We are utterly delighted to announce that for the third year running, Spark Compliance Consulting has been shortlisted for Compliance Consulting Team of the Year by the International Women in Compliance Awards. See our Press Release HERE.
I was on top of the world in the Land Down Under earlier this month, where I had the privilege of joining the best and the brightest in the compliance profession to discuss guidelines for best practices, including the only global anti-bribery standard, ISO 37001.
Our mission? To develop three new compliance standards and create an ISO 37001 Handbook.
ISO TC-309, as the committee is called, is organized under ISO, the International Organization for Standardization. The committee is comprised of delegates from over 48 participating member countries and 17 observing member countries – a truly global effort! For our annual meeting, Standards Australia generously hosted delegates from over 27 countries for five days in Sydney, supplying conference rooms for the four different working groups meeting simultaneously – and loads of coffee.
While some people in the United States don’t understand the importance of the ISO 37001 Anti-Bribery Management Systems standard, standards in other countries are incredibly important. Policy-makers use the standards as the driving force behind new legislation, regulatory bodies audit and benchmark the companies they review against the standards, and many companies treat the standards – certifiable or not – as de facto requirements for their organization.
We are working on several key initiatives that every compliance officer should know about:
Brand New Compliance Standards
ISO TC-309 is developing two new standards:
Guidelines for the Governance of Organizations (ISO 37000)
Guidelines for Whistleblowing Management Systems (ISO 37002)
“These recommendations are great, but what should I do with them?” We all know that a best practice for any company in any industry is to periodically evaluate and assess the current state of its compliance program. Such an assessment, whether performed internally or by an outside consultant, should be completely objective with a clearly defined purpose. For example, some assessments may be designed to measure an organization’s preparedness for complying with a new law or regulation. Others may be broader in scope and seek to measure the effectiveness of a program (or aspects thereof) in mitigating an organization’s compliance risk. Irrespective of its scope, a good assessment can provide invaluable insights into a compliance program with important recommendations for improving its overall structure and effectiveness.
While feedback on your program is important, there’s a risk that the company will view the assessor’s recommendations as a check-box exercise. At worst, the company may race to complete the recommendations as quickly as possible, sacrificing quality and thoughtfulness in the process. Because each task completed is another checkmark on the “to-do” list and, thus, a measure of progress and performance, the recommendations are often prioritized based on ease of completion, starting with the low-hanging fruit. This approach, while effective in quickly checking items off a “to-do” list, is often counterproductive and can result in a disjointed and inconsistent program.
Four Steps to Getting the Most Out of Assessment Recommendations
A better approach is to take a more holistic view of the assessment and…
Ding. Ding. Ding. Email. Email. Email… For many compliance professionals, communication takes place only one way – via email. It’s estimated that the average employee receives 121 emails per day. While email can be a valuable way to communicate en masse about compliance policies and requirements, it’s not always the best way to communicate. What else can you do?
There are a variety of great ways to communicate to the whole employee population. Not only can some of these channels be more effective than email, but by varying the way you communicate, you’re more likely to engage your employees and pique their curiosity. If you’re in an email rut, how can you communicate more effectively? Here’s a checklist of 20 communication channels that you can use instead of email. Why not try:
· Videos from compliance
· Videos from the CEO / managers
· Intranet messaging
· Screensaver messages
· Via e-learning platform
· Live meetings
· Live training
Ring. Ring. Ring…is anyone there? Can you hear me now? Have I reached the right number? Nearly everyone with a compliance program has some sort of reporting mechanism, whether it’s a formal whistle-blower hotline or an email address for the compliance department. But how good is your whistle-blower hotline? To find out, answer these three questions.
1. Who can call?
Do you want to hear about the ethical concerns of your employees? Of course. What about the concerns of your suppliers? How about the compliance concerns of your customers? Yes? Yes. Knowledge is power. While it’s true that if you extend the availability of your whistle-blower hotline to the outside world, you may get some spurious complaints, a real concern that you can properly investigate is worth the irritation of a couple of consumer gripes about your product.
A mature compliance program’s whistle-blower hotline should be available to:
· Your employees
· Your suppliers
· Your business partners
· The public
Extend the reach of your hotline so that everyone who needs to contact you can do so.
2. How can they communicate with you?
Imagine you’re really hungry. You walk up the street and see two restaurants. One has an “A” rating on the window for food safety, certified by the city’s health and safety body. The other has a handwritten “A” on the window, without any information as to who gave the grade. Which restaurant would you go into?
With respect to the ISO 37001 Anti-Bribery Management Systems Certification, many commentators have asked the question, “Who is doing the certification!?!” Up until recently the answer was simply, “Certification bodies.” But which certification bodies? And how do you know whether a certification body has a quality process in place to ensure that it only certifies companies that meet the high threshold requirements of ISO 37001?
When the anti-bribery ISO standard was published in Oct. 2016, a second standard was published with it. This second standard, ISO 17021-9, laid out the auditing criteria that were to be used to determine whether a company had met the standard, and specified that only anti-bribery experts could be auditors. While the auditing criteria could be applied immediately, verification that a certifying body was following those criteria would take longer to judge. That is because, similar to companies seeking ISO 37001 certification, certification bodies can seek accreditation by proving that they are following proper ISO certification standards.
The Accreditation Process
ISO is a global NGO comprised of member bodies from all participating countries. Each country has what’s called an accrediting body. This body evaluates certifying bodies and decides whether the certifying body is following the auditing criteria associated with various ISO standards, including ISO 37001. This is a rigorous process. After reviewing audits, if the accrediting body is satisfied, it will accredit the certifying body.
Where I live in the United Kingdom, the ISO member body is called UKAS. It is “responsible for determining, in the public interest, the technical competence and integrity of organizations offering testing, calibration and certification services.” UKAS began a pilot program in July 2017 to begin accrediting certification bodies for the ISO 37001 Standard. The process is long and arduous, requiring the applicant certification body to submit to multiple reviews while the UKAS personnel observe the ISO 37001 certification audits as they take place to ensure the certification body is adhering to the ISO 17021-1 and -9 standards, and awarding ISO 37001 certification only when it is truly earned.
In the United States, the ISO member body is called ANSI/ANAB. It is responsible for granting accreditation to certifying bodies. After launching its ISO 37001 accreditation process last year, it has now accredited several certification bodies and several more certification bodies are going through the accreditation process, including ETHIC Intelligence and Perry Johnson Registrars, Inc.
The good news? Accreditation is FINALLY being granted to the best ISO 37001 certification bodies. It is now possible to separate the wheat from the chaff, as the multi-year review process is coming to an end for the early adopters.
(Note - this post is written for compliance officers by Spark Compliance Consulting's CEO, Kristy Grant-Hart)
Do you need a compliance program evaluation? And if so, should it be done by an outside party? It can be scary to allow an outsider to perform an assessment. I know this first hand – when I was in-house, I remember being deeply uncomfortable when we brought in the evaluators. Would the assessor say my program was terrible, which would embarrass me or make me look bad? Would they say everything was great, when I knew there were unresolved problems, and then management wouldn’t hear my requests for more resources? Was it worth subjecting myself and the program to a review?
The short answer is yes: it was not only worth it, but my program benefited for years to come. Here are four reasons why that’s true:
No. 1: Program Evaluations are Expected Under Regulatory Guidelines
Make no mistake, the Federal Sentencing Guidelines say that companies need to “evaluate periodically the effectiveness of the organization's compliance and ethics program.” Likewise, ISO 37001 requires auditing of the anti-bribery program on a regular basis. Obtaining and maintaining certification requires it.
There’s a good reason regulators expect program reviews: you can’t improve without them. Why is it critical to have an external reviewer? Because…
No. 2: You Can’t Effectively Audit Your Own Work
“Wait, they want three months of the CEO’s personal bank statements? Are they insane?” This was a real request to one of my clients via a due diligence questionnaire. When I called to inquire with the requesting company why they needed this, they said that they wanted to ensure that the CEO wasn’t receiving “unusual payments” that could be a bribe.
Due diligence questionnaires are a critical tool for understanding third parties. But they can quickly get out of control, putting unreasonable burdens on the answering party and, at worst, invading the privacy of individuals in wholly unnecessary ways.
How do you balance the legitimate need for information with the reality that no questionnaire can fully protect the company from the possibility that the third party will misbehave? Here are three do’s and don’ts when it comes to due diligence questionnaires.
1. Don’t Ask For Information That Won’t Stop The Third Party From Being Approved
Most due diligence questionnaires are far too overreaching. The rule should be this: if you wouldn’t deny a third party when the answer is negative, don’t ask the question.
Some questionnaires ask if any employee has ever been convicted of a misdemeanor. First of all, as many companies have thousands of employees, how could they possibly answer this in good faith? Secondly, if a key manager had a shoplifting offense or marijuana conviction from twenty years ago, would this stop the third-party from being engaged by your company? If the answer is yes, ask the question. If the answer is no, don’t.
2. Do Ask All Questions You Require for Your Risk Ranking and Approval
You probably need to know information about the ultimate beneficial owner(s) of any higher-risk third party working with your company. You also probably need to know the names and titles of key managers, as well as whether the company has ever been convicted of bribery or another compliance-related offense. Ask all of the questions you need up front so you’re not going back to the third party again and again. Have an “if yes” methodology that allows the third party to explain itself if it answers important questions in the affirmative.
They’re already written, right? And you’ve had a lawyer look them over in the States. What could be easier? Hold on right there. It’s not always obvious that certain words, phrases or concepts may need to be changed or removed in order to meet the expectations of your employees in the rest of the world. Here are the top seven things to avoid in globalizing your Code, employee handbook or policies.
Reference to U.S. Law
Referring to “local, state or federal law,” or “state laws” can immediately flag your policy as U.S.-centric. Instead, include references to “all applicable laws,” or to other in-scope jurisdictions, such as European Union (EU) law. If your company is only in a few jurisdictions, you can write out the name of each country. If you want to keep references to U.S. federal law in your Code or policies, try “national, state, local, or U.S. federal law.”
Also – as Brexit approaches, please note that references relating to EU law may need to be changed to “UK and EU law,” as the Brexit process may separate UK law from EU law in the near future.
Spark Compliance Consulting is delighted to announce that it has been shortlisted for the Compliance Consulting Team of the Year award for the second year in a row at the Women in Compliance Awards. (see our press release HERE)
In addition, founder Kristy Grant-Hart has been honored with a nomination for the inaugural Mentor Award for the Advancement of Women in Compliance.
Spark Compliance Consulting had a banner year in 2017. The business grew 185% and Spark expanded from its offices in London and Los Angeles to a new office opened in Atlanta in the latter half of the year.
The annual Women in Compliance Awards are “the ultimate celebration of the achievements female compliance professionals make every day in the world of compliance and business. The Awards embody the very best initiatives, individuals and teams, bringing into sharp focus the united efforts of this innovative and dynamic sector” according to organizer C-5. The black-tie event, featuring a champagne reception, formal dinner and celebrity entertainment, will be held on March 22nd at the Sheraton Grand Hotel Park Lane, in London.
This is a guest post by Patrick O'Kane, Author of "GDPR - Fix it Fast! Apply GDPR to Your Company in 10 Simple Steps"
Staff training is a crucial part of protecting data privacy. One recent study found that human error is the leading cause of data breaches, featuring in 37% of data breaches. Providing staff training is an important part of avoiding GDPR fines.
Despite its importance, staff training is perhaps the most under-emphasised part of any GDPR project. Companies have been busy fixing their processes, working on their information security and updating their customer consents; however, there seems to be little attention paid to how staff training will need to be revamped in order to keep your company in line with the requirements of GDPR.
These are my 3 tips on staff training:
In October 2016, the International Organization for Standardization (“ISO”) published ISO 37001, the first global standard for the development and implementation of an anti-bribery management system. The emergence of ISO 37001 was a welcome development, as it provides a universal framework for managing bribery risk that can be used by organizations of all sizes, industries, regions and risk profiles. To date, Peru, Singapore and the Philippines have adopted ISO 37001 as their respective government’s standard, and other countries are expected to follow their lead.
A unique feature of ISO 37001 is that an organization can demonstrate compliance with the standard by obtaining a certification from an independent, accredited auditor. The certification brings substantial value to an organization as it provides an objective means by which it can outwardly demonstrate its commitment to combating bribery. Not only does this provide a competitive advantage over an organization’s non-certified competitors, but it also levels the playing field (from a bribery risk management perspective) for smaller organizations competing against large multinational corporations or foreign domestic firms.
ISO 37001 is not without its critics. The criticism, however, is generally not directed at the standard itself. Instead, the critics take issue with the certification of the standard. A common theme of their arguments is that the certification process is merely a check-the-box exercise where an auditor only confirms the existence of a “paper program”. The critics argue that the process falls short because it makes no determination as to whether the program is actually put into action. They also contend that the certification only reflects the status of the program at a given moment in time (i.e. the evaluation period) and, thus, lacks any predictive value as to how the organization will conduct itself in the future. In short, they conclude the certification is worthless because it does not ensure that the certified organization is “doing anti-bribery compliance” or will “do anti-bribery compliance” in the future.
There are three fundamental flaws with the critics’ argument...
For everyone struggling with implementation of the new European General Data Protection Regulation (GDPR), Patrick O’Kane has written a fabulous new book called GDPR – Fix it Fast: Apply GDPR to Your Company in Ten Simple Steps. I wrote the Foreword for the book, and am so proud to be involved. The following is a guest post by Patrick O’Kane. The Kindle edition of the book can be found here on Amazon. The hardcover edition will be available Jan. 1.
How to fix your company policies for GDPR – Three things you need to know