Four Keys to Compliance Leadership

One of the most divisive moments in American history occurred on this date in 1868. On this day the US Senate voted against impeaching President Andrew Johnson thereby acquitting him of having committed “high crimes and misdemeanors” as required under the US Constitution. After all the arguments had been presented for and against him, Johnson waited for his fate, which hung on one swing vote, as there is a Constitutional requirement that requires a vote of 2/3rds of the Senate for impeachment. The vote was one short, at 35-19. Johnson was acquitted and finished out his term. If Johnson had been impeached, it surely would have led to a very different political development in the US, where not liking the sitting President could have become a constitutional basis for impeachment.

The Radical Republicans who ran the Congress immediately after the conclusion of the Civil War certainly did not think much of President Johnson’s leadership style. So what about you as a compliance officer? Certainly part of your leadership is implementing and enhancing policies and procedures? In many ways it is the human element, which President Johnson sorely lacked, that you may well need to devote most of your time focusing on. I recently read an excellent article it the Corner Office section of the New York Times (NYT), entitled “We’re Family Yes, but We’re Still Accountable”, in which Adam Bryant reported on his interview with Brooke Denihan Barrett, the co-Chief Executive Officer (co-CEO) of the Denihan Hospitality Group (Denihan), a 50-year old family business which focuses on the hospitality business.

Training

One of the things that Barrett has learned is how to train people. She explained that “I thought the way you got things done was by telling people what to do. That’s where I learned what not to do. I spent a good portion of my time telling people what they did wrong instead of really encouraging them about what they did right.” She came to realize that was perhaps not the best way to manage people and “learned to cut people some slack.” She said that she found “that you get a lot more with the carrot routine than the stick routine. I also realized that you really needed to explain the “why” of things. You need to give people a little bit of space to come around, and say, “Yeah, that makes sense,” before you really engage them in what needed to be done.”

I found that her final point may be critical for compliance training. By explaining the why of compliance, employees can better understand what the company is trying to accomplish. So if your goal is to do business in an ethical manner, then explain this and how the company’s compliance program will help to accomplish this goal through its policies and procedures.

Accountability

One of the things that Barrett emphasized was the erroneous perception that because her company was a family business there was no accountability. She made clear that “You have to set certain standards that you want people to live up to. And if people need help, then we want to help them along the way.” However, accountability is a two-way street. Just as the employee must be held accountable, so must the company in terms of providing support to allow employees who want to do the right thing and to do their job well. Barrett said, “Sometimes organizations can fall down if they don’t also ask: How do you give people the tools they need to be successful? How do you get that person to understand what change needs to happen, and how do you help them along the way? Because people can’t always figure it out on their own, and nor should you expect them to.”

Listening

Many of the CEOs that Bryant interviews for his Corner Office section speak about the need for listening skills. Barrett was no exception. But as CEO she found that employees were sometimes reluctant to speak openly and candidly with her. So she began to meet with employees in small groups of 10 to 12 people. At Denihan they call them ‘Roundtables’. Barrett said that she will say to them ““Tell me something I don’t know.” And I’ll get comments like: “Oh, but you know everything. You’re the C.E.O.” It’s just a reminder of the perceptions that people have of the head of the company. But every time I ask that question, I learn something new.” Imagine as a compliance officer if you were to ask that question in a roundtable, what do you think you might hear back from your company’s employees?

Barrett also spoke about how to have a ‘difficult conversation’. She said that if there is a mistake made she views it as an opportunity for learning and professional growth. At Denihan, they call them ‘lessons learned conversations’ and they may occur with a group where a problem has arisen. Barrett related, “we might bring people together in a room who were involved in a project and ask: What were the things that worked? What were the things that didn’t? What could we have done differently? And we’ve had some very spirited and cathartic conversations. You have to be able to let people put something on the table without actually pointing the finger. It allows things to come out in more of a non-accusatory manner.”

Hiring and Promotion

These are two key areas in compliance that are finally beginning to receive the attention that they deserve. Barrett’s thoughts on how she views these in the context of her interviewing are instructive. She acknowledged that by the “time somebody meets me, you can assume that the skills are there. So what I interview for is fit. And I’m always very curious to know, what is it about our company that appeals to that person?” She asks specifically about culture, requesting the candidate define it and how do you think that culture is special. She also asks candidates to talk about a failure and what lessons that they learned from the experience and how they dealt with the experience. I would suggest that both of those lines of inquiries should be used when evaluating a candidate for hire or promotion.

Barrett’s interview provided some interesting insights on leadership. Moreover, her experience in professional growth has shown there are different styles and techniques that you can successfully use in your company’s compliance program. Train people on the reasons why your company is doing compliance so that they will understand how to do it. Make them accountable but also provide them with the compliance tools and support to do business the right way. If there is a problem or issue, use it as a lesson learned so that employees can profit from the experience. Lastly, make a discussion of culture a cornerstone in your hiring interview or promotion interview process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want discuss the 10 points listed as the ‘Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I.                   Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II.                Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that depending on a variety of factors such as size, type of business, industry and risk profile that a company should determine what is appropriate for its own needs regarding a FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
10. Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what it expects in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence that it can do before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good a starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime so assess your company’s risks and use these hallmarks as a basis to move forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The Tube and Updating Your Compliance Policies

2013 is the 150^th anniversary of the London Underground, affectionately known as “The Tube.” It truly is one of the great urban architectural marvels of all-time. The oldest sections of the London Underground completed 150 years of operations on 10 January 2013. The Underground serves 270 separate stations and has 250 miles of track, 45% of which is underground. In 2011, it served over 1.2 billion riders but, like any transportation system, it has to be evaluated and upgraded. For my money, the most useful upgrade would be to air condition the cars as they can become unbearably hot in the summer but that may not be on the top of Prime Minister’s Cameron’s list about now.

I thought about this auspicious anniversary and maintenance of the London Underground when I read a recent article in the Compliance Week magazine by Michael Rasmussen, entitled “Improving Policies Through Metrics”. Rasmussen believes that effective policy management requires that a company must periodically review their policies to ensure that they are relevant and aligned with both current laws and corporate objectives. This is because today’s business environment is dynamic and involves both internal and external factors, so, consequently, as a company evolves and changes its policies need to be updated to reflect these changes.

One of the key components of any best practices compliance regime under any anti-bribery and anti-corruption program is policies. Policies tie together a company, its business environment, the risks it faces and the compliance requirements. Policies are a specific requirement for any anti-corruption/anti-bribery compliance regime. In the recently released Department of Justice (DOJ) Guidance on the Foreign Corrupt Practices Act (FCPA), it stated, “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” Under the UK Bribery Act, policies are discussed in the Six Principles of an Adequate Procedures compliance program under Principle V – Communication, where it states “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.”

While I think that most compliance practitioners understand this need for policies one of the things that is not usually emphasized at a company is effective policy management. One technique which can be used is to elevate the policy function to the senior management level. One of my former employers, Halliburton, did this when it created a Vice President for Policies back in 2006. So kudos to Halliburton for leading the industry by creating the position of Vice President for Policies.

Rasmussen believes that at a minimum, policies must be reviewed annually. He recommends that each policy should go through a yearly review process to determine if it is still appropriate. There should be a “system of accountability and workflow that facilitates” any policy review process. The end product should be a decision to “retire the process, keep the policy as it is, or revise the policy.” Rasmussen lists five items that a policy owner should evaluate as a part of the policy review process.

• Violations. Here Rasmussen believes that information from reporting systems such as hotlines or other anonymous lines as well as internal or external investigations must be reviewed. Not only would such information indicate if a company policy was violated but the follow-up investigation would help to determine how the policy might have failed, whether it was through “lack of awareness, unauthorized exceptions [or] outright violations.”
• Understanding. Here Rasmussen writes that there should be an analysis of “training and awareness programs, policy attestations” and attendant metrics to determine an appropriate level of policy understanding. He believes that questions to a helpdesk or compliance department could help to discover any ambiguities in a policy that might need to be corrected.
• Exceptions. If you have a policy it should be followed. If an exception to a policy was granted the reason for the exception should have been documented. If there are too many exceptions granted for a policy, it might indicate that “the policy is inappropriate and unenforceable” and therefore should be revised.
• Compliance. A policy should govern and authorize internal controls. These internal controls should be reviewed in conjunction with the policy review to determine overall policy effectiveness. This is because “At the end of the day the policy needs to be complied with.”
• Environment. All the factors around a policy are in flux. This includes a company’s risk profile, its business strategy, laws and regulations. Since a business’ climate is dynamic, a policy should be reviewed in the context of a company’s overall situation and revised accordingly.

If there is a change in a policy it is important that not only the correct change be made but that any change is documented. An audit trail is a key component for a company to internally understand when a change is made and the reason for that change but also to demonstrate to a regulator effective policy management and to present “a defensible history of policy interactions on communications, training, acknowledgements, assessments and related details needed to show the was enforced and operational.” This audit trail should include “key data points such as the owner, who read it, who was trained, acceptance acknowledgements and dates for specific policy versions”. In addition to an audit trail, policy revisions should be archived for referral back at a later time. So, once again, the key message is document, document and document.

Just as best practices in the FCPA compliance arena evolve, so do business practices, markets and risks. If you throw in the complexities from an inter-connected global business milieu, the task becomes even tougher. Business policies are one of the keystones of a company’s communications to its employees on what it expects and what is required of its employees. To keep policies up-to-date and properly take advantage of this valuable tool, policies need to be evaluated and updated as appropriate. If your company fails to do so this takes away from the value of having policies in the first place. I hope that you will use the techniques which Rasmussen has described to help you effectively manage your policies going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Tyco NPA and Chris Economaki – Details from the Pits

“This is Chris Economaki in the pits.”

That was the signature line of race car announcer Chris Economaki, who died last week at the age of 91. For a generation of us who grew up watching ABC’s Wide World of Sports, Chris Economaki was the voice of the Indy 500, the Dayton 500, the Summer and Winter Nationals of the National Hot Rod Association (NHRA) and a host of other auto races. In addition to having one of the most unique names this Southerner had ever heard of, Economaki had a staccato vocal delivery that, as noted in his obituary in the New York Times (NYT) by writer Douglas Martin, “reminded some of a rumbling racing engine.”

The Bribery Schemes

I thought about Chris Economaki and the detail he brought as a track-side commentator to a generation of Wide World of Sports’ aficionados when considering the various documents released last week in connection with the Tyco International Ltd (Tyco) Foreign Corrupt Practices Act (FCPA) enforcement action. For the most comprehensive summary of the Department of Justice’s (DOJ) criminal enforcement action and the Securities and Exchange Commission’s (SEC) civil action, I recommend either of the FCPA Professor’s excellent posts on Tyco. In addition to the points raised by the Professor I believe that there are significant lessons learned for the FCPA compliance practitioner. With a tip of our collective caps to the baseball pennant races which are down to the final few days, I present the Tyco Bribery Box Score.

Tyco Subsidiary	Bribe Amount Paid	Profits Earned by Conduct
M/A Com	Not reported	$71,770
TTC Huzhou and TTC Shanghai	$196,267	$3,470,180
TWW Germany and Erhard	$2,371,094	$4,684,966
TFC HK and Keystone	$137,000	$378,088
TFCT Shanghai	$24,000	$59,412
ET Thailand	$292,268	$879,258
TFIS France	$363,839	$1,256,389
THC China	$250,000	$353,800
TVC ME	$488,479	$1,153,500
ADT Thailand	$78,000	$473,262
Tatra	$96,000	$226,863
Eurapipe	$358,000	$1,298,453
THC Saudi Arabia	Not reported	$1,900,600
Dulmison	$68,426	$109,249

I set out the full Box Score of bribes paid by Tyco in this detail to emphasize how bad the conduct of the company is and this is in the VERY BAD CONDUCT realm, coupled with the facts that (a) Tyco is now a two-time loser under the FCPA and (b) most of the illegal conduct occurred after Tyco agreed to an initial FCPA based Deferred Prosecution Agreement (DPA) in 2006 for prior FCPA sins. Yet even with all of this Tyco was able to obtain a Non Prosecution Agreement (NPA). Such a result is fairly stunning if you think about it in a superficial basis. However, if you consider what Paul McNulty continually says, and which I continually write about, the most important question will be What did you do when you found out about it?

As noted in the letter from the DOJ to counsel for Tyco, the DOJ entered into the NPA with Tyco based upon the following factors: (1) timely and voluntary self-disclosure; (2) a full and complete global investigation by Tyco; (3) extensive remediation including implementation of an enhanced compliance program, termination of employees responsible for the conduct at issue, severing contracts with third party agents who were parties to the frauds, closing subsidiaries involved in the illegal conduct; and (4) provide annual written reports to the DOJ on progress of the company’s enhanced compliance program.

Corporate Compliance Program

Tyco agreed to a robust corporate compliance program that either currently exists or will be implemented in the future. This Corporate Compliance Program is somewhat different than most of the 13 minimum best practices compliance regimes reported in DPAs and NPAs since the Panalpina DPA of November, 2010. Tyco agreed to a point compliance regime, which consists of the following.

1. High level commitment. The Company will ensure that its senior management provides strong, explicit, and visible support and commitment to its corporate policy against violations of the anti-corruption laws and its compliance code.

2. Policies and Procedures. Tyco will promulgate compliance standards and procedures designed to reduce the prospect of violations of the anti-corruption laws and the Company’s compliance code, and the Company should take appropriate measures to encourage and support the observance of ethics and compliance standards and procedures against foreign bribery by personnel at all levels of the company. These anti-corruption standards and procedures shall apply to all directors, officers, and employees and, where necessary and appropriate, outside parties acting on behalf of the Company in a foreign jurisdiction, including but not limited to, agents and intermediaries, consultants, representatives, distributors, teaming partners, contractors and suppliers, consortia, and joint venture partners (collectively, “agents and business partners”), to the extent that agents and business partners may be employed under the Company’s corporate policy. The Company shall notify all employees that compliance with the standards and procedures is the duty of individuals at all levels of the company. Such standards and procedures shall include policies governing:

1. gifts;
2. hospitality, entertainment, and expenses;
3. customer travel;
4. political contributions;
5. charitable donations and sponsorships;
6. facilitation payments; and
7. solicitation and extortion.

3. Internal Controls. Tyco will ensure that it has a system of financial and accounting procedures, including a system of internal controls, reasonably designed to ensure the maintenance of fair and accurate books, records, and accounts to ensure that they cannot be used for the purpose of foreign bribery or concealing such bribery. This system should be designed to provide reasonable assurance that:

1. Transactions are executed in accordance with management’s general or specific authorization;
2. Transactions are recorded to permit preparation of financial statements in accordance with GAAP;
3. Access to assets is permitted only in accordance with management’s general or specific authorization; and
4. Recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken if discrepancies are found.

4. Periodic Risk-Based Reviews. Tyco agreed to develop these compliance standards and procedures, on the basis of a risk assessment addressing the individual circumstances of Tyco, in particular the foreign bribery risks it faces including, its geographical organization, interactions with various types and levels of government officials, industrial sectors of operation, involvement in joint venture arrangements, importance of licenses and permits in the company’s operations, degree of governmental oversight and inspection, and volume and importance of goods and personnel clearing through customs and immigration.

5. Proper Oversight and Independence. Tyco will (or once again has) assign responsibility to one or more senior corporate executives of the Company for the implementation and oversight of the Company’s anti-corruption policies, standards, and procedures. Such corporate official(s) shall have direct reporting obligations to the Tyco’s independent monitoring bodies, including internal audit, the Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy.

6. Training and Guidance.

1. Training. Tyco will implement mechanisms designed to ensure that its anti-corruption policies, standards, and procedures are communicated effectively to all directors, officers, employees, and where appropriate, agents and business partners. These mechanisms shall include periodic training for all directors and officers, and, all employees in positions of leadership or trust or positions which might otherwise pose a risk of corruption to the company. The training shall also be provided to agents and business partners. Lastly there shall be biannual certifications by all such directors and officers, and, where necessary and appropriate, employees, agents, and business partners, certifying compliance with the training requirements.
2. Guidance. Tyco is required to maintain an effective system for providing guidance and advice to directors, officers, employees, and, where necessary and appropriate, agents and business partners, on complying with Tyco’s anti-corruption compliance policies, standards, and procedures, including when they need advice on an urgent basis or in any foreign jurisdiction in which Tyco operates.

7. Internal Reporting and Investigation. Tyco will provide an effective system for internal and where possible, confidential reporting by, and protection of, directors, officers, employees, and, where necessary and appropriate, agents and business partners, concerning violations of the Company’s compliance program. Tyco also agreed to dedicate sufficient resources to respond to such requests and undertaking necessary and appropriate action in response to such reports.

8. Enforcement and Discipline. Tyco will institute appropriate disciplinary procedures to address, violations of the anti-corruption laws and the Company’s anti-corruption compliance code, policies, and procedures by the Company’s directors, officers, and employees. This shall include disciplining of those within the company no matter how the position of the person or their perceived authority. In addition to discipline, Tyco agrees to add appropriate mechanisms to incentivize compliant behavior.

9. Third Party Relationships. Tyco agreed to institute appropriate due diligence and compliance requirements pertaining to the retention and oversight of all agents and business partners, including: (a) properly documented risk-based due diligence pertaining to the hiring and appropriate and regular oversight of agents and business partners; (b) informing agents and business partners of the Company’s commitment to abiding by laws on the prohibitions against foreign bribery, and of the Company’s ethics and compliance standards and procedures and other measures for preventing and detecting such bribery; (c) seeking a reciprocal commitment from agents and business partners and (d) including appropriate compliance terms and conditions in the contract.

10. Mergers and Acquisitions. Tyco agreed to develop and implement appropriate compliance policies and procedures for any acquisition based upon an appropriate risk-analysis which would be completed as soon as practicable. Further such changes would be implemented as soon as practicable. Directors, officers and employees of newly acquired entities would be trained as soon as practicable.

11. Monitoring and Testing. Tyco agreed to conduct periodic review and testing of its anti-corruption compliance code, standards, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, standards and procedures, taking into account relevant developments in the field and evolving international and industry standards.

So the prior 13 point best practices program is now folded down to 11 for Tyco. Nevertheless, the general concepts are still the same for a company seeking to implement or enhance its compliance solution. Much like Chris Economaki reporting from the Pits at the Indy 500, the level of detail provided in the Tyco NPA should allow the compliance practitioner to evaluate their company’s compliance program.

============================================================================================

The Wall Street Journal has a series of articles today on the FCPA. In conjunction with these articles I will join Joe Palazzolo, Law Blog lead writer, for a conversation on the FCPA at 2:30 PM EDT. We will take your questions. To join us, click here.

===========================================================================================

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

DS&S DPA: Lessons Learned for the Compliance Practitioner

On Monday, June 18, the Department of Justice (DOJ) announced the resolution of a matter involving violations of the Foreign Corrupt Practices Act (FCPA) by Data Systems & Solutions LLC (DS&S), a US entity based in Virginia. The settlement resulted in the company agreeing to a two year and 7 day Deferred Prosecution Agreement (DPA). The case was interesting for a number of reasons and it has some significant lessons which the compliance practitioner can put into place in a corporate compliance program. The charges related to DS&S’s business included the design, installation and maintenance of instrumentation and controls systems at nuclear power plants, fossil fuel power plants and other critical infrastructure facilities. In reading the Criminal Information, I can only say that this was no one-off or rogue employee situation but this was a clear, sustained and well known bribery scheme that went on within the company.

I.                   The Criminal Information

The bribery scheme involved payments made to officials at a state-owned nuclear power facility in Lithuania, named Ignalina Nuclear Power Plant (INPP). The payments were made to allow DS&S to obtain and retain business with INPP. The Information listed contracts awarded to DS&S in the amount of over $30MM from 1999 to 2004. Significantly, DS&S did not self-disclose this matter to the DOJ but only began an investigation after receiving a DOJ Subpoena for records.

The Players Box Score

DS&S Officials	INPP Officials	Subcontractors
Exec A – VP of Marketing and Business Development (BD)	Official 1 – Deputy Head of Instrumentation and Controls Department	Subcontractor A – Simulation Technology Products and Services
	Official 2 – Head of Instrumentation and Controls Department	Subcontractor B – Beneficially owned by Official 1 and which employed INPP Officials
	Official 3 – Director General at INPP	Subcontractor C – Shell company used a funneling entity to pay bribes
	Official 4 – Head of International Projects at INPP
	Official 5 – Lead SW Engineer at INPP

The bribery scheme used by DS&S recycled about every known technique there is to pay bribes. The Information listed 51 instances of bribes paid or communications via email about the need to continue to pay bribes. The bribery scheme laid in the Information reflected the following techniques used by:

•       Payment of bribes by Subcontractors to Officials on behalf of DS&S;
•       Direct payment of bribes by DS&S into US bank accounts controlled by INPP Officials;
•       Creation of fictional invoices from the Subcontractors to fund the bribes;
•      Payment of above-market rates for services allegedly delivered by the Subcontractors so the excess monies could be used to fund bribes;
•      Payment of salaries to INPP Officials while they were ‘employed’ by Subcontractor B;
•       Providing travel and entertainment to Officials to Florida, where DS&S has no facilities and which travel and entertainment had no reasonable business purpose; and last but not least…
•      Purchase of a Cartier watch as a gift.

II.                The Deferred Prosecution Agreement

I set out these details with some specificity for two reasons. The first is that the Information is a must read for anyone in Internal Audit who reviews books and records. It gives you the precise types of Red Flags to look for. But secondly is the fact that DS&S received a discount of 30% off the low end of the penalty range as calculated under the US Sentencing Guidelines. The calculation as listed in the DPA is as follows:

Calculation of Fine Range:

Base Fine $10,500,000

Multipliers 1.20(min)/2.40(max)

Fine Range $12,600,000/$25,200,000

The ultimate fine paid by DS&S was only $8.82MM, which the DPA states is “an approximately thirty-percent reduction off the bottom of the fine range…” So for the compliance practitioner the question is what did DS&S do to get such a dramatic reduction? We know that one thing they did NOT do was self-report as the DPA notes that this case began as a DOJ investigation and DS&S received Subpoenas “in connection with the government’s investigation.” However, after this initial delivery of Subpoenas DS&S engaged a clear pattern of conduct which led directly to this 30% discount of the low end of the fine range. The DPA reports that DS&S took the following steps:

 

• Internal Investigation. DS&S initiated an internal investigation and provided real-time reports and updates of its investigation into the conduct described in the Information and Statement of Facts.
• Extraordinary Cooperation. DS&S’s cooperation has been extraordinary, including conducting an extensive, thorough, and swift internal investigation; providing to the Department searchable databases of documents downloaded from servers, computers, laptops, and other electronic devices; collecting, analyzing, and organizing voluminous evidence and information to provide to the DOJ in a comprehensive report; and responding promptly and fully to the DOJ’s requests.
• Extensive Remediation. The number of steps DS&S took in regard to remediation included the following:
  • Termination of company officials and employees who were engaged in the bribery scheme;
  • Dissolving the joint venture and then reorganizing and integrating the dissolved entity as a subsidiary of DS&S;
  • Instituting a rigorous compliance program in this newly constituted subsidiary;
  • Enhancing the company’s due diligence protocols for third-party agents and subcontractors;
  • Chief Executive Officer (CEO) review and approval of the selection and retention of any third-party agent or subcontractor;
  • Strengthening of company ethics and compliance policies;
  • Appointment of a company Ethics Representative who reports directly to the CEO;
  • The Ethics Representative provides regular reports to the Members Committee (the equivalent of a Board of Directors in a LLC); and
  • A heightened review of most foreign transactions.
  • Enhanced Compliance Program. More on this in the next section.
  • Continued Cooperation with DOJ. The company agreed to continue to cooperate with the Department in any ongoing investigation of the conduct of DS&S and its officers, directors, employees, agents, and subcontractors relating to violations of the FCPA and to fully cooperate with any other domestic or foreign law enforcement authority and investigations by Multilateral Development Banks.

III.             Enhanced Compliance Obligations

One of the interesting aspects of the DS&S DPA is that there are 15 points listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

13. DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.

14. DS&S will ensure that DS&S’s policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.

b. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance during an attempted acquisition and the Johnson and Johnson (J&J) Enhanced Compliance Obligations which were incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during Mergers and Acquisitions (M&A). The five keys under these new items, 13 & 14 highlighted above, are: (1) develop policies and procedures for M&A work prior to engaging in such transactions; (2) full FCPA audit of any acquired entities “as quickly as practicable”; (3) report any corrupt payments or inadequate internal controls it discovers in this process to the DOJ; (4) apply DS&S anti-corruption policies and procedures to the newly acquired entities; and (5) train any persons who might “present a corruption risk to DS&S” on the company’s policies and procedures and the law.

IV.              Summary

The DS&S DPA provides some key points for the compliance practitioner. First and foremost, I believe that it demonstrates the reasonableness of the DOJ. The bribery scheme here was about as bad as it can get, short of suitcases of money carried by the CEO to pay bribes. The company did not self-report, yet received a significant reduction on the minimum level of fine. The specificity in the DPA allows a compliance practitioner to understand what type of conduct is required to not only avoid a much more significant monetary penalty but also a corporate monitor. Lastly, is the specific guidance on FCPA compliance in relation to M&A activities, to the extent that if anyone in the compliance arena did not understand what was required in the M&A context; this question would seem to be answered in the DS&S DPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

How Lin-sanity Informs Your Compliance Program: Lesson II

Lin-sanity still reigns. How can you make this determination? I will give you two signs to consider. First Spring Training is in full force and here I am not only thinking about the NBA but also writing about the NBA. Second, I ordered the NBA League Pass package so that I can watch Jeremy Lin play each night the Knicks are on television. (Sam Rubenfeld is smiling somewhere.) But Lin-sanity still continues to inform the compliance practitioner and compliance programs.

How does Lin-sanity continue to inform your compliance program? That question came to mind as I was reading the Saturday edition of the New York Times (NYT) in an article, entitled “The Evolution of a Point Guard”, by reporter Howard Beck. In his article Beck destroyed the myth that Jeremy Lin emerged literally “overnight” as a star in the NBA. Beck wrote that this part of the Lin Legend is “altogether flawed, or at least woefully incomplete.” In my last piece on Lin-sanity and compliance I wrote about the analyst who saw the seeds of Lin’s play in his years at Harvard. Beck goes further to point out that the Lin who graduated from Harvard, got cut from both the Warriors and the Rockets is very different from the Lin who is now starting for the Knicks. How is Jeremy Lin different? Through hard work in his profession, the craft of basketball.

What work did Lin do that led to Lin-sanity? Beck went into extensive detail to report on the shooting drills he put in with an old coach to improve his jump shot; the personal fitness coach he worked out with to increase muscle size and speed; the tape of elite NBA guards he studied to learn how to set up and execute a pick and roll; the Developmental League time he put in to learn how to better read defensive double teams; and finally the lonely gym work to develop a 3-point shot. All of this hard work led to, as Beck quoted, a former coach of Lin’s saying that “He’s in a miracle moment, where everything has come together.”

Our last lesson learned from Lin-sanity was to look and think outside the box for compliance resources within your company. Lin-sanity Lesson Learned II is that the initial implementation or enhancement of a compliance program is only the beginning. It is after that time, the hard work really begins. So Jeremy Lin obviously, at least to one analyst, had some amount of talent coming out of college, but Lin-sanity did not begin until he put in all the hard work that Beck detailed in his article, you as a Chief Compliance Officer (CCO) or other person tasked within your company to implement or enhance a compliance program, must work equally hard to make the program truly best practices.

What are some of the things that you should do after implementation or enhancement? You should begin by reviewing your risk assessment to determine the nature and quality of the compliance risks that were defined. Use that list as a starting point to put in the hard work of remedying or better yet managing those risks. Some of the areas that you may need to remediate, while you are going through the initial implementation or enhancement phase of the compliance program, may be one or more of the following.

Foreign Business Representatives

A usual high risk is found by the use of agents, resellers, or other non-employee sales representatives in your company’s sales chain. You need to design a database where you collect information on all such foreign business representatives, such as contract term, underlying due diligence performed, commissions or other payments made to them over the past five years, nature of product sold or service provided and geographic territory. From this database you should risk rank these foreign business representatives and begin the process of remedial due diligence. If your sales model is distributors, you may need to review and assess your contractual rights and requirements for sales to certain end users for your products.

Supply Chain

There may be many persons or entities that represent your company that are located in the Supply Chain, rather than the sales chain. This could include freight forwarders, visa processors, customs clearance companies, law firms, licensing representatives or any other service provider who might interact with a foreign governmental official on behalf of your company. In addition to the information that you should collect in a database, similar to the one described for Foreign Business Representatives above, you should also go back and audit invoices from such government service providers, to determine if there are any issues existing from before the go-live date of your compliance implementation or enhancement.

Internal Controls

Your compliance program should consist of policies and procedures. However, it should also have the appropriate internal controls in place to effectively implement these policies and procedures across the organization. This means that policies from every department of the company may be impacted. Groups disparate as Human Resources, Finance, Accounting, IT, Treasury and others, will all have corporate policies that need to be reviewed and assessed through a Gap Analysis of your internal controls. Any discovered deficiencies will need to be remedied so that writing policies may well be a large part of your compliance effort going forward.

Human Resources

HR is key in any compliance program implementation, enhancement or ongoing evolution. One of the reasons that HR is so critical is that it is the group within your company which will be charged with identifying, evaluating and developing persons with strong ethical values who could become the leaders of your company tomorrow. As a compliance officer you will need to spend significant time with HR representatives to detect, train and promote such persons within your company to leadership and senior management positions in the years ahead.

There will certainly be other areas of your company which will need attention during your initial compliance program implementation or enhancement. It most certainly will seem like an overwhelming task. But here is where the Jeremy Lin example really kicks in. You do not have to create and perfect everything at once. Each step in the compliance journey builds on the prior step. The point is to keep moving. Your best practices compliance program will not emerge overnight, but as with Jeremy Lin, if you keep doing the things you need to do to make your compliance program more robust, you may well bring everything together to create a world class compliance program for your organization.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

The TI Six Step Approach to Implementing or Enhancing a Compliance Program

I often write about what I call the McNulty Maxims of Compliance. I heard them in a presentation by Paul McNulty to the Houston Chapter of the Texas General Counsel Association in my most recent corporate position. They were (1) What did you do to prevent it?; (2) What did you do to detect it?; and (3) What did you do when you found about it? These three maxims generally translate into (1) Your compliance program, made up of policies and procedures; (2) Your internal controls to serve as both a front-line detection and back-up against corruption; and (3) What remedial steps did your company take when they discovered the issue of concern?

So how does a compliance practitioner create the compliance program, or in McNulty Maxim terms create a “What did you do to prevent it?” compliance program? Many companies are still in the infancy of creating their compliance programs with their General Counsel or perhaps hiring an initial Compliance Officer. This person or persons may be somewhat overwhelmed about how to even get started. Transparency International, in its “Business Principles for Countering Bribery: TI Guidance Document” (“Guidance Document”) has provided a specific road map for the implementation of a compliance program. Although the Chapter in the Guidance Document is designed for the Transparency International’s “Business Principles for Countering Bribery: TI Six Step Process”; this process can be used as a guide for any compliance practitioner who must create a compliance program or who needs a guide to assess whether a compliance program should be enhanced.

Step 1

Action: Decide to develop an anti-bribery and anti-corruption policy.

Primary Responsibility: Owner of Company/Board of Directors/Chief Executive Officer (CEO).

Process: Commitment to anti-bribery and anti-corruption policy from the top of the company. Appoint a senior manager to head the compliance function and cross functional Project Team.

Time Span: One Month.

Step 2

Action: Plan the compliance program implementation.

Primary Responsibility: Appoint a senior manager of the Project Team, preferably the new Chief Compliance Officer (CCO).

Process: Define specific company risks and review current practices through a risk assessment, review all anti-bribery and anti-corruption, develop an  initial draft of the compliance program and obtain buy-in from senior management and key stakeholders through the risk assessment process.

Time Span: 3 to 6 months

Step 3

Action: Plan the project implementation: Appoint a senior manager to head risk assessment or bring in an outside expert.

Primary Responsibility: CCO or outside expert.

Process: Integrate the compliance program into your company’s organizational structure and assign appropriate responsibilities, develop detailed implementation plan including human resources policies, a communications program and training programs.

Time Span: 3 to 6 months.

Step 4

Action: Implementation: Getting the compliance program working.

Primary Responsibility: CCO in conjunction with persons brought into the compliance function.

Process: Communicating the compliance program both internally and externally as appropriate through training courses for employees and appropriate third parties, establish anonymous reporting hotlines and advisory function channels to provide employees guidance on day-to-day compliance issues, introduce a sanctions process for violation of the compliance program and a rewards process for conducting business in an ethical manner.

Time Span: One year.

Step 5

Action: Monitoring of the compliance program.

Primary Responsibility: CCO, Compliance Department, Internal and External Auditors.

Process: Regular reviews of the compliance program through basic testing, detailing of and reporting of all hotline calls, statistical reporting of any events or other significant issues which may arise.

Time Span: Continuous.

Step 6

Action: Evaluation of the compliance program.

Primary Responsibility: CCO, in conjunction with specialized outside counsel or external auditors, reporting to Audit/Compliance Committee or Board of Directors.

Process: Annual compliance assessment; quarterly reports to Audit/Compliance Committee of Board of Directors; no less than annual reporting to full Board of Directors.

Time Span: No less than annually. Full compliance audit bi-annually.

The TI six step guide provides the compliance practitioner with a manner to think through how to approach and implement a full compliance program. It can also be used to internally market to management how the program should be created and implement. In short it is yet another example of tools that TI has created and made available at no charge to the compliance practitioner to assist in moving forward to create or enhance a compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

FCPA and Bribery Act Best Practices- Written Compliance Policies and Procedures

One of the areas which is universally listed as a component of a best practices compliance policy under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act and OECD Good Practices is that of a written compliance code. However this is not an area that most compliance practitioners spend much time thinking about in the implementation, assessment or updating of their company’s compliance program. This article will discuss some suggestions to aid your efforts to create effective written compliance policies and procedures.

The following language for each of the above laws or policies sets out what is expected in the area of a written compliance policy and procedures:

• US Sentencing Guidelines-written standards and procedures to prevent and deter criminal conduct.
• UK Bribery Act-clear, practical and assessable written policies and procedures.
• OECD-written policy that clearly states that bribery is prohibited.
• Recent DPAs (IE, Panalpina Settlements)-clearly articulated and visible policy.

In his book entitled, “Achieving 100% Compliance of Policies and Procedures” author Stephen Page lists five key areas which he believes should be addressed in writing effective compliance policies and procedures. He believes that if a compliance practitioner follows these pointers in drafting and implementing compliance policies and procedures, the “highest degree of success” can be achieved. His five suggestions are as follows.

1. Management Commitment- A Key to Success or Failure. While it is true that without top management commitment, any compliance program will not succeed. However Page defines this as more than simply “Tone at the Top”. Here Page suggests have at least one senior management be a sponsor of written policies and procedures. This not only demonstrates commitment but also provides the compliance practitioner a liaison to other senior managers.
2. Importance of Writing “Effective” Policies and Procedures. Here Page focuses on the word “effective” and he defines this as “producing a decided, decisive, or desired effect.” He also suggests that the policies and procedures be well coordinated throughout and each written document should be “convincing, proficient and competent.”
3. Plan of Action for Writing Effective Policies and Procedures. In his book, Page lists out a very detailed 40-step plan of action for writing effective. This 40-step plan is broken down into four general areas. They include: (1) research and analyze; (2) publish and communicate; (3) check and audit; and (4) report and improve. The delineation of the 40-step plan into these four phases allows the work to be segmented, if appropriate into a group project.
4. Flow Chart. Page believes that by the use of a flow chart in the writing process, can show the author(s) where “fuzzy processes and procedures disrupt quality and productivity.” Such a technique allows the person or group involved in the drafting process to both “define the boundaries” of each policy and procedure and to assist in the final output.
5. Writing Format. Page defines this term as providing “a structure for information collected during the research and analysis phase of writing.” He notes that any reader of policies and procedures is there to find information quickly and efficiently. The writing format should be clearly understood and obvious to the reader. Headings should direct the reader’s attention and the content should be clear and concise. Lastly, any changes or revisions made to policies and procedures should be clearly set out so it is communicated to the reader.

As noted above, written compliance policies and procedures is a key to any best practices compliance program. Stephen Page has provided thoughtful, yet concrete guidelines to assist the FCPA or Bribery Act compliance practitioner to create written policies and procedures which are understandable and accessible to your company’s employees. We commend his book to you as a valuable resource.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011