This week I have been exploring how you can more fully operationalize your compliance program. I have considered this in the context of third-parties, forecasting and the risk management process and through the use of a root cause analysis. Today, I want to conclude this week’s blog posts with a post on operationalizing compliance through tailored training.
The DOJ Evaluation of Corporate Compliance Programs (Evaluation), in Prong 6, Training and Communication – Risk-Based Training, asks:
What training have employees in relevant control functions received? Has the company provided tailored training for high-risk and control employees that addressed the risks in the area where the misconduct occurred? What analysis has the company undertaken to determine who should be trained and on what subjects?
This adds two requirements. The first is that you must assess your employees for risk to determine the type of training you might need to deliver. Meaning you should risk rank your employees. Obviously, the sales force would be the highest risk but there may be others which are deserving of high risk training as well. From your risk ranking, you need to then develop training tailored for the risks those employees will face.
However, this type of analysis does not fully tie the calculus of FCPA touchpoints to the full panoply of the prevent, detect and remediate mandates of an operationalized compliance program. There are innumerable employees in every corporation who could be employed in the detect prong and who are generally not being engaged as a part of compliance backstop. Typically, high-risk employees have FCPA training annually. However numerous studies have shown that more focused, indeed tailored, training can be more effective.
Imagine the scenario where a high-risk employee is traveling to west Africa, which they book through the corporate travel portal. Unless the employee notifies compliance of this travel it is highly unlikely the compliance department would know about such travel. Now imagine a corporate algorithm which could connect the dots of a high-risk employee, traveling to a high-risk country on a high-risk assignment.
The current practice, in tech speak, is single-tenant software hosting, i.e., one piece of software available at a time with no continuity between corporate functions. Now envision a more multi-tenanted, Software as a Service (SaaS), approach where a company’s information is available through a single application, rather being diluted through multiple applications. If a company is not using multi-tenancy, it may be hosting or supporting thousands of single-tenant information systems and cannot aggregate information across the corporate base and extract knowledge from large data sets as every corporate discipline may be housed on a different server and possibly a different version of software. This allows large and, more importantly, disparate data to be constantly fed into a single system where compliance can move more quickly and efficiently.
Now consider our high-risk employee, traveling to a high-risk country on a high-risk assignment. When they book the travel, compliance could read the information and then deliver a tailored compliance training reminder. This removes the need for a referral to the compliance department to call and ask the employee where they are going, what the business purpose is and who they are meeting, etc. Communications and training would be delivered to the employee’s computer via email or other delivery mechanism. It could be as simple as a reminder about the FCPA, Code of Conduct and anti-corruption compliance program around facilitation payments. Yet it could be as sophisticated as the RESIST training which provides specific procedures to resist solicitations requests or even extortion demands, by referencing anti-corruption polices; policies on facilitation payments and even corporate policies for employees. You could even add a list of potential responses such as an immediate response to the bribe-solicitor and reference to internal company reporting for assistance.
Further, there would be an audit trail which helps to satisfy the “Document, Document, and Document” component of your compliance program. Never forget the DOJ specifically mentioned compliance reminders as a reason Morgan Stanley received a declination back in 2012. This means when the government comes knocking you will have evidence of tailored training delivered to employees. Finally, such training also operates as an internal control to meet the Accounting Provisions requirement of the FCPA.
Again, consider another manner of how tailored training might be used for the traveling high-risk employees, where predictive analytics which could be used in conjunction with prior expense reports of both the employee and the region. On the personnel level, tailored training could help to determine if there were any issues around large expense reimbursements or those which might show a pattern of running up to the level where preapproval is required. Tailored training could give a wide range of statistics which would allow the compliance practitioner to operationalize compliance by considering sales expenses to determine if any issues might arise. Finally, in a continuous feedback loop, a prescription solution could then be delivered to prevent an issue arising to the level of an internal Code of Conduct violation or even a FCPA violation, further operationalizing compliance.
[View source.]
