Next Tuesday morning, at the University Club of Chicago, Stephen Martin and I will co-present at a Foreign Corrupt Practices Act (FCPA) event hosted by Kreller. If you are in or near Chicago, I hope that you can join us. The title of our presentation is “Anti-Corruption/FCPA Developments & Best Practices” and we will focus on a concept that Stephen and his partners at the law firm of Baker & McKenzie have developed: the five essential elements of a corporate compliance program. Over the next two posts, I will sketch out what Stephen and I will be presenting. In today’s post I will present the background to the development of the five essential elements and in Part II, I will go through the remaining elements.
First, a word about Stephen Martin. For those of you who do not know him, he has a long and distinguished legal and compliance career. He was at the Department of Justice (DOJ) and then moved in-house, helping some of America’s largest companies to wade through major corporate scandals. He was most recently the General Counsel (GC) at Corpedia before heading into private practice at Baker & McKenzie. He has been around the (compliance) block more than once and I can assure you that he knows his FCPA compliance stuff. He is certainly one of the practitioners that I would go see to make an FCPA compliance presentation.
Why is it important to have such a compliance program? I will answer in two words, Morgan Stanley. The declination to prosecute, issued by the DOJ, provides the most recent and powerful evidence of the benefits of investing in compliance. Morgan Stanley’s pre-existing compliance program was highlighted in press releases and public comments as the biggest reason for the Government’s decision not to prosecute the bank. The decision not to prosecute was based on evidence of:
• Rigorous internal controls;
• Regular training and reminders on FCPA policy and compliance;
• Internal policies addressing the corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment, that were updated regularly to reflect regulatory developments and specific risks;
• Compliance program monitoring and auditing; and
• Extensive pre-retention due diligence on business partners and stringent controls on payments to business partners.
The five essential elements of a corporate compliance program are based upon the best practices as set out in the seven elements of a corporate compliance program under the US Sentencing Guidelines; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. The following chart lists the elements of each.
While the above guidelines and statutes vary in length, tone and detail, depending on the jurisdiction and the enforcement agency, from this comparison Martin and his colleagues distilled five essential elements which they believe make up a best practices compliance program. They are as follows:
- Leadership – color coded Red.
- Risk Assessment – color coded Yellow.
- Standards and Controls – color coded Blue.
- Training and Communication – color coded Green.
- Oversight – color coded Grey.
I. Leadership
This point means more than simply “Tone-at-the-top”. A successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by senior management; otherwise the program may amount to little more than a hollow set of internal rules and regulations. There should be an unambiguous, visible and active commitment to compliance. But even more than support or the right tone, compliance standards require that companies have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. And compliance officers must have the ear of those ultimately responsible for corporate conduct, including the board of directors.
Some of the questions you might think about in connection with the leadership of your compliance program are the following: How is board oversight implemented? Is there an ethics or audit committee reporting to the full board? What is the role of the Chief Compliance Officer? What is the role of the General Counsel? How do the legal and compliance departments interact? Does the CCO have “real power”? Is she or he treated as a second-class citizen?
Equally, the Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place and it should monitor implementation and effectiveness of the compliance program. Board members should:
- Be actively involved
- Attend Board meetings
- Review, consider and evaluate information provided
- Inquire further when presented with questionable circumstances or potential issues
- Act once the Board knows of a potential compliance issue
- Regularly receive compliance briefings and training
I think everyone agrees and understands that the Chief Compliance Officer (CCO) is a key, if not the key, role in a company’s compliance program. Some of the important indicia of a CCO are that they are high ranking within the company, dedicated to compliance and responsible for day-to-day management and oversight of the compliance program. The position should have direct access to the Board or appropriate Board committee and the Compliance Department should be provided sufficient resources to achieve its goals.
In addition to the role of the CCO, there should be compliance officers in high-risk markets who regularly communicate with managers in the field because country and/or regional managers are often the employees in the trenches who are responsible for overseeing sales people and third-party agents who are producing, selling and distributing the company’s products and services. Lastly, local managers are often in the best position to set the tone for compliance and to detect and address illegal or unethical practices before they become issues that put the company at risk.
II. Risk Assessment
The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high risk areas first.
What are some of the areas where you need to assess your risks? As set out in the DPAs of Tyson Foods, Alcatel-Lucent and Maxwell Technologies, the following are suggested:
- Country Risk - What is the correlation between growth markets and corruption risk and what is the perceived level of corruption? In other words, consult the Transparency International Corruption Perceptions Index or a similar list.
- Sector Risk - Has the government publicly stated that the industry is under scrutiny, or has it already conducted investigations in the sector? Are there corruption risks particular to the industry?
- Business Opportunity Risk - Is the business opportunity a high value project for your company? Are there multiple contractors or intermediaries involved in the bidding or contract execution phase?
- Business Partnership Risk - Does this business opportunity require a foreign government relationship? Does a foreign government require you to rely upon any third parties?
- Transaction Risk - Will your company be required to make any “compelled giving” through any requirements for political or charitable contributions? Are you required to use any intermediaries to obtain licenses and permits?
In addition to an initial risk assessment to either (1) inform your compliance program or (2) help you to identify high risks and prioritize their remediation, risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, ad hoc exercise cobbled together when convenient or after a crisis. They should be conducted at the same time every year, and you should deputize a consistent group, such as your internal audit department or enterprise risk management team, to conduct the annual review. Such annual risk assessments act as a strong preventive measure if they are performed before something goes wrong. In addition, enforcement trends and government priorities change rapidly, so it is vital to stay up to date and conduct regular assessments. Lastly, a regular assessment avoids a “wait and see” approach.
Risk assessments should also be used to scrutinize new business partners and third-party agents. The majority of FCPA/anti-corruption investigations and enforcement actions involve some use of third parties, including consultants, distributors, contractors and sales agents. Conducting a formal risk assessment each year provides an opportunity to take a closer look at recently established business relationships to make sure partners and third parties do not have improper connections to government officials or some involvement in unethical or illegal conduct. Additionally, conducting such a risk assessment allows your company to proactively address and remediate any risks that are uncovered.
Stephen Martin and the Baker & McKenzie team have put together an excellent resource for the compliance practitioner in their five essential elements of a corporate compliance program. I hope that you can attend our FCPA event next week. For those of you who cannot attend in person, you can email me for the slide deck and other materials after the event.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at firstname.lastname@example.org.
© Thomas R. Fox, 2012