FCPA Compliance and Ethics Blog

October 13, 2014

Ringo, Sir Paul and an Effective Compliance Program

Paul McCartneySometimes the universe converges in ways that are beyond my simple comprehension. This past weekend was one of them. It began a few months ago when I saw an advertisement from StubHub that showed Ringo Starr playing in Houston on October 10 and Sir Paul McCartney playing in New Orleans on October 11. I figured if the two surviving members of the greatest rock and roll band in the history of the world were going to play on two consecutive nights it was a sure sign from the Oracle of Rock ‘N Roll that I was intended to attend both, lest I tempt a fate worse than going against an entity nearly as powerful as the Oracle of Delphi. Moreover, the Friday concert coincided with the birthday of my little sister who happened to be in town and one of the planets biggest Beatles fans, it made the convergence complete. Ringo Starr

I also learned two completely new and unrelated facts this weekend. The first is that a native of Liverpool, England, is called a ‘Scouser’. That comes from my Liverpudlian friend Pam, who also introduced me to the Liverpool Football Club. The second is that my wife is a closet Mr. Mister uber fan, who rocked out as a teenager to this group in the early days of MTV. On reflection that is perhaps the more odder convergence.

While there is clearly a reason Ringo Starr tours with true musical all-stars and Sir Paul McCartney has been raised to the peerage for his musical prowess, in many ways the Ringo Starr concert was the bigger revelation. I had wondered how Ringo would fill out an entire concert. He did it by surrounding himself with musicians fabulous in their own right. They included: Steve Lukather, former lead singer from Toto on vocals, lead and rhythm guitar; Gregg Rolie, former keyboardist from Santana and Journey on vocals, organ, keyboards; Richard Page, former lead singer from Mr. Mister, on vocals and bass guitar; and finally, best and certainly not least, Todd Rundgren on vocals, lead and rhythm guitar, bass guitar, percussion, harmonica and, occasionally, even keyboards.

So in addition to Ringo singing his standards of Photograph, It Don’t Come Easy, Yellow Submarine and (of course) With a Little Help From My Friends. We also got to hear songs first released by Santana, Toto, Mr. Mister and some great Todd Rundgren hits. The group clearly loved playing and jamming with each other. Further, these other groups’ songs were great fun to hear and as they may never reform, I would not otherwise have the chance to hear them performed lived.

Sir Paul McCartney. You really do not have to say much more. His concert did not exceed my expectations because they were about as high as expectations could have been. He seriously rocked out for over three hours, playing everything from the earliest Beatles songs up to a ballad for his latest wife. I cannot remember ever attending a concert where everyone one in attendance knew the words to every song but we all did and we all sung them all the way through the entire show.

What is the compliance angle to all of this? Just as there is more than one way to put on a great concert, there is more than one way to have an effective compliance program. This continual message from the Department of Justice (DOJ) came again earlier this month through remarks by Assistant Attorney General for the Criminal Division, Leslie R. Caldwell, at the 22nd Annual Ethics and Compliance Conference, where she made clear that while the FCPA Ten Hallmarks of an Effective Compliance Program is one set of guidelines for an effective compliance program, there is no “one-size fits all” compliance program. She laid out another way to think through, review and analyze your compliance program. 

  1. High-level commitment. A company must ensure that its directors and senior management provide strong, explicit, and visible commitment to its corporate compliance policy. Stated differently, and again, “tone from the top.”
  1. Written Policies. A company should have a clearly articulated and visible corporate compliance policy memorialized in a written compliance code. Again, employees need to know what to do–or not do–when faced with a tough judgment call involving business ethics. Companies need to make that as easy as possible for their employees.
  1. Periodic Risk-Based Review. A company should periodically evaluate these compliance codes on the basis of a risk assessment addressing the individual circumstances of the company. Companies change over time through natural growth, mergers, and acquisitions.
  1. Proper Oversight and Independence. A company should assign responsibility to senior executives for the implementation and oversight of the compliance program. Those executives should have the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors, and should have autonomy from management. Compliance programs needed to be funded; they need to have resources. And they need to have teeth and respect within the company.
  1. Training and Guidance. A company should implement mechanisms designed to ensure that its compliance code is effectively communicated to all directors, officers, employees. This means repeated communication, frequent and effective training, and an ability to provide guidance when issues arise.
  1. Internal Reporting. A company should have an effective system for confidential, internal reporting of compliance violations. I know that many companies have multiple mechanisms, which is good.
  1. Investigation. A company should establish an effective process with sufficient resources for responding to, investigating, and documenting allegations of violations. What this means on the ground will depend on the company. A sophisticated multi-national corporation obviously will be expected to have more resources devoted to compliance than a small regional company.
  1. Enforcement and Discipline. A company should implement mechanisms designed to enforce its compliance code, including appropriately incentivizing compliance and disciplining violations. Further, the response to a violation must be even-handed. People watch what people do much more carefully than what they say. When it comes to compliance, you must both say and do.
  1. Third-Party Relationships. A company should institute compliance requirements pertaining to the oversight of all agents and business partners. This cannot be emphasized strongly enough.
  2. Monitoring and Testing. A company should conduct periodic reviews and testing of its compliance code to improve its effectiveness in preventing and detecting violations. Kick the tires regularly. As I said, compliance programs must evolve with changes in the law, business practices, technology and culture.

Caldwell also emphasized that as important as the compliance program itself; the implementation is also reviewed and evaluated by the DOJ. When the DOJ investigates a case, they look at the messages about compliance that are given to employees; they look at what employees are told in their day-to-day work. This means the DOJ will look at emails, chats, and recorded phone calls. They will interview witnesses about the messages they received from their supervisors and management to determine if they received messages about compliance, or about making money at all costs.

Another consideration for the DOJ is incentives. The DOJ will examine the incentives that a company provides to encourage compliant behavior – or not. This means that if a company is actually encouraging compliance, if its values are to be ethical and within the law, this message must be conveyed to employees in a meaningful way. If not, it is likely that the DOJ will not view the compliance program as credible. Interestingly, Caldwell said that sometimes the effective implementation of a compliance program means standing apart from the other companies in your industry.

Just as Ringo and Sir Paul ably demonstrated, there is more than one way to put on a great concert. They both assessed their strengths and weaknesses and used that information to put great bands around them illustrated their strengths. The same is true in the world of Foreign Corrupt Practices Act (FCPA) compliance. The key is to review and assess your compliance risks and then manage them. And, as always, Document, Document, and Document whatever you do so that if a regulator comes knocking, you can demonstrate evidence of the above.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

 

 

October 10, 2014

The Horror of Dracula and Internal Controls in International Locations, Part I

Christopher Lee as DraculaThis Friday we celebrate the second in the Hammer Films horror series, which was actually its first offering, based on Count Dracula, entitled “Horror of Dracula”. It starred the famous Hammer Films horror movie two-some of Peter Cushing as Professor Van Helsing and Christopher Lee as Count Dracula. If you have grown up on the classic Universal monster films, the first thing that strikes you about the Hammer Films is the glorious technical color production. The second thing is the focus on gore. Horror of Dracula, with its emphasis on blood is particularly focused. Nevertheless, the productions are first rate and with Cushing and Lee bringing some gravitas to the cast, the movie certainly holds up. One of the biggest changes from Bram Stoker’s novel and the Universal movie version starring Bela Lugosi, is the location change from England to Transylvania for the confrontation between Professor Van Helsing and Dracula. In other words, they were on Dracula’s home turf; not in England on Professor Van Helsing’s home ground.

As the Foreign Corrupt Practices Act (FCPA) deals largely with conduct outside the US, today, I will begin a multi-part series on internal controls at locations outside the US. Part I will focus on how to think through the issues of internal controls outside the US and why your company’s internal controls might require changes for different countries across the globe. In Part II, I will review how to determine the risk in a geographic region outside the US, through a Location Risk Assessment and for Part III, I will close with how a compliance practitioner should use a Location Risk Assessment.

Clearly, a Chief Compliance Officer (CCO) should be considering the entity-wide internal controls for a company. Under the FCPA accounting provisions, issuers can be held liable for the conduct of their foreign subsidiaries, even though the improper conduct occurred outside of the US. The scope of liability is based on the issuer’s incorporation of the subsidiary’s financial statements in its own records and Securities and Exchange Commission (SEC) filings. So, as with the use of third party distributors to sell product, FCPA enforcement looks past the structure of the transaction and makes enforcement decisions based upon the substance. Once again I visited with internal controls expert Henry Mixon to discuss these issues.

While a CCO should expect (or at least hope) that internal controls at locations outside the US are of the same effectiveness as internal controls within US business units and at the US corporate office; unfortunately, that might not always be the case. It is often the case that corporate level internal controls are stronger than those in foreign business units. Mixon indicated that there may well be several reasons for this. First, the company’s Chief Financial Officer (CFO) may be paying closer attention to the corporate level internal controls, with the idea that the corporate level internal controls are the final “filter” to detect issues. This follows partly from the focus in most companies on the controls over financial reporting, which does not include all controls needed for FCPA compliance. A second reason is that many companies were built through acquisitions, resulting in many business units (both in and outside the US) having completely different accounting and internal control systems than the corporate office. There is often a tendency to leave acquired companies in the state in which they were acquired, rather than trying to integrate their controls and conform them to those of current business units. After all, the reason for the acquisition was the profitability of the acquired company and nobody wants to be accused of negatively impacting profitability.

A third situation may exist at locations outside the US that began simply as a sales office. Then the location gradually expanded its scope of operations to become a full scope business unit with its own accounting and data processing functions. Unfortunately, it is not often the situation in which there was a master plan for internal controls as the location’s scope grew. Often processes were added internally and were usually designed by the local personnel that in practice meant the Country Manager had total control over financial affairs and was not really accountable to the Corporate Office. This can be particularly true as long as a country business unit’s profits continue. In such situations, there will rarely be any focus on effective preventive internal controls for FCPA risk.

The next area for inquiry is where should a CCO begin in any of the above scenarios? Mixon believes that the initial first step is to determine the extent of centralization or decentralization of relevant processes or put another way, to what extent are relevant processes performed at the corporate offices? In some companies it is common, for example, to have all vendor invoices paid from the corporate office. In other companies, the corporate accounting function only aggregates information received from business unit accounting departments. This translates into a varying analysis of risk regarding locations outside the US, depending on the degree of accounting decentralization. A good starting point is to determine the extent to which the financial statements of business units outside the US are reviewed and analyzed by the corporate accounting function. This will give good insight into whether the corporate accounting function provides an element of internal control or merely serves as a data aggregator.

The first step for the CCO is to determine the possible universe of risks and to assess the risks to result in a priority of how attention will be focused. One useful approach advocated by Mixon is the Location Risk Assessment (LRA), whose purpose is to capture in one place each location outside the US where your company conducts business and to assess the compliance risks posed by the nature of operations at each location. Once the risks at each location have been properly categorized, you can then prioritize your approach to dealing with the risks.

For your weekend viewing, I would suggest you kick your feet up and look forward to some good, old-fashioned 1950s flavored gore found in the Horror of Dracula. If your temporal compliance matters need your attention, you can look forward to Part II next week, in which I will discuss how a compliance practitioner should perform a Local Risk Assessment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 8, 2014

GSK as a Watershed in the International Fight Against Bribery and Corruption

Lifting WeightsGlaxoSmithKline PLC (GSK) may well be a watershed in the global fight against bribery and corruption. Behavior and conduct, which was illegal under Chinese law but previously tolerated and even accepted by Chinese government officials, quickly became a quagmire that the company was caught in when charges of corruption were leveled against them last year. Many westerners were skeptical about the claims made against GSK and its head of China operations, Mark Reilly. That is one of the problems in paying bribes to government officials; it is always illegal under domestic law. David Pilling, writing an article in the Financial Times (FT) entitled “Why corruption is a messy business”, said “Multinationals are discovering that there is only one thing worse than operating in a country where corruption is rampant: operating in one where corruption was once rampant – but is no longer tolerated.”

When it began, it was not it clear why China’s Communist Party Chief Xi Jinping began his anti-corruption push. Some speculated that it was an attack on western companies for more political reasons that economic reasons. Others took the opposite tack that the storm, which broke with the bribery and corruption investigation of GSK, was China’s attack on western companies to either hide or help fix problems endemic to the Chinese economic system. My take is that his campaign has a different purpose but incorporates both political and economic reasons. That purpose is that Xi has recognized something that the US government officials and most particularly the Department of Justice (DOJ) have been preaching for some time. That is, the insidiousness of corruption and its negative effects on an economic system.

Xi and China have realized that corruption is a drain on the Chinese economic system. Publications as diverse as the Brookings Institute to the Wall Street Journal (WSJ) have noted that one of the reasons for the anti-corruption campaign is to restore the Chinese public’s faith in the ruling Communist Party. Bob Ward, writing in the WSJ article entitled “The Risks in China’s Push to Root Out Wrong”, said, “China’s anticorruption drive began in late 2012 as a way to cleanse the ruling Communist Party and convince ordinary Chinese that the system isn’t rigged against them. Investigators are targeting some of China’s most powerful officials and disciplining tens of thousands of lower-echelon officials who party investigators contend got used to padding their salaries.” Cheng Li and Ryan McElveen, writing online for Brookings, in an article entitled “Debunking Misconceptions About Xi Jinping’s Anti-Corruption Campaign”, wrote, “If there were ever any doubts that Xi could restore faith in a party that had lost trust among the Chinese public, many of those doubts have been dispelled by the steady drumbeat of dismissals of high-ranking officials since he took office.”

But the economic reasons behind the anti-corruption campaign are equally important. One of the more interesting articulations came from one disgraced former Chinese government official, who was one of the earliest senior officials to be charged with corruption. In a WSJ article by James T. Areddy, entitled “Chinese Ex-Official Admits to Corruption”, he wrote about the trial of Liu Tienan, the “former head of the National Energy Administration and senior director in the National Development Reform Commission” who had been arrested in May 2013. His trial finally came around in September 2014. At his trial he made some rather extraordinary statements. Areddy wrote that “Liu testified that reducing official power is key to curbing corruption: “The major point, which is based on my own experience, is to give the market a great deal of power to make decisions.”” But Liu did not end there, “as he explained his view that China’s state bureaucracies are too powerful and entrepreneurs are too weak. “Approvals should be developed in a system, rather by an individual’s actions. This would help prevent abuse of power for personal self-interest.””

Whether or not Liu thought those statements up on himself, a smart defense lawyer suggested he make them to reduce his sentence, or the Chinese government told him to say it as his role in the well-known show trials of the Chinese justice system; it really does not matter. That is one of the most incredible statements I have ever heard of coming out of anything close to an official Chinese statement or proceeding. Think about it; first Liu is saying that the Adam Smith’s ‘invisible hand’ of the market should be governing market decisions. Next, he speaks against the arbitrary nature in China for entrepreneurs in giving approval about how businesses can expand and grow in China. This arbitrary process should be replaced with objective criteria. It is almost if Lui is channeling his inner FCPA Professor when he speaks against artificial barriers to market entry. Finally, Liu attacks the small-mindedness of bureaucratic mentality in their use of power for self-interest.

There have already been demonstrated economic benefits to China’s anti-corruption campaign. In September, Bloomberg reported that China’s fight against bribery and corruption could boost economic growth, generating an additional $70 billion for the budget, in summarizing economists’ forecasts. An article in the online publication Position and Promotions, reported that the bribery “could trigger a 0.1-0.5 percent increase in the world’s second-biggest economy, equivalent to $70 billion dollars.” This crackdown should also be welcomed by western companies, as “it could also benefit foreign companies operating on the Chinese market, who have experienced the negative effects of the omnipresent palm-greasing, according to Joerg Wuttke, president of European Chamber of Commerce in China.” He was further quoted as saying, “It takes the stress away. You’re not afraid that somebody gets an order because he found a better champagne or something like that. It’s not Singapore yet, but it’s a very positive development”.

As we close this phase of GSK’s saga, I think some time for reflection is appropriate. For the compliance practitioner there have been many specific lessons to be learned from GSK’s missteps. However I think the clearest lesson is that the only real hope that a company has into today’s world is an effective, best practices anti-corruption compliance program. Whether it is designed to help a company comply with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption legislation, it really does not matter. It is the only, and I mean only, chance your company will have when an issue in some far-flung part of the world splashes your company’s name across the world’s press.

But there may also be cause for celebration to those who have long preached against the evils of corruption, whether it is for economic reasons or for those who view the fight against anti-corruption as a part of the fight against terrorism. For if China is attacking domestic corruption, I believe that will lead other countries to do so as well. We are already seeing stirrings in India under new President Modi. So while GSK may well suffer going forward, the fight against global bribery and corruption may just have moved a few feet forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 6, 2014

Chief Compliance Officer as Chief Persuasion Officer

Shuba and RobinsonThe roles of a Chief Compliance Officer (CCO) can be many and varied but one role of any successful CCO is that of Chief Persuasion Officer (CPO). I say this because it is often the case that the most a CCO has in his or her arsenal is the ability to persuade. While there may be times that the CCO can veto something outright, it may not only be difficult but also risk long-developed corporate political capital that might be best used at another time or in another arena. I thought about this concept of persuasion and how even the smallest gesture can pay great dividends when I read the New York Times (NYT) obituary of George Shuba. Shuba was a little known outfielder from the old Brooklyn dodgers who had a decent seven-year professional career with the team. He played on the losing side in two World Series in 1952 and 1953 but was with the Dodgers for their only win over the Yankees in the World Series of 1955.

However, Shuba is remembered for one dramatic gesture. In 1946, both he and Jackie Robinson were playing for the Dodgers farm team, the Montreal Royals. In the first professional game that Robinson played when he was the first African-American to break the color line; Robinson hit a home run in the third inning. Shuba was on deck and went to the plate to shake Robinson’s hand. A photographer was on hand to snap a picture and when that photo went out over the wire services it was viewed as a gesture of racial tolerance. While there would be many opposite events for Robinson when he finally made it up to the major leagues, that one picture made a difference. Shuba’s comment on the 60th anniversary of the handshake, “I couldn’t care less if Jackie was Technicolor.”

Such small gestures can make a difference. I recently read a book review in the New York Review of Books, for a biography of Dale Carnegie by Steven Watts, entitled “Self-Help Messiah: Dale Carnegie and Success in Modern America, penned by Ian Frazier. Carnegie is of course well known for his seminal work “How to Win Friends and Influence People” first published in 1936. I was somewhat surprised to learn that the text was largely drawn up as transcripts to lectures Carnegie was giving in New York City in the mid-1903s. Carnegie’s main thesis was to provide concrete steps on how ordinary people could help master the art of persuasion. While it has been some time since I read this book, what I recall is that to influence people, one has to listen to them. So for me, the book was about how to become a better listener.

I cannot say enough about this skill for a CCO. If you hear any long-term CCO speak about their job, they will tell you it is largely about listening to people; whether those people are employees, senior management or the Chief Executive Officer (CEO) and Board members. By listening to others you not only hear, and hopefully will come to understand their concerns, but you allow them to come to decisions themselves and you are not in the position of telling them what to do. It is a skill that has served many CCOs very well for many years.

I recently wrote about a presentation at the SCCE 2014 Compliance and Ethics Institute about influence and was reminded of this when I read an unattributed article in the Financial Times (FT) entitled “Persuasion for the time pressed”. In this article it discussed Professor Robert Cialdini, the Regents’ Professor of Psychology and Marketing and Arizona State University. Professor Cialdini is one of the leading proponents of ‘persuasion science’, which draws upon various disciplines, including “psychology, neuroscience and behavioural economics”. The Professor has been in this field for over 30 years and has been dubbed “The Godfather of Influence” based upon his work. One of his insights was that corporations should have a “chief persuasion officer” because such a person can help to bring influence upon others and “often it is the smallest changes that can make the biggest differences.”

In his work, entitled “Influence: The Psychology of Persuasion”, Professor Cialdini laid out what he believed to be six “universal principals of persuasion” which I have adapted for the compliance practitioner.

  1. Reciprocity - Cialdini believes that people will feel obligated to return favors performed for them. But for the compliance practitioner, I think this means listening and using skills to help manage risk or even high-risk areas. One of the points of compliance is that unless a transaction involves bags of cash being paid to get a deal done, there usually a way to manage compliance risk. If you, as a CCO, can help an executive or your company to successfully manage a high compliance risk, this will be remembered.
  2. Authority - Cialdini believes that people look for experts to show them the way. The Department of Justice (DOJ) expects a company’s compliance experts to have subject matter experts (SMEs) on Foreign Corrupt Practices Act (FCPA) anti-corruption compliance programs. This is made clear in the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program. For the CCO, Cialdini’s insight is that you or someone on your staff must be able answer the day-to-day questions that come up on doing business not only in compliance with the FCPA but your company’s compliance regime.
  3. Scarcity - Here Cialdini takes a slightly different tack by noting that the less a resource is available, the more people want it. For the CCO, I think this translates to the scarcity of your time. A good chuck of your time must be spent at the corporate office but a large amount must be spent out in the field. Your employee base will respond to you more often and with a deeper symbiosis if you can get out into the field and meet people.
  4. Liking - Noting the self-obvious Cialdini says that the more people like you, the more they want to say yes to you. However, as noted in point 3 above, for the CCO I think this means getting out into the field, training employees who want to do business the right way on how to do so and simply meeting and talking with them. In my corporate life I put on contract and transaction law training across the world for the company’s business units and the universal response was along the line of ‘thank you for coming out here to talk to us.’
  5. Consistency – Here Cialdini intones that people want to act on concert with their values. I believe that most people do want to conduct their business ethically and in compliance with anti-corruption laws such as the FCPA. By providing them a way to do so, you can help them do something they were inclined to do anyway. I once had an employee in the Far East tell me that there was more then enough business for the company to garner in the middle of the road. He did not see the need to even get close to the line of bribery and corruption. With that type of attitude, a CCO can almost be a facilitator.
  6. Social Proof – This can be a tricky one for a CCO. Cialdini believes that people will look to others on what to do to guide their own behavior. This means that a compliance program must have sufficient incentives to get the message of compliance through middle management and down to the troops. Simply put if employees see a high revenue producer get bonuses and promotions for conduct which may violate your company’s Code of Conduct; they will come to believe in short that management is much more concerned about the bottom line than doing business ethically and in compliance.

From these articles and perspectives, I believe that several conclusions can be drawn. First, as in the case of George Shuba, a little can mean a lot. Second, from Dale Carnegie, one of the primary keys to influencing people is to listen to them. Thirdly, from Professor Cialdini, a CCO can be a CPO and by using the six principals of persuasion, can create a more effective compliance program. Finally, always seek to improve your soft skills.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 3, 2014

Hammer Films, “We Sell Hammers” and Other Famous Last Words

Hammer FilmsToday is the first of five Fridays in October so today I will begin my now annual October FrightFest blog posts. Over the past couple of years I have focused on the classic Universal horror movies from the 1930s and 40s. This year I am going to re-watch and blog about the classic Hammer Studio monster movies from the late 1950s. Hammer Films was founded in the UK in 1934 and are best known for their Gothic “Hammer Horror” films, produced from the mid-1950-70s. They also Peter Cushing and Christopher Lee, for which fans of Star Wars are eternally grateful, to the greater movie watching audience.

Another type of hammer informs today’s compliance moment, as in “We sell hammers.” That was the excuse given by Home Depot managers when their own cybersecurity department employees would try to obtain budget to update cybersecurity software or to even put on training about the dangers of a data breach. If you have attended any compliance conference this year, you have been subjected to one or more sessions on cybersecurity and/or data breaches. As if the Target fiasco from last year was not enough, the most recent massive breach comes courtesy of Home Depot. Unfortunately the Home Depot saga provides some excellent lessons for the anti-corruption compliance practitioner or a company subject to the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

In an article which appeared on the front page of the New York Times (NYT) entitled “Warned of Risk, Home Depot Left Data Vulnerable”, Julie Creswell and Nicole Perlroth, reported that the Home Depot data breach and theft was “The biggest data breach in retailing history” and it had “compromised 56 million of its customers credit cards.” Moreover, the “data has popped up on black markets, and, by one estimate, could be used to make $3 billion in illegal purchases.” How could such an event have happened even after the very public debacle endured by Target?

It certainly did not happen overnight but the article noted that “Industry experts were flabbergasted that Home Depot, one of the world’s largest retailing companies, was caught so flat-footed after the breach at Target, which resulted in the theft of more than 40 million cards before the holiday season.” The article reported Home Depot had been warned by its own employees of data security issues as far back as 2008. But a series of missteps, or perhaps more appropriately non-steps, led to the Home Depot’s current problems. One of the major problems was “Home Depot relied on outdated software to protect its network.” This included information that some of the company was still relying on “outdated Symantec software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.”

Another failure by Home Depot was in the area of ongoing monitoring. The article reported that “Credit card industry security rules require large retailers like Home Depot to conduct scans at least once per quarter, using technologies approved by the Payment Card Industry Security Standards Council, which develops technical requirements for its members’ data security programs. The P.C.I. Council requires that approved, third-party quality security assessors perform routine tests to ensure that merchants are compliant.” Unfortunately the article reported that two former employees stated “more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.” Rather unbelievably, this scanning is not only fundamental to data security but also one of the simplest and least costly. The article quoted Avivah Litan, a cybersecurity expert at Gartner, who said, “Scanning is the easiest part of compliance. There are lots of services that do this. And they can be run cheaply from the cloud.”

Yet another FUBAR by Home Depot was in the hiring for its cybersecurity team. No doubt due to his very Southern name, the company hired Ricky Joe Mitchell, a security engineer, who was swiftly promoted up to a “job in which he oversaw security systems in Home Depot stores.” The problem for Home Depot and indeed Ricky Joe was that he had been terminated from, the articled stated “he was fired by EnerVest Operating, an oil and gas company, and before he left, he disabled EnerVest’s computers for a month.” For that cute little good-bye present, he was “sentenced to four years in federal prison in April.”

The article also reported that many cybersecurity focused employees in the company had departed over the years. The reason was that it appeared no one was listening to their concerns. The company simply refused to believe that it was at risk for a data breach.

So what lessons can be drawn for the anti-corruption compliance specialist who must deal with laws such as the FCPA or UK Bribery Act? Clearly Home Depot failed to adequately assess its risks for a data breach. For the compliance practitioner, I think the lesson here is to understand not only your company’s business sales model, products and services and foreign government touch-points but to reassess those risks on a regular basis.

You should keep track of external and internal events that may cause change to business processes, policies and procedures. Some examples are new laws applicable to your business organization and internal events driving changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. The FCPA Guidance specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Ongoing monitoring is another lesson to be drawn from Home Depot’s fiasco. While ongoing monitoring in the compliance realm is not as easy or inexpensive, ongoing monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. As in the cybersecurity world, there are both companies and software which you can use to help you in ongoing monitoring.

How about that good-ole boy Ricky Joe? Do you really want to have a head of a critical cybersecurity team who has sabotaged a prior employer? Similarly, in the compliance realm, do you want to have a top salesman or even Chief Compliance Officer (CCO) who engaged in bribery and corruption in a prior job? If the answer is yes, go directly to jail and DO NOT collect $200. What does Ricky Joe’s hiring and rapid promotion tell you about the pre-hire vetting done by Home Depot? Yes, I thought so.

I usually use sports as a mirror to look at compliance issues. Of course living in Houston, there are the sad-sack Houston Astros and their owner who are always around to provide some lessons. But the actions and inactions of Home Depot even rival those of the Astros for some lessons learned on compliance. In my title, I used the “We Sell Hammers” line and promised other famous last words. Unfortunately they come from one, un-named former Home Depot employee, who “went so far as to warn friends to use cash, rather than credit cards at the company’s store.” Famous last words indeed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 2, 2014

The Mitford Sisters and the Compliance Audit

Mitford SistersDeborah Cavendish died last week. She was the last surviving member of an extraordinary group of women known as the ‘Mitford Sisters’. They were six daughters of David Freeman-Mitford, the 2nd Baron Redesdale and the former Sydney Bowles. The six had about as varied lives as one could possibly have from six different yet related siblings. Nancy (1904-73) became an author and wrote “The Pursuit of Love” and “Love in a Cold Climate.” Pamela (1907-94), who grew up wanting to be a horse, married a horseman who became a physicist. Diana (1910-2003) married Britain’s fascist leader Oswald Mosley, in the presence of Hitler and Joseph Goebbels. Unity (1914-1948) fell in love with Hitler and was Eva Braun’s rival for his affections; she died a decade after her attempted suicide with the bullet still in her head. Jessica (1917-96) was a communist. This did not prevent her from eloping with Churchill’s nephew and moving to the United States, where she penned “The American Way of Death” and other books. Deborah developed a passion for chickens and later married Andrew Cavendish, who became the Duke of Devonshire, making Deborah, the Duchess of Devonshire.

Deborah’s major accomplishment was to adapt the Duke ancestral home of Chatsworth into self-sustaining family business. She kept up a personal and active involvement in this project for nearly 40 years, until her husband died and she became the Dowager Duchess. Today, Chatsworth is one of the most visited sites in England.

I thought about Deborah, her remaking of Chatsworth and how she and her sisters remade themselves from the fairly-tale princess lives they grew up with when I read a recent article in the Red Flag Group’s Compliance Insider, September-October issue, entitled “Rethinking the typical audit”, by Georgia White. The piece recognized that the standard financial audit clause may be of little use to the compliance practitioner but it can be reworked “to include proactive compliance obligations which can be an effective and valuable way to positively manage relationships with distributors and resellers.” Some of the reasons for typical audit clauses with such parties are disfavored and were identified as “insufficiently tailored and poorly defined” or such audit clauses have some type of “catch-all” provision which allows a company to audit more than simply its relationship with a distributor or reseller. Such audit clauses were noted to “represent little value for both the client and the business partner.”

Compliance Audit Clause

The first focus of the article was that “Compliance audits should be aimed at engaging business partners to participate in compliance initiatives pro-actively, whether by way of interview or discussion, integrity circles or forums, or healthy checks or periodic review” all supplemented by occasional transaction sampling. In other words, you must do the work required in managing the relationship after the contract is signed or Step 5 in the Five Step lifecycle management of third parties. The article suggested the following compliance audit clause, “In addition to maintaining proper records and accounts in relation to Distributor/Reseller’s use of product X, Distributor/Reseller will participate in compliance health checks and periodic reviews, and attend integrity circle and forums on a regular basis as required by Supplier Y. In the event of an allegation of misconduct, upon seven (7) days written notice Supplier Y (or its authorized agent)may conduct an inspection and audit all relevant facilities and records of Distributor/Reseller to verify compliance with obligations under this Agreement. Such audit is to be conducted in business hours at Supplier Y’s own expense and in such a manner as not to unreasonably interfere with Distributor/Reseller’s normal business activity.”

Getting buy-in from business partners

The piece suggests that in this manner of pro-actively engaging your Distributor/Reseller you can help maintain “the integrity of the relationship” and keep “open and transparent lines of communication.” While it may be easier to include such a clause with a new Distributor/Reseller; you may face a challenge with such a relationship which has been long standing. However for an effective Distributor/Reseller to be maintained, the author believes that everyone must be treated equally (the Fair Process Doctrine in play) as “compliance audits should apply to new and existing partners alike.” The key is communication by educating your Distributor/Reseller base “on the value of this kind of proactive exchange on compliance issues during business-planning sessions.” In other words, set expectations by talking to your business partners about why the compliance audit is necessary and, more importantly, have them understand the “risks associated with product diversion and unethical behaviour.”

When should the audit clause be added?

The piece takes on another touchy subject in audit clauses which is timing by stating, “To maintain positive relationships with existing business partners it is important to consider the timing of any proposed changes to existing contractual provisions.” However White provided some timing points for initiating this discussion.

  • Contract renewal cycle. If such a discussion is brought up during the regular renewal cycle you certainly should have good argument about such programs under a Foreign Corrupt Practices Act (FCPA) best practices compliance program. The debate about whether distributors were covered was ongoing until a couple of years ago so many companies may not have considered auditing such relationships. Moreover, White notes that if you raise the issue during a renewal cycle, “business partners are less likely to invoke suspicion that is a ‘targeted’ requirement” you are aiming only at them.
  • Annual business planning sessions. Such meetings usually entail an overall strategy component so White believes it is a good time to bring up the issue in the context of your company’s overall anti-corruption compliance efforts. You should have the opportunity to “discuss best-practice strategy and introduce the possibility of proactive compliance auditing for the relationship going forward.” The more you can focus on the ‘partner’ nature of the compliance obligation the more this should resonate with your Distributor/Reseller.
  • Company-wide annual meetings with Distributor/Resellers. Here White suggests that if you bring all of your Distributor/Resellers together and announce the auditing requirement, you may be able to demonstrate that auditing is now a system wide requirement. She believes “The chance of buy-in is increased if it is perceived that other competitors are already actively engaging with you in this manner.”
  • White suggests, particularly if you are in a high risk environment or need to institute such an audit right sooner rather than later, to negotiate over audits rights. She suggests “consider introducing the proposed change in tandem with a benefit that is being rolled out to the business partner.” I would add that you could also sweeten up the pot.

From the overall tone of White’s article, the key seems to communication. Communication can be used to show that adding and then invoking a compliance audit clause is not necessarily a negative outcome. But more than communication with your Distributor/Resellers is the concept from the Fair Process Doctrine; that is, if the process is fair, people and business partners may be more willing to accept a perceived negative outcome. This will go a long way to alleviating fears from Distributor/Resellers that they are being targeted for some nefarious reason or worse, that your company may be using the information obtained in a compliance audit to drive down the commercial value of the relationship.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 1, 2014

Creation of Yosemite and Putting Compliance at the Center of Strategy

YosemiteOn this day in 1890, an act of Congress created Yosemite National Park, home of such natural wonders as Half Dome and the giant sequoia trees. Environmental trailblazer John Muir (1838-1914) and his colleagues campaigned for the congressional action, which was signed into law by President Benjamin Harrison.

In 1889, John Muir discovered that the vast meadows surrounding Yosemite Valley, which lacked government protection, were being overrun and destroyed by domestic sheep grazing. Muir and Robert Underwood Johnson, a fellow environmentalist and influential magazine editor, lobbied for national park status for the large wilderness area around Yosemite Valley. With this persuasion, Congress set aside over 1,500 square miles of land for what would become Yosemite National Park, America’s third national park. In 1906, the state-controlled Yosemite Valley and Mariposa Grove came under federal jurisdiction with the rest of the park to create the Yosemite that we know today. It clearly was a triumph for Muir and Johnson but more so for the American people.

I recently read an article in the Harvard Business Review (HBR) that seemed to draw inspiration from the actions of Muir and Johnson. The article by Frank Cespedes, entitled “Putting Sales at the Center of Strategy”, discussed how to connect up management’s new sales plans with the “field realities your salespeople face.” Referencing the well-known Sam Waltonism that “There ain’t many customers at headquarters”; Cespedes believes that “If you and your team can’t make the crucial connections between strategy and sales, then no matter how much you invest in social media or worry about disruptive innovations, you may end up pressing for better execution when you actually need a better strategy or changing strategic direction when you should be focusing on the basics in the field.”

The problem is usually clear. Senior management and the C-Suite make clear their commitment to doing business ethically and in compliance with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA). The company even has a best practices compliance. But the problem is that the installation or enhancement of a compliance regime is usually perceived as a ‘top-down’ exercise. The reality of the employee base that must execute the compliance strategy is not considered. Even when there are comments, it is derisively characterized as ‘push-back’ and not taken into account in moving the compliance effort forward. I thought Cespedes piece had some great insights for the compliance practitioner so borrowing from his four-point process, I will rework it for a compliance professional.

Communicate the Strategy

It can be difficult for an employee base to implement a strategy that they do not understand. Even with a company wide training rollout, followed by “a string of e-mails from headquarters and periodic reports back on results. There are too few communications, and most are one-way; the root causes of underperformance are often hidden from both groups.” Here Cespedes’ insight is that clarification is a leadership responsibility and in the compliance function that means the Chief Compliance Officer (CCO) or other senior compliance practitioner. Moreover, if the problem is that employees do not understand how to function within the parameters of the compliance program, then there is a training problem and that is the fault of the compliance department. I once was subjected to a PowerPoint of 268 slides, which lasted 7.5 hours, about my company’s compliance regime. To say this was worse than useless was accurate. The business guys were all generally asleep one hour into the presentation as we went through the intricacies of the books and records citations to the FCPA. The training was a failure but it was not the fault of the attendees. If your own employees do not understand your compliance program that is your fault.

Continually improve your compliance productivity

I thought this point was insightful. Cespedes talked about incentivizing your sales force. Why not do the same concepts around compliance? You can work with your Human Resources (HR) department to come up with appropriate financial incentives. Many companies have ad hoc financial awards, which they present to employees to celebrate and honor outstanding efforts. Why not give out something like that around doing business in compliance? Does your company have, as a component of its bonus compensation plan, a part dedicated to FCPA compliance and ethics? If so, how is this component measured and then administered? There is very little in the corporate world that an employee notices more than what goes into the calculation of their bonuses. HR can, and should, facilitate this process by setting expectations early in the year and then following through when annual bonuses are released. With the assistance of HR, such a bonus can send a powerful message to employees regarding the seriousness with which compliance is taken at the company. There is nothing like putting your money where your mouth is for people to stand up and take notice.

Improve the human element in your compliance program

This is another area where HR can help the compliance program. More than ongoing assessment of employees for promotion into leadership positions, here HR can assist on the ground floor. HR can take the lead in asking questions around compliance and ethics in the interview process. Studies have suggested that certainly Gen Y & Xers appreciate such inquiries and want to work for companies that make such business ethics a part of the discussion. By having the discussion during the interview process, you can not only set expectations but you can also begin the training process on compliance.

However, this approach should not end when an employee is hired. HR can also assist your compliance efforts by tracking employees through their company career to identify those who perform high in any compliance metric. This can also facilitate the delivery on more focused compliance training to those who may need it because of changes on FCPA risk during their careers.

Make your compliance strategy relevant

Cespedes notes, “Most C-suite executives know these value-creation levers, but too few understand and operationalize the sales factors that affect them.” In the sales world this can translate into a reduction in assets to underperforming activities. This is all well and good but such actions must be coupled with an understanding of why sales might be underperforming in certain areas. In the compliance realm, I think this translates into two concepts, ongoing monitoring and risk assessment. Ongoing monitoring can allow you to move from a simple prevent mode to a more prescriptive mode; where you can uncover violations of your company’s compliance program before they become full blown FCPA violations. By using a risk assessment, you can take the temperature of where and how your company is doing business and determine if new products or service offerings increase your compliance risks.

Above all, you need to get out and tell the compliance story. Louis D’Amrosio was quoted for the following, “You have to repeat something at least 10 times for an organization to fully internalize it.” If there is a disconnect between your compliance strategy and how your employee base is implementing or even interpreting that strategy, get out of the office and go out to the field. But you need to do more that simply talk you also need to listen. By doing so, can help to align your company’s compliance strategy with both the delivery and in the field.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 30, 2014

Discipline and Rigor in Your Internal Controls

DisciplineIn a recent New York Times (NYT) Op-Ed by David Brooks, entitled “The Good Order”, he discussed how routine can lead to creativity. He cited to the example of three well-known authors whose habits included the following. “Maya Angelou would get up every morning at 5:30 and have coffee at 6. At 6:30, she would go off to a hotel room she kept — a small modest room with nothing but a bed, desk, Bible, dictionary, deck of cards and bottle of sherry. She would arrive at the room at 7 a.m. and write until 12:30 p.m. or 2 o’clock.” Another example was John Cheever, who “would get up, put on his only suit, ride the elevator in his apartment building down to a storage room in the basement. Then he’d take off his suit and sit in his boxers and write until noon. Then he’d put the suit back on and ride upstairs to lunch.” Finally, there was the example of Anthony Trollope, who “would arrive at his writing table at 5:30 each morning. His servant would bring him the same cup of coffee at the same time. He would write 250 words every 15 minutes for two and a half hours every day. If he finished a novel without writing his daily 2,500 words, he would immediately start a new novel to complete his word allotment.” Brooks thesis for his piece seemed to be summed up by a quote from Henry Miller (of all people), “I know that to sustain these true moments of insight, one has to be highly disciplined, lead a disciplined life.” Sort of gives a whole new meaning to the word ‘discipline’.

However moving back to somewhat salacious concepts, I thought about those words in the context of internal controls around a Foreign Corrupt Practices Act (FCPA) compliance program. Brooks’ thoughts on building and maintaining order inform today’s post. In the area of internal controls, I believe it is incumbent to consider not only the most obvious risk areas for your internal controls but also the universe of potential transactions within the operations of a particular company. Once again relying on my friend and internal controls expert Henry Mixon I queried him about some of the other types of internal controls a company should consider around gifts, travel, business courtesies and entertainment.

One area that companies need to be mindful of is corporate checks and wire transfers, in response to falsified supporting documentation, such as check requests, purchase orders, or vendor invoices. Here Mixon believes that the Delegation of Authority (DOA) is a critical internal control. So, for example a wire transfer of $X between company bank accounts in the US might require approval by the Finance Manager at the initiating location and one officer. However, a wire transfer of $X to the company’s bank account in Nigeria, could require approval by the Finance Manager, a knowledgeable person in the Compliance function, and one officer. The key is that the DOA should specify who must give the final approval for such an expense.

I asked Mixon about the situation where checks drawn on local bank accounts in locations outside the US “off books” bank accounts, commonly known as slush funds. Petty cash disbursements in locations outside the US – the unique control issues regarding locations outside the US will be discussed in a future podcast. Some petty cash funds outside the US have small balances but substantial throughput of transactions. In this instance, Mixon said that the DOA should address replenishment of petty cash funds in countries outside the US, as well as approval of expense reports for employees who work outside the US, including those who travel from the US to work outside US.

Another area for concern is travel, the reason for this being that a company’s corporate travel department and independent travel agencies can buy tickets, hotel rooms, etc., for non-employees. Mixon noted that internal controls might be needed to ensure policies are enforced when travel for non-employees can be purchased through a corporate travel department or through independent travel agencies. As was demonstrated with GlaxoSmithKline PLC (GSK) in China, a company must not discount the risk related to abuse of power internally and collusion with independent travel agencies. Mixon advises that you should implement procedures to ensure compliance with your company policies regarding payment of travel and related expenses for third parties, for not only visits to manufacturing or job sites but also any compliance restrictions that might be in place.

An area for fraud, corruption and corporate abuse has long been Procurement cards or “P Cards”. Mixon cautions that if your company uses procurement cards, assume this to be a very high-risk area, not just for FCPA but also for fraud risk generally. Banks have made a great selling job to corporations for the use of P-Cards to help to facilitate “cash management” but, more often than not, they can simply be a streamlined way to allow embezzlement and misbehavior to go undetected. Here a control objective should be put in place along the lines of a written policy and procedures defining the acceptable and unacceptable use of company Procurement Cards, required forms, required approvals, documentation and review requirements.

An interesting analogy that Mixon used is that misbehavior, like water, seeks its own level. Mixon explained that this meant if the pre-approval process and strong controls over expense reports prevent misbehavior, employees who wish to misbehave will seek other ways to do it where controls are not so strong. This means you should use your risk assessment process to help prioritize where controls are most needed. If your company prohibits gifts and any travel other than for the submitting employee from being included in the expense report, you should consider requiring instead a check request form be used, which, Mixon noted, would be subject to stringent controls. He added that in such cases a checklist should be completed and attached to the check request which includes questions and disclosures designed to flush out exactly what was provided in the way of a business class airline, pocket money, event tickets, side trips, leisure activities, spouses or other relatives who might be traveling and why the travel had business purpose. Such an internal control would allow for a more streamlined processing of expense reports and still elevates the gifts/travel items to the appropriate level of review and requires appropriate documentation.

I inquired as to why a Compliance Officer relies on the audit controls that are in place regarding gifts because in many companies, internal audits of expense reports are common. Mixon noted that it is important to keep in mind that, with respect to gifts, internal audits most often constitute, at best, a detect control, which only gives comfort for some historical period and is not necessarily representative of the controls in place to prevent future violations. So, it will be a false sense of security if a Compliance Officer relies on the internal audit of expense reports to be the control needed over violation of Gift policies.

I thought about one line in Brooks’ piece, which seemed to echo Mixon’s thoughts on internal controls, where Brooks wrote, “Building and maintaining order…requires toughness of mind and rigid discipline to properly serve your own work.” By having the rigor to institute and enforce the types of internal controls Mixon has identified, you can go a long way towards detecting and more importantly preventing a FCPA violation from occurring.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 29, 2014

TNG Premiers and Internal Controls for Gifts in a Best Practices Compliance Program

Star Trek TNGThis week, 27 years ago, Star Trek – The Next Generation (TNG) made its television debut. Rarely has there a follow up to a beloved original series (Star Trek – The Original Series (TOS)) that is equally treasured by fans. They say that your favorite Star Trek is the one you grew up with, so for me that is TOS and that will always be my most beloved Star Trek series, but for the younger generations TNG fills that bill. The series occurred some 70 years in the time after TOS so things were a bit different. One of the differences was on following the Prime Directive more rigorously. While Captain Kirk, who actually had a hand in drafting the Prime Directive, seemed to view it with situational ethics, Captain Picard was much more concerned about not violating it.

I thought about this evolution of the Prime Directive from TOS to TNG when considering what types of internal controls a compliance practitioner might consider in the area of gifts in a Foreign Corrupt Practices Act (FCPA) best practices compliance program. I have been continuing my exploration of internal controls with well-known expert Henry Mixon, Principal of Mixon-Consulting. Mixon believes that it would be reasonable to expect that internal controls over gifts would be designed to ensure that all gifts satisfy the criteria as defined and interpreted in Company policies. Generally speaking, these are fairly narrow, including a definition of the dollar limit, which must not be exceeded in order for gifts to be permissible, coupled with some subjective criteria such as the legality of the gifts for the recipient and whether the practice is customary within the country where the gift is delivered. The question I focus on is how to enforce the policies so that employees are not free to disregard them at will?

The Department of Justice (DOJ), in several enforcement actions and the FCPA Guidance has emphasized the importance of risk assessment and effective controls and building a program tailored to those risks. Many companies effectively minimize the risk of inappropriate gifts through stringent pre-approval requirements because a sufficiently robust and enforced pre-approval policy can reduce the number of gifts simply because of the headache of getting the pre-approval. This has the added benefit of ensuring enforcement of internal controls, largely because of the reduced volume of gifts being included in expense reports. Mixon cautions that in considering the effectiveness of controls, you must always keep in mind the most frequently used method for defeating an internal control, which is driven by a dollar amount criteria, is splitting the item into multiple parts in order to appear to stay under the limit and to avoid the defined approval authority based on the amount of the gift.

Mixon believes that the key analysis is whether there are controls in place to enforce the policies and whether those controls are documented. To help to answer this query, he posited that there are four issues to evaluate.

  • Is the correct level of person approving the payment / reimbursement for the gift?
  • Are there specific controls, including signoffs, to demonstrate that the gift had a proper business purpose?
  • Are the controls regarding gifts sufficiently preventative, rather than relying on detect controls?
  • If controls are not followed, is that failure detected by other internal controls or the compliance protocols?

While many compliance practitioners believe that employee expense reports are a sufficient internal control regarding gifts, because there are other ways in which a gift can be presented, there need to be other controls. Mixon believes that once your company policy on gifts has been finalized, the internal controls over expense reports fall into three basic areas: (1) The expense report format, including what information it requires; (2) Controls over the submitting employee and the preparation of the expense report; and (3) Controls to ensure the approvers do their review process properly.

Mixon believes the format itself of an expense report can go a long way toward prevention of violations of company policy. First it is important to have preprinted representations and certifications within the form because these can lead to “stop and think” type of controls, meaning the person submitting the expense report has to at least consider the information being submitted. The form can be signed without reading the preprinted representations, but if the employee and reviewers have been trained on how to review the expense report, it can be difficult to say later that the submitting employee did not understand what they were signing.

Mixon suggested two forms of representation, the Preparer’s representations and the Approver’s representations. The Preparer’s representations include ensuring that all items representing a proper business purpose comply with the company’s code of conduct, comply with local law and custom, and comply with all applicable company policies regarding FCPA compliance. The Approver’s representations ensure that all supporting documentation has been examined and that all documentation complies with applicable company policies, including the submission of original receipts. Further, the approver should certify that they have complied with all company policies regarding the review and approval of the expense report.

Mixon noted that some companies have two basic forms of expense reports. One is for situations in which all items pertain to US locations and do not involve any expenses incurred outside the US or for benefit of persons outside the US. The second is for items involving locations or persons outside the US. The international reporting form might have more stringent requirements and should provide for more detailed disclosures. It could require reporting, in a separate section of the expense report, all items that involve government officials, so that these items are not “buried” elsewhere in the expense report. Just as an added measure, the expense report includes a column where other expenses are reported which requires the submitter to check “Government Official YN?” this type of format should require sufficient disclosure of information regarding each item involving government officials. The next step in such an enhanced protocol would require a senior officer from the business unit to approve any reimbursements that meet certain criteria, for example, certain geographical areas or countries. Finally, such an enhanced representation could also include separate sections for each item requiring a description of the business purpose of meals, entertainment, names and business affiliation of all attendees, description of gifts and their business purpose, etc. A typical expense report requires this information to be on the receipt. Mixon believes that moving beyond simply requiring receipts and requiring such detail to be incorporated directly onto the expense reimbursement forms highlights the presence or absence of proper documentation much more readily. Mixon ended by noting it was incumbent to ensure reviewers sign off that each such item has documentation that required pre-approvals were obtained, if necessary.

While following the Prime Directive does not always lead to the result that the crew of TNG Enterprise desired; it did have the greater effect of allowing cultures and peoples to develop without interference. Internal controls around gifts can be used in a variety of ways in your best practices compliance program. They can certainly be used to detect an issue and perhaps even prevent an issue from becoming a full-blown FCPA violation, however, by using some of the techniques that Mixon has suggested you can move your compliance program to a proscriptive phase where you not only stop an issue from becoming a violation but through identification, you can move towards remediation as a part of your ongoing compliance efforts. Just as Star Trek’s Prime Directive had an ultimate purpose, if you can move your compliance program’s internal controls forward, you can help make them a part of your financial controls and thereby have a better run company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 26, 2014

West Side Story and GSK In China – Board Oversight and Tone in the Middle

West Side Story IIYesterday, I celebrated the anniversary of one of America’s cultural lows. But today, I am extremely pleased to open with exactly the opposite, that being one of America’s greatest gifts to the performing arts. For on this day in 1957, the musical West Side Story premiered on Broadway. There are so many facets to one of the great, even greatest, works of musical theater. Leonard Bernstein penned the score, Stephen Sondheim wrote the lyrics, Jerome Robbins choreographed the dance and the story was by Arthur Laurents, inspired by Romeo and Juliet.

There are many great songs, dances and moments in the play. Most of us (at least of my age) outside New York were introduced to the play via television where it ran for one showing in 1971. The show never toured until the 2000s. When I finally got to see the stage production I was absolutely blown away. I had never seen anything like and it and I will never forget the 5-counter point singing by Tony, Maria, Anita, Bernardo and the Sharks, and Riff and the Jets, as they all anticipate the events to come that night in the song Tonight’s Quintet. The show truly is one of America’s gems.

I thought about the continuing appeal of West Side Story as a musical and why the story continues to resonate with the American people when I continued to consider some of the lessons learned from the GlaxoSmithKline PLC (GSK) matter in China. Today’s areas for reflection should be the role of a company’s Board of Directors and the second is the ‘tone in the middle’. While we have not heard from the GSK Board on this case, it has become clear that the GSK Board was aware of both the anonymous whistleblower allegations and the release of the tape of the GSK China Country Manager and his girlfriend. One of the lessons learned from the GSK scandal is that a Board must absolutely take a more active oversight role not only when specific allegations of bribery and corruption are brought forward but also when companies are operating in high risk environments. Further how can a company move its message of doing business ethically and in compliance down the employee chain.

In a NACD Directorship article, entitled “Corruption in China and Elsewhere Demands Board Oversight”, authors Eric Zwisler and Dean Yoost noted that as “Boards are ultimately responsible for risk oversight” any Board of a company with operations in China “needs to have a clear understanding of its duties and responsibilities under the FCPA and other international laws, such as the U.K. Bribery Act”. Why should China be on the radar of Boards? The authors reported, “20 percent of FCPA enforcement actions in the past five years have involved business conduct in China. The reputational and economic ramifications of misinterpreting these duties and responsibilities can have a long-lasting impact on the economic and reputation of the company.”

The authors understand that corruption can be endemic in China. They wrote, “Local organizations in China are exceedingly adept at appearing compliant while hiding unacceptable business practices. The board should be aware that a well-crafted compliance program must be complemented with a thorough understanding of frontline business practices and constant auditing of actual practices, not just documentation.” Further, “the management cadence of monitoring and auditing should be visible to the board.” All of the foregoing would certainly apply to GSK and its China operations.

Moreover, the FCPA Guidance makes clear that resources and their allocation are an important part of any best practices compliance program. So if that risk is perceived to be high in a country such as China, the Board should follow the prescription in the Guidance, which states “the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

To help achieve these goals, the authors suggested a list of questions that they believe every director should ask about a company’s business in China.

  • How is “tone at the top” established and communicated?
  • How are business practice risks assessed?
  • Are effective standards, policies and procedures in place to address these risks?
  • What procedures are in place to identify and mitigate fraud, theft, and corruption?
  • What local training is conducted on business practices and is it effective?
  • Are incentives provided to promote the correct behaviors?
  • How is the detection of improper behavior monitored and audited?
  • How is the effectiveness of the compliance program reviewed and initiated?
  • If a problem is identified, how is an independent and thorough investigation assured?

Third parties generally present the most risk under a Foreign Corrupt Practices Act (FCPA) compliance program and are believed (at least anecdotally) to comprise over 90 percent of reported FCPA cases, which subsequently involve the use of third-party intermediaries such as agents or consultants. But this is broader than simply third party agents because any business opportunity in China will require some type of business relationship.

One of the major failings of the GSK Board was that it apparently did not understand the actual business practices that the company was engaging in through its China business unit. While $500MM may not have been a material monetary figure for the Board to consider; the payment of such an amount to any third party or group of third parties, such as Chinese travel agencies, should have been raised to the Board. All of this leads me to believe that the GSK Board was not sufficiently engaged. While one might think a company which had received a $3bn fine and was under a Corporate Integrity Agreement (CIA) for its marketing sins might have sufficient Board attention; perhaps legal marketing had greater Board scrutiny than doing business in compliance with the FCPA or UK Bribery Act. The Board certainly did not seem to understand the potential financial and reputational impact of a bribery and corruption matter arising in China. Perhaps they do now but, for the rest of us, I think the clear lesson to be learned is that a Board must increase oversight of its China operations from the anti-corruption perspective.

GSK Chief Executive Officer (CEO) Sir Andrew Witty has certainly tried to say all of the right things during the GSK imbroglio on China. But did that message really get down into to the troops at GSK China? Moreover, did that message even get to middle management, such as the GSK leadership in China? Apparently not so, one of the lessons learned is moving the Olympian Pronouncements of Sir Andrew down to lower levels on his company. Just how important is “Tone at the Top”? Conversely, what does it say to middle management when upper management practices the age-old parental line of “Don’t do as I do; Do as I say”? In his article entitled, “Ethics and the Middle Manager: Creating “Tone in The Middle” Kirk O. Hanson, listed eight specific actions that top executives could engage in which demonstrate a company’s and their personnel’s commitment to ethics and compliance. The actions he listed were:

  1. Top executives must themselves exhibit all the “tone at the top” behaviors, including acting ethically, talking frequently about the organization’s values and ethics, and supporting the organization’s and individual employee’s adherence to the values.
  2. Top executives must explicitly ask middle managers what dilemmas arise in implementing the ethical commitments of the organization in the work of that group.
  3. Top executives must give general guidance about how values apply to those specific dilemmas.
  4. Top executives must explicitly delegate resolution of those dilemmas to the middle managers.
  5. Top executives must make it clear to middle managers that their ethical performance is being watched as closely as their financial performance.
  6. Top executives must make ethical competence and commitment of middle managers a part of their performance evaluation.
  7. The organization must provide opportunities for middle managers to work with peers on resolving the hard cases.
  8. Top executives must be available to the middle managers to discuss/coach/resolve the hardest cases.

What about at the bottom, as in remember those China unit employees who claimed they were owed bonuses because their bosses had instructed them to pay bribes? Well if your management instructs you to pay bribes that is a very different problem. But if your company’s issue is how to move the message of compliance down to the bottom, Dawn Lomer, Managing Editor at i-Sight Software, provided some concrete suggestions in an article in the SCCE magazine, entitled “An ethical corporate culture goes beyond the code”, where she wrote that that the unofficial message which a company sends to its employees “is just as powerful – if not more powerful – than any messages carried in the code of conduct.” Lomer suggested that a company use “unofficial channels” by which your company can convey and communicate its message regarding doing business in an ethical manner and “influence employee behavior across the board.” Her suggestions were:

  1. Reward for Integrity - Lomer writes that the key is to reward employees for doing business in an ethical manner and that such an action “sends a powerful message without saying a word.”
  2. The three-second ethics rule – It is important that senior management not only consistently drives home the message of doing business ethically but they should communicate that message in a short, clear values statement.
  3. Environmental cues – Simply the idea that a company is providing oversight on doing business ethically can be enough to modify employee behavior.
  4. Control the images – It is not all about winning but conducting business, as it should be done.
  5. Align Messages – you should think about the totality of the messages that your company is sending out to its employees regarding doing business and make sure that all these messages are aligned in a way that makes clear your ethical corporate culture clear. 

The GSK case will be in the public eye for many months to come. Both the UK Serious Fraud Office (SFO) and US authorities have open investigations into the company. Just as the five counter-point singing or the rooftop symphonic dance scene to the song America demonstrates the best of that art form; you can draw lessons from GSK’s miss-steps in China now for implementing or enhancing your anti-corruption compliance program going forward now.

And while you are ending your week of considering GSK and its lessons learned for your compliance program, crank up your speakers to 11 and listen to some five counter-point singing the movie version of the Tonight Quintet, by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,760 other followers