The Role of Compliance in Protecting Our People & Communities

The U.N. Office on Drugs and Crimes estimates that annual illicit proceeds total more than $2 trillion globally. Proceeds of crime generated in the United States were estimated to total approximately $300 billion in 2010 or about 2% of the overall U.S. economy. As history would remind us and amidst the COVID-19 pandemic, crisis creates extreme vulnerability to fraud and financial crime across our global financial systems.

The ExCo vs. The Status Quo brings together like-minded individuals and brands to illuminate the innovative actions companies are taking to make a bigger impact. This diverse community of industry leaders are building the conversation around what’s working, what’s not, and how to make things better – together – through a shared commitment towards a common goal.

Today, I’m joined by Gilberto Wong, who is the Global Sales and Partner Compliance Leader at ServiceNow. ServiceNow believes in the power of technology to reduce the complexity in our jobs and make work, work better for people. They transform old manual ways of working into modern digital workflows so employees and customers get what they need when they need it. Gil is an ethics and compliance professional with experience in designing, operationalizing and enhancing global compliance programs. Prior to joining ServiceNow he was the North American Head of Compliance, Global Anti-Corruption program lead for General Cable, which was acquired by Prysmian Group under a three-year non-prosecution agreement with the U.S. Department of Justice for violations of the Foreign Corrupt Practices Act or FCPA.

He has co-led the integration of two global compliance programs post acquisition, designed and implemented global third-party due diligence and monitoring programs, third party audit programs, overhauled codes of conduct and related training overseeing numerous internal and cross-border investigations, and presented compliance program updates to C-suite and board members. Additionally, he served 13 years in the U.S. Army Reserve JAG Corps as a paralegal specialist, including 11 years as a non-commissioned officer and one year of active-duty service as a criminal justice non-commissioned officer in charge.

Gil, you’ve accomplished a lot in your career. And what I’ve loved most about your nomination is talking with my colleagues and hearing them describe the immense value you’ve brought to Exiger along the way.  Stepping back a minute, I just want to say thank you first and foremost for your service to our country and also for your candor in your partnership with Exiger. I’ve really been looking forward to this chat because, in the words of the great Shanti Salas with a nod to your military service, Gil has been both a wartime compliance leader and a peace time compliance leader. The perspective that you bring across all your experience is so unique. Thanks, again, for being here.

Gilberto Wong, Sales & Partner Compliance Leader at ServiceNow: Anna, thank you for that introduction. I’m truly excited to be here and to share my perspective with you and the Exiger team. I will start with a short disclaimer that what I discuss today are solely my views and opinions and do not represent or should be construed as the opinions of ServiceNow.

Gil, what does ‘making the world a safer place to do business’ mean to you?

GW: When I received your invitation and I looked into the campaign, the first thing that came to my mind was that it was a reminder of the intent of the laws that our compliance programs are intended to help us be compliant with. It really boils down to protecting people. And there’s so many layers to protecting people. From a company perspective, it’s protecting our employees, our customers, our partners, our leaders, our shareholders. Our investors are relying on the board and leaders to ensure we are doing the right thing. From a public sector standpoint, it is protecting the people that elected and appointed public officials were entrusted to represent and serve.

I have seen firsthand the effects of corruption and  diversion of public funds. We want to help ensure that funds ultimately intended to help societies, via public grants, contracts, multi-lateral funds, etc. are being used for their intended purpose, that they are not diverted improperly for personal gains, and that societies are getting the full benefit.  We all have a role in the fight against fraud and corruption, to make sure that the business world is a safe and fair playing field.

We all have a role in the fight against fraud and corruption, to make sure that the business world is a safe and fair playing field.

When you look back over your career, how has the role of compliance changed?

GW: I think it’s definitely evolved. I started my professional career on a much different path and then ended up in risk advisory, business intelligence and corporate investigations. When I was in that space, I recall helping financial services companies with AML/ KYC compliance program audits – reviewing and testing the filing of suspicious activity reports, etc. In retrospect, it almost felt like it was a check the box mentality; we’re doing what we are required to do. I think over the years that has evolved to where compliance is now more involved in greater areas of risk, more involved with the business, and more proactive in nature

It’s  typical for industries and even companies within industries to have different risk domains that fall within compliance responsibility. We see things like antitrust, anti-human trafficking compliance, conflict minerals, public sector compliance, trade sanctions and export controls. Data privacy is huge. The scope of compliance continues to evolve and the function’s direct involvement with the business, as a business partner, continues to expand. Compliance is no longer just a monitoring authority or audit authority, but rather a business partner that helps drive sustainable growth for companies.

Compliance is no longer just a monitoring authority or audit authority, but rather a business partner that helps drive sustainable growth for companies

So in the context of the landscape you’ve just laid out and the enormous impact being made in all these different vectors across the day-to-day business, how has the pandemic either forced or just naturally evolved that further?

GW:  The current environment presented a challenge in terms of getting us to review our priorities, our resources, and where we needed to focus our efforts. We saw COVID impact certain sectors and companies harder than others. Accordingly, I assume that the compliance functions within those sectors and companies were also more challenged by COVID than others.

We may not grow as fast and need to be a bit more conservative on our functional growth targets. For me it was asking, what are the key initiatives we need to get done this year and what can we postpone to post-COVID or FY21? Also, looking at our head counts and resources, where do we need to spend and focus our efforts to get through this environment? And then reassess once we get past this current environment.

Sort of a recalibration exercise, right? Getting really vicious about your priorities, understanding the budget constraints you have to work within and then figuring out how to put it all together because we all know that regulators are not expecting any less right from compliance programs this year.

As a follow on to that question, how has technology impacted your ability to keep up with regulatory change and your expanding global third-party network?

GW: That’s a great question. I think there are two parts to this. At ServiceNow, we’ve been working remotely globally since the end of February. We’ve had to adjust how we continue to build relationships with our stakeholders within the organization, our partners and even with our customers so that we remain relevant, invited to participate and provide a risk lens to our business on risk-relevant business decisions.

Technology has been a huge part of our continued ability to operate effectively in compliance. The ability to have virtual meetings and still have that interaction; to build relationships, network and continue to build trust and can continue to communicate, which is critical to what we do. Technology has definitely helped despite the environment having challenged us in a way that we had to rethink how we’re staying engaged, relevant and continuing to build relationships and further our mission.

Leading up to 2020 and increasingly in this current environment, regulators have encouraged compliance leaders to innovate in their programs, policies and procedures with an undercurrent of acknowledgement that the tools, policies and programming procedures that we put in place 10 years ago, even two years ago, are not designed to effectively manage the incredible amount and complexity of data, and all the nuance that we face today in trying to stay one step ahead of all the malfeasance around us.

What does that mean to you? Not just with respect to technology but also how we think about operationalizing the technology, the tactics and the strategies in creative ways?

GW: Right. This year has been all about the updated Evaluation of Corporate Compliance programs. My first impressions of the updated guidance were that they codifed what was understood to be best practices for compliance. I think the DOJ made its expectations more clear: we expect you to continue investing in compliance, emphasizing proactive efforts, continuing to take a risk-based approach to prioritization, and ensuring your compliance programs work through monitoring and testing.  With regards to third-party risk, the DOJ made clear that is more than just performing due diligence. 

Reading between the lines of the updated guidance, there is the expectation that compliance functions leverage technology to help stay effective, stay relevant, and be meaningful. That’s critical. Technology enables us to continue to move and scale with the business. So when we think about third party risk, we continue to leverage and rely on third party relationships to help build, promote our business globally and oftentimes sometimes exclusively. We don’t always have the ability to have someone monitoring a third-party 24/7, but we can leverage technology to help us achieve this.

You should be leveraging technology to help you stay effective, stay relevant, and be meaningful.

When you look out two months, three months, a year down the road, amidst all this continued uncertainty, how do you think this environment could further accelerate the need to innovate to do even more with less?

GW: We were faced with the challenge of how to continue achieving our goals and priorities while working remotely. We’ve definitely seen the current environment motivate companies to accelerate their digital transformation efforts. Companies are seeing the value and ROI from investing in this sooner rather than later. From a compliance perspective, we similarly should be moving towards real-time monitoring of our third-party relationships, proactively root out risk and be able to respond sooner rather than later.  I think that is what we’re all trying to achieve . . . how can you take a more proactive approach to mitigating and responding to risk?

When we’re performing due diligence and there is a need to escalate for further review, process matters as we have a direct impact on business.

What are some of the biggest challenges facing your industry today related to financial crime and corruption?

GW: More and more we are seeing cyber threats from organized crime globally that are leveraging technology to commit financial fraud. For example, we have absolutely used Exiger to understand where third parties may have had their own cyber breaches. Holding our third parties accountable for ensuring that they’re investing in their own cybersecurity, protecting customer data, along with our data and our IP, is really important. I definitely see cyber being a big threat. I also see that it’s not only in tech, but we continue to see the involvement of third parties in FCPA enforcement actions across all industries.

Companies will continue to work with third parties, invite them to develop business, be representatives of the brand, promote it, and deliver and manage relationships. We definitely need to ensure that we understand the reputational, operational, legal and financial risk when working with these third parties so that we can mitigate that risk if they are going to challenge the integrity of our revenue and that of our efforts in building relationships with customers. Continuing to be able to get relevant data, quickly, allows us to be informed of who we are considering working with and/or are working with, globally. Leveraging reliable data available in near real time allows us to monitor and respond to third-party risk quickly and keep with the pace of business.

Shifting away from the risks and challenges, data, the pace of business growth, expansion, can you share any example of major trends or developments in your industry that you think will help start to solution some of those challenges and really make the world a safer place to do business?

GW: I look at the example of AB InBev and they developed an in-house AI driven risk monitoring capability that’s connected to their business opportunities. I really admire how they took it on themselves to build something in-house to help them proactively mitigate compliance risk. Where I think there is room for technology to improve in our space, it’s connecting all the dots together. There’s great technology out there for helplines, whistleblower program managers; great technology for compliance training; great technology to help track travel and expense and how we manage expense, gifts and entertainment to government actors; great technology for third-party, reputational due diligence and monitoring. How do we tie it all together?

I think there is a big opportunity where we can leverage that data and having greater connectivity with our CRM and ERPs, to connect the data and make more real-time decisions while we scale and continue to monitor business. For example, if we have a certain government opportunity, is the third party that were going to provide a quote to a reseller? Are there any recent red flags or issues with that government and customer? Have we passed the threshold of our gift and entertainment limits for that third party or government customer? Have we had any internal allegations or inquiries or concerns?

Having the ability to tie all that data together to help monitor and have that connectivity at a very large scale and a very fast pace but still being able to flag and focus on the higher-risk scenarios. There is still a big opportunity there in the compliance technology space. And I think what AB InBev developed is a great example of them trying to tackle that challenge.

There is a big opportunity where we can leverage and connect all data to enable compliance to make more real-time decisions while monitoring business.

If there is one legacy you can leave behind in your career around this idea of making the world a safer place to do business, what is it?

GW: (I jokingly say I influenced the DOJ’s guidance) Long before they presented the updated guidance to the Evaluation of Corporate Compliance Programs and when having to present a third-party risk management program to the DOJ, I developed a four-stage framework on how we were going to manage third party risk over a relationship lifecycle, beyond just pre-engagement due diligence.

1. Stage One is pre-transactional due diligence.  Understanding the reputation and background of who we’re considering doing business with.  This is where Exiger comes in with the third-party due diligence.
2. Stage Two is managing and assessing risk at the opportunity level. For example, is a current opportunity with a foreign government customer?  In a high-corruption risk jurisdiction? Is the opportunity direct or through a reseller?  What discounts or other monetary incentives are being considered?
3. Stage Three is how we are managing and monitoring that relationship. Are we providing tailored compliance training for our third parties? Are we performing partner audits?  Are leveraging risk monitoring technology like Insight 3PM for red flag alerts?
4. Stage Four is how we are reassessing and periodically reevaluating that relationship. Are we evaluating them against our performance standards and expectations? Are we updating that due diligence? Are we asking them to recertify their commitments to the complainants with all the applicable anti-corruption laws and our Partner Code of Conduct?

But really, for me, I hope to build teams that then go on and build their own teams and contribute to the fight against corruption and ensuring that there’s a level playing field. I’ve had the benefit of learning and having great leaders to learn from, and I expect to emulate and share that with my teams so that they develop their own teams and build an army that fights corruption and helps make the world a safer place to do business.

Thank you, Gil.  We appreciate all the leadership and feedback you’ve provided to Exiger over the years.  It’s incredibly valuable and helps us understand where our solutions are meeting the market’s needs and where we still have work to do . . . 

Rapid Fire Round with Gilberto

• Favorite Place to Travel: For me, it’s Nicaragua, that’s where I spent my teenage years growing up. My parents still live there.  It just really energizes me to go back home, visit the beaches where I grew up going. I love going back to Nicaragua.
• Favorite Food: You know, if I had to pick one, I would say sushi, I love sushi. I love Peruvian food. I love pizza, I love barbecue. But if I had to pick one, it would be sushi.
• Favorite Show to Binge: True Detective, Game of Thrones, Stranger Things. Currently we’re into His Dark Materials.
• Favorite Book: Everything by Nick Hornby
• Favorite Band/Singer: My favorite band is an Argentinian rock band called Soda Stereo. I’m also a big fan of The Beatles and the Red Hot Chili Peppers.