and the NSA, sets out with the best of intentions to erect a compliance program. The problem is that fraud and corruption, by their very essence, are almost impossible to prevent. You’re talking about one or more individuals, usually acting in concert, deliberately and with bad intent, intentionally planning to violate the law. Planning this fraud is all these perpetrators think about (consider the 9/11 terrorists and their years of planning), while you are thinking about operating an honest and profitable business. If the consequences of violating a law (with the threat of huge fines and possibly jail time) fail to deter these individuals, they will not likely be deterred by the consequences of violating a company’s compliance policy. They are bad actors, and no amount of policy writing or compliance training will prevent their actions. They are bent on committing fraud, and they will find a way.

So what is the point of having a compliance program if it can’t always prevent bad actors from doing bad things? The answer, in my opinion, is quite simple. While there will always be bad people bent on doing bad things, an effective, well-designed, and well-managed compliance program can make the effort needed to violate the law so difficult as to not be worth the time and potential consequences that follow. My mother always said, “Keep little things little.” In the compliance arena, this translates into keeping isolated and non-systemic whatever fraud and corruption does occur. This presupposes a well-functioning compliance program, which transcends the “Seven Elements” by having the ability to (i) identify key risks to the business, (ii) predict where fraud will most likely occur within those key risk areas, (iii) develop meaningful plans to address those areas, and (iv) deploy key performance indicators (KPIs) that truly measure the effectiveness of the risk-mitigation measures that are undertaken. In other words, a robust Risk Assessment and Mitigation program.

A Risk Assessment and Mitigation program is the cornerstone of an effective compliance program. It is the means by which the array of compliance programmatic tools is deployed to manage and mitigate the key risks a company faces. It can be a company’s single most effective weapon to proactively manage risk based on a deep-seated understanding of its business operations, its risk profile, and the internal and external environment in which it operates.

I recommend following six basic principles in developing a Risk Assessment and Mitigation process. If followed, these principles will put your company in the best position possible to assess and prevent risk before it occurs, and to keep bad acts isolated when and if they do occur.

1. Ensure Senior Management Buy-In and Visible Support

In order to be effective, the Risk Assessment and Mitigation process must be more than a “paper exercise.” It must be real; it must be meaningful like every other key process within a well-managed organization. For example, every company engages in budget planning and business reviews, and public companies are required to go much further under the SEC disclosure rules, including Sarbanes-Oxley. Each process is well defined and oftentimes involves the Board of Directors, as well as external advisors such as statutory auditors and brokers.

The Risk Assessment and Mitigation process should be no less rigorous. While not per se mandated by law, this process is designed to manage business and legal risks that are no less, and oftentimes far greater, than those targeted by the aforementioned processes. Too often, senior management relegates risk assessment and mitigation to a process “run by the lawyers for the lawyers.” The tendency is for business executives to delegate the management and ownership of this process to the legal and compliance functions without meaningful participation by management. The lawyers and compliance personnel engage in an exercise designed to brainstorm the risks that are, from their perspective, the most critical to the business, often in isolation from the businesses in which these risks reside. While business managers may be polled for their perspective on risk, oftentimes this is far from a participatory, collaborative process. Legal and compliance will then develop what they believe are meaningful mitigation strategies, which they in turn own and are responsible for implementing. The result is a potentially closed-end, contained process that doesn’t capture true business risks: the business operators, who are truly in the best position to understand the business model and the nature of the attendant risks that can occur within that model, haven’t been meaningful participants in the risk identification and mitigation process. In other words, it was largely a “paper process.”

The first step is for senior management to acknowledge this as a mission-critical process that is, at a minimum, jointly owned by and developed in partnership with all business heads. No one understands the risks facing the business better than the people responsible for running it. While legal and compliance understand the law, business owners understand the operational ways in which those laws can be violated, and consequently the best ways to prevent this from happening. Any Risk Assessment and Mitigation process that isn’t jointly owned, operated, and managed with the business heads runs a real risk of being ineffective.

2. Employ a Sound Methodology for Identifying and Managing Key Risks

One of the more difficult things to do in this process is clearly define the risks being managed. It seems simple, but in reality it’s not. Many risk management processes that I’ve seen over the years master stating the obvious. With respect to fraud, for example, many programs will simply articulate the risk as a “violation of the FCPA.” But what does this mean? Have you identified the specific underlying risk in the company’s business model that could potentially lead to a violation of the FCPA? For example, who in the organization is most likely to come into contact with officials of foreign governments? Who within that business segment will likely feel “pressure” to obtain results in connection with their contact with foreign governments? If you haven’t done this “in the field” assessment of the risks facing the people who really work at the company, then any ensuing mitigation strategy could be rendered meaningless.

Meaningful risk identification occurs through effective partnering between legal, compliance, and the business operators. Legal and compliance can articulate the legal aspects of the risk, while the business people can articulate the manner in which these legal risks relate to the operations in practice. Together, this partnership can develop a set of risks that are linked clearly and measurably to the legal violations they intend to mitigate.

3. Employ a “Bottom-Up” Process Owned by the Business

Many companies employ a high-level process whereby risks are identified and mitigation plans developed at the most senior levels, sometimes without meaningful advice and input from the individuals who actually confront these risks in the field. This raises the issue as to whether the most senior individuals in the company are in the best position to determine the key operational risk that oftentimes occurs at a relatively low level within the organization.

Many companies have as many as 10 layers between the C-Suite and the operational-level employee. CEOs and their C-Suite management teams are macro-engineers. They provide high-level guidance and direction to their organizations. It’s perhaps unrealistic to expect that they would be able to identify and articulate operational risk issues with sufficient granularity so as to provide complete input to a Risk Assessment and Mitigation plan. A more robust process is one in which the risk assessments and mitigation plans are developed at the operational level, flow upwards in a pyramid fashion at each level within the organization, and ultimately are reviewed and approved by the C-Suite team. For example, in a company with fifteen different operating units, a Risk Assessment and Mitigation plan would be developed within each unit. Each unit plan, once finalized, would be implemented at the business-unit level and also submitted to the C-Suite team. One overall Risk Assessment and Mitigation plan would also be developed at the corporate level. In this manner, you have addressed risks from both the local and corporate angles, thus maximizing the chances that the most meaningful risks have been identified and will be managed at the appropriate levels within the company.

4. Employ a Methodology for Prioritizing Risks by Severity and Probability

Having identified as many of the business risks as possible from discussions with all levels of the corporate structure, how do you prioritize to deploy scarce resources to manage one risk over another? Value judgments must be made on a well-informed basis. In so doing, a best practice is to consider the probability of the risk occurring times the severity should it occur, and develop a ranking of risk on that basis. Many companies employ a numerical scale to measure these factors—for example, a scale of 1 to 5, with 1 being the lowest probability/severity and 5 the highest. The higher the product of these two scores, the higher the ranking of the risk.

For example, the risk of a third party committing bribery in connection with a government tender in China could have severe consequences, but if you only participate in one tender a year, then the probability of occurrence is relatively low. Contrast this with a situation where your company engages in multiple government tenders in a high-risk country, all through third parties. The severity-times-probability score in this case would be much higher, and the risk would be accorded a higher relative ranking.

This process assumes in-depth knowledge of the risks at issue and the business model in which they operate. Only with in-depth knowledge of these issues can one credibly ascertain the severity of their impact and the probability of their occurrence. Again, this underscores the need for an active dialogue between the business head, compliance, and legal.

5. Develop Meaningful Mitigation Strategies Owned by Identified Business Owners

Now you have fully engaged management at every level; identified the key risks to the business; and prioritized these risks using the severity-times-probability index. You’re halfway there!

It’s time to develop mitigation plans to manage those risks. In other words, this is where the rubber meets the road. This is the opportunity to meaningfully manage and prevent identified risks from occurring.

Again, it’s imperative that meaningful mitigation plans be developed in partnership with the business. They must not be mere platitudes—that is, there must be a direct correlation between the action being taken and the prevention of the risk being addressed.

Let’s go back to our determined bad-actor example. How do you prevent and/or detect fraud from occurring in connection with a government tender through a third party where you have a business associate hell-bent on offering a bribe? No amount of training will likely deter this bad actor, so agreeing on a risk mitigation of enhanced training would likely be of little or no use. On the other hand, adopting an enhanced transactional review of government tenders in high-risk markets, including a requirement for higher-level corporate approval, may well prevent this fraud from occurring—or at least detect the fraud. The point is, you must strive to adopt meaningful mitigation strategies tailored to each identified risk.

Equally as important is the accountability for ensuring that risk-mitigation actions are successfully implemented and taken to conclusion. Assigning responsibility to legal and/or compliance is not enough. Legal and compliance are control functions. Unless they are empowered to take action, they lack the ability to enforce these actions at the operational level. Moreover, they are put in the difficult position of having to verify the actions of others who are in the best position to implement these remedial actions. In order to be meaningful, risk-remediation actions must be owned by the business people. If the action will be taken at the business-unit level, then the business-unit head must assume accountability. If it will be undertaken at the corporate level, there needs to be C-Suite accountability. The buck must stop where the rubber meets the road!

Finally, all remediation actions must be time-bound and reviewed periodically by the company’s compliance committee. And there must be consequences for failure to achieve agreed risk-mitigation plans within the agreed timeframe. Otherwise, managers will focus their attention on the myriad of other tasks that occupy their time, and remediation actions will fall to the bottom of the list.

6. Develop Key Performance Indicators that Measure the Effectiveness of Risk-Mitigation Actions

Having undertaken steps 1 through 5, you have one more important action to take. That is, how do you know that the risk-mitigation strategies that you’ve employed are achieving their intended purpose? This can be a difficult task, since you’re often trying to prove a negative: “the risk-mitigation actions must be working since the bad event hasn’t occurred.” Is that the case, or are you simply unaware that the bad event has occurred? This is without a doubt the biggest conundrum every CCO faces—the Holy Grail of the compliance world. How do you prove the effectiveness of your program?

There is no magic answer to this question. The solution lies in a company’s ability to develop meaningful KPIs that act as surrogates to predict success or failure of your compliance initiatives. Many times, KPIs may seem paradoxical in nature. For example, a well-functioning compliance hotline and training program should yield a consistent stream of questions and calls. This demonstrates that your message is cascading down throughout the organization. Some may disagree, but I would be worried if the call volume and follow-up questions suffered a dramatic drop in a high-risk market, particularly on the heels of a robust compliance-training blitz in that market. Similarly, I would be concerned if your third-party screening process fails to detect any red flags that result in enhanced reviews and/or terminations. I’ve experienced situations where companies have used well-established processes to screen thousands of third-party distributors—without a single red flag and/or termination. Based on these results, one should seriously question the effectiveness of the third-party screening process, which seems, at best, a check-the-box exercise—and no doubt an expensive one!

In summary, while you can’t always prevent bad actors from doing bad things, implementation of the above strategies will certainly put you in the best position to manage and/or prevent some of the compliance catastrophes that we have witnessed in the recent past.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.
