FCPA Compliance and Ethics Blog

September 12, 2014

The FCPA Compliance and Ethics Report

If you have not done so, I hope that you might go over to my podcast site, the FCPA Compliance and Ethics Report, to check out some of my recent podcasts. The episodes are between 20 and 30 minutes long and they are available for download on iTunes so you can listen to them on your commute to work or when working out at the gym.

Internal Controls

I have begun a series on internal controls in a best practices FCPA compliance program with noted internal controls expert Henry Mixon. In Parts I & II, Mixon and I discuss the basics of what internal controls are. These podcasts supplement some of my recent blogs on internal controls.

Episode 85-What Are Internal Controls, Part I

Episode 87-What Are Internal Controls, Part II

HR and Compliance

One of the best allies for the compliance function in any company is the Human Resources department. I explore how HR can assist compliance in a myriad of components of any best practices compliance program.

Episode 86-Use of HR in a Compliance Program

Continuous Improvement of a Compliance Program

In the FCPA Guidance and in almost every speech I have heard by a Department of Justice official, they talk about how your compliance program should evolve to meet new compliance risks, changes in best practices, geographic markets where your company does business and new product/service offerings. You can do this by continuous improvement of your compliance program.

Episode 84-Continuous Improvement of Your Compliance Program

The Compliance EcoSystem

Jon Rydberg is the Founder and CEO of Orchid Advisors. He is also the former CCO of Smith & Wesson and was at the company when it navigated its way through an FCPA investigation and enforcement proceeding. From these experiences, Rydberg has developed a holistic approach to compliance which he has trademarked as the “Compliance EcoSystem”. I explore his ideas on a fully integrated approach to compliance.

Episode 83-Interview with Jon Rydberg

Use of Interviews in Your Compliance Program

Brian Ching is the most famous player in the history of the Houston Dynamos soccer club. Ching recently retired and moved into the front office as the General Manager of the Houston Dash, the Houston professional women’s soccer club. I interviewed Ching on his transition to management and how the Dash use the face-to-face interview process to not only assess the non-soccer skills that the team requires of its players but also to communicate the team’s expectations. There are some very significant insights about how a company can communicate its expectations regarding ethical business practices.

Episode 79-Interview with Brian Ching

The FCPA Professor

Finally, and certainly not least, I bring back the FCPA Professor for a two-part podcast on his new book The Foreign Corrupt Practices Act In a New Era.

Episode 80-Interview with the FCPA Professor, Part I

Episode 81-Interview with the FCPA Professor, Part II

A good weekend to all.

September 11, 2014

King Arthur’s Roundtable – The CCO as Chief Collaboration Officer

Many commentators such as Donna Boehme and Mike Volkov often talk about what is required for the position of Chief Compliance Officer (CCO), both in terms of corporate support and skills as a leader of a company’s compliance function. But in many ways a CCO can be seen as a collaborator because so much of the job is working with and interfacing with various functions within a business. I thought about that concept when I read an article in the Corner Office section of the New York Times (NYT) entitled “Titles Don’t Matter. Teamwork Does.” by Adam Bryant, where he interviewed and profiled Girish Navani, Chief Executive Officer (CEO) of eClinicalWorks, a provider of clinical information systems.

I found Navani’s leadership style focusing on collaboration to be a good model for a CCO or compliance practitioner because what the compliance function needs to bring is a partnership to help the business and other units do business in compliance with the relevant legal and regulatory scheme. In the world of anti-bribery and anti-corruption that means compliance with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act and similar laws. Navani said that his leadership style is to be as open as possible. One of the techniques that he uses is to have an oval table for meetings. No doubt channeling his inner King Arthur (or perhaps Richard Harris playing King Arthur), the configuration of the table actually seems to facilitate conversation and learning.

Another interesting insight was that Navani structures his company around teams. I thought this could be something that the compliance function could use in its dealings with business units because compliance is really a partnership with the business units and compliance spans multiple functions within any company. I also found another leadership insight in Navani’s leadership style. Navani said he continues “to learn every day. Leadership to me is many different qualities. Some are very basic. You’ve got to be approachable, humble and hard-working. Then there are ones regarding how you treat people. I listen more now. Before, I’d speak all the time. I will still do a lot of talking in meetings, but I absorb others’ opinions more. And I’m completely open to being told ‘no’. Questioning my own decision-making with others in the room is fine.”

I found that last point quite useful to consider. Coming out of the legal department and into compliance, I did not always take kindly to being told ‘no’ by someone from the business unit. I thought every pushback was some type of pressure test looking for weakness or tension. However, Navani’s style brings up the useful reminder that often the business function can assist compliance in learning how to perform the function more quickly or more efficiently. Certainly the business can assist the compliance function in understanding the highest risks that a company should focus on managing. In such a partnership role, compliance and the business unit can complement each other to stop wasting time on immaterial risks so that resources can be directed to the company’s highest risks.

Navani also stressed accountability. At his company “You’ve got to be accountable to yourself first, and you’ve got to be accountable to your team.” This certainly has application to the compliance function as well. One of the battles that compliance must fight is the perception that it is ‘The Land of No’ and that the CCO is the head of it, or ‘Dr. No’. However, by stressing accountability and creating transparency in the compliance process, I believe that a CCO can go a long way towards ameliorating that misperception.

I also found Navani’s techniques for hiring instructive for compliance. He said, “I look for the heart first. I don’t ask for direct experience.” He expects a modicum of professional expertise, but the questions he asks most often are “Do you want to win? What drives you every day? Why health care IT? Can you spend 10 years of your career here? What do you want to do in those 10 years?” Navani went on to say that if he receives satisfactory responses to those queries, the technical aspects of a position can be taught. But he strives to see if a candidate’s heart is in the right place.

In addition to using these questions to ferret out candidates who will not work well with his company, Navani uses these questions to set both a tone and an expectation. The message he sends is “We’re not going to stifle you. If you can think out of the box, you will.” Navani believes that by hiring such employees they have the opportunity to become game changers at his company. Now imagine if you could have your Human Resources function use the hiring process to ask questions about attitudes toward business ethics or other compliance issues. It would have a dual effect. It would allow your company to have a front line inquiry that might weed out those who might be prone to cutting corners through bribery and corruption. But equally important would be the expectation it sets regarding the high value your company places on compliance and business ethics. The message would begin pre-hire, be set again during employee orientation training and continue throughout the employment tenure.

By migrating some of these leadership techniques that Navani espoused into your compliance tool-kit, a CCO or compliance professional can help to shift a company’s conversation around compliance. You can move from simply being seen as a safety backstop to one of developing and implementing solutions. Some of the other insights that I drew from Navani include setting out your core function of compliance. A compliance function should be able to offer expertise and insight into solutions. One part of that may be delivering data and other information to the business function to help them make better economic decisions for the company. But another way might be through compliance coaching and advocacy.

Navani’s leadership once again demonstrates that if your compliance function shows integrity and responsibility, it can lead to greater teamwork between departments. Many business units fear that the compliance function will take away control of the business process from them. However, by demonstrating that compliance is really a partnership, you can go a long way toward alleviating this concern.

And do not forget the Round Table.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 8, 2014

Board of Directors and FCPA Oversight – An Internal Control Under SOX, Part II

In Part I of this two-part post regarding a Board of Directors’ role in Foreign Corrupt Practices Act (FCPA) oversight from the internal controls perspective, I reviewed how a Board might have independent liability for its failure to act as an appropriate internal control as required by Sarbanes-Oxley (SOX). Today I will review what internal controls are and what a Board’s role is within the context of internal controls.

Beginning on Tuesday, in conjunction with this two-part blog, my colleague Henry Mixon, Principal of Mixon Consulting, and I are recording a podcast series on internal controls, which can be found on the FCPA Compliance and Ethics Report. We are discussing the following areas: what internal controls are, how a company might use them and how they can be implemented. In the first of the podcast series I asked Mixon what internal controls are. He began with the textbook definition, which he said was “Internal controls are systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to:

  • conduct its business in an orderly and efficient manner,
  • safeguard its assets and resources,
  • deter and detect errors, fraud, and theft,
  • ensure accuracy and completeness of its accounting data,
  • produce reliable and timely financial and management information, and
  • ensure adherence to its policies and plans.”

Mixon noted that internal controls should be instituted entity wide, not simply limited to those functions used or reviewed by accountants and auditors. For an anti-corruption compliance regime such as the FCPA or UK Bribery Act, internal controls are measures to provide reasonable assurances that any assets or resources of a company (not limited to cash) cannot be used to pay a bribe. This definition includes diversion of company assets (such as by unauthorized sales discounts or receivables write-offs) as well as the distribution of assets.

Mixon noted that the basic framework for internal controls is derived from the COSO Model developed in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). This model has become the standard for an internal control framework and provides a structure to ensure companies address the key elements that should result in an effective system of internal controls. Using the COSO Model, as modified in 2013, provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. The COSO Model defines internal controls as a pyramid, from bottom to top, as follows: (a) Control environment, (b) Risk assessment, (c) Control activities, (d) Information and communication, and (e) Monitoring.

In the 2013 update the basic framework was retained with substantial support from user companies, and three specific objectives were added: (I) Operations objectives – effectiveness and efficiency of operations, including safeguarding assets against loss; (II) Reporting objectives – internal and external financial reporting; and (III) Compliance objectives – adherence to laws and regulations to which the entity is subject. According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance that the organization, among other things, complies with applicable laws, rules, regulations and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations.

We then turned to the question of which internal controls a company needs to institute. Mixon said that each company defines its internal controls to fit its business by determining what the company wishes to protect and what type of control environment it wants to have in place. This means that controls can be less formal in smaller companies but still effective if the focus is on the right risks. Based upon FCPA guidance, the most common control needs have been identified as follows: (i) dealings with third parties; (ii) gifts and entertainment; and (iii) charitable donations. Yet even within those categories, a wide range of risks exists, depending on a company’s business practices. Mixon emphasized that a top-down, ‘check-the-box’ generic set of policies will not likely result in effective controls.

The process to determine which internal controls are needed will be familiar to the compliance professional. It all starts with a risk assessment to establish the corporate policies which are applicable, tailored to the company, and sufficiently specific. The risk assessment will also help to identify the types of transactions across the company which should be addressed (gifts and entertainment, maintenance of bank accounts and movement of cash, dealings with third parties, etc.). The next step is to prepare a set of documents which define the control objectives to be in place for each type of transaction – for example: “Controls will be in place to ensure no vendor has been added to the vendor master file until complete due diligence has been completed and the vendor has been approved in accordance with Corporate policies. Thereafter, you will need to document how the controls will be performed and how they will be evidenced and then incorporate the control procedures into applicable work instructions and job descriptions.” Mixon cautioned that, for each business location, you must determine the specific controls needed to accomplish each control objective. In many companies, a disparity of operating practices and accounting systems will result in different controls being needed. He ended by emphasizing that while this assignment may seem overwhelming, it can be done in reasonable stages, pursuant to a specific implementation plan – it does not have to be done all at once for the entire company.

As you will recall from Part I, I believe, as gleaned from Jim Doty’s remarks, that a Board must not only have a corporate compliance program in place but must also actively oversee that function. This led me to conclude that failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Doty’s remarks drove home one of the roles that a Board performs in fulfilling those tasks. Internal controls work together with compliance policies and procedures as, stated by Aaron Murphy, a partner at Akin Gump, in his book “Foreign Corrupt Practices Act”, “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Murphy breaks down internal controls into five concepts, which I have adapted for a Board or Board subcommittee role for compliance:

  1. Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  2. Risk Assessment – A Board should assess the compliance risks associated with its business.
  3. Implementing Procedures – A Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
  4. Training – There are two levels of Board training. The first is that the Board has a general understanding of what the FCPA is; the second is that it understands its role in an effective compliance program.
  5. Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.

There have been several FCPA enforcement actions where the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) discuss the failure of internal controls as a basis for FCPA liability. The Smith & Wesson enforcement action is but the latest. With the questions about the Walmart Board of Directors and its failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or, alternatively, its failure even to be aware of the allegations, there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.


September 5, 2014

Board of Directors and FCPA Oversight – An Internal Control Under SOX, Part I

Today we begin by honoring the political process and a politician extraordinaire, for on this day in 1836, Sam Houston was elected as the first President of the Republic of Texas. One of the most interesting characters from the early-to-mid-19th century, Houston was born in Virginia in 1793, moved with his family to rural Tennessee as a teenager and later ran away and lived for several years with the Cherokee tribe. Houston served in the War of 1812. He practiced law in Nashville and from 1823 to 1827 served as a US congressman before being elected governor of Tennessee in 1827. He was extensively interviewed for Alexis de Tocqueville’s seminal work Democracy in America.

A failed marriage led Houston to resign from office and live again with the Cherokee who officially adopted him. In 1832, President Andrew Jackson sent him to Texas to negotiate treaties with local Native Americans for protection of border traders. Houston arrived in Texas during a time of rising tensions between US settlers and Mexican authorities and soon emerged as a leader among the settlers. In 1835, Texans formed a provisional government, which issued a declaration of independence from Mexico the following year. Houston was appointed military commander of the Texas army.

Houston served as the Republic of Texas President until 1838, then again from 1841 to 1844. Houston helped Texas win admission to the United States in 1845 and was elected as one of the state’s first two senators. He served three terms in the Senate and ran successfully for Texas’ governorship in 1859. As the Civil War loomed, Houston argued unsuccessfully against secession, and was deposed from office in March 1861 after refusing to swear allegiance to the Confederacy. He died of pneumonia in 1863.

This political process angle informs your anti-corruption compliance program through the passage of Sarbanes-Oxley (SOX). Yesterday, I was at a presentation where James Doty, Chairman of the Public Company Accounting Oversight Board (PCAOB), spoke. One of the questions put to him concerned the function of a Board of Directors under SOX, which I thought had some significant implications for Foreign Corrupt Practices Act (FCPA) compliance. He was asked if the Board or its sub-committee which handles audits was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer (CCO) or compliance practitioner.

In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first is in Hallmark No. 1, which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards pose the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices, or even effective, anti-corruption compliance program.

Board liability for its failure to perform its assigned function in any compliance program is well known. David Stuart, an attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine Products, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”. It would not be too far a next step for the SEC to invoke the same provisions against audit committee members who do not actively exercise oversight of an ongoing compliance program.

Further, the SEC has made clear that it believes a Board should take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.

Lawyers often speak to and advise Boards on their legal obligations and duties. However, the insight I received from the Q&A with James Doty drove home a different, yet very valuable, point to me. If a Board’s oversight is part of effective financial controls, then the failure to exercise it may result in something far worse than bad governance. It may directly lead to an FCPA violation and could even form the basis of an independent FCPA violation.


September 4, 2014

Pro Football and the FCPA Professor

For those of us lucky enough to enjoy AAA (or perhaps AA) baseball, disguised as a major league team in our city, today brings harbingers of elation. No, the Houston Astros are not moving to a city near you, but the National Football League (NFL) begins its 95th season tonight with a matchup of Seattle and Green Bay. I do not care if the Houston Texans are in the toilet again or my beloved Dallas Cowboys will stomp to yet another 8-8 season under the egotistical owner Jerry Jones. I love watching pro football. So for all you pro football aficionados out there, here’s to us!

With the upcoming season now only hours away, I was interested to receive the FCPA Professor’s latest article (as opposed to his latest book The Foreign Corrupt Practices Act In A New Era) entitled “How a Successful Football Organization Can Inform Foreign Corrupt Practices Act Compliance in a Business Organization”. As readers of this blog will know, I often use sports to discuss the nuts and bolts of Foreign Corrupt Practices Act (FCPA) compliance. So it was gratifying to see the FCPA Professor use sports in some of his writings. Further, since he is much better known for his basketball prowess (he went to college on a basketball scholarship), I was particularly gratified when he harkened back to my primary sport of football for his latest paper by stating, “In the spirit of the season, this article highlights four attributes of a successful football organization that can also elevate FCPA compliance in a business organization.” The four attributes are:

Understanding the playbook

While beginning with the proffer that any successful team has a playbook that is effectively communicated, the FCPA Professor noted, “understanding the playbook and effectively communicating its contents are essential first steps in managing and minimizing FCPA risk in a business organization. Yet as simple as this sounds, many business organizations fail to take adequate steps to ensure that everyone is actually on the same page when it comes to FCPA compliance.” From this he moves into some thoughts on training.

The Professor cautions against over-complicating your FCPA training. I tell the folks that I train on the FCPA that the one thing I want them to take away is that if their stomach tells them something is wrong or the hair on the back of their neck stands up, just raise your hand and ask for help. The Professor phrases it another way by stating, “Toward this end, the goal of FCPA training should not be to make each participant an expert on the FCPA’s specific elements but rather to provide all participants a pair of FCPA goggles so they can approach their specific job functions able to recognize FCPA risk and report it to the appropriate experts within the business organization.” He concludes this section by stating, “In short, and just as in football, success in the field is best accomplished by an FCPA compliance playbook that engages employees and motivates them to spot risk, which is then effectively communicated to all members of the organization in a language they can actually understand.”

Execution by all team members

Here the Professor makes an interesting observation, which is too often overlooked in the compliance arena. In football there are skill positions, such as those players who handle the football. Quarterbacks, running backs and receivers generally are the most well known and well paid. However, the Professor notes, “success on the field is more often dependent on execution by the so-called ‘grunt players,’ such as a successful snap by the center, the ability of the offensive line to protect the quarterback and the ability of the defensive line to pressure the quarterback. Indeed, key to building a successful football organization is drafting and cultivating such ‘grunt’ players as evidenced by the frequency in which offensive or defensive linemen are selected in the NFL draft ahead of various ‘skilled positions.’”

In the compliance world, there are skilled players at the top, such as the Chief Compliance Officer (CCO), Chief Financial Officer (CFO), Chief Executive Officer (CEO) and various Board members who may be involved with a company’s compliance function. However many FCPA violations arise out of what the Professor calls the ‘grunt work’ of doing business. To be sure, there was the KBR $148 million bribe paid through its joint venture (JV) for work in Nigeria. But more often it is the spade work of doing business which can lead to an FCPA violation, as the Professor notes, “tax, import/export and securing licenses, permits, certifications and the like—are actionable under the FCPA’s anti-bribery provisions.”

He further notes that compliance must be viewed as a corporate wide function. It is not and should not be viewed as strictly a legal function as “it is also a finance and auditing issue and thus a function that is best achieved holistically throughout a business organization.” I agree with his observations and would urge compliance practitioners to take a look at your compliance program through the eyes of your field team or international business representatives. Moreover by getting these folks to ‘raise their hands’ and get information in your hands, you may be able to stop a compliance issue before it becomes a full FCPA violation.

A flexible playbook

Here the Professor channels his inner FCPA Guidance by noting that a team’s playbook “is uniquely tailored to the strengths and weaknesses of the team based upon its current roster.” In the business world, this means that you need to assess your company’s compliance risks and manage your risks, not those of some other entity. The Professor suggests some basic questions you should start with to make this determination.

  • Where does your company do business? What are those countries’ reputations for corruption?
  • Who are your potential customers? Are they foreign governments or state owned enterprises?
  • What is your sales model? Do you use third parties in the sales cycle in foreign countries?
  • How do you get your products into foreign countries? Do you use freight forwarders or customs brokers? How about visa processors for your company personnel?
  • How does your company obtain the necessary licenses, permits, certifications and other necessary paperwork to do business in foreign countries?

Your risk level will depend in large part on answers to these questions. The Professor ends this section with the following, “just like a football playbook that is uniquely tailored to the strengths and weaknesses of the current roster and adjusted throughout the season to incorporate specific opponents, an FCPA compliance playbook that is consistent, yet flexible enough to incorporate specific realities in different countries, can best minimize FCPA scrutiny and enforcement.”

Playing hard, but not too aggressively

In football players certainly want to play hard but face penalties for playing too aggressively. I would add that sometimes there are grey areas in the rules that can get players into trouble. Moreover, just as each football team will have its own risk tolerance, businesses will as well. The Professor states, “The same is true for FCPA compliance. Business organizations, particularly those accountable to shareholders to increase value, should aggressively compete in the global marketplace to gain a competitive edge over competitors. Yet the practical reality is that much of what happens in the global marketplace can also fall into a gray area given the FCPA’s provisions, which have frequently been found to be vague and ambiguous when subjected to judicial scrutiny. The potential of a business organization to find itself on the wrong end of enforcement agency discretion is further compounded if employees seek to justify their conduct under the FCPA’s facilitating-payments exception and affirmative defenses.”

I would guess that the FCPA Professor had fun writing this article. I certainly enjoyed reading it. For any fan of football, I would speculate that you would too. Even if you are not a football fan, I believe that you will gain new and additional insights into some of the ‘nuts and bolts’ of FCPA compliance by reading this article.

You can download the Professor’s article by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 3, 2014

Language as a Long Term Compliance Strategy

I constantly rely on Jay Rosen and his team at Merrill Brink for translation and other language related services in the compliance portion of my work. (Yes I do practice law and compliance for a living; I blog for gratis.) For not only am I required to help evaluate documents in a foreign language which need to be translated into English but often I need a foreign language version of compliance related documents that I create, from third party questionnaires to contracts to Foreign Corrupt Practices Act (FCPA) training materials. While I still tend to think of language as a tactical issue, Jay has long striven to have me see it as part of a business’s overall strategy.

I think I may have finally seen the light that Jay has been preaching to me over the past few years when I read an article in the September issue of the Harvard Business Review (HBR), entitled “What’s Your Language Strategy?” by Tsedal Neeley and Robert Steven Kaplan. The authors posit that language should bind not only your company’s global talent pool but also your company’s vision. After concluding the article, I now understand how language is a strategy to help inform your compliance program as well. This is because just as “Language pervades every aspect of organizational life” the authors believe that companies “often pay too little attention to it in their approach to talent management.” I would add that this is also true in the compliance function.

The authors believe that problems revolve around potential “blind spots regarding language.” They write that company leaders pay too little attention to the role of language when “hiring, training, assessing and promoting employees. This can lead to miscommunication and friction, especially among team members who collaborate across borders.” While the authors point out that a company’s competitiveness may suffer, I would suggest that a company’s compliance function could also suffer. The authors believe that a company should align its language strategy with its overarching priorities, and further that it should build “language skills and cultural awareness throughout your organization in order to acquire and develop the kind of talent you need to compete globally and locally.” The authors believe that by paying attention to this issue, your company can potentially turn “vulnerability into a competitive strength.”

The authors identify five key points which a company should evaluate regarding language. I would also add that they relate directly to any international company’s anti-corruption compliance function, whether under the FCPA, the UK Bribery Act or another anti-bribery regime.

Hiring and Training

Here companies need to understand how candidates might come across in the interview or other pre-employment evaluation process. While a candidate with multiple language fluency may overshadow deficits in other critical areas, it may also be a problem because as an evaluator, “you may need to accept some limitations on language capabilities and be prepared to provide training to meet both global and local language needs.” But even if you get past this first hurdle the authors identify a follow up problem in this area; that is, after hiring and/or promotion. They state, “Another blind spot is a tendency to over rely on external lateral hires with a certain degree of language skill to fill midlevel roles rather than hiring and grooming outstanding junior candidates with the capacity and motivation to learn new languages. While the latter approach may initially take more time, companies often find that entry-level hires ultimately become their best leaders, because they have been trained from an early stage in company culture and practices. Defaulting to lateral hires can make it more difficult to build a cohesive culture—those recruits have been trained elsewhere and may have trouble assimilating.”

Evaluating Talent Accurately

Even if your company does improve its entry level hiring practices and provide training to assist new employees in their language skills, you still need to make accurate performance evaluations. Here companies may get into trouble because “Language agility does not necessarily spell high performance.” The authors point to the need for a robust process to assess skills and attributes which allows a company to “look beyond verbal agility when gauging performance. It’s a reality check, a way to make sure that you and other leaders are not unduly swayed by fluency.”

Rethinking the Role of Expatriates

One of the key areas in the compliance field is to develop local compliance talent and expertise. This is not only because, as the authors note, “expatriates may not be familiar with the local language, culture, and business practices”; they also note that expatriates “can bring knowledge of organizational culture along with an understanding of the company’s products, processes, and systems.” One of the roles of any compliance manager, particularly an ex-pat, is “to focus on developing local talent and ensuring that indigenous professionals begin to play leadership roles in the local businesses.” Equally important is to “think about the people you’re choosing to send abroad. To build a strong team of local leaders, it’s critical to give expatriate assignments to your best people—not just to solid contributors who happen to have the right language skills and are more easily dispensed with at home. Otherwise, you may find that your firm’s global offices fail to attract, develop, and retain the strong indigenous talent they need for high performance.”

Managing Communications on a Global Team

Most of the companies I have worked at hold all their communications in English on a company wide basis. Of course I thought this was great. But the authors note that “managers often unwittingly position native speakers of a lingua franca as ‘winners’ within the firm; consequently, nonnative speakers experience a substantial loss of power and status. If companies don’t take such issues into account, they can cause otherwise talented and engaged professionals to underperform and even withdraw.”

The authors believe that managers need to understand which of their employees are comfortable with their second-language proficiency and which may not be so comfortable. They provide specific guidance as follows, “Global managers must deal directly with such issues to promote productive global cooperation. They must be sensitive to how employees of varying language proficiency are interacting. The goal is to make it easier for native and nonnative speakers to establish trust and communicate effectively. Managers’ observations should include the following: Who attends meetings? Who speaks up? Are the best employees contributing, or is language getting in the way? It’s then important to facilitate meetings and calls so that nonnative and native speakers get equal airtime. Often this means coaching primary-language people to speak less and second-language people to speak more. It also involves setting clear agendas up front, considering the mode of communication, and thinking through meeting choreography in advance.”

Building Cultural Awareness

The authors conclude by reminding us that language fluency does not always equate to cultural fluency, as “too often leaders underperform because they fail to adapt their management styles and practices to fit a multicultural environment. For them, understanding the cultural background of each team member, the role of the company, its products and services, and the customers it serves within various cultural and regional contexts is as essential as learning to conjugate new verbs.” They believe that “Managers should be held accountable that language and cultural skills are developed throughout their organization.”

The authors’ piece is chock full of ideas, insights and issues for a Chief Compliance Officer (CCO) or compliance practitioner. Any company doing business internationally is going to have the issues that the authors discuss in their article. The compliance function has all of these issues in spades because if you need to consider the FCPA, it is because you are doing business internationally.


© Thomas R. Fox, 2014

September 2, 2014

Spin Sucks-Communications Tips for the Compliance Professional

One of my favorite social media acquaintances is Gini Dietrich, the founder and Chief Executive Officer (CEO) of Arment Dietrich Inc. Not only does she bring one of the freshest voices to what might arguably be called ‘one of the world’s oldest professions’, that being Public Relations (PR) (she identified an 1800 BCE PR campaign), she is a top notch cyclist and an über Chicago Bears fan. Earlier this year she released her book Spin Sucks. While the book is obviously aimed at PR, it provides a wealth of information, which the compliance professional can also use.

As you might guess from the title of the book, Gini believes that if you “Lie or spin the truth you will be found out,” and that folks will “take you to task” for doing so. More than just your reputation will suffer; you will lose the ability to have credibility going forward. Her thesis is that today, “while media strategy is an important part of a communications program, there are many other tactics used in a cohesive strategy: content, email marketing, social media, crisis and reputation management, events, social advertising, investor relations, lobbying, regulatory work, and more.” That sounds like a good prescription for a compliance practitioner to consider in the communication function of a best practices compliance program.

The book is broken down into 10 chapters and for the compliance professional, I want to focus on Chapter 7 – Your Customers Control the Brand. Here Dietrich focuses on a company’s customers because they, in many ways, hold or control the brand. And, as a company, your brand is really all you have. I think this is very true for the compliance practitioner and is not something which is discussed or recognized enough of the time. Dietrich provides seven points that she believes can help shape the perception of your brand. I have adapted them for the compliance professional.

  1. Be Vigilant. Dietrich says this issue warrants “Not just repeating your brand message over and over again, but in monitoring and listening to conversations happening online about you.” While a company may not have as many employees communicating about the compliance function online, the point is nonetheless well taken. You should listen to concerns about your compliance program. Listen through the hotline, at training sessions and any other time you get the chance. I like the way Gini puts it, “Harness that information [and] be vigilant about paying attention”.
  2. Be Honest. Yes your mother, and Gini’s mother, was right, Honesty is the Best Policy. Dietrich says, “Keep people updated. Communicate the ups and downs. When you’re honest about the issues, challenges, or concerns, there isn’t a story to tell. It might be painful at first, but the pain won’t last as long as it would if you lie or attempt to sweep the problem under the rug.” Think about General Motors and its attempts to hide the ignition switch problems, where would the company be if it had been honest about the problem?
  3. Be Open. Dietrich nails the issue on this point when she starts off, “This one is so hard. It’s difficult for human beings to keep open minds about many things.” As a lawyer, I would say that can be exponentially true for my juris docum But at the end of the day, the compliance program is not the legal department; it is a function designed to prevent, detect and remediate problems, not just to say NO. Paraphrasing Dietrich, if you show a willingness to talk about issues, and even change your policies based on feedback, you’ll create the most loyal employees.
  4. Be Active. Here Dietrich focuses not on the busy work of being on all types of social media but using such mechanisms to engage your customer base. For the compliance professional first and foremost is to get out of the corporate office and into the field. Let people meet you, get to know you and listen to their concerns. Incorporate their ideas and feedback into your compliance program going forward.
  5. Be Consistent. Gini talks about consistency in messaging because “if you aren’t consistent, how can you expect your customers to know who you are?” For the compliance professional, I would submit that this prong anticipates issues broader than simply communications. I often discuss the Fair Process Doctrine and how that is so important in administering your compliance program. One of the keys to this doctrine is consistency. The consistency of your actions should follow the consistency of your message.
  6. Be Creative. I often say that lawyers and compliance professionals are only limited by their imaginations. This is certainly true in the field of media relations. Here Dietrich suggests tackling a problem head on. In the compliance arena it might mean using a compliance misstep as a lesson learned. For instance, after the Walmart corruption scandal was broken in the New York Times, many companies incorporated the examples that arose of what is and, more importantly, what is not a facilitation payment into their training.
  7. Be Proud. Dietrich states, “Once you figure out your vision-what you want to achieve, who you want to be when you grow up-post it everywhere.” She suggests several mechanisms to make employees proud of your brand and I would submit that you could also do this in the compliance arena. You can create plaques or recognition awards for employees who shine through in compliance. She ends this section with the following, “Be proud of what you are doing and don’t be afraid to tell the world about it.” This is another message that I do not think gets enough play by compliance professionals. We bring real value to our companies and our work is something to be proud of. It should be celebrated.

Dietrich writes in a conversational style that is easy to read and digest. I found her book had some great pointers about communication, which could be very helpful to the compliance practitioner, in addition to the media relation specialist. You can purchase a copy by clicking here.


© Thomas R. Fox, 2014

August 29, 2014

I Hope You Can Join Me

Filed under: Best Practices,compliance programs,FCPA,Hiperos,Third parties — tfoxlaw @ 12:00 pm

I’d like to extend an invitation to an upcoming event: Hiperos will be hosting an Executive Briefing on Third Party Management – a half-day event that we are holding in various cities across the US.

By way of context: in recent months, our press has been filled with reports of companies whose revenues have been directly affected by a regulatory fine or whose reputation and brand equity has taken a hit. In every case, the culprit was one of the company’s third parties – an HVAC supplier causing a massive data breach, a contract manufacturer using child labor, a consultant bribing government officials – the list goes on and on.

These briefings have been organized for you to network with other executives from Fortune 1000 companies (including Hiperos customers) and to connect with peers who face the same third party management challenges as you. You will also have an opportunity to hear from industry experts and practitioners who will present on specific aspects of third party management.

Agenda:

8:00 AM – Networking breakfast

8:30 AM – Keynote sessions from industry experts including:

Linda Tuck-Chapman – until very recently the Chief Procurement Officer of Bank of Montreal (BMO)

Tom Fox – renowned FCPA/bribery and corruption pundit/expert

Dr. Andrea Bonime-Blanc – former chief ethics and compliance officer at Bertelsmann, Chair Emeritus of ECIA and CEO of GEC Risk Advisory LLC

10:00 AM – Use cases from Hiperos customers including: Ingram Micro, Charles Schwab, Discover Financial, Anadarko, AstraZeneca

11:30 AM – Third Party Management – The Future: presentation from Doug Bergeron (CEO, Opus Global) and Greg Dickinson (CEO, Hiperos)

12:00 PM – Networking lunch

1:00 PM – Adjourn

If you would like to attend, or for more information, click here.

Venue:

The Executive Briefings will be held in the following locations:

Tuesday, Sept 9th – Palo Alto, CA

Rosewood Sand Hill

2825 Sand Hill Rd

Menlo Park, CA 94025

Wednesday, Sept 10th – Chicago, IL

JW Marriott

151 W Adams St

Chicago, IL 60603

Thursday, Sept 11th – Houston, TX

Hotel Sorella

800 Sorella Court

Houston, TX 77024

Wednesday, Sept 17th – New York, NY

W Union Square

201 Park Ave S,

New York, NY 10003

Thursday, Sept 18th – Princeton, NJ

Princeton Marriott at Forrestal

100 College Road East

Princeton, NJ 08540

I will be participating in the Palo Alto, Houston and Princeton events. I hope that you can join me at one of these upcoming events!

Extraordinary Rendition and Ripples From the Chinese Corruption Investigations

As many of you know, I am a recovering trial lawyer. So I was very interested when I received a book for review by Paul Batista, entitled Extraordinary Rendition. Not only is Batista a practicing trial lawyer specializing in federal criminal defense, he also authored one of the leading treatises on the federal racketeering statute, “Civil RICO Practice Manual,” first published in 1987 by John Wiley & Sons, and now in its third edition (Wolters Kluwer 2008).

I learned long ago that there are two basic story lines: Hero Takes A Trip and Stranger Comes To Town. They both are great formats and I enjoy them equally if the writing and story-telling is good. Extraordinary Rendition falls into camp one and I found it to be the journey of discovery of a nearly burned out trial lawyer, Byron Carlos Johnson, who comes to defend Ali Hussein, a Syrian national who had lived in the US for 10 years prior to 9/11 and was accused of being a banker for Al Qaeda. The story follows the twists and turns of not only the trial but the various agents and agencies of the US Government as they try to derail Johnson and his attempts to defend Ali Hussein. While it certainly could be called a legal thriller, it is a rollicking good ride and I give my heartiest recommendation to anyone interested in the legal issues involved or a thriller about a man caught up in forces far beyond his control, yet who does take control of what he can.

I thought about Batista’s book when I read a recent article in the Financial Times (FT), entitled “Beijing probe touches west’s cereal bowls” by Lucy Hornby. Her basic thesis was set out in the first line of her piece, “Never before have China’s domestic politics had such ramifications for global business.” She wrote about two tangible examples of what she termed the “ripple effects” of the Chinese anti-corruption investigation, which began in earnest last summer with the revelations of corruption by the UK pharmaceutical giant GlaxoSmithKline PLC (GSK).

Hornby reported that shares in the Canadian company Athabasca Oil Corporation, “the partner company for major Chinese investments in Canadian oil sands – fell 13 per cent this week. They are down 24 per cent since the beginning of April, when Athabasca announced PetroChina, a listed unit of CNPC, would buy the 40 per cent of the Dover oil sands project that it did not already own. Since then, two executives from PetroChina’s Canadian operations have fallen prey to the corruption purge – and the C$1.32bn (US$1.23bn) transfer payment has not been made.” But it has also reached the British breakfast table, as Chinese authorities announced they were investigating the owner of the company that makes the breakfast staple Weetabix.

Business ventures in other countries such as Cambodia and Australia have been put off due to the Chinese corruption investigation. This has been because of both corrupt payments made to Chinese officials and, in some cases, corrupt payments alleged to have been made by Chinese officials. For instance, in Cambodia a project that was mired in such problems that the primary funding partner, the World Bank, had suspended funding has now run into such problems that Standard Chartered may lose up to $250MM in funding which it provided. Further, Hornby reported that “In Australia last year, a A$1.4bn bid for Sundance Resources – which had proposed a A$5bn iron ore mine on the border of Cameroon and the Republic of Congo – collapsed after high-flying Chinese entrepreneur Liu Han abruptly vanished. Mr Liu had built his mining business by cultivating ties with Mr Zhou while the latter governed southwestern Sichuan province. He was sentenced to death in May for organised crime. His defence was that he was carrying out orders for unnamed ‘leaders’.”

Things are particularly difficult at PetroChina, a major investor in Canadian oil sands, because, as Hornby noted, “dozens of senior executives have been detained or questioned in the past year. Many, including the head of its Indonesian business, played key roles in its international projects.” However Hornby believes that “capital expenditure commitments by state-owned enterprises are likely to be honoured as the investigation continues, because China’s large and growing economy has a fundamental need for resources.”

Another large Chinese energy concern, CNPC, has also been hard hit by the corruption scandal. Attached, as a diagram, to Hornby’s article is a graphic that shows the extent of the company’s investments over the past 10 years or so. The graphic also notes that the company “has been hardest hit by the ongoing corruption purge, with dozens of senior executives detained or questioned.” The chart below shows the “ripple effects” of CNPC investment.

Country Investment Amount
Kazakhstan $12.7bn
Peru $2.6bn
Turkmenistan $1.2bn
Scotland $1bn
Ecuador $0.7bn
Australia $4.1bn
Canada $3.3bn
Syria $0.6bn
Mozambique $4.2bn

Hornby’s article touched on another area which has significance for the Foreign Corrupt Practices Act (FCPA) practitioner, one that begs the question of whether a state-owned enterprise is an instrumentality or is in any other way covered by the FCPA. She wrote that “the unusually public nature of this corruption investigation has given outsiders a clearer insight into the way money and power have become entwined, and influence dealmaking, in today’s China.” She quoted Luke Patey, author of the book The New Kings of Crude, for the following, “For years, Chinese national oil companies have fought hard against the label that they are political instruments of the Chinese government and Communist party. That political nature is now on full display.”

Hornby’s article demonstrates not only the pervasive nature of Chinese corruption but also how many countries such corruption may have affected. For those FCPA naysayers who argue that the law brings a competitive disadvantage to US companies, they should read her article to open their eyes. Many of these Chinese investments are now on hold with no hope of completion or even funding because of the domestic turmoil inside China over corruption. Companies and countries want a reliable business partner, starting with one which does not engage in bribery and corruption to obtain a contract and then onto a company which fulfills its contractual obligations. Think about that as a selling point the next time you are overseas.

And while you are traveling overseas, read a copy of Batista’s Extraordinary Rendition on the trip over. You can purchase a copy by clicking here or here.


© Thomas R. Fox, 2014

August 28, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part III

Today, I conclude a three-part series on risk assessments in your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program. I previously reviewed some of the risks that you need to assess and how you might go about assessing them. Today I want to consider some thoughts on how to use your risk assessment going forward.

Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements.

One way to put some of Volkov’s suggestions into practice was explored by Tammy Whitehouse in an article entitled “Improving Risk Assessments and Audit Operations”. Her article focused on how the Timken Company assesses and then evaluates the risks it has identified. Once risks are identified, they are rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks.

LIKELIHOOD

Rating  Assessment      Evaluation Criteria
1       Almost Certain  Highly likely; this event is expected to occur
2       Likely          Strong possibility that an event will occur, and there is sufficient historical incidence to support it
3       Possible        Event may occur at some point; typically there is a history to support it
4       Unlikely        Not expected, but there is a slight possibility that it may occur
5       Rare            Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: the existence of controls, written policies and procedures designed to mitigate risk; the capability of leadership to recognize and prevent a compliance breakdown; compliance failures or near misses; training and awareness programs.

PRIORITY

Rating  Assessment   Evaluation Criteria
1-2     Severe       Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4     High         Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7     Significant
8-14    Moderate
15-19   Low
20-25   Trivial

Low and Trivial: risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: the product of the ‘likelihood’ and significance ratings, which reflects the significance of a particular risk within the risk universe. It is not a measure of compliance effectiveness, nor a means to compare efforts, controls or programs against peer groups.
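To make the likelihood × significance mechanics concrete, here is a small worked example (added here; it is not Timken’s, Compliance Week’s or the author’s own code). It uses the page’s 1 (Almost Certain) to 5 (Rare) likelihood scale and the 1-25 priority bands from the table above. The significance scale is an assumption: the page does not state it, but a 1 (most significant) to 5 (least significant) scale is what makes the product span 1-25 with Severe at the low end. The sample risks and their ratings are constructed for illustration.

```python
"""Likelihood x significance priority matrix, as described on the page.

Constructed illustration. Assumptions not stated on the page:
  - significance is rated 1 (most significant) .. 5 (least significant),
    so that likelihood * significance spans the page's 1-25 priority bands.
"""
from dataclasses import dataclass

# Likelihood scale from the page's LIKELIHOOD table.
LIKELIHOOD = {1: "Almost Certain", 2: "Likely", 3: "Possible",
              4: "Unlikely", 5: "Rare"}

# Priority bands from the page's PRIORITY table: (low, high, label).
PRIORITY_BANDS = [
    (1, 2, "Severe"),
    (3, 4, "High"),
    (5, 7, "Significant"),
    (8, 14, "Moderate"),
    (15, 19, "Low"),
    (20, 25, "Trivial"),
]

# Per the table, Severe and High risks go into the training and
# audit/monitoring plans; the rest are monitored.
PLAN_BANDS = ("Severe", "High")


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int    # 1 = almost certain .. 5 = rare
    significance: int  # 1 = most significant .. 5 = least (assumed scale)
    control: str = ""  # mitigating control, for the risk control summary


def priority_rating(likelihood: int, significance: int) -> int:
    """Product of the two ratings, as the page defines it (range 1..25)."""
    for value in (likelihood, significance):
        if not 1 <= value <= 5:
            raise ValueError("ratings must be integers from 1 to 5")
    return likelihood * significance


def priority_band(rating: int) -> str:
    """Map a 1..25 product onto the page's Severe..Trivial bands."""
    for low, high, label in PRIORITY_BANDS:
        if low <= rating <= high:
            return label
    raise ValueError(f"rating {rating} outside 1..25")


def prioritise(risks):
    """Return (risk, rating, band) tuples, most urgent first.

    Ties on the product are broken by likelihood (more likely first),
    then by name so the ordering is deterministic.
    """
    scored = [(r, priority_rating(r.likelihood, r.significance)) for r in risks]
    scored.sort(key=lambda t: (t[1], t[0].likelihood, t[0].name))
    return [(r, rating, priority_band(rating)) for r, rating in scored]


def audit_plan(risks):
    """Names of the risks that the table says belong in the audit/monitoring plan."""
    return [r.name for r, _, band in prioritise(risks) if band in PLAN_BANDS]


def heat_map(risks):
    """5x5 grid indexed [likelihood - 1][significance - 1] holding risk names."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        grid[r.likelihood - 1][r.significance - 1].append(r.name)
    return grid


def risk_control_summary(risks):
    """One line per risk: nature of the risk, its band, and the action taken."""
    return [f"{band:<11} ({rating:>2}) {r.name}: {r.control or 'no control recorded'}"
            for r, rating, band in prioritise(risks)]


# Constructed sample risk register (illustrative ratings only).
SAMPLE_RISKS = [
    Risk("Third-party agent commissions in a high-risk market", 1, 1,
         "Agent due diligence and contract audit rights"),
    Risk("Gifts and entertainment to government officials", 2, 2,
         "Pre-approval workflow and G&E register"),
    Risk("Charitable donations requested by customers", 3, 2,
         "Compliance sign-off above a fixed threshold"),
    Risk("Petty cash at remote sites", 4, 3, "Monthly reconciliation"),
    Risk("Travel reimbursement rounding", 5, 4),
]

if __name__ == "__main__":
    for line in risk_control_summary(SAMPLE_RISKS):
        print(line)
    print("Audit/monitoring plan:", audit_plan(SAMPLE_RISKS))
```

Running the block prints the risk control summary in priority order and the two risks (Severe and High) that the table directs into the audit/monitoring plan; the 5×5 `heat_map` grid is the data behind the heat map the article describes, with row 0, column 0 holding the most urgent cell.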

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit/monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, relationship-analysis software such as Catelas, or other analytics-based tools. But you should not forget the human factor. At Timken, one of the methods the compliance group uses to manage such risk is providing employees with substantive training, both to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

In an article in Compliance Week Magazine entitled “Lessons on Risk Assessments from Winnie The Pooh”, Jason Medford articulated that a key use of a risk assessment is to assist the internal audit function in developing its internal audit plan. He cited the Institute of Internal Auditors (IIA) standard 2010.A1, which states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.” He went on to note that “In order to have a truly integrated GRC capability it is necessary for internal auditors to work with other GRC professionals in their organization. They must align their annual audit plan with the organization’s objectives, strategies, and initiatives of the other GRC professionals. They must collaborate, coordinate, and align their audit activities with other GRC professionals to increase visibility, improve efficiency, accountability and collaboration.”

Carol Saint, Vice President of Internal Audit for 7-Eleven, who was interviewed by OCEG President Carol Switzer for the same article, said that “We start with a risk assessment, beginning with business units because this is how the organization has designed accountability. We decompose business units into the processes and sub-processes they own and execute. We evaluate how sub-processes align to achievement of strategic objectives: How do they affect the company’s value drivers? Next, we map financial statement lines to the sub-processes to help prioritize from that lens. Finally, for each sub-process we consider specific risks that could hinder achievement of strategic objectives, as well as fraud risks, significant accounting estimates, benchmarking/hot topics, and ERM risks. We created an “intensity rating” that measures how often a process/sub-process was mentioned in our stakeholder interviews as a risk to the company. And we also considered how cross-functional a process is so that the element of complexity—a risk accelerator—could help determine audit plan priorities. This year’s plan development process was quite intense, but I think we did a good job of creating a baseline so that future risk assessments are more efficient.”

I hope that you have found this series on risk assessments useful. If you have any questions or better yet would like me to work on a risk assessment for your organization, please contact me.

