Managing Anti -Corruption Efforts in the New Era of ...

Managing Anti-Corruption Efforts in the New Era of Enforcement

The Sustainable Foreign Corruption Practice Act (FCPA) Compliance Program for Life Sciences Organizations

June 21, 2012

Christopher P. Cieslok Director Project Management Europe, MetricStream

Agenda

Backgroun and Introduction

FCPA in the Context of the Life Science Industry

Best Practices for Implementing FCPA Compliance Program

Leveraging Technology for FCPA Compliance

© 2012 MetricStream, Inc. All Rights Reserved.

Background and Introduction

*From Wikipedia; 20-June-2012 http://en.wikipedia.org/wiki/Corruption

*http://en.wikipedia.org/wiki/Foreign_Corrupt_Practices_Act


Lessons Learned On Compliance and Ethics © Thomas R. Fox / tomfoxlaw.com PC


Legal Disclaimer

• The views stated herein are solely that of the presenter.

• Everything in this presentation is a generalization and is subject to numerous exceptions.

© Thomas R. Fox / tomfoxlaw.com PC


Basics

Who or what is regulated?

Basis for regulation

What is prohibited?

Foreign Corrupt Practices Act

people, books & records

Listing of company’s securities on U.S. stock exchange,

nationality (“domestic concern”)

bribes, inaccurate books and records

Export and reexport controls

goods, software and technology

national origin of content

certain end uses, end users or end

destinations

Money Laundering people

nationality (such as citizenship, residency, physical

presence, or employing or parent company)

transactions involving certain

persons, countries or activities


FCPA Compliance Program

1. Code of Conduct

2. Tone at the Top

3. Anti-Corruption Policies and Procedures

4. Use of Risk Assessment

5. Annual Review

6. Senior Management Oversight and Reporting

7. Internal Controls

8. Training

9. Ongoing Advice and Guidance

10. Discipline

11. Use of Agents and Other Business Partners

12. Contractual Compliance Terms and Conditions

13. Ongoing Assessment

© Thomas R. Fox / tomfoxlaw.com PC


Third Party Relationship Check Up

• Do you have a list or database of all your third parties and their information?

• Have you done a risk assessment of your third parties and prioritized them by level of risk?

• Do you have a due diligence process for the selection of third parties, based on the risk assessment?

• Once the risk categories have been determined, create a written due diligence process.

• One the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?

• Is there someone in your organization who is responsible for the management of each of your third parties?

• What are “red flags” regarding a third party?


Red Flags

• Named as a Designated Party, SDN or on any similar list.

• Connections to countries identified as non-cooperative with international efforts against money laundering.

• Providing false or misleading information.

• Refusal to disclose the nature and source of assets.

• Refusal to identify a beneficial owner.

• Acting as the agent for an undisclosed principal.

• Company address is not a physical site but a PO box.

• Use of a shell company.

• Lack of concern regarding risks or transaction costs.

• Structuring transactions to avoid reporting requirements.

• Offering to engage in transaction with no or little business justification.

• A request that funds be transferred to an undisclosed third party or in another jurisdiction.

• Any transaction designed to evade taxes.


UK Bribery Act Adequate Procedures

1. Proportionate Procedures-a company’s anti-corruption procedures should be proportionate to the bribery risks it faces and to the nature, scale and complexity of its activities.

2. Top level commitment – this concerns establishing a culture across the organization in which bribery is unacceptable. If your business is small or medium sized this may not require much sophistication but the theme is making the message clear, unambiguous and regularly made to all staff and business partners.

3. Risk Assessment – this is about knowing and keeping up to date with the bribery risks you face in your sector and market.

4. Due diligence – this is about knowing who you do business with; knowing why, when and to whom you are releasing funds and seeking reciprocal anti-bribery agreements; and being in a position to feel confident that business relationships are transparent and ethical.

5. Communications– this concerns both internal and external communications. It should begin with a strong “Tone at the Top” but also focus on implementation of policies and procedures. There should be policies for gifts, hospitality, travel & entertainment, charitable and political contribution and sufficient internal controls. Training for both at-risk employees and similarly situated third parties. Strong Code of Conduct.

6. Monitoring and review – this relates to auditing and financial controls that are sensitive to bribery and are transparent, considering how regularly you need to review your policies and procedures.


Life Sciences Enforcement Actions


Johnson and Johnson

• $77 MM fine

• Cooperation regarding competitors

• Enhanced compliance obligations

• Credibility-can you make a comeback?

©


Smith and Nephew

• Use of distributors to pay bribes

$22MM fines and penalties

External Monitor

©


Depuy

• UK action-pre Bribery Act implementation

Individual Prosecution of John Robert Dougall

One Year Jail time

©


Biomet

• Bribes paid to doctors to use products

Failure of Internal Audit

$22.6 MM in fines and penalties

Three Year Compliance Monitor

©


Compliance Convergence


Export Control Compliance Program

1. Top and Middle Management Committee.

2. Continuous Risk Assessment.

3. A written policy back up by a procedures manual.

4. Ongoing training of employees.

5. Ongoing screening of employees, contractors, customers, products and transactions.

6. Record Keeping.

7. Period Audits.

8. An internal program for the reporting of violations and appropriate mechanism for escalation of any export violations.

9. Appropriate corrective actions to hold employees accountable under a progressive disciplinary program and voluntary self-disclosure.


AML Program

1. Communications and Training – specific communications and training for the high-risk market should be designed and implemented with a country-specific approach which identifies the risks and the compliance response to the risk.

2. Enhanced Controls and Review – additional controls for each policy should be implemented with greater scrutiny of auditing of expenditures.

3. Due Diligence – the hiring of third parties should be subject to even greater scrutiny than typical in the high-risk country. A conservative compliance response to any red flags is imperative.

4. Monitoring and Auditing – the monitoring of activities in a high-risk country is a key aspect of any high-risk program. Auditing of every aspect of the operation should be conducted on a regular basis.


Managing Anti-Corruption Efforts in the New Era of Enforcement FCPA Compliance Program for Life Sciences Organizations Christopher P. Cieslok Product Marketing Manager, Corporate Compliance Solutions


• Growth of organizations across boundaries

• The need for a common compliance framework to manage diverse regulations

• Siloed approach towards the different aspects of compliance management

• Ineffective management of related policies, training programs, risks, internal controls, issues and corrective action

• Lack of a single, centralized view of the compliance program status

Organization Drivers


FCPA Compliance Program Elements Policy and Procedures

Creation, Distribution, Attestation

Chief Ethics and Compliance Officer Tone from the Top

Risk Assessment Qualitative and Quantitative

Managing Controls Built-in Control Libraries, Testing,

Re-aligning

Audit Management

Incident Management and Corrective Action

Training Program Management


Best Practices in Technology Adoption

• Multiple Requirements, but a single framework

• Integrate the different components together – policies, procedures, risk, controls, audit

• Seamless integration with external systems, for eg., financial continuous control monitoring systems

• Ability to keep track of changing regulatory landscape

• Adaptable to the changing business processes

• Tone from the Top

• Scalable and alignment with the organizational growth


Integrating the Compliance Program Elements

Incident Management/

Corrective Action

Regulatory Compliance (FCPA, UK Anti-

Bribery, Industry specific regulations)

Audit Management

Policy & Procedure

Mgmt.

Risk Assessment And

Management

Dashboards & Reporting

Manage Control Hierarchy Test controls Remediation

Risk Factors Key Risk Indicators What-If Analysis Risk Scoring – Inherent and

Residual

Closed Loop Incident Management

Control Assessment Control Improvement

Recommendation

Training Management


Integrating with External Sources

• Capturing alerts and events from reliable sources for timely and relevant policy and compliance activities

• Analysis and mapping to compliance and risk categories, business units

• Triggering compliance risk assessments, policy updates

ComplianceOnline.com

Bloomberg

Transparency Intl.


Policy and Procedure Management Creation, Review, Approve,

Organize

Certification and Self Assessments

Mapping to Controls & Risks

Aligning Policies to changing regulatory landscape

Awareness and Training Tracking and Visibility

Policies related to -Commission Payment -Expense Re-imbursement -Payment -Travel and Entertainment -Employee Background

Enforcing the policy and guidelines and ensuring compliance on employees and Third Parties


Risk Assessment

Library of Risks

Risk Factors

Residual Risk Inherent Risks

Controls

Ranking of Risks

Risk Scoping

Location/Division Statutory Group Product Line Commodity Group

What-If Analysis

Risk Mitigation

3rd Party Testing

Internal Audit

Internal Audit

Risk Mitigation

FCPA Compliance

Strategy

Bribery Criminal Misconduct Policy Gaps

Value of business with governmental entities and other high risk organizations

use of agents and other intermediaries


Compliance Audit Management Risk Assessments and Scoping

User Homepage

Planning & Scheduling

Audit Fieldwork Auditing Controls, High-risk

processes

Work Paper Review & Completion

Final Audit Report

Audit Remediation Control Improvement

Recommendations

Start


Training Management

Assigning Courses to Employees

Initiate Training

Report Course Completion

Creating Questionnaire

Administering Tests

Reports - Training Gap

Creating and Assigning Competency

Certification

Training Objective •Understanding Corporate Anti-Corruption Policies •Potential Red Flags •Reporting and Escalation Mechanism Training Scope •Employees •3rd Party Training •Training for Employees at risk

Training Status •Reports – Training Medium, Gaps, Trained-Untrained Employee Breakup


Case Management and Corrective Action

Email, Phone, or Web based Employee Hotline Whistle-blowing Systems, Ombudsman Continuous Control Monitoring System

Capture Case

Analyze, Validate & Assign

Investigate Remedial Action

Approve & Close

Case Investigators oInternal Auditors oCompliance Officers oLegal Team oHR

Case Manager

Leadership Team

Monitoring , Reporting & Analytics

C O M M U N I C A T E


Continuous Control Monitoring ,

Segregation of Duties

Seamless Integration

Compliance System

FCPA Compliance Dashboard

External Data (Regulatory

Feeds)

Spread Sheets

Audit Analytics Systems

Ability to Co-Exist


Tone from the Top

• Offer the flexibility to link management objectives with processes, policies, risks, controls, incidents and corrective action

• Role based view of Compliance program, for eg: the CECO view to be broader and larger as compared to the BU Head view

• Support Complex Organization Hierarchies

• Aggregated View and ability to drill down to details

• Continuous Compliance Program Monitoring


Prevent Detect Respond

Training Status

Policy Certification

Performance of the Controls Implemented

Risk Metrics Score

Profile of Issues, Incidents and Cases

Remediation Status

Key Sustainable Metrics to Track


About MetricStream

Delivering Business Performance through Integrated Governance, Risk and Compliance Vision

Solutions

• Corporate Compliance • Risk Management • Audit Management • Policy & Procedure Management • Environmental Health & Safety

Contact us • Website: www.metricstream.com • Email: [email protected]

Analyst Recognition

Leader in Gartner GRC Magic Quadrant

Leader in Forrester GRC Wave

Market Leadership

• Serving Large Global Corporations • Industry Specific Quality and GRC Offerings • Patented GRC Platform Technology

• Supplier & Vendor Governance • Issue and Incident Management • IT GRC • Quality Management • Energy & Sustainability Management

http://www.gartner.com/it/page.jsp?id=676310


Q&A

A copy of this presentation will be made available through Life Science Forum Basel. Please visit www.metricstream.com for more details on upcoming webinars and presentations.

Questions? Thomas R. Fox Ph: 832-744-0264 www.tfoxlaw.com [email protected] Follow me at www.twitter.com/tfoxlaw. Follow my blog at http://tfoxlaw.wordpress.com/

Contact Us:

Christopher P. Cieslok Director Project Management Europe +41 78 677 3141 www..metricstream.com [email protected]

http://www.metricstream.com/

mailto:[email protected]?subject=Life Science Forum Basel - Questions

mailto:[email protected]?subject=Life Science Forum Basel - Questions


Thank You

Contact: Email: [email protected] Web: www.metricstream.com

mailto:[email protected]

Managing Anti -Corruption Efforts in the New Era of ...

Documents

Transcript of Managing Anti -Corruption Efforts in the New Era of ...