More than two-thirds of compliance officers say they don’t have enough resources to develop and implement sufficient compliance programs. The complaints are in part prompted by the growing volume of data that companies produce and handle as well as the increasingly complex regulatory landscape. Today, compliance officers and counsel are forced to do more with the same budget. When it comes to anti-corruption compliance, in-house departments must create and maintain programs effective at preventing, detecting and remediating FCPA violations all while minimizing costs to the company. The stakes are high – a company that fails to maintain an adequate program can find itself at a disadvantage if a violation does occur, while an effective program can earn the company credit with the government. See “Charles Duross and Kara Brockmeyer Discuss What Matters to FCPA Regulators When Negotiating FCPA Settlements (Part Two of Two),” The FCPA Report, Vol. 2, No. 25 (Dec. 18, 2013).
By Rebecca Hughes Parker
The FCPA Report recently spoke with Varun Mehta, Vice President of Legal and Compliance Solutions at Clutch Group, about ways companies can identify and address inefficiencies in their legal and compliance departments, including handling data before and during an investigation, choosing automated software programs, structuring reporting lines, conducting risk assessments and performing due diligence on third parties.
Clutch Group provides litigation, compliance and investigative services for many Fortune 500 companies and helps those companies streamline their legal and compliance departments. Mehta previously worked for Johnson & Johnson and Boston Scientific Company.
Handling the Data Explosion
FCPAR: In terms of efficiency, how has the provision of legal services changed over the last generation?
Mehta: The only thing that has evolved in the legal industry over the past 30 years has been the size of firms and the cost of legal advice when legal cases come up. Otherwise, it has not really evolved much. People haven’t tried doing things in a different way or thinking about the best way to do them.
You still have two major factors that have driven the need for organizations like ours to help build efficiencies into legal services. The first is the exponential growth of data. Right now, most big companies are nearly doubling their data on an annual basis. The second important thing is both the volume and complexity of regulation. The enforcement climate is very different today than it was just 15 years ago in terms of the number of regulators and the size of fines.
FCPAR: The data available has exploded, increasing the cost of any kind of investigation or litigation substantially.
[See “Strategies for Preserving Data Before and During an FCPA Investigation,” The FCPA Report, Vol. 1, No. 12 (Nov. 14, 2012).]
Mehta: Yes. I’m running an investigation now where, for each person, there are approximately eight to ten different data types. Consider that over a five-year period – everything from Bloomberg and Reuters and instant messages to voice data to e-mails to SMS/BlackBerry messages. There was definitely a void in the market for someone to do it efficiently. That’s what we’ve been working on for the past few years.
FCPAR: How can companies streamline their systems to make data collection and review easier?
Mehta: The people in charge of risk should have a basic understanding of the company’s data environment infrastructure. That’s primarily because being able to understand it, even at an elementary level, is critical when a problem happens. Then, you’re not waiting for someone to put a report together for you. You already know how the systems work.
You can tell the regulators what you have in place and what you do to mitigate risk. Usually, if the company is able to show it is meeting reasonable expectations and it has a solid understanding of limitations and anomalies, regulators are a little more cooperative.
FCPAR: What should companies be considering when they are choosing among software programs?
Mehta: There are a lot of companies out there trying to sell a black box where you can push a button and it solves all your problems. I’ve seen my clients and other companies go down the path where they bought a $10 or $20 million piece of software but have not been able to do anything with it, because software alone does not solve your problems. Technology is only as good as the user that uses and deploys it.
A company should consider how the software will work in practice and who will be involved in using it. Also, the end goal is important. What pieces of information would I like to know? What is it that I would find valuable and how would I find it?
In terms of a proprietary software system or one “off the rack,” companies should think about what data will need to be preserved and for how long. How will the tool do that, both in the regular course of business and when there is a crisis?
Also, it is important that whoever is managing that risk level (whether it’s general counsel, the chief compliance officer or both) should be involved in all of these purchasing decisions. That’s critical. What we often see is that a lot of general counsels aren’t brought to the table. They have to force their way onto the table. They have to be involved in that discussion.
Choosing a Reporting Structure
FCPAR: What are some of the different reporting and organizational structures you see multi-national companies use in legal and compliance departments and their advantages?
[See “How to Structure Chief Compliance Officer Reporting Lines to Maximize the Efficacy of Anti-Corruption Compliance (Part One of Three),” Vol. 2, No. 22 (Nov. 6, 2013), Part Two of Three, Vol. 2, No. 23 (Nov. 20, 2013), Part Three of Three, (Dec. 4, 2013).]
Mehta: We have seen a few different structures among our clients. Instead of thinking of this as the role itself, it is helpful to try to understand what the goal of that role is. Both general counsel and compliance officers are chief risk officers, typically. Their goal is to eliminate risk for the company. When you think about that, splitting off a compliance role indefinitely from a general counsel role may raise questions of who is in control of the risk.
There is a divide, however, between operations and risk. When you are undergoing massive shifts or changes to your environment, like JPMorgan, it’s probably a good idea [to separate the roles] because there is a divide between operations and risk. Companies can keep the people who are managing the operational risk under operations and the insight and overall goal of risk should sit under general counsel.
Ultimately, though, in most cases I think the most effective way to drive this is under a general counsel because the general counsel is the chief risk officer and compliance is a big component of that. From an efficiency perspective, the biggest struggle companies run into when they separate legal and compliance is the duplication of a lot of roles. Companies want their lawyers in the general counsel’s office to be thinking about compliance as part of everything they do.
Streamlining Risk Assessment
FCPAR: A risk assessment of the company itself is often considered a first step in developing a compliance program. How can that be done efficiently?
Mehta: If a company doesn’t have the budget to build a massive infrastructure (like many companies), the most important thing is to understand and see what is happening in the industry. What kinds of things are your peers doing? If you’re in a software business, what kinds of things have regulators come after your peers for in the past? Are there FCPA concerns? Are there broader concerns around doing business with countries you shouldn’t be doing business with? Are there privacy concerns? You need to know where to start.
The best way to figure out where to start is to examine what the trends are. Make sure that the board and C-suite are very involved in that discussion. Everyone should be in line with the plan: here is our priority; here’s what we’re seeing in the market; here is what we are capable of doing today; and here is what our horizon is over the next three to five years.
The next step is getting close to the business and understanding what is happening. Companies often want to hastily go out and hire third parties or consultants to come in and do massive assessments. But the best preventative insight tool may be to grab a beer with the head of a business unit at least once a month and ask where the problems are. “This is what we’re seeing in other parts of the business. Are we getting involved in this? What should we be nipping in the bud before it turns into a real issue?”
After you have made those assessments, after you’ve decided on your vision, that’s when you think about where you may need outside consultants. Companies should talk to their peers, go to events and read publications to assess the market. They should understand the market and the industry and then understand their own businesses.
This is coming from a third party provider like myself: don’t come to us in the first instance. Understand your business first and then come to us.
[See “Insight from Top Companies and Practitioners on How They Are Addressing Current Anti-Corruption Issues, from Self-Reporting to Risk Assessments to Training,” The FCPA Report, Vol. 2, No. 10 (May 15, 2013).]
Training Employees Effectively and Economically
FCPAR: What advice do you have for in-house legal or compliance departments when it comes to economically training employees on anti-corruption compliance?
Mehta: It is not unlike risk assessment. Companies should think about priorities and challenges. I’ve seen the normal training – employees jump on to a website and read a PowerPoint for an hour and answer questions at the end. Let’s all be honest, though, nobody is learning anything there, they are just trying to meet the requirement and get through this. You’ve got to be creative. We don’t want companies to just check the box that they trained people. We want companies to be able to say that they have instilled the ideas within the environment of the company.
One client – the head of a software company – put together hired actors and they did a traveling road show and webcast. It was not like the normal compliance videos. They tried to imitate the TV show “The Office.” That’s something everyone will remember. It goes a long way to be creative and create material about the issues and the red flags that seeps into people’s minds. This client with the drama/comedy compliance video went to every major office with this travelling group of actors. The whole thing was webcast and simulcast for those that weren’t able to make it, or were sitting in offices that the actors weren’t planning to visit.
[See “How to Keep Employees Engaged and Invested in an Anti-Corruption Compliance Program,” The FCPA Report, Vol. 2, No. 14 (Jul. 10, 2013).]
FCPAR: That kind of project – with live actors – may entail more cost, correct? Is that worth it?
Mehta: Ultimately, from a budget perspective it was comparable to a lot of these more widespread training tools. It’s not like the compliance officers got Brad Pitt to do it, just a local acting troupe to help them out. They were excited about the opportunity because they hadn’t really worked in the corporate sector before. They thought this would be a good opportunity for them too.
If a company tries to think a little bit out of the box, there’s always potentially a way to do it. Maybe instead of hiring actual actors, it puts together a group of people within the company that can serve as the actors.
[See “Dechert Produces Movie to Assist in FCPA and Corporate Governance Training,” The FCPA Report, Vol. 2, No. 16 (Aug. 7, 2013).]
Vetting Third Parties
FCPAR: Third parties are a major risk area in FCPA compliance – the vast majority of enforcement actions are related to the actions of third parties – and companies do various levels of risk assessment and due diligence on them. Do you think questionnaires are a good way to start with the risk assessment?
[See “Sample Questions to Ask Third Parties When Initiating Anti-Corruption Due Diligence,” The FCPA Report, Vol. 2, No. 20 (Oct. 9, 2013).]
Mehta: Questionnaires are definitely a good way to start, but I’m less concerned with the questionnaire itself. We try to limit the number of questions we ask. There can be hundreds of questions on these questionnaires. But usually, if you have four or five pieces of key data, you can search for almost anything. The web is at our disposal. I have a tough time when I hear that people are paying thousands of dollars for a report of information when all people are doing is searching on the web and just consolidating it.
FCPAR: What are some of the more efficient procedures to risk-assess and research these companies?
[See “Charles Duross and Kara Brockmeyer Discuss Five FCPA Enforcement Trends That Matter to Regulators: Individual Prosecutions, Administrative Proceedings, Global Coordination, Corporate Monitors and Third Parties (Part One of Two),” The FCPA Report, Vol. 2, No. 24 (Dec. 4, 2013).]
Mehta: That’s obviously a major concern. Everybody’s trying to figure out an effective way to do that. What seems to have taken precedence is that companies are drafting these static reports where they do a profile on a company at any given moment – a risk report. One client told me that he gets the risk reports – he may get hundreds or thousands and it’s hard to get through them. It’s not dynamic or interactive. We have tried to find a better way.
There are a number of technologies out there that crawl for information, constantly looking for data. They are consolidating and presenting it to a client in an effective way. We are working on an app that automatically alerts you when a third party has gone through an important change and gives regular real-time updates instead of an annual survey or audit. Ultimately, the key to keeping due diligence costs down is having an ongoing program. If companies set this automated system up, it should be able to do that on a regular basis.
Imagine having an iPad app that contains all of the information for all of your offices worldwide, with all the different providers and real time feeds of information about those providers coming in with alerts when red flags are raised. The information is out there. It’s just about who is going to be able to consolidate it and put it into a digestible format.
FCPAR: Is this something that would be better done by an external consultant?
Mehta: This is one of those things where it’s better to use or leverage an external party, unlike the questionnaire. We usually help our clients out for free on that.
FCPAR: Sometimes there are thousands and thousands of third parties, so I assume the key words that raise the flags would be really important.
Mehta: Imagine if, out of tens of thousands of parties, there is a risk-sorting matrix, or risk scoring formula. Such as, if the third party is in Bangladesh and their CEO was hit with a fraud dispute, that should be marked high risk. With software, it is really easy to do things like that.
FCPAR: There are some automated risk-assessing software programs out there already for third parties.
[See “How FCPA Transaction Monitoring Software Works,” The FCPA Report, Vol. 2, No. 4 (Feb. 20, 2013).]
Mehta: Right, there are some. There’s still more evolution that could happen in that space. I think that many are still working their way through and it will be exciting to see what kind of dent they can make in the market. As long as companies aren’t looking at static documents and reports, that will be a win for everybody, because they’re going to get better information faster in a way that everyone will find more valuable.
Cutting Down on the Costs of Investigations
FCPAR: Once the investigation starts, how can companies streamline the investigation? Are there areas you see consistently that could have been changed in a proactive way that would have helped make the investigation more cost-effective had they been implemented beforehand?
Mehta: First, it is important to know what the end goal is. We get called in quite often to solve problems, and we ask the company what the ideal end result for them would be. A number of times we can’t get exactly there but we can get pretty close to it. If we are focused more on the end result instead of the small problem in front of us, many times we can hit a few birds with one stone.
Second, when you are doing the same thing over and over, there are often better ways to do it, like going to a third party for help or coming up with an automated solution. There are many things that can be done without investing a ton of money, to make employees’ lives a little bit easier. A form or a FAQ can be created, a repository where, instead of your salesperson asking for approval every time, he or she can access an automated document to get an answer. Many of these things can be simple and done internally.
Finally, look at the other activities that are happening within the organization. If a company is doing a large document review for a litigation, where it has to review hundreds of thousands or millions of pieces of information, maybe the legal team can team up with the compliance team and say, look, we’re already looking at this information, is there anything else you may want to know about this proactively? Even after the fact, after the company has already reviewed the information and it’s already processed in the system, is there a way to leverage that information to find compliance issues proactively?