The coming weeks and months will be incredibly challenging for all as COVID-19 does not respect national boundaries, races, religions or another other construct people have created to differentiate themselves from each other. The same will be true for businesses of all stripes across the globe. This week, I want to focus my writings on some of the things a Chief Compliance Officer (CCO) or compliance practitioner can do right now, in the midst of this crisis, and what we might need to consider as we prepare to come out of the crisis, hopefully in the weeks and months ahead. Today, I lay out some specific technological innovations to help manage your compliance program going forward.
Third Party Management
Ranked as the highest Foreign Corrupt Practices Act risk is generally third-party management, at least on the sales side. This is a process that can be automated both through the onboarding process, due diligence, contracting and management of the relationship after the contract is signed. While nothing will ever take the place of a well-trained compliance practitioner reviewing and evaluating due diligence, if you can automate the document obtaining and retention process coupled with the back-end relationship management you can significantly cut your costs going forward. Moreover, this process will help you in the Document, Document, and Document function of any best practices compliance program.
Internal Controls
Here there is no better example than our friends from GlaxoSmithKline PLC (GSK) to demonstrate not only the failure of internal controls but also how a technological solution can assist your compliance going forward. The company got into hot water in China through two prime methods of paying bribes: the directincentives and indirect incentives methods. They paid out enormous sums in sales expenses, including travel costs and fees for sales meetings, marketing, business development and other expenses. Most of the largest expenses were travel costs or meeting fees and the expenses of the companies’ sales teams were, in every case, several multiples of the net profits each company earned the prior year. A simple automated internal control requiring a second set of eyes on such expense would go a long way to preventing or detecting fraud, in the form of bribery and corruption against the company.
Additionally, it would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the required criteria, as defined and interpreted in Company policies. It should fall to a compliance officer, by putting a second set of eyes on any such requests to finalize (read prevent) and approve a definition of permissible and non-permissible gifts, travel and entertainment and internal controls will follow on from such definition or criteria set by the company. Further, by automating this process, you also have a fallback protection on the detect prong.
Ongoing Monitoring
Saving the best and most important for last, a final technological solution is around monitoring. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks.
Here I want to focus on two technological solutions of ongoing monitoring which can help you to manage your compliance risks more effectively. The first is relationship monitoring. In the GSK matter, internal company emails showed the company’s sales staff in China were instructed by local managers to use their personal email addresses to discuss marketing strategies related to Botox. Relationship software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The software then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.
The second type of monitoring is transaction monitoring. Generally speaking, transaction monitoring involves review of large amounts of data. The analysis can be compared against an established norm which is derived either against a businesses’ own standard or an accepted industry standard. If a payment, distribution or other financial payment, is made outside an established norm, a red flag can be created that can be tagged for further investigation. Vince Walden, partner at Alvarez and Marsal Holdings, LLC, calls this your company’s “payment stream, post contract.”
The pressure for the corporate compliance function will only increase during the time of the coronavirus health crisis and beyond. You will need to bring both new tactics and strategies to bear to more fully prevent, detect and remedy, compliance and ethics deficiencies. Moreover, in every crisis is an opportunity to learn. Even in a crisis not seen by any in our lifetimes, you can learn to do things smarter and more efficiently even if it is because you are forced to do so. If you can demonstrate greater efficiency and a longer cost effectiveness in using a technological solution in conjunction with your compliance program, that may be exactly the message that not only your senior management may want to hear but will respond to favorably and provide some funding. But you have to do your homework and be able to demonstrate value going forward.
Tomorrow, how companies respond to the coronavirus crisis will determine their fate for years down the road.
[View source.]
