FCPA Compliance and Ethics Blog

September 11, 2014

King Arthur’s Roundtable – The CCO as Chief Collaboration Officer

RoundtableMany commentators such as Donna Boehme and Mike Volkov often talk about what is required for the position of Chief Compliance Officer (CCO), both in terms of corporate support and skills as a leader of a company’s compliance function. But in many ways a CCO can be seen as a collaborator because so much of the job is working with and interfacing with various functions within a business. I thought about that concept when I read an article in the Corner Office section of the New York Times (NYT) entitled “Titles Don’t Matter. Teamwork Does.” by Adam Bryant where he interviewed and profiled Girish Navani, Chief Executive Officer (CEO) of eClinincalWorks, a provider of clinical information systems.

I found Navani’s leadership style focusing on collaboration to be a good model for a CCO or compliance practitioner because what the compliance function needs to bring is a partnership to help the business and other units do business in compliance with the relevant legal and regulatory scheme. In the world of anti-bribery and anti-corruption that means compliance with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act and similar laws. Navani said that his leadership style is to be as open as possible. One of the techniques that he uses is to have an oval table for meetings. No doubt channeling his inner King Arthur (or perhaps Richard Harris playing King Arthur), the configuration of the table actually seems to facilitate conversation and learning.

Another interesting insight was that Navani structures his company around teams. I thought this could be something that the compliance function could use in its dealings with business units because compliance is really a partnership with the business units and compliance spans multiple functions within any company. I also found another leadership insight from Navani’s leadership style. Navani said he continues “to learn every day. Leadership to me is many different qualities. Some are very basic. You’ve go to be approachable, humble and hard-working. Then there are ones regarding how you treat people. I listen more now. Before, I’d speak all the time. I will still do a lot of talking in meetings, but I absorb others opinions more. And I’m completely open to being told “no”. Questioning my own decision-making with others in the room is fine.”

I found that last point quite useful to consider. Coming out of the legal department and into compliance, I did not always take kindly to being told ‘no’ by someone from the business unit. I thought every pushback was some type of pressure test looking for weakness or tension. However, Navani’s style brings up the useful reminder that often the business function can assist compliance in learning how to perform the function more quickly or more efficiently. Certainly the business can assist the compliance function in understanding the highest risks that a company should focus on managing. In such a partnership role, compliance and the business unit can compliment each other to stop wasting time on immaterial risks so that resources can be delivered to the company’s highest risks.

Navani also stressed accountability. At his company “You’ve got to be accountable to yourself first, and you’ve got to be accountable to your team.” This certainly has application to the compliance function as well. One of the battles that compliance can fight is to be ‘The Land of No’ and the CCO is the head of it, or ‘Dr. No’. However by stressing accountability and creating transparency in the compliance process, I believe that a CCO can go a long way towards ameliorating that misperception.

I also found Navani’s techniques for hiring instructive for compliance. He said, “I look for the heart first. I don’t ask for direct experience.” He expects a modicum of professional expertise by the questions he asks most often are “Do you want to win? What drives you every day? Why health care IT? Can you spend 10 years of your career here? What do you want to do in those 10 years?” Navani went on to say that if he received satisfactory responses to those queries the technical aspects of a position can be taught. But he strives to see if a candidate’s heart is in the right place.

In addition to using these questions to ferret out candidates who will not work with his company, Navani uses these questions to set both a tone and expectation. The message he sends is “We’re not going to stifle you. If you can think out of the box, you will.” Navani believes that by hiring such employees they have the opportunity to become game changers at his company. Now imagine if you could have your Human Resource function use the hiring process to ask questions around attitudes around business ethics or other compliance issues. It would have the dual effect of allowing your company to have a front line inquiry that might weed out those who might be prone to cutting corners through bribery and corruption. But equally important would be the expectation set on the high value your company has on compliance and business ethics. The message would begin pre-hire, set again during employee orientation training and continued throughout the employment tenure.

Through migrating some of these leadership techniques that Navani espoused into your compliance tool-kit; a CCO or compliance professional can help to shift a company’s conversation around compliance. You can move from simply being seen as a safety backstop to one of developing and implementing solutions. Some of the other insights that I drew from Navani include setting out your core function of compliance. A compliance function should be able to offer expertise and insight into solutions. One part of that may be delivering data and other information to the business function to help them make better economic decisions for the company. But another way might be through compliance coaching advocacy.

Navani’s leadership once again demonstrates that if your compliance function shows integrity and responsibility, it can lead to greater teamwork between departments. Many business units fear that the compliance function will take away control of the business process from them. However by demonstrating that compliance is really in partnership, this can move a long way to alleviating this concern.

And do not forget the Round Table.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 8, 2014

Board of Directors and FCPA Oversight – An Internal Control Under SOX, Part II

Circle DiagramIn Part I of this two-part post regarding a Board of Director’s Role in Foreign Corrupt Practices Act (FCPA) oversight from the internal controls perspective, I reviewed how a Board might have independent liability for its failure to act as an appropriate internal control as required by Sarbanes-Oxley (SOX). Today I will review what internal controls are and what a Board’s role is within the context of internal controls.

Beginning on Tuesday, in conjunction with this two-part blog, my colleague Henry Mixon, Principal of Mixon Consulting, and myself are recording a podcast series on internal controls, which can be found on FCPA Compliance and Ethics Report. We are discussing the following areas: what are internal controls; how a company might use them and how they can be implemented? In the first of the podcast series I asked Mixon what are internal controls? He began with the textbook definition, which he said was “Internal controls are systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to:

  • conduct its business in an orderly and efficient manner,
  • safeguard its assets and resources,
  • deter and detect errors, fraud, and theft,
  • ensure accuracy and completeness of its accounting data,
  • produce reliable and timely financial and management information, and
  • Ensure adherence to its policies and plans.

Mixon noted that internal controls should be instituted entity wide, not simply limited to those functions used or reviewed by accountants and auditors. For an anti-corruption compliance regime such as the FCPA or UK Bribery Act, internal controls are measures to provide reasonable assurances that any assets or resources of a company (not limited to cash) cannot be used to pay a bribe. This definition includes diversion of company assets (such as by unauthorized sales discounts or receivables write-offs) as well as the distribution of assets.

Mixon noted that the basic framework for internal controls is derived from the COSO Model developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1992 (COSO). This model has become the standard for an internal control framework and provides a structure to ensure companies address the key elements that should result in an effective system of internal controls. Using the COSO Model, as modified in 2013, provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. The COSO Model defines internal controls in a pyramid, from bottom to top, as follows: (a) Control environment, (b) Risk assessment, (c) Control activities, (d) Information and communication, and (e) Monitoring.

In the 2013 update the basic framework was retained with substantial support from user companies, and 3 specific objectives were added: (I) Operations Objectives – effectiveness and efficiency of operations, including safeguarding assets against loss; (II) Reporting objectives – internal and external financial reporting; and (III) Compliance objectives – adherence to laws and regulations to which the entity is subject. According to the guidance in the 2013 update, the system of internal controls can be considered effective only if it provides reasonable assurance the organization, among other things, complies with applicable laws, rules, regulations and external standards. With the addition of those specific objectives, the COSO framework now specifically includes the need for controls to address compliance with laws and regulations.

We then turned to the question of which internal controls does a company need to institute? Mixon said that each company defines its internal controls to fit its business by determining what the Company wishes to protect and what type of control environment does it want to have in place. This means that they can be less formal in smaller companies but still effective if the focus is on the right risks. Based upon FCPA guidance, the most common control needs have been identified as follows: (i) Dealings with third parties; (ii) Gifts and entertainment, and (iii) Charitable donations. Yet even within those categories, a wide range of risks exists, depending on a company’s business practices. Mixon emphasized that a Top Down ‘Check-the-box’ generic set of policies will not likely result in effective controls.

The process to determine which internal controls are needed will be of some familiarity to the compliance professional. It all starts with a risk assessment to establish the corporate policies which are applicable, tailored to the company, and sufficiently specific. The risk assessment will also help to identify the types of transactions across the company which should be addressed (gifts and entertainment, maintenance of bank accounts and movement of cash, dealings with third parties, etc.). The next step is to prepare a set of documents which define the control objectives to be in place for each type of transaction – example: “Controls will be in place to ensure no vendor has been added to the vendor master file until complete due diligence has been completed and the vendor has been approved in accordance with Corporate policies. Thereafter, you will need to document how the controls will be performed and how they will be evidenced and then incorporate the control procedures into applicable work instructions and job descriptions.” Mixon cautioned that for each business location, determine the specific controls needed to accomplish each control objective. In many companies, a disparity of operating practices and accounting systems will result in different controls being needed. He ended by emphasizing that while this assignment may seem overwhelming it can be done in reasonable stages, pursuant to a specific implementation plan – it does not have to be done all at once for the entire company.

As you will recall from Part I, I believe, as gleaned from Jim Doty’s remarks, that a Board must not only have a corporate compliance program in place it must also actively oversee that function. This led me to conclude that failure to perform these functions may lead to independent liability of a Board for its failure to perform its allotted tasks in an effective compliance program. Doty’s remarks drove home one of the roles that a Board performs, which fulfills those tasks. Internal controls work together with compliance policies and procedures as stated by Aaron Murphy, a partner at Akin Gump, in his book “Foreign Corrupt Practices Act”, as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Murphy breaks down internal controls into five concepts, which I have adapted for a Board or Board subcommittee role for compliance:

  1. Corporate Compliance Policy and Code of Conduct – A Board should have an overall governance document which will inform the company, its employees, stakeholders and third parties of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
  2. Risk Assessment – A Board should assess the compliance risks associated with its business.
  3. Implementing Procedures – A Board should determine if the company has a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
  4. Training – There are two levels of Board training. The first should be that the Board has a general understanding of what the FCPA is and it should also understand its role in an effective compliance program.
  5. Monitor Compliance – A Board should independently test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.

There have been several FCPA enforcement actions where the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) discuss the failure of internal controls as a basis for FCPA liability. The Smith & Wesson enforcement action is but the latest. With the questions about the Walmart Board of Directors and their failure to act in the face of allegations of bribery and corruption in the company’s Mexico subsidiary, or contrasting failing to even be aware of the allegations; there may soon be an independent basis for an FCPA violation for a Board’s failure to perform its internal controls function in a best practices compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 28, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part III

7K0A0129Today, I conclude a three-part series on risk assessments in your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program. I previously reviewed some of the risks that you need to assess and how you might go about assessing them. Today I want to consider some thoughts on how to use your risk assessment going forward.

Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements.

A manner in which to put into practice some of Volkov’s suggestions was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”. Her article focused on the how Timken Company, assesses and then evaluates the risks the company has assessed. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks. 

LIKELIHOOD 

Likelihood Rating Assessment Evaluation Criteria
1 Almost Certain High likely, this event is expected to occur
2 Likely Strong possibility that an event will occur and there is sufficient historical incidence to support it
3 Possible Event may occur at some point, typically there is a history to support it
4 Unlikely Not expected but there’s a slight possibility that it may occur
5 Rare Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY 

Priority Rating Assessment Evaluation Criteria
1-2 Severe Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4 High Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7 Significant
8-14 Moderate
15-1920-25 LowTrivial Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, a relationship-analysis based software such as Catelas or other analytical based tools. But you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

In an article in Compliance Week Magazine, entitled, “Lessons on Risk Assessments from Winnie The Pooh” Jason Medford articulated that a key use of a risk assessment is to assist the internal audit function in developing their internal audit plan. He cited to the Institute of Internal Auditors (IIA) standard 2010.A1, which states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.” He went on to note that “In order to have a truly integrated GRC capability it is necessary for internal auditors to work with other GRC professionals in their organization. They must align their annual audit plan with the organization’s objectives, strategies, and initiatives of the other GRC professionals. They must collaborate, coordinate, and align their audit activities with other GRC professionals to increase visibility, improve efficiency, accountability and collaboration.

Carol Saint, Vice President of Internal Audit for 7-Eleven, who was interview by OCEG President Carol Switzer for the same article said that “We start with a risk assessment, beginning with business units because this is how the organization has designed accountability.  We decompose business units into the processes and sub-processes they own and execute. We evaluate how sub-processes align to achievement of strategic objectives: How do they affect the company’s value drivers? Next, we map financial statement lines to the sub-processes to help prioritize from that lens. Finally, for each sub-process we consider specific risks that could hinder achievement of strategic objectives, as well as fraud risks, significant accounting estimates, benchmarking/ hot topics, and ERM risks. We created an “intensity rating” that measures how often a process/sub-process was mentioned in our stakeholder interviews as a risk to the company. And we also considered how cross-functional a process is so that the element of complexity—a risk accelerator—could help determine audit plan priorities. This year’s plan development process was quite intense, but I think we did a good job of creating a baseline so that future risk assessments are more efficient.”

I hope that you have found this series on risk assessments useful. If you have any questions or better yet would like me to work on a risk assessment for your organization, please contact me.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 27, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part II

7K0A0501Ed. Note-Today, I continue my three-part posts on risk assessments. Today I take a look at some different ideas on how you might go about assessing your risks.

One of the questions that I hear most often is how does one actually perform a risk assessment? Mike Volkov has suggested a couple of different approaches in his article “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption that might well be attributed to your company.

Another noted compliance practitioner, William Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, took a different look at risk assessments when he posited that companies assume that FCPA violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Athanas suggests assessing those individuals with the opportunity to interact with foreign officials have the greatest chance to commit FCPA violations. Diving down from that group, certain individuals also possess the necessary inclination, whether a personal financial incentive linked to the transaction or the inability to recognize the significant risks attendant to bribery.

To assess these risks, Athanas suggested an initial determination of the touch-points where the operations of manufacturing companies “intersect with foreign officials vested with discretionary authority.” This will lead to an understanding of the individuals who hold these roles within a company. This means that a simple geographic analysis is but a first step in a risk analysis. Thereafter companies should also focus on “those who authorize and record disbursements, as well as those who represent the company in situations where they may be solicited for payments.” The next step is to determine those company employees who may have the incentive “to pay bribes on the Company’s behalf.” This incentive can come from a variety of forms; such as a company compensation plan, which rewards high producers; employees who do not understand the risk they place the company (and themselves) in by engaging in tactics which violate the FCPA; and, finally, those employees who seek to place their individual interests above those of the company.

Athanas concludes by noting that this limited group of employees, or what he terms the “shaft of the hockey-stick”, is where a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts on “intensive training sessions or focused analysis of key financial transactions — on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”

Lawler suggests that you combine the scores or analysis you obtain from the corruption markers you review; whether it is the DOJ list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery.” This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority (70-80%) into the moderate-risk category; and the final 10-15% would be high risk.

Earlier this week I wrote a piece about the Desktop Risk Assessment. I will not repeat the entire blog post here but only use some of the areas you could assess as a starting point for discussion. If you do not have the time, resources or support to conduct a worldwide risk assessment annually, you can take a different approach. You might try assessing other areas annually through a more limited focused risk assessment, which a colleague of mine calls the Desktop Risk Assessment. Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

  • Are resources adequate to sustain a culture of compliance?
  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
  • Communication of information and findings – Are escalation protocols appropriate?
  • What are the opportunities to improve compliance?

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the things areas you can assess and deliver any remedial action which may be warranted. Further, if you aim to perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. And do not forget the that the FCPA Guidance ends its section on risk with, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

A completely different approach was articulated by Leonard Shen, Vice President (VP) and Chief Compliance Officer (CCO) at PayPal, in a presentation to Compliance Week. His approach is not the right approach for every company but for those initiating their compliance journey, or a company considering a significant upgrade due to some systemic issue; this approach may be a more effective approach than the traditional risk assessment where a team of lawyers, CPAs and internal auditors assess a company’s compliance environment.

In a company which is initiating its compliance program, it can be perceived as a sea change of culture. However, Shen indicated that he had used an approach which worked to alleviate those types of concerns which also provided enough information to perform a robust assessment which could be used to form the basis of an effective compliance program. He termed this type of approach as one to “engage and educate.” While the approach had a two word name, it actually had three purposes; (1) to engage the employees in what would form the basis for an enhanced compliance program; (2) to educate the employees generally in compliance and ethical behavior; and (3) through the engagement of employees, to gather information which could be used to form the basis of a risk assessment.

Shen and his compliance team traveled to multiple company locations, across the globe, to meet with as many employees as possible. A large number these meetings were town hall settings, and key employee leaders, key stakeholders and employees identified as high risk, due to interaction with foreign governmental official touch-points, were met with individually or in smaller groups. Shen and his team listened to their compliance concerns and more importantly took their compliance ideas back to the home office.

From this engagement, the team received several thousand-employee suggestions regarding enhancements to the company’s compliance program. After returning to the US, Shen and his team winnowed down this large number to a more manageable number, somewhere in the range of a couple of hundred. These formed the basis of a large core of the enhancements to the existing company compliance program. After the enhanced compliance program was rolled out formal training began. During the training, the team was able to give specific examples of how employee input led to the changes in the enhanced program. This engaged the employees and made them feel like they were a part of, and had a vested interest in, the company’s compliance program. This employee engagement led to employee buy-in.

During the town hall meetings, and the smaller more informal group meetings, Shen and his team were doing more than simply listening, they were also training. However, the training was not on specific compliance provisions; it was more generally on overall ethics and how the employees could use compliance as a business tool. Most ethical standards of a company are not found in an existing compliance program, they are found in the general anti-discrimination guidelines and ethical business practices such anti-competitiveness and use of customer confidential information prohibitions. Often these general concepts can be found in a company’s overall Code of Conduct or similar statement of business ethics; workplace anti-discrimination and anti-harassment guidelines can be found in Human Resource policies and procedures.

Concepts such as anti-competitiveness and use of customer and competitor’s illegally obtained confidential information may be found in anti-trust or other business practice focused guidelines.

Shen and his team’s aim on the education component of “engage and educate” was to have the company employee’s start thinking about doing business the ethical way. It was ethical concept based training designed to be in contrast to a rules based approach, where employees believe they are taught the rules, and then try to see how close they can get to the line of violating the compliance rule without actually stepping over the line. Moreover, by having this general ethical business training, it laid the groundwork for the enhancement of the company’s compliance program and the training that would occur when the enhancement was rolled out.

A third key component of the “engage and educate” program is the risk assessment component. Shen’s approach here was not the traditional control-testing model, where documents are pulled and tested against a standard. Shen and his team listened, listened and listened. They listened to their employees concerns and they listened to the compliance issues they raised. As they were listening they began to ask questions about what was done and why. The questioning was not in an adversarial, interrogation mode but ferreting out the employees concerns while having the employees educate the team on the actual procedures that were used in several areas identified as key high risk areas.

Shen emphasized that this was an assessment and not an audit so no detailed forensic work was needed or used. However, by listening, and gently questioning, Shen and his team were able to garner enough information to create a risk assessment profile which informed and became the basis of their compliance program enhancement. Shen and his team did not identify to the company employees that they were engaged in a formal risk assessment. He believed that in many ways, he and his team were able to garner more useful information with which to inform their compliance program enhancement.

Shen’s “engage and educate” approach worked for his company at that point in time. It may not work for other companies as a traditional risk assessment but it does provide a different model if your company is beginning to create their compliance program, or is looking into a major enhancement.

Tomorrow, I will look at how you might use a risk assessment going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

August 26, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part I

7K0A0079Yesterday, I blogged about the Desktop Risk Assessment. I received so many comments and views about the post, I was inspired to put together a longer post on the topic of risk assessments more generally. Of course I got carried away so today, I will begin a three-part series on risk assessments. In today’s post I will review the legal and conceptual underpinnings of a risk assessment. Over the next couple of days, I will review the techniques you can use to perform a risk assessment and end with a discussion of what to do with the information that you have gleaned in a risk assessment for your compliance program going forward.

One cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the US Department of Justice (DOJ) has said that risk assessments that measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations identifies how you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The UK Bribery Act has a similar view. In Principal I of the Six Principals of an Adequate Compliance program, it states, “The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” In other words, risk assessments have been around and even mandated for a long time and their use has not lessened in importance. The British have a way with words, even when discussing compliance, and Principal I of the Six Principals of an Adequate Compliance program says that your risk assessment should inform your compliance program.

Jonathan Marks, a partner in the firm of Crowe Horwath LLP, said the following about risk assessments in his 13-step FCPA Compliance Action Plan, “A comprehensive assessment of the potential bribery and corruption risks – both existing and emerging risks – associated with a company’s products and services, customers, third-party business partners, and geographic locations can serve as the basis for the compliance program. The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company.”

The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face. Both the both the US Sentencing Guidelines, the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program.

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent SA, Maxwell Technologies Inc. and Tyson Foods Inc. all had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. Both the Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed.

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. These factors supplement those listed in the UK Bribery Consultative Guidance states, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:

  1. Internal Risk – this could include deficiencies in
  • employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
  • employee training or skills sets; and
  • the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
  1. Country risk – this type of risk could include:

(a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;

(b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and

(c) a culture which does not punish those who seeks bribes or make other extortion attempts.

  1. Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents.
  2. Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.

Another approach was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk. He further detailed these categories as follows:

  1. Company Risk-Lawyer believes this is “only to be likely to be relevant when assessing a number of different companies – either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve, some of the following characteristics:
  • Private companies with a close shareholder group;
  • Large, diverse and complex groups with a decentralized management structure;
  • An autocratic top management;
  • A previous history of compliance issues; and/or
  • Poor marketplace perception.
  1. Country Risk-this area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, annual Transparency International Corruption Perceptions Index can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
  2. Sector Risk-these involve areas which require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
  • Extractive industries;
  • Oil and gas services;
  • Large scale infrastructure areas;
  • Telecoms;
  • Pharmaceutical, medical device and health care;
  • Financial services.
  1. Transaction Risk-Lawyer says that this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up”. Indicia of transaction risk include:
  • High reward projects;
  • Involve many contractor or other third party intermediaries; and/or
  • Do not appear to have a clear legitimate object.
  1. Business Partnership Risk-this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
  • Use of third party representatives in transactions with foreign government officials;
  • A number of consortium partners or joint ventures partners; and/or
  • Relationships with politically exposed persons (PEPs).

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 14, 2014

Na-Nu Na-Nu – Final Report to Ork From Mork – Information from FCPA Inquiries

Mork from OrkEd. Note: Na-Nu Na-Nu. We interrupt our daily blog post to provide this final report to the Planet Ork. Na-Nu Na-Nu 

To say that the American culture lost two prime cultural champions this week would be an understatement. The effect that Robin Williams and Lauren Bacall had on a variety of areas in this country probably cannot be measured. Over the next two blogs I will honor each of these larger than life personas and try to examine how they may impact your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption program. Today Robin Williams; tomorrow Lauren Bacall.

Where does one begin or even end with Robin Williams? His early work in standup comedy; his sitcom television performances; to his many guest appearances on TV variety shows; his incredible movie career – both live and animated; or even his well-known and very public struggles with substance abuse and depression. He was one incredible body of work. For almost any American who grew up in the 70s, we were introduced to Williams in the sitcom Mork and Mindy. His role as an alien allowed him to rift and comment on many human foibles. This was most thoroughly on display at the end of every episode when, in character as Mork, he would report back to his home planet of Ork on some aspect of terran culture. (Na-Nu Na-Nu)

This weekly communication informed both his home planet and us here on Planet Earth about ‘social norms’. I considered this form of communication when I read a recent article in the Wall Street Journal (WSJ), entitled “Venezuelan Firm Is Probed In U.S.”, by José De Córdoba and Christopher M. Matthews. They reported on a Venezuelan company, Derwick Associates (Derwick), who are under investigation by the Department of Justice (DOJ) and Manhattan District Attorney’s office. Derwick was reported to have been “awarded hundreds of millions of dollars in contracts in little more than a year to build power plants in Venezuela, shortly before the country’s power grid began to sputter in 2009”. Also under investigation is a Missouri based engineering, procurement and construction company, ProEnergy Services (ProEnergy), “that sold dozens of turbines to Derwick and helped build the plants”. The article reported that the DOJ’s “criminal fraud section are reviewing actions of Derwick and ProEnergy for possible violations of the Foreign Corrupt Practices Act”.

The article noted that this issue might have come to the attention of the DOJ and Manhattan DA through a lawyer at Derwick who voluntarily contacted federal prosecutors last year. Although it was not clear from the WSJ article if it was related to or even played a part in instigating the FCPA investigation, was information that Otto Reich, “the top State Department official for Latin America during the Administration of President George W. Bush, had filed a federal court lawsuit in 2013, alleging among other things that “Derwick and the company’s owners, among others, obtained contracts to build power stations in return for paying multimillion dollar bribes to senior Venezuelan officials.””

At least one of the basis of regulatory scrutiny was funding of a bribery scheme through overcharging for goods and services. The article reported “Federal prosecutors are scrutinizing the difference been prices ProEnergy charged Derwick for its equipment and the prices Derwick charged the Venezuelan government, a person familiar with the matter said. The person said that in some past FCPA cases, excessive margins were used to conceal bribes to pay foreign officials.”

Derwick, in a statement from its President Alejandro Betancourt, which was provided by its lawyer Adam Kaufmann, said, “Neither Derwick nor its principals have been contacted by any U.S. law enforcement agency.” Clearly this begs the question of whether the company has been contacted by any representatives of the US government who are not from a “law enforcement agency”. In a statement from ProEnergy, it declined to comment on any investigation.

Consider some of the information from this WSJ article. First is how did this case come to the attention of the DOJ? About all that can be said from the article is that Derwick did not self-disclose to the DOJ. However, given the relationship between the government of Venezuela and the US, is it really a surprise that large commercial transactions by US entities into Venezuela are scrutinized by the US government? Did the investigation come about from a whistleblower, i.e. the lawyer for Derwick? If yes, what is the legal obligation of lawyer to his or her client? What if the lawyer sees, observes or even inadvertently stumbles upon criminal activity? What if the lawyer removes documentation, which the lawyer believes demonstrates evidence of a crime?

I was also very intrigued by the information about investigators looking into pricing margins as indicia of corruption. One of the more increasing areas of FCPA scrutiny has been that of commission rates. This is because under circumstances, a high or unusual commission rate can be indicia of monies which are available by a third party, paid via commission, to use as a pot of money to pay bribes to foreign officials. If your typical commission is 5% or you have a range of 5% to 10%, but provide one third party a commission rate of 15%, this may be evidence that the unusual amount is being used as a mechanism to fund bribes.

However, simply focusing on the commission rate alone is too facile an inquiry. Even a commission rate below 5% can create quite an amount of money if the sales price is sufficiently high. In the energy industry, large service contracts or construction contracts can be huge, i.e. in excess of $1bn, and five percent of such an amount is a very large sum of money. It is, therefore, not unusual that in some contracts, the percentage commission will decrease with an increased contract price. The point is there is no one right or wrong commission rate. It will be a fact intensive inquiry.

Borrowing from a noted compliance practitioner, William Athanas, who has suggested an appropriate inquiry along the lines of the following: Where the third party requests a commission above the standard range, the policy should require a legitimate justification. Evaluating and endorsing such a justification requires three steps: (1) relevant information about the contemplated increased commission must be captured and memorialized; (2) requests for increased commissions should be evaluated in a streamlined fashion, with tiered levels of approval (higher commissions require higher ranking official approval); and (3) increased commissions are then tracked, along with the requests and authorizations, in order to facilitate auditing, testing and benchmarking. The point is there needs to be a well thought-out protocol, which is followed and well documented through the entire process.

Another insight that I gleaned from the WSJ article comes from the seller/customer relationship between Derwick and ProEnergy. ProEnergy is reported to have sold turbines to Derwick and have assisted in constructing the power plants. When your company sells a product to a customer, a compliance practitioner typically does not become involved in the negotiations over final pricing between your company’s customer and the end-user. ProEnergy may not have been concerned with the final pricing that Derwick charged their customer, the Venezuelan government. Indeed, the compliance function may not be involved with the commercial pricing between your company and its direct purchaser. This article may require you to change this posture. Was ProEnergy asked to reduce its price to Derwick so that Derwick could mark the price up enough to the Venezuelan government to create a pool of money that could be used to pay bribes? What if ProEnergy received its full listed price book rate but then Derwick charged a premium to the Venezuelan government?

Finally, what about risk? The WSJ article reported that Derwick’s President said “the company’s margins [with the Venezuelan government] were consistent with general industry practice and reflected the high financial risk taken on during a difficult time to do business in Venezuela.” If your company has a business opportunity that presents a high financial reward, is it necessarily because there is some high risk involved? That risk can be risk of getting paid, bringing the project in on time and within budget, political risk, weather-related risk or almost any other type of risk, but that risk might also be a corruption risk. While the WSJ article does not report on the size of the US Company involved in the inquiry, ProEnergy, it would seem that its commercial relationship with Derwick generated a large amount of income for the company. If your company has one of its largest contracts for work overseas, should there be compliance function review and scrutiny of the risks involved?

Are these inquiries that a compliance practitioner now needs to make? If so, how does a Chief Compliance Officer (CCO) make such an inquiries? I think Donna Boehme would say that it all begins with the compliance function ‘having a seat at the senior management table’ so that the CCO or compliance practitioner can be aware when some unusual business opportunity arises. Questions, questions, and more questions.

Na-Nu Na-Nu – this is the final report to Ork from Planet Earth. Na-Nu Na-Nu 

For a viewing of one of Mork’s reports to his home planet Ork, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 31, 2014

Lessons Learned from the Beautiful Game: Compliance, FIFA and the World Cup

World Cup e-BookThe 2014 World Cup is over and in the books. It was a great tournament for probably everyone across the globe but the host nation of Brazil. While there are many lessons to be learned from this event, the lead up to and events of this year’s World Cup provide some interesting insights for the compliance practitioner. I have collected some of my writings on FIFA, the World Cup and the world of the ‘Beautiful Game’ in one volume, entitled, “Lessons Learned from the Beautiful Game: Compliance, FIFA and the World Cup”. It is now out and available from amazon.com in Kindle e-reader format.

In this short volume I take a look at some for the following topics.

  • FIFA and its selection process for the 2022 World Cup in Qatar.
  • Performing due diligence and World Cup bids.
  • Referee Professionalism as an anti-corruption tool
  • What are some of the consequences for failure to set a proper tone-at-the-top.
  • Leadership lessons from managers of some of the world’s top soccer clubs.
  • Lessons learned from both compliance successes and failures.

I am sure that you will find this e-Book gives you some ideas for your anti-corruption compliance program, no matter which FIFA country you might practice compliance in. Finally, you cannot beat the price, as it is only $3.99. You can order a copy by going to amazon.com or by simply clicking here.

July 25, 2014

Code of Conduct, Compliance Policies and Procedures-Part IV

Policies and ProceduresThis is the fourth and final installment of my series on the the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. On Tuesday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I looked at how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures. Today, I will end the series on how to keep all of the above vibrant and dynamic through a discussion of how to assess, review and revise them and your Code of Conduct on a timely basis.

Simply having a Code of Conduct, together with policies and procedures is not enough. As articulated by former Assistant Attorney General, for the Criminal Division of the US Department of Justice, Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” In an article in the SCCE Magazine, entitled “Six steps for revising your company’s Code of Conduct”, authors Anne Marie Logarta and Ruth Ward suggest considering the following issues before you take on an update of your Code of Conduct.

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to create/revise a Code?

After considering these issues, the authors suggest that you should benchmark your current Code of Conduct against others companies in your industry. I would also add that your standards, policies and procedures should be reviewed and updated in the same manner. If you decide to move forward the authors have a six-point guide which they believe will assist you in making your revision process successful, which I have used as a basis to include revisions to your compliance policies and procedures.

  1. Get buy-in from decision makers at the highest level of the company 

The authors believe that your company’s highest level must give the mandate for a revision to a Code of Conduct and compliance polices and procedures. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

  1. Establish a core revision committee 

You should have a cross-functional working group would be ideal to head up your effort to revise your Code of Conduct and compliance polices and procedures. This group should include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. The authors emphasize that creation of a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

  1. Conduct a thorough technology assessment 

The cornerstone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” They believe that technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct and compliance polices and procedures revisions, you should determine if they will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code and compliance polices and procedures will only be available in hard copy.

  1. Determine translations and localizations 

The authors emphasize, “If your company does business internationally, then this step is vital to ensure you have one Code, no matter the language.” They do note that if you decide to translate your Code of Conduct be sure and hire someone who is an “approved company translation subject matter expert.” Here I would simply say to contact Jay Rosen at Merrill Brink, as those guys are the one of the top Language Service Providers and know what they are doing when it comes to translations. The key is that “your employees have the same understanding of the company’s Code-no matter the language.” 

  1. Develop a plan to communicate the Code of Conduct 

A rollout is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct and compliance polices and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct and compliance polices and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all thing compliance; the three most important aspects are ‘Document, Document and Document’. However you deliver the new or revised Code of Conduct, you must document that each employee receives it.

6.   Stay on Target 

The authors end by noting that if you set realistic expectations you should be able to stay on deadline and stay within your budget. They state that “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that to keep a close watch on your budget so that you do not exceed it.

These points are a useful guide to not only thinking through how to determine if your Code of Conduct, and compliance policies and procedure needs updating, but also practical steps on how to tackle the problem. If it has been more than five years since it was last updated, you should begin the process that the authors have laid out. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedure. They are certainly a first line of defense when the government comes knocking. The FCPA Guidance makes clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by considered, I think it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Moreover, as Allen emphasized, “having policies written out and signed by employees provides what some consider the most vital layer of communication.” Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 22, 2014

Code of Conduct, Compliance Policies and Procedures-Part I

Policies and ProceduresFor the remainder of this week, I will have a four-part episode on your Code of Conduct and anti-corruption compliance policies and procedures. In today’s post I will review the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I will review how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures and how to assess, review and revise them on a timely basis.

The cornerstone of a US Foreign Corrupt Practice Act (FCPA) compliance program is its written protocols. This includes a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws. 

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In each DPA and NPA over the past 36 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code. 

Stephen Martin and Paul McNulty, partners in the law firm of Baker and McKenzie, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally express its ethical principles. But simply having a Code of Conduct is not enough. So a second step mandates that very company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 21, 2014

World Cup Finale – Compliance Lessons to be learned from Success and Failure

World Cup 2014Over the past few weeks, I have written several articles on the lessons a compliance practitioner can draw from this year’s World Cup and the international group which runs the event, the Fédération Internationale de Football Association or more commonly know as FIFA. Over on my podcast site, the FCPA Compliance and Ethics Report, Mike Brown, the Managing Director of Infortal and myself have just concluded a 7 part World Cup Report, where we discussed issues surrounded FIFA and this year’s World Cup in the context of anti-corruption programs. Whatever else FIFA may be, it is certainly is a compliance practitioner’s dream for lessons learned on bribery and corruption.

The 2014 championship is over and Germany came through this year’s tournament as the clear victors. Over the past couple of weeks, I was lucky enough to see the current Queen/Adam Lambert Tour. They ended both concerts with We Are the Champions and I could not but help think of the German soccer team and indeed the entire German country, winning its first World Cup title since unification. And, of course, any discussion of Germany, its title and this year’s World Cup will have to include is absolute destruction of the Brazilian team and the hearts of the host country with its 7-1 uber-win in the Semi-Finals. How long will that game be remembered? My guess is as long as soccer is played.

While Argentina did have its shots at Germany in the finals, in order to win they were required to play a near perfect game, which, unfortunately for the team and the country, it failed to do in the finals. Does this mean that Messi is not the greatest player in the game today? I really do not know but I still love watching him play and that is good enough for me.

From all of this, the lessons for the compliance practitioner can be many but I wanted to focus on two leadership lessons: What can you learn from failure? and What can your learn from success? Losing first. In an article in this week’s issue of Sports Illustrated, entitled “And Then There was Ein”, Grant Wahl wrote about how Germany turned its national soccer program around from one of its most devastating performances in Euro 2000 where it finished last in its group and did not win a single match in the tournament. From that nadir, “the national federation teamed up with German clubs to overhaul the country’s youth development.” Players from this development program were instrumental in leading the 2014 German team to the 2014 World Cup win. In other words, the German soccer federation learned from its past mistakes and grew a team that became champions.

Contrast this lesson with Wahl’s take on Brazil. He quoted Alex Bellos who said the following, “What does it mean to be the five-time champion if you let in four goals in six minutes?… The world’s biggest footballing country hosting a World Cup, in front of their own fans, and were made to look like they couldn’t play football. And against a team that was playing with artistry and sophistication and happiness, all the thing that Brazil is supposed to play with. You couldn’t have devised a more devastating epitaph for the Beautiful Game.” Bellos went on to say, “Brazil’s week from hell revealed a nation satisfied with resting on past soccer achievements and unwilling to seek new ideas abroad.”

Just as lessons can be learned from failure they can also be learned from success. In this week’s Corner Office section in the New York Times (NYT), Adam Bryant profiled Kat Cole, the President of Cinnabon, in an article entitled “Questioning Success More Than Failure”. While thinking about Germany’s success in the World Cup I was intrigued when Bryant quoted Cole for the following, “I’ve learned to question success a lot more than failure. I’ll ask more questions when sales are up than I do when they’re down. I ask more questions when things seem to be moving smoothly, because I’m thinking: “There’s got to be something I don’t know. There’s always something.” This approach means that people don’t feel beat up for failing, but they should feel very concerned if they don’t understand why they’re successful. I made mistakes over the years that taught me to ask those questions.”

Both of these perspectives can be very useful for the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance practitioner. Just as it is axiom that your compliance program should not be static but dynamic and evolving, what are you learning from your compliance failures and compliance successes? Most lawyers and compliance practitioners can review root cause/analyses to help determine how a compliance failure might have arisen. But how many are looking at your compliance successes. By this I do not mean celebrating your compliance successes but performing the same type of root cause/analyses to determine how a fact pattern arose but was prevented from becoming a full-blown FCPA violation. If something came in through the hotline, did you interview the whistleblower about what caused them to have confidence to report in that manner? Did you look at the training delivered to the whistleblowing employee? How about their supervisor? Did you interview that supervisor to see how he or she got the message out to not only use the hotline but stress the message of no retaliation?

In her interview Cole put it another way when she said, “I learned to make sure I take the full authority of my role. When I haven’t, I knew it immediately. And so I keep a keen eye out for whether my young leaders are forgoing an opportunity to lead. Their intentions might be right but the action and outcome are wrong. I remind people that they were hired for their point of view: “I want 100 percent of your brain 100 percent of the time, and there is a respectful way to communicate and disagree. Please do not hold back, because I want 100 percent of my investment in you.””

For the compliance practitioner, I found Cole’s insights useful in other areas. Although given in the context of ambitious employees who might want to succeed at Cinnabon, I found them to be useful in compliance as well. “First, I talk about being incredibly coachable, because we all give each other feedback. If you want to move up, you’ve got to get as many inputs as possible to continue to develop. Second, take your development into your own hands and be curious about the entire company. If there’s something you want to learn, go learn it. The structure here is like a start-up. Then I talk about productive achievers and destructive achievers, and that I only promote and support productive achievers. And that’s about mentoring and helping others while you are delivering results.

Germany is the new king of the soccer world. Long live the King, at least until the next World Cup. The lessons that Germany took to heart in the wake of its disaster in Euro 2000 directly led to it hoisting the trophy this year. Conversely, Brazil rested on its considerable laurels and now must live with the ignominy of a 7-1 shellacking, probably for the rest of the country’s collective memory. For a compliance program to be effective it must evolve. As Wahl’s Sports Illustrated article makes clear, lessons can be learned and evolution made from failure. However, as Bryant’s Corner Office article interview of Cole makes clear as well, lessons can be learned from successes as well.

Perhaps that is the final lesson from the 2014 World Cup…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 4,893 other followers