FCPA Compliance and Ethics Blog

May 16, 2013

Four Keys to Compliance Leadership

One of the most divisive moments in American history occurred on this date in 1868. On this day the US Senate voted against impeaching President Andrew Johnson, thereby acquitting him of having committed “high crimes and misdemeanors” as required under the US Constitution. After all the arguments had been presented for and against him, Johnson waited for his fate, which hung on one swing vote, as the Constitution requires a vote of 2/3rds of the Senate for impeachment. The vote was one short, at 35-19. Johnson was acquitted and finished out his term. If Johnson had been impeached, it surely would have led to a very different political development in the US, where not liking the sitting President could have become a constitutional basis for impeachment.

The Radical Republicans who ran the Congress immediately after the conclusion of the Civil War certainly did not think much of President Johnson’s leadership style. So what about you as a compliance officer? Certainly part of your leadership is implementing and enhancing policies and procedures? In many ways it is the human element, which President Johnson sorely lacked, that you may well need to devote most of your time focusing on. I recently read an excellent article in the Corner Office section of the New York Times (NYT), entitled “We’re Family Yes, but We’re Still Accountable”, in which Adam Bryant reported on his interview with Brooke Denihan Barrett, the co-Chief Executive Officer (co-CEO) of the Denihan Hospitality Group (Denihan), a 50-year-old family business which focuses on the hospitality business.

Training

One of the things that Barrett has learned is how to train people. She explained that “I thought the way you got things done was by telling people what to do. That’s where I learned what not to do. I spent a good portion of my time telling people what they did wrong instead of really encouraging them about what they did right.” She came to realize that was perhaps not the best way to manage people and “learned to cut people some slack.” She said that she found “that you get a lot more with the carrot routine than the stick routine. I also realized that you really needed to explain the “why” of things. You need to give people a little bit of space to come around, and say, “Yeah, that makes sense,” before you really engage them in what needed to be done.”

I found that her final point may be critical for compliance training. By explaining the why of compliance, employees can better understand what the company is trying to accomplish. So if your goal is to do business in an ethical manner, then explain this and how the company’s compliance program will help to accomplish this goal through its policies and procedures.

Accountability

One of the things that Barrett emphasized was the erroneous perception that because her company was a family business there was no accountability. She made clear that “You have to set certain standards that you want people to live up to. And if people need help, then we want to help them along the way.” However, accountability is a two-way street. Just as the employee must be held accountable, so must the company in terms of providing support to employees who want to do the right thing and to do their job well. Barrett said, “Sometimes organizations can fall down if they don’t also ask: How do you give people the tools they need to be successful? How do you get that person to understand what change needs to happen, and how do you help them along the way? Because people can’t always figure it out on their own, and nor should you expect them to.”

Listening

Many of the CEOs that Bryant interviews for his Corner Office section speak about the need for listening skills. Barrett was no exception. But as CEO she found that employees were sometimes reluctant to speak openly and candidly with her. So she began to meet with employees in small groups of 10 to 12 people. At Denihan they call them ‘Roundtables’. Barrett said that she will say to them ““Tell me something I don’t know.” And I’ll get comments like: “Oh, but you know everything. You’re the C.E.O.” It’s just a reminder of the perceptions that people have of the head of the company. But every time I ask that question, I learn something new.” Imagine as a compliance officer if you were to ask that question in a roundtable, what do you think you might hear back from your company’s employees?

Barrett also spoke about how to have a ‘difficult conversation’. She said that if there is a mistake made she views it as an opportunity for learning and professional growth. At Denihan, they call them ‘lessons learned conversations’ and they may occur with a group where a problem has arisen. Barrett related, “we might bring people together in a room who were involved in a project and ask: What were the things that worked? What were the things that didn’t? What could we have done differently? And we’ve had some very spirited and cathartic conversations. You have to be able to let people put something on the table without actually pointing the finger. It allows things to come out in more of a non-accusatory manner.”

Hiring and Promotion

These are two key areas in compliance that are finally beginning to receive the attention that they deserve. Barrett’s thoughts on how she views these in the context of her interviewing are instructive. She acknowledged that by the “time somebody meets me, you can assume that the skills are there. So what I interview for is fit. And I’m always very curious to know, what is it about our company that appeals to that person?” She asks specifically about culture, requesting that the candidate define it and explain how they think that culture is special. She also asks candidates to talk about a failure, what lessons they learned from the experience and how they dealt with it. I would suggest that both of those lines of inquiry should be used when evaluating a candidate for hire or promotion.

Barrett’s interview provided some interesting insights on leadership. Moreover, her experience in professional growth has shown there are different styles and techniques that you can successfully use in your company’s compliance program. Train people on the reasons why your company is doing compliance so that they will understand how to do it. Make them accountable but also provide them with the compliance tools and support to do business the right way. If there is a problem or issue, use it as a lesson learned so that employees can profit from the experience. Lastly, make a discussion of culture a cornerstone in your hiring interview or promotion interview process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 15, 2013

Moving Compliance through an Organization

We often talk about tone at the top. But in many ways it is tone further down the organization which is more important, for this is where the rubber hits the road and compliance is done on a day-to-day basis. I recently saw a couple of articles in the March/April Issue of the SCCE Magazine which discussed the “How-To” of compliance. They drove home several excellent ideas on specific steps that the compliance practitioner can use to move the compliance discussion from simply a tone from senior management that we will do business the right way down into middle and lower levels of the company where most of the business gets done.

The first article, entitled “Success: You hit the target you aim at”, is by Frank Navran. In this article, one of the things that Navran discussed was the “How-To” of making change in ethics and compliance occur throughout the organization. He listed seven steps which he believed can not only make change happen but can make it stick as well.

  1. Position, philosophy and belief. Interestingly, Navran begins not with a top down item but a bottom up approach. He believes that an “organization’s and senior leadership’s positions can typically be improved, supplemented, and/or modified with input from employees and other stakeholders.” Further, once all company stakeholders, both up and down the chain, have inputted into the organization’s core beliefs, they will become “integral to the identity of an organization.”
  2. Formal organizational systems. Navran believes that formal systems are needed to guide everyone’s “day-to-day behaviors” in an organization. Without these formal structures in place, even the most robust informal system for doing business in an ethical and compliant manner can be “demolished by one or two serious infractions.”
  3. Informal leadership systems. Navran nails this concept by stating the “Informal leadership is not about what we say. Rather it is about what we do.”
  4. Measures, rewards and sanctions. Navran notes that typically what you measure is what you get. This makes it imperative that ethical standards are communicated as clearly as the “objective outcomes that are the more conventional measures of success.” It is equally important that the sanctions for non-ethical or non-compliant behavior be levied and such conduct not allowed to continue.
  5. Communications and education strategy. It matters not only what we say but how we say it. Navran emphasizes that “If we want our commitment to ethics to be credible, then it has to be reflected in both our words and actions. It has to be mirrored in what we teach, both formally and by example.”
  6. Response to critical events. Navran believes that the most important indicia “in determining what others believe to be our priorities is how we behave in response to a critical event. What we do when the stakes are high, time is short, and the pressure is on reveals our priorities and our principles.” So when the pressure is on and the whole world is watching, if leaders act according to their stated vows of doing business ethically and in compliance, this will send a strong signal to the rest of the company. And, simply put, if they do not, employees will understand their true values.
  7. Hidden agendas. If employees believe that leaders have a hidden agenda, they lose credibility as a leader. Navran thinks that it is important that the “perceived motives and agendas are consistent with how we behave and what we say, expect, or require of others.”

Navran ended his story with an interesting parable, that of the “wrong rock”. In this story, a manager asks you to perform a task, which is to go outside and get a rock. You do so. When you return, the manager says that you did not get the rock he wanted. Navran derives from this tale that “If you know the goal and the associated success criteria, it is easier to succeed the first time.” So if doing business in an ethical and compliant manner is your goal, it will help employees if you provide them with the values you wish them to hold through your own actions.

The second article which caught my eye was authored by Shelley Aul and Christina Reese and is entitled “Your board is engaged, but what about management?” In this article, the authors discuss some of the questions presented at a session at the SCCE 2012 Annual Conference. In this session, they asked the following questions, “what about your organization’s “mood in the middle” and “buzz at the bottom”?” They listed some of the successes they heard from the conference attendees for engagement of all employees in compliance and ethics. The suggestions included:

  1. Create an Ethical leadership award - Award management and employees for going above and beyond expectations.
  2. Host an internal ethics and compliance conference - Have your company host an in-person or virtual conference with management where they learn about ethics and compliance topics that are important to them and their roles.
  3. Create ethics and compliance liaisons/champions/networks - Identify employees from across your organization who can act as an extension to your program. The representatives can be leveraged to share information with employees and they can relate information back to you to help improve the program.
  4. Create ethics and compliance targets and goals - Implement an ethics and compliance component into performance reviews and bonus goals for all employees.
  5. Sponsor Ethics and Compliance Week - Work with management to participate in a companywide Ethics and Compliance Week.
  6. Leverage internal company e-newsletters - Add a “Compliance Corner” to an already existing management-only e-newsletter. In doing so, you can provide information and scenarios to discuss in their department/team meetings, without having to create an additional email.
  7. Create Management toolkits - Develop a toolkit with ethics and compliance resources that management can easily use. Post the toolkit in an online portal and keep it updated when things change.
  8. Meet with new hires - A compliance department representative should meet one-on-one with new hires or newly promoted managers. Explain to them your role, the resources available to them and follow-up with them periodically. The compliance function should develop such relationships early.
  9. Develop peer-to-peer recognition programs - Proactively seek employees who are doing what’s right by asking them to nominate coworkers who have helped them in their jobs. Have management locally recognize those who are selected.
  10. Train the trainers - Train your management to cascade training by having them train their staff on ethics and compliance-related matters.

Both of these articles lay out some excellent, practical ideas that the compliance practitioner can put to use or use to measure a compliance program against. If you are not a member of SCCE, you should join, because the information it makes available to the compliance practitioner makes it one of the best value compliance resources on the market.

———————————————————————————————————————————————————————-

Compliance Week needs your help! Compliance Week and Kroll Advisory have teamed up to undertake a major survey on corporate anti-corruption programs, and are asking compliance executives to participate. The survey itself—the 2013 ‘Global Anti-Bribery Benchmarking Report’—can be found here:

http://surveys.harveyresearch.com/se.ashx?s=0D146E2D11F8D225

The survey should take no more than 20 minutes to complete. It asks about the bribery risks you have, procedures you use to train employees and vet third parties, the size of your compliance team, and more. Rest assured, all submissions will be secure and anonymous. The deadline to submit information is end of business on Friday, March 15.

Results of the survey will first be presented at the Compliance Week 2013 annual conference in Washington, May 20-22 (www.ComplianceWeek.com/conference), and later published in a special supplement of the Compliance Week magazine.

Anyone with questions can contact Compliance Week editor Matt Kelly at mkelly@complianceweek.com.

———————————————————————————————————————————————————————


February 18, 2013

Doing Business In Italy-Step Up Your FCPA Compliance Now

Ed. Note-I met last week with Craig Bloom, a colleague who practices law in Houston. Craig, who is fluent in Italian, was telling me about some of the compliance issues that have been percolating in Italy and in Italian companies. I asked him if he would write a piece on his thoughts, which he graciously agreed to do…

———————————————————————————————————————————————————————-

Former Italian Prime Minister Silvio Berlusconi is no stranger to scandal and controversial statements, but lately his words and actions seem to be providing cause for concern outside of the European Union.

Last week, the Wall Street Journal, in addition to Italian media outlets, reported that the Chief Executive of one of Italy’s largest conglomerates, Finmeccanica, SpA, Giuseppe Orsi, was arrested under allegations of bribery in Finmeccanica’s sale of twelve helicopters to the Indian Government in 2010. As a result, the Indian Government has suspended the sale pending an investigation into these allegations. It is important to note here that according to the Wall Street Journal, the Italian Government owns just over 30% of Finmeccanica. Now, Italian investigators are looking into the company’s dealings in Latin America, Asia, and other EU countries.

But Berlusconi added even more fuel to the fire last week, while speaking to an Italian news channel, by stating his belief that bribes are a necessary part of doing business. Quoting the Italian newspaper Corriere Della Sera, in an article entitled, “Paying Bribes Abroad A Matter of Necessity”, he said “We can no longer compete abroad. We’ve been shooting ourselves in the foot. No one will do business any more with ENI, or ENEL, or Finmeccanica. Bribery exists. It’s pointless to ignore reality. Paying a bribe abroad is a matter of necessity.” But the former Prime Minister, who is running for reelection, did not stop with those remarks. “Bribery is something that exists and you can’t ignore situations of necessity if you are going to negotiate with third-world countries or certain regimes.” Certainly, had these comments been made by an American presidential candidate, they would be refuted in the strongest of terms by officials, if for no other reason than to distance themselves from the comments. Not so in Italy. Said the current Prime Minister Mario Monti, “It is a fact that bribes are often part and parcel of business, particularly in some countries, but that they should be looked on as necessary and unavoidable is something I reject.” It should be noted that Prime Minister Monti went on to blame Berlusconi for failing to pass an anti-bribery law during his tenure.

ENI’s Problems

According to its website, ENI, Italy’s largest petrochemical provider, currently conducts business in several American locations, including Houston, Fort Worth, and Anchorage, in addition to off-shore operations in the Gulf of Mexico. The Italian Government is a 30% shareholder in the company. That ENI does business in the United States and is required to file reports with the SEC every year makes it subject to the jurisdiction of the FCPA.

There have been several investigations performed in response to allegations of bribery payments by ENI subsidiaries, specifically in Algeria. These investigations and allegations obviously make ENI a large target for Justice Department or SEC investigations, not only in the United States. Though it is outside the scope of this blog, companies doing business with ENI potentially leave themselves open to UK regulatory actions under the UK Bribery Act.

Effective Compliance in Light of These Developments

What does this mean for the compliance professional in the US or UK? The short answer is likely obvious: companies need to be extra diligent in their dealings in Italy and with Italian third parties. But this short answer ignores several nuances outlined in the hallmarks of an effective compliance program stated in the recently released DOJ/SEC FCPA Guidance.

The Guidance places emphasis on risk management. Ostensibly, a corporate compliance professional should be more concerned about actionable FCPA violations in a country such as Somalia (dead last in the 2012 corruption index) than about violations in Denmark, New Zealand, or Finland (all tied for first). As a reference point, Italy’s place on the Transparency International Corruption Index last year was #74, #69 in 2011, and #67 in 2010. While that variance may be attributable to factors outside of Italy’s control, its overall score has been about average over the past three years: 42 in 2012, 39 in 2011, 39 in 2010. Transparency International’s report states that two-thirds of the over 170 countries on the list have a score of 50 or less, and this obviously includes Italy. According to Transparency International, these indices are determined based on perception. “Capturing perceptions of corruption of those in a position to offer assessments of public sector corruption is the most reliable method of comparing relative corruption levels across countries.” The recent statements made by both Mr. Berlusconi and Prime Minister Monti could not have been accounted for in these corruption indices. If, however, the true metric for measuring corruption is public perception, then these public statements cannot help but cast doubt on Italy’s true position on this list, and subsequently the perception of corruption. Imagine former President George W. Bush or former Prime Minister Gordon Brown making similar public statements with regard to the inevitability and persistence of bribery in developing nations… So regardless of specific formula or calculus, it would behoove any US or UK company doing business in Italy or with Italian companies to analyze bribery and corruption risks in light of these recent public statements.

Obviously this problem extends to third party representatives who perform services in Italy. While the Guidance cautions against a one-size-fits-all policy, a willingness to step up due diligence in light of recent events involving Italy would also be good corporate governance. This can take many forms, but may include the necessity to scrutinize whether an Italian intermediary is truly necessary to accomplish the multinational organization’s goals. Additionally, the company might want to double its efforts to audit the Italian third parties, potentially performing more frequent audits or requesting more highly detailed reports. Finally, if the DOJ/SEC are aware that efforts have been increased to combat these prohibited practices, they are more likely to be lenient on the company.

A compliance practitioner should keep abreast of changes or other information which may indicate a greater risk of bribery and corruption. When the former Prime Minister of a country you are doing business in or with says that bribery is just a requirement of doing business, this puts you on actual notice that something may well be amiss. The time is now for you to assess your risks, perform more or additional due diligence, monitor and audit your third parties in that country and then train any high risk parties. The same would be true for any joint venture relationships that you might be in with companies from said country. Do not wait; do it now, as you have been warned….

———————————————————————————————————————————————————————-

If you need assistance regarding any Italian FCPA issues, I suggest that you contact Craig Bloom. He can be reached at craig.a.bloom@gmail.com.

———————————————————————————————————————————————————————-


January 31, 2013

How Do You Move Ethical Values Down Through Your Company?

What do employees want most in their company’s values? That is a question that has plagued companies for many, many years. I would argue that one of the concepts which should be in the conversation is respect for a company’s ethical values. One of the tasks in any company is to get senior and middle management to respect the stated ethics and values of a company, because if they do so, this will be communicated down through the organization. This topic was explored in a recent article, entitled “If the Supervisors Respect Values, So Will Everyone Else”, in the Corner Office section of the New York Times (NYT), when reporter Adam Bryant interviewed Victoria Ransom, the Chief Executive Officer (CEO) of Wildfire, a company which provides social media marketing software.

Company Values

Ransom spoke about the role of senior management in communicating ethical values when she said “Another lesson I’ve learned as the company grows is that you’re only as good as the leaders you have underneath you. And that was sometimes a painful lesson. You might think that because you’re projecting our values, then the rest of the company is experiencing the values.” These senior managers communicate what the company’s ethics and values are to middle management. So while tone at the top is certainly important in setting a standard, she came to appreciate that it must move downward through the entire organization. Ransom came to realize “that the direct supervisors become the most important influence on people in the company. Therefore, a big part of leading becomes your ability to pick and guide the right people.”

Ransom said that when the company was young and small they tried to codify their company values but they did not get far in the process “because it felt forced.” As the company grew she realized that their values needed to be formalized and stated for a couple of reasons. The first was because they wanted to make it clear what was expected of everyone and “particularly because you want the new people who are also hiring to really know the values.” Another important reason was that they had to terminate “a few people because they didn’t live up to the values. If we’re going to be doing that, it’s really important to be clear about what the values are. I think that some of the biggest ways we showed that we lived up to our values were when we made tough decisions about people, especially when it was a high performer who somehow really violated our values, and we took action.” These actions to terminate had a very large effect on the workforce. Ransom said that “it made employees feel like, “Yeah, this company actually puts its money where its mouth is.””

Ransom wanted to make clear to everyone what senior management considered when determining whether employees “are living up to the company culture.” The process started when she and her co-founder spent a weekend writing down what they believed the company’s values were. Then they sat down with the employees in small groups to elicit feedback. Her approach was to look for what they wanted in their employees. They came up with five.

  • Passion: Do you really have a thirst and appetite for your work?
  • Humility and Integrity: Treat your co-workers with respect and dignity.
  • Courage: Speak up – if you have a great idea, tell us, and if you disagree with people in the room, speak up.
  • Curiosity: They wanted folks who would constantly question and learn, not only about the company but about the industry.
  • Impact: Are you having an impact at the company?
  • Be outward-looking: Do good and do right by each other.

Leadership

Ransom came to realize that as her company’s leader, more was expected from her. Her employees listened to what she said. This is one of the best descriptions of ‘tone at the top’ that I’ve seen. Ransom “started to realize how what you say can have such an influence. You can’t just say things off the cuff anymore, because people take it so much more seriously than you ever meant it. And that can be good and bad. The bad is that you might say something sort of flippant, or you’re trying to be really transparent and honest with the team about the challenges we may have. But that can get passed on down the line and repeated until there’s a panic.”

But equally important was what she does not say. This is because she learned “how comforting what I say can be to the team, even if I’m not giving the answers. I thought at first that I always needed to be able to give them the solution, but I realized that actually that wasn’t needed at all. All that was needed was acknowledging the challenges, and showing that we’re on top of it and we get it.”

Ransom had an equally valuable insight when she talked about senior management and ethical values. She believes that “the best way to undermine a company’s values is to put people in leadership positions who are not adhering to the values. Then it completely starts to fall flat until you take action and move those people out, and then everyone gets faith in the values again. It can be restored so quickly. You just see that people are happier.”

I found the Ransom interview to be quite useful to the compliance practitioner. She makes clear that ‘tone at the top’ is only one key to instituting ethical values throughout your organization. It also means ‘tone in the middle’ and ‘tone at the bottom’. But she points out not only how to establish that tone but more importantly how to walk the walk of ethics and compliance. Her interview also showed the importance of establishing the values that you want in your company. By doing more than simply writing and then announcing them, through her work with small employee groups she was able to get buy-in from everyone. This was more than communication, this was collaboration. If you make your employees feel that they are a part of the process you will have greater success in your mission to bring ethical values to your organization.

============================================================================================

Please join Patrick Taylor, CEO of Oversight Systems and myself tomorrow afternoon for a webinar on Anti Corruption and On-going Transaction Monitoring. The webinar will be at 2 PM EST and is free. For registration and information click here.

============================================================================================


January 25, 2013

Chesapeake Lighthouses and Lighting the Way for Compliance

In the winter 2013 issue of the Colonial Williamsburg magazine is an article by Michael Lombardi, entitled “Lighthouses Marked the Shoals of the Commerce Clause”. In this article, Lombardi wrote about four lighthouses authorized by Congress in the late 18th and early 19th century to light the way for sailors in Chesapeake Bay. The four lighthouses were the Cape Henry Lighthouse, the Old and New Point Comfort Lighthouses and the Smith Point Lighthouse. All four still exist today and one, the Old Point Comfort Lighthouse, is still in operation.

I thought about the story of these lighthouses and how they literally lit the way for sailors for over 200 years when I read an article in the Q2 issue of Ethisphere Magazine, entitled “Imagination Working with Integrity: How General Electric Creates a Global Culture of Ethics”, by Michael Price. Price discusses how General Electric (GE) has made “ethics and compliance a benchmark of its operations around the world, and is, in many ways the gold standard that other companies look to when it comes to modeling global compliance and ethics programs.”

I also considered these lighthouses in the context of how GE sets the tone for ethics and compliance and then communicates that commitment throughout its organization. Obviously it all starts at the top and GE is a prime example of this strength. Price noted that GE’s top brass meets annually at a conference where one of the frequent topics was ethics and compliance and the need for integrity in GE. Following this meeting of the GE senior management, they cascade down this commitment to middle management and emphasize the reputational risk to GE should there be a violation of the Foreign Corrupt Practices Act (FCPA) or other anti-corruption statute by the company. The middle managers then further cascade this message down so that it goes through the whole company at regular intervals.

Price made clear that one thing that GE will not tolerate is a manager who fails to take ethics and compliance seriously. This extends to managers who were ignorant of compliance issues in their units. He wrote that GE has “removed people from leadership positions when they didn’t know there was a problem”. GE demands that its management not only be aware of compliance in their units, but also ask “the right questions when they are faced with an uncertain situation”.

As you might expect from a company which has business in over 100 countries, GE has to work with many different cultural norms. It can be that “different cultures have different frameworks for understanding integrity and how to confront unethical conduct.” So, for instance, to overcome some cultural barriers of reporting unethical conduct GE has “five different pathways in which employees around the world can bring their concerns to management’s attention.” These pathways include the following:

  • Employees can talk directly to their managers;
  • Employees can go to talk to people in the compliance function;
  • Employees can go to talk to someone in the legal department;
  • Employees can take their concerns to HR; and
  • Employees can report anonymously to an ombudsman through a variety of channels.

GE provides several types of training in each of these methods and has “Compliance Days” in “which the company discusses compliance issues and reiterates the importance about employees raising concerns about unethical practices.” The article makes clear not only how seriously GE takes compliance but that it believes its commitment to ethical practices makes it stand out as a market differentiator. I would say that ethics and compliance is even a lighthouse for corporate culture at GE, in many ways, leading the way by which GE does business and conducts itself.

I once worked for a major oilfield service company where it was clear that safety was the Number 1 priority. We started every meeting with a safety moment. Each year, there was one day where the entire company stood down and met on safety on a world-wide basis. Both of these techniques emphasized to me not only the importance of safety but that safety was my responsibility as well, even though I was a lawyer doing international transactional work. This was another lighthouse but it was one for safety.

As a recovering trial lawyer who has handled many personal injury lawsuits and then worked in the energy industry, I will always consider safety as Mission Number 1 but I would like to propose that ethics and compliance is Mission 1A in your company. Try some of the techniques that GE uses to communicate its commitment to ethics and compliance. It does not cost anything to have senior management meet with middle management and tell them about the company’s commitment to integrity. It does not cost anything to allow employees to speak with their immediate managers about concerns over unethical practices, go talk to someone in the compliance department or legal department about such concerns or report their concerns to HR. If you do not have an anonymous reporting line, it is about time you invested in one. I do recognize that many companies do not have an ethics and compliance ombudsman but the key concept there might be that by having such an impartial position, employees believe they will be treated fairly.

How about having a compliance moment before every meeting? By having such a moment before every meeting you can not only provide some teachable moments but also drive home the concept that compliance is everyone’s responsibility not just the responsibility of the compliance or legal department. How about a Compliance Day? If you cannot go that far, I would suggest that you hold a series of brown bag lunches where you talk about doing business with integrity through ethical and compliant business practices. You could hold them throughout the company.

One thing I learned as a lawyer is that you are only limited by your imagination. Try to get the message out because compliance is, in many ways, the 21st century lighthouse for doing business.

© Thomas R. Fox, 2013

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want to discuss the 10 points listed as the “Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has included in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that, depending on a variety of factors such as size, type of business, industry and risk profile, a company should determine what is appropriate for its own needs regarding a FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words, you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what they expect in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime. So assess your company’s risks and use these hallmarks as a basis to move forward.

© Thomas R. Fox, 2013

October 29, 2012

10 Questions to Better Management Practices in a FCPA Program

One of the things that I sorely lacked when I worked in-house was any guidance on management practices towards the implementation of either legal or compliance initiatives. Most legal and compliance departments do not train their attorneys or compliance practitioners on management practices for compliance program implementation, enhancements or upgrades after a risk assessment. I was therefore very intrigued when I came across an article in the November issue of the Harvard Business Review, entitled “Does Management Really Work?” by Nicholas Brown, Raffaella Sadun and John Van Reenen. I found the article very useful because it gave succinct advice about what a business can do to improve its management practices and determined that this advice can be applicable to a compliance program.

The authors tested three essential practices which they believe can address even the most complex global problems. The three principles which they believe “are generally considered to be the essentials of good management” are:

  • Targets: Does the organization support long term goals with tough but achievable short-term performance benchmarks?
  • Incentives: Does the organization reward high performers with promotions and bonuses while retraining or moving underperformers?
  • Monitoring: Does the organization rigorously collect and analyze performance data to identify opportunities for improvement?

You might read these and immediately think about Paul McNulty’s (Three) Maxims. I, however, believe that these three management practices can provide some assistance beyond McNulty’s queries. In the article, the authors’ research showed that businesses using these three techniques could not only set parameters but also measure against them, and generally had more and better productivity and overall better financial health.

From the compliance perspective, how can one use these three relatively straightforward techniques? Interestingly, the authors revealed some of the questions used in interviews with the over 8,000 manufacturers who took part in this project. I have selected 10 questions which you might want to put to use as a starting point for managing your compliance initiatives going forward, as I believe that they are very good questions to use in formulating a plan for compliance program implementation or upgrade. I would challenge you to think about some of the answers to these questions in the context of your compliance program.

  1. Interconnectedness of Targets – How are compliance goals cascaded down to individual workers? Everyone recognizes the importance of ‘tone-at-the-top’ as it is enshrined in the US Federal Sentencing Guidelines, the Department of Justice’s (DOJ) minimum best practices compliance regime and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. However, as many commentators now recognize, it is also tone in the middle and at the bottom, which may equally matter. So how do you ascertain and ensure that top management’s message gets cascaded down into your organization?
  2. Clarity and Comparability of Goals – Does anyone complain that your compliance targets are too complex? Certainly the initial rollout of a compliance program can be quite a large undertaking. Perhaps another approach might be to focus on high risk areas and remediate them by rolling out initiatives to manage those risks first and then move to other areas. Many companies have reviewed and remedied the third party sales side of their business but are only now looking at the Supply Chain or Procurement side of the equation. If you work on one such problem at a time, it can help move the overall process forward in a more orderly fashion.
  3. Consequence Management – How do you deal with repeated compliance failures in a specific business segment or compliance program area? This is certainly one question that you would want to consider carefully. Do you have problems with one business unit or one geographic area from the compliance perspective? Are gifts in China, for example, an ongoing issue for your company? What about travel and entertainment? Areas that show up again and again will merit more focused attention.
  4. Instilling a Mind-Set – How do senior managers show that attracting and developing talent who will engage in ethical business conduct is a top priority? Here you should consider bringing in your Human Resources Department for not only assistance but their expertise. If top management will make a commitment to this, you should work to create the appropriate mind-set of doing business the right way throughout your organization.
  5. Removing Poor Performers – How long is compliance underperforming tolerated? In many ways, this question is the flip side of number 4 above. I think that many companies would clearly say that they will discipline, up to and including discharge, any employee who engages in practices which violate the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. But this question drills deeper and forces a more rigorous analysis on not just FCPA failures by employees but poor ethical choices which may be less than full FCPA violations.
  6. Unique Employee Value Proposition – What makes it distinctive to work at your company? More pointedly, how can your compliance challenges be turned into business leadership opportunities? Ethisphere annually shows that its top list of the Most Ethical Companies outperforms the Standard & Poor’s (S&P) 500. If you can turn the distinctiveness of what your company does into a compliance plus in the marketplace, it could well make your business more profitable.
  7. Continuous Improvement – How do compliance programs that are not working typically get exposed and fixed? There is a difference between auditing and monitoring. Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For example, if you notice a trend of suspicious payments in recent monitoring reports from a country in the Far East, it may be time to conduct an audit of those operations to further investigate the issue.
  8. Performance Tracking – What key compliance indicators do you use for compliance tracking? Here you need to look at the metrics which you have developed. A good starting point can be with your hotline or helpline. What can you determine from the calls or reports which come in through these systems? What if you have not had any reports for several years, what should that be telling you about your communication to your employee base? Or does it mean that people have not been properly and effectively trained that a hotline or helpline exists and is available for their use or, more ominously, are afraid to make any reports for fear of retaliation or even losing their jobs? This is certainly something you should take a good look into, whichever way the metrics are going for your company.
  9. Performance Dialogue – For a given compliance problem, how do you identify the root cause? If you do not know what the cause of a problem is, you cannot successfully work towards remedying that problem. This does not simply mean firing any persons involved in a potential FCPA violation. You need to dig down and find out what allowed this issue to arise. I once heard that the difference between Japanese and American post-incident investigations is that in the US there is an attempt to assess blame; conversely, in Japan there is an attempt to find a solution to the problem. This is the approach that I believe compliance practitioners should take, to try and find a solution by determining the root cause of a compliance failure.
  10. Retaining – What are you doing to retain your top employees from the compliance perspective? This is not a question that is typically asked in the compliance department. But one thing you can look at is what your company is doing to retain, promote and take to senior management those employees who do business in an ethical manner and in compliance with your company Code of Conduct.

I found the article to be very useful when applied to the compliance practitioner by not only using the triumvirate of targets, incentives and monitoring as a management practice but also the questions that the authors posed in the context of your company’s own compliance program. We continually face the challenge of keeping up with the ever evolving compliance best practices with little or no budget increase. I found that this article had points which you can ask yourself, and of your compliance program, which can facilitate a robust discussion that can highlight areas for improvement.

© Thomas R. Fox, 2012

September 7, 2012

The Five Essential Elements of a Corporate Compliance Program-Part I

Next Tuesday morning, at the University Club of Chicago, Stephen Martin and I will co-present at a Foreign Corrupt Practices Act (FCPA) event hosted by Kreller. If you are in or near Chicago I hope that you can join us. The title of our presentation is “Anti-Corruption/FCPA Developments & Best Practices” and we will focus on a concept that Stephen and his partners at the law firm of Baker & McKenzie have developed which are five essential elements of a corporate compliance program. Over the next two posts, I will sketch out what Stephen and I will be presenting. In today’s post I will present the background to the development of the five essential elements and in Part II, I will go through the remaining elements.

First a word about Stephen Martin; for those of you who do not know Stephen Martin, he has a long and distinguished legal and compliance career. He was at the Department of Justice (DOJ) and then moved in-house, helping some of America’s largest companies to wade through major corporate scandals. He was most recently the General Counsel (GC) at Corpedia before heading into private practice at Baker & McKenzie. He has been around the (compliance) block more than once and I can assure you that he knows his FCPA compliance stuff. He is certainly one of the practitioners that I would go see to make a FCPA compliance presentation.

Why is it important to have such a compliance program? I will answer in two words, Morgan Stanley. The declination to prosecute, issued by the DOJ, provides the most recent and powerful evidence of the benefits of investing in compliance. Morgan Stanley’s pre-existing compliance program was highlighted in press releases and public comments as the biggest reason for the Government’s decision not to prosecute the bank. The decision not to prosecute was based on evidence of:

  • Rigorous internal controls;
  • Regular training and reminders on FCPA policy and compliance;
  • Internal policies addressing the corruption risks associated with the giving of gifts, business entertainment, travel, lodging, meals, charitable contributions and employment, that were updated regularly to reflect regulatory developments and specific risks;
  • Compliance program monitoring and auditing; and
  • Extensive pre-retention due diligence on business partners and stringent controls on payments to business partners.

The five essential elements of a corporate compliance program are based upon the best practices as set out in the seven elements of a corporate compliance program under the US Sentencing Guidelines; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. The following chart lists the elements of each.

While the above guidelines and statutes vary in length, tone and detail, depending on the jurisdiction and the enforcement agency, from this comparison Martin and his colleagues distilled five essential elements which they believe make up a best practices compliance program. They are as follows:

  • Leadership – color coded Red.
  • Risk Assessment – color coded Yellow.
  • Standards and Controls – color coded Blue.
  • Training and Communication – color coded Green.
  • Oversight – color coded Grey.

I. Leadership

The point means more than simply “Tone-at-the-top”. A successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by senior management; otherwise the program may amount to little more than a hollow set of internal rules and regulations. There should be an unambiguous, visible and active commitment to compliance. But even more than support or the right tone, compliance standards require that companies must have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. And compliance officers must have the ear of those ultimately responsible for corporate conduct, including the board of directors.

Some of the questions you might think about in connection with the leadership of your compliance program are the following: How is board oversight implemented? Is there an ethics or audit committee reporting to the full board? What is the role of the Chief Compliance Officer? What is the role of the General Counsel? How do the legal and compliance departments interact? Does the CCO have “real power”? Is she or he treated as a second-class citizen?

Equally the Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place and it should monitor implementation and effectiveness of the compliance program:

  • Be actively involved
  • Attend Board meetings
  • Review, consider and evaluate information provided
  • Inquire further when presented with questionable circumstances or potential issues
  • Once the Board knows of a potential compliance issue, it must act.
  • Regularly receive compliance briefings and training.

I think everyone agrees and understands that the Chief Compliance Officer (CCO) is a key, if not the key, role in a company’s compliance program. Some of the important indicia of a CCO are that they are high ranking within the company, are dedicated to compliance and are responsible for day-to-day management and oversight of the compliance program. The position should have direct access to the Board or appropriate Board committee and the Compliance Department should be provided sufficient resources to achieve its goals.

In addition to the role of the CCO, there should be compliance officers in high-risk markets who regularly communicate with managers in the field because country and/or regional managers are often the employees in the trenches who are responsible for overseeing sales people and third-party agents who are producing, selling and distributing the company’s products and services. Lastly, local managers are often in the best position to set the tone for compliance and to detect and address illegal or unethical practices before they become issues that put the company at risk.

II. Risk Assessment

The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high risk areas first.

What are some of the areas where you need to assess your risks? As set out in the DPAs of Tyson Foods, Alcatel-Lucent and Maxwell Technologies, the following are suggested:

  1. Country Risk - What is the correlation between growth markets and corruption risk and what is the perceived level of corruption? In other words, the Transparency International Corruption Perceptions Index or similar list.
  2. Sector Risk - Has the government publicly stated that the industry is under scrutiny or already conducted investigations in the sector? Are there corruption risks particular to the industry?
  3. Business Opportunity Risk - Is the business opportunity a high value project for your company? Are there multiple contractors or intermediaries involved in the bidding or contract execution phase?
  4. Business Partnership Risk - Does this business opportunity require a foreign government relationship? Does a foreign government require you to rely upon any third parties?
  5. Transaction Risk - Will your company be required to make any “compelled giving” through any requirements for political or charitable contributions? Are you required to use any intermediaries to obtain licenses and permits?

In addition to an initial risk assessment to either (1) inform your compliance program or (2) help you to identify high risks and prioritize their remediation, risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, ad hoc exercise cobbled together when convenient or after a crisis. They should be conducted at the same time every year, and you should deputize a consistent group, such as your internal audit department or enterprise risk management team, to conduct the annual review. Such annual risk assessments act as a strong preventive measure if they are performed before something goes wrong. In addition, enforcement trends and government priorities change rapidly so it is vital to stay up to date and conduct regular assessments. Lastly, it avoids a “wait and see” approach.

Risk assessments should also be used to scrutinize new business partners and third-party agents. The majority of FCPA/anti-corruption investigations and enforcement actions involve some use of third parties, including consultants, distributors, contractors and sales agents. Conducting a formal risk assessment each year provides an opportunity to take a closer look at recently-established business relationships to make sure partners and third parties do not have improper connections to government officials or some involvement in unethical or illegal conduct. Additionally, conducting such a risk assessment allows your company to proactively address and remediate any risks that are uncovered.

Stephen Martin and the Baker & McKenzie team have put together an excellent resource for the compliance practitioner in their five essential elements of a corporate compliance program. I hope that you can attend our FCPA event next week. For those of you who cannot attend in person, you can email me for the slide deck and other materials after the event.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

July 15, 2012

Penn State, the Freeh Report and Implications for the FCPA Compliance Practitioner

The Freeh Report was released last week. It detailed a series of actions and inactions taken by officials at Penn State University (Penn State) which allowed Jerry Sandusky to continue his abuse of young boys from at least 1998 up until the time he was arrested. This incident is the worst scandal involving the American higher education system that I have witnessed in my lifetime. As noted in a New York Times (NYT) article published on July 13, entitled “In Report, Failures at Every Level of Hierarchy”, the Freeh Report found a series of failures all the way up the Penn State chain of command. The article stated, “shortcomings that were the result of an insular and complacent culture in which football was revered, rules were not applied and the balance of power was dangerously out of whack.” As bad a situation as the Freeh Report portrays, I believe that there are significant lessons for the Foreign Corrupt Practices Act (FCPA) compliance practitioner and this post will try to draw out some of these lessons learned.

I. Insular and Complacent Culture

A. Failure of Top Officials and Role of a Board of Directors

The Freeh Report portrayed the Penn State Board of Trustees, the University equivalent to a corporate Board of Directors, “as passive overseers, so in thrall to the president and the coach that they failed to demand even the barest displays of accountability.” Even if the University President actively withheld information from the Board, a Board has the responsibility to ask tough questions. The NYT article quoted Anne Neal, president of the American Council of Trustees and Alumni, for the following: “For too long, the boards have been viewed more as boosters than as legal fiduciaries.”

In the aftermath of the Wal-Mart scandal, the FCPA Professor opined that the problems Wal-Mart encountered were largely a failure of corporate governance. While I disagree with the FCPA Professor on the quanta of the role of the Wal-Mart Board, I do agree that the Wal-Mart Board did not ask tough questions of its senior management regarding its FCPA compliance. If senior management deceives its own Board, that is certainly a big problem, but it is also a problem if the Board never makes the inquiries. In both the Wal-Mart case and the Penn State scandal, it appears the respective Boards abrogated their duties.

B. Reporting of Violations – Anonymous Reporting Hotline

One thing that the Department of Justice (DOJ) has insisted on for several years as a minimum best practice in FCPA compliance reporting is anonymous reporting. It can be found in the DOJ’s current formulation of minimum best practices, which reads:

9. Ongoing Advice and Guidance. The Company should establish or maintain an effective system for:

a. Providing guidance to directors, officers, employees, and its agents and business partners, on complying with the Company’s anti-corruption compliance policies, including when they need advice on an urgent basis or in any country in which the Company operates;

b. Internal and confidential reporting and protection of those reporting breaches of the law or professional standards or ethics concerning anticorruption occurring within the company, suspected criminal conduct, and/or violations of the compliance policies directors, officers, employees; and

c. Responding to such requests and undertaking appropriate action in response to such reports.

There were at least two separate instances where low level employees witnessed Jerry Sandusky abusing children. One incident was witnessed by Graduate Assistant Mike McQueary, who did report the incident to his supervisor, Head Coach Joe Paterno. While Paterno did report this incident to the University President, the Freeh Report found that the University President did not report this incident to any police or other authorities. As troubling as this incident is, perhaps more troubling is the incident involving Penn State employee Jim Calhoun, a school janitor who witnessed Sandusky abusing a child earlier, in 2000. Although Calhoun told another employee and his supervisor of the incident, not one of these three men reported the incident to the police or other authorities because they were all afraid of losing their jobs. This was after Jerry Sandusky had ‘retired’ from Penn State in 1999, so they should not have been afraid that Sandusky would threaten them. These men were so afraid of implicating the power of the Penn State football program that they were afraid to report the conduct. Apparently there was no anonymous mechanism for them to do so.

This description makes crystal clear why a company must have an anonymous reporting system. While I firmly believe that most employees will report misconduct if they see it or become aware of it if they care at all about their company, the Penn State situation makes clear that if there is fear and trepidation for such reporting, a system must be put in place to facilitate it. But a company cannot stop there. A company must have both the commitment to non-retaliation and train people on this key company component.

II. Rules Were Not Applied and Compliance with Legal Requirements

One of the laws that has become more widely known in the general populace since the Sandusky scandal broke is the Clery Act. This federal law requires colleges (and universities) “to pull together on crime from a variety of sources and warn the university community about potential threats. The law holds a wide range of college employees – including football coaches – responsible for contributing to the report.” While this law has been on the books since 1990, the NYT article said the Freeh Report found that Penn State officials “did not know until recently that anyone but the campus police had that obligation, and the police paid little attention to the law until 2007.” More damningly, Penn State did not even adopt a plan for complying with this law until 2009 and, when the Sandusky scandal was revealed last fall, the 2009 plan had still not even been adopted by Penn State.

The FCPA has been the law of the land since 1977. However, there are a large number of US companies which have never adopted any compliance program or have one that is so old, it bears little to no resemblance to current minimum best practices. The Clery Act was well known within the academic community just as the FCPA is well known within the US international business community. Simply put you must comply with the law. The legal liability for such failure can be astronomical. It could well lead to personal criminal liability for senior management of a corporation.

III. Where the Balance of Power is Dangerously Out of Whack – When a Football Program Runs a University

I grew up in a small town in Texas. Friday Night Lights was true then and it’s true now. My hometown is appended to a major university where football is king on Saturday afternoon. I attended a university in Texas where football is just as big as it was at Penn State during Joe Paterno’s tenure. In short, I have lived in a state where the culture of football is a religion and the Head Coach is viewed with near godlike status (that’s god with a little ‘g’; not the God). Even though I can understand how it might happen, it does not mean that it is right. At a major university, just as in a small town school district, even the head coach is an employee who reports to someone; the University President, the Athletic Director or the School District Administrator. And even in Texas, the primary mission of a University and school district is education, not football.

A football program must be subject to the same rules and regulations as other departments. The Freeh Report noted that the Penn State football program chose not to participate in the “university’s efforts to train people in recognizing and reporting violence and sexual abuse.” Get that – the football program chose not to even participate in such training, let alone recognize that the same rules applied to it. The NYT article quoted Alison Kiss, Executive Director of the Clery Center for Security on Campus, who said that “In our experience, when an athlete or coach is involved, many times it does get treated differently. We have to change that culture.”

In the corporate world, remember Enron, where the traders ran the company. Look at Enron today, oops it doesn’t exist anymore and most of its top management went to prison, hmmm what does that tell you? Or for a more contemporary example, how about Barclays, where the traders told the bankers what information to report to set the LIBOR rate. For the compliance practitioner, I think all of this means that your corporate culture must not only be dedicated to doing business legally and ethically but that dedication must be translated through constant communication, including training, to your employees. I recognize that compliance and ethics training fatigue can set in at some point. But think back to Morgan Stanley and its declination in the Garth Peterson enforcement action. Morgan Stanley had very novel and creative ways to communicate compliance to its employees on a worldwide basis. Even something as simple as an email reminder was cited by the DOJ as evidence of the robustness of Morgan Stanley’s compliance program.

The Sandusky scandal and the Freeh Report will reverberate for a long time to come. For the compliance practitioner, there are several lessons learned that you should take away from this terrible and preventable tragedy. If you work in a university environment, I think that Monday morning you need to sit down and read the entire Freeh Report and then hire an outside third party to come in and within the next 30 days assess the university’s culture, governance, compliance policies and procedures for protecting our children. Please, for the sake of our children.

© Thomas R. Fox, 2012

June 19, 2012

Ethical Leadership: Leading a Company Conversation on Compliance

Ethical leadership is absolutely mandatory to have a successful compliance program, whether it is based upon the US Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act. Senior management must not only be committed to doing business in compliance with these laws but they must communicate these commitments down to the organization. But leadership is not limited only to senior management within an organization. Tone at the Top begets Tone in the Middle; which begets Tone at the Bottom. At each rung there is the need for compliance leadership. In an article in the June issue of the Harvard Business Review, entitled “Leadership is a Conversation”, authors Boris Groysberg and Michael Slind discuss how to improve employee engagement in today’s “flatter, more networked organizations.”

The authors posit that the issue of how leaders handle communications within their organizations is as important as the message. They believe that the process should be more dynamic and more nuanced and is a process that they term “conversational”. Building on this concept they suggest a model of leadership which they call “organizational conversation” which resembles ordinary person-to-person conversations. They believe that this model has several advantages, including that it allows a large company to function like a small one and it can enable leaders to “retain or recapture some of the qualities…that enable start-ups to out-perform better established rivals.” The authors have found four elements of organizational conversation which “reflect the essential attributes of an interpersonal conversation.” They are: intimacy, interactivity, inclusion and intentionality.

Intimacy: Getting Close

Here the authors appear to focus on two words: listening and authenticity. They recognize that physical proximity may not always be feasible, but emotional or mental proximity is required. They advise leaders to “step down from their corporate perches and then step up to the challenge of communicating personally and transparently with their people.” This technique shifts the focus of change from a top-down hierarchical model to a “bottom-up exchange of ideas.”

Interactivity: Promoting Dialogue

Interactivity should make a conversation open and more fluid. You can obtain this by talking with and not just talking to an employee. The purpose of interactivity builds upon the first prong of intimacy. The authors believe that efforts to close the gap between employees will founder if both tools are not in place along with institutional support which gives employees the freedom and courage to speak up. The authors believe that social media can be a useful tool to help foster such interactivity, but care must be taken to ensure that managers do not simply use social media as another megaphone. The authors suggest that more than just social media is required and that something extra is needed and that is social thinking.

Inclusion: Expanding Employees’ Roles

Following on intimacy is inclusion as intimacy should force a leader to get closer to employees while inclusion challenges the employee to play a greater role in the communication process. Inclusion expands on interactivity by enabling employees to put forward their ideas “rather than simply parrying the ideas that others present.” Clearly this is the prong that brings employee engagement into the communication process by calling on employees to “generate the content that makes up a company story.” Employees who become committed to a message can become the best brand ambassadors that a company can ever hope to have on its payroll.

Intentionality: Pursuing an Agenda

While the first three prongs of the authors’ model focus on opening up the flow of communication, intentionality is designed to bring a measure of closure to the process. The goal here is to have voices merge into a single vision of what the company’s communication is for. In other words, the conversation should reflect a “shared agenda that aligns with the company’s strategic objectives” that will allow employees to “derive a strategically relevant action from the push and pull of discussion and debate.” The leader’s role here is to “generate consent rather than commanding assent” for a strategic objective. The authors believe that this enables employees at the top, at the middle and at the bottom to “gain a big-picture view of where their company stands” on any issue which has gone through the process.

The Box Score of Organizational Conversation

| | Intimacy | Interactivity | Inclusion | Intentionality |
|---|---|---|---|---|
| Old Model: Corporate Communications | Information flow is primarily top down; Tone is formal and corporate | Messages are broadcast to employees; Print newsletters, memos and speeches | Top Execs create and control messaging; Employees are passive consumers of information | Communication is fragmented, reactive and ad hoc; Leaders use assertion to achieve strategic alignment |
| New Model: Organizational Communications | Communication is personal and direct; Leaders value trust and authenticity | Leaders talk with employees, not to them; Organizational culture fosters back and forth, face-to-face interaction | Leaders relinquish a measure of control over content; Employees actively participate in organizational messaging | A clear agenda informs all communications; Leaders carefully explain the agenda to employees; Strategy emerges from cross-organization conversations |
| What it means for employers and employees | Leaders emphasize listening to employees, rather than just speaking to them; Employees engage in a bottom-up exchange of ideas | Leaders use video and social media tools to facilitate two-way communication; Employees interact with colleagues through blogs and discussion forums | Leaders involve employees in telling the company story; Employees act as brand ambassadors and thought leaders | Leaders build their messaging around company strategy; Employees take part in creating strategy via specifically designed communication vehicles |

Reading this article was a real eye-opener for me. I could not stop thinking about the possibilities for the compliance practitioner in using these techniques throughout an organization. Just think how employees might feel if senior management engaged them directly regarding compliance and how the company is going to do business ethically. As a compliance practitioner you can leverage this to seek more ideas from business unit folks on how to do compliance more efficiently and most probably with greater results for the company. Also imagine what it might do for employee morale if they thought that senior management “had their backs” when it came to being rewarded or even acknowledged for doing business the right way. The possibilities seem endless and you are only limited by your own imagination. But read the article, as I have only scratched the surface of the content that the authors have presented.

© Thomas R. Fox, 2012
