FCPA Compliance and Ethics Blog

April 16, 2014

Tales from the Crypt-Rule No. 7-Actions Speak Louder Than Words

Filed under: Best Practices,compliance programs — tfoxlaw @ 7:30 am

Tales from the CryptEd. Note-I inadvertently ran Tale From The Crypt, Rule No. 8 out of order, so today we present Rule No. 7, which reminds us that Mom was right, actions do speak louder than words…

This Tale from our Crypt reminds us that over the years, you think you’ve heard it all and seen it all when it comes to abuse of expense accounts. One common thread however flows through the stories: Crime & Punishment are not always linked and often dependent on who you are as much as what you did. As we reminisced, several amusing stories came to mind…

As a young pup working in a small office of a much larger organization, I happened upon an “abuse in progress.” The employees wanted a refrigerator in their lunchroom. They put their heads together and the operations director came up with a brilliant idea. They would bring in receipts from home for personal expenditures of supplies, postage and the like, submitting them as petty cash expenses. They estimated it might take a couple of months to raise the required funds for their refrigerator. Good thing they had not actually submitted any receipts for replenishment of their petty cash fund when I caught wind of it. Their goal was admirable, keeping low paid but experienced workers warm and happy in a cold, snowy climate. But their methodology was designed to avoid possible refusal of their request because the office was a low performer. Nothing beats feet & ears on the ground.

It’s amazing what a sample can uncover. I’m personally a big proponent of statistical sampling because you can draw very powerful conclusions from relatively small investments of time. With that said, the experienced investigator or auditor has an amazing 6th sense for judgmental sampling. There was the marketing manager who submitted receipts for a new wardrobe and a whole set of Tupperware® reported as travel expenses related to a sales meeting he was in charge of planning. And yes, his manager had signed his approval of the expense report. Even though the purchases were not large, we were curious as to why the employee believed this to be valid travel expense (motives related to small issues sometimes indicate larger problems). Rather than bypassing this, we opted to review the spending with the employee. We got directly to the issue, showed him his expense report, and asked if he had submitted it. He responded that he had. We asked him if it was accurate as we were reviewing a group of expense reports. He stated that it was. Then we pulled out the receipts that he had attached and asked if they were his. He stated that they were. Then we called attention to while his expense report stated that the spending was for travel that the receipts were for other types of spending which appeared to be personal. The employee proceeded to explain that the spending was indeed for legitimate business expenses because he had established a dress code for the upcoming sales meeting which required everyone to wear black slacks and polo shirts. With a straight face, he went on to say that he had lost weight and no longer owned the self-required clothing and had to purchase proper attire to comply with his own rule! We had to bite our tongues not to lose it right then and there. So we proceeded to call his attention to the entire set of plastic food storage containers. Amazingly, he had an answer for that as well. This spending he had recorded as miscellaneous travel because he said his team was working late hours in preparation for the meeting and he had to bring in food from home to keep the team fed and happy and he did not have anything at home to use to carry it so, he bought the storage containers. We asked him why he recorded it as travel and he replied that was the only way he knew to be reimbursed. We explained that neither expenditure was acceptable as travel and not reimbursable by the company and that we would be back with him with the company’s intended actions. Then we met with the supervisor, who admitted that he never looked at the supporting receipts submitted for expense reports of those in his charge. Further, he assumed that his employees only would submit legitimate and authorized expenses. We presented our findings to Human Resources (HR) and General Counsel (GC) who jointly opted for the employee to reimburse the company for the personal expenses and a reprimand for the supervising manager, a well-respected member of sales management.

Over the years, I’ve seen other occasions, including a member of sales management entertaining customers and recording as meals; an evening of alcohol at a strip club in Mexico; a VP providing personal holiday gifts to various members of his organization hidden in travel expenses; and salesmen dressing up their leased company cars with trucks with “farkles” like custom steps, caps, wheels, and bed liner. The sad part about the thousands of dollars spent on unauthorized vehicle add-ons, besides management’s tacit approval and hiding these on expenses as “travel”, is that these vehicle add-ons technically violate the company’s vehicle lease agreement.

Each of these occurrences was handled differently by HR & GC. While we were not asked to delve beyond interviewing the manager who thought it an acceptable practice, the Mexico affair resulted in his termination. The VP was required to reimburse the company. The sales team vehicle infractions resulted in re-education.

We also uncovered a plant level employee structuring travel to extend company travel and placing him at a casino for evenings of gambling with the company picking up the tab for the extended stay. This employee lost his job. Contrast this with a senior leader identified as falsifying airline flight options to obtain approval for upgrades which would not otherwise be approved resulting in thousands of dollars in upgrades. The employee was “counseled”. Or perhaps the entrepreneurial approach at one subsidiary of registering their admin as a “travel agent” and booking their own flights through this “agency” (in violation of our travel policy) to obtain discount rates, but keeping the sales incentives for their personal benefit. That one had us really shaking our heads for their “creative” approach to securing discount travel, and while we admired their intent and ingenious approach to thriftiness, we really couldn’t permit the fraud to continue. C-Suite members’ personal expenses continue to be periodically identified as company expenses and remedied by recording them as compensation. Can you say “catch me if you can”?

While the actions of the GC and HR in each of these situations may have been appropriate for the given facts and circumstances, the perception is one of inconsistency and tolerance which encourages continued abuse and opens the door to challenges to disciplinary actions as unfair or even discriminatory. Deception and entitlement can become pervasive, particularly if the company has a policy of not publishing, even in general terms, internal “sentencing guidelines” for workplace misconduct. Our job is hard enough as it is, constantly working against the tide of perceived bias and favoritism. Whether the C-Suite participates or not, perceived inconsistencies establish a “tone at the top,” setting precedents that challenge the legitimacy of the Integrity & Compliance function. All it takes is a firm commitment to Integrity by consistently demonstrating intolerance for actions that do not support company values to turn the tide in our favor. But then, we might be out of a job… hmm. Let us think about that a bit more…

Who are the Two Tough Cookies?

Tough Cookie 1 has spent the more than half of her 20+ legal career working in the Integrity and Compliance field, and has been the architect of award-winning and effective ethics and compliance programs at both publicly traded and privately held companies. Tough Cookie 2 is a Certified Internal Auditor and CPA who has faced ethical and compliance challenges in a variety of industries and geographies and recently led a global internal audit team. Their series “Tales from the Crypt: Tough Choices for Tough Cookies” are drawn largely from real life experiences on the front line of working in Integrity & Compliance, and personal details have been scrubbed to protect, well, you know, just about everyone…

April 15, 2014

The Louisiana Purchase and Compliance Focus Group – Changing the Game

Focus GroupIn 1803, the fate of the United States changed in ways that could have never been contemplated, when the French Minister Talleyrand offered to sell France’s entire Louisiana Territory in North America to stunned American negotiators, Robert Livingston and James Monroe, who were simply trying to purchase the city of New Orleans from the French Emperor Napoleon. Quickly recognizing that this was an offer of potentially immense significance for the US, Livingston and Monroe began to negotiate on France’s proposed cost for the entire territory. Several weeks later, on April 30, 1803, the American emissaries signed a treaty with France for a purchase of the vast territory for $11,250,000. With the sale of the Louisiana Territory, Napoleon abandoned his dreams of a North American empire, but he also achieved a goal that he thought more important. “The sale [of Louisiana] assures forever the power of the United States,” Napoleon later wrote, “and I have given England a rival who, sooner or later, will humble her pride.”

There are many great resources out there for the compliance practitioner. One of them I have really come to appreciate and look forward to receiving is the Red Flag Group’s bi-monthly Compliance Insider magazine, available both in print and online versions. In the most recent version there were several articles that I found very useful for the compliance practitioner but the one I want to focus on today is the compliance focus group. This provides a forum, which allows employees to raise compliance issues and concerns in “an informal environment, in small groups or in one-on-one sessions. They can be done as stand alone or as break-out sessions from larger meetings, conferences or similar events where multiple parties get together.” The article provided 10 things which you should consider before you hold your compliance focus groups.

  1. Select Your Countries and Regions Carefully. You need to reflect on selecting those areas, which have “compliance issues, have been the subject of investigations or are higher risk.” Contrast that selection with one or more regions that have achieved compliance performance so that you can clearly articulate the difference. Most importantly, pick the regions that need the most support and “have the most business at risk if there is a compliance issue. You will also know from your own business those areas, business units or regions where there is more “noise” around compliance.”
  1. Plan Your Locations, Times and Attendees. Think about your logistics, both higher level such as travel times and lower details such as seating. As you will usually desire to have three to four sessions per day, up to 90 minutes, you will need to make sure people have enough time to get there and register. But also think about seating, as you want to make things as informal as possible. This means a conference table or a large U shape arrangement and not classroom or lecture room seating.
  1. Have Separate Management Sessions. It is important that you make attendees feel that they can give open and honest thoughts about the company and its compliance regime. This means you cannot have senior management in sessions for middle management and lower management and employees.
  1. Draft an Agenda and a Short Presentation. The author believes that many times participants will need a stimulus of some sort to get things going. He advises “A good idea is to build a brief agenda before the meeting, even if it is fairly flexible – many senior employees will demand an agenda before accepting a meeting.” Also prepare a brief PowerPoint presentation for the session designed to explain the purpose and outcomes of the session, keep it to five or six slides which will act as placeholders for discussion topics.
  1. Think About Some Probing Questions In Advance. Here are some of the suggested questions that you should consider asking to the group:
  • Do people understand what compliance is? What does it mean to you in your daily business dealings?
  • What do people think of the policies and procedures across the company?
  • Is the training simple and easy to understand?
  • What is the company culture around compliance? Do people really take it seriously or is there a “tick-the-box” mentality?
  • Are there issues with reporting? How do people report? What is the culture regarding reporting issues?
  • Does management “walk the walk” with compliance or just “talk the talk”?
  • How does your company compare to its peers in the area of compliance?
  • What is the competitive environment like, both externally and internally?
  • Where are the areas that compliance could improve?
  1. Select a Facilitator. Compliance issues can be sensitive and people can be uncomfortable talking about them. For the focus group to succeed and be of value, everyone should be made to feel comfortable; and feel that they are not being audited or reviewed or they will not be confident to speak up. The author believes that here a good facilitator can be assist in keeping “the discussion going, ensure that everyone participates, make people feel at ease and, most importantly, ensure that the discussion is lively. The facilitator might also need to be trained on some of the risk areas of the business and have a solid understanding of the business and the existing compliance program.”
  1. Prepare Your Opening Disclaimer. Some participants may want to know how their comments will be used, quoted directly or generalized. This would be the time to address such concerns and invoke confidentiality of names and other identifiers.
  1. Prepare Some Takeaways. The leader should be prepared to summarize what the next steps will be going forward, including when a report might be issued to management and what might included in the report.
  1. Prepare a Report For All Participants. A key component of any compliance focus group is a post event report, which consolidates all sessions. This should be generated as soon as possible after the end of the last session. The report should include specific actions that will be taken based upon the input received from the focus groups. There will certainly be expectations from participants that if they have reported any circumstances which warranted responses they will want to know what the compliance team is doing about a response. Participants will also want to see whether the feedback they gave is consistent with that given in the other sessions.

10.Write a Report for Management. This report should focus on the larger issues raised in the compliance focus groups and, as the author notes, “looking at the trends, steps forward and lessons learned.”

While your compliance focus group may not be quite the game changer that the Louisiana purchase was for the US, it will certainly provide you solid information on your compliance program that you can use to move it forward; as the article notes, “From the people who use the programme everyday—your employees and partners—you can find out what the programme means, how it adds value (or doesn’t add value) and how it is seen by the management team around the world. And while you are at it, you may want to check out the Red Flag Group’s Compliance Insider magazine, it is a great resource.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Implementing Compliance Incentives In Your Company

IncentiveSeveral readers have asked why I have not written anything about the Houston Astros this year. The answer is two-fold. The first is that I really do not care. However, the more I thought about it, the real reason is that they are not relevant. Just how not relevant are the bumbling hometown (former) loveables? Last week they achieved the noteworthy accomplishment of obtaining a Nielson rating of 0.00 for a second consecutive season. I am not aware of any other major league team, which has been on television for a game where no one was recorded as watching for the entire game, for two straight seasons. Pretty amazing when you think about it.

However, one thing that is relevant in the context of any best practices anti-bribery compliance program is incentives. The Department Of Justice (DOJ) and Securities Exchange Commission (SEC) could not have been clearer in the FCPA Guidance about their views on the need for incentives to help drive behavior that is ethical and in compliance with the Foreign Corrupt Practices Act (FCPA) when they stated “DOJ and SEC recognize that positive incentives can also drive compliant behavior.” In the Guidance, the SEC cited to the following:

[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an acceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his winloss record.

A recent article in the Spring 2014 issue of the MIT Sloan Management Review, entitled “Combing Purpose with Profits”, by authors Julian Birkinshaw, Nicolai J. Foss and Siegwart Lindenberg, presents some interesting steps on how a company might work towards achieving the goals articulated by the DOJ and SEC. The key thesis of the authors is if you want to motivate employees you have to have purpose. In their article they presented case studies from three entities: the Tata Group, Handelsbanken and HCL Technologies. From these three cases studies they came up with six core principles, which I will adapt for the compliance function in an anti-corruption compliance program.

  1. Compliance incentives don’t have to be elaborate or novel. The first point is that there are only a limited number of compliance incentives that a company can meaningfully target. Evidence suggests the successful companies are the ones that were able to translate pedestrian-sounding compliance incentive goals into consistent and committed action.
  2. Compliance incentives need supporting systems if they are to stick. People take cues from those around them, but people are fickle and easily confused, and gain and hedonic goals can quickly drive out compliance incentives. This means that you will need to construct a compliance function that provides a support system to help them operationalize their pro-incentives at different levels, and thereby make them stick. The specific systems which support incentives can be created specifically to your company but the key point is that they are delivered consistently because it signals that management is sincere.
  3. Support systems are needed to reinforce compliance incentives. One important form of a supporting system for compliance incentives “Is to incorporate tangible manifestations of the company’s pro-social goals into the day-to-day work of employees.” Make the rewards visible. As stated in the FCPA Guidance, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
  4. Compliance incentives need a “counterweight” to endure. Goal-framing theory shows how easy it is for compliance incentives to be driven out by gain or hedonic goals, so even with the types of supporting systems it is quite common to see executives bowing to short-term financial pressures. Thus, a key factor in creating enduring compliance incentives is a “counterweight,” by which we mean any institutional mechanism that exists to enforce a continued focus on a nonfinancial goal. This means that in any financial downturn compliance incentives are not the first thing that gets thrown out the window and if my oft-cited hypothetical foreign Regional Manager misses his number for two quarters, he does not get fired. So the key is that the counterweight has real influence; it must hold the leader to account.
  5. Compliance incentive alignment works in an oblique, not linear, way. The authors believe that “In most companies, there is an implicit belief that all activities should be aligned in a linear and logical way, from a clear end point back to the starting point. The language used — from cascading goals to key performance indicators — is designed to reinforce this notion of alignment. But goal-framing theory suggests that the most successful companies are balancing multiple objectives (pro-social goals, gain goals, hedonic goals) that are not entirely compatible with one another, which makes a simple linear approach very hard to sustain.” What does this mean in practical terms for your compliance program? If you want your employees to align around compliance incentives, your company will have to “eschew narrow, linear thinking, and instead provide more scope for them to choose their own oblique pathway.” This means emphasizing compliance as part of your company’s DNA on a consistent basis — “the intention being that by encouraging individuals to do “good,” their collective effort leads, seemingly as a side-effect, to better financial results. The logic of “[compliance first], profitability second” needs to find its way deeply into the collective psyche of the company.”
  1. Compliance incentive initiatives can be implemented at all levels. Who at your company is responsible for pursuing compliance incentives? If you head up a division or business unit, it is clearly your job to define what your pro-social goals are and to put in place the supporting structures and systems described here. But what if you are lower in the corporate hierarchy? It is tempting to think this is “someone else’s problem,” but actually there is no reason why you cannot follow your own version of the same process. We have seen quite a few mid-level managers make a real difference, and often quite quickly, using the principles outlined here.

The author’s have set out several steps that you can implement into your compliance program to enhance incentives to facilitate anti-corruption. There have been many who have criticized the FCPA Guidance. While I am certainly not one of them, I do not think there can be any argument that it does not present the DOJ and SEC views on a minimum best practices compliance program. So if the DOJ and SEC think incentives in your compliance program are important, I suggest to you, they are important. The article, which is the basis of this blog post, provides an excellent start for the exploration of some ways to inculcate anti-bribery and anti-corruption incentives into not only your compliance regime but also, more importantly, the DNA of your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 14, 2014

The HP FCPA Settlement

FCPA SettlementLast week the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) jointly announced the conclusion of a Foreign Corrupt Practices Act (FCPA) enforcement action against Hewlett-Packard Company (HP). In the settlement, HP agreed to pay $108MM in fines, penalties and disgorgements for criminal and civil acts. To say that it was one of the more perplexing FCPA settlements would seem to be an understatement. While some will read the settlement documents and see conduct which did not merit such a high total amount of fines and penalties, I am not from that camp.

The tale of this sordid affair of bribery and corruption occurred over 3 continents with multiple countries involved, evidencing an entire breakdown in company internal controls and a complete lack of a culture of compliance. Yet the settlement documents make great pains to emphasize that few employees were actually involved in the nefarious conduct. How bad was the conduct? Think right up there with BizJet because we had bags of cash delivered to a Polish government official. (But unlike BizJet, the Board of Directors did not approve the bribery scheme and it was not taken across the border.) For the Russian deal, it was shopped through several countries with multiple levels of company review, which did not seem to work or care much about anything except getting the deal done. For Mexico, they just seemed to get a free pass where the contract description for the agent who paid the bribe was “influencer fee”.

Finally, as most readers might remember, HP did not self-report this misconduct to the DOJ or SEC. Apparently, the story of HP’s bribery by its German subsidiary to gain a contract in Russia was broken by the Wall Street Journal (WSJ) article in April 15, 2010. The next day, the DOJ and SEC announced they were investigating the allegations of bribery. However, HP was made aware of the allegations by its German subsidiary in December 2009, when German authorities raided HP’s offices in Munich and arrested one HP Germany executive and two former employees. Yet HP never self-reported. Not exactly the poster child for self-disclosure for any company going forward.

Of course HP’s public response at the time indicated its attitude, when a HP spokesperson was quoted in the WSJ article as saying “This is an investigation of alleged conduct that occurred almost seven years ago, largely by employees no longer with HP. We are cooperating fully with the German and Russian authorities and will continue to conduct our own internal investigation.”

More befuddlement comes from the reported facts around HP Germany. As noted by the WSJ report, one, then current, HP executive was arrested and two former employees were arrested in connection with the investigation by German authorities. There is no mention of them in any of the settlement documents. The WSJ article also reported that investigation-related documents submitted to a German court showed that German prosecutors were “looking into whether H-P executives funneled the suspected bribes through a network of shell companies and accounts in places including Britain, Austria, Switzerland, the British Virgin Islands, Belize, New Zealand, the Baltic nations of Latvia and Lithuania, and the states of Delaware and Wyoming”. While some of these countries were mentioned in the settlement documents there was no mentions of DOJ or SEC investigations into Wyoming, Belize, the British Virgin Islands or New Zealand.

What are we to make of the criminal fines levied against the Russian and Polish subsidiaries of HP? The Polish subsidiary pled guilty to a two count Criminal Information consisting of (1) violating the FCPA’s internal control provisions; (2) violating the FCPA’s books and records provisions. The US Sentencing Guidelines suggested a fine range of $19MM to $38MM, the final fine was $15,450,244.

For the Russia deal, the Russian subsidiary pled guilty to a four count Criminal Information consisting of (1) conspiracy to violate the books and records provisions of the FCPA; (2) violating the FCPA’s anti-bribery provisions; (3) violating the FCPA’s internal control provisions; (4) violating the FCPA’s books and records provisions. The US Sentencing Guidelines suggested a fine range of $87MM to $174MM, yet the final fine was $58,772,250.

Finally, in Mexico HP’s subsidiary, according the to the SEC Press Release, “paid a consultant to help the company win a public IT contract worth approximately $6 million. At least $125,000 was funneled to a government official at the state-owned petroleum company with whom the consultant had connections. Although the consultant was not an approved deal partner and had not been subjected to the due diligence required under company policy, HP Mexico sales managers used a pass-through entity to pay inflated commissions to the consultant.” This was internally referred to by HP as an “influencer fee.” Pretty clear evidence of what it was to be used for, wouldn’t you say? Yet the DOJ did not to criminally prosecute the company’s Mexican subsidiary and entered into a Non-Prosecution Agreement (NPA), HP agreed to pay forfeiture in the amount of $2,527,750.

How did HP accomplish all of this? In a Press Release HP Executive Vice President and General Counsel John Schultz said, “The misconduct described in the settlement was limited to a small number of people who are no longer employed by the company. HP fully cooperated with both the Department of Justice and the Securities and Exchange Commission in the investigation of these matters and will continue to provide customers around the world with top quality products and services without interruption.”

As reported by the FCPA Professor, in his blog post entitled “HP And Related Entities Resolve $108 Million FCPA Enforcement Action”, the HP Russian subsidiary Plea Agreement gave the following factors for the reduction in the fine from the Sentencing Guideline range:

“(a) monetary assessments that HP has agreed to pay to the SEC and is expected to pay to law enforcement authorities in Germany relating to the same conduct at issue …; (b) HP Russia’s and HP’s cooperation has been, on the whole, extraordinary, including conducting an extensive internal investigation, voluntarily making U.S. and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the Department; (c) HP Russia and HP have engaged in extensive remediation, including by taking appropriate disciplinary action against culpable employees of HP and enhancing their internal accounting, reporting, and compliance functions; (d) HP has committed to continue enhancing its compliance program and internal accounting controls … (e) the misconduct identified … was largely undertaken by employees associated with HP Russia, which employed a small fraction of HP global workforce during the relevant period; (f) neither HP nor HP Russia has previously been subject of any criminal enforcement action by the Department or law enforcement authority in Russia or elsewhere; (g) HP Russia and HP have agreed to continue to cooperate with the Department and other U.S. and foreign law enforcement authorities, if requested by the Department …”

In the same blog post, the Professor reported the following reasons were stated for reduction in the final fine by HP’s Polish subsidiary’s:

“(a) HP Poland’s cooperation with the Department’s investigation; (b) HP Poland’s ultimate parent corporation, HP, has committed to maintain and continue enhancing its compliance program and internal accounting controls …; and (c) HP Poland and HP have agreed to continue with the Department and other U.S. and foreign law enforcement authorities in any ongoing investigation …”

We have witnessed companies, which have engaged in ‘extraordinary cooperation’ with the DOJ during the pendency of their FCPA investigations. BizJet is certainly one that comes to mind. Further, there are clear examples of companies, which extensively remediated during the pendancies of their FCPA investigations, from which they clearly benefited. Two prime examples are Parker Drilling, which not only received a financial penalty below the suggested range but also was not required to have a corporate monitor, while they had C-Suite involvement in its bribery scheme. Weatherford seeming came back from the brink during mid-investigation when they hired Billy Jacobson and turned around not only their attitude towards cooperation with the DOJ but also their efforts toward remediation.

Both of these companies are headquartered in Houston and both have been quite active on the conference circuit talking about their compliance programs so most compliance practitioners are aware that these companies are on the forefront of best practices. Perhaps HP is on some circuit doing that, somewhere. If so, kudos to them. If their remediation work led to a best practices compliance program for the company and their extraordinary cooperation led to the astonishing reduction in penalties to their entities, I certainly tip my cap to them. If their lawyers were great negotiators and made great presentations to the DOJ and SEC, all of which led to or contributed to the final results, a tip of the cap to them as well.

So what is the lesson to be learned for the compliance practitioner? Other than befuddlement, I am not sure. Congratulating HP and its counsel is not a lesson it is an action. If HP now has a best practices compliance program, I hope they will provide the compliance community with the lessons that they learned and incorporated into their compliance program, which allowed them to obtain the fines below the minimum suggested range. If they have incorporated some enhanced compliance components into their program I hope they will share those enhancements too.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 11, 2014

Joint Venture Partners and the Company You Keep Under the FCPA

Lie Down Wtih DogsAs the father of a teenage daughter I am sometimes, reluctantly, forced to admit that upon rare occasions my parents were right about a few things. One was asking for permission first rather than asking for forgiveness after the fact, or in my case as a teenager the untoward event. Another was my mother’s admonition that you are judged by the company you keep. I thought about that truism when I read an article in the Financial Times (FT) yesterday, entitled “Steinmetz unit won Guinea mining riches corruptly, inquiry says”, by reporter Tom Burgis.

The article relates the long running story of the BSG Resources’ (BSGR) winning of the multi-billion mining concession for the Simandou iron-ore mine in the country of Guinea, which was awarded to the company at the end of the reign of the country’s former dictator Lansana Conté, before he died in 2008. According to a report prepared by the current government of Guinea, BSGR won the contract by paying bribes to his fourth wife Mamadie Touré in the form of cash and shares “to help ensure those rights were stripped from Anglo-Australian miner Rio-Tinto and granted to BSGR.”

Of course there is also the tale of BSGR employee/agent/representative/other Frederic Cilins who contacted Ms. Touré in the US and offered to pay her some $5MM to retrieve the contracts which detailed the payments she was to receive from BSGR. It turned out that there was a Grand Jury investigation going on over BSGR at the time and by now Ms. Touré was a cooperating witness with the Department of Justice (DOJ). Cilins was arrested, charged with and pled guilty to obstruction of justice.

BSGR has denied all of these allegations and says that it received the rights to the mining concession fair and square. Further, it has questioned not only the legitimacy of the report issued by the Guinea government but of the government itself, saying “[current] President Conté has manipulated the process through unconditional technical and financial support from activists line [billionaire transparency advocate] George Soros and NGOs that function as his personal advocacy groups.” The Guinea government report notes recommends that BSGR’s mining concession be cancelled.

So how does all this imbroglio relate to my mother’s admonition? It is because BSGR was in a joint venture (JV) with the Brazilian company Vale for this concession. The FT article reports “After spending $160m on preliminary development of its Guinea assets, BSGR in April 2010 struck its $2.5bn deal with Vale, of which $500m was payable immediately. The balance was to be paid if targets were met but Vale halted payments last year, after the corruption allegations surfaced. The inquiry concluded that, although payments to Ms Touré allegedly continued following the Vale transaction, it was “likely” that the Brazilian group “has not participated in corrupt practices”. Nonetheless, it said the Vale-BSGR joint venture – which BSGR says has spent $1bn at Simandou – should be stripped of its rights to that and other prospects.”

Vale’s response to all of this has been – wait for it – “conducts appropriate due diligence prior to its investments.” Vale had no comment on the Guinea government report released yesterday. I wonder what its due diligence on BSGR turned up?

I wrote last week about the life cycle management of the third party relationship. Those series of articles was primarily aimed at agents and other representatives in the sales channel and vendors in the supply chain. While those same concepts apply to JV’s, there is another level of management when there is a relationship such as a JV. One JV partner must have transparency into the actions of its partner and there must be as much assurance as can be possible that there is no corruption going on. From the time line presented in the FT article it appears that the JV between BSGR and Vale was created (2010) after the payments were contracted to Ms. Touré and the concession granted to BSGR (2008).

However I am sure that is of little comfort to Vale who is now down its $500MM that it paid to BSGR to enter into the JV relationship. How much has it had to spend to circle the wagons to defend itself? And do you think the DOJ has come knocking on their door during its investigation? (The smart money says yes). To top it all off, last week the company announced it might have to write-off its entire investment in Guinea. While Guinea indicated that Vale would not be banned from rebidding if rights for the mining concessions were reopened, what do you thing Vale’s chances would be? (Here the smart money says no).

Did Vale subject itself to Foreign Corrupt Practices Act (FCPA) liability by joining into a JV with BSGR? At this point I have no idea. But you know my Mom was right, in the FCPA world, when it comes to JV’s, you are known by the company you keep.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 10, 2014

Asking Questions To Build Your Compliance Program

IMG_3289On this day in 1932 President Franklin D. Roosevelt (FDR) enacted the Civilian Conservation Corps (CCC) declaring a “government worthy of its name must make a fitting response” to the suffering of the unemployed. He waxed poetic when lobbying for its passage, declaring “the forests are the lungs of our land [which] purify our air and give fresh strength to our people.” Of FDR’s many New Deal policies, the CCC is considered by many to be one of the most enduring and successful. It provided the model for future state and federal conservation programs. From 1933 to 1942, the CCC employed over 3 million men.

The CCC, also known as “Roosevelt’s Tree Army,” was open to unemployed, unmarried US male citizens between the ages of 18 and 25. All recruits had to be healthy and were expected to perform hard physical labor. Enlistment in the program was for a minimum of 6 months; many re-enlisted after their first term. Participants were paid $30 a month and often given supplemental basic and vocational education while they served. Under the guidance of the Departments of the Interior and Agriculture, CCC employees fought forest fires, planted trees, cleared and maintained access roads, re-seeded grazing lands and implemented soil-erosion controls. The CCC was a solution that was right for the place and time but its effects have lasted up through this day. There are still CCC built national parks and other facilities in use. We still drive over bridges built by the CCC.

I thought about the CCC, how it was such an effective organization for its time and how the results of its efforts have lasted over 80 years, in some cases, when I read an article in the April issue of Inc. magazine, entitled “35 Great Questions”, where Paul Graham, Jim Collins and other business leaders looked at some of questions that thought business leaders should be asking of themselves and of their teams. While the focus was not on compliance and ethics, many of the questions clearly could be viewed through such a prism. The key is that by asking good questions, as listed below, it “opens people to new ideas and possibilities.”

  1. How can we become the company that would put us out of business?
  2. Are we relevant? Will we be relevant five years from now? Ten?
  3. If energy were free, what would we do differently?
  4. What is it like to work for me?
  5. If we weren’t already in this business, would we enter it today? And if not, what are we going to do about it?
  6. What trophy do we want on our mantle?
  7. Do we have bad profits?
  8. What counts that we are not counting?
  9. In the past few months, what is the smallest change we have made that has had the biggest positive result? What was it about that small change that produced the large return?
  10. Are we paying enough attention to the partners our company depends on to succeed?
  11. What prevents me from making the changes I know will make me a more effective leader?
  12. What are the implications of this decision 10 minutes, 10 months, and 10 years from now?
  13. Do I make eye contact 100 percent of the time?
  14. What is the smallest subset of the problem we can usefully solve?
  15. Are we changing as fast as the world around us?
  16. If no one would ever find out about my accomplishments, how would I lead differently?
  17. Which customers can’t participate in our market because they lack the skills, wealth, or convenient access to existing solutions?
  18. Who uses our products in ways we never expected?
  19. How likely is it that a customer would recommend our company to a friend or colleague?
  20. Is this an issue for analysis or intuition?
  21. Who, on the executive team or the board, has spoken to a customer recently?
  22. Did my employees make progress today?
  23. What one word do we want to own in the minds of our customers, employees and partners?
  24. What should we stop doing?
  25. What are the gaps in my knowledge and experience?
  26. What am I trying to prove to myself, and how might it be hijacking my life and business success?
  27. If we got kicked out and the board brought in a new CEO, what would he do?
  28. If I had to leave my organization for a year and the only communication I could have with employees was a single paragraph, what would I write?
  29. What have we, as a company, historically been when we’ve been at our best?
  30. What do we stand for – and what are we against?
  31. Is there any reason to believe the opposite of my current belief?
  32. Do we underestimate the customer’s journey?
  33. Among our stronger employees, how many see themselves at the company in three years? How many would leave for a 10 percent raise from another company?
  34. What did we miss in the interview for the worst hire we ever made?
  35. Do we have the right people on the bus?

As a Chief Compliance Officer (CCO) many of these questions could be adapted to the compliance function or directly asked of you, your leadership and your team. One of the thing that bedevils many CCOs is time to think, plan and consider what Warren Berger, the author of “A More Beautiful Question”, says is the “inquiry’s ability to trigger divergent thinking, in which the mind seeks multiple, sometimes non-obvious paths to a solution.”

I often say that a key role for a CCO is listening but equally important is asking questions. Inc.’s list of thought-provoking questions can give you some excellent ideas about areas to explore with your compliance team, your senior management and the employees in your company. So start asking questions and start listening.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

 

 

April 9, 2014

Tales From the Crypt: Rule No. 8 – Even Sailors Behaving Badly can get Promoted

Tales from the CryptEd. Note-the Two Tough Cookies are back with today’s guest post on the toleration of bad behavior…

It is no secret that “sailor’s mouth” is an acronym for someone who liberally uses foul language in even the most formal situations. There was a time in my life when I was known for dropping the “f-bomb” a bit too frequently, but age, experience and just plain civility has given me the presence of mind to be sensitive to others in a way I was not early in my career. I don’t even use that particular term in casual conversation with friends any longer without feeling a tinge of regret as soon as the word crosses my lips, acutely aware that it’s a bit “unseemly” of me, and doesn’t reflect the person I’ve grown into. I am less “familiar” with people, as I have come to realize that familiarity does indeed breed contempt, particularly in the workplace. I don’t even relax in casual get-togethers with friends, as many of my friendships are the direct result of my work relationships and, as we know from prior posts, appearances matter. When you are an Integrity and Compliance professional, people look at the whole person, not just the person who shows up to work, and personal conduct outside the workplace can result in just as damning a judgment from peers as conduct within workplace walls.

I was less than a month on the job when I was handed the work files pertaining to the hotline calls that had come into the organization before I was appointed to the compliance function. I had met with the HR professional who handled the lion’s share of the investigations, but one stood out – instead of the file name being labelled by the implicated party accused of wrong doing (as most were), this file was labelled under the name of the accuser. What I found within was nothing short of extraordinary, and, in hindsight, gave me crystal clarity to what lay ahead. What puzzles me (and many of my colleagues) to this day is how individuals such as those we describe in our Tales seem to consistently percolate to the top of their organizations, landing one plumb assignment after another, and those of us who keep our heads down, demonstrate respect and do our jobs with professionalism and dedication seem to get shunted off to the side again and again. We’re missing something important and this Tale from our Crypt spotlights one of the worst of the worst…

The time of my appointment was one of change. The CEO, unbeknownst to me, was preparing for retirement, planning on “ruling” his roost for only a few short months before turning his mantle over to one of the senior level executives who had steadily risen through the ranks and was now in charge of the largest revenue segment of the company. The Chief Human Resource Officer (CHRO) had “resigned” only a few months prior to my arrival, and I could not get a straight answer as to why. The interim executive in charge of the human resource function had only been at the organization a short time, overlapping the prior CHRO’s tenure by only a month.   He already had business cards printed with the title CHRO under his name, even though the board had not officially sanctioned his candidacy for the role and there was still an active executive search underway. By all rights, I should have been clued in then and there, but I was happy to have a job, having just left a rather unsavory position at a privately held company that made “hostile work environment” sound like a Hawaiian vacation in comparison to the draconian employment tactics they routinely used that forced me to stop and meditate every morning prior to crossing the threshold into the office.

The file that I had open before me told a story of foul language, abusive behavior, threatening gestures, lack of sensitivity for “personal” needs (such as terminal illness resulting in a death in the family), disrespect towards subordinates, and falsified work history. Was this guy for real? And to have him as “Charles in charge” of the HR function for a large, global company? I was shaking my head in disbelief. To further compound matters, the company had already hired a “coach” to work with him on his foul language…. and still, there was no apparent change of behavior.

The person who filed a complaint against this individual was so intimidated by his language, threatening gestures, and workplace violence (he once threw a pencil at her from across the room, saying people’s actions weren’t going to stick, just like the pen didn’t stick to the wall) that she asked to be demoted and lose pay in order to not work for him any longer.

Shortly after our new fearless CHRO took the reins, I caught wind that not only was the CHRO being snickered at behind his back for his outrageous behavior, word had it that he had actually falsified his work history, claiming a higher level HR executive position on his resume than was true. I had it on “good authority” from another HR professional that when both the CHRO and my “source” were colleagues at this same company, our new CHRO had established himself firmly as a “buffoon” and had risen no higher than a manager at his prior organization. Yet he managed to convince our hiring folks that he was “leadership” material…. and it was no wonder when we looked at the new hire due diligence process (coming up later)…

A really quick way to percolate talk around the coffee pot (and erode the respect your employees have for the organization) is when a company bends over backwards to accommodate an executive’s special needs, especially setting up offices and whole operations in places where the company never had a business presence, for the convenience of the executive (or one of his top subordinates). Not long after his self-appointment, our new CHRO became so enamored with a candidate of his choosing that he pushed to move an entire HR function to this candidate’s home state, disrupting the lives of several dozen individuals who were forced to either move to the new location (a full day’s drive and 5 states south of headquarters), find a new position at HQ, or be laid off.  In this instance, the CHRO’s “pet” was ensconced to oversee several HR support functions out of this new location. Given that the “pet” was new and unproven as an employee, the talk speculated whether or not there was something going on between the CHRO and this new hire. Then this new manager pushed through the hiring process a candidate she had chosen in spite of the interview panel commenting that the candidate’s “demeanor was deceptive.”

When it came to the background check on new hires, “asleep at the wheel” comes to mind. The only reason this candidate came up on my radar was when another HR colleague suspected something was amiss when the company was pursuing some government contracts, and a request for documentation was issued from a state agency that wasn’t part of the bidding process. This Mata Hari’s mistake? When we opened the file (which was sent via email, from a fabricated email address, from a web site she created and launched only a month earlier, which very much had the look and feel of an “official” state agency, and even had a live phone number answered by her “significant other” – you get my drift…), the metatags on the document indicated she was the author, and not the state agency.   When we reviewed her application, and did a root cause analysis of what went wrong, it became clear that expediency won over reason, and red flags which surfaced in the original background check were overlooked, even though several points indicated her candidacy as “unverifiable.” False names were given for references, and burn phones given for contact info. Job positions were fabricated for companies which did not exist, and couldn’t be found on either the internet, or by the PI’s we hired to actually visit the sites identified. We weren’t even really certain if the candidate’s social security number was really hers … but I digress.

We have seen it again and again – people behaving badly, getting away with it, and in some instances, being “rewarded” for their behavior by being promoted soon after a workplace incident was brought to my attention. We have yet to break the “code” of when arrogance crosses the line from being “coachable” behavior, to being “assertive” and a “closer,” thus worthy of promotion. We cannot figure out, for the life of us, why allowing fundamental compliance lapses such as due diligence in hiring can be overlooked, shrugged off as if inconsequential. We have come to the conclusion it all has to do with whether or not you’ve finally been accepted into the “inner circle” and/or whether or not the company feels too “invested” in the person to simply punt them out of the arena for being abrasive, and in some instances, downright hostile. What amazes us even further is when it is the Human Resource Function that is behaving badly….

Who are the Two Tough Cookies?

Tough Cookie 1 has spent the more than half of her 20+ legal career working in the Integrity and Compliance field, and has been the architect of award-winning and effective ethics and compliance programs at both publicly traded and privately held companies.  Tough Cookie 2 is a Certified Internal Auditor and CPA who has faced ethical and compliance challenges in a variety of industries and geographies and recently led a global internal audit team. Their series “Tales from the Crypt: Tough Choices for Tough Cookies” are drawn largely from real life experiences on the front line of working in Integrity & Compliance, and personal details have been scrubbed to protect, well, you know, just about everyone…

April 8, 2014

Mickey Rooney and The 90 Cent Solution

Mickey Rooney as PuckWe begin today with a word on the death of Mickey Rooney. Rooney’s career, spanning nearly 90 years was certainly was from a different era. He was short of stature and long in his number of marriages but as Bob Lefsetz noted in his blog post tribute to Rooney, “But they stood in front of us twenty feet tall. At the drive-in. Even when the pictures truly got small on the tiny old screens of yore they emerged triumphant, because they were so good-looking, so charismatic. And if you were big enough, a bright enough star, your legacy lived on, even if your present day circumstances bore no resemblance to fame.” But here’s why there is always a place in my heart for Mickey Rooney. When I was very young I lived with my grandparents and one night I watched the 1935 movie version of Shakespeare’s A Mid Summer Night’s Dream on television with my grandmother. Rooney’s so over the top performance of Puck began for me a life long love affair with the Bard. So here’s to the grandmother that started me off on a lifelong love affair of Shakespeare’s works and here’s to the Mickster—you did it your way.

I have often considered the role of senior management is to set a proper ‘Tone-At-The-Top” to do business ethically and in compliance with anti-corruption laws like the Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act. Incentives to do business ethically and in compliance are also recognized as an important part of any best practices compliance program. The flip side of incentives is disincentives, such as discipline or financial penalties for affirmatively engaging in misconduct. But how far should such disincentives go and how strong should they be? Should there be penalties for not only affirmatively engaging in misconduct but also failing to monitor risk-taking that allows misconduct to occur? If the latter becomes prevalent, how close do we come to criminalizing conduct, which is arguably negligent and not simply intentional?

I have thought about several of these questions and many others over the past few days when reading about the ongoing struggles of General Motors (GM) over its Cobalt recall issues and Citigroup in regards to its Mexican banking operations. In an article by Gretchen Morgenson in the New York Times (NYT), entitled “The Wallet as Ethics Enforcer”, where she asked “Who decided—and who agreed—that 90 cents was too much to pay for each switch that would have fixed the problem that apparently led to 13 deaths? How much did that decision add to the bottom line and add to executives’ compensation over the years? What will the company have to pay in possible regulatory penalties and legal settlements?” One of her own answers to these questions reads, “While the shareholders of G.M. will shoulder the cost of the fines, the settlements and loss of trust arising from the mess, the executives responsible for monitoring internal risks like these are unlikely to be held accountable by returning past pay.”

Citigroup, which had previously indicated that it had been the victim of a huge fraud perpetrated by one of its customers in Mexico, Oceanografía. However, now Citigroup now faces both federal criminal and civil investigations over the affair. As reported in a Wall Street Journal (WSJ) article, entitled “Crime Inquiry Said to Open On Citigroup”, Ben Protess and Michael Corkery reported that both the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have opened investigations “focusing in part on whether holes in the bank’s internal controls contributed to the fraud in Mexico. The question for the investigators is whether Citigroup—as other banks have been accused of doing in the context of money laundering—ignored warning signs.” For a bank to be criminally liable, “prosecutors would typically need to show that the bank willfully ignored warning signs of the fraud.” However, to show a civil violation, the threshold is lower and there may only need to be a showing that the bank lacked the proper internal controls or internal oversight.

In her article, Morgenson spoke with Scott M. Stringer, the New York City Comptroller, who is a strong advocate of corporate requirements which “make sure that insiders who engage in questionable conduct are required to pay the piper” in the form of clawback provisions. Stringer has worked with companies to expand clawback provisions beyond those mandated by Sarbanes-Oxley (SOX), which required “boards to recover some incentive pay from a chief executive and chief financial officer if a company did not comply with financial reporting requirements.” Now, clawbacks have expanded to require executives to return compensation “even if they did not commit the misconduct themselves; they run afoul of the rules by failing to monitor conduct or risk-taking by subordinates.” Stringer believes that such clawback provisions not only “speak to the issue of financial accountability but also to setting a tone at the top.”

Morgenson ends her article by noting that unless GM makes public its internal investigation, “we may never know how many G.M. executives knew about the Cobalt problems and looked the other way.” In the meantime though, this debacle shows the importance of policies that hold high-level employees accountable for conduct that, even if not illegal, can do serious damage to their companies. Directors creating such policies would be sending a clear signal that they take their duties to the company’s owners seriously.”

At this point, we do not know high up the decision went in GM not to install the 90 cent solution. But I would argue it really does not matter. Somewhere in the company, some engineer figured out a solution and indeed one was implemented without changing the part number. I am sure the GM Board would have been sufficiently shocked, just shocked, to find out that such decisions as monetary over safety were going on inside the company. What does all of the information released so far tell us about the culture inside GM when these decisions were made? While I am certainly willing to give current GM Chief Mary Barra the benefit of the doubt about her intentions for the company going forward, particularly after a grueling couple of days before Congress, what do you think the financial incentives were in the company when the 90 cent solution was rejected?

It initially appeared that Citigroup was the victim of a massive fraud perpetrated by one of its customers. However, even initially it was reported that Citigroup let its Mexican operation, Banamex run its own show with very little oversight from the corporate office in New York. Now Citigroup is not only under a civil investigation for lack of proper internal controls but also a criminal investigation for willful ignorance of Banamex’s operations. Does any of this sound far-fetched or perhaps familiar? Think about Frederick Bourke and ‘conscious indifference’. Even the judge in Burke’s criminal trial mused that she did not know if he was a perpetrator or a victim. Perhaps Citigroup is both, but if he was both it certainly did not help Bourke. While I am certainly sure that the Citigroup Board of Directors would also say that it would also simply be shocked, just shocked, to find that there were even insufficient internal controls over Banamex, let alone willful ignorance of criminal actions of its Mexico subsidiary, it does pose the question as to what is the culture at the bank?

As important as clawbacks are, until the message of compliance gets down from the top of an organization, into the middle and then to the bottom, a culture of compliance will not exist. I have worked in an industry where safety is goal number one. But in the same industry I have heard the apocryphal tale of the foreign Regional Manager who is alleged to have said, “If I violate the Code of Conduct, I may or may not get caught. If I violate the Code of Conduct and get caught, I may or may not be punished. If I miss my numbers for two quarters, I will be fired.” Clawbacks for Board members would not have influenced this apocryphal foreign Regional Manager, any more than they would have worked on the psyche of the GM engineers who proposed and then later dropped the 90 cent solution. It was clear to them what their bosses thought was important for them to keep their jobs. As long as management has that message, doing business ethically and in compliance will always take a second seat.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

April 7, 2014

The Battle of Shiloh, Corruption in Ukraine and Things to Come

Things to ComeOn this day 126 years ago the two-day battle of Shiloh ended. On the second day, the Union troops under General Grant largely recovered the ground that the Confederate troops had taken on the first day. Grant was severely criticized for allegedly being taken by surprise by the Confederate attack but he managed to survive the firestorm. The Confederates lost their most senior commander, General Albert Sydney Johnson, on the first day of the fighting.

With the successful Union counter-attack on the second day the battle is generally viewed as a tactical victory for the North. However, for me the thing that is most significant about this battle is that it was the first horrific slaughter of the Civil War. There were over 23,000 casualties on both sides. Unfortunately it presaged more to come. I will never forget Shelby Foote’s comments in Ken Burn’s documentary The Civil War. Shiloh was not an aberration but there were 25 more Shiloh’s to come. It truly was a sign of things to come.

The recent events in Ukraine have had a variety of interpretations, results and predictions. But one thing is clear, the government of Ukraine allowed systemic corruption to occur. One can look to the Archer-Daniels-Midland Corp. (ADM) Foreign Corrupt Practices Act (FPCA) enforcement action to see the effects in play. In that matter, ADM paid bribes to obtain tax rebates to which it was legally entitled. Unfortunately for ADM it developed opaque schemes to fund bribery payments and then hid them on its books and records. Not good for FPCA compliance.

Or consider the case of Ikea. In an article in Bloomberg, entitled “Dashed Ikea Dreams Show Decades Lost to Bribery in Ukraine”, Agnes Lovasz wrote that Ikea has tried for over a decade to open a store in the country but has been unable to do so because it refuses to pay bribes to do so. She wrote that according to Transparency International’s (TI’s) Corruptions Perceptions Index (CPI), “Stuck between the European Union and its former imperial master Russia, Ukraine has emerged as the most corrupt country on the continent.” She quoted Erik Nielsen, chief global economist at UniCredit SpA in London, for the following, “Even before this latest crisis, Ukraine was a mess beyond description”. How about this recommendation from Lennart Dahlgren, a retired Ikea executive who led the company’s entry into Russia, who said in an interview with Russkiy Reporter magazine in 2010, that compared with Ukraine, Russia, the most corrupt major economy, “is whiter than snow”. Faint praise indeed.

While a US, UK, EU or other western government response is certainly appropriate, I thought about a business led response to such a situation when I read a recent article in the April issue of the Harvard Business Review (HBR), entitled “The Collaboration Imperative”, by authors Ram Nidumolu, Jib Ellison, John Whalen and Erin Billman. In this article they discussed business collaborations in the context of sustainability. I found their concepts should be considered by companies or industry groups when trying to develop strategies to fight corruption. As Jason Poblete continually reminds us, the marketplace is one important place to look for solutions to problems and this article certainly provides some starting points for such an analysis.

The authors posit that collaboration models should be divided into two categories: (1) coordinated processes and (2) coordinated outcomes. Adapting these to anti-corruption/anti-bribery programs, this means that under the ‘coordinated processes’ prong businesses should identify and share industry-wide operational processes that prevent and detect bribery and corruption. Under the ‘coordinated outcomes’ prong, the authors work translates into developing industry benchmarks and standardized systems for measuring anti-corruption/anti-bribery performance across the value chain.

The authors had some specific steps in their article which I thought also provided insightful for implementing their ideas in the anti-corruption/anti-bribery context. First you should being this journey “with a small, committed group.” The reason to do so is “to prevent the logjams that can occur when many stakeholders with conflicting goals try to work together, start by convening a small “founding circle” of participants. The members must have a common motivation and have mutual trust at the outset. This group develops the project vision and selectively invites subsequent tiers of participants into the project as it develops.” Next you should try to “link self-interest to shared interest.” This is because to help facilitate success, “collaboration initiatives must ensure that each participant recognize at the outset the compelling business value that it stands to gain when shared interests are met.” The participants need to then try to monetize the system value by “linking self-interest and shared interest is to quantify how the collaboration reduces costs or generates revenue for each participant.” It helps to build a direct path to some early successes because it is important “to generate momentum and commitment, the action plan must also emphasize quick wins. Business thrives on visible and immediate results, and sustainability collaborations are no exception. Even if these wins are small initially, the cost savings or incremental revenues provide proof to other executives inside participants’ organizations that the investment is worthwhile.”

As many in such a collaborative group will have conflicting priorities, the authors believe it is important to have “independent project-management specialists with demonstrated competence in trust building among diverse stakeholders. Additionally, the project management function must be seen by all participants as neutral and committed to the success of the project, rather than to any individual stakeholder.” Interestingly, the authors note that there should be built in competition which should be “structured to support shared goals.” Finally, and perhaps most obviously, any such group must have a culture of trust. Fortunately, in the anti-corruption/anti-bribery world there are very few trade secrets but beyond this, the “building and maintaining trust is an ongoing practice foundational to every other practice during the collaboration project.”

Perhaps the people or the leadership of Ukraine may at some point realize that the perceived endemic nature of corruption in their economic system, helped lead in part to its current problems. Maybe the citizens in Crimea thought the Russian government less corrupt. While I do not pretend to know the answers to these questions, the collaboration model that the authors have detailed for sustainability initiatives is certainly one that US companies might wish to consider on some type of industry wide basis.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 4, 2014

Life Cycle Management of Third Parties – Step 5 – Management of the Relationship

Five stepsToday ends my review of what I believe to be the five steps in the management of a third party under an anti-bribery regime such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. On Monday, I reviewed Step 1 – the Business Justification, which should kick off your process with any third party relationship. On Tuesday, I looked at Step 2 – the questionnaire that you should send and third party and what information you should elicit. On Wednesday, I discussed Step 3 – the due diligence that you should perform based upon the information that you have received from and ascertained on the third party. On Thursday, I examined Step 4 – how you should use the information you obtain in the due diligence process and the compliance terms and conditions which you should place in any commercial agreement with a third party. Today, I will conclude this series by reviewing how you should manage the relationship after the contract is signed.

I often say that after you complete Steps 1-4 in the life cycle management of a third party, the real work begins and that work is found in Step 5– the Management of the Relationship. While the work done in Steps 1-4 are absolutely critical, if you do not manage the relationship it can all go down hill very quickly and you might find yourself with a potential FCPA or UK Bribery Act violation. There are several different ways that you should manage your post-contract relationship. This post will explore some of the tools which you can use to help make sure that all the work you have done in Steps 1-4 will not be for naught and that you will have a compliant anti-corruption relationship with your third party going forward.

Managing third party relationships is an area that continues to give companies trouble and heartburn. The “2013 Anti-Bribery and Corruption Benchmarking Report – A joint effort between Kroll and Compliance Week” found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, 100% of respondents say their company uses at least one method, if not more.

While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

One noted commentator has discussed techniques to provide this management and oversight any third party relationship. Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), writing in the Compliance Week magazine set out a five-step process for managing corruption risks, which I have adapted for third parties.

  1. Screen - Monitor third party records against trusted data sources for red flags.
  2. Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
  3. Investigate - Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
  4. Analyze - Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
  5. Audit - Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Based upon the foregoing and other commentators, I believe there are several different roles in a company that play a function in the ongoing monitoring of the third party. While there is overlap, I believe that each role fulfills a critical function in any best practices compliance program.

Relationship Manager

There should be a Relationship Manager for every third party which the company does business with through the sales chain. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party. Some of the duties of the Relationship Manager may include:

  • Point of contact with the Third Party for all compliance issues;
  • Maintaining periodic contact with the Third Party;
  • Meeting annually with the Third Party to review its satisfaction of all company compliance obligations;
  • Submitting annual reports to the company’s Oversight Committee summarizing services provided by the Third Party;
  • Assisting the company’s Oversight Committee with any issues with respect to the Third Party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. I do not believe that this will create a conflict of interest or that there are other legal impediments to providing such services. They can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party.

Oversight Committee

I advocate that a company should have an Oversight Committee review all documents relating the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.

Audit

A key tool in managing the relationship with a third party post-contract is auditing the relationship. I hope that you will have secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed. Noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data, which is also appropriate for a compliance audit. As a base line I would suggest that any audit of a third party include, at a minimum, a review of the following:

  1. the effectiveness of existing compliance programs and codes of conduct;
  2. the origin and legitimacy of any funds paid to Company;
  3. books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;
  4. all disbursements made for or on behalf of Company; and
  5. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

If you want to engage in a deeper dive you might consider evaluation of some of the following areas:

  • Review of contracts with third parties to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous reporting, hotline or any other reporting mechanism.
  • Does the third party have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review employee expense reports for employees in high-risk positions or high-risk countries.
  • Testing for gifts, travel and entertainment that were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

In addition to monitoring and oversight of your third parties, you should periodically review the health of your third party management program. Once again I turn to Diana Lutz and her colleague Marjorie Doyle, and their White Paper entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, where they gave a checklist to test companies on their relationships with their third parties.

  1. Do you have a list or database of all your third parties and their information?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment?
  4. Once the risk categories have been determined, create a written due diligence process.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations?
  6. Is there someone in your organization who is responsible for the management of each of your third parties?
  7. What are “red flags” regarding a third party?

Perhaps now you will understand why I say that after you prepare the Business Justification; send out, receive back and evaluate the Questionnaire; set the appropriate level of Due Diligence; evaluate the due diligence and execute a contract with appropriate Compliance Terms and Conditions; now the real work begins, as you have to manage the third party relationship.

I hope that you have found this review of the life cycle management of third parties helpful for your compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Next Page »

Customized Rubric Theme Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,199 other followers