FCPA Compliance and Ethics Blog

June 17, 2011

Setting the “Tone at the Top” for FCPA and UK Bribery Act Compliance

Filed under: Bribery Act,FCPA — tfoxlaw @ 1:40 am

Ed. Note-today we share the third in a series of Guest Posts by Michael Potorti, CPA on the role of an auditor in FCPA/UK Bribery Act Compliance.

In any organization, employees look to Management to set the example for them to follow. Almost all employees want to believe in a company and maximize their efforts to drive the Company forward to be the best it can be in a particular industry. They look to their leaders for guidance and advice and pay particularly close attention when Town Halls are held and Company-wide communications are released. I have consulted for many companies and I have witnessed this first hand – a common thread, if you will.

When it comes to FCPA and UK Bribery Act compliance, what better way to kick off your efforts than by having Executive Management use these forums and communications to drive the point home that ALL employees must comply? It sets the “Tone” that the Company takes pride in doing business ethically and will not tolerate offenses.

Here are some suggestions for setting the “Tone at the Top”:

1) Get Executive Management’s Buy In – to clarify that this is not “just another thing the Company needs to comply with”, meet with Management to educate them on the FCPA/UKBA. Give examples of recent judgments against companies that include hefty fines and jail time for some Executives. Ensure that the audience includes the Board of Directors and Executive Management.

2) Work with the Legal and Compliance Departments to include FCPA/UKBA compliance in the Company’s General Ethics Policy – these departments will be involved in the process to imbed FCPA/UKBA compliance within the organization so it is key to get their views on where the major risks are and what employees are expected to do going forward. Specific language should be inserted into the Ethics Policy and Standard Operating Procedures should be developed/amended to provide guidance on how to comply with the FCPA/UKBA.

3) Communication from CEO – a Company-wide communication should be issued by the CEO that points to Company guidance and encourages Mid-Management and all employees to cooperate with the imbedding of related internal controls and training efforts. The communication should specifically state that the Company expects that all employees will comply with the FCPA/UKBA and that Executive Management will have zero tolerance for offenders. A separate communication should be developed and distributed publicly to all 3rd Party Agents, vendors, etc. stating the Company’s commitment to compliance.

4) Set up a Steering Committee – the committee should include Board Members and Executive Management and exist to monitor Project efforts to imbed internal controls and provide targeted training within the organization. Project status should be provided on a regular basis so that the Committee can help with any “roadblocks” or bottlenecks that develop. The Committee can also provide any new information to the Project team (i.e. newly uncovered instance of fraud) so efforts can be amended as necessary.

Executive Management must be on-board with the effort to make employees aware of the FCPA/UKBA and their impact on the Company for instances of non-compliance. Proactive efforts could save the Company huge cost and negative publicity in the long run.

Michael Potorti can be reached at mpotorti@mp-audit.com.

June 16, 2011

“I Know a Case” and Other Great Aphorisms – Observations on the FCPA Hearing

Filed under: FCPA — tfoxlaw @ 1:53 am

“I know a case.” These four words are the bane of every young lawyer. When you are an associate, there is always some older senior partner who is sure that he remembers some case that is the key precedent for whatever the legal problem du jour is for that emergency. Of course, he is a bit fuzzy on the name of the case, he cannot remember the date and heaven forbid he could give you a citation, but he is sure that it exists. So you had best go forth and find it. Another way to look at it is the Urban Myth; the person is sure they know some story or fact which is true but no one can ever seem to find the original source of the information.

I say all of this by way of introduction to my take on Tuesday’s House Judiciary Committee hearing on the Foreign Corrupt Practices Act (FCPA). Several commentators wrote very well yesterday about the substance of the hearing (the FCPA Professor); one possible fix to the FCPA (the FCPA Blog); and how the House might ‘update’ the FCPA (White Collar Defense and Compliance). I will try not to trample over some of the insightful musings of my blogging colleagues in these areas, instead I will try and discuss some of the more interesting lines, observations and questions I heard posed yesterday. So we will begin with…

I Know a Case

Former US Attorney General and now Chamber of Commerce lobbyist Michael Mukasey discussed the infamous ‘taxicab case’ which has been making the FCPA circles for some time now. In this example a company pays for a foreign governmental official to take a ride home after working hours in a taxicab because it is so late that the trains are no longer operating. Thereafter, some unnamed compliance officer back in the US self-reports this to the Department of Justice (DOJ) and the unknown DOJ attorney assigned to the matter demands a full investigation which costs the company over $200,000 (or $300,000 or $400,000, depending on which version of the story you hear). General Mukasey testified that the example is “real” and the DOJ demanded a full investigation. Interestingly, in a response to a later question, while acknowledging that he did not know when the now infamous taxicab case arose or whom it might have involved, he did admit it could have occurred while he was Attorney General. But he was sure “the taxi ride is a real example.”

We All Know What IT Is

No, we are not bringing up Potter Stewart here but Representative Ted Poe, he of the 27th Congressional District here in Houston, who spent most of his allotted five minutes talking about how tough he was on crime, when both a Prosecutor and Criminal Judge, and how much business the Chinese are taking away from US companies through various nefarious activities. He had just returned from Iraq where he “heard” Chinese companies were going to rebuild the Iraqi oil business through “money changing hands” but he was a little light on the specifics of this allegation. But the most interesting observation was that everyone knows what corruption is because “We All Know What IT is.” It was not clear what this insightful observation was in response to, or what it would suggest for enforcement of the FCPA, but certainly one could assume that it means that the DOJ should need to release even less guidance if corporations know what bribery is because “we all know what IT is”.

Let Me Tell You a Question

I learned about this technique by listening to and watching Dan Rather when he was a reporter. I saw it again practiced by Representative John Conyers when, during his five minutes of Q&A time, he repeatedly asked Shana-Tara Regon, Director of White Collar Crime Policy, National Association of Criminal Defense Lawyers, if she could list or name one example where the DOJ was guilty of “over-criminalizing” the FCPA through an overzealous prosecution of the FCPA. It was certainly a valid question and the answer of ‘none’ would have been telling. Unfortunately Rep. Conyers repeatedly interrupted Ms. Regon so that when she made the admission that she could not name any, her answer was overwhelmed by Rep. Conyers telling her his question.

Just Say No

However, I save the best for last. It came when the Committee Chair, Representative James Sensenbrenner, reeled off a long series of questions to the DOJ representative, Greg Andres. The first question was whether the DOJ would support amending the FCPA to make all commercial bribery illegal; not simply that involving foreign governmental officials. For me this was the WOW moment. Do you believe that Rep. Sensenbrenner asked the question for any of the following reasons:

  • To make the US the leader in ethical business conduct on a world-wide basis?
  • To do away with the arbitrary distinction between bribing a private citizen and bribing a governmental official?
  • To bring the US up to the standards set by the British under the UK Bribery Act?
  • To garner the support of the OECD, Transparency International and other international NGOs which advocate the outlawing of all commercial bribery?

Alas, we will never know. Mr. Andres answered another one of the plethora of questions that Rep. Sensenbrenner asked and before Mr. Andres could even complete that answer, Rep. Sensenbrenner interrupted him to say “see you later, we will be drafting a bill.” Rep. Sensenbrenner concluded the hearing by telling Mr. Andres, “get that message sir and tell that to the AG.”

All we can conclude at this point is that more will be revealed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

June 15, 2011

Suggestions for Starting a Regulatory Compliance Risk Assessment

Ed. Note-today we have a guest post by our colleague Mary Shaddock Jones, who has recently joined the world of private practice.

You have just been asked to perform a regulatory compliance risk assessment in all of the countries that your company currently operates. Seems like a daunting task. How do you proceed? Here are a few suggestions to get you started:

  1. Risk Assessment- I believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country by country basis. For the purposes of this exercise, you are required to identify the legal (statutory) and regulatory requirements in each country in which your company currently does business. There could be thousands of different legal and regulatory requirements. I believe that the key is to first consider the requirements that could significantly affect the company’s ability to meet its missions and goals.
  2. Identifying Key Legal/Regulatory Risks- In order to determine the “Key” risks (i.e. those which could significantly affect the company), you need to “divide” the company into various “risk centers” and identify the “risk owners” within each risk center. For instance, if your company is required to import vessels/equipment into a foreign country to perform work, then one significant risk to the company is the inability to import the vessels/equipment if the person responsible for doing so fails to follow the proper legal/regulatory requirements. As a result, one of the “risk centers” could be the vessel/equipment regulatory compliance department. If your company manufactures tennis shoes in the U.S. but imports the various components of the shoes from foreign countries, a breakdown in the importation of an individual component could have a significant impact on the company’s ability to sell its tennis shoes. As a result, one of the “risk centers” could be the procurement department. The point is this: you, as the Compliance Manager, have to understand your company’s business processes in each country with sufficient clarity that you can begin to identify the various “risk centers” and “risk owners”.
  3. Identifying Major Steps- Now that you have identified the various “risk centers”, it is time to meet with the individual risk owners to collectively map out each step in the process unique to the particular risk center. By doing so, you can next identify each major activity in the process. Once the major activities are identified, you can then begin to collect information as to what laws/regulations apply in each country.
  4. Identifying Major Laws/Regulations- In the scenario presented, your company performs work both in the United States and in several international locations. First, you need to understand the U.S. laws which apply to foreign business activities, including such things as economic sanctions and boycotts; export controls; anti-terrorism; anti-bribery and corruption to name a few. Other U.S. laws, such as environmental, employment, trade, tax and anti-trust laws, may also apply. Finally, you will need to consult with knowledgeable counsel in the various countries to identify the local laws which apply to each of the major activities outlined above.
  5. Maintaining Privilege- Risk Assessments should typically be performed by legal counsel or at least under the direction of legal counsel so as to utilize the attorney-client privilege and address the privilege and confidentiality issues which may arise during the risk assessment process.
  6. Acting as “Project Manager”- Under the scenario presented, you have been presented with a huge project. You should approach it with the hat of a “Project Manager” in order to define the project, identify the risks, coordinate the experts both within the company and outside the company who can identify the Key Risks, then collect and organize the information so that it can be presented to Senior Management in a useful format.

Mary Shaddock Jones, Attorney at Law and former Assistant General Counsel and Director of Compliance at Global Industries, Ltd., can be reached via email at msjones@msjllc.com or via phone at 337-515-8527.


June 14, 2011

FCPA Training: Some Practical Aspects of Resisting a Bribe

Filed under: FCPA,Training — tfoxlaw @ 1:22 am

I recently was asked to prepare some Foreign Corrupt Practices Act (FCPA) training which used examples of requests for bribes to help prepare the company’s employees if they are solicited to pay a bribe. To do so I relied on the expanded edition of Resisting Extortion and Solicitation in International Transactions (RESIST). It is a practical tool to help companies train employees to respond appropriately to a variety of solicitations.

Iohann Le Frapper, who chaired the RESIST initiative, stated that “RESIST is the only anti-bribery training toolkit developed by companies for companies and sponsored by the four global anti-corruption initiatives working on the supply side of the issue of fighting corruption,” and it “helps businesses avoid solicitation from the onset”; it also provides practical advice on how best to confront demands for bribes when they do arise.

RESIST presents 22 scenarios which discuss solicitation of bribes in the context of project implementation and in day-to-day project operations. Each scenario presented is designed to respond to two basic questions with real world facts and responses:

  • Demand Prevention – How can the company prevent the demand from being made in the first place?
  • Demand Response – How should the company react if such a demand is made?

The paper also presents a general list of suggestions which companies can implement to assist in their overall FCPA compliance effort. Embedded within are specific procedures to put these general suggestions into practice. For example, the suggestions on Demand Prevention include (1) general company anti-corruption policies; (2) policies on facilitation payments; (3) policies for company representatives who may be exposed to solicitation of bribes; (4) techniques for dealing with specific risks; (5) due diligence of agents and intermediaries; (6) management of agents and intermediaries; (7) implementation of additional control procedures; (8) transparency in the procurement process; (9) initiation of collective action to improve overall business integrity; and (10) implementation of legal and financial precautions. The suggestions on Demand Response include: (1) the immediate response; (2) internal company reporting; (3) company investigation, including discussion with the relevant persons; (4) disclosure to the appropriate external source, if appropriate; and ultimately (5) withdrawal from the situation, whether it is the project or the entire country.

Using the RESIST scenarios I was able to create training which many of the participants felt gave them some hands-on advice in situations they might face. It fleshed out many of what the employees felt were the more theoretical aspects of the FCPA. The RESIST tool is a useful aid and one that I recommend for the FCPA compliance specialist. It provides a list of common scenarios which companies have faced in the past, explains how to handle them, and proposes controls to implement to try and ameliorate the solicitation of bribes and outright extortion.

The full document may be downloaded at http://www.iccwbo.org/policy/anticorruption/index.html?id=37568.

June 13, 2011

Recent DPAs Provide Guidance on FCPA Compliance Best Practices

The House Judiciary Committee will hold hearings Tuesday on the Foreign Corrupt Practices Act. At this point the Witness List as set forth on the Committee’s website is as follows:

  • Hon. Michael Mukasey
    Former Attorney General
    Partner
    Debevoise & Plimpton LLP
  • Mr. Greg Andres
    Deputy Assistant Attorney General
    Criminal Division
    U.S. Department of Justice
  • Mr. George Terwilliger
    Partner
    White & Case LLP
  • Ms. Shana-Tara Regon
    Director
    White Collar Crime Policy
    National Association of Criminal Defense Lawyers

At this point no preview of the witnesses’ testimony has been released. However, other than Greg Andres, the testimony will probably not be a defense of the FCPA or even the need to expand it to meet the anti-bribery and anti-corruption enhancements found in the UK Bribery Act. Indeed it reads like a list of representatives from the US Chamber of Commerce, which has been engaged in a campaign to amend the FCPA.

However, in the past 12 months or so many of the complaints which practitioners have made regarding the FCPA have been addressed by the Department of Justice (DOJ) or by recent court rulings. In a blog entitled, “House Judiciary FCPA Hearing: An Opportunity for Greater Information” I have reviewed the federal district court rulings in the CCI and Lindsey Manufacturing cases, which both discussed the factors which should go into an analysis of what is a foreign governmental instrumentality under the FCPA. So at this point, I thought it might be propitious to review some of the information which has come out from the DOJ on what it considers the current best practices for a FCPA compliance program.

Alliance One/Universal Corp.-actions during the pendency of an investigation

Last July, the DOJ released joint Deferred Prosecution Agreements (DPAs) for two companies in the tobacco industry: Alliance One and Universal Corp. These DPAs started a year-long process by which the DOJ has informed the compliance community about specific steps companies can take to enhance their FCPA compliance program or benchmark their current compliance programs against DOJ suggested best practices. The two DPAs in question provided companies in the midst of FCPA enforcement actions with specific steps that should be implemented during the pendency of an investigation to present to the DOJ, which could reduce the overall penalties at the end of the day. Initially it should be noted that full cooperation with the DOJ at all times during the investigation is absolutely mandatory. Thereafter from the Alliance One matter, the focus was on accounting procedures and control of cash payments. From the Universal case, a key driver appears to be the due diligence on each pending international transaction, and subsequent full due diligence on each international business partner. Next is the management of any international business partner after due diligence is completed and a contract executed. Lastly is the focus on the Chief Compliance Officer position, emphasizing this new position throughout the organization and training, training and more training on FCPA compliance.

Panalpina Settlements-Best Practices

In the DOJ settlement with the freight forwarder Panalpina and all related settlements announced on the same day last November, the DOJ attached as Attachment C (Attachment B to the Noble Non-Prosecution) a list of 13 best practices. The collective Corporate Compliance Programs provided the FCPA compliance practitioner with the most current components that the Department of Justice believes should be included in a FCPA compliance program. Hence, this information is a valuable tool by which companies can assess if they need to adopt new, or modify their existing, internal controls, policies, and procedures in order to ensure that they maintain: (a) a system of internal accounting controls designed to ensure that a Company makes and keeps fair and accurate books, records, and accounts; and (b) a rigorous anti-corruption compliance code, standards, and procedures designed to detect and deter violations of the FCPA and other applicable anti-corruption laws. The Preamble notes that these suggestions are the “minimum” which should be a part of a Company’s existing internal controls, policies, and procedures:

1. Code of Conduct.

2. Tone at the Top.

3. Anti-Corruption Policies and Procedures.

4. Use of Risk Assessment.

5. Annual Review.

6. Sr. Management Oversight and Reporting.

7. Internal Controls.

8. Training.

9. Ongoing Advice and Guidance.

10. Discipline.

11. Use of Agents and Other Business Partners.

12. Contractual Compliance Terms and Conditions.

13. Ongoing Assessment.

The DOJ goes on to fill in each of these categories so that it is a valuable list to create, enhance or benchmark your FCPA compliance program.

Alcatel-Lucent, Maxwell Technologies and Tyson Foods-Risk Assessments

The three enforcement actions, all announced in early 2011, involving the companies Alcatel-Lucent, Maxwell Technologies and Tyson Foods, had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. In both Alcatel-Lucent and Maxwell Technologies, the Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed.

1. Geography-where does your Company do business.

2. Interaction with types and levels of Governments.

3. Industrial Sector of Operations.

4. Involvement with Joint Ventures.

5. Licenses and Permits in Operations.

6. Degree of Government Oversight.

7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

In the Tyson Foods DPA, this list was reduced to the following: (1) Geography, (2) Interaction with Governments, and (3) Industrial Sector of Operations. As with all DPAs released since the Panalpina settlements, each DPA has included an Attachment C, compliance program best practices. However, these three DPAs give the compliance practitioner the guidance that the DOJ considers a risk assessment to be the starting point for any compliance program. In addition to this information on the starting point, there are specific risks which should be assessed listed by the DOJ.

Johnson and Johnson-self disclosure and enhanced compliance obligations

  1. Self-Disclosure

FCPA practitioners have repeatedly asked the DOJ for specific guidance as to what will be the tangible results of self-disclosure. In the Johnson & Johnson DPA this question is clearly answered. Listed under the section “Relevant Considerations” one of the reasons the DOJ entered into the DPA is the following:

a. J&J voluntarily and timely disclosed the majority of the misconduct described in the [Criminal] Information and Statement of Facts;

So the self-disclosure was one of the reasons that the DOJ entered into the DPA, however, and perhaps more importantly, the self-disclosure brought to Johnson & Johnson a monetary benefit with a tangible reduction in its overall fine and penalty. The DPA reported a reduction by 5 points of the company’s overall Culpability Score with the following:

(g)(1) The organization, prior to an imminent threat of disclosure or government investigation, within a reasonably prompt time after becoming aware of the offense, reported the offense, fully cooperated, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct;  -5

It is not possible to determine from the DPA how much of the reduction was attributable to the self-disclosure and how much was attributed to the conduct thereafter. However, this precise language makes clear that the DOJ places a real value on such self-disclosures and companies should take this as a clear sign that, at the end of the day, it will be better for them to self-disclose.

  2. Attachment D-Enhanced Compliance Obligations

The following nine points will not be unfamiliar to the FCPA compliance practitioner. These points are recognized to be in most ‘good to best’ compliance programs. However, the Johnson & Johnson DPA goes much further by adding an Attachment D, entitled “Enhanced Compliance Obligations” which is designed to be in addition to, and to build upon, the commitments made by Johnson & Johnson in Attachment C. These enhanced obligations include the following:

A. Compliance Department

B. Gifts, Hospitality and Travel

C. Complaints and Reports

D. Risk Assessments and

E. Acquisitions

F. Relationships with Third Parties

G. Training

H. Annual Certifications

This Attachment D “Enhanced Compliance Obligations” is an excellent road map for the FCPA practitioner in which to establish, enhance, or simply review a company’s FCPA compliance program. As with the Attachment C, the DOJ expands upon each of these categories. The Johnson & Johnson DPA demonstrates that a company’s commitment to ongoing FCPA remediation and program enhancement will help it reduce its overall FCPA liability in a case with facts as bad as those presented in this matter.

These DPAs demonstrate that the DOJ is committed to releasing information on what it believes will constitute a best practices compliance program. It will be interesting to see if any of the witnesses before the House Judiciary Committee will acknowledge the DOJ’s efforts in this area or the recent federal court rulings on what may constitute a foreign governmental instrumentality under the FCPA in their testimony.

June 10, 2011

Implementing a Values-Based Approach to Your Compliance Program

In an article in the March issue of Inside Counsel entitled “Interactive Ethics,” author Brian Martin, Senior Vice President and General Counsel of KLA-Tencor Corp., discussed some of the lessons learned when his company transformed its compliance and ethics training from a rules-based training program to an ethics-based training program. I found it to be a useful review of training for the compliance practitioner.

He began by discussing a similar point recently raised by Preet Bharara in his Key Note speech to Compliance Week 2011; that is, compliance with laws is not synonymous with ethical decision making, it is bigger. As lawyers, we are trained to counsel clients as to where the line is that they may not cross and then tell them not to step over it. Both Preet Bharara and Brian Martin make clear that this approach can lead companies into significant difficulties. Bharara focused on the difficulties in which a company can find itself if it is embroiled in a Foreign Corrupt Practices Act (FCPA) investigation. He offered one piece of advice, which I found particularly persuasive, and that was that if your company is so fragile that one subpoena from or a visit by the Department of Justice (DOJ) investigators will effectively destroy it, you should not be anywhere close to the line of violating the FCPA. Martin provides another perspective, which is that “We have too many examples where corporate troubles ensued from a culture setting the behavioral expectation at compliance with laws i.e., as long as its legal approach.”

Martin related that his company moved from rules-based compliance training to an ethics-based approach. He cited three general areas where his company had changed its approach in a manner to encourage employees to behave ethically: (1) The Code; (2) Ethics Training; and (3) You Make the Call.

1. The Code

Martin opined that most company Codes of Conduct are heavy on “formalistic and complex policy and legal compliance statements.” However, they do not set forth a clear statement on “values and ethics”. This leads many non-lawyers in a company to find it very difficult to implement their company’s Code of Conduct in the everyday scenarios they face in the business world. Martin argues that this gap between a Code of Conduct and the real business world should be “filled in by the company’s values.” At Martin’s company this issue was addressed by reorganizing its Code of Conduct around the company’s core ethical values and renaming the Code of Conduct “Values in Action” to reflect the primacy of the company’s values and ethical standards.

2. Ethical Training

Martin next addressed the issue of training at his company. He recognized the difficulty of training ‘ethics’ with some type of rules-based approach. He said that ethical training is much broader than simple rules and regulations training. A company must approach ethics in all facets of its business activities and in all roles throughout the company. This begins with Human Resources in the hiring process, where a company should hire only ethical candidates. It should continue throughout the employment tenure by not only providing the stick of disciplining those employees who commit ethical violations but also providing a structure to incentivize and reward those employees who do business ethically. He concluded this section by noting that “ethical training is not an event; it is delivered through observation and consistent leadership.”

3. You Make the Call

As part of his company’s overall ethical-based values training, Martin included a module, entitled “You Make the Call”, in which he asked employees questions about scenarios which raised ethical concerns. He presented scenarios which could not be answered by simple reference to company policies. Rather, employees were asked to address the scenarios and to discuss how they would handle each matter before the entire training class. Martin noted that he found these discussions “fascinating” as employees from different disciplines within the company formulated how they would think through and act on the scenarios. He said that the answers generally involved some type of reference to both personal and company values, but at the end of the day it reinforced what the training was designed to convey: “doing the right thing”. Martin concluded by noting that such training “equipped the business teams with ethical decision-making paradigms that are more durable than any policy could be.”

I certainly found Martin’s article very instructive in ways to think through the difference between a rules-based compliance program and a values-based ethics program. His approach in training will provide the compliance practitioner with solid tools to implement in his or her company’s compliance training program which will help drive home the ethical values that you should try to impart. This may go a long way towards implementing Preet Bharara’s advice to do “more than the minimum” because only doing the minimum in a corporate compliance program is a recipe for disaster.

———————————————————————————————————————————————————————-

Join Me for the Following Upcoming Webinars
Tuesday, June 21 at 1 EDT, I am co-presenting on a webinar with Mary Shaddock Jones, former Assistant General Counsel and Director of Compliance at Global Industries, Ltd., on “Supply Chain Relationship Management Under the FCPA and Bribery Act”. The event is co-hosted by Ethisphere and World Check. For information and registration details click here.

Wednesday, June 22 at 1 PM EDT, I am a co-panelist with Henry Mixon, Managing Director of Mixon Consulting, in a webinar hosted by Corporate Compliance Insights, entitled, “Internal Controls Under the FCPA & UK Bribery Act”. For information and registration details click here.


June 9, 2011

Use of an ERM Map to Implement or Enhance Your Compliance Program

For some time I have wanted to write about an Enterprise Risk Management (ERM) Map that I came across. It is put out by a company called MetricStream. This ERM Map is designed to assist the compliance practitioner in either designing or reviewing a company’s Governance, Risk and Compliance (GRC) program by providing a visual representation of the best practices in compliance business processes. It allows a company to either develop a gap analysis or classify gaps in its GRC program by better understanding overall system requirements. The ERM Map lays out these best practices in a visual format, identifies sub-processes within the specific disciplines involved in ERM, and finally separates such practices into Leadership, Organization, Process and Technology. This post will focus on Leadership and Process, and I will discuss these in only some of the areas which are identified by discipline on the ERM Map.

I. Chief Compliance Officer

  1. Leadership-the Chief Compliance Officer (CCO) is the model for ethical behavior and should link ethics to business success. The CCO should be a part of the Executive Leadership Team and work to create a formal compliance program including a Code of Conduct, Compliance Policy and Compliance Procedures to detail how the program should be conducted throughout the company.
  2. Process-the CCO should develop processes for monitoring of compliance so that if there is a violation, it can be detected and then remedied. There should be some type of ethics certification and creation of an anonymous reporting or helpline. There should be a formal measurement of compliance and ethics risks and a follow-up analysis of compliance failures to determine lessons learned going forward.

II. Chief Risk Officer

  1. Leadership-this role should lead through visibility on the full spectrum of enterprise and operational risk. As risk management is a value-generating business process, the role should be a part of the Executive Management Team.
  2. Process-this role is responsible for creating the formal process for analyzing and managing enterprise risk across the company. It helps to ensure that the Internal Audit process is risk driven and that financial processes are risk-based.

III. Chief Financial Officer

  1. Leadership-the Chief Financial Officer (CFO) should focus the department’s efforts on business risk when conducting internal audits. This is broader than simply general audit, Sarbanes-Oxley (SOX) or Foreign Corrupt Practices Act (FCPA) audits; it should include all business risks. There should be accountability to the company’s Board of Directors.
  2. Process-initially it should be noted that ERM should drive audit priorities and the overall audit process should be repeatable and systematic. There should be consistent processes in place between operational and internal audit. In the area of findings, a summary of findings should be reported to the Board of Directors and there should be a collaboration of findings with and recommendations to the persons or departments which are audited.

IV. Chief Operating Officer

  1. Leadership-the Chief Operating Officer (COO) should be responsible for operational risk and should lead the effort to impart that quality and safety are core values of the company. This office should be accountable to regulators, industry and legal standards. The COO should lead to achieve consistent compliance and minimize exceptions.
  2. Process-the CCO should lead in the collaboration between quality and regulatory affairs. If there is decentralized accountability, the CCO must consolidate the reporting through centralized record keeping and document control. This role should enhance the collaboration between quality and regulatory affairs.

V. Chief Information Officer

  1. Leadership-with a nod towards my “This Week in the FCPA” partner Howard Sklar who routinely lists data security as a key compliance concern, I will discuss the role of the Chief Information Officer (CIO) within the ERM Map. The role should begin with expertise on the integration of technological controls into business applications. The CIO should be charged with the centralized management of IT governance and should ensure that the IT environment is secure. This would include protection of information security. Finally as a leadership function, the CIO should ensure that data security is a Board of Directors agenda topic.
  2. Process-here the CIO should work to have an overall IT framework help drive business processes. There should be a centralized document management and approval system and there should be end-user identity management.

I have but scratched the surface of the information readily available on the ERM Map. I would urge the compliance practitioner to go to the company’s website and order a complimentary copy of the map. It will give you a very good visual road map to create or enhance a complete company-wide GRC structure or allow you to think through any of the departments I have discussed and several others on the ERM Map which I have not discussed. It is a very valuable and free tool.


June 8, 2011

Performing a Risk Assessment for FCPA and UK Bribery Act Compliance

Filed under: Audit,Bribery Act,compliance programs,FCPA — tfoxlaw @ 6:55 am

Ed. Note-today we have the second in a series of Guest Posts by Michael Potorti, CPA on the role of an auditor in FCPA/UK Bribery Act Compliance

Companies that are subject to the FCPA and/or UK Bribery Act need to look at their organization as a whole to flag potential areas of non-compliance. Management could tend to be subjective in performing this task so it would be wise to have an outside party work with management to attempt to identify the processes, procedures, cultures, etc. that pose an elevated risk.

All industries are different and each one has particular customs or unique ways of doing business. Certain countries/cultures also have expectations of companies wanting to do business there: these are the facts. However, what was acceptable in the past can suddenly become unacceptable (in the Government’s eyes), especially in the case of the UK Bribery Act, which deals with the bribery of government officials as well as individuals associated with commercial entities.

Here are some ideas when conducting a Risk Assessment:

1) Look at the company as a whole using a Risk Based Approach – certain subsidiaries within the organization may be of low risk, for example, a US-based subsidiary that does not interact with or does not rely on Foreign officials for sales. Other subsidiaries could be flagged as high risk due to the sole fact that they are located in a country where corruption is rampant. These high-risk entities should be automatically included in your plan on mitigating non-compliance risk.

2) Interview Executive Management, local management, etc. to get their views on where the risks lie – inquire directly of management on where they feel the areas of risk are. Is it a certain customary procedure that is carried out when dealing with Foreign Governments that makes management nervous? Is it the fact that the company uses 3rd Party Agents that have a tarnished reputation? Is doing business in certain countries really worth the risk of potentially large fines and damage to reputation (not to mention the shareholder lawsuits when the company’s stock dips)?

3) 3rd Party Agent review – a recurring theme in charges brought by the US Department of Justice relates to the use of corrupt 3rd Party Agents. What kind of due diligence does your company do on 3rd Party Agents before you do business with them? Do you know how and to what extent your subsidiaries use these agents in securing business?

4) We do not want to flood the organization with internal controls that have little value – a result of the Risk Assessment will be the identification of a number of areas that are deficient. Practical and sustainable controls need to be implemented to address (remediate) these deficiencies. However, controls should be designed to target these high-risk areas in order to mitigate risk. Creating a large number of controls and having them implemented company-wide may be overkill, unless there is a real possibility that other parts of your organization could be affected. Automated controls are preferred as they free up your employees to do their daily duties more efficiently and effectively.

A proper Risk Assessment will accomplish the formal identification of risk areas within your organization and define what controls are needed to mitigate risk. It will also set the stage for establishing, implementing and communicating company-wide policies.

June 7, 2011

The Compliance and Ethics Program: Outsourcing Inspiration

In the June issue of the Harvard Business Review is an article by Alan Grant entitled, “How Customers Can Rally Your Troops”. In this article Grant argues that “End users can energize your workforce better than your managers can.” His basic thesis is that employees are highly motivated and more effective when they are shown that their job performance has a positive impact on others.

This article had me wondering if such a concept could be translated into a company’s overall compliance and ethics program. The answer I came up with is a resounding yes, it can. The first question I had to think through was who are the end users of a compliance program? From a sales perspective the typical end user would be a customer, whether commercial or consumer. So I began to think about the customers of a company and how its compliance program might affect them. Most compliance practitioners do not normally think of their sales customers as people or entities who would be end users of a company’s compliance program.

However, the more I thought about it the more I realized that any company compliance program must take customers into consideration during an evaluation process. Most companies are aware of the mantra “Know Your Customer (KYC)” and put this phrase into action. My colleague Howard Sklar calls it “compliance convergence”, but however you term it, a company must be aware of whom it is doing business with in the areas of export control and anti-money laundering. Sufficient checks must be run on customers to satisfy Restrictive Party Screening in the export control area. In the anti-money laundering area, the various Department of Commerce and Department of Treasury lists should be screened before any transactions occur.

Nonetheless, it is clear that a wide variety of third parties could be the user of a company’s compliance program, either through a Code of Conduct, Compliance Policy or Compliance Procedure. This could be third parties in the sales channel such as sales representatives, agents, resellers or distributors. It could be business partners such as Joint Venture partners or Teaming Partners, as well as service providers such as freight forwarders, visa expeditors or customs clearance providers. This listing is not exclusive; there could be others.

In his article Grant identifies methods to use the required screening to improve and enhance a company’s overall compliance program by taking companies which are subjected to such screenings and using them as examples to your own company as motivational tools. He terms it “outsourcing inspiration”: a company can bring in outsiders to speak about the company’s overall compliance effort and how such an effort positively impacted their company. He argued that there are three mechanisms of outsourced inspiration: (1) Impact – Company employees themselves can see how their compliance program positively benefited other organizations; (2) Appreciate – Compliance practitioners can see how other third parties appreciate their actions and move forward the overall compliance effort; and (3) Company compliance practitioners develop a deeper understanding of the issues third parties face when complying with overall compliance programs, procedures and obligations.

Grant also posits that strong leaders are very good at outsourcing inspiration, in a complementary role to a leader’s vision. A strong leader will use such outsourced inspiration to provide examples of his or her vision. Grant listed several specific techniques by which this can be accomplished. I have taken them and adapted them for a compliance and ethics program.

  • Identify past, present and future end users – See who will be the company’s end users and be prepared to communicate with them on the compliance and ethics program.
  • Dig up feedback from past end users – Bring in third parties from outside the company to share their positive experiences in dealing with the company’s compliance and ethics program.
  • Set up events and meetings where end users can share their experiences.
  • Turn employees into end users – Make employees beneficiaries of a compliance and ethics code so that they will understand what it means to stand in the shoes of a third party or customer under the code, compliance policy or procedures.
  • Find end users inside the organization – The sales team is on the front lines of any compliance and ethics program when dealing with customers or other third parties. Use their experiences to help guide the company in training sessions.
  • Engage employees who currently perform low impact work – Find a way to make compliance everyone’s business. Even if an employee might not deal with a foreign business partner or other third party, have that employee communicate something about how the Code of Conduct has guided a business decision that he or she has made. If you invest all employees with ownership, they will certainly take it and embrace it.
  • Spread the message – Communicate the message throughout the organization through a variety of media and mechanisms.
  • Recognize impact contributions – Because leaders are often unaware of specific compliance actions taken inside a company, have a reward or acknowledgement system to bring such conduct to the leader’s attention so he/she can acknowledge it companywide.

The final example comes from personal experience so I hope that you will find it as powerful as I did. One of the first times I was required to contact a customer to ask some questions about the customer’s compliance program was with Tyco, which had gone through their own compliance and ethics journey. I informed the transactional counsel I was working with that I needed to interview a person with knowledge about Tyco’s compliance and ethics program. He transferred me to someone in Tyco’s compliance department. That compliance officer proceeded to tell me, over one hour, the compliance problems that Tyco had sustained and the steps that they had taken to remedy the structural problems involved through a revamped Code of Conduct and completely rewritten compliance program. He fully answered any and all questions that I put to him. I came away from this conversation thinking that this company was committed to compliance and, more importantly for Tyco, it was a company that I wanted to do business with. That is outsourcing inspiration that you cannot pay a trainer to teach.


June 6, 2011

Preet Bharara on the Principles of Ethics, Integrity and Corporate Culture

Filed under: compliance programs,FCPA,Preet Bharata — tfoxlaw @ 1:14 am

At the recent Compliance Week 2011 Conference one of the Key Note Speakers was Preet Bharara, United States Attorney for the Southern District of New York. His topic was the general principles of ethics, integrity and corporate culture. I found his remarks very appropriate for the compliance professional in evaluating a company’s overall compliance program.

He began his talk by discussing corporate culture. Some of the most egregious conduct, which violated the Foreign Corrupt Practices Act (FCPA), has come from companies with robust compliance programs. Many of these companies have had criminal conduct at all levels of the corporate hierarchy. He pointed to recent Deferred Prosecution Agreements (DPA’s) entered into by Alcatel-Lucent and Johnson & Johnson. This signaled to him that corporate culture did not meet the goals stated in the compliance programs.

He stated that corporate culture is not, in and of itself, dispositive, but one thing he has observed is that if a company has a culture of what he termed “minimalism”, it may well put itself in a very negative position. Preet urged that companies stop trying to see how close they could come to the very line separating ethical from non-ethical behavior. Rather, they should aspire to “more than the minimum” because aspiring to the minimum is a recipe for disaster.

He said that such an overall program, of doing more than simply the minimum, would return dividends if a company finds itself in a FCPA investigation because a prosecutor can recognize the difference in such a company attitude. Additionally, if you are close to the ethical dividing line, it may be very easy to step over this line, so a company should consider that it might step over the line without intending to do so if it always does business right at the line between ethical and non-ethical corporate behavior.

Preet said that an ethical component should guide a company’s business actions. Not only will this return dividends with prosecutors if a company is caught up in a FCPA charge, it will also help a company in the market place. This is because there need not be a specific charge brought against a company. Entire industries can be caught up in a FCPA investigation. Moreover, if your company is so fragile that one subpoena directed to it will destroy the business, your company needs to be well back from the ethical line. In other words, your company should be even more careful about staying away from the ethical line.

Preet views integrity as the most important characteristic of a leader. He emphasized that a leader must be ready to do more than simply talk about it, he must be willing to emphasize it. He used the phrase that each company leader must “daily put on the drumbeat for integrity.” But after this most important characteristic, the true test of a leader is whether he or she adds value. This is equally true in the ethics arena. Preet argued that ethically run companies are more profitable.

Preet had some interesting comments regarding the role of Human Resources in general and a company’s hiring process in particular. He said that specific questions about ethics and integrity should be incorporated into a company’s interview process. He did not mean the simple asking of questions where a right or wrong answer was patently clear. He suggested that a company delve into a candidate’s decision making process for complex ethical scenarios. In addition to the interview process, a similar rigorousness should be incorporated into internal evaluations of employees. He pointed out that the enablers in a company are really people that are ticking ethical time bombs and that at some point they will make a misstep that could cost the company sorely.

In what I found to be very pointed remarks to my legal profession, Preet said that there is a material difference between being a good lawyer and a great lawyer. He said that a good lawyer can learn, even memorize the rules; however, a great lawyer can help a client understand that, in the compliance and ethics arena, it makes better ethical and legal sense not to step as close as you can to the rules. A company can be more profitable and much better run if it steps back and operates ethically.

Preet’s talk was very informative. It certainly gave this compliance practitioner some very concrete ideas on how to advise clients to stay out of FCPA trouble and if they do find themselves in such hot water, to present a very persuasive case to a prosecutor.

