Implementing effective compliance programs is challenging, especially where third-party risk management is involved. In this podcast, Ropes & Gray litigation & enforcement partner Amanda Raad is joined by ethics and compliance consultant Hui Chen, who served as compliance counsel in the Department of Justice, to discuss how companies can tell if a compliance program is working. The podcast covers:
- Some of the key areas that companies may be getting wrong
- Understanding if a third party is right for your company
- How to use checklists effectively
- The importance of taking a holistic approach to risk and compliance
Click here to listen to the podcast
Amanda Raad: Hello, and welcome to our podcast. This is the second in our series of podcasts focused on risk mitigation and management. My name is Amanda Raad. I am a partner at Ropes & Gray in our litigation and enforcement practice. Joining me is Hui Chen, former Department of Justice compliance counsel, and current ethics and compliance consultant. In this podcast, we’re going to discuss how companies can tell if a compliance program is working, and we will address some of the key areas that companies may be getting wrong. Companies develop processes, taking third-party procedures and controls, for example, that might actually work really well, and maybe they're asking all of the right questions, but things still get missed and accidents still happen. Why do you think that is? And what do you think's happening there?
Hui Chen: I think what we need is a brain behind the checklists. And you will see in some of the cases that certainly fraud section has prosecuted, that involving third-parties, the third-party is properly registered in the system, they have gone through due diligence, there is a contract, there is proof of service. But nobody's asking, "Why are we using this vendor for this service?" In some cases, it makes no sense at all. And so that level of, "Why are we doing this," as opposed to check, check, check is really what's missing. I have to say, I feel like the compliance profession has given checklists a bit of a bad name because we always say the checklist mindset is something we don't want. I recently read one of my favorite author's book, Atul Gawande on The Checklist Manifesto. I admit to avoiding that book for a while because it seems to be talking about checklists and a checklist is something that we don't like. After I read that book, I realized that I had completely misunderstood how checklists should be used. You know, as he describes, in an operating room, a checklist is there to facilitate communication. A checklist is never to be done alone. So if a nurse takes a checklist and just checks it off by herself, they might as well not have it – that's not how they do it. The checklist says, "Discuss whether patient has allergy." So literally, this facilitates an exchange of information of all the people in the operating room and understand is there, you know, an allergy to certain types of drugs that we need to be concerned about that we might be administering during the operation. The purpose of the checklist is really to make sure the team functions as a team and they talk to each other. And if we use that kind of checklist mindset, then we might actually have good checklists where people are asking questions, like, "Why are we doing this? Why are we using this vendor?"
Amanda Raad: And that analogy, just to take it a step further in the compliance setting and staying in the third-party scenario for a second, probably works well also in facilitating communication between the business and compliance, between finance and compliance, between all the relevant stakeholders because otherwise, you know, we talk a lot about the business actually owning the responsibility, or owning the compliance. But then the compliance function often gets stuck with executing the checklist. And so I think what I hear you saying is compliance maybe leads the process or the discussion, the information gathering. But that it has to be with multiple stakeholders to really get to the true understanding of who is the third-party, what are they doing for us, and why?
Hui Chen: Exactly, exactly. So that the finance person, you know, for example, in this scenario or the procurement person is not just saying, "Is there a real vendor? Check. Is there proof of service? Yes. Is there contract in place? Yes." They do that and then they say what they should be saying. A real functioning checklist would be they ask, "But why are we using this vendor?"
Amanda Raad: Right. And, "How are they working for us?"
Hui Chen: Exactly. And starting the conversation.
Amanda Raad: And, "Does it all make sense?"
Hui Chen: Exactly.
Amanda Raad: What are the two or three or four, however many you choose, things that companies are just goofing up, it's not working, they need to do better?
Hui Chen: Training, we talked about. There is a lot of waste that goes into the training space in terms of people being trained for things that are not relevant to their work or things that actually don't teach them anything. And so that's I think a huge space that really could use more consciousness of what is effective, what is the purpose. Another area is approvals. So people sometimes think, "The more we have people to approve of certain things, the better. So let's line up 12 approvers for, you know, every transaction." Again, I think it's about credibility. It's also about, you know, basic psychology, which is when you have 12 people approving something, everyone will think the other 11 already approved it, "So why should I pay extra attention?" The more effective way to do it that I have seen is really think through, why do you have each approval – so who needs to own that? And train each of those approvers on specifically what, you know, that approver is looking for. Another area is due diligence. So everybody talks about third-party due diligence as if, you know, that's the end. I mean, you put, you know, your vendors or third-parties through your due diligence system and now you're done, onto the next vendor. I always think of due diligence like the credit check that you get, you know, you go through when you apply for a credit card. It's about the past. It's about whether you had been bankrupt in the past, whether you had been paying your bills in the past. But credit card companies use that to, you know, determine how much they will trust you in your credit limit. And then what they really care about is whether you're going to pay your bills going forward. And that's what companies are not paying as much attention to. So once again, in the evaluation of corporate compliance program document, we didn't talk about third-party due diligence, we talked about third-party management because this is an ongoing responsibility. And it's actually far more important what they're doing with you one you have on-boarded them. So, you know, monitoring the spend on third-parties and monitoring their activities, holding relationship managers accountable, teaching them about how to manage those relationships. Those are as important, if not more important. In fact, I will say they're more important than the due diligence up front. And then I think a final area that goes to where we started is thinking about risk and compliance. I do think it's important that we move away from the compartmentalization that we currently have, and coming at employees from different angles, talking about different types of conduct risks as if they were separate things, and not emanating from the same root causes. And I think that would go a long way. If we can actually emerge from that compartmentalization, I think we can go a long way in actually addressing some of the conduct issues.
Amanda Raad: And it sounds like maybe there's a little bit of wasted resources going on in this and so we spend a lot of time talking about how expensive and burdensome all of this can be to get right. But if we can be more efficient and if we can come at this the right way in a more holistic way, then hopefully we can be better and also more efficient from a cost perspective.
Hui Chen: Absolutely, yes.
Amanda Raad: Thank you, Hui. For additional news and insights, please visit www.ropesgray.com. Thank you for listening.