FCPA Compliance and Ethics Blog

March 14, 2014

The Ides of March and Evaluation of Compliance Risk

Tomorrow, March 15, is enshrined as one of the most famous days of all time, the “Ides of March”. On this day in 44 BC, the “Dictator for Life” Julius Caesar was assassinated by a group of Roman noblemen who did not want Caesar alone to hold power in the Roman Empire. It was, however, this event that sealed the doom of the Roman Republic, as his adopted son Octavian first defeated the Republic’s supporters and then his rival Dictator Mark Antony and became the first Emperor of the new Roman Empire, taking the name Augustus.

One of the more interesting questions in any anti-corruption compliance regime is to what extent your policies and procedures might apply in your dealings with customers. Clearly customers are third parties and in the sales chain but most compliance programs do not focus their efforts on customers. However, some businesses only want to engage with reputable and ethical counter-parties so some companies do put such an analysis into their compliance decision calculus.

However, companies in the US, UK and other countries who do not consider the corruption risk with a customer may need to rethink their position after the recent announcements made by Citigroup Inc. regarding its Mexico operations.

In an article in the New York Times (NYT), entitled “Fraud Exposes Challenges for Citi in Mexico”, reporters Michael Corkery and Jessica Silver-Greenberg wrote about the troubles which have befallen “the bank’s “crown jewel” – a sprawling retail lender called Banamex.” Citigroup recognized there was risk in Banamex, even having, what the reporters said was, a “little black book” which was stated by one un-named top executive to be the “book of redlined clients” and was also described as “an informal tally of Mexican companies” that could imperil the company’s Mexican operations. The bank has come to grief with its involvement in a $400MM fraud “that was discovered last month highlights the limitations of that kind of culling, and more broadly points to the challenges of finding solid lending clients in a country where the line between big business and political cronyism can become blurred.”

While Citigroup blamed this problem on “bad luck and bad actors”, the article revealed a more complicated picture. The picture was one where “the bank had been placing large bets on a few risky corporate borrowers”. The $400MM loss involved an oil services company, Oceanografía SA de CV. But the bank also sustained other losses on loans made to building contractors: after a Mexican government policy shift “effectively killed the developers’ suburban projects”, they were not able to repay the loans.

Moreover, with regard to Oceanografía, the bank itself recognized the inherent danger of doing business with the entity. The article noted that Banamex has extended $585MM in short-term credit to a company that Citigroup itself had warned its own bond investors was “from time to time subject to various accusations, including accusations of corrupt practices.” Oceanografía is a company that provided construction, maintenance and vessel-chartering services to Pemex’s exploration and production subsidiary. However, as the article noted, “Oceanografía’s fortunes, however, changed sharply last month after it became the subject of a new government review that resulted in a suspension of government contracts to Oceanografía for the next 20 months. Banamex had advanced as much $585 million to Oceanografía through an accounts receivable program. The program was supposed to work like this: Banamex would advance money to Oceanografía to provide services to Pemex. The oil giant would then pay back Banamex, verifying invoices provided by Oceanografía to confirm that the work had been completed. In theory, Banamex was relying on Pemex’s ability to pay back the bank.”

Unfortunately for Banamex, much like the developers “which relied on government subsidies to finance their suburban developments, Oceanografía’s business relied on government contracts from Pemex. But when those ties were cut, the problems quickly surfaced. Shortly after the suspension of government contracts to the oil services company, Citigroup said it discovered the fraud at its Mexican unit, involving Oceanografía.”

These losses were coupled with the semi-autonomous relationship that Banamex had with its parent, Citigroup. The article stated, “the bank he [Mr. Medina-Mora] built has been considered something of a “black box” — a highly profitable but not especially transparent unit that was run with great autonomy by its leader, according to current and former bank executives. Sometimes, though, that autonomy rankled other executives in New York, the people said.” Citigroup denied that Banamex was semi-autonomous and in a statement in the article said, “We dispute assertions that the management team is autonomous.” Further, “While Banamex is a subsidiary of Citigroup, it is absolutely subject to the same risk, control, anti-money laundering and technology standards and oversight which are required throughout the company.”

For the compliance practitioner there are several lessons to be garnered from Citigroup’s reported problems and Julius Caesar’s demise on the Ides of March. In Caesar’s case, he wholly ignored the resentment that had been welling up in the Roman aristocracy for his high-handed action in becoming a Dictator. Even on the day in question, he dismissed his personal guard detail as he was going to the Roman Senate and finally, although he allegedly was handed a written communication warning him of his impending doom, he never took the time to read it. In other words, not only did he miss the red flags, he ignored specific warning signs and reduced his risk management capabilities by dismissing his security detail.

Similarly, as reported by the NYT, Citigroup would seem to have missed the warning signs about Oceanografía and if the NYT article is correct, might have actually internally ignored red flags while broadcasting them to bond holding investors. Lastly, whether the Banamex unit was semi-autonomous, as alleged in the article, or not as claimed by Citigroup’s statement, the point is that there must always be oversight. More than simply a ‘second set of eyes’ there should be internal controls which can be reviewed and vetted.

Finally, as noted in the article, the loans in question involved businesses that relied on government contracts, payments or some other form of support. While that may be of some comfort in developing countries, it can also be a source of risk. It also points to another analysis, which is not always considered, that being if a proposition is high reward, it is probably because it is also high risk in some area. While many companies can evaluate high financial risk and hope for attendant high financial reward, they also need to consider how a high corruption risk might factor into their analysis.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

March 13, 2014

Harriet Tubman and Navigating to Become an Ethical Company

March 10th was the 101st anniversary of the death of Harriet Tubman. She was one of the greatest conductors on the Underground Railroad, which took slaves out of the old south and up to freedom in the north and into Canada. I read about her as a child and her story always moved me. The one thing I remembered is that when traveling at night in the pitch darkness, she would feel for the moss growing on trees so that she would always know which way to travel. Moss grows on the north side of a tree so she would always be able to move her way north and to freedom for those she helped escape.

I thought about Harriet Tubman and her story of how she could determine which way to travel in pitch darkness when I recently read an article in the Ethisphere Magazine, entitled “Ethics By Example”, by Gary E. McCullough. In his article he gave some specific steps that a company can engage in to help foster and create an ethical culture which he has learned over the past 25 years from working for companies as varied as Procter and Gamble, Career Education Company and serving as an infantry officer in the US Army.

1.    Implement structure and clear expectations. 

McCullough suggests that you should create a mechanism that allows employees to address issues. In doing so, you should also be able to demonstrate both senior management and the company’s commitment to ethics and compliance. He recommends the following steps:

  • Set clear policies and expectations through your vision statement;
  • There must be strong education and training programs;
  • Metrics and measurement systems are a must;
  • A visible compliance structure within your company;
  • A confidential helpline for reporting issues with a stout no retaliation policy; and
  • A method to investigate and resolve complaints. 

2.    Ignoring infractions is not an option.

McCullough recognizes that company leaders face ongoing struggles to balance being too harsh or too lenient. If the former occurs, a leader can run the risk of demoralizing his team. If it is the latter, a leader can simply be run over by his or her troops. But a company leader must address infractions of your internal Code of Conduct, or other similar policies, or no employee will take it seriously. 

3.    Make ruthless decisions, but execute them with compassion. 

Leaders have to make tough decisions. McCullough counsels that no matter how difficult a decision might be, it should be delivered with compassion. In other words, no termination communicated by email. Tell people in person and then give them the assistance to help them move forward.

4.    Focus on the work. 

Channeling his inner Paul McNulty (he of McNulty’s Maxims), McCullough intones that the most critical thing is what you do after a problem arises. As McNulty might say, “What did you do after you found out about it?” Do not defend your past practices or say that everyone else does it but move forward to remediate the situation, fulfill your obligations and move forward. In the world of Foreign Corrupt Practices Act (FCPA) prosecution, it is clear from 2013 corporate enforcement actions that a company should remediate during the pendency of any FCPA investigation or enforcement action. Such remediation will go a long way in reducing the overall penalty, enhancing your credibility with the Department of Justice (DOJ) and helping to avoid the appointment of a corporate monitor.

5.    Be in alignment with your Board. 

McCullough believes that Boards share ownership of a company’s compliance function with the Chief Executive Officer (CEO), senior management and the compliance function. As such, the best accomplishments in compliance come when the Board, or a committee thereof, can bring a sustained outside perspective, methods and best practices to a company’s overall compliance regime.

6.    Instill it in the culture.   

I once explained a CEO’s role in compliance to a company executive and as I was going through various strategies, he looked at me and said, “You want me to be the ambassador for compliance.” I said that was exactly what I wanted him to do and it was the best description I have ever heard of what both McCullough and I believe a CEO can bring to the table. McCullough writes, “leaders must model the behavior expected from others. And when engaging with individuals, never let an opportunity pass to remind them of the company’s obligations to its stakeholders to always “do the right thing””. I could not have said it better myself.

McCullough’s points, while general in nature, are a good starting point for any compliance practitioner to review the overall nature of a company’s ethical and compliance health. For the compliance practitioner it provides some general, yet important points that they can discuss with a CEO or senior management about the company’s ethical direction. Much like Harriet Tubman’s ability to continue to move north on the Underground Railroad in pitch darkness, these guideposts will help your compliance program to move forward.


March 10, 2014

Compliance Leadership Lessons from Captain Kirk

As readers of this blog know, I am an über Star Trek maven. Last week, in Episode 41 of my podcast, the FCPA Compliance and Ethics Report, I visited with John Champion, one of the co-hosts of the Mission Log podcast. Mission Log will eventually review all of the Star Trek television episodes and movie franchise entries. John and his co-host Ken Ray began their journey in the summer of 2012 and have managed to get through all 79 episodes of the original Star Trek television series. They will next turn to the Star Trek movies, the animated television series, then to Star Trek – The Next Generation and on down the line of the world built by Gene Roddenberry.

I met John at the NMX Annual Conference earlier this year. I heard him talking about his podcast and checked it out. I also asked him if I could interview him for my podcast, specifically on the leadership lessons that a compliance practitioner might draw from the original captain of the Enterprise, James T. Kirk. John graciously took time out of his busy schedule to visit with me on leadership, Star Trek and his podcast, Mission Log.

Champion views the leadership style of Captain Kirk as one that greatly depends on the inputs from the group that surrounds him; specifically Lt. Commander Spock and the ship’s physician, Dr. Leonard McCoy (Bones). In other words, his senior management team. More insightfully, Champion noted that it is the interplay of these three characters, Kirk, Spock and McCoy that not only makes the television series work so well but it also informs what he termed the “leadership psyche” of ethos, pathos and logos.

In the Greek world, these three were believed to be the key to successful leadership. Ethos is the Greek word for ‘character’. Through ethos, a leader stands as an authority figure, through credibility, competence and/or special expertise. Pathos is the Greek word for both ‘suffering’ and ‘experience’. It is generally recognized as the more compassionate side of humanity. Logos generally refers to the more rational side of humans. The best definition I have found for logos is on the site, PathosEthosLogos.com, which says that “Logos is the Greek word for “word,” however the true definition goes beyond that, and can be most closely described as that by which the inward thought is expressed and the inward thought itself”.

In the original Star Trek, each of these three traits is identified with one character. Kirk, the ship’s captain, is the authoritarian figure. Spock, the half-human, half-Vulcan, subscribes to the Vulcan ideology of suppressing one’s emotions in favor of logic. Finally, Bones is the romantic of the three and clearly speaks for the Greek concept of pathos. Champion’s dissection of Kirk’s leadership is that he takes all three of these concepts and uses them in his analysis. While clearly, at the end of the day, the decisions are the final responsibility of Kirk, he does actively seek input from his trusted advisors before coming to his final choice.

For the compliance practitioner, this means that you should seek a wide variety of inputs for your decision-making calculus. The Machiavellian trait of seeking trusted advice from experienced advisors (Subject Matter Experts – SMEs) is certainly in play here. But incorporating these three very different concepts into the way you might think through an issue can help you to evaluate a greater range of considerations. Monitoring, auditing and similar oversight techniques can bring you the logical examinations through data. But data is, in the final analysis, a product of human actions so the data must be read with some measure of humanity or human character. Values are not numbers but how we assign actions to that raw data. Finally, the ethos must be taken into account. Obviously there must be an ethical component to any decision made, but ethos also speaks to the character of the decision. Was the decision made using all the facts that were, or should have been, available to the decision-maker?

I thought about Champion’s remarks when I read the New York Times (NYT) Corner Office column by Adam Bryant, entitled “When Ideas Collide, Don’t Duck”. In this article, Bryant reported on his interview with Jeff Lawson, Chief Executive Officer (CEO) of Twilio, a cloud communications company. Lawson spoke about all three Greek leadership concepts in his education in being a company head. From the ethos perspective, he spoke about his grandfather who built and sold a hardware company in Detroit. Then in his 70s, his grandfather took a job as a manufacturer’s representative, selling paint accessories to hardware stores that had previously been his competitors. His grandfather did this for another 20 years and when he died, Lawson said, “The Owner of every hardware store in Detroit came to the funeral. It was amazing.”

Lawson had another insight, which related to pathos and it revolved around feedback. He said, “This is especially important with millennial workers, who really want feedback. They want to always be learning, always be growing, and they’re looking for that constant feedback. It’s not that they’re looking for constant praise, but rather they want to keep score. They want to know how they’re doing.  Part of it is the short cycle of Internet feedback, and people who grew up with the Internet just expect quick feedback on things. That’s just part of the changing ethos, especially with younger workers. If you get into the habit of regular feedback, it’s not confrontational; it’s just the ebb and flow of conversation and a constant tweaking of how you work with somebody.”

Lawson incorporates the logos concept into his leadership set as well. He does this in the context of empowering employees to come up with new ideas but requires these employees to validate them to move forward. He said, “A lot of our values are about empowering employees. “Draw the owl” is a favorite. It’s based on the Internet meme of how to draw an owl. It says: “Step 1, draw some circles. Step 2, draw the rest of the owl.” That’s what it takes to be an entrepreneur — you have to put aside all the reasons you think you can’t do something or figure it out. Our job is to come in every day and take a vague problem that we don’t know how to solve and figure out the solution.”

Does art imitate life or does life imitate art? I am never too sure. But from my chat with John Champion, it is clear that even such a cultural marvel as Captain James T. Kirk can provide leadership lessons for the compliance practitioner.

If you have not yet done so, I hope you will go over and check out my podcasts at the FCPA Compliance and Ethics Report. I am up to Episode 41 and should have a couple more up this week. 


March 5, 2014

Overwhelmed? Planning and Execution in Compliance

What should you do when an event or series of events is so overwhelming that it staggers your ability to evaluate, plan and respond to it or them? I thought about that question when I read an article in the New York Times (NYT) about the role of the Mayor of Rio de Janeiro in the upcoming World Cup this summer and the 2016 Olympics, entitled “Rio’s Mayor, Shepherd of the City’s Rebirth, Feels the Strains, Too” by Simon Romero. In the article, the Mayor, Eduardo Paes, discussed the strains he is under in tearing down and then rebuilding his city in anticipation of the globe’s two greatest sporting events. He was quoted as saying “Don’t ever in your life do a World Cup and Olympic Games at the same time. This will make your life almost impossible.”

What if something happens in your company, corruption-wise, and your life as the Chief Compliance Officer (CCO) or compliance officer is turned upside down, much like Paes? My colleague Stephen Martin advocates having a 1-3-5 year plan in place to fall back upon. Martin believes that such a document would be an important item to produce to a prosecutor, who might be reviewing your compliance program in the event of a voluntary self-disclosure, a Dodd-Frank or other whistle-blower event, which has led your company to receive a subpoena or letter of inquiry or an industry sweep. He believes that such a strategic plan could well lead to the development of credibility for your company and your compliance program in the event of one of the aforementioned eventualities.

But, if you do have such a plan, how can you implement it in the face of something as overwhelming as is facing the current Mayor of Rio? In his book, “Achieving 100% Compliance of Policies and Procedures”, author Stephen Page discusses ‘Creating a Review and Communication Control Plan.’ In this section he sets forth several steps for the compliance professional to use in reviewing, creating and implementing updated compliance procedures. A review plan should be created to enable policies and procedures to “remain an integral part of the daily work lives of the target audience.” Page breaks down the process into three main categories: (1) General Review; (2) Ongoing Communications; and (3) Training Campaign.

The CCO or compliance practitioner should keep track of “external and internal events which may cause change to business process, policies and procedures.” He lists two examples of where new laws applicable to your business organization and internal events drive changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. In several Deferred Prosecution Agreements (DPAs) announced this year, the DOJ listed several different areas to review, including:

  1. Geography;
  2. Interaction with types and levels of Governments;
  3. Industrial Sector of Operations;
  4. Involvement with Joint Ventures;
  5. Licenses and Permits in Business Operations;
  6. Degree of Government Oversight; and
  7. Customs and Immigration. 

Communications of the overall policies and procedures should not be a single event but continuous and ongoing. In other words, do not simply post your new policy on your company’s business policy website and let it sit there for years. You should make the announcement of policy implementation more public and such communication should be followed up. Page gives several examples of how policies can be communicated.

  1. Via company-wide email;
  2. Posters placed throughout the physical facilities;
  3. Strategic placement of information on company bulletin boards;
  4. In company meetings; and
  5. In newsletters.

Finally, ongoing training is a key component of an effective compliance program. He recognizes that training is constrained by budgetary realities. However, there are various formats and media that can be used for training. These include small workshop groups, presentations at company-wide conferences, smaller departmental meetings, internal webcasts/video casts and training DVDs.

The author concludes by noting that a review plan “is a great tool” for the compliance analyst as it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes which are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game for compliance program upgrades and updates that Stephen Martin advocates.

Another approach is one articulated by Jan Farley, the CCO at Dresser-Rand, which basically is ‘don’t spread yourself too thin’. Jan’s comments also echo something that I believe is clear from the Guidance: Don’t focus on the small stuff. Indeed the Guidance states, “Thus, it is difficult to envision any scenario in which the provision of cups of coffee, taxi fare, or company promotional items of nominal value would ever evidence corrupt intent, and neither DOJ nor SEC has ever pursued an investigation on the basis of such conduct.” In other words, do not waste your compliance time, resources or energy around these small issues. However, if these small issues are a part of a larger systemic or long standing course of conduct that violates the FCPA, then the DOJ may well look into these issues. You will want to show the DOJ you are focusing on the “big stuff”.

The Guidance also makes clear that each company should assess its risks and manage its risks. The Guidance specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

Another approach was set out by Bruce Rector, in an article in the Houston Business Journal (HBJ), entitled “Strategic planning needs constant follow-up to be successful”. In the article Rector sets out steps to assist in utilizing a strategic plan. He recognizes that while a strategic plan can serve as guide for your company going forward, it must actually be utilized to garner any use out of it. Rector notes “if your company and management team have expended the time and resources to pull together a strategic plan, the next logical step is to follow up and keep things on track.” Revising Rector’s steps for the compliance practitioner I have set out the following.

  •  Review the Goals of the Strategic Plan. This requires that you arrange a time for the CCO and team to review the goals of the Strategic Plan. Rector advises that to the extent possible this should be done in person. The CCO should lead a discussion of the Strategic Plan and determine how this goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. Here Rector advises that the “Keep it Simple Sir”, or KISS method, is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed. Rector notes that any “plan must be specific with clear tasking and deliverables and a definite timeline for delivery.”
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. Simply having a time line is not enough. This means that the persons tasked with the responsibility of performing the tasks be clearly identified, by both the individual so tasked and the actual task they are assigned to complete. Accountability also includes a “follow-up mechanism to ensure that these vital goals are achieved.” This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
  • Schedule the Next Review of the Plan. Most interestingly, Rector recommends a review of the foregoing process on a weekly basis. While noting that this may seem time consuming, he believes that once the group assigned with this responsibility gets “into the rhythm, it can go smoothly.” While I would not necessarily agree that weekly meetings are required, Rector does correctly note that such regularity allows any problems which may arise to be detected and corrected more quickly than if meetings are held at a less frequent basis.

If you face a challenge as great as Mayor Paes, you will indeed need something to assist you in moving forward. While starting from scratch or implementing a compliance regime in the midst of an internal investigation or Foreign Corrupt Practices Act (FCPA) enforcement action can be daunting, the basic advice to put down a plan and follow that plan with reasonable actions and steps is solid advice. But keep in mind Jan Farley’s counsel as well and do not  spread yourself too thinly. Focus on your entity’s risk and then manage or, if need be, remediate your risk.


March 4, 2014

How Does the 20th Amendment Inform Your Compliance Program Incentives?

On this date in 1933, FDR held his first inauguration. It was also the final inauguration held in March before the passage of the 20th Amendment to the US Constitution that moved the inauguration date to January 20th. What was the reason the Constitution originally set an inauguration date in March, some six months after the November election? It is because a Roman Tribune’s annual term of office began in March, rather than in January. During this six month period, the old administration did not have much incentive to do anything that could benefit the incoming Presidential administration, if they were from different parties. That was the driving force for the 20th Amendment.

I thought about this dis-incentive when considering the question of how you could incentivize your senior management team so that they will integrate compliance into their business routine. Put another way, how can you measure compliance in senior management or evaluate it for the purposes of a bonus calculation? This issue has often been difficult to sustain in a company because the compliance evaluation of a senior manager or company leader is often viewed as too subjective. However, in a recent issue of the Compliance Insider magazine, put out by the Red Flag Group, I came across an article that directly addresses these issues and concerns.

The article was entitled “Integrating Your Compliance Programme Into the Variable Compensation of Executives”. The article was built around a case study of the Sorin Group, which is a healthcare multinational, and the company’s incentive program for its compliance regime. Interestingly, the reason the company created such an incentive program in the first place was to “influence actual behaviors, and not merely the consequences of any wrong doing that may occur.” With this premise, at the Sorin Group, compliance has been made an integral part of each manager’s performance objectives. Members of the company’s Executive Leadership Team (ELT) and the other leaders of all of its corporate functions and “business units are directly responsible for the culture, understanding, observance and adoption of the Sorin Code of Conduct, the Sorin United States and international compliance policies and procedures” and their respective health industry codes of practice.

Further, each of the different functions within the Sorin Group has adopted individual performance objectives specifically regarding compliance. The individualized “compliance objectives are agreed and documented every year for each function and senior manager, and form part of the process of continuous performance review (written reviews twice yearly) managed by Sorin’s human resources team. The responsible executive of each function or group is required to cascade each of the compliance obligations to those employees under them. This ensures that the whole company has compliance integrated into their variable remuneration.”

The company’s evaluation process includes the staff that report to each senior executive who are interviewed by the General Counsel (GC) or other member of the compliance function “to determine their adherence to the compliance objectives.” Additionally, “An assessment is performed alongside line managers and a member of the human resources team to determine whether the obligations have been met, and to what extent.” Lastly, this same system applies to the company’s Board of Directors and Chief Executive Officer (CEO).

The variable compensation awarded to an employee at the end of each year can be affected in two ways by his or her compliance evaluation. The first is for an entire group: “If a group fails to meet expectations for the specific objectives the executive and their whole team will miss out on the entire variable pay for that year.” But “If a group meets some expectations for the compliance objectives they will receive payment of the variable, with the amount dependent on the amount of objectives that have been met.” The same holds true for the individual within the group so that “if an employee fails to meet his or her compliance objectives, the whole bonus for that employee will remain unpaid.”

The article also gave some specific examples of compliance obligations that are measured and evaluated. This is an excellent list for the compliance practitioner to use in benchmarking a company’s compliance program in this area or instituting such an incentive compensation system for your company. They include the following.

For the ELT

  • Lead from the top – in your own conduct (lead by example) and in the decisions you take, to the resources and time you commit to compliance
  • Facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally
  • Support specific initiatives from the CEO, legal and compliance functions. 

For Department Heads

  • Demonstrate, facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally
  • Support specific initiatives from the legal and compliance functions
  • Ensure that all employees, agents and contractors directly or indirectly reporting to you fully complete all required training and communications in a timely manner
  • Provide full cooperation with investigations conducted by the compliance or legal functions of any alleged violation of compliance policies
  • Include the Chief Compliance Officer or another legal or compliance function representative in your management meetings at least twice per year, per geography
  • Identify instances of non-compliance and support compliance monitoring and reporting systems
    • Partner with compliance in resolving compliance issues.

For Country Heads of Sales

  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully reported all sales and marketing interactions with all HCPs (Health Care Professional) in a timely manner
  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully, promptly and accurately reported all expenses with HCPs on Concur. 

The article also speaks of five things to consider when developing such a compliance incentive program. (1) The program needs to be cascaded down the organization so that it applies to all levels in the company. (2) Include both a 360 degree review and mid-year review. (3) To truly incentivize senior management, the compliance objectives should be at least 25% of the overall discretionary bonus program. (4) Do not have simply ‘tick-the-box’ incentives but include subjective incentives.

As the final item to consider, the article says that you need to have SMART compliance objectives, which are defined as:

  • Specific: A specific objective has a much greater chance of being accomplished than a general objective. For example, don’t just say “ensure training has been completed by your team”; say:
    • Who: who needs to be trained?
    • What: what training objectives do you want to accomplish?
    • Where: identify a location for the training
    • When: establish a time frame for the training to be completed
    • Which: identify requirements and constraints for any training
    • Why: provide specific reasons, purpose or benefits of accomplishing the training objective.
  • Measurable: Establish concrete criteria for measuring progress toward the attainment of each objective you set.
  • Aggressive but attainable: When you identify objectives that are most important to the compliance function and the relevant business, employees are more likely to see the value in making them come true.
  • Realistic: To be realistic, an objective must represent something which you are both willing and able to work toward.
  • Timely: An objective should be grounded within a timeframe. 

The article ends with some insights into lessons learned by the Sorin Group in its rollout of the compliance incentive program. These lessons included the following:

  • Top down: If your ELT is truly on board you can make big leaps and not limit your compliance ambitions to incremental steps.
  • Personalize: The objectives should be more personal to each function and more granular.
  • Balance: Have qualitative judgments but couple them with concrete and – most importantly – objective and measurable key performance indicators.
  • Publicize: Talking about real company examples of its people makes the difference.
  • Be positive: Focus your company’s efforts on positive incentive behaviors. In other words, use both the stick and carrot.
  • Just do it: Stop talking the talk and start walking the walk.

The FCPA Guidance made clear that the Department of Justice and Securities and Exchange Commission expect incentives to be built into your best practices compliance program. The Sorin Group case study in Compliance Insider provides solid tips for the compliance practitioner on steps to take for his or her company’s compliance program. Is some of this subjective? Yes, it is, but that does not mean financial incentives cannot be written into the evaluation of any senior management to help guide ethical business practices.


February 27, 2014

Alfred the Great, GE and the Management of Third Party Risk

I am currently studying Medieval England including the reign of Alfred the Great. As you might expect with someone monikered as ‘The Great’ he is certainly considered right up there with the greatest Kings of England. Not only did he largely drive out the Viking invaders from his country but he also set the stage for the unification of England under one crown, for the first time since the days of Roman Britain under the Caesars. One of the innovations he developed was fortified towns, called burgs, from which to resist Viking raids and incursion. But more than simply walled cities for defense, within these fortified towns was a wide road running down the middle of the town called the ‘High Street’ and a street situated next to the town’s walls appropriately called ‘Wall Street’. These streets were wider than the others in the town to facilitate the movement of troops in the time of crisis, such as a Viking raid. In other words, Alfred evaluated the risk to his kingdom and put multiple layers of steps into place to manage those risks.

In the Foreign Corrupt Practices Act (FCPA) compliance world, one of the key components that the Department of Justice (DOJ) wants to see is a risk assessment and a company managing its risks, based upon said risk assessment. One company’s response to a risk or set of risks does not necessarily mean that another company must follow it. The DOJ’s Ten Hallmarks of an Effective Compliance Program are broad enough to allow companies to manage their own risks, hopefully effectively. I thought about this concept when I was listening to a presentation by Flora Francis and Andrew Baird of GE Oil & Gas at the 2014 SCCE Utility and Energy Conference in Houston this week on GE’s third party risk management. First of all, if you have the chance to hear a couple of nuts and bolts compliance practitioners from GE like these two speak, run, don’t walk, to their presentation. GE’s commitment to compliance is well known, and the company’s willingness to share about its compliance program is a great boon to the compliance community. Lastly, there is the gold-standard nature of the GE compliance program; while it may be more than your company needs to manage its own risks, the GE compliance regime does shine a light that we can all aspire to in our own compliance programs.

Both speakers made clear that GE’s program was the company’s response to its assessed risks. Further, the compliance program has evolved, not only as the company’s risks have evolved but also as the company has determined what works and does not work as well. Within the realm of third parties, the prescient question from compliance to the business unit would be ‘What is your “Go To Market Strategy” and how will your use of third parties assist you in carrying out that strategy?’ Some of the factors the speakers cited could include your company’s market coverage strategy, product segmentation, pricing and margin expectation, an added capability which your company may not possess such as technology, and finally there could be local legal requirements for a local content third party in certain countries.

Some of the factors which GE considers, when evaluating a third party, include the following: 

  • Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
  • In-house Capabilities: Do we already have the organization in place to handle these capabilities?
  • Overlap: Do we already have a third party in the region/country that can handle our needs?
  • Volume of Business: How much business will this third party bring to the company?
  • Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have the same commitment to compliance?
  • Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
  • Reputation: What is the third party’s reputation in the market? 

I was also intrigued to learn about the risk analysis process that GE uses with its third parties. Initially the process breaks the risks down into low risk and high risk. A low risk receives a limited review and analysis, while a high risk receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.

But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless I found them to be a very useful way to think about third party risk. The risk score drivers listed were:

  • Country channel where the third party is located in or where it sells into;
  • Experience by the third party with the sales channel;
  • Type of third party involved; agent, reseller, distributor;
  • Commission rate, is it standard v. non-standard;
  • Will any sub-third party relationships be involved;
  • Will the third party sell to government entity or instrumentality;
  • Do any of the third party’s principals, Officers or Agents work for a foreign government, state owned enterprise or political party;
  • Was the third party mandated by customer or the end user;
  • What is the third party’s contract duration;
  • Is the third party involved in more than one project;
  • Does the third party have any historical compliance issues;
  • What is the percent of sales with products or services; and
  • What is GE’s annual revenue with the third party?

GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and whether or not the company should move forward with a proposed third party. If the decision is made to move forward and create a commercial relationship, the third party must agree to commit to the compliance standards of GE; stay current with and obey all applicable legal and regulatory provisions; comply with all contractual provisions; grant to GE audit rights; agree to report any compliance violations; certify to all compliance requirements on a regular basis; receive and complete compliance training; and allow regular site visits. GE also requires each third party to have a relationship manager assigned to it who is there to establish ongoing communication, provide ongoing training and provide a platform for business improvement. Internally GE has processes in place to refresh due diligence; review, renew and update contracts as appropriate; and conduct regular site visits and periodic audits.

Flora and Andrew ended their presentation with the following quote from the US Sentencing Guidelines about the question – ‘When is Enough, Enough?’ When you can show the government agency asking that you have taken appropriate steps to design, implement, and enforce a compliance program that is generally effective in preventing and detecting criminal conduct.

Their presentation was an excellent mechanism for the compliance practitioner to assess their third party management program. Although they made clear that this program was not for all companies, there is enough meat present for anyone to use in evaluating where you might be and where you might need to go in management of your third parties. And just as Alfred the Great constructed a defense-in-depth in his fortified towns, so the GE program for the management of third party risk has several layers of protection so that when the crisis does arise, they can adequately respond when the government comes knocking.


February 25, 2014

Tales From the Crypt: Tale 2-Tough Choices for Tough Cookies

Ed. Note: today we continue our “Tales from the Crypt” series, which is penned by a couple of anonymous compliance practitioners who will write about some of the real world experiences that they have encountered. I hope that you will not only enjoy them but find them useful in addressing some compliance and ethics issues that you may face in your job.

Tough Cookie 1 has spent more than half of her 20+ year legal career working in the Integrity and Compliance field, and has been the architect of award-winning and effective ethics and compliance programs at both publicly traded and privately held companies. Tough Cookie 2 is a Certified Internal Auditor and CPA who has faced ethical and compliance challenges in a variety of industries and geographies and recently led a global internal audit team. Our series “Tales from the Crypt: Tough Choices for Tough Cookies” is drawn largely from real life experiences on the front line of working in Integrity & Compliance, and personal details have been scrubbed to protect, well, you know, just about everyone…

Do As You’re Told

Rule # 2 in the integrity and compliance field is that “Management Override is alive and kicking,” and all you worker bees better “do what the boss says” or else. Of course, those of us senior level professionals see it for what it really is – “Management Override” is the world’s oldest risk and is the Achilles’ Heel of Fraud Prevention due to its cycle of dysfunction:

  1. Economic conditions cloak poor management decisions;
  2. Staff competency is suppressed in favor of “executive decision-making;” and
  3. “At will” employment rules rescue dysfunctional managers from accountability.


Even the strongest corporate or personal codes of ethics oftentimes cannot penetrate this bubble of deception without the backing of strong, courageous leadership and a rock solid culture of integrity.

On her first day on the job for a small, privately-held freight trucking company (The Company), the controller was invited to a meeting between the owners of the Company and their bankers. Surprise! The Company had been planning to factor their accounts receivable as a cash flow stop gap and meetings with the bankers were well on the way to closing the arrangement. While factoring can be a savvy way to tighten the cash flow cycle, it is not a panacea for businesses that do not have strong cash management. The invitation for “Management Override” to come calling was firmly in the Company’s grasp. As the days and weeks went on, the controller realized that this small trucking company was undergoing significant expansion, adding warehouse and dock locations, backed with additional equipment and administrative staffing. They were also adding more drivers, mostly owner-operators, and company-owned trailers. The growth was financed with the Company’s receivables because it did not require a personal guarantee from the owners.

As with most receivables financing contracts, terms provide the lender with the most favorable accounts receivable.  The business was quickly running out of available cash to borrow.

The controller also identified another problem, collections on the accounts receivable.  The receivables aging reflected many old, unpaid invoices that were excluded from the borrowing base and the Company had no experienced collections staff.  Customers were mainly small “mom & pop shops” who did not feel compelled to pay for freight on merchandise they had already received.  The controller pressed the owners for a new customer approval process based on a credit review and received approval to hire an experienced collections clerk, and we began to see cash flow in from the efforts.

Some customers did not appreciate the outstanding debt reminders and complained to the sales team.  Concerned with growth and freight tonnage rather than cash, the owners directed the controller to cease collection activities and lay off the collections clerk (“at will” to the rescue!).

Uncontrolled spending continued until the borrowing base was at a maximum with invoices and payroll pending.  The owner approached the controller one morning and asked her to make changes to the accounts receivable ledger, changing names of customers that were an “excluded” class in the borrowing base so that they would appear to be valid within the borrowing base.  “For example,” the owner said, “change Yellow Freight to Yellow Mining and Manufacturing.” Refusing to compromise her integrity, the controller declined to follow the owner’s instructions, advising that the change was “unethical and illegal.”  Later that week, the Company used the “at will” provisions to relieve the controller of her duties for having “insufficient experience.”

Needless to say, the cycle of deception self-destructed, and approximately a year later, the Company filed Chapter 11 bankruptcy, and eventually Chapter 7.

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors shall not be responsible for any loss sustained by any person or entity that relies on this publication. 

February 24, 2014

Commitment to Compliance: the Compliance Committee

Sunday was the 69th anniversary of the most iconic photo of World War II, at least from the American perspective. Of course it was the raising of the American flag at Mt. Suribachi on Iwo Jima. To say that one photo cannot change the lives of those pictured is belied by this image. The photographer, Joe Rosenthal, won a Pulitzer Prize for the photograph. While three of the six flag-raisers died fighting on Iwo Jima, one survivor, Rene Gagnon, appeared during half time at the 1969 Orange Bowl; Ira Hayes was immortalized in songs by both Johnny Cash and Bob Dylan; and the last remaining flag-raiser, John Bradley, died in 1994.

I once tried a lawsuit in Harlingen County, Texas, where the name of one of the flag-raisers, Harlon Block, is inscribed in the Memorial to the county’s deceased war veterans on the courthouse square. The Judge of the trial used it as an example of civic duty and, years later, when I read James Bradley’s book, “Flags of Our Fathers”, about his father John Bradley and the men who raised this flag, I learned that the Judge in my trial was one of 16 high school seniors from Harlingen High School who all volunteered for enlistment on the same day. Harlon Block was one of the Judge’s classmates and they volunteered together. I am still moved when I think of that story.

One of the commitments I believe can enhance a compliance program is the creation of a compliance committee. As far back as the 2005 Monsanto Corporation Deferred Prosecution Agreement (DPA), the compliance committee concept appears to have found favor with the Department of Justice (DOJ). In Appendix B to the DPA, Monsanto agreed to, among other things, “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or a Compliance Committee. Later, this concept was used in the settlement of Halliburton’s shareholder action around its Foreign Corrupt Practices Act (FCPA) enforcement action.

The Monsanto DPA provides guidance on this point by stating “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction;” this would indicate that senior management should be involved in the Compliance Committee. It would also indicate that more than one department should be represented on the Compliance Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments and Business Unit Operations.

The Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual suggests the following language in its proposed form of Compliance Committee Charter:

The compliance officer shall have ultimate responsibility for operating the compliance program, with the support and assistance of the compliance committee. The committee shall consist of ### members, representative of each major department or area. The committee may appoint ad hoc members, each to serve at the pleasure of the committee, to assist and advise the committee in carrying out this charter. While the ad hoc members of the committee are not entitled to vote on matters formally considered by the committee, the ad hoc members shall be entitled to call a meeting of the committee and, further, to have any matter included on the agenda of any meeting of the committee. The committee shall designate the proper manner for calling meetings and the setting of agendas thereto.

 The compliance officer and committee shall retain a direct line of communication with and a direct reporting responsibility to the board of directors, executive committee, and CEO.

In the November/December issue of the SCCE Compliance & Ethics Professional magazine, Donna Boehme wrote an article entitled “Building a horse and not a camel: The compliance committee”, in which she cautioned that “More often than not, a [compliance] committee that is conceived with all best intentions evolves into something less than ideal: (a) a team of micromanagers that routinely substitutes its judgment for that of the CCO; (b) a source of unnecessary red-tape and ‘make-work’ for the compliance function, (c) a filter between the CCO and the governing body.”

To remedy these potential pitfalls, Boehme recommends three rules for building an effective compliance committee.

  1. The compliance committee should have a clear, written charter that sets out the functionality, goals, and parameters of the group, along the lines discussed above.
  2. The CCO should chair a committee of her peers: senior-level officers in a position to make decisions and marshal resources.
  3. The compliance committee should be periodically reviewed for effectiveness and adjusted as necessary to meet the stated goals of the charter.

One of the things Boehme makes clear is that “every compliance structure should be fit-for-purpose.” In other words, if your company’s highest compliance risk is third party relationships, I think you should focus your compliance committee resources on that issue. The scope of this was not fleshed out in the Monsanto DPA. However, it suggested that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with any third party. While this would most necessarily focus on FCPA compliance, there should also be a commercial component to this function.

To this end, a compliance committee should review all documents relating to the full panoply of a third party’s relationship with a US company. This would begin with a review of any initial requests to engage a new third party. The information presented to the compliance committee would include a Business Unit’s request to engage the third party, the costs and benefits. The next step would be to review the due diligence and all background investigative materials on the prospective third party.

The compliance committee should receive copies of, and approve, all due diligence and background investigative materials before a contract is executed with a third party. Particular attention should be paid to the form of the contract. If there are deviations from the company’s standard form of agreement, with regard to the FCPA compliance issues, there should be a full explanation by the third party or Business Unit. The compliance committee should determine if the company is taking on any unwarranted FCPA compliance risk if non-standard FCPA compliance terms and conditions are used.

After the commercial relationship has begun, the compliance committee should monitor this relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations on the third party with at least a minimum of a Level One Due Diligence and higher levels of Due Diligence based upon an appropriate risk rating. There should be an evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third parties. All FCPA compliance training should be reviewed and certifications confirmed. The compliance committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. As with all things FCPA the three most important words here are Document, Document and Document. If you cannot produce documentary evidence to the DOJ of your annual review and its findings, it is of no use to your company.

In addition to the above remedial review, the compliance committee should review all payments requested by the third party to assure such payments are within the company guidelines and are warranted by the contractual relationship with the third party. Lastly, the compliance committee should review any request to provide the third party with any type of non-monetary compensation and, as appropriate, approve such requests.

The compliance of a third party is one of the key tools that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the FCPA. The proper structure of the compliance committee and its full engagement with all aspects of a company’s relationship with a third party is one of the areas that the DOJ will look for in a successful FCPA compliance program.

A compliance committee is a key tool, which can be utilized by a company to manage its relationships with its third parties. Its use has been commented upon favorably by the DOJ through its citation in the Monsanto DPA. A Compliance Committee does not replace any of the other key components of an effective FCPA compliance program but it does provide an additional level of protection, back-up and transparency for all deals with a third party. It should be employed by US companies as an additional protection against any type of FCPA compliance and ethics violation “slipping through the cracks” to become a much larger problem down the road.

But take Boehme’s cautionary words to heart, that the guiding principles of a compliance committee should be that it helps and does not hurt your overall compliance efforts going forward. And then use the raising of the flag on Iwo Jima to think about commitment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 14, 2014

Tales from the Crypt-Rule No. 1 ‘Nothing is as it Seems’

Ed. Note: today we begin a series by a couple of anonymous compliance practitioners who will write about some of the real world experiences that they have encountered. I hope that you will not only enjoy it but find it useful in addressing some compliance and ethics issues that you may face in your job.

Tales From the Crypt: Tough Choices for Tough Cookies

Tough Cookie 1 has spent more than half of her 20+ year legal career working in the Integrity and Compliance field, and has been the architect of award-winning and effective ethics and compliance programs at both publicly traded and privately held companies. Tough Cookie 2 is a Certified Internal Auditor and CPA who has faced ethical and compliance challenges in a variety of industries and geographies and recently led a global internal audit team. Our series “Tales from the Crypt: Tough Choices for Tough Cookies” is drawn largely from real life experiences on the front line of working in Integrity & Compliance, and personal details have been scrubbed to protect, well, you know, just about everyone…

Nothing is as it Seems

Fans of the hit show NCIS know that Agent Gibbs has countless “rules of engagement” from “Rule # 11 – let it go when the case is closed” to “Rule #5 – don’t get personally involved.”  The following scenario  leverages Rule #1 in the Integrity & Compliance field – Nothing, absolutely nothing, is as it seems.

Whether new to the field (a “probie”) or a seasoned veteran to Integrity & Compliance, you’ll agree that you quickly learn that there are at least three sides to every story (even if there are only 2 “players”), and it is your job to be politically savvy enough to uncover hidden agendas, and rapidly become not only a highly skilled listener, but also be part cop, part advocate, part HR professional, all rolled into one.  I often tell people that 80-90% of what I do boils down to common sense paired with great communication skills. Good communicators understand the needs of and cater their communications to their audience.

The following tale from our crypt is about harassment, and how good communication skills are critical to avoiding harassment in the workplace.  Simplified to its basest element, harassment truly is in the eye of the beholder – what might offend one person won’t offend another.  It’s the actor’s duty to ensure that he or she is aware of their audience, and doesn’t cross the line in word or deed to offend or cause undue stress.  In other words, cater your words and deeds to your audience, intended or otherwise, with sincerity and respect, and the battle is nearly won.  In the legal sense of harassment, the “eggshell plaintiff” rule is the perfect analogy   – it doesn’t matter if the kick to the leg (conduct) was a mere tap that wouldn’t even bruise someone else.  If the person receiving the kick has a weakness in their leg (perceives harassment) that causes it to break (feels victimized – the eggshell plaintiff), the kicker has a duty to make amends.  In the corporate world, it’s also the supervisor’s duty to take proactive steps to prevent reoccurrence if someone does cross the line, and cultivate a sincere desire to respect others in the workplace.

I recall an incident that took place at a factory – the helpline call came in, indicating that a certain fellow was “incessantly harassing” the caller during her shift (second), and she was requesting that his shift be changed to third shift so she could avoid being harassed any further.

Fact 1: the caller was a woman (side 1)

Fact 2: the implicated party was a man (side 2)

Fact 3: the two parties worked second shift (undisputed common ground)

Everything else in the call gives rise to the “third” side of the story.  We proceeded with our investigation, as the caller was “generous” enough to provide her identity as well as the alleged harasser’s identity.  Our first order of business, of course, was to interview both parties.  The caller was interviewed first. Her story was one of his relentless harassment, from daily cat calls to interrupt her work, leaving suggestive notes at her work station, removing and not replacing her critical tools, and spoiling her lunch by pouring soda in her lunch box.  We asked her if there was anyone who could verify her claims, witnesses to the incidents she described.  Her response was “no, he always does things to me when no one else is around to witness them.”

We then interviewed the implicated party – the man. We first asked him to describe, in his own words, his “relationship” with the caller, after advising him that a helpline call came in implicating him and the caller (without telling him the nature of the complaints). He proceeded to break down in front of us, visibly relieved at the opportunity to speak, and commenced to reveal a story of a whole year of terrorization by the caller against him, since the day he started working at the factory. We learned from him that the caller had applied for his job but was passed over as unqualified. He believed that she had been making his life miserable as an act of revenge for the job she coveted and felt she deserved as a tenured employee. When asked why he never brought it to our attention, he said he felt he had no recourse, since her hostility did not precisely fit the harassment definition in the training he had received in the past year. He was also embarrassed that he hadn’t been able to handle it quietly on his own.

As we did with the caller, we asked him if there were any witnesses to this behavior, and he referred us to several co-workers who had work stations near his.  We interviewed them as well, and his claims of bullying and hostility were confirmed by every single one, with specific incidents instigated by the caller provided freely by the witnesses.   We advised our victim to make us immediately aware of any subsequent incidents following our interviews.

The challenge is that harassment is usually thought of in terms of prohibited workplace behaviors related to legally “protected classes,” such as race, gender, sexual orientation, ethnicity, religion and the like.  In this case, the gray area is bullying – where a co-worker creates a hostile work environment not based on any protected class under the law or a colleague does and says things interpreted as demeaning and demoralizing without giving rise to legal recourse.  This is where harassment training often falls short, and absolutely needs to rise above the letter of the law and address the spirit of the code of conduct for your organization.  You have to consider the types of behaviors being demonstrated and what they “communicate” to the audience.  If your company values statement includes “respect for people,” as many do, any behaviors that give rise to a hostile work environment, regardless of a protected class or not, are a violation of your company standards and you need to address them as a Key Performance Indicator (“KPI”) for the people involved without delay.  If your values statement does not include “respect for people” and your harassment training does not include situations and scenarios of bullying and hostility, perhaps it’s time you thought about updating them.

Ending workplace bullying is an urgent matter, and the work is never done – you must continually address bullying and hostility on a frequent basis to sensitize your people to your expected standards.  In this instance, the caller clearly was in the wrong, and the implicated party was a victim.  We put the caller on probation, advising her that a repeat occurrence would not be tolerated.  We changed the equipment that she was working on to another station that was on the opposite end of the factory floor, and modified shift breaks and lunchtimes so that neither party would have occasion to cross paths unless done so intentionally.  We refreshed our communications on workplace conduct and respect to include sessions on bullying and hostility that does not fall under a protected class, and we asked the plant manager to speak to it at his next line meeting with all his managers.   We urged our employees to “speak up” and “make the call” if they witnessed activities that they believed demonstrated a lack of respect.  We did everything we thought we needed to do to correct the situation, and validated our response with our more than ample resources, guidelines and legal counsel. 

Done and done? Hardly…  A few weeks later, I saw the HR manager and asked how things were going between the caller and her “victim.”  I was shocked to learn that the victim committed suicide two weeks earlier, apparently because our caller had renewed her bullying with fevered intensity, incensed that she had to learn a new piece of equipment, and couldn’t have her lunchtime with her buddies, “because of him.”   The day following the fellow’s suicide, the caller did not return to work, and our efforts to find her were fruitless as she had moved out of town, with no forwarding address.   I was, to say the least, devastated.  Regardless of the letter of the law, bullying and workplace hostility is something you cannot ignore, and must be addressed without delay.

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors shall not be responsible for any loss sustained by any person or entity that relies on this publication. 

© Thomas R. Fox, 2014

February 13, 2014

What is the Role of An Apology In Anti-Corruption Enforcement?

What is the most famous apology in literature? Plato’s Apology for Socrates certainly is in the conversation. In addition to presenting Plato’s views on his teacher, it is believed to be the most authentic account that has been preserved of Socrates’ defense of himself as it was presented before the Athenian Council. I thought about the change in the meaning of an apology in modern times whilst reading an article in the New York Times (NYT) DealBook column over the past few weeks on the subject of apologies.

This exploration of apologies began with two DealBook articles earlier this month. One was a guest article, entitled “Calling for an Apology Cease-Fire”, by Dov Seidman, founder of LRN, who has been tracking apology trends for many years. The second was by Andrew Ross Sorkin and was entitled “Too Many Sorry Excuses for Apology”. Seidman laid out the problem as follows, “I am also offended because there are some authentic, legitimate apologies that are sent forth into the world. But bad apologies drive out good, so that those who take their apologies seriously, and work tirelessly to live up to them, are dismissed along with the drivel. Apologies can and should be hugely important actions and mechanisms, blessed with enormous power and lasting impact. But they must be two-way exchanges of trust and healing that are open and transparent. It is because I mourn the loss of the genuine apology that I propose an apology cease-fire.”

Sorkin viewed the problem from a slightly different angle when he wrote, “But what should you do when you don’t think you should apologize but everyone else does? You know the situation: Leaders “apologize” but clearly don’t mean it because they don’t think they should be apologizing in the first place. They apologize to gain some good will from the public rather than defend the behavior that is being criticized.”

Seidman finds that most apologies today do not provide any substance behind them. He said “our values have been so distorted that most people – and I’m considering both prominent apologizers and the rest of us – operate as though the purpose of an apology is to get out of something with the minimum pain and suffering possible. So you tell the aggrieved party you’re sorry – that you regret stepping on their foot, stepping on their self-confidence or stepping on their insurance policy. They accept mechanically, and we all move on.”

Seidman believes there are five essential characteristics of an authentic apology and they are: 

  • They must be painful. If an apology doesn’t create vulnerability and isn’t therapeutically painful, it’s not an apology at all.
  • They must be authentic and not an excuse. An apology can’t have ulterior motives or be a means to an end.
  • They must probe deep into the personal or organizational values that permitted the offense. Apologizers need to conduct a “moral audit” by looking themselves in the mirror and asking, “How did I get here and how did I drift from the person I aspire to be?”
  • They must encourage feedback from the aggrieved. This includes truly opening up to input and two-way conversation during and after an apology, and embracing ideas as to how to improve.
  • They must turn regret into a real change in behavior. The new behaviors they elicit must be continuing, reinforced by a sustained investment in avoiding the same mistakes in the future.

I often use what I characterize as McNulty’s Maxims on questions that would be asked by a regulator in any Foreign Corrupt Practices Act (FCPA) enforcement action: (1) What did you do to prevent it?; (2) What did you do to detect it?; and (3) What did you do when you found out about it? I find that Seidman’s prescriptions for an authentic apology resonate with McNulty Maxim Number 3, which in many ways is the most important maxim. Did your company move forward to remediate the issue that caused the FCPA violation? What steps did you take? Did you terminate those responsible? Were there any internal penalties against senior management or the Board that oversaw the conduct in question? Was your company accountable?

Seidman ends his piece by suggesting that there be a new “apology metric” to determine how authentic and how effective an apology is over time. He states, “Let’s commit to demanding more from business and public figures — and from ourselves — when contrition is being pursued. It will not be easy. But by returning to a search for redemption that accepts its difficulty, we can rediscover its real possibility. I invite you to join me in continuing both a personal and public exploration of the authentic apology. Let’s hold ourselves accountable for restoring the value of a precious and noble commodity.”

Sorkin, coming at his piece from his reporter hat, proposes a complementary approach. He has started an “Apology Watch” on the DealBook website and on Twitter using the hashtag #ApologyWatch. It is his hope that DealBook “readers will participate by helping us track new apologies and, more important, follow up on what companies, institutions and individuals have done post-apology.”

Should an apology be a part of any settlement of a FCPA enforcement action? If not, when is an apology appropriate for a corporate leader when his or her company admits to violations of the FCPA, UK Bribery Act, Chinese domestic anti-bribery laws or other similar anti-corruption regimes? Indeed, are there simply too many insincere apologies being made by corporate executives? I think that the answer falls within McNulty’s Maxim No. 3. For if your actions belie your words, it probably means that your words have no meaning and indeed are simply empty words. If that is true you may well end up with what Seidman portends, “For those caught in an empty apology, the results could be expensive and embarrassing.”

