Day 18 of 31 Days to a More Effective Compliance Program- Internal Reporting and Triaging Claims

FCPA Compliance & Ethics -

  The call, email or tip comes into your office; an employee reports suspicious activity somewhere across the globe through your internal reporting mechanism. That activity might well turn into a FCPA issue for your company. As the CCO, it will be up to you to begin the process which will determine, in many instances, [...]

The post Day 18 of 31 Days to a More Effective Compliance Program- Internal Reporting and Triaging Claims appeared first on Compliance Report.

Letter to Pat Kelly

The Compliance & Ethics Blog -

By Roy Snell I wrote a letter to Pat Kelly, the FBI Integrity and Compliance Officer. He is retiring. Pat’s experience in Compliance has been no different than many other compliance professionals I have met over the last 20 years. Implementing compliance programs in the government setting is as difficult and dramatic as in […]

BlackRock Supports Stakeholder Governance

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Martin Lipton, Wachtell, Lipton, Rosen & Katz, on Thursday, January 18, 2018 Editor's Note: Martin Lipton is a founding partner of Wachtell, Lipton, Rosen & Katz, specializing in mergers and acquisitions and matters affecting corporate policy and strategy. This post is based on a Wachtell Lipton publication by Mr. Lipton.

BlackRock CEO, Larry Fink, who has been a leader in shaping corporate governance, has now firmly rejected Milton Friedman’s shareholder-primacy governance and embraced sustainability and stakeholder-focused governance. January 2018 BlackRock letter to CEOs.

In our Some Thoughts for Boards of Directors in 2018 (discussed on the Forum here), we noted:

The primacy of shareholder value as the exclusive objective of corporations, as articulated by Milton Friedman and then thoroughly embraced by Wall Street, has come under scrutiny by regulators, academics, politicians and even investors. While the corporate governance initiatives of the past year cannot be categorized as an abandonment of the shareholder primacy agenda, there are signs that academic commentators, legislators and some investors are looking at more nuanced and tempered approaches to creating shareholder value. 

In his letter, Larry Fink says:


The New Digital Wild West: Regulating the Explosion of Initial Coin Offerings

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Randolph A. Robinson, II (University of Denver), on Thursday, January 18, 2018 Editor's Note: Randolph A. Robinson, II is visiting assistant professor at the University of Denver Sturm College of Law. This post is based on his recent paper.

In 2017, initial coin offerings or ICOs raised a collective $4 billion for blockchain entities. While the rise of bitcoin has brought cryptocurrencies and the blockchain into recent media headlines, you could be forgiven if you are unfamiliar with concept of an ICO, as this funding mechanism only reached mainstream audiences in 2016 with the launch of an entity called The DAO. The DAO was formed as a decentralized venture capital fund, intended to fund the development of new blockchain companies and applications. But, before fully operational, The DAO suffered a cyber-attack that drained over one-third of its funds, putting an early end to the ambitious experiment. Although no longer operational, The DAO’s completely unregulated nine-figure fund raise would give rise to widespread duplication of this controversial corporate funding mechanism.


The SEC Administrative Law Judges Are Heading to the Supreme Court

Compliance Building -

The use of administrative law judges by the Securities and Exchange Commission has been strained since the jurisdiction was expanded under Dodd-Frank. There have been a series of cases challenging the ALJs under the Appointments Clause of the Constitution. The problem was that the judges were appointed by an internal panel instead of by the President or the SEC Commissioners.

An advertising case that led to an adviser being barred is now headed to the U.S. Supreme Court. In the Lucia case, the lower court used a three prong test to determine if an ALJ is an “Officer” under the Appointments Clause:

  1. significance of the matters resolved by the government official
  2. discretion the official exercises in reaching the decision
  3. the finality of the decision

On Jan. 12th, the Supreme Court granted an appeal to hear Lucia v. SEC. This was likely based on two factors.

One was a split in the courts on whether the SEC’s administrative law judges were properly appointed. The 10th Circuit Court of Appeals came to the opposite conclusion in Bandimere v. SEC. That court used a different three part analysis to determine if an ALJ is an “inferior officer”:

(1) the position of the SEC ALJ was “established by Law”;
(2) “the duties, salary, and means of appointment . . . are specified by statute”; and
(3) SEC ALJs “exercise significant discretion” in “carrying out . . . important functions.”

The Bandimere decision rejected the argument in the Lucia case that ALJs do not have final decision-making power. They have enough power to make them an “inferior officer.”

The second was that the Department of Justice decided that the ALJ appointment process was flawed. The government dropped its earlier position in the Solicitor General’s Brief on the Writ of Certiorari for Lucia; its argument is now that the Court should hear the case and overturn the Lucia ruling.

“[T]he government is now of the view that such ALJs are officers because they exercise ‘significant authority pursuant to the laws of the United States.’ Buckley v. Valeo, 424 U.S. 1, 126 (1976)”

In response, the SEC ratified all the ALJ appointments. This should fix the problem and erase the constitutional problem.

In the reply brief, Lucia argued that the government’s change of its position and its revised procedures did nothing for him.

“Although the government now agrees that SEC ALJs are Officers, it has afforded petitioners no redress for having subjected them to trial before an unconstitutionally constituted tribunal… On the contrary, petitioners remain subject to draconian sanctions—including a lifetime associational bar—resulting from the tainted proceedings below”

It looks like the SEC has fixed the problem with its ALJs going forward. The problem will be what to do with all of the cases that have already been decided. It seems likely that the SEC is going to agree that the ALJs were a problem. The big question is how to fix that problem for the cases that have already been adjudicated. I would guess that there are a lot of cases that are going to be expunged, people no longer barred and cash fines repaid.


Draft GDPR Transparency Guidelines Issued: What Does Your Privacy Policy Need to Contain?

Program on Compliance and Enforcement, New York University School of Law -

by Jeremy Feigelson, Jane Shvets, Dr. Thomas Schürrle, Ceri Chave, Dr. Friedrich Popp, and Christopher Garrett

Late last year, the Article 29 Working Party (the “Working Party”) issued detailed draft guidance (the “Guidelines”) on transparency under the EU General Data Protection Regulation (the “GDPR”), which comes into force in May 2018. These Guidelines, which will be finalized following a consultation process, contain the Working Party’s interpretation of the mandatory transparency information that must be provided to a data subject by way of privacy policy or other disclosures.

One of the express requirements of the GDPR relates to how businesses communicate their use of a data subject’s personal information to that data subject at the point of data collection or consent, typically via a privacy policy or notice. Getting this right is crucial. Businesses will need to examine their current privacy policies and other disclosures closely, and consider whether these need revising not just in the light of the GDPR, but also to factor in the requirements listed in the Guidelines, which elaborate on existing GDPR provisions. While the Guidelines will not be binding, data protection authorities may take a dim view of businesses which fail to comply with the Guidelines without good reason, given that representatives from all of the EU data protection authorities are part of the Working Party. Businesses that fail to comply with the information duties under the GDPR will face fines of up to the higher of 4% of annual worldwide turnover or EUR 20 million.

The Working Party Guidelines

First, what information must businesses include in their privacy policies?

  • Identity and contact information for the controller/data protection officer (where applicable[1]): this allows the data subject to easily identify who the controller is and should, where possible and practicable, include several methods by which the controller can be contacted (e.g. phone number, email address, postal address).
  • Purposes and legal basis for processing: companies should include the legal basis relied upon for processing alongside the purposes for which the data is processed. The Guidelines do not specify whether the privacy policy must list the legal basis for each category of data processed (e.g., names, telephone numbers, e-mail addresses).
  • Legitimate interests: where legitimate interests are relied on by the controller or third party as the legal basis for processing, the specific legitimate interests need to be expressly stated in a way the data subject can understand. Businesses should also consider, as best practice, providing the data subject with information on how the data controller balances its own interests against those of the data subject. Businesses should carefully consider how to execute this in practice; succinctly summarising the “balancing test” while also ensuring it is easily understandable might seem challenging, but is worthwhile where practicable in order to demonstrate compliance with, for example, the GDPR’s accountability principle.
  • Recipients or categories of recipients of personal data, including third parties, joint controllers and processors that receive data: the default position is that information must be provided on any named recipients. In many cases, for example where the controller engages various data processors, the identity of which may change from time to time, this task may be onerous and not always practicable. If the controller elects to provide categories of recipients instead of individual names, the controller must be able to show why it did so and provide as much information as possible in the privacy policy, such as information about the type of recipient (by reference to the activities it carries out) and the industry, sector and sub-sector, as well as where the recipients are located.
  • Transfers of data to third countries, along with the safeguards in place and where copies of such safeguards can be found (e.g. via a link): the privacy policy should specify the basis for any data transfer outside the European Economic Area (i.e. binding corporate rules, adequacy decision, standard contractual clauses and derogations), along with a list of third countries to which data will be transferred. The Guidelines state that the list must be exhaustive.
  • The retention period: the Guidelines state that it is insufficient to state, in general terms, that personal data will be held for as long as is necessary for the purposes for which it was processed. Businesses can use statutory requirements or industry guidelines as a means of assessing how long personal data should be kept, but the overarching purpose is to allow a data subject to assess the relevant storage periods, depending on the categories of data provided. Where the data is being held due to an ongoing commercial, business or employment relationship, it may not be possible for the controller to specify an exact retention period, but the data subject should have sufficient information to be able to determine the period.
  • Data subjects’ rights: a privacy policy should include information on how a data subject can access, rectify, erase, restrict processing of, object to the processing of and port their data. These rights must be explicitly brought to the data subject’s attention. Although not expressly required by the GDPR, the Guidelines state that this information may need to be accompanied by explanations of what each right involves and how it can be exercised.
  • How a data subject can withdraw consent: not only does this need to be contained within the information provided to data subjects, but businesses need to ensure that their systems and processes can actually effect the withdrawal of consent as easily as it was given.
  • The right to complain: data subjects need to be made aware of their right to complain to the relevant supervisory authority in the event of an infringement (actual or alleged) of the GDPR.
  • Use of mandatory fields: online forms need to indicate clearly which fields are mandatory and which are optional, as well as the consequences of not completing the mandatory fields. For example, in an employment context there may be a contractual requirement to provide certain information to an employer.

Second, the GDPR requires businesses to provide information to data subjects in a way that is “concise, transparent, intelligible and easily accessible”. What does this mean for privacy policies in practice?

  • Information on the processing of a data subject’s personal data must be presented in an efficient and succinct manner, in order to avoid “information fatigue”. Using layered privacy statements is a good way of ensuring a privacy policy is easily navigable and user-friendly. Alternative means available to online businesses include “just-in-time” contextual pop-up notices, 3D touch or hover-over notices and privacy dashboards.
  • Businesses can make their privacy policies easily and readily accessible by making the information available on the same page on which personal data is collected and by clearly signposting it. The Guidelines consider that combining a privacy policy with other terms and conditions or only providing a link to the privacy policy on the first page of the website will be insufficient.
  • The privacy policy must be easy to understand. Businesses should establish who their intended audience(s) are and what the average member’s level of understanding may be, taking particular care where their goods/services target children or vulnerable members of society. User panels can be used to test whether an intended audience understands the privacy policy relevant to the processing of their personal information.

Third, businesses will need to monitor their compliance with the transparency requirement regularly throughout the life cycle of processing (for example when data breaches occur) and not only at the point when data is collected from the data subject or otherwise obtained.

Fourth, complying with the current draft Guidelines does not necessarily ensure future compliance. The Working Party will publish updated Guidelines along with a FAQ section once it has analysed the responses to its transparency consultation, and the UK Information Commissioner’s Office will continue to revisit its approach as future EU guidelines and best practices develop post-May 2018. Businesses should do the same to ensure they meet the regulators’ evolving expectations as the GDPR comes into force and is enforced.

[1]   The Working Party has prepared specific guidance on Data Protection Officers (WP 243, last revised and adopted on 5 April 2017).

Jeremy Feigelson, Jane Shvets, and Dr. Thomas Schürrle are Partners at Debevoise & Plimpton LLP. Ceri Chave, Dr. Friedrich Popp, and Christopher Garrett are Associates at Debevoise & Plimpton LLP.

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.

Everything Compliance-Episode 24, the Looking Back to Look Forward Edition

FCPA Compliance & Ethics -

In this episode, the top compliance roundtable podcast returns with a look back at some of the top FCPA, compliance and data privacy/data security issues from 2017 and how they inform what will be the top such issues in 2018 by looking forward.  Jay Rosen considers the new Justice Department FCPA Corporate Enforcement Policy and [...]

The post Everything Compliance-Episode 24, the Looking Back to Look Forward Edition appeared first on Compliance Report.

Getting Practical With Emerging Risks

BRINK News -

Yesterday’s BRINK article on the outlook for global risks depicted a fractured and fractious world, characterized by the confluence of far-reaching technological disruptions and seismic shifts in political and geopolitical imperatives. The extraordinary velocity of change that is spurring many companies to question not just their basic resilience, but also their fitness for purpose in the new world order is also influencing expectations of risk management.

If robust finances were the major corporate concern during and after the financial crisis, the key issue these days is market positioning. If back then the risk management buzzwords were prudence and controls, now they are business case support and responsive agility. Staying out of—or exiting—certain markets for fear of an unwelcome shift in the political climate might prove expensive, not least if competitors are more bullish. Likewise, the pressure for adopting new technologies is intense, even where near-term performance benefits are uncertain and longer-term ecosystem effects unclear.

As our new report contends, risk leaders should devote more resources to grappling with emerging threats. While this doesn’t mean tasking teams with predicting the future, it does call for a stronger role in challenging prevailing assumptions and giving shape to key uncertainties in a way that illuminates the impact of plausible scenarios and informs senior management decisions. It involves recognizing not just that new risks are appearing on the horizon, but that operational risks may become strategic risks, known risks may become unknown, controllable risks may become uncontrollable, and risks assumed to be acceptable may acquire “fat tails.”

From Identification to Action

Three things are essential if work on emerging risks is to remain true to the messiness of these issues and also be truly integrated into corporate decision processes. These are: creatively exploring the sources of risk; embedding a thorough risk characterization in impact analyses; and being able to justify potential responses.

The search for emerging threats requires looking beyond the issues that can immediately and easily be anchored to business performance. Unpack hot risk topics and trends to see how different—often non-market—forces might surge or collide in problematic ways. Tease out pockets of volatility or uncertainty in the firm’s commercial ecosystem. Apply a fresh lens to the firm’s strategic and institutional vulnerabilities.

It’s often unwise to dismiss possible risk topics too early—they may combine with other ideas and be useful later. And don’t worry at the outset whether something is a risk, a driver or a consequence—that can be resolved in due course. A preparedness to challenge “house truths” is vital, as is not constraining discussions by views on probability (“the chances of that happening are tiny”).

A thorough characterization of the top emerging risks involves assessing what’s shaping each risk, their likely trajectory and its potential consequences, with a view to determining where it might touch the firm, the types of impact and the time profile of the damage. This helps clarify the materiality of each risk, and provides an initial steer for response planning.  

Quantified scenarios that give shape to plausible alternative futures are useful for exposing hidden tensions between commercial ambitions and corporate risk appetite. They can be used not just for stress-testing finances, but also for challenging strategic goals and rehearsing crisis management preparedness. Although scenario narratives and quantification exercises for emerging risks shouldn’t be constrained by historic data and risk relationships, acceptance of the results will depend on the degree to which key stakeholders have appreciated the validity of the inputs.

Management levers that address a range of top-tier emerging risk concerns may present a more compelling business case than multiple action plans targeting individual issues. However, overly generic recommendations will encounter pushback from company leaders as they will be unable to articulate what they will deliver and the (opportunity) cost of doing so. The threshold for mandating action is that much higher than for familiar risks, given the high levels of uncertainty, especially with regard to preemptive responses.

Investment decisions regarding solutions for emerging risks should also take into account residual risk exposures (“are they acceptable?”), any significant knock-on consequences, the lead-in time required to implement the measures, and the speed with which precautionary measures can be unwound should they no longer be needed. Sometimes, aggressive market plays and investment in research and development are more appropriate than defensive mitigation measures. Contingency planning may strengthen resilience against fast-onset risks, where precautionary action has been deemed unviable.

A New Boldness for Risk Teams

With new risks swinging into view, senior-level demands changing, and new technological capabilities emerging, this is an exciting time for risk leaders to reframe their function for the new era.

Taking advantage of the new opportunities requires a shift of emphasis in three areas:

  1. Better alignment with business priorities: Risk teams need to demonstrate strong business or commercial acumen and engage more intensely with the company’s strategic ambitions and major investments. This will sharpen their ability to develop valuable insights into emerging concerns and help scope innovative risk mitigation solutions.
  2. More flexible deployment of resources: Revised analytical methodologies, including the introduction of new data science and automation techniques, should free up capacity in risk teams for more project-based (as opposed to routine) risk work and the provision of advice to business and functional leaders.
  3. Greater dynamism in stakeholder engagement: A more creative lens with regard to emerging risks will enable risk teams to engage with institutional and individual biases and blind spots and help build an appreciation of threats for which evidence may be limited or conflicting.

To take this forward, some risk leaders may need to expand their comfort zone. But those who can mesh strategic vision, influencing skills, and technological fluency on top of their core risk-management expertise will be best positioned to help their firms negotiate dynamic risk environments laden with potential shocks and disruption.

Financial Institutions Are Playing Catch-Up in AML and Sanctions Compliance

Corruption, Crime & Compliance Blog -

Compliance officers are a much more collaborative group of professionals than lawyers.  Compliance officers share information with colleagues about compliance experiences, best practices and strategies.  The compliance industry benefits from this sharing of information.

On occasion, however, this sharing of a company’s performance in one area can lead to unfair judgments by a recipient of the information.  For example, one company may conduct an in-depth due diligence on every third party, while another may target due diligence reviews based on risk ranking and exclude some candidates from an in-depth due diligence and conduct a basic level due diligence on lower risk candidates.  Compliance officers who share information have to be careful to distinguish between their respective companies’ risk profiles and not use such a comparison as a means to judge their performance.

On the other hand, there are some basic requirements where such a comparison is warranted.  A board of directors should receive compliance training every year – no ifs, ands or buts.  If one company conducts such training, the other company should be doing so.  To take an even more basic example, every company has to have a code of conduct – and if a company does not, they should remedy that omission.

The same analysis applies to surveys.  A recent survey of financial institutions conducted by Alix Partners on AML and Sanctions compliance (here) contains informative results that support some of my general concerns about ethics and compliance programs – board members do not receive adequate training and compliance officers are continuing to struggle with lack of adequate resources.

The key findings from a global survey of a variety of financial institutions found that:

  • 20 percent of the respondents do not train their boards on AML and sanctions compliance;
  • 54 percent of the respondents identify automated transaction monitoring and filtering programs as their top priority investment;
  • 55 percent of the respondents identify sanctions screening as a top priority investment;
  • 8 percent of the respondents do not have a formal AML or sanctions compliance program;
  • 32 percent of the respondents consider their AML and sanctions compliance program budget inadequate or severely inadequate;
  • 35 percent of the respondents do not conduct annual independent reviews of their AML and sanctions compliance program.

Considering that financial institutions are heavily regulated and face significant risks, these results are surprising and raise serious concerns about the industry’s commitment to compliance.

The failure to train a board on compliance is inexplicable and sends the wrong message to managers and employees in a company that does not conduct training for its board.  While I know that board members are busy, there is no excuse, and CCOs have to push this issue when reporting to the board.  Very few boards are familiar with strategies and practices for conducting oversight and monitoring a compliance program.  A CCO needs to explain to the board the legal and code risks, mitigation strategies, and how the board should conduct oversight and monitoring of the company’s compliance program.

Despite claims that companies are committed to their compliance program, the failure to allocate adequate resources is a continuing trend in the financial industry and will eventually become the focus of enforcement and regulatory actions.  It is surprising to say the least that one-third of the respondents noted that they operate compliance with inadequate or severely inadequate resources.

The post Financial Institutions Are Playing Catch-Up in AML and Sanctions Compliance appeared first on Corruption, Crime & Compliance.

Tribute to Keith Jackson and Breakthrough Strategies in Compliance

FCPA Compliance & Ethics -

Keith Jackson died last week. He was universally recognized as the Voice of College Football and announced college football games for over 40 years. According to his obituary in the New York Times (NYT), Robert A. Iger, the chief executive of the Walt Disney Company, said of Jackson “For generations of fans, Keith was college [...]

The post Tribute to Keith Jackson and Breakthrough Strategies in Compliance appeared first on Compliance Report.

Experimental Design and Loss Prevention Programs

Loss Prevention Media -

The purpose of many loss prevention programs is to reduce shrink, reduce returns, and lower other activities that negatively impact sales. It is important, when designing an experiment and measuring the results, to take a holistic approach and determine a wide range of positive and negative indicators of success or failure. While we will want to see the corresponding loss-related metrics improve with the implementation of a loss prevention program, we should be equally focused on not impacting core sales. See Figures 1 and 2 for lists of LP initiatives and metrics related to shrink.

Figure 1. Common Loss Prevention Solutions


Figure 2. Loss Reduction Metrics

Experimental Design

Figure 3 illustrates the normal flow in the scientific method’s process. First, the researcher asks a question. An example question is, “Why do the iPads in the display area of the store continue to get stolen?”

Next, the loss prevention professional researches the question. For example, an inspection of the display area in the store may reveal that the iPads are only secured to the table with a very weak device that can be easily bypassed.

Next, the loss prevention professional would form a hypothesis: “iPads that are secured to the table with a more secure device will not get stolen as often.” At this point in the scientific method, an experiment should be conducted to determine whether the hypothesis is correct.

Figure 3. The Scientific Method

Many factors can hinder or ensure a complete and accurate experiment. For example, how many records (sample size) you have in the experiment can influence your results and how you can interpret them. For an ideal experiment, it is recommended to have a large number of experimental records, and that the test subjects (can be employees or stores, for example) are representative of the entire population you are trying to investigate. The best way to ensure “representation” is using a random selection of subjects.

For the ideal experiment, it is important to have a control group (those not receiving the test factor – or the thing you are trying to test). It is essential that the test factor is applied as it is planned to be deployed, and that the test factor is the only difference between the test subjects and the control subjects. Again, the assignment of the subjects into “test” versus “control” is best done randomly. Once the subjects are assigned, it is important that the subjects do not know to which group they have been assigned.

Once the subjects have been selected and assigned, it is the time to collect data. Again, the data collection process is also guided by principles that ensure experimental validity. Proper analytical techniques are then required to correctly analyze the data and interpret the results.

Loss Prevention Experiments: Issues to Consider

When conducting an experiment, the primary goal is to answer the research hypothesis without any doubt as to the validity of your experiment. Figure 4 shows some common threats to experimental validity. Each of these items can interfere with an experiment and make the results and conclusions unreliable.

Figure 4. Threats to Validity

When testing loss prevention programs, it is important that only one factor in the store is changed at a time. Additionally, whenever possible, the stores should be assigned to test and control groups randomly so that all other potential confounding variables will be distributed equally in both the test and the control groups.

Suppose that you were attempting to measure the effects of a more secure device to prevent loss of iPads. If, at the same time as your experiment, a separate initiative placed a guard in the area with the iPads, this would be a confounding factor, which would make measuring the effects of the more secure device impossible. Since both prevention factors are present at the same time in the same stores, it will be impossible to separate the effects of the guard from the effects of the more secure devices.

A potential threat to an experiment’s validity and the conclusions from the experiment is improper or incomplete analysis. If the wrong statistical tests are used, if confounding variables that should have been considered are not considered, or if another explanation for the effect was not analyzed, then the results may be invalid. To avoid these validity issues, the analysis should account for confounding variables, seasonality, and store openings and closings, use control stores, and apply the proper statistical tests.

Even if a proposed hypothesis is true, without an adequate sample size we may not be able to prove the hypothesis (and reject the null hypothesis in the statistical test). The null hypothesis is the opposite of what you are trying to prove. This becomes increasingly important when the size of the effect is small. For example, suppose we are trying to detect whether shrink has decreased. With only ten stores in a sample and with the natural variation of shrink, we will be unable to distinguish small changes in shrink from natural fluctuations in the data. However, if we use 100 stores, the sample will probably be large enough to overcome the variation in shrink.

The goal of an experiment and an analysis is to determine whether the loss prevention initiative creates value beyond the cost of the program. To measure return on investment, we first need to analyze the data in a manner that accounts for seasonality and normal data fluctuations. For this reason, we would measure the shrink rate in the test stores and control stores before the test, during the test, and during the same two periods in the previous year. Let’s assume, for this test, that we can obtain shrink within a specific time window using a manual method of measurement.

Once the experiment is completed, an analysis should be conducted to measure the impact of the new loss prevention program on the key metrics. A few key factors should be addressed in the analysis, which are unique to retail:
1) Seasonality – a key reason to use a control sample is seasonality. Most retailers have very different sales and loss patterns depending on the time of the year. There are a few techniques that we can use in the analysis to protect against seasonal fluctuations falsely influencing results.

2) Year-over-year trends – if stores are trending higher or lower on a key metric year over year just before the test, it may be important to consider these trends in the analysis. A way to deal with both the year-over-year trends and seasonality is to use the following metric for each store. Converting each store in the test and control samples to this measurement captures the net change in the key metric, considering trends before and during the test compared with the prior year.
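The sample-size point above (ten stores versus 100) and the seasonality and year-over-year adjustments in the analysis list can be made concrete with a simulation. The block below is an added example, not code from the article or its authors. It assumes one plausible form for the per-store metric, since the article's own formula is not reproduced in this excerpt: the change in shrink from the pre-test period to the test period, minus the same change in the prior year. Every shrink figure, the seasonal bump, the program effect and the store counts are constructed values, and the detection rule is a two-sided test using a normal approximation rather than a full t-test.

```python
"""Simulated test/control store experiment for a loss prevention program.

Added example, not from the article. All shrink figures are constructed.
"""
import random
import statistics
from statistics import NormalDist

# Constructed parameters (assumptions, not figures from the article)
BASE_SHRINK = 0.015      # typical shrink rate, 1.5% of sales
STORE_SD = 0.004         # how much underlying shrink differs between stores
TREND_SD = 0.001         # per-store year-over-year drift
SEASON_BUMP = 0.003      # the test window falls in a higher-shrink season
NOISE_SD = 0.002         # period-to-period measurement noise
PROGRAM_EFFECT = 0.0015  # true reduction from the program: 10% of BASE_SHRINK


def net_change(before, during, prior_before, prior_during):
    """Year-over-year adjusted net change for one store.

    Assumed form of the per-store metric the article refers to: the change
    from the pre-test period to the test period, minus the same change one
    year earlier. Comparing the same calendar windows removes seasonality,
    and subtracting last year's change removes the store's existing trend.
    """
    return (during - before) - (prior_during - prior_before)


def simulate_store(rng, effect=0.0):
    """Four shrink observations for one store: current-year before/during
    and prior-year before/during. A positive effect lowers shrink in the
    test period only (the program was not running a year ago)."""
    base = rng.gauss(BASE_SHRINK, STORE_SD)
    trend = rng.gauss(0.0, TREND_SD)
    prior_before = base + rng.gauss(0.0, NOISE_SD)
    prior_during = base + SEASON_BUMP + rng.gauss(0.0, NOISE_SD)
    before = base + trend + rng.gauss(0.0, NOISE_SD)
    during = base + trend + SEASON_BUMP - effect + rng.gauss(0.0, NOISE_SD)
    return before, during, prior_before, prior_during


def naive_change(n_stores, effect=PROGRAM_EFFECT, seed=2):
    """Mean before-vs-during change in test stores only, with no control
    group and no prior-year adjustment. Seasonality leaks straight into it,
    so a program that genuinely lowers shrink can still look like it raised it."""
    rng = random.Random(seed)
    changes = []
    for _ in range(n_stores):
        before, during, _, _ = simulate_store(rng, effect)
        changes.append(during - before)
    return statistics.mean(changes)


def treatment_estimate(rng, n_test, n_control, effect):
    """Difference in mean net change (test minus control) and its
    standard error, using each group's own sample variance."""
    test = [net_change(*simulate_store(rng, effect)) for _ in range(n_test)]
    control = [net_change(*simulate_store(rng)) for _ in range(n_control)]
    diff = statistics.mean(test) - statistics.mean(control)
    se = (statistics.variance(test) / n_test
          + statistics.variance(control) / n_control) ** 0.5
    return diff, se


def detected(diff, se, alpha=0.05):
    """Two-sided test at level alpha using the normal approximation."""
    z_crit = NormalDist().inv_cdf(1 - alpha / 2)
    return abs(diff) > z_crit * se


def power(n_per_group, effect=PROGRAM_EFFECT, trials=500, seed=1):
    """Fraction of simulated experiments in which the effect is detected.
    With effect=0.0 this is the false positive rate instead."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        diff, se = treatment_estimate(rng, n_per_group, n_per_group, effect)
        if detected(diff, se):
            hits += 1
    return hits / trials


if __name__ == "__main__":
    for n in (10, 100):
        print(f"{n:3d} stores per group: power = {power(n):.2f}")
    print(f"naive before/during change, 200 test stores: {naive_change(200):+.4f}")
    print(f"false positive rate, no effect, 100 per group: {power(100, effect=0.0):.2f}")
```

With these constructed values a 10% shrink reduction is detected in only a small fraction of simulated experiments at ten stores per group, but in most of them at 100 per group, which is the article's sample-size point in numbers. The naive before-versus-during comparison of the test stores alone comes out positive even though the program works, because the test window sits in a higher-shrink season; the year-over-year adjusted metric with a control group removes that bias, and with the effect set to zero it flags a difference only about as often as the chosen alpha predicts.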

If the results of the experiment are good, and the program is to be rolled out to all stores for a retailer, there are some rollout considerations. The program should be executed similarly to how it was executed for the test. It is also important to establish execution reports to determine whether the program is being executed properly as the program matures. If ongoing measurement is required, it may be useful to maintain a control group of stores that never get the program and can be used as a baseline group for comparison. Alternatively, the program’s removal can be tested at some point. This means that for some period, the program is removed from a random sample of stores, and now our test program is the removal of the program. This type of test would be conducted like the original test but in reverse.

In conclusion, the processes for conducting experiments in this article should help the loss prevention professional test and evaluate which programs will have the greatest effect in controlling losses.

EDITOR’S NOTE: This post has been excerpted/adapted from the authors’ text, Essentials of Modeling and Analytics: Retail Risk Management and Asset Protection. Learn more.

The post Experimental Design and Loss Prevention Programs appeared first on LPM.

Prioritizing Social Responsibility in Companies: A coming firestorm?

Ethical Systems Blog -

In a development that Andrew Ross Sorkin of The New York Times believes will cause “a firestorm” in boardrooms across the country, Larry Fink, the CEO of BlackRock, has sent a letter to the chief executives of the world’s largest public companies urging them to prioritize their company’s social responsibilities.

Sorkin writes that this is likely to be a watershed moment for American companies, given BlackRock’s position as one of the largest investors in the world with more than $6 trillion under management through 401(k) plans, exchange-traded funds and mutual funds.

In Fink’s appeal, BlackRock recognizes that most of the public has a long-term investing perspective, often saving for retirement or a rainy day. Most companies, however, manage their business with short-term interests in mind despite the interests of their owners and shareholders. This emphasis on the short-term, as Fink says in his full letter, “sacrifice[s] investments in employee development, innovation, and capital expenditures that are necessary for long-term growth.” This skewed dynamic has become even more pronounced given the shift towards greater use of index funds. As a fiduciary to the long-term investing public, BlackRock believes that “[their] responsibility to engage and vote is more important than ever.”

Fink’s letter also emphasizes the role of public companies in growing economic inequality. He writes, “Since the financial crisis, those with capital have reaped enormous benefits. At the same time, many individuals across the world are facing a combination of low rates, low wage growth, and inadequate retirement systems.”  Ethical companies are ones that tend to these dynamics, by providing good jobs to employees, recognizing ethical behavior and fostering an ethical and speak-up organizational culture. 

This emphasis on long-term value creation is consistent with academic research that shows that more ethical companies have better financial performance in the long run. Furthermore, Just Capital has also shown through its research that more ethical and “just” companies are more profitable. 

Profits aside, Fink makes an even stronger point – it’s the right thing to do.  “The time has come for a new model of shareholder engagement – one that strengthens and deepens communication between shareholders and the companies that they own.”


Tags: Andrew Ross Sorkin, Larry Fink, BlackRock, ethics pays, Azish Filabi

Compliance into the Weeds-Episode 66, the Salary Penalty for Misconduct

FCPA Compliance & Ethics -

In this episode Matt Kelly and I take a deep dive into a fascinating paper from Harvard Business School. Boris Groysberg and George Serafeim worked with a global recruitment firm to study more than 2,000 executive-level job placements from 2004 to 2011, examining a wide range of job placements and pay data since 2004. They [...]

The post Compliance into the Weeds-Episode 66, the Salary Penalty for Misconduct appeared first on Compliance Report.

A Sense of Purpose

The Harvard Law School Forum on Corporate Governance and Financial Regulation -

Posted by Larry Fink, BlackRock, Inc., on Wednesday, January 17, 2018 Editor's Note: Larry Fink is Founder, Chairman and CEO of BlackRock, Inc. This post is based on Mr. Fink’s annual letter to CEOs.

Dear CEO,

As BlackRock approaches its 30th anniversary this year, I have had the opportunity to reflect on the most pressing issues facing investors today and how BlackRock must adapt to serve our clients more effectively. It is a great privilege and responsibility to manage the assets clients have entrusted to us, most of which are invested for long-term goals such as retirement. As a fiduciary, BlackRock engages with companies to drive the sustainable, long-term growth that our clients need to meet their goals.


