I really enjoyed this piece from the FCPA Blog about how compliance should report more directly to a corporate board, namely through the use of a Chief Compliance and Ethics Officer (CECO.) Being independent of management creates a strong compliance function for Walmart, and this shift comes after spending over $400 million investigating allegations of bribery in Mexico. As someone who deals in the fraud and forensic analysis space, I am completely on board with this idea, as compliance is just another dimension of control for a company’s finances.
Compliance is a control system, parts are the preventative controls and parts are the detective (which we’ve written about before.) It’s difficult, if not impossible to have perfect preventative controls, just like it’s difficult to have a perfect compliance plan. Oversight actually recommends a mix of preventative (like compliance policies) and detective controls (like a transaction monitoring system, such as Oversight Insights On Demand™)
This mix of preventative and detective controls is common outside the world of finance. For instance you want to control the temperature in your office or house. You can have a plan that says, “it’s June in Atlanta, and in the morning the sun hits the office window, therefore turn on the AC.” This is analogous to a preventative control, but you’d still want a thermostat to tell you the actual temperature in the office in case it’s cloudy and a cold front came through. A thermostat allows you to monitor the results (in this case, the temperature) for the impact of the sun hitting the window and the actual outside temperature. The thermostat serves as the detective control.
Detective controls are most effective when they can independently observe the actual activity. In the engineering world you’d call this a feedback loop. For compliance to be highly useful, and the feedback loop/detective control needs to be ongoing, so nothing can slip through the cracks. A continuous feed of transaction analysis can be a great way to strengthen a compliance system.
Being able to show the board a report that analyzes the company’s transactions can be a very powerful tool to independently demonstrate an organization’s compliance. In some cases, such as the exoneration of Morgan Stanley from FCPA violations; even when one of their employees was found guilty of bribing a government official, having transaction monitoring as part of a fully developed compliance program was specifically cited by the DOJ. It’s hard to refute the proof when it is in front of you, and having concrete analysis is better than enforcing, say an eight hour power point presentation as part of annual “compliance training.”
Speaking to Scher’s point about needing CECO’s so compliance officers will no longer be afraid to report non-compliance, we do need the CECO’s but also the concrete evidence to support an officer’s findings. There’s an old saying – the truth is in the transactions, and with the right analysis and compliance reporting relationships this truth can finally be taken to the board level.