Robust Program Mechanics (Best Practices with Corresponding Procedures)
While the leadership is probably the most critical component, the leaders cannot effectively lead if they do not have the tools to keep flying the ship, even under the difficult and trying times. Captain Sullenberger had to make some hard decisions, but if there was not an APU and other safety procedures in place, then even his great leadership could not have saved the flight. It is only when the proper mechanisms are in place that these components can come together to effectively avert disaster and make a safe landing. Otherwise, the system breaks down and the perfect execution of the landing is compromised, leading to further damage to the property, the people and the reputation. However, with an effective system of mitigating risks, the company can be ready to isolate any incident and quickly remove the elements that led to the issue. With the appropriate controls, the company can escape damage, be ready to adjust and learn from the mistakes in order to progress with a better strategy for the future. The system acts as a counterbalancing influence that monitors and analyzes the various inputs to best predict vulnerabilities and minimize damage. This can make all the difference in the survival and prosperity of the organization in the aftermath of a serious incident. Two components that can immeasurably strengthen compliance programs are risk-based screening and scores and periodic audits and monitoring.
Risk-Based Third-Party Screening and Scores
We must always anticipate where we are most at risk for corruption to affect our business dealings.
In order to be sure the plane is ready to fly, the pilot goes through a checklist, known as the pre-flight checklist. This checklist ensures that all the systems are in working order and everything seems normal before take-off. For the corporation, a questionnaire is like the pre-flight checklist. It allows the company a systematic process to score and screen new agents, vendors or other types of intermediaries. This questionnaire process assures the company that the third party operates their business consistent with the culture, processes and principles of your company. If they check out, you get the green light and you’re ready to get going. If things do not check out, meaning you get a medium or high risk score, this will either cause you to slow down and take caution or put on the brakes completely.
Once at this stage, the risk review team can go deeper. Just as the airline calls in the mechanics and engineers, this team will analyze the situation further to either determine the problem and solve it, or cancel the flight/project all together. In the case of the company, this can greatly decrease the time and damage done by a bad relationship and many times head off mistakes before they happen. It is essential to make sure the plane is ready for flight before it takes off. But once you are underway, the system must continue to monitor the equipment, the protocol and the process to be sure everything keeps on running smoothly. This can be done through periodic audits and monitoring.
Periodic Audits and Monitoring
We must always be vigilant combating corruption and unethical actions.
While risk-based screening can help prevent problems by keeping the company from doing business with certain third parties, other mechanisms need to be in place that will work to protect the organization throughout the lifetime of its existing business relationships. These mechanisms must continue to monitor relationships, protocols and processes to be sure everything keeps on running smoothly.
Third-party contracts should include explicit provisions regarding supplier adherence to a company’s compliance and ethics expectations. The third parties should be encouraged or required to obtain a third-party certification for compliance and ethics expectations. The third-party acknowledgment and compliance with the supplier, distributor or third-party code of conduct should be a required condition of doing business with the company. In addition, a company can require third parties to follow an industry code of conduct. So once the third party has agreed to these things, and the contract allows for audits, it is important that the company actually perform these audits. Compliance and ethics initiatives often specifically target third parties, but they should also apply to your company’s internal parties and employees who interact with the customers and intermediaries. Remember, it took the pilot, co-pilot, the crew and all the passengers, as well as the rescue efforts to know what they are doing and act accordingly for the flight or rescue to be a success. In an organization, the sum of all the working parts and parties contribute to the overall integrity of the company and must be united around compliance and ethics expectations.
These strategies and tactics can help your company manage the day-to-day compliance processes, just like the checklist, the APU, training and inspections help the planes manage their normal flight procedures. However, when something out of the ordinary does happen, these guidelines also allow the leadership to have confidence that the appropriate tools are in place to face the challenge, manage the company through crisis and minimize possible damage and/or casualties.
These steps reduce the amount of damage to the company’s reputation, minimize the impact to the company’s earnings and preserve jobs of the employees as well as the relationships with intermediaries and customers. Budgets, lack of vision, a check-the-box mentality, disregard for process adherence and directives and an inability to manage and analyze trends and data are the greatest threats to an organization being able to prepare. That is why clear leadership and sound advice are needed to protect both your company’s reputation and bottom line. Reputational harm can be especially difficult to overcome, particularly in the short term. According to a 2014 university study, indirect costs related to reputational damage, often in the form of cumulative shareholder loss, “represent a 46.3 percent reduction of market capitalization for firms accused of both bribery and financial fraud.”[i]
“Sully” and his crew led Flight 1549 to safety, but it could not have been done if the people who made the plane and ran the airline had not put the right mechanisms in place to allow them to do so. Therefore, I reiterate Captain Sullenberger’s quote; “We know that we must always be prepared. We must always anticipate. We must always be vigilant. Expecting the unexpected and having an effective plan for dealing with it must be in the very makeup of every professional…” These words ring true for any organization that wants to operate successfully in the business and compliance environment of today. A company can apply Sully’s words by anticipating a certain level of corruption whenever we do business in risky areas. We are “vigilant” by reinforcing the principles, updating and adjusting when needed. We expect the unexpected to happen. While we might not always prevent accidents, having a system to quickly respond will minimize damages and correct issues more precisely and in less time. An effective compliance program protects the company, its employees, third parties and its customers as well as preserving the reputation, jobs and profitability of the organization.
Epilogue
In the movie “Sully,” an auxiliary power unit (APU) system played a role in the miraculous landing of U.S. Air Flight 1549 on the Hudson River on January 15, 2009.
The compliance function is a lot like that of the auxiliary power unit that helped Captain Sullenberger and crew respond to crisis when a failure occurred in another part of the plane. It may operate quietly in the background for many years, especially if leaders demonstrate their commitment to ethical business dealings – if there is clear direction throughout every level of the organization and if there are the needed mechanisms in place to keep compliance processes running smoothly. Sound training programs also provide a great foundation for continued improvement and protect the company from lapses or oversights by employees who don’t understand the nature of corruption or the ethical challenges in the international space. Neglecting any of these crucial operating components could mean disaster if an organization is not functioning properly when ethical and compliance practices are tested.
As noted before, we don’t have compliance departments for the company to make money; instead, we have compliance departments to keep the money the company makes and to be sure we are ready when trouble comes.
[i] http://masonlec.org/site/rte_uploads/files/FCPA%20II%20Final%20(6.4).pdf
John W. Fanning is a Business Development Director in Kroll’s Compliance practice, based in the Houston area. John works to broadening Kroll’s presence in the South Central United States and Latin America, as well as working with and advising Kroll’s North American customers. In addition to his focus on client service he is subject matter expert in the compliance space. John works with multi-national companies providing "Best Practices" for Anti-Corruption/FCPA Programs. He helps to develop effective strategies for using due diligence and technology for effective 3rd party risk mitigation, through Compliance Solutions, AML, Anti-Corruption and FCPA disciplines.
John has held various roles in the Governance, Risk and Compliance, Information, and Legal Industries for over 20 years. Prior to joining Kroll, John worked for both LexisNexis and Thomson Reuters. He has successfully helped fortune 500 corporations, large law firms, government agencies and law enforcement professionals design, build, maintain and enhance their legal, due diligence and compliance information, work flows and internal processes. John leverages Kroll’s technology, his experience, and the team knowledgeable professionals and experts at Kroll to build comprehensive compliance solutions that help protect the reputation of clients. 
