Murmur in the Middle (Management)

The following is a guest blog post by Diana Trevley, Spark Compliance Consulting’s West Coast Director.

Although “the tone from the top” gets most of the press, for most compliance teams the “murmuring in the middle” represents the greatest challenge for engagement.  In a surprising number of litigations and government actions, long before the case ever reached the courthouse, the whistleblower reported what he or she saw or suspected to a line manager – and yet nothing was done.  After the company took no action, the whistleblower then went to the government – or filed a lawsuit – leaving the company in a far more precarious position than if the issue had been addressed after it was first reported internally. 

 

Perhaps the middle manager didn’t think the issue was important?  Maybe he or she did not know how to appropriately escalate the issue?  Or perhaps the middle manager was concerned that it would reflect badly on him or her?

The Great ISO Debate – The Gloves are OFF!

Compliance expert Tom Fox and I are friends, but that doesn’t mean we always agree with each other, especially when it comes to opinions about the ISO 37001 Anti-Bribery Management Systems Standard.  Earlier this month, Tom wrote a scathing article about why he doesn’t like it, and I challenged him to a debate to discuss his concerns.  The gloves came off in our discussion on his podcast, which can be found here: http://fcpacompliancereport.com/2017/03/12016/ .  Who won?  I’ll leave that to you to decide! 

Wildly Effective Compliance Officer Tip of the Week - 48

Have you tried using Google Alerts to help you keep up with pending legislation that would affect your industry or affect how you do your job?  If you haven’t, you should.  Google Alerts send emails to your in-box on a regular basis alerting you to news about the topics you choose.  Let’s say you work in the fishing industry, and there is a new law that would potentially affect your company’s supply chain.  You can create a Google Alert which will send you notifications relating to that law so you can stay on top of its developments.  When the law comes into force, you’ll have as much time as possible to implement programmatic changes to comply with the law. 

Que? Speaking the Same Anti-Bribery Language in an International World

Note: This is a guest post by attorney and compliance expert Ramsey Kazem.

Many years ago, as an employee of a retail store, I witnessed an incident where the inability to communicate in like terms undermined a sales transaction that otherwise would have been simple and straightforward.  A German tourist entered the store, selected a shoe from the shelf and asked the salesman to bring him a size 45.  The salesman recognized the customer was offering his European shoe size, but was unsure how to convert it to a U.S. standard – after all, this was at a time before smart phones, wi-fi and easy access to the internet; one could not simply “Google it”.  The salesman explained he was not familiar with European sizes, but pointed to the measuring tool in the corner and offered to measure the customer’s shoe size.  The customer, already knowing his size, refused and barked: “I am size 45.  Get me size 45!!!”  No longer interested in being helpful, the salesman sarcastically replied: “I don’t know what that is.  This is America.”  The German angrily stormed out of the store without completing the purchase. 

While all the ingredients for a successful sale were present, the inability to understand each other not only sabotaged the deal but it caused hard feelings in the process. This incident provides an important reminder that people of different cultures often say the same thing, differently.  Both parties were communicating in English, but speaking a different language. 

In international business, discussions regarding applicable anti-bribery and corruption standards can lead to similar misunderstandings between business partners of different countries.  While bribery is a global phenomenon, compliance standards to root it out are not universal.  What is expected and acceptable in one region of the world may not be adequate in others.  Adding to the confusion, terms such as “due diligence”, “risk assessment”, “training” (and others) are nebulous and may mean different things to different people.  Confronted with these challenges, organizations reflexively insist on the standards with which they are most familiar.  An American company, for example, may insist on standards articulated in the U.S. Sentencing Guidelines, the FCPA Resource Guide or published DOJ or SEC settlement agreements.  A U.K. company may default to standards published in the guidance to the U.K. Bribery Act.  And, on and on.  The foreign counterparts, however, may not be familiar with, or receptive to, these requirements.  Worse yet, the insistence on mandating standards of jurisdictions in which the business partner does not operate could strain the relationship between the parties.         

On October 15, 2016, after years of study and in collaboration with delegations from 56 countries, the International Organization for Standardization (“ISO”) published ISO 37001, the first global standard for the development and implementation of an anti-bribery management system.  The emergence of ISO 37001 was a welcome development as it provides a universal framework for managing bribery risk.  Moreover, it allows business partners from all regions to communicate in a common language.  ISO 37001 means ISO 37001 in any language.

Why Using ISO is like Building a House

To understand the benefits of ISO 37001 it is important to know what it is (and what it is not).  ISO 37001 provides a framework for the development and implementation of an anti-bribery management system.  The standard sets forth mandatory requirements that an organization’s anti-bribery management system must meet, but generally leaves the means and methods for satisfying those requirements to the discretion of the organization.  To that end, the standard includes guidance for meeting the mandatory requirements.  These global best practices are non-mandatory – an organization must only implement these measures to the extent they are reasonable and proportionate to the organization’s bribery risks.  In other words, ISO 37001 is not a one size fits all mandate, but allows sufficient flexibility to tailor the system to the unique risks of the organization.  As such, ISO 37001 applies to organizations of all sizes, industries, regions and risk profiles.

By way of analogy, if you were constructing a house, ISO 37001’s mandatory requirements would mandate items essential to a stable and effective structure – e.g., a roof, load bearing walls, mechanical, plumbing and electrical systems, etc.  The standard’s non-mandatory requirements, on the other hand, provide a home owner the flexibility to customize the structure – e.g., select finishes, decide where to invest in upgrades, modify the layout, and comply with requirements of local ordinances.  Just as in a design for a new home, ISO 37001’s mandatory and non-mandatory requirements work together to ensure the anti-bribery management system is both: (1) stable and effective; and (2) tailored to the unique risk of the organization.

ISO 37001 is not only a roadmap for developing new anti-bribery programs, it also provides a globally accepted benchmark against which to evaluate and improve existing programs.  When properly implemented, the standard will reduce an organization’s bribery risk and improve its overall ethical culture.  Moreover, to demonstrate a commitment to combating bribery, organizations can obtain an ISO 37001 certification from accredited auditors.  The certification not only confirms an organization’s compliance with the standard but, in many instances, will provide a competitive advantage over non-certified competitors in its industry.  Finally, as a global standard, ISO 37001 provides a common language for international business partners.  As will be discussed below, organizations should seek out ISO 37001 certified partners to transact business with as the common baseline for managing bribery risk will lead to more reliable and effective communications to address the issue in their transaction.

Let’s All Get On the Same Page

At the outset, it is important to mention that an ISO 37001 certification does not ensure that no bribery has occurred or will occur within the certified organization.  More importantly, business partners of a certified organization are not absolved from their due diligence and monitoring obligations.  The point of the certification is not to guarantee that an organization presents no bribery risk.  Instead, the certification process provides an objective mechanism by which an entity can demonstrate to its stakeholders that its anti-bribery management system complies with the requirements of ISO 37001.  Transacting business with an ISO 37001 certified business partner results in several important advantages, including:

A common understanding of terms and concepts.  Prior to ISO 37001, there was no global standard for managing bribery risk.  While the various existing standards used similar terminology, individual terms and concepts did not have a fixed definition.  Even a concept as fundamental as “bribery” itself was subject to various definitions.  Under the FCPA, for example, bribery was limited to corrupt payments to foreign government officials.  And, so-called facilitating payments – minor bribe payments to secure routine governmental action – are excepted from the definition and entirely permissible.  The U.K. Bribery Act, on the other hand, takes a more expansive approach to bribery and precludes corrupt payments in governmental and commercial transactions.  Moreover, facilitating payments are not exempt and are likewise prohibited.  Consequently, when a business partner claims to have an anti-bribery program it is entirely unclear as to the precise conduct the program is designed to manage and mitigate.  Obviously, a program designed to meet the standards of the FCPA is likely to have narrower prohibitions than one designed to meet the requirements of the U.K. Bribery Act.

Inconsistencies in terms create uncertainty and confusion in assessing to what extent a foreign business partner is managing its bribery risk, if at all.  With ISO 37001, organizations are not confronted with this issue.  Key terms are precisely defined in the standard’s definitional provision.  Moreover, concepts such as “risk assessment”, “due diligence”, and “training”, which are not subject to an exact definition and may vary by circumstance, are nonetheless subject to a defined process and criteria.  Even if the ultimate output is different, an organization will understand the process undertaken and the factors considered in tailoring these procedures.  This leads to more productive communications regarding the scope, scale and effectiveness of the anti-bribery management system as ISO 37001 certified business partners will be communicating from a common baseline and in like terms.

Efficiencies in key processes.  Transacting business with an ISO 37001 certified business partner does not eliminate an organization’s due diligence and monitoring obligations.  However, it does make these and other processes more efficient, reliable, and effective.  For example, the due diligence process can be more targeted.  An organization will know the processes required to be implemented, the information that must be documented, and the controls required to be in place.  With this understanding, an organization can be very specific in its due diligence and more deeply scrutinize the high-risk areas of the relationship.  Moreover, because both sides of the transaction are working from the same playbook, an organization can gain tremendous insight into a potential business partner’s approach to managing its bribery risk.  Decisions where to invest anti-bribery compliance resources, how to assess and prioritize risk areas, which of the suggested best practices to implement, and under what circumstances to go beyond the minimum requirements of the standards can be very revealing.     

Likewise, working with an ISO 37001 certified business partner allows an organization to take a more targeted approach with respect to monitoring.  ISO 37001 includes significant mandatory documentation requirements.  An organization, therefore, can be very strategic in exercising its audit rights and review documentation specific to the areas of the business relationship that require closer scrutiny.  Moreover, a comprehensive understanding of what the standard requires enhances an organization’s ability to identify red-flags in a business partner’s performance.

Stability in the standard.  While it is a stretch to suggest that the other standards are subject to sudden and unexpected modifications, recent political changes around the world have caused some to question whether, and to what extent, anti-bribery standards and enforcement actions will be impacted.  Time will tell whether these concerns are well founded, but it is unlikely that any significant changes will be forthcoming or tolerated.  After all, no political party has campaigned on a platform to make bribery legal again.  Nevertheless, it is worth noting that ISO 37001 is not impacted by the political climate of the day.  It was developed by a non-governmental organization with the collaboration of compliance standards experts representing 56 countries.  The standard reflects global best business practices and will change only as new, more effective techniques for addressing bribery risk are developed and globally recognized.         

Conclusion

ISO 37001 is the first global standard for the development and implementation of an anti-bribery management system.  By developing a universal framework, organizations from all regions of the world can more effectively address bribery risk with their foreign counterparts as both sides of the transaction will be working from a common baseline of understanding.  Moreover, it allows international business partners to communicate in a common language – perhaps, even a German tourist and an American shoe salesman.

Ramsey Kazem can be contacted at +1-404.872.5615 or by email at info@thethreetwelvegroup.com.

 

 

When Can I See You Again? Spring Conference Season!

10 days, 5 speeches, 3 countries, 2 continents…it must be Spring Conference season!  I’m gearing up for a massive two weeks of learning, speaking, networking, connecting and finding out what’s new in compliance.  Shall we meet up in person?

 

This weekend kicks off in National Harbor, Maryland with the Health Care Compliance Association’s 21st annual Compliance Institute.  We’re expecting 3,000 people.  I’m giving the keynote on Monday morning, titled…what else?  How to Be a Wildly Effective Compliance Officer.  That afternoon the fabulous Calin Elardi and I will be presenting, “Yeah, but what’s in it for me?  Making training and communications Impactful, Relevant and FUN!” 

Wildly Effective Compliance Officer Tip of the Week - 47

When there is a change in management or leadership at a company, there is often a big shift in how people relate to compliance.  In many industries, compliance hasn’t fully developed as a career, and new leaders may not know how to relate to you or understand the value of what you do.  At times like this, it is important to remember that building your relationship with the new leader is important, but also, that part of your job may be to educate the leader about what you do and the direct value you bring to the organization.  Try not to be frustrated if this takes some time.  New leaders can become great advocates, but they may need to understand what we do first.

How to Build Instant Rapport

 

The dictionary defines rapport as an “especially harmonious or sympathetic relation.”  A study from the Georgia Institute of Technology found that job seekers who created rapport early in their interactions with the interviewer scored higher overall than those who performed equally well in the technical part of the interview but failed to generate an early sense of connection.  So how does one build that elusive sense of rapport? 

Finding Common Ground

The fastest way to build rapport is to find common ground.  Let’s say you are meeting the new manager of sales and you need to find a way to interest her in compliance.  Prior to the meeting you can view her LinkedIn, Facebook or Twitter profile to find out information about her history and preferences.  Where did she go to school?  Where did she grow up?  Does she list any volunteer activities that might show her interests?  Do you have any connections in common?  Any of these small pieces of information can build an instant connection between you and the person you’re meeting, especially if you bring them up early in the conversation.

Notice the Details

When you meet someone in person, look for details which could conjure commonalities.  What photo is the person using for his screen-saver?  Is it his children, pets, or vacation photo?  Are there mementos or pictures in her office which show that she has an interest in a certain sports team, outdoor activity, or the arts?  Try to find something to comment on where you have a shared interest or passion.  This will immediately give the listener the feeling that you understand him or her, which immediately builds rapport.

Compliments

If you can’t easily find something in common to discuss, try starting with a compliment.  For example, “I heard from [name of boss or co-worker] that you did a great job on [thing], well done!”  If you’re in a new office or location, try praising the city, building, artwork or anything else that catches your eye.  Beginning with a compliment or positive statement lets the listener know that you have already associated good things with him or her.   

Rapport-building is the art of making someone feel at ease and as if they already know you.  Highlighting common experience or interests, noticing the little details and giving genuine compliments can ensure that the listener comes away from your conversation saying, “I like you.  You remind me of me.”

 

 

Wildly Effective Compliance Officer Tip of the Week - 46

Many compliance officers are uncomfortable using social media sites like Twitter or LinkedIn to promote themselves or comment on what’s happening in the profession.  While it is always important to be courteous and professional, social media allows people to connect across the world.  Your network can expand rapidly without even leaving your desk, and when you meet people in person at conferences that you’ve connected with virtually, you’ll have an immediate warm contact instead of a cold introduction. 

Quiz: What’s Your Type?

All of us enjoy working in a way that suits our personality and proclivities, but is your natural way of working helping you to be a Wildly Strategic compliance officer?  Perhaps you love to collaborate with other functions, or perhaps you’re the type who likes to run everything yourself.  Identifying your type can help you to see your own strengths and weaknesses, which in turn will allow you to strategically identify how you work with the business.

Wildly Effective Compliance Officer Tip of the Week - 45

Keeping up with news in the profession is an important part of a compliance officer’s job.  I recommend that you schedule 20 minutes each day to check blogs and news services.  Free sources like the FCPA Blog and Tom Fox’s blog can help you keep up with the latest enforcement actions, while the SCCE Blog and my blog at Compliance Kristy can help you keep up with best practices, which influence regulator expectations.  By spending a few minutes a day investing in your ongoing learning, you can make yourself even more effective.