Ensure Compliance with Digital Signature Laws for Employee Surveys in Mexico

How to eSign a document: digital signature lawfulness for Employee Compliance Survey in Mexico

the broadcast is now starting all attendees are in listen only mode hello everyone this is uh Mike volkup uh and you're here for uh today's webinar had a good turnout a lot of people signed up for how to conduct a compliance program assessment um uh if uh you should be able to download a set of the slides if you're not able to just send me an email and I'll send them to you right after we're finished email is on the first page there m volkoff at uh M volkovlaw.com please let me know if you have any trouble hearing me um and make sure we don't have any technical problems before we get started we've got a lot of material to cover and I hope everybody had a great Thanksgiving holiday and I appreciate your uh showing up but anyways please let me know if there are any problems uh in terms of hearing or anything and to make sure that you can see the slides as well I just shared them uh on the uh on the system so make sure you can see those as well and hopefully you can uh download um download them uh at this point so you you can go along with them but let me know if there are any problems if you do have questions uh please feel free to um uh please feel free to um to put them in and I'll try to get to them as we go along anyways uh thank you again for showing up um this is a good topic it also uh just to start off with a little bit of an advertisement uh it does this is sort of right in our sweet spot at the firm we've done a lot of compliance program assessments um sometimes you know we call them risk and compliance program assessments uh this is more sort of focusing on just the compliance aspect I've done presentations before in Risk assessments but this to me is how you get it into the actual sort of details of your compliance program uh and to make sure that you can do uh get into that anyways we've done a lot of uh assessments uh in a variety of Industries it really is something that we do a lot of we have a lot of experience in this area with different Industries and we are we obviously stay up to date with government guidance we work with clients putting programs together we can always put together benchmarking data as well in specific Industries so it's something that we enjoy doing and love uh working in so it's something that we hope we get an opportunity to work with you so I thought we'd start out with some basic questions why do we do it who should do it and how should they do it um so let's start first with why do we even conduct an assessment and I have found that just working with clients that obviously it's used internally externally if you have to deal with Regulators or you have to deal with the government but internally it's really a great sort of knowledge is power thing but also it gives you the insights into your program what's working and you want to get to that goal of effective ethics and compliance program the review process itself is very powerful and very helpful I found that most compliance people who participate in the process with us learn a lot as do we because they finally have the time or they dedicate the time to talk to people learn more about the business and provide sort of essential Frameworks in which to make important decisions about compliance so it's really great it also gives you a way to prioritize your projects or your initiatives and of course it gives you a way to speak to you know the board Senior Management other functions that you need in terms of coordination with and operationalizing your program and in the end look we want a strong corporate culture that protects our corporate reputation so that's why it's something that we feel very strongly about and obviously The Regulators want to see this as well just to give you a summary of some of the government guidance and the mandates that have come from government guidance um and frankly these the guidance you know some oftentimes becomes a standard uh and it also becomes informs best practices and then if they're domestic here in the United States they tend to have a big impact in the international field as well so please uh you know these are just basic um Provisions that come out of uh the department of Justice's uh evaluation of corporate compliance programs I did not list here it's evaluation with regard to criminal and I trust but it includes similar language uh and you should always take that into account so doj you have not only the sort of corporate compliance programs in the Criminal Division applying across the board but now it also we have it in the antitrust division as well so it affects everything Federal sentencing guidelines we had and then in 2019 we had ofac uh with their compliance commitments uh guidance obviously we've had the fcpa guidance in 2012 and 2020 and to the extent you're involved in health care issues subject to HHS oigs oversight false claims act there's a lot of there's a great guidance document from 2017 which I've written a bunch about which is a resource guide on measuring compliance program Effectiveness so not only is it a good idea for you but it's also something the government expects uh as well I think the the the calculation with regard to the government is even more significant now based upon the recent speech by uh the deputy attorney general it's not assistant general the deputy attorney general Lisa Monaco uh who talked about uh the upcoming White Collar enforcement barrage um and we're going to see that and basically she was pretty upfront about that companies uh if you don't have you better have an effective ethics and compliance program if you don't have it you will be penalized uh but also they they made it very she made it very clear she doesn't want to hear that you don't have enough resources to do this or that um she was pretty explicit about that uh and that in close cases uh the failure to have an effective compliance program means there's a greater probability that doj will bring the case uh and then she also reminded everybody that they are going to rely County independent corporate monitors again to a greater extent than the prior Administration so this is yet another reason uh to do this now um uh I only put these two Frameworks up here just so you have these to work with there's a framework obviously in the healthcare sector as well which is dates back further but in the elements of a program but here the requirements uh and I just listed these for your benefit just to have olfac in terms of its guidance talks about these five areas and the doj evaluation of corporate compliance um this is the general requirement but there are specific ethics and compliance program uh requirements that are set out in the evaluation uh document which is a critical document for everybody to look but we're going to talk about how we use those and use some of the standards that are in there as well the evaluation framework is set upon these three important questions and uh the evaluation framework is something when I'm doing an assessment uh you know with a client we will start with a lot of those factors and then tailor it uh to the specific circumstances of the the company that we're working with or the client but first is the corporation's compliance program well designed second is it uh being applied in earnestly and in good faith in other words is the program adequately resourced and empowered to function effectively and that was new language that was put in the in other words and third does the corporation's compliance program work in practice the second question was added they added that language I think because they had seen that too many compliance programs without prop the proper amount of resources and a lack of empowerment where for example there was not a control in place that a the chief compliance officer had to sign off on a particular transaction and basically giving the the chief compliance officer the ability to stop a transaction if they believed it was in uh it was not in compliance with either the company's code or the law or whatever so these are the three critical questions we talk about now the second Point here that I wanted to get at is there's a distinction and I think this is uh sort of the assumption that I'm making in there's a distinction between um what I would call continuous monitoring and Improvement in a formal compliance program assessment now when I me when the doj guidance talks about continuous monitoring and Improvement they have also started to push that concept to say that it's really important the in their upgrade their uh their revisions to the guidance they talked at length about the importance of continuous monitoring and improvements and they want to see proof that for example your updated risk assessment is then informs your let's say policies and procedures and that this is an ongoing basis when I look at a compliance program assessment here's the distinction I see it as more sort of a snapshot it's an enterprise-wide or could be a discrete part of the organization within an Enterprise where we re review carefully the elements of a compliance program and assess it based upon how it's doing in other words is it performing is it doing those elements are they performing well for what we're doing and what our goals are so it's a review that's distinct from sort of a continuous monitoring and updating which is of a compliance program which is an ongoing process for which the part of the assessment includes looking at how we do continuous monitoring and updating for example uh to me the one of the key issues is how do you update your risk assessment uh and you should be updating it on a continuous basis but not on a fulsome you know elaborate risk assessment process but to have some process in place uh in between the time period that you may conduct a more formal risk assessment so my recommendation and our recommendation in general in this area and we've been asked a lot by clients and I think it works well is to have a comprehensive program assist assessment at least uh every three years and then that will result in sort of a gap analysis then a listing of projects and then over uh the next three year period you would prioritize implementation of remedial steps that need to be done now obviously all of this is subject to changes in business or the specific context or what exactly the project is you acquire somebody you grow in a certain way uh you know there's a huge investment to expand into International markets or things like that obviously I'm making a lot of assumptions here but in general I think the formal comprehensive assessment should be done every three years and then within that time period you're doing remediation but you're also doing a continuous monitoring type process for various functions where you can incorporate improvements as you're going along as well so there may be some overlap with that process as well so the big picture and where we start when we're trying to do this is the and the big issue is determining your scope okay are we going to do this Enterprise wide or are we going to do a portion of our business or whatever we want to do in terms of our compliance program we're also going to have to figure out how we're going to do it what's our methodology what information are we going to collect what types of information are we going to collect and I'll we're going to talk about that and uh are we also going to do certain testing and review as part of this as part of the ongoing assessment process or to the extent and this is another big assumption the company itself has its own or compliance program has its own testing or reviews or internal audit is doing certain testing and reviews we will review those testing procedures to determine whether they're adequate on the other hand we also as part of the assessment process I think if we have the time and inclination can do some conduct of the testing and the review uh do our own testing and I'll show you when we talk about this a little bit more about what kind of things can be done in this context um uh um I also would like so we have would then come up with an assessment some conclusions and then we have to inform everybody and then we have to come up uh with um with obviously um you know plan and a priority plan and then we have to be people have to be held accountable for the plan itself and how they're going to be uh accomplishing it or so the continuous Improvement Loop you know starts with our assessment uh there'll be a gap analysis a three-year remediation plan with obviously high priority items in the first year and then lower as we go to second and third year same with uh and then we still have this continuous monitoring and improvements process which ultimately will be picked up and caught uh in in you know on an ongoing basis but then every three years would be then measured again on the assessment process that we're talking about and I'm going to go into all the details of what factors what issues we're going to look at and that goes into the scope and how we're going to do that before we get to that though who should conduct the assessment now I've seen a variety of ways that this is done one is I've seen uh Chief compliance officers who have the time and are able to do it and they gain a lot of valuable insights it creates a very positive ongoing relationship with business people because you get to meet and know a lot of people I've seen some people uh you know it's a lot of time to put in so it's hard for ccos and their team to do this the other point that comes up sometimes is whether or not it's an independent and objective in a sense you're get you're judging yourself and you're saying oh I'm doing a great job and you want to report that to the board and to everybody else it's a little bit more difficult to do that so you got to be careful I think with regard to who's going to do that but I've seen some people do sort of more informal thing themselves I've also seen ccos who work with uh you know compliance departments that will partner with internal audit and that gives them a little bit more Independence and an objective view because internal audit obviously doesn't have a you know a stake in it to the same extent um most of the time we see external Consultants brought in you know for these bigger type assessments uh Consultants law firms volkov law yes we do fair amount of this uh but our model is not necessarily to come in and just push everybody the side and do our you know independent review we work actually very closely with the compliance team because uh we and I encourage them to accompany us let's say if we're doing interviews and whatever to participate as much as possible because they learn a ton and it's also good because you get the benefits of the ongoing relationship and they gain valuable insights it doesn't affect our objective view because uh we're not there to make the CCO happy the CCO wants to hear our sort of independent advice and the independence I think adds a level of credibility when this is then brought before the board or it's a senior management team it reduces the burden on compliance and audit teams time wise but it's obviously more costly uh you know than than having an internal team do it now the one thing I can say about the model we use is we're a lot cheaper than sort of the big four or any big Law Firm because we know what we're doing and we know how to do this in a sort of an efficient way and that's one of the ways we also sell uh you know to get to obviously to get more business so it's a positive experience for ccos I can't tell you every person that I've done this with has really enjoyed the experience I mean it's been a little bit of a drain on their time um but they get to meet people it also sends the right message I think to have the chief compliance officer or members of the compliance team with us when we're doing this or with the you know third party whoever you may choose to do it with um because it shows a commitment to compliance that you're listening uh that you're part of the assessment process you want to hear objectively from these folks about this and it allows you then um you know if you piggyback on a third party that's doing this it allows you to really um you know get some valuable insights without all of the time that's involved in other words let the third party uh provide or dig through a lot of the details and come up with sort of approaches to issues that you can then review and partner with them on uh and inevitably you will find unknown activities or risk creating activities I always remember I was with someone uh and he heard for the first time that they had seven you know third parties in Brazil without any contracts out there trying to sell their products um the other thing that comes about it through this is that the compliance you know the gaps in the compliance program become readily uh apparent in this so now let's talk about sources of information um and the way that you do this and how you get this done um and this is where you have to spend time and we're going to talk about the issues and when we get to each of the issues that have to be examined the question will be okay now how are we going to get at that issue are we going to rely on qualitative and quantitative or testing information what are we going to do and how are we going to get this so qualitative type of information to me is always the ability to interview people have Workshop groups with people I have a one friend who's a chief compliance officer who you know will have a group of people and do workshops with them sort of let's say managers of all five divisions in the company uh and then have an in a round table where everybody sort of discusses the issues and they go down the checklist of sort of issues they want to cover and there's a really valuable discussion um those internal workshops panel of managers whatever can be really very helpful in both cases we're going to look at documents because we want to see what's going on uh in both cases qualitative or quantitative it just depends on what you do so for example documents we will go through all the board meeting minutes and presentations by the compliance team uh the slide decks and everything like that over let's say a multi-year three-year Pro you know last three years and we'll look at those documents and we will look at the minutes and if any specific issues require follow-up we'll do that but it gives us a good a good sort of a good test on this focus groups are another thing that we can do in the qualitative area it's not quantitative again and surveys we can have culture surveys not enterprise-wide but targeted uh surveys or if you there's a specific compliance program aspect that you want to do some surveying on that's good and these are targeted quick hit sort of Rapid Fire surveys that you know 10 or 12 questions and we can try to do that as part of the assessment process but these are on the qualitative side these are really sort of uh really some of the standards now in terms of quantitative look the the compliance programs these days particularly if you have automated platforms for some part or all of your program is going to generate a lot of data third-party data how many third parties where are they from what kind of you know how long was the uh uh the due diligence process uh from the beginning to the end um you know all of these types of things can be uh looked at we look at documents now control testing and review is that you have certain controls or you have policies and procedures and are people complying with them and how are they complying with them are they complying with them in in the proper manner and I'll show you a couple of examples of that financial transaction sampling always something to do now notice that I say quantitative and sampling that is really sampling is the key here we're not going to go through everything not all the third parties not all the internal investigations but we're going to look at for example we've done in reviews of an internal investigation program and we'll sample the internal investigations you know pick a sample of 20 or 30 and make sure and go through the file and and make some observations and uh about that same with financial transactions you can look at sort of key accounts to do that as well we also always have you know as you all know employee reporting and incident data which can be used again in terms of measuring certain requirements is that as well um somebody asked a good question which is what's the difference between a workshop and a focus group a focus group is a workshop to me is similar managers and employees focus groups tend you know like all let's say division directors a focus group may be sort of a more broader range of people at different positions in the company when I use workshops it's more like um uh more like similarly situated groups and groups of people with equivalent sort of levels within the company um okay so uh let's see so let's go now to assessment topics for a second and this is what I wanted to talk to you about in terms of the topics for that should be included for the review uh in those topics uh um and those topics I think are important and this provides a framework now obviously this has to be adjusted depending upon the situation where you work or you know who you're doing this for and what are the risks that you're actually looking at in terms of your compliance program um so for example sample topics uh for review and this is what I would call sort of the framework elements and then I'm going to framework issues and then we're going to talk in the next slide more in debt debt on the compliance program elements that are going to be ultimately evaluated so the framework starts with what operations does the company have what lines of business divisions Global operations and understanding that uh the organizational structure of the business of the entire organization uh including and then we also need to know exactly how is ethics and compliance set up or how are ethics and compliance resources allocated in that sense so for example if you have an Ethics ambassador program those are resources that have to be taken into account in terms of your assessment of the ethics and compliance structure and the performance similarly our scope has to include the specific risks and what I call mitigation strategies which is your program and the elements of your program so do we have corruption risks money laundering trade sanctions export controls antitrust if you're in the health care industry um you know you have domestic uh huge risks and the false claims act area in the health care industry of your medical uh health care provider uh if you're a pharmaceutical or medical device company you have domestic as well as International risks just look at Novartis and what they went through so health care and then we generally have fraud risks in other words people who steal people who embezzle money from us and we need to make sure we understand those types of risks as well and this is sort of our laundry list and we could have more or less depending upon you know we have trade sanctions and Export controls depending upon we may not be subject to export controls with dual use items or with defense articles but we may nonetheless be subject to trade sanctions and anti-boycott regulations and we have to make sure we're familiar with those so let's go now I wanted to talk a little bit more and I think this will be helpful to you is to look at the elements uh for assessment in other words what are we ultimately going to assess and as you're going through each of these issues a lot of these come from the guidance but they get modified here and there and you may take ad issues or remove issues depending upon your industry and what your answers are with regard to the framework in other words what your risk profile looks like what your International do what your Global footprint is like or is it just a United States footprint that type of thing or is it just certain countries you know including America including the United States of America with Mexico and Canada well that's going to be a different type of framework than if you're operating in 110 countries all around the world so let's talk about each of these elements and I short-handed these but just to give you a framework here so that we can talk about it compliance program elements for assessment has to include some kind of uh what kind of senior leadership oversight and monitoring is uh maintained do you have for example like a uh a senior executive uh compliance committee that you're the chair of and what's your interactions with senior leadership what do they what kind of information do they get on a regular basis and what kind of tone at the top are they setting up and also for your board what kind of tone at the top as well and derives from the corporate oversight the Senior Management oversight and the monitoring and the interactions and that occur we also now must look at corporate culture and management integrity and we'll go through the some of these issues in more detail in a minute in a minute uh corporate culture and management Integrity Communications uh that occur in terms of promoting ethical cultures the conduct of senior the board senior and middle management these are all three elements that have to be assessed as part of a corporate culture assessment uh in the way that the justice department has defined and really frankly best practices to find an industry standards to find uh and what kind of level of Engagement do we have with the board Senior Management and middle management we also need to look at the compliance program resources and the independence and the autonomy that's a big issue and it has to be objectively done in terms of are there enough people working in the compliance function do they have the authority and the autonomy are they properly qualified are they properly compensated all of the factors that come from the Justice Department's guidance are really helpful in terms of looking at this and resources are a continuing issue and you have to take an objective View and look at have you has the compliance Department requested resources has it been denied why what kind of resources were requested what was the explanation for these are all types of important issues and what kind of Staffing do they have do they have people located overseas do they have an ambassadors program as well all of these things are important what kind of risk assessment process do we have for determining a risk profile updating it meaning on a continuous basis or you know and by continuous I don't mean daily but you could have a quarterly survey that's sent out to update to key people not everybody uh on the risk assessment to see where you are in certain risks or anything changes uh and then how do you integrate the results or a change in a risk profile into your policies and procedures and other elements of your program third-party risk management we've talked with length about that uh in terms of this is another assessment element that has to be assessed your policies and procedures do you have a policy committee for example do you have a way in which the code of conduct is kept in the current made available on the intranet has links that work uh for connecting people to the code of conduct to regular policies do we have a conflict of interest third party risk management process policy same with Gibson hospitalities and any other relevant topics that may come out and flow out of your risk assessment and you'd have to be tailoring that so we also have then payment processes and internet and internal Financial controls how do we take invoices how do we review them those types of things uh and what kind of financial controls are in place to make sure that people are providing service that we don't have shell companies that we don't have shell vendors that we don't have some kind of subterfuge process going on we then look at some other interesting issues here confidential reporting these are all familiar to us and whether or not we get root causes if we have a good internal investigation function and results training Communications and continuing advice mergers and Acquisitions and the critical integration post acquisition integration process incentives and disciplinary measures incentives for an ethical conduct do we include for example enr um in our employee evaluations and what kind of discipline and consistent discipline hopefully is being meted out auditing improvements testing and monitoring activities and then Opera operationalization and coordination across the organization these are all the distinct issues that need to be looked at and I sort of put it like this and I tried some you know summarize this a little bit more for you or you know to try to give you a friend framework in in terms of that um so for example Frameworks uh again are operations your structure how ethics and compliance is structured your risk profile engagement gets at your leadership and management uh compliance function what kind of training and Communications and then our controls their compliance controls their financial controls go to employee reporting investigation and misconduct rates uh Financial obviously controls to the extent they overlap with the compliance program and like gives meals and entertainment policies and procedures are controls in the end and we want to look at those as well so those are the I'm trying to just give you sort of a framework within which uh to to look at in terms of this now I did get a question about the ambassador's program the ambassadors program is basically people who are designed related on a non-full-time basis but basically are available and participate in ethics and compliance activities but they would be working part-time on that while they let's say do other things and that's one of the ways that ethics and compliance people will leverage their resources in that in uh in that way um uh um the great question we got are there any elements that differ between private and public companies well that's a I think a really good question and there are some elements where you have to take you know obviously SEC risks uh if you're a public company uh are going to inform your financial controls and uh you know the way in which you're assessed on your internal controls and I don't think uh I think your risks in your risk profile in terms of your internal controls particularly financially are going to be um different it's a different sort of element of that so for example the invoice to payment process uh if we have weaknesses in that in a private company sure that's not great but they tend to be non-material issues uh and so it's not going to be as significant as if you were a public company and you have weaknesses in your invoice to payment process the SEC can cite you for that and they have uh and so that you'll have a differing sort of application of standards in that sense as well but that's a great question thank you for that uh so for each topic that I've talked about we have to review the questions look at the guidance uh sources that you have uh considering the industry that you're involved in and um and look at your sources of information and plot out what you want to look at so for example you would identify qualitative or quantitative factors review and decide on how you're going to do this re review the guidance from doj ofac HHS oig they have great ideas on topics and questions and modify them as relevant to what they apply to we can also um incorporate additional sources of information although I don't find them as you know I don't spend as much time with them oecd serious Fraud Office there's other International uh sort of non-profit groups that will put out uh you know compliance guidance um one thing is document your assessment process as you're going through it um and uh and we're going to talk a little bit about more about some of the quantitative data issues that I'd like to see uh you know some of them incorporated into the assessment itself if you have the time and the budget to do it and obviously we've done them without sort of detailed testing and we've and we've done them with detailed testing so there's there's different ways to sort of go about that issue now so what is really the value of you know pinning your assessment towards the guidance that is out there well it's a it's an excellent source of topics and questions uh it tends to be a very sort of um free-flowing sort of discussion back and forth uh in terms of the government sort of gives out guidance people incorporate it people address it um you know it's not likely that you're let's knock on wood that you're going to be subject to an enforcement action where you have to defend your compliance program but it is good for the industry and there's a sort of some standardization in some of the aspects here and it gives you some level of comfort it's obviously government guidance like starting with the sentencing guidelines and doj guidance now are going to have and have had a significant role in Industry developments along with enforcement actions and looking at what's being done but you must the only thing I would just remind everybody is adjust them for your specific situation and the scope of the assessment that you ultimately determine you want to have because you can't just be uh you know I'm just going to do everything that doj tells me no let's make sure it's relevant to what we're trying to accomplish uh in this in this process like I said automated platforms are available now and people are using them and as a result there's a lot of data that can be used uh third-party systems obviously Financial transactions and you know getting into your sap system let's say if you have that if you have an automated system uh like concur or another one for your gifts meals and entertainment there are ways to sort of do that if you have a policy management tool that can be very helpful in generating data conflicts of interest a lot of people have an automated tool for you know the annual certification or disclosure process training people are you know are trying to and we'll discuss that in a minute in terms of generating more data uh as you go along on whether your training is effective the feedback you get and whether people are tested and actually learning um similar with incident tracking and monitoring hotline reporting and record keeping we have lots of Records usually here with internal investigations as well so one point I would always urge everybody to do is to measure or review your existing measurement of your ethical culture um you know and I get to be a broken record here but you know particularly in the ESG area with the governance the focus on ethics and the focus on culture this is an area where people need to spend more time and I've been arguing uh for that and here are uh some of the ways in which you could do as part of an assessment uh you know assessing your ethical culture how well is your program doing in answering the big question and creating a culture of compliance the justice department wants to see a culture of compliance well how are we doing that how are we measuring that how are we responding to that data these are specific questions that the justice department guidance asks and that we better have answers for so these to me are some of the tools you can use in terms of creating it uh if you if you're gonna have a you know a measurement program of ethical culture test it and then you want to assess how well you are doing in measuring your ethical culture or if you don't have a program in place uh then you can do your own as part of an assessment a measurement of part of the ethical culture do not try to do the whole company uh it's too much work but really sort of I would Target here your higher risk activities and see what you can come up with in terms of that as well so um uh you know that's I mean that to me is really kind of like important is to get some handle on this in terms of uh in terms of this um okay so that we've talked about culture and here with the culture of compliance questions that are in the Justice Department guidance how often does the company measure its culture of compliance do you seek import from all levels uh and what's the perception of senior and middle management and what steps has the company taken in response to its measurement of the compliance culture I think most companies right now honestly are not doing any of this uh to be honest with you and I think that this is something that should be a higher priority and I think you just don't want to be in a situation where uh you know you don't uh you don't have an answer for any of that and relying upon the annual sort of HR or every two years HR type of surveying is just not that that effective uh I think um so anyways let's go back I mentioned another kind of testing that can be done which is control based Assessments in other words did your company do people comply with your applicable compliance controls so you break down a compliance control of policy and a procedure and and then break it down into specific and measurable type projects uh measurable type things so for example third-party onboarding are people following the process and break that process down same with gifts meals and entertainment trade compliance all of these to the extent you have processes in place for these are people following the process within which you're talking about so that's and I'll give you some examples so for example this is one engaging third parties uh and you look at these particular controls a through I and are they being followed so you'd go through a particular third party was there when they were on boarded was there a business justification um was it obtained at a reasonable cost in other words a fair market value analysis was it appropriate due diligence conducted supporting documentation maintained are there any red flags and then you have a contract and expenses and you know things like that legal review and approval of the contract uh in you know all I'm saying here is in this example is a control-based testing uh regime that you could use as a way as part of your overall assessment I don't want to do testing on every part of the company or every aspect of the compliance program but pick one or two areas that you think may be valuable to know here's one for sort of third party events uh in terms of in the health care sector for example where you may have a third party event overseas or domestically and here are some of the controls that they had in place in this company and then um uh you can then go through the you sample again the files by taking a few of the third party events and then subjecting it to these kind of questions and that's the way uh that I found it very helpful the sample use of the metrics then so then you can for example provide an assessment as part of your assessment how what percentage of people are you know satisfactorily adhering to our policy regarding third parties and this is something that's important so that may inform you in terms of after you're going on with your assessment that you may think okay now we need to do more training on third party due diligence and onboarding processes one other thing that I would mention uh in it's something that I like about the health care uh you know sort of compliance area for sampling is that they may uh you know they may start and it's a great sampling technique I think let's say they start with 10 uh samples and if nine out of ten are successful or positive then you stop the sampling if you uh if they're let's say five out of 10 are satisfactory then you take a larger sample uh and you try to get it down to an error rate that's sort of lower and it's a way to sort of build your sampling process in corporate Integrity agreements uh have these and they're it's actually pretty cool sampling process but what's the value of quantitative results let's say your assessment includes two topics that are quantitatively uh you know let's say one of them is the time within which it takes you to close uh internal investigations or let's say the you review a sample of internal investigations to see that the protocols that you have were followed those quantitative results while in that one year may not be you know so so valuable but it gives you a consistent way to measure and to support specific insights so for example you may do it one year and then the next year you do it again and then you have something to compare are we doing better are we getting worse what do we need to do to address this uh performance issues but remember there's a lot of assumptions that go on in testing even though people like to you know certainty and numbers and all that stuff there's validity issues of whether the data and the standards May really you know are they appropriate for what you're trying to measure but it's one good tool to have and not to just rely upon qualitative areas here for example is a sample of third-party risk management questions that we might use for example in assessing a third party risk management aspect of a compliance program and I just list these here just so you can see kind of the the range of issues that we may ask and this may include sort of some interviews of people who are responsible for onboarding on the vendor and supplier side and then we have onboarding of let's say on the distribution and sales side another group and we can go through these questions with sort of those two sort of groups uh and try to get a feel for that and then we may sample again the third party population uh you know and pick some of a small group out and do some uh sampling and just reviewing of some files along the way sampling is the best way to do it same with risk assessments we look at risk assessments to see um and is the compliance program uh you know designed and properly tailored and we start with the risk process in other words has the company identified as assessed and defined its risk profile and then basically applying and allocating its resources uh that makes total sense uh given its risk profile so again we'll review that as part of the process more time I think needs to be spent on training programs because um I I think there's a greater Push by the government and by the industry in general that are we really um training people correctly is it valuable is it we don't want just an attendance and certification type of measurement we want to test to ensure that employees are learning we're doing seeing a lot more quick hits you know small video small video presentations uh training rates uh and in tracking employee performance it would be interesting to see what like rates of misconduct are uh after being trained in let's say Russia let's say we train them all on anti-corruption and then we sort of track well how many anti-corruption issues are we having after we've done the training and after people pass tests so are they applying what we're teaching them in the real world so that's a new and I think pretty interesting issue the other data that we look at often is the hotline and the incident data which I think is a very valuable source of uh information uh as well for and there's obviously people already tracked this and report on it as well similarly with reporting investigations these are some of the issues and the questions are the internal investigations properly scoped accurately assessed independently conducted properly documented qualified and independent investigator and does it have sufficient funds and is there sort of a Lessons Learned Loop coming back as well and how we make sure making sure that we have a consistent discipline and is there an anonymous reporting Avenue these are issues that for example if you're going to look at investigations you can talk to people and ask these questions but I think it's always good to sample some of the investigations you know take 20 or so and just randomly take them and take a look at see what you see in terms of the files I remember doing this at a big company and I was amazed to see you know investigations were being conducted and closed based upon an email and there was no sort of proper paperwork or consistent paperwork across all the investigations so something to consider I've mentioned Financial transactions and you search for and here again to me you can take a look at high risk accounts you can take a look at the general ledger for let's say a subsidiary in a high risk area and you ask well let's see what the uh the accounts that are listed on the general ledger and you see some weird accounts like what is this why do they have this account which is called you know party fund or whatever and that's where you can look at things and you you risk rank uh your areas and you may end up or types of accounts or operations and you can do again some financial transaction testing and not in great depth you're not going to do an audit you're not going to do that but make this in terms of a sampling protocol something you want to do we also like I mentioned have to look at the compliance program resources and the autonomy these are some of the questions uh and this really you know how what's the reporting relationship like to the board what kind of access do you have what's your relationship like with the board and sufficient personnel and resources well-qualified people people who know what they're doing uh and also how are the compliance people treated in the organization in terms of uh you know corporate advancement and opportunities to advance within the company well I'm including here just for your own use You Know sample questions for what we look at in terms of the independence uh autonomy and authority of the chief compliance officer these are kinds of questions that we will look at and ask in terms of what role do they have and do they have proper resources uh and things like this this is more just like I wouldn't say I wouldn't be just you know just ask these questions these are just topic areas to make sure that you cover them in your process so let's talk about assessment results what we do ultimately is we come up with something like this sort of a heat map uh you know where the way you want to talk about it you know your red yellow green uh type of assessment in terms of and we will have on the left hand side some of the general categories that I mentioned uh and ultimately their judgment calls that have to be made here and I'll talk about that in a second and then we may even use sort of the compliance program maturity uh below industry standards and what do we use though ultimately to grade how do you grade somebody and it's a sort of an amorphous thing but we uh you know I hate to say it like you know it when you see it that type of answer but they're definitely judgment calls but they're also industry Benchmark reports for example we did a an assessment for a company in the retail industry and there happened to be a big uh Benchmark report that was done on compliance programs in the retail industry which was very helpful I mean you have to adjust for size and things like that but um it really uh can be you know really helpful the program deficiencies are often obvious because once you go down all the lists and all the the sort of prompts that you have um you really will find program deficiencies that are fairly obvious after a while the question usually will be well how do you rank this deficiency versus another um but in all and it's also difficult because you get a mix of qualitative and quantitative factors but I have to tell you that in many cases it's pretty obvious what needs to be done or what's not being done and in that respect um you know we need to have a report that we use but uh it becomes fairly obvious and relatively easy to write in terms of some of the issues uh and then I would always urge assessment reporting and that it should be shared with the board senior Executives you can do it in a summary form no more than three pages with a chart or summary uh a follow-up presentation uh may you know you share a summary and then you do a follow-up presentation 30 minutes to an hour uh and then the internal senior compliance committee if you have one hopefully uh would be re sort of own the assessment and the remediation schedule and what needs to be done and the priorities over the next three years uh that need to be done as well so I know there are a lot of issues um I appreciate all the questions um uh and I will um we'll try to get uh try to get to those if I didn't get to them already I do want to run the poll question and you know since we do a lot of work in this area uh please let us know if we can help you in this because we obviously have a lot of experience in this area so let us know if you want to talk about it or we're happy to consult um if you're going to do it internally yourself we're happy to help in that respect uh not something we would charge for or anything like that we would be happy to just give you feedback on stuff uh that may come up um but uh it's important this is an important issue like I said we've done a lot of these so we've seen sort of um you know how these are used effectively because eventually I think these kind of assessment reports are then used strategically in your own internal you know deliberations and own internal budgeting process to say well we had this assessment and you know this was identified as an issue that we need to address uh as well so um you know I would uh you know I would definitely um you know put some effort into this whether you do it internally or in combination with somebody please give some thought to it um in any event uh thanks again everybody I know we're at the end here if you need a set of the slides please uh if you couldn't download them and I apologize some of firewalls don't allow that if you could um send me an email at m volkov at volkov law that would be great um and then we could go from that and also there will be a recording that's made available on volkov law TV I should get it uploaded soon uh and uh you can also get a copy of that if you want other people to listen to it in your company and in a event this was I really appreciate it I know it's a lot of information this is an important area but please hope you all had a great holiday stay in touch and and hope to talk to you soon foreign