Q&A: What You Need To Know About Compliance Risk Management
When working with programs funded by taxpayers, there is little room for error. From disaster relief to maintaining business ethics on a construction site, putting controls and management in place can help mitigate risk and prevent corruption. Each situation has its own unique approach, and often requires third-party monitors to prevent and identify fraud and abuse.
Bisnow sat down with CohnReznick Government and Public Sector Advisory National Director Frank Banda to discuss the company's best practices for compliance, risk and integrity monitoring.
Bisnow: What is compliance, risk and integrity monitoring? Walk us through a typical audit.
Banda: I lead our government and public sector, so that’s the perspective I’m going to give you, with federal and state agencies. When you talk about compliance, risk and integrity monitoring, we’re referring to compliance with laws and regulations. When you talk risk, you’re looking at what could go wrong with the administration of a program funded with taxpayer dollars and what controls are in place to properly manage those funds. It’s the risk that those services will not be delivered to the taxpayers or citizens, the risk that something could go wrong. Our government and public sector group at CohnReznick, for instance, is dedicated to helping our clients manage and mitigate risk.
Bisnow: What is integrity monitoring?
Banda: “Integrity monitoring” is a phrase that was coined in the Northeast to address corruption in the construction industry. One way to battle it, and I think this came out of the New York State Department of Investigations, was to put third-party integrity monitors on construction projects to prevent and detect fraud, waste and abuse. Integrity monitoring has since evolved into a risk mitigation and management tool. It’s the identification of risk, evaluating controls in place to mitigate and manage these risks and testing the effectiveness of those controls throughout the duration of the project or program.
Bisnow: What does a typical evaluation look like?
Banda: You can imagine that compliance, risk and integrity monitoring can go in a number of different directions. There’s no typical approach, especially for compliance and risk assessments. After Superstorm Sandy hit, CohnReznick was hired by the State of New Jersey to oversee $3B of U.S. Department of Housing and Urban Development disaster recovery dollars awarded to the state for the recovery of many of its housing programs. We implemented an integrity monitoring program. We started with a risk assessment of the 19 programs funded with HUD's Community Development Block Grant Disaster Recovery funds. Evaluating and looking at the risk and scoring those programs, we evaluated what could go wrong. We would look at the variables, such as whether or not the people administering these programs had the experience and success doing so, and the key performance indicators they were going to be using to assess successful performance.
Bisnow: It sounds like CohnReznick's assessment was an in-depth process.
Banda: In many ways, it’s a skill to be able to evaluate risk. Each of those programs is unique and requires experience, as well as someone who will look at these programs and think, “What could go wrong?” It requires somebody who is very analytical, a good critical thinker, but also someone who has experienced running these types of programs.
Bisnow: What are some best practices that government and public sector organizations can employ to ensure compliance with the complex tangle of laws, codes and regulations? How can private companies streamline their due diligence processes?
Banda: There are a lot of tools out there. Some of them have been laid out with other types of programs. A good place to start for public sector organizations is USA.gov. Here you can find a list of federal laws and agencies charged with enforcing them. For companies, it is important to set a tone at the top for lawful and ethical behavior. This can be accomplished by implementing a compliance and ethics program. An effective program protects a company by detecting and preventing improper conduct and promoting an ethical culture. While one program does not work for every organization, there are several components, such as standards and procedures, training and education, monitoring, disciplinary measures and remediation, that should be a part of every program.
Bisnow: How do risks differ between the public and private sectors?
Banda: As a mission-driven organization, whether you’re in the public or the private sector, accomplishing that mission is the most important thing. Large private sector organizations that have gone public usually have sophisticated governance structures. They have their shareholders, and are responsible to them for the use of their company dollars. In the public sector, you’re responsible to the taxpayers. But both government organizations and private companies are responsible for the handling of funds. I think those risks are a bit different because in the case of a private sector company, there is a profit motive. That creates a certain amount of risk. With profit motives at the forefront, individuals could have rich, incentive-based employment contracts. Risks then go up.
Bisnow: What is the most common pitfall government and public organizations encounter in ethics compliance? Fund management compliance?
Banda: The most common is not having a compliance and ethics program. That’s first and foremost. But once you have those programs, the No. 1 pitfall for both public and private companies is not having the proper tone at the top from both leadership and at the top where there is a board of directors or leaders of a government agency.
Bisnow: Have compliance monitoring procedures changed under President Donald Trump's administration?
Banda: When there was a change in the administration, we thought there might be a relaxing of compliance and oversight. The new administration wanted to move forward quickly, and best practices that have been implemented over the years might go by the wayside and not be really in the forefront of the new administration’s planning. But what we’ve found is that even though there are some rollbacks that are coming with Dodd-Frank and Federal Acquisition Regulations, the new administration is very interested in ensuring that there’s proper oversight of taxpayer dollars. Public sector organizations must make risk management a priority. The agencies are embracing it for two reasons: Firstly, the proper handling of taxpayer dollars is of the utmost importance for any agency or government organization, and secondly, most agencies have fewer resources available to them. So they need to assess where their risks are within the agency, and whether they have the proper controls in place. Regardless of which regulations are in place, enterprise risk management is of the utmost importance because you have to accomplish your mission and objectives with fewer resources.