Many Chief Compliance Officers (CCOs) came to the position from the legal department, internal audit or another professional discipline. These professions are technically focused and their training provides little to no soft skills training. Yet when one rises to the level of a CCO soft skills are at least equally important if not more important so than technical skills. Now overlay this need for soft skills with the focus from the Department of Justice’s (DOJ) FCPA Pilot Program on remediation as one of the four prongs required to achieve a fine and penalty reduction and the emphasis in the DOJ’s Evaluation of Corporate Compliance Programs (Evaluation) of operationalizing compliance; it is easy to see that the remediation phase is as important as the investigation phase.
Many have focused on the more technical aspects of the remediation component of a potential Foreign Corrupt Practices Act (FCPA) compliance violation. However, I wanted to explore the soft skills that a CCO must use, both internally and externally, to achieve the goals available under the Pilot Program, though extensive remediation. This week I begin a five-part series on what a CCO needs to consider when working through the remediation in the face of a FCPA investigation or allegation of FCPA violation.
I am joined in this exploration by Dan Chapman, well-known in the compliance community for his in-house compliance role a Baker Hughes Inc. and his CCO roles at Parker Drilling and Cameron International. In the latter two positions, Dan led both companies’ efforts to successful resolution of FCPA issues. Over the coming week, I will be considering five key soft skills, not taught in law schools or other professional schools, for every CCO to consider in the remediation phase of a FCPA inquiry. We will consider the following: (1) The Gatekeepers; (2) Project timing; (3) Communications with stakeholders; (4) When you are done? and (5) Post-resolution.
Chapman believes the first thing you need to begin with when faced with a FCPA investigation and remediation is to assess how the culture at the top of the company will affect your remediation efforts going forward. He noted, “I think the first thing that you want to do is, to gather an assessment or make an assessment regarding the culture at the top, and how it might affect remediation.” To do so, he advocated a three-step inquiry. The first question to consider is “who are your gatekeepers?” The second inquiry is into the level of focus the gatekeepers can give to the remediation. Finally, the third inquiry is to assess the gatekeepers understanding and knowledge of compliance.
Who are the gatekeepers?
While a company may have multiple gatekeepers, including the legal department, compliance function, Supply Chain (SC), Human Resources (HR) or Internal Audit (IA), you need to determine who makes the decisions regarding compliance issues. Some of the compliance activities Chapman suggested you consider are “investigations, training, due diligence, vendor selection, audits, and other compliance subject matters.”
Look beyond paper line reporting and assess lines of communications and information reporting structures to ascertain how decisions and actions are taken regarding compliance issues. Chapman provided the example of budget and spend where he said it is important to understand who authorizes compliance expenditures; the CCO, the Board or Audit Committee or the Chief Executive Officer (CEO) or perhaps other(s).
Level of gatekeeper focus
This inquiry delves into how much time, energy and focus the gatekeepers will be able to give to the compliance function and specifically the remediation. The gatekeeper focus can be a function of interest or of workload. The time of Boards and senior management is usually stretched to the limit, most particularly if large issues or decisions are looming. Often, it is not that the gatekeepers do not have the passion for the subject but they simply do not have the time to prioritize it. Chapman noted, “if a company is dealing with bankruptcy risk or is dealing with a significant corporate transaction such as they’re acquiring a company that is of the same size, that’s going to divert senior management’s time and they’re not going to be able to focus on compliance.”
Level of gatekeeper understanding
The third inquiry is to assess the level of compliance understanding of your company’s gatekeepers. Here you need to tread carefully because if gatekeepers believe they understand compliance yet have very little appreciation of best practices, doing compliance or the operationalization of compliance and are entrenched in their uninformed views, it may be difficult process to move the company to a point which meets the DOJ requirements for extensive remediation under the Pilot Program. You will need to determine if these gatekeepers will defer to you as the CCO and compliance subject matter expert (SME) or outside consultants as SMEs. Chapman believes the optimal situation is where the gatekeepers are highly knowledgeable but are willing to defer to the CCO as the compliance SME.
You will also need to understand the compliance structure of the organization. If the CCO reports directly to the Board or C-suite, it can allow a more rapid and unfettered response on remediation. However, if the company’s reporting structure is such that compliance reports to personnel at a lower level of the organization, Chapman believes this “can make real compliance change more difficult. Even worse is a situation where you have supervisory lines or organizational structures that infer that compliance decision making is in practice different from what one would expect based on those supervisory lines and organizational documents.” He noted such a structure is “a very dangerous thing.”
These three inquiries speak directly to the soft skills a CCO must have and must employ in this type of situation. Chapman noted, “interpersonal skills and the ability to read between the lines is essential.” Boards and C-Suite level executives are very busy with innumerable pulls on their time so you should respectful of both their time and in your communications with them. Being polite and courteous never hurts.
Knowing which questions to ask to allow you find out this information is critical so you can quickly assess whether someone is a gatekeeper and what is their level of compliance knowledge. Some of the questions he suggested to ask include “How do things really get done here? What are the lines of a communication when it comes to making decisions with respect to compliance? Are compliance personnel truly autonomous, do they have authority to get things done?” Chapman concluded this can be “a very delicate discussion, and one that senior management might not always want to have. Knowing how to push and how not to push in a way that is respectful of the commitments that the senior managers have is going to be critical.”
Tomorrow I will consider project planning and risk assessment for extensive remediation.
[View source.]
