Getting Employees to Care About a Compliance Policy

Putting a compliance policy into practice is not something that most companies do very well. How do you get buy-in for a new or amended compliance policy? How do you determine if a new compliance policy contradicts anything that you currently have in your compliance policy portfolio?

When thinking about such questions regarding compliance policies I am reminded of four questions posed by Stephen Page, in his book “Achieving 100% Compliance Of Policies and Procedures”, wherein he poses the following questions: (1) What is the nature of the policies owner’s function? As these are compliance policies, they are critical to a company doing business in compliance with relevant anti-corruption/anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. (2) What is your organization’s overall vision and mission? This question speaks to management’s commitment to doing business ethically and in compliance with legal requirements. (3) What is the content of the policies? This speaks to the connection of the policy goals with other incentives, such as compensation and promotion. (4) What is your company’s receptivity to the policy? This question speaks to training and communication so that employees will understand not only the underlying reason for the policy but drive adherence to the policy.

These and other questions were explored at the recently concluded Compliance Week 2013 event in a session entitled “Case Study: Putting Policies into Practice at Dell”. Kristi Kevern, Director of Operational Compliance and Page Motes, Director, Strategic Programs Office – Global Ethics & Compliance from Dell Corporation, were the two panelists for the event. Kristi discussed how Dell overhauled its entire compliance policy management program and I will discuss her remarks in a later blog. Motes does not come from a compliance background but came from business development. I found her perspective quite different from the usual compliance perspective. From where she sits, she recognizes the need to internally market a new compliance policy; however this marketing plan must begin at the inception of a compliance policy and not after it has been drafted.

Motes said that it is incumbent to obtain buy-in from the business units before a compliance policy is drafted because, after all, it is the business units which will implement a compliance policy. This begins with a business unit sponsor who should have ownership of any new compliance policy. After the initial draft is made, it should be circulated to make sure that the compliance policy is workable and that it is translated from legalese (or accounting-ese) or other technical jargon into plain English. She said that is one of her key roles.

The next step is the internal market. Here Motes believes that a key is to move away from words such as ‘ethics’ to words that denote behaviors. She said that her group would talk about trust, honesty, respect, judgment and responsibility. After rollout the compliance group must train on the new policy and then monitor to ensure that it is followed. Finally, there must be some consequences to an employee if they are trained but fail after multiple warnings to follow a policy.

I thought about Motes’ ideas when I read a recent article in the June issue of Fast Company magazine, entitled “Starbucks’s Leap of Faith” which discussed the company’s rollout and approach to innovation. One of the examples in the article was when Starbucks rolled out its mobile application to allow customers to pay through their smart phones. The company worked with staff on proto-types, then trained and followed up with interviews to determine how the new system was working. Recognizing that there were technical glitches to overcome, the company persevered. Ryan Records, Vice President of Payments, was quoted as saying “it became seamless and flawless and an elegant way to pay” and that payment method now accounts for roughly 10% of the company’s total pay each day.

The Starbucks story drove home to me the key message from Motes. You must work with the business units to operationalize any policy. While it is true that a compliance professional will be the subject matter expert on the requirements of what should go into a compliance policy, but it is equally important on how that information is imparted and getting employees to care about the policy. Page puts it in a slightly different light. He said “From a systems viewpoint, it is often the organization’s infrastructure, and not its people, which is rigid and inflexible, often leading to angry and frustrated employees. If people cannot approach problems, talk openly, or give opinions, then this prevailing attitude can cause withdrawal and people who do not care. The clearer the tie between what an organization is doing and the results, the more energy, commitment, and excitement they will generate during a change process.” I think the latter sentence is what you need to strive for in the realm of compliance policies.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

What Are The Essential Elements of a Corporate Compliance Program?

Can you synthesize and reconcile the world’s leading laws, regulations and commentaries on the best practices an anti-bribery and anti-corruption compliance program. I recently saw one such approach by Paul McNulty and Stephen Martin of the law firm, Baker and McKenzie. They have developed what they term the five essential elements of a corporate compliance program. These five elements are based upon the best practices as set out in the seven elements of a corporate compliance program under the US Sentencing Guidelines; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; the FCPA Guidance’s Ten Hallmarks of Effective Compliance Program and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. The five elements are:

• Leadership
• Risk Assessment
• Standards and Controls
• Training and Communication
• Oversight

I.                   Leadership

The point means more than simply “Tone-at-the-top”; a successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by senior management. There should be an unambiguous, visible and active commitment to compliance. But even more than support or the right tone, compliance standards require that companies must have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. And compliance officers must have the ear of those ultimately responsible for corporate conduct, including the board of directors.

Some of the questions you might think about in connection with the leadership of your compliance program are the following: How is board oversight implemented? Is there an ethics or audit committee reporting to the full board? What is the role of the Chief Compliance Officer? What is the role of the General Counsel? How do the legal and compliance departments interact? Does the CCO have “real power”? Is she or he treated as a second-class citizen?

Equally the Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place and it should monitor implementation and effectiveness of the compliance program:

• Be actively involved
• Attend Board meetings
• Review, consider and evaluate information provided
• Inquire further when presented with questionable circumstances or potential issues
• Once Board knows of a potential compliance issue it must act.
• Regularly receive compliance briefings and training.

II.                Risk Assessment

The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high risk areas first.

What are some of the areas where you need to assess your risks?

1. Country Risk - What is the correlation between growth markets and corruption risk and what is the perceived level of corruption? In other words, the Transparency International Corruption Perceptions Index or similar list.
2. Sector Risk - Has government publicly stated industry is under scrutiny or already conducted investigations in sector? Are there corruption risks particular to the industry?
3. Business Opportunity Risk - Is the business opportunity a high value project for your company? Are there multiple contractors or intermediaries involved in the bidding or contract execution phase?
4. Business Partnership Risk - Does this business opportunity require a foreign government relationship? Does a foreign government require you to rely upon any third parties?
5. Transaction Risk - Will your company be required to make any “compelled giving” through any requirements for political or charitable contributions? Are you required to use any intermediaries to obtain licenses and permits?

In addition to an initial risk assessment to either (1) inform your compliance program or (2) help you to identify high risks and prioritize their remediation, risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, ad hoc exercise cobbled together when convenient or after a crisis. They should be conducted at the same time every year and performed by a consistent group, such as your internal audit department or enterprise risk management team. Such annual risk assessments act as a strong preventive measure if they are performed before something goes wrong as it avoids a “wait and see” approach.

III.             Standards and Controls

Generally, every company has three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

IV.              Training

Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice’s (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.

There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company’s high-risk markets, then expand geographically and through the ranks of employees.

Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.

It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.

V.                 Oversight – including monitoring, auditing and responses

The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. These ongoing efforts demonstrate your company is serious about compliance.

Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem.

Finally, what are your remediation efforts? Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if a company is policing itself on compliance-related issues, the government will not have to do it for them. Remediation, then, is an important component of oversight. It is not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

I have found that the Baker ‘Five Essentials’ approach is an excellent way to think through your obligations under a wide variety of anti-corruption and anti-bribery requirements. It allows you to put in place a program which should meet virtually any legal requirements you may come up against by doing business anywhere in the world. Lastly, the five-step approach is an excellent way for you to benchmark your current compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

An Inspired Choice – Ethical Leadership Under Difficult Circumstances

I am attending Compliance Week 2013 through Wednesday. As usual Matt Kelly and the Compliance Week team have put together a first rate program for the event. There have been, and will be over the next couple of days, some very informative panels, speakers, roundtables and conversations. The conference began today with a talk by Retired Major General Lewis MacKenzie, the former head of the United Nations peacekeeping forces. Although General MacKenzie’s choice as the initial keynote speaker of the conference might not seem self-obvious, I found Matt Kelly’s invitation to the General to speak and his position as the first speaker on the first day of the conference, were both inspired decisions.

The theme of his talk was how to maintain ethical leadership under difficult circumstances. Matt Kelly posed the question to the General of “how do you speak the truth to power?” The General began his remarks by giving his definition of leadership, which as he said was “getting people to do what they don’t want to do and having them enjoy it while they are doing it.” Based on that definition and his remarks below, I came to see why Matt wanted the General to speak to a gathering of compliance professionals on ethical leadership under difficult circumstances.

The General said that it all starts with a leader being him or herself, after they take the reins of leadership. He believes that people usually rise to a high level in an organization because of technical competence, coupled with the relationships they developed along the way. He believes that a leader must strive to maintain those relationships because that is the key to information flow both upwards to the top and down through the organization. A leader must take all pains not to become isolated.

The General believes that relationships work in several critical areas. The first is that a leader can utilize the talents of his subordinates to not only understand but to overcome obstacles. But equally important is that by having a relationship with someone, it may provide an avenue to resolve a matter before it blows up into a full financial reporting issue or even criminal issue. He said that he would try to find out the one thing that his troops were passionate about and he could use that information “as a window into what they think about the organization.”

He designated his next point with the acronym, LWWA, or ‘leading while walking around’. He said that to get people to do things, a leader must get out of the office and talk to people. But he cautioned that it is more than simply talking to people, as he believes a critical skill of a leader is to listen as well. To this skill, he said that rather than hear someone and think about what your response might be, you should actually listen to what they have to say. He found that by listening good ideas could come up to him and then he could implement them and get the credit.

The General talked about courage. By this he did not mean the courage to lead a charge up a hill, but rather, he meant the courage to say no and to hear someone who says no to you. He believes it is the job of a leader to set the tone for an organization. A leader must teach his subordinates to have the courage to disagree with him or as he said “disagree without being disagreeable”. If one of the first things you do in a leadership position is belittle or defame publicly someone who disagrees with you, no one will do so in the future.  For a leader to succeed, the General believes that a speak up culture must exist. To do so, a leader must make it acceptable and safe for subordinates to say no.

It is the job of a leader to accept responsibility. In an interesting exercise, the General asked the entire audience of over 500 conference participants to raise their hand if they had ever been criticized for being ‘too responsible’. He then asked anyone in the audience to raise their hand if they had criticized someone else for being ‘too responsible’. No one person raised their hand in response to either query. It is clear that the General believes a leader must take responsibility. Further, there is no ‘but’ which follows the line “I am responsible”. In other words, no ifs, ands, or buts are allowed when it comes to a leader taking responsibility.

The General said that one of the best ways he found to motivate people was to give them a job which had difficult but not impossible objectives to success. This has two benefits. The first was that most people would be motivated to try and achieve the difficult objective. However the second was more long term. By achieving the results, the person or team had something to brag about and it gave them greater confidence going forward. This is particularly true if there is a metric which can be used to demonstrate the overcoming of the obstacle. However, a leader must not set a high or unreasonable objective that it can only be achieved by “breaking the back of the organization.”

The General took some questions from the audience. One that I found applicable to the compliance arena was about resources. Specifically he was asked how to carry out missions with limited resources. He tied his answer back into his thoughts on relationship. He said that people want to contribute their ideas. If you give them a means to do so, in a speak up culture, they can be your best resource. An army has often times to do more with less and must do so on the fly. But this same concept translates to civilian employees who want their company to succeed and can stand ready with ideas to assist you moving forward toward your objective.

If you are a Chief Compliance Officer (CCO) or in a senior leadership position, you should think about the General’s remarks in the context of what you and how you do it, within your organization. Do you have relationships with other key members of senior management so that you can go to them, not only when things are going well, but more importantly when they are not going well or a crisis has arisen? Do you have a speak up culture at your company? If not why not, as that certainly is a part of any best practices compliance program under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

Lastly, think about the General’s remarks on resources. One never has all the resources you need or even think that you want. But use the talent that is available to you. There are other professionals in your company who do not work in the compliance department but are equally dedicated to doing business ethically and in compliance. Human Resources and Internal Audit are but two prime examples. Seek them out and ask their assistance. I think you may be well surprised at the solutions they can provide or suggest to you.

As I said, by the end of General MacKenzie’s talk, I had come to believe that Matt Kelly made an inspired decision not only to invite him to speak to the conference but to be the first speaker out of the box. It has set a great tone for the event.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. Running a Dun & Bradstreet credit check is routinely performed to ascertain if a counter-party is a good credit risk. But how much more should a company do in regards to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google has a systems designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see of other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service, to attest that any site selling pharmaceutical products was properly licensed.

Based upon his experiences, the government set Whitaker up with an alias, fake company, bank account and phone lines and then monitored and watched him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and ‘Buy Now’ button were added back into the site, all with the assistance of the Google sale representative.
5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net; the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.”  Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site; in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was it reported that in each one of the false scenarios, Whitaker was reported to have explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In just over the span of three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote the US Assistant District Attorney, who headed the investigation and enforcement action, Peter Neronha, was quoted as telling the Wall Street Journal (WSJ) the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services, which can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention to stop the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Four Keys to Compliance Leadership

One of the most divisive moments in American history occurred on this date in 1868. On this day the US Senate voted against impeaching President Andrew Johnson thereby acquitting him of having committed “high crimes and misdemeanors” as required under the US Constitution. After all the arguments had been presented for and against him, Johnson waited for his fate, which hung on one swing vote, as there is a Constitutional requirement that requires a vote of 2/3rds of the Senate for impeachment. The vote was one short, at 35-19. Johnson was acquitted and finished out his term. If Johnson had been impeached, it surely would have led to a very different political development in the US, where not liking the sitting President could have become a constitutional basis for impeachment.

The Radical Republicans who ran the Congress immediately after the conclusion of the Civil War certainly did not think much of President Johnson’s leadership style. So what about you as a compliance officer? Certainly part of your leadership is implementing and enhancing policies and procedures? In many ways it is the human element, which President Johnson sorely lacked, that you may well need to devote most of your time focusing on. I recently read an excellent article it the Corner Office section of the New York Times (NYT), entitled “We’re Family Yes, but We’re Still Accountable”, in which Adam Bryant reported on his interview with Brooke Denihan Barrett, the co-Chief Executive Officer (co-CEO) of the Denihan Hospitality Group (Denihan), a 50-year old family business which focuses on the hospitality business.

Training

One of the things that Barrett has learned is how to train people. She explained that “I thought the way you got things done was by telling people what to do. That’s where I learned what not to do. I spent a good portion of my time telling people what they did wrong instead of really encouraging them about what they did right.” She came to realize that was perhaps not the best way to manage people and “learned to cut people some slack.” She said that she found “that you get a lot more with the carrot routine than the stick routine. I also realized that you really needed to explain the “why” of things. You need to give people a little bit of space to come around, and say, “Yeah, that makes sense,” before you really engage them in what needed to be done.”

I found that her final point may be critical for compliance training. By explaining the why of compliance, employees can better understand what the company is trying to accomplish. So if your goal is to do business in an ethical manner, then explain this and how the company’s compliance program will help to accomplish this goal through its policies and procedures.

Accountability

One of the things that Barrett emphasized was the erroneous perception that because her company was a family business there was no accountability. She made clear that “You have to set certain standards that you want people to live up to. And if people need help, then we want to help them along the way.” However, accountability is a two-way street. Just as the employee must be held accountable, so must the company in terms of providing support to allow employees who want to do the right thing and to do their job well. Barrett said, “Sometimes organizations can fall down if they don’t also ask: How do you give people the tools they need to be successful? How do you get that person to understand what change needs to happen, and how do you help them along the way? Because people can’t always figure it out on their own, and nor should you expect them to.”

Listening

Many of the CEOs that Bryant interviews for his Corner Office section speak about the need for listening skills. Barrett was no exception. But as CEO she found that employees were sometimes reluctant to speak openly and candidly with her. So she began to meet with employees in small groups of 10 to 12 people. At Denihan they call them ‘Roundtables’. Barrett said that she will say to them ““Tell me something I don’t know.” And I’ll get comments like: “Oh, but you know everything. You’re the C.E.O.” It’s just a reminder of the perceptions that people have of the head of the company. But every time I ask that question, I learn something new.” Imagine as a compliance officer if you were to ask that question in a roundtable, what do you think you might hear back from your company’s employees?

Barrett also spoke about how to have a ‘difficult conversation’. She said that if there is a mistake made she views it as an opportunity for learning and professional growth. At Denihan, they call them ‘lessons learned conversations’ and they may occur with a group where a problem has arisen. Barrett related, “we might bring people together in a room who were involved in a project and ask: What were the things that worked? What were the things that didn’t? What could we have done differently? And we’ve had some very spirited and cathartic conversations. You have to be able to let people put something on the table without actually pointing the finger. It allows things to come out in more of a non-accusatory manner.”

Hiring and Promotion

These are two key areas in compliance that are finally beginning to receive the attention that they deserve. Barrett’s thoughts on how she views these in the context of her interviewing are instructive. She acknowledged that by the “time somebody meets me, you can assume that the skills are there. So what I interview for is fit. And I’m always very curious to know, what is it about our company that appeals to that person?” She asks specifically about culture, requesting the candidate define it and how do you think that culture is special. She also asks candidates to talk about a failure and what lessons that they learned from the experience and how they dealt with the experience. I would suggest that both of those lines of inquiries should be used when evaluating a candidate for hire or promotion.

Barrett’s interview provided some interesting insights on leadership. Moreover, her experience in professional growth has shown there are different styles and techniques that you can successfully use in your company’s compliance program. Train people on the reasons why your company is doing compliance so that they will understand how to do it. Make them accountable but also provide them with the compliance tools and support to do business the right way. If there is a problem or issue, use it as a lesson learned so that employees can profit from the experience. Lastly, make a discussion of culture a cornerstone in your hiring interview or promotion interview process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

What is Your Compliance Strategy?

Do you have a strategy? The Houston Astros claim to have a strategy that involves being the worst team in baseball for up to the next five years and then magically they will become a winner. I suppose that having the worst record in baseball demonstrates that they are on the right path. Another three game series, another three game sweep by the visiting team, thus ending three games of some of the most pathetic baseball I have ever seen. However, even the ever-optimistic Astros manager, Bo Porter, admitted in an interview to the Houston Chronicle last week that “He has no idea if the Astros’ rebuilding plan will work.”

Now suppose you are in management, though not in the Houston Astros where you are implementing a strategy to set the all-time season record for losses, but a successful compliance program. How can you go about it? While most companies have compliance programs, they do not have a compliance strategy. To endure, a compliance strategy must address the interests of all stakeholders: investors, employees, customers, governments, NGOs, and society at large. A compliance strategy should increase shareholder value while at the same time improve the firm’s performance on environmental, social, and governance (ESG) dimensions. These concepts were recently explored in an article on sustainability in the May issue of the Harvard Business Review (HBR), article entitled “The Performance Frontier”. I found the concepts that the authors Robert G. Eccles and George Serafeim put forth, translate into the compliance arena as well.

The basic posit is that corporate investments in compliance do not necessarily require trade-offs in financial performance. Instead, if a company will focus on the issues that are the most relevant to both risk and shareholder value, a company should be able to boost both financial value and compliance performance. The authors believe that to do so, companies should focus on four areas.

1.      Identify Material Compliance Issues

While the overall list of compliance issues may be long and broad, the key is to determine the material issues to your company. In the context of sustainability, the authors suggest you can use a “Which Issues Matter Most” data map. They also phrased it in another manner by stating, “Evidence of economic impact is determined by evaluating both anecdotal reports and quantitative studies to gauge whether management (or mismanagement) of the issue will affect traditional corporate valuation parameters: revenue growth, return on capital, risk management, and management quality.” In the compliance arena, this would correspond to a risk assessment.

2.      Quantify the Relationship Between Financial and Compliance Performance

After you understand your company’s material compliance issues, assess the impact that improvements in each would have on financial performance. Compliance performance has many dimensions and depending on the company’s compliance strategy and the issue being considered, the most important dimension could be cost reduction, revenue growth, or gross margin defense. In the sustainability area, the authors state that a “host of factors complicate evaluations of the relationship between ESG and financial performance. Not the least of them are limitations on the ability to precisely measure ESG performance—a challenge that SASB and others are working to address.” However, even with this difficulty, I believe that a company can make an informed estimate of the slope of the performance-frontier curve for any pair of compliance and financial variables by determining whether each incremental improvement in compliance performance causes a corresponding positive or negative change in financial results – or has no impact.

3.      Innovate Products, Processes and Business Models

As with any strategy, it should be informed by your analysis. Once you determine the compliance issues to focus on, you should benchmark your industry peers on these issues. If your company’s performance falls short of industry benchmarks in a particular risk parameter, getting it up above par is the first priority. Within the sustainability context, the authors state that “At the very least it will mitigate your risks, since stakeholders tend to focus on industry laggards in campaigns aimed at increasing corporate ESG performance. Many improvements, such as reducing manufacturing waste, involve minor or moderate innovations that can enhance efficiency and, therefore, financial performance. Those sorts of innovations are increasingly necessary (but not sufficient) to ensure competitiveness.”

In the compliance arena, there are many resources available to you for benchmarking. The first place to start is the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) Guidance released last November. The “Hallmarks of Effective Compliance Programs” set forth in the Guidance is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good a starting point to evaluate the state of an ongoing compliance regime so assess your company’s risks and use these hallmarks as a basis to move forward.

4.      Communicate the Company’s Innovations to Stakeholders

This may be one area of a typical compliance strategy that a company does not normally take into account. A company’s compliance function cannot assume that shareholders and other stakeholders will understand how its innovations have improved both compliance and financial performance – and how the two interrelate – unless such information is communicated effectively. As the authors state in the framework of sustainability “This is more than a matter of public relations; major innovations often require substantial investments whose benefits will not be seen for years to come. If a company expects shareholders to commit for the long term in order to receive those benefits, it needs to provide them with information that justifies their investments.” The authors call this “integrated reporting” and I believe that this is also true in the area of compliance.

As a communications tool, integrated reporting involves more than posting a PDF version of the Code of Conduct on a company’s website. As with almost all reporting, the most effective reporting is as much about listening as talking, and it serves as a key platform for stakeholder engagement. The authors believe that integrated reporting is a “way to establish a conversation that considers a company’s performance in a holistic way, identifies the tough trade-offs, and builds a case for innovation and the benefits it can generate. This engagement is also central to eliciting feedback on how well the company is meeting expectations, the quality of its communications, and what it can do to improve them.”

On the final point, the authors state something that I believe is often overlooked as a part of any compliance strategy. It is that “integrated reporting enhances discipline. It forces management and employees to think about both the financial and the ESG implications of their decisions and helps spur innovation as they seek to improve both kinds of performance.” The FCPA Guidance speaks to Incentives and Disciplinary Measures, which is generally considered to be both the carrot and the stick. The stick to demonstrate that there should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. The carrot as the DOJ and SEC recognize that positive incentives can also drive compliant behavior. This would dovetail with the authors’ observation that integrated reporting enhances discipline.

Eccles and Serafeim discuss in their article the corporate benefits of having a sustainability strategy. I think their ideas are applicable to the compliance field and give you new ways to think about old problems. As for the Astros, maybe they could develop a winning strategy.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Get Out of the Ivory Tower – Using Internal Corporate Resources to Facilitate the Compliance Function

The second day of Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston packed as much solid information into it as did the first day. One of the sessions dealt with utilizing other corporate functions to assist a compliance department in implementing or enhancing a compliance program. There are many resources which currently exist inside your organization and if you are in the position where you must use internal rather than external resources, this post will detail some of the functions which you may be able to call upon inside your organization.

You should start with a basic approach which the speaker termed “Get Out of the Ivory Tower”. He explained that the compliance department must obtain realistic input from geographies, cultures, business units and corporate functions within the company. As he rather succinctly put it to the audience “A procedure which may work in Texas may not work in Indonesia.” He also counseled to train in local languages. This may mean more than translating your talk into one language. He gave the example of his training in Spain where he had dual translations going, from English into Spanish and Catalan.

Part of this translation issue led to his next point, which was not to believe your own story or even worse, your own propaganda. Simply because a Country Manager says something is true means does not mean that it is true. Internal controls, monitoring and auditing are important to test that you are actually doing compliance rather than simply saying you are in compliance.

In determining what other departments might be able to assist the compliance function, the speaker suggested that you should start with three inquiries. They were:

1. What can yours do? This is the initial assessment that you need to make about what your compliance department can do. What are your resources and budget? Start with this question.
2. What can theirs do? In looking around your company, next ask this question. What are the functions of the departments? Are there things that they are currently doing which can supplement the compliance function? Are there functions in that department’s core function which can assist the company in the doing of compliance?
3. How many employees does each of you have? An obvious concern is the number of employees that are available to assist the compliance function.

What are some of the other corporate functions that might assist the compliance department going forward? An obvious starting place is Human Resources (HR). The speaker listed several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touch every site in the company, globally. HR is generally seen as more approachable than many other organizations in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

Obviously, HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the compliant and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert so you can turn to them for any of your compliance program requirements which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not they make sense. In some new environments, a policy may not work. If you company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often over-looked function but it facilitates local coordination, which is always easier than from the corporate office.

There are many ways to implement or enhance a compliance program in a company. If you do not have the luxury of creating an entire compliance department with an unlimited budget, you may be able to call upon other areas of corporate expertise to facilitate your role. Do not be an Ivory Tower.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

From the Compact Model to the Luxury Model – Managing Your Third Party Risk

I am currently attending the Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston. The event is excellent and the presentations have been ‘spot on’ for the nuts and bolts of how to do compliance. As the conference is in Houston, a number of the speakers and attendees are from energy companies but the concepts that are being discussed apply to all companies which have an anti-corruption or anti-bribery compliance program. One of the things that came through each of the presentations was that as compliance programs mature, many companies are developing programs which are more tailored towards the risks that companies face, which are ascertained through more sophisticated risk assessments and management of those risks.

This pattern is certainly consistent with the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance which says that a company should assess its risks and manage its risks. From this starting position, a company can then put together a well thought out and reasoned approach to Foreign Corrupt Practices Act (FCPA) compliance. Many of the presentations dealt with third parties and the differing responses and approaches companies have developed for the specific risks that they have uncovered.

Clearly third party risk mitigation through due diligence is key. How much due diligence is enough? One speaker said that it is a balancing call to determine the right amount. There were several presentations which spoke about the increasing use of technology to assist companies in this process. One speaker, a former federal prosecutor, said that one of the things that she looked for when a prosecutor was the ‘thoughtful analysis’ that the FCPA Guidance speaks about. To this end she believes that the human element will always be important because prosecutors want to see the thought process of not only how your program is designed but how you have crafted your risk mitigation based upon the information that you have assessed.

One of the speakers listed some of the factors to begin the review of your third parties. Recognizing that there is no one all-encompassing list, she suggested the following:

1. How many third parties do you have?
2. Where are these third parties located?
3. Industry or sector do you conduct business?
4. What is the relationship of the third party to a foreign government or state owned enterprise?
5. Are the owners of the third party related at all to government employees?
6. Is the use of the third party a business necessity or not? Why do you need to use sales representatives?
7. What are the reputations and qualifications of the third parties? Can they do what you need them to do from a commercial perspective?
8. How much control will you have over the third parties? Contrast the control that you have over sales agents with the lesser amount of control that you have over distributors and joint ventures.

From the answers to some of these questions you can begin to craft your third party due diligence inquiries. I was intrigued by one speaker who speech contrasted the steps that you might take with a lower risk third party with that of a higher risk third party. She likened the lower risk approach to that of a compact car and set out the following suggestions:

• Rank each third party by the risk you have assessed;
• Perform an Internet search on the third party;
• Perform reference checks on the third party;
• Interview control persons involved with the third party;
• Agreement to abide by anti-bribery and anti-corruption laws;
• Insert appropriate compliance terms and conditions in your third party contracts.

She contrasted the Compact model with what she termed the ‘Luxury model’ requirements of a third party program:

• Prioritize your third parties by risk;
• Appoint a Business Unit sponsor for each third party;
• Develop a detailed third party application;
• Perform an electronic records search on each third party;
• Also perform independent screening of each third party;
• Perform reference checks on each third party;
• Perform site visits and interviews of each third party;
• Have each third party acknowledgement your company’s Code of Conduct;
• Require each third party  to go through ethics training;
• Create a company committee, consisting of internal business, legal and compliance representatives to review your high risk third parties;
• Insert compliance terms and conditions into each third party contract;
• Require both internal and external audits of each third party;
• Perform annual updates on your third parties; and
• Perform quarterly electronic database rescreening.

There was also a discussion of some common Red Flags that you should be on the outlook for. They included:

• Excessive commissions paid to third parties;
• Unreasonable discounts given to third parties such as distributors;
• Vaguely described services in a third party contract or invoice back to your company;
• A third party which is in a different line of business than the one you want to hire to assist your company;
• Close association by the third party with a Foreign Official;
• Retention of the third party is required by a Foreign Official;
• The third party is a shell company located offshore; and
• Payments made to the third party are in a country different from the location where the third party’s services are delivered.

The concepts I derived from this presentation is that you should assess and manage your risks. If you determine them to be low, the Compact Model may work for you. If your third party risks are high, then the Luxury Model may be more appropriate. If you use a thoughtful and reasoned approach, you can navigate this area. But always Document, Document and then Document what you have done and why.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

My FCPA and Bribery Act Musings Continue

This past week, my second book, “Best Practices Under the FCPA and Bribery Act” was released. Over the past few years I have tried to provide the compliance practitioner with solid information that can be used to implement, review and enhance a US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act based compliance program. I am often asked to collect my blog posting regarding what are the current best practices for an anti-corruption/anti-bribery compliance program. In other words, what are the specifics of a compliance program. This volume will provide the compliance practitioner with information that can be used for the ‘nuts and bolts’ of compliance.

Using the format of the most recent US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) “A Resource Guide to the U.S. Foreign Corrupt Practices Act. The Foreign Corrupt Practices Act (FCPA)” [the “FCPA Guidance”]; I have included some of my thoughts on what you can do to create and maintain a best practices compliance program. I have also included some thoughts on how to create and maintain such a compliance program using the Six Principles of an Adequate Procedures compliance regime under the UK Bribery Act.

I was honored to have the FCPA Professor, Mike Koehler, pen the forward and he said, in part, “In the current global marketplace, Foreign Corrupt Practices Act (“FCPA”) risk needs to be on the radar screen of most companies – large and small, public and private, and across industry sectors. Given the current enforcement theories of the Department of Justice and Securities and Exchange Commission, FCPA risk is not always apparent from reading the statute. There is no way for business organizations to truly eliminate FCPA risk, but such risk can be effectively managed and minimized through pro-active policies and procedures and other means of risk assessment.”

I hope that you can use this volume, in conjunction with the FCPA Guidance and the Ministry of Justice’s Six Principles of an Adequate Procedures compliance program, to implement or enhance your compliance regime. Both the FCPA Guidance and Six Principles make clear that there is no ‘one size fits all’ compliance program. The key is to assess your company’s risks and to manage those risks appropriately. This volume will help you to determine the type and scope of program that is appropriate for your company and will assist your compliance efforts going forward.

Best Practices Under the FCPA and Bribery Act is available exclusively on amazon.com. For a copy, click here.

Remedies of FCPA Violations – Lessons Learned from the Boeing 787 Lithium-ion Battery Issue

Over the past three months, the aircraft manufacturer Boeing has gone through a public relations nightmare and financial disaster over the failure of lithium-ion batteries in its new flagship aircraft, the 787. This Boeing case study can provide some interesting lessons for the compliance professional who is working under a Foreign Corrupt Practices Act (FCPA) or Bribery Act compliance program.

One of the issues raised over this matter was the use of third party supplier and subcontractors to third party suppliers for the design and manufacturing of the batteries. As reported in a New York Times (NYT) article by James B. Stewart, entitled Japan’s Role in Making Batteries for Boeing, the construction of the batteries at issue was outsourced by Boeing to a Japanese company called GS Yuasa. Stewart’s article points out the need for close review of suppliers and what can happen if the quality does not meet the standards required for the project. In an article entitled, “Boeing and the Conduct of Due Diligence on Sub-Suppliers”, I considered the use of sub-suppliers from the anti-corruption/anti-bribery compliance program perspective. In this post, I will consider Boeing’s response to the problem of the failure of the lithium-ion batteries.

In a Wall Street Journal (WSJ) article, entitled “How Boeing Rescued the 787”, reporter Andy Pasztor discussed the background to Boeing’s problems and the company’s response. The planes, which have been grounded since mid-January due to “The images of the burned batteries—one of which prompted an emergency landing and passenger evacuation of a Dreamliner in Japan—tarnished a plane that Boeing executives have said is key to its future.” While the company has not “disclosed the cost of the 787′s grounding, but analysts say the company could have to pay penalties to customers. The grounding also halted new Dreamliner deliveries, delaying hundreds of millions of dollars in revenue.” Further, the public relations disaster was palatable.

Somewhat naively, after the initial grounding, Boeing executives “told FAA officials that a few easy changes in cockpit checklists, some enhanced battery inspections, and stepped-up surveillance of battery health during flights would be enough to solve the problem.” But that was not good enough for Transportation Secretary Ray LaHood who said at “a news conference the planes wouldn’t resume flying until regulators were “1,000% sure” they were safe.” Based on this statement, it became clear to Boeing that “the FAA would insist on more extensive and time-consuming changes.”

Yet, even in the face of Secretary LaHood’s pronouncement, Boeing’s engineers were frustrated in all their attempts to determine the cause of the batteries’ failures. As reported by Pasztor, “By the end of the first week on the ground, Boeing “had 500 engineers dedicated to understanding” the complex technical issues, Mike Sinnett, the 787′s chief engineer, said last month. Their next focus was to try to pinpoint the specific cause of internal battery short circuits, and develop a targeted engineering solution. Boeing teamed up with government investigators from the U.S. and Japan, but the goal remained elusive.”

From these initial frustrations, Boeing engineers turned to the concept of a “containment box.” The containment “box serves several purposes: withstanding higher temperatures than the old design, and keeping dangerous chemicals from leaking. It also vents smoke outside the plane, and in the event of overheating automatically sucks oxygen from the battery. That is intended to snuff out any fire in a fraction of a second.”

I think that Secretary LaHood was on to something when he said that the 787 would not fly again until “regulators were “1000% sure” they were safe.” It is not simply a fix on a specific issue, although that is a part of any solution. But the solution must be reviewed with a holistic approach in mind. There must be additional protections in place so that if there is another failure, that failure will be contained. For Boeing this would prevent a replay of the scene on the Japan Airlines 787 where a fire in the lithium-ion batteries spread outside the battery itself.

From the anti-corruption/anti-bribery compliance program perspective what I found interesting was the final solution which Boeing hit upon, even if forced to by Secretary LaHood. Since Boeing was not able to determine the specific cause of the lithium-ion batteries failures, it took a more systemic approach to the remedy. The company “shifted to wide-ranging internal battery fixes aimed at combating a variety of potential causes.” This is the type of response which we saw highlighted in the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance released last year. In the section on ‘Declinations’ the Guidance had information on six declinations to prosecute companies who self-disclosed FCPA violations. Two of the common factors to each declination were that (1) each company remedied the specific matter which gave rise to the FCPA violation but equally importantly (2) each company made their overall compliance program more robust.

In other words, do not simply remedy the conduct at issue; make sure you catch it quickly before it spreads. This would also equate to McNutly Maxim’s One and Two. 1-What did you do to prevent it?and 2-What did you do to detect it? Or as my process oriented wife might say, ‘you need a second set of eyes on it’ to validate the process and prevent failure in the process.

Perhaps the most interesting thing about this entire Boeing 787 episode is to show the intersection of anti-corruption/anti-bribery compliance and safety. I have often pondered how closely these disciplines seem to interact and overlap. I think that this Boeing situation shows that we in compliance can learn quite a bit from our colleagues in safety.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013