tfoxlaw

June 19, 2013

What is Board Responsibility For Compliance?

Filed under: Board of Directors,compliance programs,Department of Justice,FCPA,FCPA Guidance,FCPA Professor,New York Times,Wal-Mart — tfoxlaw @ 1:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, FCPA Professor, Foreign Corrupt Practices Act, NYT

Ed. Note-this article was originally posted in the FCPA Professor.

The nightmare of every corporate director is to wake up to find out that the company of the Board he or she sits on is on the front page of the New York Times (NYT) for alleged illegal conduct. This nightmare came true for the Directors of Wal-Mart when the New York Times, in an article entitled “Vast Mexico Bribery Case Hushed Up by Wal-Mart After Top-Level Struggle”, alleged that Wal-Mart’s Mexican subsidiary had engaged in bribery of Mexican governmental officials and that the corporate headquarters in Bentonville, Arkansas, had covered up any investigations into these allegations.

Recently the NYT reported that shareholders were asking questions of the Wal-Mart Board regarding its response these allegations. In a story, entitled “More Dissent in a Store Over Wal-Mart Bribery Scandal”, Stephanie Clifford reported Wal-Mart shareholders are still asking questions of the Board regarding its role in the ongoing scandal. Some of these questions include “whether the company is holding current and former executives financially responsible for breaching company policies” and concerns about the company’s supply chain vendors. This shareholder dissatisfaction held several groups of large shareholders to indicate that they would vote against the company’s current Board of Directors at its annual shareholder meeting.

Clifford quoted from a report by Institutional Shareholder Services (ISS), a proxy advising firm, which said that investors have also complained about “being in the dark about the nature and extent of the alleged violations (and knowledge of them within the company)” and the company’s “timetable for completion of its investigation and disclosure of its results”. There were also questions raised about the remediation efforts of Wal-Mart. The ISS report went on to add that “Shareholders should vote against these directors to send a clear message to the board that such poor oversight does not come without repercussions.”

The publicity and costs to Wal-Mart have been well documented. The FCPA Professor has consistently stated that he views this scandal as largely a failure of corporate governance. In a post entitled, “Wal-Mart One Year Later” he said, “Corporate governance, or lack thereof, is what made the NY Times April 2012 remarkable. This is the reason why Wal-Mart generated all the buzz it did a year ago this week and I’ve consistently held the view that the Wal-Mart story is a corporate governance sandwich with the FCPA as a mere condiment.” I thought about the Professor’s observations on this failure in light of Clifford’s article and wondered what the Board’s legal obligations might be.

I. Some Case Law

As to the specific role of ‘Best Practices’ in the area of general compliance and ethics, one can look to Delaware corporate law for guidance. The case of In Re Caremark International Inc. Derivative Litigation 698 A.2d 959 (Del.1996) was the first case to hold that a Board’s obligation “includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that failure to do so under some circumstances may, in theory at least, render a director liable for losses caused by non-compliance with applicable legal standards.” The Corporate Compliance Blog, in a post entitled “Caremark 101”, said that the Caremark case “addressed the board’s duty to oversee a corporation’s legal compliance efforts. As part of its duty to monitor, the Board must make good faith efforts to ensure that a corporation has adequate reporting and information systems. The opinion described this claim as “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment,” with liability attaching only for “a sustained or systematic failure to exercise oversight” or “[a]n utter failure to attempt to ensure a reporting and information system.”

In the case of Stone v. Ritter 911 A.2d 362, 370 (Del. 2006), the Supreme Court of Delaware expanded on the Caremark decision by establishing two important principles. First, the Court held that the Caremark standard is the appropriate standard for director duties with respect to corporate compliance issues. Second, the Court found that there is no duty of good faith that forms a basis, independent of the duties of care and loyalty, for director liability. Rather, Stone v. Ritter holds that the question of director liability turns on whether there is a “sustained or systematic failure of the board to exercise oversight – such as an utter failure to attempt to assure a reasonable information and reporting system exists.”

Andrew J. Demetriou and Jessica T. Olmon, writing in the ABA Health Esource blog, said that “This standard aims to protect shareholders by ensuring that corporations will adopt reasonable programs to deter, detect and address violations of law and corporate policy, while absolving the Board from liability for corporate conduct so long as it has exercised reasonable responsibility with respect to the adoption and maintenance of a compliance and reporting system. Although the standard protects the Board, consistent with most jurisprudence under the business judgment rule, it also requires that the Board follow through to address problems of which it has notice and this may include adopting modifications to its compliance program to address emerging risks.”

Lastly, I recently heard Jeff Kaplan discuss the oversight obligations of the Board regarding the compliance function. In addition to the above cases, he discussed the case of Louisiana Municipal Police Employees’ Retirement System et al. v. David Pyott, et al., 2012 WL 2087205 (Del. Ch. June 11, 2012) (rev’d on other grounds, No. 380, 2012, 2013 WL 1364695 (Del. Apr. 4, 2013), which was a shareholder action that went forward against a Board based upon a claim that the Board knew of compliance risk based on the company’s business plan. The Delaware Court pointed out the possibility that “The appearance of formal compliance cloaked the reality of noncompliance, and directors who understood the difference between legal off-label sales and illegal off-label marketing continued to approve and oversee business plans that depended on illegal activity.” Kaplan believes that this case more generally, supports the need for risk-based oversight by board.

II. FCPA Guidance and US Sentencing Guidelines

A Board’s duty under the Foreign Corrupt Practices Act (FCPA) is well known. In the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1, entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3 entitled “Oversight, Autonomy and Resources”, where it discusses that the Chief Compliance Officer (CCO) should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The DOJ’s Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

Board failure to head this warning can lead to serious consequences. David Stuart, a senior attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the SEC and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine Products, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”. I would not be a far next step for the SEC to invoke the same provisions against audit committee members who do not actively exercise oversight of an ongoing compliance program.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the SEC desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

From the Delaware cases, I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. The specific obligations set out regarding the FCPA drive home these general legal obligations down to the specific level of the statute.

The Wal-Mart case has driven home the need for focused Board of Directors oversight of a company’s compliance program. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. If the Wal-Mart Board had fulfilled its legal obligations regarding compliance, the company might not have found itself on the front page of the New York Times.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Leave a Comment

June 18, 2013

How to Assess Suspicious Financial Activity

Filed under: Anti-Money Laundering,compliance programs,Compliance Week,FCPA,OCEG — tfoxlaw @ 1:01 am
Tags: AML, best practices, compliance, compliance programs, FCPA, OCEG

The banking world is littered with institutions that have paid astronomical fines for their failures around anti-money laundering (AML) legislation. Much has been written and said about these events. However one of the areas that has received perhaps less attention is the programs that banks and other financial institutions have set up to comply with the ever-growing increase in AML regulations. But just as crooks tend to follow the money, sophisticated lawbreakers, who tend to engage in crimes such as money-laundering will try and move their operations to business and industries with less robust protections around AML. That is why I found this month’s article by Carole Switzer, President of the Open Compliance and Ethics Group (OCEG), in the June issue of Compliance Week, entitled “The Battle to Balance Vigilance and Suspicion”, to be instructive for the anti-corruption/anti-bribery practitioner who typically focuses on Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance.

In the article Switzer makes clear that she believes that “the most effective AML programs are based on the understanding that financial institutions have an obligation to all of their stakeholders to remain vigilant about AML risks. Banks are not required to prove money laundering; rather they are required to strike the right balance in their vigilant reporting of suspicious activity.” She recognizes that “banks must file a suspicious activity report (SAR) when suspicious activity arises. What qualifies as a suspicion often is a difficult question—as is the determination of whether or not to file a SAR.” Yet Switzer also notes that “filing of too many (and/or incomplete) SARs can overwhelm regulatory agencies, reducing their ability to address genuine criminal activity” and that filing “too few SARs and a company can turn a blind eye to potential money laundering, opening itself and, in some cases, its top managers to significant penalties.” I would posit that the dynamic tension would appear for any company; whether financial institution or other commercial operation. Hence, I believe that Switzer’s thoughts can be used by a non-financial concern to help protect it from violation of US or UK AML laws.

As usual, Switzer has provided a road map to illustrate her thoughts, entitled “Suspicious Activity Investigation Lifecycle”. In the diagram Switzer notes that it is important to understand each step in the lifecycle, so that a company can exploit “opportunities for technology and automation”. Technology, coupled with the human element, which recognizes the signs of suspicious AML activity can help your company protect itself and “hear through the noise.” She counsels that the “focus is to identify suspicious activity and report it, not to prove criminality; law enforcement will take it from there, blending your information with information from other institutions before making a decision on how to proceed.” She lists the following four steps.

1. Triage – Switzer believes that “understanding and managing your inbound alerts can be an intimidating task. High alert volume and false-positives can abound, often at a 50:1 ratio (False/True).” A company should also focus on automated solutions that allow you to invest human capital into exception cases. Finally, remember to consistently review and modify the system until your organization can hear through the noise.

2. Investigation – As an investigation process can tax your resources, you should strive to ascertain that you are making the right inquiries documenting the process at every turn. Some of the questions that Switzer suggests you focus on include “Do you understand the context? Are your procedures applicable to the product used? How does the processing channel affect the investigation? What history does the customer or organization have with your institution? Are you truly investigating or just documenting?”

3. Action – After you have finished conducting research, obtained an understanding of the suspicious activity, its context, and the implications, Switzer advocates that this is the time to react. She believes that it is important to have a protocol in place. Some of her suggestions include placing the party on a continued Watch List, or you could “kick off your Enhanced Due Diligence cycle, or offboard the customer altogether.” She notes that the key here is “expediently limiting risk and exposure and promptly notifying regulatory authorities.” To which I would add: document, document, and document.

4. Feedback/Review – As with any process you need validation or ‘a second set of eyes.” Switzer proposes that you should review your actions and reports for accurateness. Some questions that you may wish to keep in mind are the following: “Was your investigation fruitful? What did you learn? Is our current process sound and comprehensive? Learning what you have done, how it has affected your risk profile, and how you have reacted is critical to ongoing success.” A rigorous system would “constantly challenge assumptions and work to refine the process. Evaluate how your customers, products, and business are changing, and develop new scenarios.”

Switzer notes some of the more common mistakes made include failure to document your compliance efforts and missing of key internal and external deadlines for reporting. She cautions against tipping off customers directly during the inquiry process or indirectly through sending questions to a third party which may convey such information. Finally, training is important so that any report which is generated is not of such poor quality, incomplete or overly vague as to be useless and miss important information.

As with other areas of compliance, there are best practices which are fairly well known. Switzer reminds us that your suspicious activity program should constantly challenge your ongoing assumptions and evaluate the accuracy of your program. You should regularly review and adjust thresholds amounts for such investigations and study new typologies. Tone at the top is key in the suspicious activity area of AML compliance so your company should create a culture of compliance, ensure the staff is aware and empowered to do the right thing. Your compliance program should incorporate ongoing monitoring and outcome analysis. Lastly, do not forget to train.

Most non-financial enterprises do not look at potential AML issues, certainly not as thoroughly as financial institutions. However, I believe that this may well be the next area that corrupt persons and parties will try to exploit from otherwise law-abiding entities. The time to prepare is sooner rather than later. Switzer has laid a protocol which you can implement and which can go a long way down the road to protecting your company.

© Thomas R. Fox, 2013

Leave a Comment

June 17, 2013

Justin Rose and Barry Vitou-Two Winning Brits

Filed under: Barry Vitou,Bribery Act,Richard Kovalevsky,thebriberyact.com — tfoxlaw @ 12:00 pm
Tags: Barry Vitou, Bribery Act, QC, Richard Kovalevsky, Russia, thebriberyact.com

Ed. Note-Yesterday, Justin Rose won the US Open, making him the first Englishman to win the Open since Tony Jacklin in 1970. So a big tip of the golf cap to Mr. Rose. In the field of anti-bribery and anti-corruption, the English are somewhat ahead of their golfing wins at the US Open. Barry Vitou, who together with Richard Kovalevsky QC, helps to shine a light on the UK Bribery Act, posted a piece on his recent remarks at the St. Petersburg International Law Forum. I asked Barry if I could repost his remarks on my site, which he graciously allowed me to do so.

———————————————————————————————————————————————————————-

Last week Barry attended and presented on a (large) at the St. Petersburg International Law Forum about corruption.

The St. Petersburg International Legal Forum is now an established premier fixture on the legal map in Russia.

There were various slots on corruption. Ever topical on Wednesday the Russian media (this link is worth clicking through to see the raid) was full of the story about the arrest of the Russian CEO of Societe General Russia on suspicion of bribery (USD$1.5 million to allegedly favourably alter the terms of a loan in Moscow).

At the Forum Barry presented on International developments (a quick run down on the continuing trend for anti-bribery law creation and enforcement), the UK Bribery Act (coming soon…eventually) and the practical aspects of compliance in a Russian context.

What do I mean by in a Russian context?

Russia’s capitalist economy is barely twenty years old. You can’t make an omelette without scrambling some eggs and it’s fair to say a large number of eggs have been scrambled in Russia.

But you can’t fail to be inspired, as your walk around the streets of Moscow and St. Petersburg, by the progress which has been made in those twenty years.

It’s not perfect. There’s still a long way to go. But whichever way you look at it strides have been taken.

Back to the ‘Russian context’:

For Russian business on the one hand UK Bribery Act and FCPA seem distant.

Yes, there is long arm jurisdiction under both. But in reality, non-Russian law enforcement will (in most cases) find it hard to enforce. Getting evidence will be tough (probably even tougher than usual) and Russia’s constitution forbids the extradition of a Russian national to another country.

There is little or no chance of Russians being extradited in orange jumpsuits to face the music in the US.

And yet.

On the other hand, there are three compelling reasons why, in practice, Russians care a lot about anti-bribery and why, whenever we present there we do so to packed houses.

First, Russians don’t like corruption. Contrary to popular belief Russians do not like having to bribe traffic cops, kindergarden teachers to get their kids in, the planning department to get the permits to refurbish their apartment or anything else for that matter.

No-one would be happier than Joe Blogski or John Doeski if corruption in Russia was a thing of the past. It isn’t yet (but then corruption is alive and well in the West too).

Second, many Russian businesses want to operate on an international stage. This ranges from setting up shop in London or New York to Russian businesses doing IPO’s on the NYSE, NASDAQ or London Stock Exchange and everything in between.

But perhaps the most compelling of each of the three reasons at the moment is not a general desire to stamp out corruption, the threat of law enforcement or the lofty aspiration of setting up outside Russia.

Instead it is the more prosaic reality that many Russian businesses count western companies as their customers. Increasingly those Western customers are seeking to impose their own (developing and in some cases ill thought out) anti-corruption compliance on Russian businesses (mindful of the problems third parties in risky places – and Russia is a risky place – can cause).

So Russian businesses, the Russian government and Russian citizens are very interested in anti-corruption.

After explaining that in Russia it was broadly impossible to fire someone suspected of bribery (they would need to be convicted by a criminal court) and that the only two reasons to sack someone were, basically, 1. if they were drunk at work or 2. seriously late, Anton Smirnov of Lovells said a journey of 1000 steps starts with just one step.

The chairman of the panel, the very smart Alevtina Kamelkova Russian & CIS General Counsel of Alcatel Lucent said it would be really helpful if CEO’s of Russian groups demonstrated tone from the top and participated in anti-corruption panels like those running at the Forum.

That would be good too.

But in our view Russia should not beat itself up and likewise the West should not beat Russia up, over its present stage of development.

In world terms the Russian economy is a baby.

Non-Russian labor laws are hardly perfect – but we’ve come across plenty of others with similar flaws from the UK to Asia and beyond when dealing with international internal investigations.

We would like to see some CEO’s of Western businesses taking the time to demonstrate real tone from the top and talk about anti-corruption on similar panels. Imagine the message that would be sent if the CEO of a Fortune 500 (not under FCPA investigation) took the time…

We agree that every journey starts with just one step. Russia has begun its journey.

Leave a Comment

June 16, 2013

Corruption and Compliance Asia Congress: I Hope You Can Join Me

Filed under: Beacon,Best Practices,Bribery Act,Corruption and Compliance Asia Congress,Ethical Leadership,Ethics,FCPA — tfoxlaw @ 2:11 pm

The last week of June, I will be attending, presenting and moderating at one of the best conferences focusing on anti-corruption compliance that I have recently seen offered in Hong Kong. If you are a compliance practitioner and want to hear about the most cutting edge best practices regarding the US Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other programs related to anti-bribery and anti-corruption compliance and meet some of the top compliance practitioners in the South and Southeast Asia, you should plan to attend. It is the Corruption and Compliance – Asia Congress, hosted by Beacon. It will be held from Monday, June 24 to Wednesday, June 26, at the Hyatt Regency, Hong Kong. For full details on the event, click here.

Beacon has put together one of the absolute best aggregations of compliance talent that has ever come to Hong Kong for a compliance conference. Included are compliance industry leaders, literally from across the globe, some of the luminaries included are David Lee, a partner from Norton Rose Fulbright; Eric Carlson, from Covington and Burling LLP; Alexandra Wrage, head of Trace International, Isadora Garcia Torres, Vice President & Regional Compliance Officer for Siemens, Matthew Friedman, UN Project on Human Trafficking; and Sam Gibbons, International Compliance Association.

What will be some of the key topics, talks and workshops? How you should take a risk-based approach to directing an effective compliance program, including (1) Conducting an effective corruption risk assessment – What the process should look like; (2) Collecting and integrating insights from all appropriate functions – such as Internal Audit, Business Units, Legal, Regulatory and Quality; and (3) Understanding how regulatory requirements and risks impact the businesses and the organization’s people, processes and technology. Wondered about conducting risk assessments of potential anti-corruption violation in merger and acquisition (M&A) transactions? You will learn about conducting due diligence in your M&A targets and transactions; strategizing on effective pre-deal screening; and, finally, integration of FCPA compliance programs during the post-merger period.

As corporations are increasingly leveraging external or third-party suppliers and service providers to reduce operating costs, together with the heightened level of government scrutiny and the slew of anti-corruption legislations and regulations introduced across multiple jurisdictions, how do you manage the risk associated with third-party? Do you need insight into managing fraud and corruption risks in external or third-party suppliers? If the answer to either of these questions is yes, you will learn how to effectively implement ongoing measures to assess, monitor and mitigate third-party risks; understand the degrees of risk based on various third-party relationships and, finally, hear about the best practices for managing third parties for overall ethics and compliance program excellence.

There will be a session on “Top Gun” corruption risk assessment strategies in which you will learn how to analyzing the probability of corrupt practices within an organization; identify, assess and resolve risk items before they turn into threats; move from the identification of risks to ‘actionable’ information and how to prioritize risks, identify tools to address identified risks and use risk data as guidance on the development of anti-corruption strategies. There will be a session on the leveraging of corruption risk assessments data for effective compliance resourcing strategies in which you can determine how to take an institutional approach to corruption risk assessment to effectively identify weaknesses in the enforcement of rules and regulations within the organization.

Do you need a more in-depth review of an anti-bribery/anti-corruption compliance program? If the answer is yes, I will be leading a half-day workshop on assessing and determining the “health” of the organization’s compliance culture and gaining buy-in from all levels of the organization. In this workshop, you will learn about the following: General awareness of ethical/legal issues that arise at work; Proactive seeking of ethics/compliance advice within the organization; Employee knowledge of workplace rules; Willingness to inform management of problems/deliver “bad news” to management; Employee willingness to report legal violations (e.g. call the “whistleblower hot line”); Employee perceptions that leadership pays attention to ethics and cares about ethical conduct as much as the bottom line; Employee-perceptions of fair treatment within the organization; Institutional ethics and values that are openly discussed and are integrated into decision-making; and Employee perceptions that ethical behavior is rewarded and unethical behavior punished across all levels.

Bottom Line: This is one of the very best FCPA conferences that has ever been staged in Hong Kong. It will offer some of the most cutting edge best practices on a wide variety of issues that bedevil compliance practitioners on a day-to-day basis. This list of speakers is the most ‘A-List’ that has ever been seen at such an event in Hong Kong. You owe it to yourself to attend. I hope to see you there.

——————————————————————————————————————–

If you are a reader of this blog, you can obtain a 15% discount for the conference by quoting 688TF15D as the registration code.

———————————————————————————————————————

© Thomas R. Fox, 2013

Leave a Comment

June 14, 2013

Lunch with the FCPA Compliance & Ethics Blog – Phil Wedemeyer and the Audit Perspective in Compliance

Filed under: Audit,Best Practices,Board of Directors,Books and Records,compliance programs,FCPA,Financial Times,Internal Audit — tfoxlaw @ 1:01 am
Tags: best practices, Board of Directors, compliance programs, FCPA, Foreign Corrupt Practices Act, FT, Internal Audit

One of my weekend reading pleasures is the Saturday section in the Financial Times (FT) entitled “Lunch with the FT”. Each week, this column highlights a weekly interview with leading cultural and business figures. In addition to an excellent interview with fascinating people, the column discusses the food served and lists the prices of all items purchased. The column is so smartly done that even the Men In Blazers talk about it in their weekly podcasts on all things soccer.

Since imitation is the most sincere form of flattery, today I will inaugurate a “Lunch with FCPA Compliance and Ethics Blog” series of posts. While it will not be a weekly feature, nor will I detail the costs for lunch, I will commit to you the cost will be in line with that of a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program business entertainment lunch. My inaugural guest is Phil Wedemeyer, who is a retired former partner of a Big Five accounting firm (when there was a Big 5); the former Director of the Office of Research and Analysis at the Public Company Oversight Accounting Board and currently sits on the Board of Directors of two corporations; one public, where Phil is the Chairman of the Audit Committee, and one private. As you might guess from someone with such a professional background, Phil tends to view things through the prism of an audit perspective.

This week Phil and I sat down for a couple of Houston’s finest cheeseburgers to catch up. Phil asked me what might be happening on the FCPA front and I told him that I thought the news about the National Security Agency (NSA) information collection programs was going to make the job of the compliance practitioner more difficult. Many of America’s allies are up in arms over not only the collection of information but the revelation that such collection of information can be used in monitoring FCPA compliance across the globe. I think this will mean that companies will face greater data privacy laws and have more difficulty not only getting information out of foreign countries and into the US for evaluation but even in collecting types of data and information.

Great Board Oversight Required?

Phil had another take on it, which I found equally interesting. He questioned whether this information about the US government could put an additional burden on not only the compliance practitioner but on a board of directors? When I asked him what he meant by this, he questioned if a company had reliable information that the US government was employing oversight techniques to search for evidence of bribery and corruption (or non-compliance with other laws or regulations) beyond more traditional law enforcement techniques (e.g., whistleblowers, self-disclosure and competitor reporting); should this cause that company to increase its oversight of compliance with the FCPA? In particular, more comprehensive government monitoring activity could increase the chances of discovery of the types of illegal activities at lower levels of the company that is one of the primary objectives of whistleblower procedures and that may not always be known to upper level management. Further, if so, would this change in risk put a director on notice that they need to perform additional oversight of the compliance function?

Transaction Analysis

Phil also inquired about any trends that I might have seen over the past six to 12 months on FCPA enforcement. I told him that one of the things I have seen is the introduction of transaction monitoring, beginning with the Morgan Stanley declination. I then discussed the Eli Lilly enforcement action and particularly the bribery scheme used in Poland where charitable contributions were made to a charity run by the head of a provincial health service. This led to sales spiking in that province rather dramatically. These cases, and some others, have led me to advocate that companies engage in transaction monitoring from the compliance perspective to identify any anomalies.

Phil’s observation here was once again based on his auditing background. He said that, in considering variations in operating results as a director, he asks two questions of management: What happened and how do you know? In answering these questions, it is clearly important that management understands the business cause of significant sales increases and that there could be other issues involved in the situation that may require consideration by the compliance practitioner. Phil thought analysis of variations needs to occur at the level at which the sales increase was material. As an example, he conjectured that, in the Lilly scenario, such a sales spike would likely not be material to the company’s consolidated financial statements or, for that matter, to the European business unit. However, such a sales increase would most probably be material for the country of Poland and certainly for the province in which the sales increase occurred.

Once the material level is determined, direct questions should be asked and answered at that level. Explanations of a sales increase as being the result of the appointment of a new head of business development or a more aggressive sales manager should not simply be taken at face value. Questions such as what techniques were used; what was the marketing spend; how much was spent on business entertainment or other specific categories; were charitable donations made to any non-core business charities and other questions might help to get at the true underlying reason for a sales spike. Further, a company should review its findings in subsequent periods for confirmation. So, for example, if a sales increase legitimately appears to be due to the efforts of a new person in the territory or region, is that same increase sustained in later periods. The answer to such a question might identify red flags indicating the need for further review.

One of the key things that I learned from my lunch is the need for the compliance practitioner to talk to other non-compliance professionals to get their perspectives on how they view issues. So, just as I had lunch with Phil Wedemeyer, you could take out the head of your internal audit group for a lunch and chat; or HR; or IT. The list of possibilities is lengthy. I hope that you have enjoyed my inaugural, Lunch with the FCPA Compliance and Ethics Blog as much as I have bringing it to you.

———————————————————————————————————————————————————————-

I will be discussing transaction monitoring on a free Webinar entitled, “A Winning Strategy for Automating FCPA Compliance” hosted by SAP, next Wednesday, June 19 at 2 PM EDT. For registration and information, click here.

———————————————————————————————————————————————————————-

© Thomas R. Fox, 2013

Leave a Comment

June 13, 2013

Why Can’t We Be Friends? Compliance and HR

Filed under: Best Practices,Bribery Act,Compliance Week,Culture,Ethical Leadership,Ethics,FCPA,Human Resources,Training,Training — tfoxlaw @ 1:01 am
Tags: Bribery Act, compliance programs, ethical leadership, ethics, ethics and compliance, FCPA, Foreign Corrupt Practices Act, HR

I have long been an advocate of the compliance function working with the Human Resources (HR) function in any company to help achieve greater compliance under anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. I think that HR is uniquely situated to ‘connect the dots’ in many areas of compliance. My thoughts on this subject were echoed in a recent article in the June issue of Compliance Week Magazine, in an article by Jaclyn Jaeger, entitled “How Compliance and HR Can Get It Together”. Jaeger quoted Alex Weisgerber for the following, “Boards are increasingly asking their executive teams to identify and address major people risks.” He further stated that “The HR-compliance partnership can help anticipate this request and set the organization’s human capital risk management agenda proactively.”

However, Jaeger wrote that in some companies this cooperation towards the goal of greater compliance has been found to be lacking. There may be several factors which lead to a more asymmetrical approach by these functions, particularly due to “gaps in communication and collaboration between compliance and HR.” She quoted Weisberger that “The two groups simply haven’t found many opportunities to collaborate in supporting organizational performance.” While I disagree with this statement, Jaeger’s article does detail some of the steps the compliance practitioner can take to bring these two corporate functions into alignment.

Jaeger quotes Shanti Atkins, for the following, “The first challenge to overcome is the “deeply held stereotypes that legal, compliance, and HR typically have of each other.” It’s important to talk about those if we are to get past them.” But perhaps more importantly is the notation held in many legal departments and compliance functions that “the HR function is not a strategic player in the company—that its central function is to manage paperwork, schedule training sessions, and mediate mundane spats such as who hogs the best space in the parking lot.”

As mentioned above, I have long advocated that HR is uniquely situated to connect the dots and along this line of thought, Jaeger wrote that “Getting employees to function as a coherent, engaged unit has to do with people, not policies—and people issues are exactly where HR excels, or course. HR has its finger on the pulse of employee culture, Atkins says because it is the primary channel employees use to complain when there is a problem—and those problems are usually a warning sign of wider compliance-related issues.” What are some of the areas that HR can assist the compliance function with? I believe that there are five key areas. They include the following.

Training

A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few, and based on this traditional role of HR in training this commentator would submit that it is a natural extension of HR’s function to expand to the area of FCPA compliance and ethics. There is a training requirement set forth in the US Sentencing Guidelines. Companies are mandated to “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

Employee Evaluation and Succession Planning

What policy does a company take to punish those employees who may engage in unethical and non-compliant behavior in order to meet company revenue targets? Conversely, what rewards are handed out to those employees who integrate such ethical and compliant behavior into their individual work practices going forward? One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a FCPA compliance and ethics policy. In addition to employee evaluation, HR can play a key role in assisting a company to identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence. If a company has an employee who meets, or exceeds, all his sales targets, but does so in a manner which is opposite to the company’s stated FCPA compliance and ethics values, other employees will watch and see how that employee is treated. Is that employee rewarded with a large bonus? This requirement is codified in the Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

Hotlines and Investigations

One of the requirements for a company under the Sentencing Guidelines is that they “… have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.” This requirement is met by having a hotline. One of the traditional roles of HR in the US is to maintain a hotline for reporting of harassment claims, whether based on EEOC violations or other types of harassment. It is a natural extension of HR’s traditional function to handle this role.

Regarding investigations, HR can bring broad benefits to any FCPA compliance and ethics program through an efficient investigation process. It is recognized that a Legal or Compliance Department may wish to take over and complete an investigation process. However, HR can bring a consistency in both the process and any discipline which is imposed. Such consistency reinforces the senior management’s message of commitment by the company to FCPA compliance and ethics. Such a function by HR can lead to an understanding of emerging risks. Lastly, it may be that employees are more willing to speak up to HR and the building of trust can be utilized to assist in overall risk mitigation.

Background Screening

A key role for HR in any company is the background screening of not only employees at the time of hire, but also of employees who may be promoted to senior leadership positions. HR is usually on the front lines of such activities, although it may be in conjunction with the Legal Department or Compliance Department. This requirement is discussed in the Federal Sentencing Guidelines for Organizations (FSGO) as follows “The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”

When the Government Comes Calling

While it is true that a company’s Legal and/or Compliance Department will lead the response to a government investigation, HR can fulfill an important support role due to the fact that HR should maintain, as part of its routine function, a hard copy of many of the records which may need to be produced in such an investigation. This would include all pre-employment screening documents, including background investigations, all post-employment documents, including any additional screening documents, compliance training and testing thereon and annual compliance certifications. HR can be critical in identifying and tracking down former employees. HR will work with Legal and/or Compliance to establish protocols for the conduct of investigations and who should be involved.

Lastly, another role for HR can be in the establishment and management of (1) an Amnesty Program or (2) a Leniency Program for both current and former employees. Such programs were implemented by Siemens during its internal bribery and corruption investigation. The Amnesty Program allowed appropriate current or former employees, who fully cooperated and provided truthful information, to be relieved from the prospect of civil damage claims or termination. The Leniency Program allowed Siemens employees who had provided untrue information in the investigation to correct this information for certain specific discipline. Whichever of these programs, or any variations, that are implemented HR can perform a valuable support role to Legal and/or Compliance.

Doing More with Less

While many practitioners do not immediately consider HR as a key component of a FCPA compliance solution, it can be one of the lynch-pins in spreading a company’s commitment to compliance throughout the employee base. HR can also be used to ‘connect the dots’ in many divergent elements in a company’s FCPA compliance and ethics program. The roles listed for HR in this series are functions that HR currently performs for almost any company with international operations. By asking HR to expand their traditional function to include the FCPA compliance and ethics function, a US company can move towards a goal of a more complete compliance program, while not significantly increasing costs. Additionally, by asking HR to include these roles, it will drive home the message of compliance to all levels and functions within a company; from senior to middle management and to those on the shop floor. Just as safety is usually message Number 1, compliance can be message Number 1A. HR focuses on behaviors, and by asking this department to include a compliance and ethics message, such behavior will become a part of a company’s DNA.

If your company does not integrate HR into several ongoing roles for FCPA compliance I believe that is high time you did so. Jaeger’s article points out several steps you can take to bring these two functions into greater collaboration. From my perspective, HR can be a valuable partner for compliance and one that you should begin to take advantage of now.

© Thomas R. Fox, 2013

Leave a Comment

June 12, 2013

British PM Leads the Fight against Shell Corporations

Filed under: Anti-Money Laundering,Bribery Act,Due Diligence,FCPA,Shell Corporations — tfoxlaw @ 1:01 am
Tags: AML, Bribery Act, Cameron, FCPA, G8, Obama

One of the critical areas in due diligence for foreign business partners is determining who are the true owners of an entity. Unfortunately this is not always possible to determine as many countries do not require the names, addresses and other identifying information of shell company owners or limited liability partners. Many people think of the Cayman Islands or other traditional tax havens when such issues arise.

However, a surprising number of allegedly low risk countries also have this problem. New Zealand is generally recognized as one of the lowest risk countries in the annual Transparency International Corruption Perceptions Index (TI CPI), nevertheless this rating may not be all it seems. In an article by Michael Field on Stuff.co.nz, entitled “NZ firms linked to money laundering”, Field reported that one individual was listed as a Director of over 300 New Zealand formed companies. Another person, listed as the Director of the New Zealand Company alleged to have been involved with the shipment of arms to North Korea, was “convicted of 75 breaches of the Companies Act for giving false addresses on registration forms”.

New Zealand is not the only country with a low corruption perception which may not be completely accurate. In a Reuters article, entitled “Special Report: A little house of secrets on the Great Plains”, authors Kelly Carr and Brian Grow reported on one house in Cheyenne, Wyoming, which the authors claim “serves as a little Cayman Island on the Great Plains” as it is home to the registration of over 2,000 entities. The article claims that Wyoming allows “the real owners of corporations to hide behind “nominee” officers and directors with no direct role in the business, often executives of the mass incorporator.” Carr and Grow also quote Jason Sharman, a professor at Griffith University in Nathan, Australia, who states that “Somalia has slightly higher standards [for business incorporation] than Wyoming and Nevada.”

One of the anomalies in the ongoing Hewlett-Packard (HP) investigation, for alleged bribery and corruption violations in its German subsidiary, was the German authorities’ investigation of activities in and through the state of Wyoming. The article by Carr and Grow may help explain why the German authorities needed to investigate matters relating to Wyoming where the allegations were that bribes were paid by a HP German subsidiary for a sale into Russia.

Against this backdrop, British Prime Minister David Cameron has taken the lead in forcing jurisdictions who register such companies to disclose their ownership. While Cameron has come at this problem through the angle of tax evasion and compliance, it clearly has implications for the US Foreign Corrupt Practices Act (FCPA), UK Bribery Act and various anti-money laundering (AML) laws. The issue of public registers and beneficial ownership is coming to the fore on the eve of the G8 Summit which will be held in Northern Ireland starting next Monday. The Guardian has reported, in an article entitled “David Cameron under pressure to clarify owners of firms at G8”, that Cameron has also been given a political boost by the Cayman Islands agreeing to sign the OECD multilateral convention on tax transparency and information, the most important of the British overseas territories to do so.”

However, perhaps there is legislation on the way to close this loophole in the US. In another Reuters article, entitled “US House bill targets anonymous shell corporations”, Patrick Temple-West reported on prior US legislative attempts to require disclosure of corporate beneficial owners. Three such efforts have failed since the year 2000. Who might oppose such legislation? Temple-West reported that “Some state government group[s] remain opposed. In the past, resistance has also come from business groups and lawyers.” I am also somewhat chagrined to report that an organization that I belong to, the American Bar Association (ABA), has opposed prior legislation to provide greater discloser for shell companies.

Still this resistance may be changing. In an article in the New York Times (NYT), entitled “Obama Urged To Back Plan To List Owners Of Shell Firms”, Ravi Somaiya reported that “Anticorruption activists have urged President Obama to back a plan to publicly register the owners of shell companies in the United States and around the world, a move they say is essential to thwart corrupt government officials, tax evaders and money launderers who rely on an opaque financial system.” This problem has existed for several years in the US. Somaiya reported that “The Financial Crimes Enforcement Network, a bureau of the Treasury Department, estimated in 2005 that as much as $18 billion in suspicious transactions were made using international wire transfers that used shell companies in the United States.”

Somaiya also quoted Jack A. Blum, a lawyer and the chairman of Tax Justice Network USA, who said “These anonymous shell companies are used by everybody who steals money. Tens of thousands of shell corporations have been set up within the United States, he said, primarily in four states — Delaware, Montana, Nevada and Wyoming — that have loose regulations.” We know that the bad guys are selling the U.S. as a place to set up companies,” Mr. Blum said, citing its “aura of legitimacy.”

How does all of this relate to due diligence as the US problem would not seem to impact a company covered by FCPA? First of all, a company should know with whom they are doing business, and more pointedly a US company which is subject to the UK Bribery Act needs to recognize that any agent, distributor or other type of representative here in the US, is a foreign entity under the Bribery Act and needs full due diligence. While the jurisdictional scope of the Bribery Act has yet to be fully fleshed out, such a US company needs to consider its due diligence here in the US and may need to strengthen its investigations and background checks on such parties to comply with the Bribery Act.

© Thomas R. Fox, 2013

Comments (1)

June 11, 2013

FCPA Enforcement as a Security Issue and Implications for the Compliance Practitioner

Filed under: compliance programs,Data Privacy,Department of Justice,Enforcement Actions,External investigations,FCPA — tfoxlaw @ 1:01 am
Tags: Data, Data Privacy, Department of Justice, DOJ, FCPA, FCPA Blog, FCPA enforcement, Foreign Corrupt Practices Act

One of the things that has long puzzled me is what led to the significant rise in the enforcement of the Foreign Corrupt Practices Act (FCPA) beginning in the 2003-2004 time frame? One of the more consistent theories that I have heard proffered, by Dan Chapman, Dick Cassin, Alexandra Wrage and others is that after 9/11, the Bush administration viewed corruption as a security issue. I admit that I was not totally sold on this theory until last week when, the FCPA Blog, in an article entitled “NSA spying also linked to FCPA enforcement”, reported that the National Security Agency (NSA) has engaged in economic espionage for the benefit of the United States and perhaps others. The FCPA Blog quoted a story from the American Spectator, entitled “Rise of the Surveillance State”, by James Bovard. One of the items which Bovard discussed is the program monikered ‘Echelon’, which he described as “a spy satellite system run by the National Security Agency along with the United Kingdom, Australia, New Zealand, and Canada. Echelon reportedly scans millions of phone calls, e-mail messages, and faxes each hour, searching for key words.”

Apparently this program is also used for FCPA enforcement. Bovard wrote that “A February report by the European Union alleged that Echelon has been used for economic espionage. Former CIA Director James Woolsey told a German newspaper in early March that Echelon collects “economic intelligence.” One example Woolsey gave was espionage aimed at discovering when foreign companies are paying bribes to obtain contracts that might otherwise go to American companies. Woolsey elaborated on his views in a condescending March 17 Wall Street Journal oped, justifying Echelon spying on foreign companies because some foreigners do not obey the U.S. Foreign Corrupt Practices Act. To add insult to injury, Woolsey noted there’s no reason for U.S. companies to steal backward Europe’s secrets.” Isn’t that a comforting thought when the US claims the Chinese are stealing secrets through computer hacking.

But what are the implications for the compliance professional? For a more Orwellian prediction, John Batchelor, in an article entitled “ NSA Scandals: FCPA Compliance Game Changer?”, has this chilling predeiction, “Currently it takes months or years to develop a solid FCPA case and most of those end up with fines and some type of penalty. Could that change to a new way of enforcement where the government targets a company, identifies corruption, gathers evidence, and instead of going through the motions, simply calls them to schedule a meeting, slapping a fine and a series of actionable tasks for the company in question? It’s not happening now, but that is a question.” It would seem to do away completely with the concept of due process so I would discount this scenario as unlikely.

However, Batchelor does point out that such government oversight might well occur in countries which are known or perceived to be high risk for corruption. He says, “Under the FCPA we focus on anti-bribery, however, with our current emphasis on national security, I think there is a serious question to ask for any company that operates in high CPI areas where terrorist cells or money laundering outfits to terrorist cells operate.” From this premise, Batchelor poses several topical inquiries which you should consider now. They include: “How well do you know your agents? How well do you know their relationships? How well do you know the companies they are affiliated with? Are there red-flags that low-level DPL type screenings might not uncover?”

I believe that the revelations which came out last week will make the compliance professional’s job more difficult but that difficulty may well be due to the backlash against not only the massive collections of data that the US government is obtaining through its surveillance programs but also the arrogance shown in statements like former CIA Director Woolsey, in the statement quoted in the American Spectator article. I believe that there three general areas which will negatively affect US compliance professionals.

First, is in the area of data access. Edward Luce, in a Financial Times (FT) article entitled “Obama has hurt himself and business over privacy”, said that the “US is losing credibility in its goal of trying to stop the internet from balkanizing into separate national frameworks.” While Luce discussed this in terms of the US criticism of “the great firewall of China”; a US investor might think about the Securities and Exchange Commission’s (SEC’s) struggle to get China to agree to allow auditors to provide data to the US consistent with US securities laws, or laws which the SEC enforces, such as the books and records component of the FCPA.

Second, what about data privacy? I think that the acknowledgement of the US surveillance programs will lead other countries to toughen up their data privacy requirements. This means that the compliance professional will be faced with an even more bewildering set of data privacy requirements to deal with to accurately access a company’s compliance program. For the intelligence angle, Luce quoted Ira Hunt, the CIA’s chief technology officer for the following, “Since you can’t connect the dots you don’t have…we fundamentally try and collect everything and hang on to it forever.” However, we now know that this surveillance also was used for other law enforcement issues such as enforcement of the FCPA. While foreign governments cannot legislate privacy as to the data collected by the US government, they certainly can do so vis-à-vis US companies doing business in their jurisdictions or home-domiciled foreign companies which are subject to the FCPA through a US subsidiary.

Indeed this very issue is now in the forefront of EU-US trade negotiations. In another article in the FT, entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament was quoted as saying, “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”

Lastly, what about jurisdiction and the FCPA? Currently if a banking transfer goes thought the US banking system, FCPA jurisdiction attaches. While it has not yet been tested, several commentators have spoken about information which might be saved on servers based in the US. So what if information appears on Google or through a Google-search or on Facebook? Now take the next step and ask, if there is data mining, which strikes pay dirt, could that create or even portend jurisdiction?

As an American, I understand the need for enhancing security protocols after 9/11. It is an irritation, but only that, similar to taking off my shoes to go through security, all courtesy of Richard Reid, ‘the Shoe Bomber’. Further, these US government surveillance programs, which have been ongoing though both a GOP and Democratic administration, were authorized by an overwhelming majority of both houses of the US Congress and has judicial oversight. But many outside the US may not see the same needs and protections that I see in place. Luce said in his article, “Washington’s reassurances are irrelevant to the 3.4bn non-Americans who are online…But foreigners might not be comforted to learn that their privacy is protected by a secret US court, which is overseen by a select group of US lawmakers who are themselves sworn to secrecy.”

I think that the job of the compliance practitioner just got a lot tougher.

Leave a Comment

June 10, 2013

The Business of Successful Transformation

Filed under: Best Practices,change management,Communication,Tim Aikens — tfoxlaw @ 7:37 am
Tags: change management, Tim Aikens

Ed. Note-today we have a guest post from out colleague Tim Aikens, which originally appeared on Tim’s website, Azarel.com.

This month I have chosen a couple of topics that most of us come across at some time in our career. The toxic culture – being in an organisation that clearly has little or no moral compass. Secondly how do you tell your boss he or she is wrong? Nobody is perfect, but the boss will often think they have a divine right to be . . Right!

Read on . . . . .

Toxic Corporate Culture – What is it and does it really matter?

A couple of months ago an article in the BBC internet news caught my attention: – ‘Australia London 2012 Olympic swim team ‘toxic’. The first paragraph read ‘Australia’s Olympic swimmers existed within a “toxic” team culture that led to bullying and misuse of prescription drugs, a report has found.’ The inference was that this culture had contributed to the poor performance of the team at the Olympics.

In a world where competition is increasing and becoming more global, a corporation will need to use every tool available to gain competitive advantage. This would include having a ‘good culture’. But all too often the drive for success leads to the opposite. I googled toxic culture and was amazed to find a plethora of learned papers and news articles about the topic. The issue would seem to be big and important. But what is a ‘toxic culture’ and does it really matter? I believe there is such a thing and long term it can destroy an organisation.

Firstly it is important to summarise what we mean by a ‘toxic corporate culture’.

A few extreme examples in recent history of toxic cultures are Enron, Tyco and WorldCom. Others might include News International and Lehman Brothers. Some have imploded in a spectacular manner, others are still very successful. The single most common feature in all of them is the desire for financial success at almost any cost. Put more simply – greed – especially at the higher levels in the organisation. There are other signs that appear to be common – bullying, lack of transparency, a closed circle of influence at the top, words (in the sense of written values or behaviours) not matching actions, placing unreasonable demands on staff (from hours to how they are expected to treat others), a win lose style (i.e. my gain is your loss – lots of internal competition). There are many others, but from a review of the literature these are the main signs. You might see one or more in your organisation; none are perfect, but when you begin to see a theme, it’s time to change something or move on.

Many organisations will exhibit some of these traits somewhere and some may be tolerated – the perpetually angry boss, a ‘long hours culture’, or one where rules are regularly ignored or abused.

Does it really matter? So what if life is hard at the workface? Some staff members may be happy to be workaholics; others may enjoy the competitive aspects of a zero sum game when it comes to sales. As long as the company remains profitable and stock price keeps going up why worry? At this point the question becomes partly ethical and partly business. A leader might say I have to treat my staff this way in order to get results, others (both staff and workforce) might know no other way.

My view on the ethical side is yes, it really does matter. How can we tolerate this kind of behaviour yet admonish other nations for corruption and slave labour. It is perfectly possible to run a business well without even small amounts of toxicity. A quick review of the Sunday Times Best Companies to work for will show that not only are they good places to work, but that they are also successful. At an individual level, who believes that they will be more productive long term in a toxic environment? A couple of years ago I read a great book entitled ‘The No Asshole Rule’. The author is passionate about civilised workplaces and believes that they can be achieved and boost performance. An organisation full of ‘assholes’ has to be toxic. The book is a wonderful antidote to this even if a little tongue in cheek at times.

From the business perspective the answer ought to be clear. There is no long term future for a ‘toxic’ organisation as Enron and others have demonstrated. Yet there are many businesses that have a reputation (deserved or otherwise) that are still doing business with little or no pressure to change (yet). Most of them manage to keep the toxicity under control, whether it is the way they treat staff or the products they sell. In many cases they are tolerated because the public likes what they make or do, or because the product is cheaper.

What to do? You work for a company that expects long hours and pays poorly. If you quit another job may be hard to come by. You are a partner in a big firm that makes a lot of money, but there are some questionable practices. Leaving means a big drop in salary. For the hard pressed employee it is often a matter of comfort. Can you stick it out and continue to work in an organisation that behaves so poorly? For others it is a matter of conscience. Is the way this organisation operates right, ethically and morally correct? There are lots of books and articles that tell you how to deal with a toxic culture. None of them will work if the leaders do not change and make a decision to operate their organisation in a morally, ethically and socially responsible manner!

What do you do when your boss is wrong?

Who would you rather tell that they had made a mistake and were wrong over something – Lord Alan Sugar or Sir Richard Branson? They are very different characters and how you might approach them over an error might be very different. Some people are simply more approachable than others. But move away from the character and ask the bigger question, how do you tell your boss when they are wrong? There are two issues at stake in this situation. Firstly, your relationship with your boss and your career – the consequences of handling the situation wrongly. Secondly there is the business. What are the implications for the business if the error is not taken on board and corrected? When the boss is wrong – and you know it, it can be quite an emotive time. Decisions can be made more through the heart than the head. The direct approach may not always be the right one. Here are a few things to think about before raising the ‘error’.

The situation. If your boss is talking about how many times a football team has won the league and you know he is wrong, what is the impact on the business. In a social setting he or she might be quite happy to be corrected or not (see next comment). If the error has no impact on you or the business consider letting it slide. What value do you add to a relationship by telling your boss he is wrong!

The other side of ‘situation’ is the environment. If you are in a meeting, telling your boss he is wrong may not be a good idea. In some societies (e.g. China) this loss of face is a big issue. If the boss is wrong and it needs correction consider an indirect approach (see comment 3) that allows him to save face and you are not seen as the ‘bad guy’ who made his boss look bad.

The boss. I have worked for just about every kind of boss there is. Their personal nature and style are key to the approach you take:

Big ego. Be very careful. Do not say anything in a public setting unless really forced to. E.g. his error could impact a major business decision about to be made. If possible, correction should be offline and in private.
Consensus Manager. You are probably OK to deal with this upfront, but be careful about the words you use.
Sensitive Manager. These people are often quite happy to be told they are wrong in private, but fall apart and can react out of character if confronted in a more public setting. The language has to be very carefully chosen.
The grandstander. Usually someone who wants to make a big impact. If you announce the error he would look bad, if you don’t he could make a fool of himself, as well as lead to a poor decision. They often have big egos as well so treat them in the same way.

Recognising the type is an important first step, and of course it always pays to understand your boss in any job.

The approach. How do approach the situation and what do you say. From the comments above it is obvious that there is no one right answer. However there are some guidelines that will help:

Think first! The old saying, ‘engage brain before opening your mouth’ is universally true. Think about three things. Should I actually say something, what should I say and how do I say it? Examine your motives.

Style. You can go for the open and honest approach, but as noted above that may not always be best (for you or the person in error). There are other ways:

- the evidence approach e.g. ‘I understand your viewpoint, but have you considered . . .’. You are not actually saying the boss is wrong, but introducing new evidence and giving him or her the chance to change their mind. However, with this approach make sure you really have good evidence supported by numbers.

- use dialogue. Rather than say ‘you are wrong’ start some dialogue and get into a debate if circumstances allow.

- be positive and supportive. You are there to support your boss not see them fail. Make sure you say something positive and supportive as you open a debate.

- get the boss to explain. Rather than state what you might thing is obvious, get the boss to expand on their viewpoint. This gives you and others opportunities to move into debate.

Words. Be very careful about the words you use. Avoid clichés like ‘with respect’ (which usually means with no respect), or ‘as you know’, or ‘I hear what you say’. These and many others will be interpreted for what they are – a precursor to saying or implying you are wrong! Try and use ‘yes AND’, not ‘yes BUT’.

———————————————————————————————————————————————————————-

Tim Aikens is the founder of Azarel, a consultancy which helps companies manage transformation and change. He can be reached at tim@azarel.com

———————————————————————————————————————————————————————

Comments (1)

June 7, 2013

Codes of Conduct: what are they good for?

Filed under: Catherine Choe,Code of Conduct — tfoxlaw @ 1:01 am
Tags: best practices, Code of Conduct, compliance, compliance programs

Ed. Note-today we have a guest post from Catherine Choe, a well known Code of Conduct maven.

I had an interesting and frustrating conversation with a relative about the work that I do, which includes working with companies on refreshing their Codes of Business Conduct. Despite working at a large, publicly traded, multinational corporation, I had to describe the Code twice before he recalled having certified reading the one at his company. It got me thinking about why we have Codes and whether they’re doing an adequate job serving their purposes.

Two of the primary goals of any Code are first, to document and clarify minimum expectations of acceptable behavior at a company, and second, to encourage employees to speak up when they have questions or witness misconduct. There have been some very compelling articles discussing how important it is to teach employees that even actions that seem like minor misconduct should be reported. I agree with this, of course, but I think that those of us in compliance & ethics should not lose sight of how difficult the decision to report major misconduct can be for many employees.

I recently heard a story about this that drove home how much anxiety the decision to report can cause. I was having drinks with Sara, a friend I hadn’t seen in over a year. Sara and I used to work together, and as we were catching up (i.e., gossiping) about former colleagues and mutual friends, she told me about something that happened to her a couple of weeks earlier.

Sara was attending a happy hour and chatting with Tracy. Sara and Tracy started at the company on the same day and were in the same orientation group, where they bonded over their shared love of celebrity tabloids and became fast friends. Over the years, Tracy worked her way up in the sales department to become a senior manager. At the happy hour, Tracy shared details from the latest bonus trip that she had been selected to attend along with other top sales employees as a reward for outstanding performance.

It seems that in addition to her reputation for exceeding nearly every sales goal put in front of her, Tracy had also developed a habit of dating her colleagues. In some instances, her partners were at her level, but most of the time, they were junior to her, although not in her reporting line. All of her relationships were consensual, and she never exerted influence, positive or negative, over their careers. Tracy simply found that it was more convenient, given the number of hours she worked and the days that she traveled, to find romance at work. Management turned a blind eye to these activities, despite them being in contravention of company policy. This was in part because of her performance and in part because nobody ever complained.

Tracy became involved with a junior colleague on the bonus trip and, as friends often do, was starting to share juicy details. Tracy, wanting to show Sara what the junior colleague looked like, pulled out her phone to show Sara a picture. Sara expected to see a head shot. What she saw instead was a picture of the gentleman in question in the shower, with no idea that Tracy was snapping a photograph.

Sara shared the story with her boyfriend as an example of Tracy’s continuing refusal to grow up and a reason for the growing distance between the two friends. Sara expressed discomfort at having been shown the picture and some sympathy for the gentleman who’d had his picture taken in an intimate moment without his consent. Her plan for the future was to minimize contact and avoid spending time with Tracy.

Sara’s boyfriend, a lawyer, told her she had a responsibility to report Tracy’s behavior. Sara disagreed, saying that the relationship was a consensual one between two adults. In addition, Sara was concerned that Tracy might lose her job at a time when jobs were hard to find; Sara didn’t think it was right to interfere with Tracy’s livelihood

Sara’s boyfriend insisted that Sara report the incident, going so far as to say that if she didn’t tell someone in authority at the company, that he would call the company’s General Counsel to report the behavior himself. He also noted that she might not have been as reluctant to raise her hand if the genders of the parties involved had been reversed.

Sara felt trapped. Despite the egregious nature of Tracy’s behavior, Sara was torn between loyalty to her friend and doing what she knew in her heart was the right thing. After several sleepless nights, she asked her boyfriend to consider calling the helpline rather than calling the GC, which she hoped would make it harder to trace the report back to her. Out of sympathy for her distress, he agreed but told her she should check to see what her responsibilities were in the company’s Code of Conduct.

Sara downloaded the Code of Business Conduct from the company’s website and checked the Table of Contents and the index. Both places directed her to the first section of the Code, which stated that employees, officers, and directors had a duty to report misconduct. Defeated, Sara called the HR business partner for her department the next day.

Two things stood out to me when Sara told me this story: (1) Sara’s reluctance to report the misconduct despite its egregiousness and (2) the role of the Code of Business Conduct in the resolution. It’s true that if someone had reported Tracy when she first started dating her colleagues, she might not have reached the point of nonconsensual pictures in the shower, and then Sara would not have faced the dilemma she did. Despite the existence of HR policies either forbidding romantic relationships at work or requiring their disclosure, workplace romances continue to occur. As adults, we spend most of our time at the office with our coworkers. Personal relationships are inevitable.

In addition, we often feel more loyalty to our coworkers than we do to the companies that employ us. Our colleagues are people. We work on projects together, we celebrate successes with each other, and we console each other when there are failures. The collegiality that we build can improve productivity for the company.

Companies employ us. They provide us with the money we need to shelter and feed ourselves and our families, but companies are not people. The relationships we have with them are not personal. What this means for C&E practitioners is that when we tell employees to report misconduct, no matter how small, the choice we are presenting is to be loyal to our coworkers or be loyal to the company. Respect the teamwork and collegiality we’ve built, or “tattle” on our teammates for minor infractions of a Code that most employees skim once a year. The decision to report, even in the face of serious misconduct, is gut-wrenching, especially if the bad actor is a friend or simply likeable.

Luckily for Sara’s company, the Code specifically cited a duty to report. Companies often struggle with the decision as to whether to make reporting a duty or something more voluntary. Making reporting a duty puts a burden on the company to ensure there are consequences for those who do not report misconduct. Some decide that the administrative burden is too great or that they are uncomfortable with the potential impact it will have on the company culture. After the conversation I had with Sara, I believe that the benefits outweigh those potential drawbacks.

We all know that our companies need Codes, so that our expectations around appropriate behavior are written down for employees. We all know the general topics that should be covered in our Codes. The level of sophistication in interactivity often depends on the level of technology sophistication of the employee base. Many of us have gotten savvier about adding specific examples in our Codes to provide additional guidance. We seem to take it for granted that employees will read the Code with the same attention and focus that we do.

The reality is that employees read the Code when forced to, either because of an annual certification campaign or because they face a dilemma. In the former situation, employees skim, then sign; in the latter situation, employees look for an answer to a specific question. Everyone in C&E has a checklist in mind of things that the Code should have and do. At the top of my checklist is how quickly people like Sara can find the topic of her question and how clearly the Code answers it. If employees are unable to find clear answers to their dilemmas quickly, the Code is not serving its purpose.

———————————————————————————————————————————————————————-

Catherine Choe is Managing Member at TFL Compass (www.tflcompass.com), a compliance and ethics consultancy. She is an authority on the business impact of C&E programs and has lectured widely on harmonizing C&E practices with business processes. Catherine is also an experienced and talented speaker with exceptional communication and presentation skills. She tweets regularly as the Code Maven (@CodeMavencc). She can be reached by phone at 408-337-2463 or email at cchoe@tflcompass.com.

———————————————————————————————————————————————————————-

Comments (3)

FCPA Compliance and Ethics Blog

June 19, 2013

What is Board Responsibility For Compliance?

June 18, 2013

How to Assess Suspicious Financial Activity

June 17, 2013

Justin Rose and Barry Vitou-Two Winning Brits

June 16, 2013

Corruption and Compliance Asia Congress: I Hope You Can Join Me

June 14, 2013

Lunch with the FCPA Compliance & Ethics Blog – Phil Wedemeyer and the Audit Perspective in Compliance

June 13, 2013

Why Can’t We Be Friends? Compliance and HR

June 12, 2013

British PM Leads the Fight against Shell Corporations

June 11, 2013

FCPA Enforcement as a Security Issue and Implications for the Compliance Practitioner

June 10, 2013

The Business of Successful Transformation

June 7, 2013

Codes of Conduct: what are they good for?

January

Blogroll

Pages

Admin

Read by Email

Follow “FCPA Compliance and Ethics Blog”

June 2013
M	T	W	T	F	S	S
« May
					1	2
3	4	5	6	7	8	9
10	11	12	13	14	15	16
17	18	19	20	21	22	23
24	25	26	27	28	29	30