FCPA Compliance and Ethics Blog

February 12, 2013

The HP Acquisition of Autonomy – Lessons Learned for Doing Compliance ‘By the Book’

Doing something ‘by the book’ means more than following a process. It means following that process during high-stress times. One of the things that I think gets missed when discussing compliance programs is the need for rigor in the process. By this I mean not only that your process needs to be robust but that you need to follow that process even in very extraordinary circumstances. Further, if you deviate from your compliance process you should document the reason for doing so. A compliance emergency is not the time to depart from the well-thought-out process that you use at all other times. One of the things that appears to have gotten Wal-Mart into trouble over its Mexican subsidiary’s actions is that when allegations of bribery and corruption bubbled up to its corporate office, the standard investigation protocol was overridden and a completely new and different investigation protocol was put into place: a protocol which had the persons accused of bribery and corruption investigating themselves. Can you guess what the result was?

Similarly, the ongoing news about Hewlett-Packard Co.’s (HP) acquisition of Autonomy Corp. (Autonomy) and its attendant fall-out provides similar lessons for the compliance professional. As reported by Ben Worthen and Justin Scheck in the Wall Street Journal (WSJ) article entitled “Inside H-P’s Missed Chance To Avoid a Disastrous Deal”, HP did not follow its own internal protocol for acquisitions in the period leading up to its purchase of the British company Autonomy. Additionally, HP’s actions and decisions before and after the acquisition probably steered the deal into, at a minimum, a very difficult path to success.

New Leadership

In 2010, HP decided to bring in someone little known in Silicon Valley to run the company: Leo Apotheker, who had headed the German company SAP. However, little noted at the time was the change in the Board of Directors, where “H-P simultaneously got a new board chairman, also a software specialist: Ray Lane, a venture capitalist and former president of Oracle Corp. Soon after, four H-P board members didn’t stand for re-election, and five new members arrived.” In other words, a majority of the top leadership positions in the company changed in a very short time.

Apotheker immediately made clear his desire to purchase one or more software companies. However, the Board of Directors’ “finance committee scotched one, and negotiations to buy the other fell apart over price. A frustrated Mr. Apotheker told Mr. Lane, “I’m running out of software companies,” said a person familiar with the conversation.” This led HP to take a look at Autonomy.

Board Protocol

Another change for HP in the pre-acquisition process regarding the Autonomy deal related to Board of Directors oversight. It came about because Apotheker had two major initiatives early in his tenure. One was to divest the company of its PC-manufacturing business. The second was to purchase Autonomy. These initiatives were considered so large and complex that the Board of Directors split itself into two separate groups to evaluate each proposal. So only half the Board was looking into the details of the Autonomy deal. Further, “H-P’s normal procedures require the board’s finance committee to review and approve deal proposals before they reach the full board. That didn’t happen with the proposal to acquire Autonomy, said people familiar with how the board proceeded.” While the split of the Board of Directors eased some logistical issues such as scheduling meetings, it provided Apotheker with “more opportunities to lobby for a deal, said people familiar with the board’s activities.”

Red Flag Raised (or not)

One of the things that HP’s Board of Directors was surprised by during the due diligence process was “how little detail about the target firm’s finances became available. Autonomy allowed a review of financial statements and about 25 sales contracts. H-P also wanted the “working papers,” or original financial material, underlying Autonomy’s audits. Autonomy declined to provide them, citing U.K. corporate-takeover rules that require companies to disclose the same documents to all potential suitors.” While it is never the case that an acquiring company gets to review everything that it wants to during due diligence, reviewing only 25 sales contracts for a company on which you are about to spend over $8 bn does seem a rather thin sample of financial data. Moreover, some of the members of the HP due-diligence team “said they were reassured, to some extent, by Autonomy’s being a public company that had been audited for years.” Autonomy’s UK audit firm was Deloitte.

But even Deloitte raised red flags with HP, however weakly. At one point, people from HP and KPMG, HP’s audit team for the acquisition of Autonomy, spoke by telephone with the Deloitte team. Someone at Deloitte “mentioned that about a year earlier, an Autonomy finance executive had alleged improper accounting at Autonomy, according to people familiar with the call. Three of these people said Deloitte mentioned the issue briefly and added that a review had found the allegation to be baseless. The H-P team didn’t investigate further, one of the people said, and didn’t share the information with either Mr. Apotheker or H-P’s board.” The article claims that “Neither Mr. Apotheker nor the directors ever heard such an allegation during negotiations, according to several people either close to the CEO or knowledgeable about the board. Said one: “There were zero red flags raised about this company during the whole process.””

Loss of Steam

The WSJ article referred to the lack of enthusiasm that some members of senior management at HP had for the Autonomy transaction. For instance, “Chief Financial Officer Cathie Lesjak said an acquisition would batter H-P’s balance sheet, using up its cash and incurring debt, said people familiar with the conversations.” Pretty profound when you think about it now. But beyond the Autonomy debacle, the Board of Directors was becoming equally uneasy with Apotheker’s desire to cut the heart out of the company by getting rid of the PC-manufacturing business. So just after the Autonomy purchase, the Chairman of the Board, Mr. Lane, “spoke to senior H-P executives and found a near-universal view that their CEO wasn’t right for the job. In late September, 35 days after the agreement to buy Autonomy and 11 months into Mr. Apotheker’s tenure, the board dismissed him.”

This meant that the person who had shepherded the deal through the company was gone. Apotheker had not only pushed for the deal but said he had plans for how to integrate Autonomy into HP and make it work. He was quoted in the WSJ article as saying, “”We had concrete and ambitious plans on how to integrate and leverage the Autonomy acquisition,” Mr. Apotheker said. “But I was gone by the time the deal closed.”” This led Mike Lynch, the head of Autonomy, to claim that HP’s intention to integrate and sell Autonomy software after the transaction never came to pass. “Within weeks, Mr. Lynch told the new H-P CEO, Ms. Whitman, in an email that when he discussed with H-P’s server unit the idea of selling Autonomy software along with H-P hardware, he received a “very negative response.””

The End

Whitman and other HP executives went to the UK to try to figure out what went wrong with the transaction, the integration or both, and two weeks later Lynch was fired by HP. Within weeks of the Lynch firing, HP said that “the company heard an allegation from an Autonomy executive that Autonomy manipulated its numbers. That set in train the process that led to H-P’s November write-down and allegation of improper accounting by the software firm.” Now the US Department of Justice (DOJ), the Securities and Exchange Commission (SEC) and the UK Serious Fraud Office (SFO) are all investigating the allegations that Autonomy manipulated its books and records.

Lessons Learned

I understand that you never have enough time to perform all the pre-acquisition due diligence that you might like to, whether it is financial or compliance. However, several clear lessons stand out for the compliance practitioner from this matter. The first, and foremost, is to establish your pre-acquisition protocol not while you are acquiring a company but beforehand. If you normally require approval from the full Board of Directors, keep that requirement in place and do not cut your approval to one-half of the Board because you have two large matters to digest. Second, if a red flag is raised, you should clear it, not the person or entity that brings you the information. The third is to have a post-acquisition plan in place and, to the extent you can do so under the circumstances presented, follow it.

All three of the above suggestions would seem to be the perfect description of ‘by the book’. My father was in the US Navy during World War II and Korea. He is also an engineer. Those two backgrounds would seem to make him as strong a candidate for ‘by the book’ as possible. But he was also a believer in information, analysis and documentation. The reason: he believed that if you did not study it, you could not document it; if you did not document it, you could not analyze it; and if you did not analyze it, you could not improve it. So document, document and then document everything you do from the compliance perspective, and use that information to create a better book, but only if the information and your analysis thereof warrant it.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want to discuss the 10 points listed as the “Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has included in Deferred Prosecution Agreements (DPAs) since at least November 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been?

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In that enforcement action the DOJ listed 15 points in its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that, depending on a variety of factors such as size, type of business, industry and risk profile, a company should determine what is appropriate for its own needs regarding an FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words, you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’, company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required; it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one overriding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, what a company does after an allegation is made is just as important. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is: what did you learn from the allegation and investigation, and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what they expect not only in the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform an FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10, and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime; so assess your company’s risks and use these hallmarks as a basis to move forward.


© Thomas R. Fox, 2013

January 20, 2013

Tribute to Stan The Man and 11 Rules for Compliance Success

Today we honor Stan ‘The Man’ Musial, who played 22 seasons for the St. Louis Cardinals (1941–1963) and who passed away on Saturday. Musial was a record 24-time All-Star selection and is widely considered to be one of the greatest hitters in baseball history. He compiled 3,630 hits. He also amassed 475 home runs during his career, was named the National League’s Most Valuable Player (MVP) three times and won three World Series championship titles. Musial was a first-ballot inductee to the Baseball Hall of Fame in 1969. I actually got to see Musial play at the old Colt Stadium, where the Houston Colt 45’s played before the Astrodome was built and before they became the Astros. My father grew up in Tulsa listening to the St. Louis Cardinals and so passed on his passion for the Cards to me. We could even listen to the Cardinals on the radio in Houston, as the uber-powerful AM station KMOX broadcast throughout the Midwest and South. Because of this anomaly I am still a fan of baseball on the radio. So today we celebrate one of the very greatest baseball players of all time.

In the 60s I was given a long-playing album about hitting, narrated by Musial. It came with a book whose pages you turned while Stan The Man taught you how to hit. While it might have talked about his unique corkscrew stance, phenomenal eye-hand coordination or bat level when swinging at an off-speed pitch, the one thing I have remembered throughout the years was practice and practice and practice. That is how Musial became one of the greatest hitters of all time.

I was reminded of this when I read an article in this month’s Inc. magazine entitled “The Rules” by authors Adam Bluestein, Leigh Buchanan, Issie Lapowsky and Eric Schurenberg. In the article the authors interviewed some of the world’s top entrepreneurs “as well as thinkers from business schools to come up with 11 nuggets of hard-earned wisdom and meticulously researched insight” or, as the magazine’s cover promised, “11 Rules for Success”. I believe that they are a good review for any Chief Compliance Officer (CCO) and present an entrepreneurial way to think about an overall best practices compliance program.

  1. Do less - Evan Williams, the co-founder of Twitter. Williams believes many things are actually distractions and leaders lack the perspective of focus. I liked this insight from Williams: “When you are obsessing about one thing, you can reach insights about problems that are hard to solve.” As a CCO, you need to step back and take a look at your overall compliance program on at least an annual basis.
  2. Embrace accidents - Tony Hsieh, the Chief Executive Officer (CEO) of Zappos. Here Hsieh is referring to serendipity. I would use the old football adage that when preparation meets opportunity, luck arises. Hsieh believes that if you make enough contacts, at some point you will be able to ‘connect the dots’ to create something spectacular. Talk to other compliance professionals, go to conferences and events, have dinner with your peers when you are traveling, talk-talk-talk to others in the profession. You never know when one of their experiences may help you.
  3. Choose your playing field - Roger Martin, the Dean of the Rotman School of Management and co-author of Playing to Win: How Strategy Really Works. Martin believes that you must have more than just aspirations or even vision, you must have a strategy. I think this is why my colleague Stephen Martin says it is so important to have a 1 and 3 and 5 year plan for your compliance program. As Roger Martin puts it “The heart of strategy is defining where you are going to play and how you are going to win.”
  4. Fail - Arianna Huffington, the co-founder and Editor-in-Chief of the Huffington Post. Huffington says that she learned from her mother that failure is a “stepping-stone to success, as opposed to the opposite of success. When you fail that way, it changes dramatically what you’re willing to do, how you’re willing to invent and the risks that you’ll take.” In other words, learn from your failures.
  5. Let others lead - Michael Useem, Professor at the Wharton School. Useem emphasizes that leadership is “a team sport.” You should endeavor to build leadership in the ranks of your organization “by empowering people to independently make good decisions.”
  6. Slow down - Danny Meyer, founder and CEO of Union Square Hospitality Group. Meyer believes that a company should move slowly and deliberately. With his business he believes that this strategy allowed his company to “develop a soul”. But more than this, it allowed his business to make a name for itself with its customers because they came to know not only what it sold but, more importantly, what it stood for. In this world the life of innovation is quite short, so Meyer believes that the product differentiator is how a business does something rather than what it sells.
  7. Emphasize steady progress - Teresa M. Amabile, Harvard Business School Professor. Amabile studied a large number of employees and found that on their most productive days “they were able to move forward in their work, even if it was just an incremental step forward.” She believes that managers must pay attention and see if employees are making steady progress and if not, why not. She asked, “Do they have clear goals and autonomy about how to pursue those goals? Do they have sufficient resources?”
  8. No tricks - Phil Libin, founder of Evernote. Libin believes that you should play to both your strengths and weaknesses. Do not hide behind what he termed “false choice.” Be honest and let investors and your Board of Directors know the truth. By doing so he believes that you will build more durable relationships.
  9. Stop thinking about yourself - John Mackey, co-founder of Whole Foods. Mackey believes that you need to step back and look at the big picture. For Mackey this came when he recognized that his company’s Board of Directors not only had a fiduciary duty to the shareholders but was also a stakeholder in the company. His advice to entrepreneurs is to “think about your business and all the relationships it has. You have to develop a feeling for who your stakeholders are and figure out how to make them all winners.”
  10. Don’t discount the role of luck - Michael Mauboussin, investment strategist at Legg Mason Capital Management. In a somewhat counter-intuitive analysis, Mauboussin believes that you should look not only at companies that succeed but also at those that fail. This is because if you only look at companies which succeed, you will miss those which employed the same strategy but failed. He believes that by recognizing alternative outcomes, and the role of luck, you can keep “your mind open to other possibilities, so you can manage or mitigate them.” This means that you can learn from compliance failures as well as compliance successes. Foreign Corrupt Practices Act (FCPA) enforcement actions usually provide significant information on what got a company into FCPA hot water, and this is information that you can learn from.
  11. Don’t be immune to new ideas - Bob Metcalfe, founder of 3Com. Metcalfe believes that “If you have an ongoing business, it’s hard to innovate, because innovation likely threatens what you have.” But he emphasizes that if you are standing still, it is likely that not only are other companies catching up to you, they are also passing you in the business world. In the compliance world, the concept of best practices is constantly evolving. As anti-corruption and anti-bribery compliance programs and criteria evolve, today’s ‘enhanced compliance obligation’ may be tomorrow’s best practice.

The Inc. article provided some interesting insights into what made some of the world’s top entrepreneurs very successful. You might see how these insights could help you improve your compliance program. And while it doesn’t have quite the same rhyming scheme as Paul Simon’s Mrs. Robinson, here’s to you Stan ‘The Man’ Musial. I hope that you enjoy an inning or two at the great game in the hereafter.


© Thomas R. Fox, 2013

August 14, 2012

Pfizer DPA Part III – What Does It All Mean?

Last week I began an exploration of the Pfizer Deferred Prosecution Agreement (DPA), announced that same week by the Department of Justice (DOJ) in connection with its settlement of Foreign Corrupt Practices Act (FCPA) violations. In Part I, I reviewed the Corporate Compliance Obligations, Attachment C.1. In Part II, I reviewed the Enhanced Compliance Obligations, Attachment C.2, and the Corporate Reporting Obligation, Attachment C.3, which Pfizer agreed to implement and operate under. In Part III, I will discuss some of the implications raised by the Pfizer DPA for the compliance practitioner.

Below is a comparison chart of the minimum best practices compliance program as set out in the Panalpina DPA (and all DPAs going forward) with the minimum best practices compliance program as set out in the Pfizer DPA. While the number of compliance obligations is somewhat different, when read in conjunction with the Enhanced Compliance Obligations of Attachment C.2, there is no significant difference. Therefore, as a first step, the compliance practitioner must read the Corporate Compliance Obligations and the Enhanced Compliance Obligations in conjunction with each other.

CORPORATE COMPLIANCE COMPARISON CHART

Panalpina Minimum Best Practices

  1. Code of Conduct. To ensure against FCPA violations.
  2. Tone at the Top. A company will ensure that its senior management provides visible support and commitment to its corporate anti-corruption policy.
  3. Written policies and procedures. Should be created in the following areas: (a) gifts; (b) hospitality, entertainment, and expenses; (c) customer travel; (d) political contributions; (e) charitable donations and sponsorships; (f) facilitation payments; and (g) solicitation and extortion.
  4. Risk Assessment. Perform a risk assessment and use it to inform your compliance program. See also 9(b), the internal and confidential reporting system.
  5. Annual Reviews. No less than annually, a company should review and update as appropriate to ensure continued compliance program effectiveness.
  6. Senior Management Oversight and Reporting. Assignment of one or more senior corporate executives for implementation and oversight of the compliance program; they shall report to the Board of Directors.
  7. Internal controls. These should include financial and accounting procedures which ensure that the company has accurate and fair books and records, which cannot be used for or to conceal bribery.
  8. Training. A company shall effectively communicate its compliance program through training and annual certifications.
  9. Advice and Guidance. The Company should establish or maintain an effective system for: (a) providing guidance; (b) internal and confidential reporting; and (c) responding to such requests and undertaking appropriate action in response to such reports.
  10. Discipline. A company shall institute appropriate disciplinary procedures to address violations of the compliance policy or anti-corruption laws.
  11. Third Party Reps. (a) Properly documented risk-based due diligence and regular oversight of agents and business partners; (b) informing agents and business partners of the compliance standards; and (c) seeking a reciprocal commitment from agents and business partners.
  12. Compliance terms and conditions. Should be included in every agent agreement.
  13. Ongoing Assessment. Periodic review and testing of the compliance program to evaluate it and improve the program’s effectiveness.

Pfizer 9 Point Corporate Compliance Program

  1. Clearly articulated corporate policy against FCPA violations.
  2. Promulgation of compliance standards and procedures designed to reduce the prospect of violations of the anti-corruption laws and Pfizer’s compliance code.
  3. Assignment of one or more senior corporate executives for implementation and oversight of the compliance program. They shall report to the Board.
  4. Effective communication of the compliance policies, including training and certification of training.
  5. An effective system for reporting illegal conduct or violations of the company anti-corruption program.
  6. Appropriate disciplinary procedures.
  7. Appropriate due diligence for retention and oversight of agents and business partners.
  8. Standard compliance terms and conditions in contracts, including (1) representations and undertakings regarding anti-corruption compliance; (2) right to audit; and (3) right to terminate for breach thereof.
  9. Periodic testing of the Pfizer compliance code and anti-corruption procedures.


In addition to a Chief Compliance Officer (CCO) and Risk Officer (RO) who will report directly to the Chief Executive Officer (CEO), there were further specified requirements for compliance leads to be appointed with responsibility for each of the business units, who would in turn report to the CCO and RO or the General Counsel (GC). Finally, similar to the situation we observed in the Halliburton settlement of its shareholder derivative action, Pfizer will have an Executive Compliance Committee, which will sit below the Board of Directors to oversee Pfizer’s compliance program.

The Enhanced Compliance Obligations require that Pfizer maintain policies and procedures regarding gifts, hospitality, and travel in each jurisdiction that are appropriately designed to prevent violations of the anti-corruption laws and regulations, presumably tailored to each jurisdiction. This statement would seem to focus on reasonableness not only in terms of monetary value but also in factoring in the jurisdiction where the gift or hospitality is to be provided. Finally, and as always, travel and training must have a business purpose.

There was a very detailed plan laid out for a risk-based program of annual proactive anti-corruption reviews of high-risk markets. It consists of five markets which are at high risk for corruption because of the business and location. The specifics for each visit will be a useful guide for the compliance practitioner to compare with similar work done by his compliance group. It includes (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training; (b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments, to individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.

Interestingly, the DPA specifies that Pfizer will maintain “significant” resources for the compliance function. These significant resources will be dedicated to several different types of compliance tools, including (a) an international investigations group charged with responding to and investigating anti-corruption compliance issues and ensuring that appropriate remedial measures are undertaken after the completion of an investigation; (b) an anti-corruption program office providing centralized assistance and guidance regarding the implementation, updating and revising of the FCPA Procedure, the establishment of systems to enhance compliance with the FCPA Procedure, and the administration of corporate-level training and annual anti-corruption certifications; and (c) a mergers and acquisitions (M&A) compliance team designed to support early identification of compliance risks associated with complex business transactions and to ensure the integration of Pfizer’s compliance procedures into newly acquired entities. There was a slightly different time schedule listed for Pfizer to complete post-acquisition auditing, training and implementation of the Pfizer compliance program into the acquired company. I have added it to my recent FCPA M&A Box Score Summary.

Time Frames

FCPA Audit
  Halliburton 08-02: (1) High Risk Agents - 90 days; (2) Medium Risk Agents - 120 days; (3) Low Risk Agents - 180 days
  J&J: 18 months to conduct full FCPA audit
  DS&S: As soon “as practicable”
  Pfizer: One year

Implement FCPA Compliance Program
  Halliburton 08-02: Immediately upon closing
  J&J: 12 months
  DS&S: As soon “as practicable”
  Pfizer: One year

Training on FCPA Compliance Program
  Halliburton 08-02: 60 days to complete training for high risk employees, 90 days for all others
  J&J: 12 months to complete training
  DS&S: As soon “as practicable”
  Pfizer: One year

While there was no new language regarding risk evaluation, due diligence on, or other management of third party business partners, the DPA did specify that when it is appropriate on the basis of a FCPA risk assessment, the company will provide FCPA and anti-corruption training to relevant agents and business partners, at least once every three years.

The company is also to use annual certifications from senior managers in each of Pfizer’s Business Units, Divisions, and operational functions confirming that their standard operating procedures adequately implement Pfizer’s anti-corruption policies, procedures and controls, including training requirements; that they have reviewed and followed up on any issues identified in FCPA trend analyses; and that they are not aware of any FCPA or other corruption issues that have not already been reported to the Compliance Division or the Legal Division.

There is a wealth of information in the Pfizer DPA and other documents relating to its resolution of these FCPA issues. I would commend all the documents to you to read and see what areas your company may need to look at more closely and how these Compliance and Enhanced Compliance Obligation Attachments may provide insight into areas where you might be lacking or need to enhance your compliance program and coverage.  These enhanced obligations could well become the new minimum best practices in the FCPA compliance arena.

August 12, 2012

Pfizer DPA Part II – Enhanced Compliance Obligations and Corporate Compliance Obligations

Last week I began an exploration of the Pfizer Deferred Prosecution Agreement (DPA), announced that same week by the Department of Justice (DOJ) in connection with its settlement of Foreign Corrupt Practices Act (FCPA) violations. In Part I, I reviewed the Corporate Compliance Obligations, Attachment C.1. Today we review the Enhanced Compliance Obligations, Attachment C.2, and the Corporate Reporting Obligation, Attachment C.3, which Pfizer agreed to implement and operate under. In Part III, I will discuss some of the implications raised by the Pfizer DPA for the compliance practitioner.

I. Attachment C.2 – Pfizer’s Enhanced Compliance Obligations

In addition to the minimum best practices, as set out in Attachment C.1 – Corporate Compliance Obligations, Pfizer agreed to the following additional compliance obligations:

A. In General. Pfizer will maintain the appointment of a senior corporate executive with significant experience with compliance with the FCPA, including its anti-bribery, books and records, and internal controls provisions, as well as other applicable anticorruption laws and regulations (hereinafter “anti-corruption laws and regulations”) to serve as Chief Compliance and Risk Officer, who will have reporting obligations directly to the Chief Executive Officer. The company will maintain the appointment of heads of compliance with responsibility for each of its business units (“BU Compliance Leads”) who have reporting obligations through the Chief Compliance and Risk Officer or General Counsel. There will be an Executive Compliance Committee to oversee Pfizer’s compliance program.

The company will maintain gifts, hospitality, and travel policies and procedures in each jurisdiction that are appropriately designed to prevent violations of the anti-corruption laws and regulations. Further, and at a minimum, these policies and procedures shall contain the following restrictions regarding foreign government officials, including but not limited to public health care providers, administrators, and regulators: (i) Gifts must be modest in value, appropriate under the circumstances, and given in accordance with anti-corruption laws and regulations, including those of the government official’s home country; (ii) Hospitality shall be limited to reasonably priced meals, accommodations, and incidental expenses that are part of product education and training programs, professional training, and conferences or business meetings; (iii) Travel shall be limited to product education and training programs, professional training and education, and conferences or business meetings; and (iv) Gifts, hospitality, and travel shall not include expenses for anyone other than the relevant officials, unless different standards are required by local law or regulation.

B. Complaints, Reports and Compliance Issues. The company will maintain “significant” resources for the compliance function. It shall have (a) An international investigations group charged with responding to and investigating anti-corruption compliance issues reported on a global basis and ensuring that appropriate remedial measures are undertaken after the completion of an investigation; (b) An anti-corruption program office providing centralized assistance and guidance regarding the implementation, updating and revising of the FCPA Procedure, the establishment of systems to enhance compliance with the FCPA Procedure, and the administration of corporate-level training and annual anti-corruption certifications; and (c) A mergers and acquisitions compliance function designed to support early identification of compliance risks associated with complex business transactions and to ensure the integration of Pfizer’s compliance procedures into newly acquired entities.

Lastly, the company must maintain its mechanisms for making and handling reports and complaints related to potential violations of anti-corruption laws and regulations, including, when appropriate, referral for review and response by internal audit, finance, legal, compliance and other personnel as appropriate, and will ensure that reasonable access is provided to an anonymous, toll-free hotline as well as to an anonymous electronic complaint form, where anonymous reporting is legally permissible.

C. Risk Assessments and Proactive Reviews. Pfizer will continue to conduct a risk-based program of annual proactive anti-corruption reviews of high-risk markets. These FCPA proactive reviews are designed to identify anti-corruption compliance issues, examine compliance procedures and controls as implemented in the field and identify best practices to be implemented in additional markets. In doing so, Pfizer will identify markets which are at high risk for corruption because of the business and location. Five of these will be identified and reviewed annually. Each review shall contain, at a minimum: (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance and, when appropriate, Legal Divisions who have received FCPA and anti-corruption training; (b) Where appropriate, participation in the on-site visits by qualified auditors; (c) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with and payments to individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (d) Creation of action plans resulting from issues identified during FCPA proactive reviews; these action plans will be shared with appropriate senior management, including when appropriate the Chief Compliance and Risk Officer, and will contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (e) Where appropriate, feasible, and permissible under local law, review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.

D. Acquisitions. The Company will continue to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence has been conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition of a new business for reasons beyond Pfizer’s control, or due to any applicable law, rule, or regulation, Pfizer will continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments or falsified books and records as required by the company’s reporting obligations found in Attachment C.3. Pfizer will ensure that Pfizer’s policies, standards and procedures regarding anticorruption laws and regulations apply as quickly as is practicable, but in any event no more than one year post-closing, to newly-acquired businesses, and will promptly: (a) Train directors, officers, and senior managers, and those employees working in positions involving activities covered by Pfizer’s policies regarding anti-corruption and compliance with the FCPA, and, where necessary and appropriate, agents and business partners; and (b) Include all newly-acquired businesses in Pfizer’s regular anti-corruption auditing schedule.

E. Relationships with Third Parties. Based upon its internal risk assessment, the company will conduct risk-based due diligence of sales intermediaries, including agents, consultants, representatives, distributors, and joint venture partners. Such due diligence will be conducted prior to the retention of any new agent, consultant, representative, distributor, or joint venture partner and for all such sales intermediaries will be updated no less than once every three years. At a minimum, such due diligence shall include: (a) a review of the qualifications and business reputation of the sales intermediaries; (b) a rationale for the use of the sales intermediary; and (c) a review of relevant FCPA risk areas.

Where due diligence of a sales intermediary raises a serious red flag, the relevant information shall be reviewed by personnel from the compliance or legal divisions who have received FCPA and anti-corruption training. Where appropriate and where permitted by applicable law, the company will include appropriate compliance terms and conditions in each contract with such third parties.

F. Training. The company will provide biennial training on anti-corruption laws and regulations to directors, officers, executives, and employees working in positions involving activities covered by Pfizer’s policies regarding anti-corruption and compliance with the FCPA. The company will provide enhanced FCPA training for all internal audit, financial, compliance and legal personnel involved in FCPA proactive reviews or anti-corruption due diligence related to the potential acquisition of new businesses, if not already qualified and experienced. When it is appropriate on the basis of a FCPA risk assessment, the company will provide FCPA and anti-corruption training to relevant agents and business partners, at least once every three years.

The company shall maintain a system of annual certifications from senior managers in each of Pfizer’s Business Units, Divisions, and operational functions (at the market or regional level, or the reasonable equivalent) as appropriate, confirming that their standard operating procedures adequately implement Pfizer’s anti-corruption policies, procedures and controls, including training requirements, that they have reviewed and followed up on any issues identified in FCPA trend analyses, and that they are not aware of any FCPA or other corruption issues that have not already been reported to the Compliance Division or the Legal Division.

II. Attachment C.3 – Corporate Compliance Reporting

Here Pfizer agreed to produce an initial report and two follow-up reports during the pendency of the DPA. These reports will set forth a complete description of its FCPA and anti-corruption related remediation efforts to date, its proposals reasonably designed to improve the policies and procedures of Pfizer for ensuring compliance with the FCPA and other applicable anti-corruption laws, and the parameters of the subsequent reviews. The two follow-up reports will incorporate any comments provided by the DOJ on the Initial Report, to further monitor and assess whether the policies and procedures of Pfizer are reasonably designed to detect and prevent violations of the FCPA and other applicable anti-corruption laws.

These enhanced obligations could well become the new minimum best practices in the FCPA compliance arena. You should take a look at these obligations and compare them with your program to see where you might be lacking or need to enhance your compliance coverage.

© Thomas R. Fox, 2012

July 26, 2012

The Role of a Board in Compliance and Ethics: How We Arrived and Where We Are Going

Yesterday, the Houston Astros traded Wandy Rodriguez, the last remaining member of the 2005 National League (NL) champs. The Astros have traded away their five ‘top’ players over the past three weeks, coincidentally turning in a sterling 2-20 run. Whoever they got for their top talent sure has not helped very much. The Astros now sit in dead last place in wins and losses in the current Major League Baseball (MLB) standings at 34-64 with a .347 winning percentage. This translates into a 105 loss season, which is actually a one-win improvement over last season’s 106 losses. But our new owner keeps telling us he has a plan. It’s pretty obvious that it is to have the absolute lowest payroll so he can service the mountain of debt that he incurred from purchasing the team. And did I mention that the Astros are moving to the American League (AL) next year? At least then we will no longer be the worst team in the National League…

I thought about my beloved Astros and what their Board of Directors might think about all of this; that is, if they had a Board of Directors. For instance, would a Board of Directors throw in the towel for being competitive in not only this season but for at least three more just to save some money? But the Astros do not have a Board, they only have an owner, so a special thanks to Jim Crane for not only selling out by agreeing to send up to the AL but for ending any chances of the Astros being in the playoffs anytime soon.

Fortunately, US public companies do have a Board of Directors, and these same Directors have a role in their company’s Foreign Corrupt Practices Act (FCPA) compliance program. Corpedia, in a recent White Paper entitled “The Importance of Board Oversight: The Role That Directors Play in an Organization’s Ethics and Compliance Program”, detailed why a Board of Directors has a role in a company’s FCPA compliance program and provided some guidance as to its views on what may constitute “appropriate Board oversight”.

Responsible Corporate Officer Doctrine

The duty began with the formulation of the Responsible Corporate Officer Doctrine by the US Supreme Court. Under this Doctrine, officers and directors could be held liable under the following three conditions. First, the person in question occupied a position of responsibility and authority in the corporation. Second, the individual in question had the power to prevent the violation of law. Third, the person failed to do so. Although the Doctrine was originally narrowly focused, it has been expanded to other areas of the law such as the Sherman Act, securities laws and environmental laws.

Delaware State Court Cases

In the Caremark decision, the Delaware Court of Chancery held that, as a part of a Board’s duty of good faith, directors have an obligation to ensure that a corporate information and reporting system exists. This was followed up by the case of Stone v. Ritter for the proposition that there is “a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists.” Lastly, there is the case of In re Walt Disney Company Derivative Litigation, from which can be drawn the principle that directors should follow the best practices in the area of ethics and compliance.

US Sentencing Guidelines

One can also look to the US Sentencing Guidelines and the Department of Justice (DOJ) Prosecution Standards for guidance as to the obligations of a company’s Board regarding FCPA compliance. These began with the Sentencing Reform Act of 1984, which led to the first sentencing guidelines for corporations. These were modified and evolved under the 2004 Amendments to the Organizational Guidelines and the 2010 Amendments to the Sentencing Guidelines. Under these versions a Board must exercise reasonable oversight of the effectiveness of a company’s compliance program. Additionally, the DOJ has added guidance for the prosecution of corporations. In the DOJ US Attorneys’ Manual (2009) it posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program?; and (2) Are Directors provided information sufficient to enable the exercise of independent judgment?

What Constitutes Appropriate Board Oversight?

Corpedia ends its White Paper with suggestions about what types of information a Board of Directors should periodically receive. First and foremost are reports of “suspected misconduct and of the company’s responses to those allegations.” Next, Boards should be involved with the approval process for creation of or amendment to the company’s Code of Conduct and related policies. In addition to those areas, Corpedia suggests that a Board receive information on the following:

  1. The structure and resourcing of the company’s compliance program and whether the Chief Compliance Officer (CCO) has sufficient authority to implement the program.
  2. The structure of the company’s reporting system and the company’s policies regarding response to such misconduct.
  3. The types of compliance training that employees receive.
  4. The company’s risk assessment process and results and the methods developed by the company to prioritize and address the risks identified.
  5. The audit program for the compliance program and investigation protocol for substantive violations.
  6. The perception of whether the company has a culture of compliance, whether employees fear retaliation for reporting violations and whether the employees believe that the company is truly committed to compliance.

The Corpedia White Paper provides a good review to understand the legal and statutory basis for a Board of Directors’ obligations under the FCPA. Too bad the Houston Astros did not have a similar group looking after the interests of the Astros stakeholders.

Errata-the Astros’ record over the past three weeks is 2-22 not 2-20.

© Thomas R. Fox, 2012

July 15, 2012

Penn State, the Freeh Report and Implications for the FCPA Compliance Practitioner

The Freeh Report was released last week. It detailed a series of actions and inactions taken by officials at Penn State University (Penn State) which allowed Jerry Sandusky to continue his abuse of young boys from at least 1998 up until the time he was arrested. This incident is the worst scandal involving the American higher education system that I have witnessed in my lifetime. As noted in a New York Times (NYT) article published on July 13, entitled “In Report, Failures at Every Level of Hierarchy”, the Freeh Report found a series of failures all the way up the Penn State chain of command. The article stated, “shortcomings that were the result of an insular and complacent culture in which football was revered, rules were not applied and the balance of power was dangerously out of whack.” As bad a situation as the Freeh Report portrays, I believe that there are significant lessons for the Foreign Corrupt Practices Act (FCPA) compliance practitioner, and this post will try to draw out some of these lessons learned.

I. Insular and Complacent Culture

A. Failure of Top Officials and Role of a Board of Directors

The Freeh Report portrayed the Penn State Board of Trustees, the University equivalent of a corporate Board of Directors, “as passive overseers, so in thrall to the president and the coach that they failed to demand even the barest displays of accountability.” Even if the University President actively withheld information from the Board, a Board has the responsibility to ask tough questions. The NYT article quoted Anne Neal, president of the American Council of Trustees and Alumni, for the following: “For too long, the boards have been viewed more as boosters than as legal fiduciaries.”

In the aftermath of the Wal-Mart scandal, the FCPA Professor opined that the problems Wal-Mart encountered were largely a failure of corporate governance. While I disagree with the FCPA Professor on the quanta of the role of the Wal-Mart Board, I do agree that the Wal-Mart Board did not ask tough questions of its senior management regarding its FCPA compliance. If senior management deceives its own Board that is certainly a big problem, but it is also a problem if the Board never makes the inquiries. In both the Wal-Mart case and the Penn State scandal, it appears the respective Boards abrogated their duties.

B. Reporting of Violations – Anonymous Reporting Hotline

One thing that the Department of Justice (DOJ) has insisted on for several years as a minimum best practice in FCPA compliance is anonymous reporting. It can be found in the DOJ’s current formulation of minimum best practices, which reads:

9. Ongoing Advice and Guidance. The Company should establish or maintain an effective system for:

a. Providing guidance to directors, officers, employees, and its agents and business partners, on complying with the Company’s anti-corruption compliance policies, including when they need advice on an urgent basis or in any country in which the Company operates;

b. Internal and confidential reporting and protection of those reporting breaches of the law or professional standards or ethics concerning anticorruption occurring within the company, suspected criminal conduct, and/or violations of the compliance policies by directors, officers, employees; and

c. Responding to such requests and undertaking appropriate action in response to such reports.

There were at least two separate instances where low level employees witnessed Jerry Sandusky abusing children. One incident was witnessed by Graduate Assistant Mike McQueary, who did report the incident to his supervisor, Head Coach Joe Paterno. While Paterno did report this incident to the University President, the Freeh Report found that the University President did not report this incident to any police or other authorities. As troubling as this incident is, perhaps more troubling is the incident involving Penn State employee Jim Calhoun, a school janitor who witnessed Sandusky abusing a child earlier, in 2000. Although Calhoun told another employee and his supervisor of the incident, not one of these three men reported the incident to the police or other authorities because they were all afraid of losing their jobs. This was after Jerry Sandusky had ‘retired’ from Penn State in 1999, so they should not have been afraid that Sandusky would threaten them. These men were so afraid of implicating the power of the Penn State football program that they were afraid to report the conduct. Apparently there was no anonymous mechanism for them to do so.

This description makes crystal clear why a company must have an anonymous reporting system. While I firmly believe that most employees will report misconduct if they see it or become aware of it if they care at all about their company, the Penn State situation makes clear that if there is fear and trepidation for such reporting, a system must be put in place to facilitate it. But a company cannot stop there. A company must have both the commitment to non-retaliation and train people on this key company component.

II. Rules Were Not Applied and Compliance with Legal Requirements

One of the laws that has become more widely known in the general populace since the Sandusky scandal broke is the Clery Act. This federal law requires colleges (and universities) “to pull together on crime from a variety of sources and warn the university community about potential threats. The law holds a wide range of college employees – including football coaches – responsible for contributing to the report.” While this law has been on the books since 1990, the NYT article said the Freeh Report found that Penn State officials “did not know until recently that anyone but the campus police had that obligation, and the police paid little attention to the law until 2007.” More damningly, Penn State did not even draft a plan for complying with this law until 2009 and, when the Sandusky scandal was revealed last fall, the 2009 plan had still not been adopted by Penn State.

The FCPA has been the law of the land since 1977. However, there are a large number of US companies which have never adopted any compliance program or have one that is so old, it bears little to no resemblance to current minimum best practices. The Clery Act was well known within the academic community just as the FCPA is well known within the US international business community. Simply put you must comply with the law. The legal liability for such failure can be astronomical. It could well lead to personal criminal liability for senior management of a corporation.

III. Where the Balance of Power is Dangerously Out of Whack – When a Football Program Runs a University

I grew up in a small town in Texas. Friday Night Lights was true then and it’s true now. My hometown is appended to a major university where football is king on Saturday afternoon. I attended a university in Texas where football is just as big as it was at Penn State during Joe Paterno’s tenure. In short, I have lived in a state where the culture of football is a religion and the Head Coach is viewed with near godlike status (that’s god with a little ‘g’; not the God). Even though I can understand how it might happen, it does not mean that it is right. At a major university, just as in a small town school district, even the head coach is an employee who reports to someone; the University President, the Athletic Director or the School District Administrator. And even in Texas, the primary mission of a University and school district is education, not football.

A football program must be subject to the same rules and regulations as other departments. The Freeh Report noted that the Penn State football program chose not to participate in the “university’s efforts to train people in recognizing and reporting violence and sexual abuse.” Get that – the football program chose not to even participate in such training, let alone recognize that the same rules applied to it. The NYT article quoted Alison Kiss, Executive Director of the Clery Center for Security on Campus, who said that “In our experience, when an athlete or coach is involved, many times it does get treated differently. We have to change that culture.”

In the corporate world, remember Enron, where the traders ran the company. Look at Enron today, oops it doesn’t exist anymore and most of its top management went to prison, hmmm what does that tell you? Or for a more contemporary example, how about Barclays, where the traders told the bankers what information to report to set the LIBOR rate. For the compliance practitioner, I think all of this means that your corporate culture must not only be dedicated to doing business legally and ethically but that dedication must be translated, through constant communication including training, to your employees. I recognize that compliance and ethics training fatigue can set in at some point. But think back to Morgan Stanley and its declination in the Garth Peterson enforcement action. Morgan Stanley had very novel and creative ways to communicate compliance to its employees on a worldwide basis. Even something as simple as an email reminder was cited by the DOJ as evidence of the robustness of Morgan Stanley’s compliance program.

The Sandusky scandal and the Freeh Report will reverberate for a long time to come. For the compliance practitioner, there are several lessons learned that you should take away from this terrible and preventable tragedy. If you work in a university environment, I think that Monday morning you need to sit down and read the entire Freeh Report and then hire an outside third party to come in and within the next 30 days assess the university’s culture, governance, compliance policies and procedures for protecting our children. Please, for the sake of our children.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

April 10, 2012

What is the Role of a Board of Directors?

Aeschylus was the first of the three ancient Greek tragedians whose plays can still be read or performed; the others are Sophocles and Euripides. He is often described as the father of tragedy. In his life he fought for the Athenian democracy, most notably at the Battle of Marathon. When asked if he wanted to be remembered for his plays or his service to his country, he responded by having the following epitaph inscribed on his burial site: “Beneath this stone lies Aeschylus, son of Euphorion, the Athenian, who perished in the wheat-bearing land of Gela; of his noble prowess the grove of Marathon can speak, and the long-haired Persian knows it well.” Sometimes it is the simple rather than the complex that we should focus on and for my money, the epitaph of Aeschylus is one of the classic examples.

One of the ongoing topics at various Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption and anti-bribery compliance conferences is what information a Board of Directors wants or needs for oversight of a compliance program. However, today I would like to step back and focus on the initial question of “What is the role of a Board of Directors?” In a recent preliminary draft of a White Paper entitled “Corporate Governance of Social Enterprises” (herein “the White Paper”), a group of European authors, Ann-Kristin Achleitner, Judith Mayer, Andreas Heinecke, Mirjam Schöing and Abigale Noble (collectively “the authors”), explored this most basic question and others, including such topics as Board of Directors make-up and selection; Board of Directors meetings; and management of the Board and its relationship with a company’s management.

A Board of Directors will probably have an Audit Committee or Compliance Committee. I would like to focus on the role of the entire Board of Directors, rather than a specialized subcommittee. Reviewing the role of a Board of Directors within an organization should shed light on the types of information that a compliance officer should be prepared to present to the Board. Starting with the proposition that a “well run Board can lift a significant burden off of the management team in the short-term and ensure the long-term success” of an organization, the authors posit three general areas. They are (1) Support; (2) Supervision; and (3) Approval of Management Decisions.

Support

In the area of support a Board of Directors should provide strategic guidance but should not simply take what management may tell it or even feed to it. A Board member must be ready to challenge management, particularly the Chief Executive Officer (CEO). A Board must hold the CEO accountable for running the company’s business but should not go so far as to become bogged down in the day-to-day details of running the company.

Supervision

Here a Board of Directors should monitor the performance of management against prescribed benchmarks. The financial bottom line is obviously a key performance indicator. However, there are other areas which the Board will need to monitor. Clearly the compliance arena is now one which a Board must become familiar with and have visibility into but there may well be a variety of other legal issues, such as regulatory or even intellectual property protection in a situation where a company’s main, if not only asset is some type of intellectual property. This should be broad enough to ensure that management complies with its own governing documents. The authors note that ideally Boards should “have a list of the compliance requirements and periodically check if they are being met.”

Approval of Management Decisions

The authors believe that betwixt and between the concepts of Support and Supervision lies the area where a Board must approve certain management decisions. Board approval of these decisions should “serve to guarantee conformance with the overall mission” of the organization. While each organization could certainly have a greater number of these areas, the authors believe there are basic areas that, at a minimum, should require Board approval. These areas are:

  1. The organization’s annual budget;
  2. Decisions on significant financing and significant changes in the ownership structure;
  3. Succession planning for the CEO and remuneration as well as key members of the company’s management team; and
  4. Decisions about overall company strategy.

The authors provide a summary of some of a Board’s “Do’s and Don’t’s”, which I have put into the following box:

DO’s                                              DON’T’s
Define Success with the Board                     Spend time on the trivial
Let Boards create their own agenda                Short term and reactive bias
Direct questions to specific members              Overly involve the Board
Focus on shaping the future of the organization   Just review the past
Invite external experts                           Let company executives control the Board

The authors end their White Paper with a very useful Appendix containing a country-by-country listing of corporate governance guidelines and codes of best practices for Boards of Directors.

While the White Paper has a focus on social enterprises, the concepts that it puts forward can inform the types of information that, as a compliance officer, you can suggest your organization’s Board of Directors begin to review. In the US and UK, many Boards will have an Audit or Compliance Committee, which will desire more detailed information. A report, annual or other, to a full Board of Directors is an important component of a minimum best practices compliance program. The compliance function should be prepared to lead your company’s Board through this journey.


© Thomas R. Fox, 2012

March 23, 2012

To Boldly Go…Where the Board Needs to Go

Belatedly, we boldly go where no Canadian actor has ever gone before, to celebrate yesterday’s birthday of William Shatner, Captain Kirk of the original Starship Enterprise. I thought about Captain Kirk and his leadership of the Enterprise in the context of a panel at Ethisphere’s 2012 Global Ethics Summit. In a moderated keynote session, entitled “View from the Board”, moderator Stephen Jordan led the panel in an exploration of issues relating to the Board of Directors’ responsibility in a company’s compliance program.

What is the relationship between leadership and culture? Panelist Sheila Penrose, Chairman of the Board at Jones Lang LaSalle and Board member of the McDonald’s Corporation, said that she views the Board of Directors as the “curator of a company’s culture.” As a Board member she wants to know if there is a clear framework to determine and measure certain key facets of a compliance program. These key facets include: (1) tone of the company towards doing business in a compliant manner; (2) the effectiveness of the company to understand new compliance issues as they arise; and (3) the process and dynamics of the company’s compliance program. Her view of a Chief Compliance Officer (CCO) is that he or she should have “good professional judgment” and be able to communicate to the Board about their judgment of ethical behavior in the company.

Presentations to the Board

Regarding presentations to the Board of Directors, Penrose said that she desired to have two general types. The first is training the Board of Directors on emerging issues that the company might face from the compliance context and directing how the Board of Directors might think about these issues, particularly in regard to how they would affect the risk profile of the company. The second is a report of the trends emerging from internal reporting on compliance issues. This could include hotline reports or surveys that the compliance group performs to determine if there are any emerging or systemic issues relating to compliance that should be addressed. From these metrics Penrose said that she is always keen to know if there are any lessons to be learned which can be applied to future situations or to stop certain behaviors.

The second panelist, Daniel Tishman, Board member of AECOM Technology Corporation, said the initial issue to determine is the type of Board. Is it the Board of a new or relatively new entity, populated with friends of the Chief Executive Officer (CEO) and with persons who either work in or have significant experience in the core business of the company? Conversely, is it the Board of a more mature company? If it is the former, Tishman believes a CCO will have to provide much more basic compliance education to the Board.

As to the types of presentations he prefers, Tishman focused his answer on the types of information that he expects if a serious compliance issue has arisen, which may well be a violation of a substantive anti-corruption law such as the Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act. He said there are four points that he would like to receive guidance on or through. First, he demands prompt reporting to the Board. Second, all reporting must have complete transparency to the Board. Third, he expects proactive action by the CCO, rather than simply waiting for instructions. Lastly, Tishman would expect to be told if any event is a one-off or a systemic problem, coupled with a fair appraisal of whether the event is a true crisis or is more of a “regular issue”.

Metrics

Both panelists discussed metrics as a key component of Board reporting. Tishman said that he prefers to receive metrics which focus on new or emerging areas for the company. So if the company is opening up a new product line or service, or is moving into a new geographic area, he wants to see the compliance risks assessed and reported to the Board of Directors.

Penrose advocated metrics to measure three areas: (1) measures of magnitude; (2) measures of direction; and (3) measures of penetration. By measures of magnitude, she said that she desired information on how well the company’s compliance regime had been communicated throughout the target audience of employees and third parties, or “exposure”. The measures of direction are designed to present information on trends that compliance is seeing within the company; an example she gave was a review and summary of hotline reporting. The final measure, penetration, was designed to drill down further than the measure of magnitude to provide metrics on how well the compliance program had penetrated down into the employee base and the third parties with whom the company might be working to obtain or retain business.

And what of Captain Kirk, his leadership and lessons learned for the compliance profession? He did not have to deal with a Board of Directors, in the form of Star Fleet Command, too often, so that probably is not a helpful analogy. However, Kirk did lead from the front and that is what a CCO must do. Penrose said that she expects her CCO to “manage by walking around”, to go out into the field and get the message of compliance to the troops. If you are the CCO, or compliance professional, you need to either be on the Away Team or lead the Away Team and boldly go where no CCO has gone before.

To get yourself in a Star Trek frame of mind, cue the iconic original television series opening theme here.


© Thomas R. Fox, 2012

March 21, 2012

OCEG Illustrated Series: Managing Corruption Risks

How do you move off dead center? That was a question posed by my colleague Mary Jones in a recent guest blog post. She gave several concrete steps in answer to her own question. This question was further explored in the January issue of the Compliance Week magazine which began a six-part “Anti-Corruption Illustrated” series by Carol Switzer, President of the Open Compliance and Ethics Group (OCEG). OCEG is an organization which “develops standards and guidance to help organizations achieve Principled Performance”; that is, “the reliable achievement of objectives while addressing uncertainty and acting with integrity.” OCEG’s Illustrated Series is a teaching method developed to visually represent how to set up processes and procedures in various areas and disciplines. This Anti-Corruption Illustrated Series is a very useful tool for the compliance practitioner to use in explaining the components of an effective compliance program.

In the first article of her series, Switzer shares her views on how anti-corruption programs enable business agility. In addition to her own thoughts, Switzer moderated and reported on a roundtable discussion of compliance experts who shared their views on managing corruption risks. These experts included Steven Kuzma, Global Leader in Corporate Compliance at Ernst & Young, Jay Martin, Chief Compliance Officer at Baker Hughes, Mike Rost, Vice President at Thomson Reuters GRC and Jim Slavin, Senior Director at SAI Global. The Illustrated Series lays out the following steps:

  1. Assess the Risk – In this step you identify corruption risk factors that your company may face. These can be based upon several different factors including the nature and location of your company’s business activities; your company’s third party relationships; and your company’s methods for obtaining and retaining business. You should evaluate and then rank these risks based upon your company’s risk appetite and be prepared to respond to internal or external forces that might change this risk assessment.
  2. Develop the Program – You should develop “a comprehensive and balanced anti-corruption program that corresponds to the risks identified in the assessment process.” This should include written policies, procedures and internal controls for all levels within your organization. You will need to obtain Board of Directors and senior management endorsement of your strategies and communication of this support.
  3. Define and Implement Policies – In this step you should consider the written policies which map to the applicable regulations, obligations and business processes that you have created. Ownership of these requirements within the business is critical to their success and there should be communication to key stakeholders including “staff, third parties, auditors and customers.”
  4. Build and Operate Controls – Next you will need to establish “procedures and controls to prevent, detect, correct, and mitigate the risks” which you have identified and ranked. Ownership needs to be established to monitor these controls, with regular documentation, continued assessment and testing of these controls.
  5. Train and Educate – You must develop and deliver training to “raise stakeholder awareness and competence regarding anti-corruption goals, policies, procedures and [internal] controls.” This should include identification of “role-specific programs with desired outcomes” with delivery methods to get your message across to the various target audiences.
  6. Monitor and Evaluate – Here OCEG suggests a five step process to track and assess policies and controls for effectiveness.
    1. Screen – Monitor vendor, partner and customer records against trusted data sources for red flags.
    2. Identify – Establish helplines and other open channels for reporting of issues and asking questions by employees and appropriate third parties.
    3. Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
    4. Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
    5. Audit – Finally, your company should have regular internal audit reviews and inspections of your company’s anti-corruption program, including testing and assessment of internal controls to determine if enhancement or modification is necessary.
  7. Review, Realign and Report – This step requires you to “take timely corrective and disciplinary action for violation” of your company’s program. Your program should be regularly evaluated and aligned with any new or additional corruption risks which are found. Both the Board of Directors and senior management must be informed through regular reporting. Finally, there should be a professional external review on no less than a two year basis to determine your program’s overall sufficiency.

Switzer’s article and report on the roundtable discussion are very useful tools for the compliance practitioner. Her article includes a removable copy of the OCEG Illustrated Series on managing corruption risk. I heartily recommend it to you.


© Thomas R. Fox, 2012
