By Elizabeth Junell

Effective compliance programs are like suits of armor protecting an organization from exposure to risk. The world of risk is forever in flux, so some measure of exposure is needed so that a company can know where weak spots in its armor—areas prone to risk—exist. Compliance resources can then be directed to reinforce the suit of armor as the level of exposure dictates.

At the heart of the compliance program is risk assessment. Assessing risk is not a one-time event, nor is it a one-size-fits-all proposition. Rooting out the weak spots in an organization is a process that should occur at various points in a compliance program’s life cycle. To get the right answer each time, the risk assessment should be tailored to include the organization’s specific risk factors.  Companies often use a quantitative approach, strictly by the numbers, but balancing quantitative results with qualitative analysis can be beneficial in identifying the company’s true risk profile.

Jurisdictional or business segment revenue is often used to measure corruption and bribery risks in an anti-corruption compliance program. The revenue generated by unit is weighted by other factors to identify the risk profile for the business as a whole. Other factors may include Transparency International’s (TI) perceived corruption risk (or CPI), revenue generated from state-owned entities versus commercial enterprises, headcount by function, and so forth and so on. The key is to include specifically relevant risk factors without over-engineering the process.

While these quantitative measures can be quite telling about exposure to corruption and bribery risk across an enterprise, qualitative interpretation is important for an effective assessment. Qualitative factors are not typically built into a binary process, but they can be crucial to understanding the level of risk inherent to a particular portion of the business. Balancing the two might reveal that an initial assessment of high risk is actually a lower risk. Ultimately, these two sides of the same coin should coalesce to paint a holistic picture that represents the true risk profile of the business.

I observed an excellent illustration of balancing quantitative with qualitative factors while working with a company that generated significantly more revenue from clients in a Middle Eastern country than any other country where it operated. The particular country is typically considered to be a higher-risk jurisdiction, based on TI’s CPI. As a result, the company’s quantitative analysis indicated that its operations in the Middle East had the greatest exposure to corruption and bribery, with countries in Africa and Asia-Pacific following. To stop here would have meant that the company would have directed its compliance resources accordingly, with the Middle East getting the most attention.

When we applied qualitative interpretation, a different story emerged. The company’s largest client by far in the Middle East was a state-owned entity (SOE). Typically, this fact would support the notion that the quantitative assessment was correct in terms of directing compliance resources.

But the SOE had demonstrated to the company that it was also concerned with anti-corruption compliance, and had become more aggressive itself in developing its compliance program. The company also had SOE clients in Africa and Asia-Pacific, but those clients had not demonstrated to the company the same attention to anti-corruption compliance. As a result, the reality for the company was that its business in the Middle East actually presented lower risk of exposure to corruption and bribery than its operations in the other countries, despite the results of the quantitative analysis.

Binary calculation of risk can be very informative, especially when company-specific risk factors are included. But getting the right answer about where to direct valuable and finite compliance resources requires thoughtful analysis of quantitative results.  Considering mitigating circumstances that can be substantiated and documented is crucial, therefore, to an effectively executed risk assessment. The moral of the story? Coalesce the two sides of the same coin.

Elizabeth (Beth) Junell is a partner at Ernst & Young’s Fraud Investigations & Dispute Services practice in Dallas. She is a forensic accountant with significant experience in high-profile fraud, investigations and corporate compliance matters in the U.S. and abroad. She specializes in reactive and proactive anti-corruption-related matters for major multinational companies. The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young LLP.

Click here to subscribe to an e-mail digest of The Forensic Brief blog.

By Todd Marlin and Piyush Dixit

Todd Marlin

The modern-day litigation and regulatory landscape has resulted in an explosion of electronically stored data being retained in the business environment. As a result, corporate entities, regardless of industry, are faced with mounting financial and resource outlays when dealing with discovery of electronically stored data in response to formal litigation, regulatory investigation or government investigation.To combat the skyrocketing costs and time investments legal teams must devote to such endeavors, many practitioners are turning to a technological “savior” commonly referred to as predictive coding.

Recent court rulings in Da Silva Moore v. Publicis Groupe, Global Aerospace v. Landow Aviation, Kleen Products v. Packaging Corp of America and In Re: Actos Products Liability Litigation have provided guidance on appropriate uses of predictive coding.  Read more.

Click here to subscribe to an e-mail digest of The Forensic Brief blog.

By Adam Cohen

Adam Cohen

Of all the nebulous, ill-defined terms being thrown around in today’s technology-driven environment — including “cloud computing” and “social media” — “big data” is jockeying for first place as the most overused.  It sounds scary and ambiguous, and in some ways it is. But it is hardly a novel idea.  Nevertheless, big data does have implications for electronic discovery (eDiscovery).

Generally, big data has three defining characteristics:  volume, variety and velocity.[1] Volume simply refers to the ever-increasing amount of data being generated by sources like text messaging, social media, transactional data and any other form of digital communication and record keeping. The growth of volume is compounded by the trend of decreasing storage cost. This lends itself naturally to entities and individuals keeping data that they might otherwise discard because of its lack of utility.  Read more.

Click here to subscribe to an e-mail digest of The Forensic Brief blog.

By Jennifer Shimek

Home health care is a critical service for our nation’s aging patients. Providers bring skilled and unskilled care to the patient’s home, including everything from nursing care to assisting with daily tasks.

The Department of Health and Human Services Office of Inspector General (OIG) identifies these home health services as a key area vulnerable for fraud waste and abuse.  In 2010 alone, the OIG estimated that Medicare paid home health agencies (HHA) over $19.5 billion for submitted claims.  As a result, home health services, again, has been included as a focus area for the OIG in the Office of Inspector General Work Plan Fiscal Year 2013.

Audits, penalties, settlement agreements and corporate integrity agreements (CIAs) are common in the home health industry.  Consequently, home health providers need to be aware of the issues and compliant with regulatory requirements. The Centers for Medicare & Medicaid Services (CMS) continues to increase its audits of the industry, and home health providers should be adequately prepared for an audit when it is their turn.  For example, in 2011, a home health provider agreed to pay $150 million to resolve criminal and civil investigations pertaining to fraudulent billing activities with the government.  In 2012, the largest home health fraud case in U.S. history was settled for over $350 million.

The risk lies with whether the home health provider was paid for services it did not perform or paid for services with insufficient medical record documentation to support the claim.  Read more.

Click here to subscribe to an e-mail digest of The Forensic Brief blog.

By Todd Marlin

Those who have worked with electronically stored information for more than a decade or so no doubt remember the hand-wringing days of trying to extract relevant data for litigation purposes from what seemed to be an ocean of gigabytes. Just as we became comfortable with the concept of gigabytes worth of storage, our initial reaction to the exponential growth of data then was “what in the world is a petabyte?”

We long for the days when we faced a paltry 20 million emails, as in the 1999 case of United States v. Philip Morris — a seminal e-discovery case that was among the first to tackle large volumes of data. Cases like this were phenomenal for their time, but are now a matter of routine.

Today, an hour’s worth of business for a typical big-box retail chain can create millions of transactional records. The entirety of data from the private sector doubles every 14 months. So-called “big data” is no longer a phenomenon. It is a reality we wrestle with in the everyday course of business to a degree we never conceived, and it touches myriad worlds — not the least of which are those of anti-corruption and fraud.

To understand the challenges and opportunities presented by this seemingly ungovernable deluge of data, we must first understand what big data is. Since the advent of consumer-level networking and the internet (machines talking to machines), massive volumes of data across disparate systems have surged.  Read more.

Click here to subscribe to an e-mail digest of The Forensic Brief blog.

By Ryan Pratt

The destruction wrought by Hurricane Sandy and the ensuing chaos have challenged everyone in the affected region, but in the immediate aftermath those businesses that suffered the most damaging losses must be prepared to address their insurance claims.

A large, complex property and business interruption claim is a series of negotiations between the insured and the insurance company beginning the day of the loss. The recovery process can take months, even years, making communication—both internally and externally—a critical part of the process.

In this instance, estimates by forecasting firms suggest the damage from Sandy could exceed $50 billion, second only in history to Hurricane Katrina. For those in business, diligent attention throughout the claim process is critical to drive claims forward. Most insurers are forthright in their business practices and ultimately pay claims; persistence on the part of the insured can be the difference in your claim being on the top of the pile. The onus is on you.

Physical Damage Immediately Following Disasters

The Consumer Federation of America last week said that payments by private insurers for wind damage to homes and business properties from the storm will exceed $10 billion dollars. For those that suffered loss, this means that the claim process starts now—or more accurately last week. The day after damage is discovered, the decisions made in the early stages of the claim will affect the amount and the speed of recovery.

As a claimant, your most pressing responsibility is documentation. Before you begin cleanup or even cosmetic repair, take plenty of photos of all affected portions of your property. Work with the insurer to understand the magnitude of the damage and document decisions made with the adjuster about what needs to be repaired or replaced. Be involved in the process. You and your personnel know your business and should go alongside the insurers’ experts to understand their assessment of the damage and the property’s condition.

Document everything. Insurers may require documentation of all expenditures for verification of what product or service was purchased and the rate at which it was procured.  Early in the claim process, companies should set up separate accounts to track loss-related expenses, so that they can be easily identified and documented in the claim.  Read more.

By Greg Wolski and Virginia Adams

Greg Wolski

Allow me to introduce one of my colleagues, Virginia Adams. Over the years, Virginia and I have worked closely on a number of anti-corruption due diligence matters spanning various industries and geographies. The majority of these matters have involved contemplated acquisitions or investments in emerging markets, both by corporate acquirers and private equity firms. Our proactive due diligence efforts have surfaced many interesting scenarios — from flat-out bribe-paying admissions and uncovering payments to agents with mysterious ties to government officials in highly corrupt countries, to analyzing compliance programs requiring only a few tweaks to bring up to minimum standards—all assisting our clients in assessing potential risks that could cause trouble down the road.

Virginia is a senior manager based in our New York office who focuses her practice around various anti-corruption services, including investigations, compliance monitoring and risk assessments, in addition to proactive due diligence. She brings many years of field experience working in emerging markets and identifying firsthand what potential corruption risks could be lurking.

This week’s post relates to a recent trend we are seeing emerge in FCPA settlement agreements with the U.S. Department of Justice (DOJ). During the first half of 2012, four companies reached agreements with the DOJ, which laid out requirements for anti-corruption due diligence, monitoring and reporting in the context of mergers and acquisitions (M&A). Specifically, the four companies are required to:  Read more.

By Bill Henderson and Katie Kyle

Bill Henderson

U.S. regulators’ heavy enforcement of the Foreign Corrupt Practices Act is affecting small companies in the aerospace and defense industry, as shown by the recent fine levied on a small aircraft maintenance company, NORDAM Group. The Tulsa-based manufacturer in July agreed to pay $2 million for charges that it paid direct and indirect bribes to employees of airlines controlled and owned by the People’s Republic of China.

According to the Department of Justice, three employees of a NORDAM affiliate entered into sales representative agreements with fictitious entities then used the money from NORDAM to bribe airline employees. Using third parties for bribe payments is not original. In fact, most reported FCPA cases involve the use of third-party intermediaries such as agents or consultants.

In March, another Tulsa aircraft maintenance company, BizJet International Sales and Support Inc., agreed to pay $11.8 million to settle China-related FCPA charges.

Companies doing business with state-affiliated airlines clearly have elevated corruption risk. These companies include aircraft equipment and technology providers and those serving the aftermarket with installation, maintenance, repair and overhaul services. By our count, there are more than 80 majority or wholly state-owned airlines worldwide, and many of those airlines are located in countries that rate high on Transparency International’s Corruption Perceptions Index, including China, India, Russia, Argentina, South Africa, Vietnam, Egypt and Venezuela.  Read more.