Training | FCPA Compliance and Ethics Blog

May 16, 2013

Four Keys to Compliance Leadership

Filed under: Adam Bryant,Best Practices,compliance programs,Culture,Ethical Leadership,Ethics,New York Times,Policies and Procedures,Tone at the Top,Training — tfoxlaw @ 1:01 am
Tags: best practices, compliance programs, ethical leadership, ethics, ethics and compliance, Hiring, New York Times, promotion, training

One of the most divisive moments in American history occurred on this date in 1868. On this day the US Senate voted against impeaching President Andrew Johnson thereby acquitting him of having committed “high crimes and misdemeanors” as required under the US Constitution. After all the arguments had been presented for and against him, Johnson waited for his fate, which hung on one swing vote, as there is a Constitutional requirement that requires a vote of 2/3rds of the Senate for impeachment. The vote was one short, at 35-19. Johnson was acquitted and finished out his term. If Johnson had been impeached, it surely would have led to a very different political development in the US, where not liking the sitting President could have become a constitutional basis for impeachment.

The Radical Republicans who ran the Congress immediately after the conclusion of the Civil War certainly did not think much of President Johnson’s leadership style. So what about you as a compliance officer? Certainly part of your leadership is implementing and enhancing policies and procedures? In many ways it is the human element, which President Johnson sorely lacked, that you may well need to devote most of your time focusing on. I recently read an excellent article it the Corner Office section of the New York Times (NYT), entitled “We’re Family Yes, but We’re Still Accountable”, in which Adam Bryant reported on his interview with Brooke Denihan Barrett, the co-Chief Executive Officer (co-CEO) of the Denihan Hospitality Group (Denihan), a 50-year old family business which focuses on the hospitality business.

Training

One of the things that Barrett has learned is how to train people. She explained that “I thought the way you got things done was by telling people what to do. That’s where I learned what not to do. I spent a good portion of my time telling people what they did wrong instead of really encouraging them about what they did right.” She came to realize that was perhaps not the best way to manage people and “learned to cut people some slack.” She said that she found “that you get a lot more with the carrot routine than the stick routine. I also realized that you really needed to explain the “why” of things. You need to give people a little bit of space to come around, and say, “Yeah, that makes sense,” before you really engage them in what needed to be done.”

I found that her final point may be critical for compliance training. By explaining the why of compliance, employees can better understand what the company is trying to accomplish. So if your goal is to do business in an ethical manner, then explain this and how the company’s compliance program will help to accomplish this goal through its policies and procedures.

Accountability

One of the things that Barrett emphasized was the erroneous perception that because her company was a family business there was no accountability. She made clear that “You have to set certain standards that you want people to live up to. And if people need help, then we want to help them along the way.” However, accountability is a two-way street. Just as the employee must be held accountable, so must the company in terms of providing support to allow employees who want to do the right thing and to do their job well. Barrett said, “Sometimes organizations can fall down if they don’t also ask: How do you give people the tools they need to be successful? How do you get that person to understand what change needs to happen, and how do you help them along the way? Because people can’t always figure it out on their own, and nor should you expect them to.”

Listening

Many of the CEOs that Bryant interviews for his Corner Office section speak about the need for listening skills. Barrett was no exception. But as CEO she found that employees were sometimes reluctant to speak openly and candidly with her. So she began to meet with employees in small groups of 10 to 12 people. At Denihan they call them ‘Roundtables’. Barrett said that she will say to them ““Tell me something I don’t know.” And I’ll get comments like: “Oh, but you know everything. You’re the C.E.O.” It’s just a reminder of the perceptions that people have of the head of the company. But every time I ask that question, I learn something new.” Imagine as a compliance officer if you were to ask that question in a roundtable, what do you think you might hear back from your company’s employees?

Barrett also spoke about how to have a ‘difficult conversation’. She said that if there is a mistake made she views it as an opportunity for learning and professional growth. At Denihan, they call them ‘lessons learned conversations’ and they may occur with a group where a problem has arisen. Barrett related, “we might bring people together in a room who were involved in a project and ask: What were the things that worked? What were the things that didn’t? What could we have done differently? And we’ve had some very spirited and cathartic conversations. You have to be able to let people put something on the table without actually pointing the finger. It allows things to come out in more of a non-accusatory manner.”

Hiring and Promotion

These are two key areas in compliance that are finally beginning to receive the attention that they deserve. Barrett’s thoughts on how she views these in the context of her interviewing are instructive. She acknowledged that by the “time somebody meets me, you can assume that the skills are there. So what I interview for is fit. And I’m always very curious to know, what is it about our company that appeals to that person?” She asks specifically about culture, requesting the candidate define it and how do you think that culture is special. She also asks candidates to talk about a failure and what lessons that they learned from the experience and how they dealt with the experience. I would suggest that both of those lines of inquiries should be used when evaluating a candidate for hire or promotion.

Barrett’s interview provided some interesting insights on leadership. Moreover, her experience in professional growth has shown there are different styles and techniques that you can successfully use in your company’s compliance program. Train people on the reasons why your company is doing compliance so that they will understand how to do it. Make them accountable but also provide them with the compliance tools and support to do business the right way. If there is a problem or issue, use it as a lesson learned so that employees can profit from the experience. Lastly, make a discussion of culture a cornerstone in your hiring interview or promotion interview process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Leave a Comment

May 2, 2013

Get Out of the Ivory Tower – Using Internal Corporate Resources to Facilitate the Compliance Function

Filed under: Best Practices,Compliance Champion,compliance programs,ERM,Ethics,Gap Analysis,Hotline,Human Resources,Internal Audit,Internal Controls,Training — tfoxlaw @ 5:34 am
Tags: best practices, compliance, compliance programs

The second day of Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston packed as much solid information into it as did the first day. One of the sessions dealt with utilizing other corporate functions to assist a compliance department in implementing or enhancing a compliance program. There are many resources which currently exist inside your organization and if you are in the position where you must use internal rather than external resources, this post will detail some of the functions which you may be able to call upon inside your organization.

You should start with a basic approach which the speaker termed “Get Out of the Ivory Tower”. He explained that the compliance department must obtain realistic input from geographies, cultures, business units and corporate functions within the company. As he rather succinctly put it to the audience “A procedure which may work in Texas may not work in Indonesia.” He also counseled to train in local languages. This may mean more than translating your talk into one language. He gave the example of his training in Spain where he had dual translations going, from English into Spanish and Catalan.

Part of this translation issue led to his next point, which was not to believe your own story or even worse, your own propaganda. Simply because a Country Manager says something is true means does not mean that it is true. Internal controls, monitoring and auditing are important to test that you are actually doing compliance rather than simply saying you are in compliance.

In determining what other departments might be able to assist the compliance function, the speaker suggested that you should start with three inquiries. They were:

What can yours do? This is the initial assessment that you need to make about what your compliance department can do. What are your resources and budget? Start with this question.
What can theirs do? In looking around your company, next ask this question. What are the functions of the departments? Are there things that they are currently doing which can supplement the compliance function? Are there functions in that department’s core function which can assist the company in the doing of compliance?
How many employees does each of you have? An obvious concern is the number of employees that are available to assist the compliance function.

What are some of the other corporate functions that might assist the compliance department going forward? An obvious starting place is Human Resources (HR). The speaker listed several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touch every site in the company, globally. HR is generally seen as more approachable than many other organizations in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

Obviously, HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the compliant and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert so you can turn to them for any of your compliance program requirements which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not they make sense. In some new environments, a policy may not work. If you company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often over-looked function but it facilitates local coordination, which is always easier than from the corporate office.

There are many ways to implement or enhance a compliance program in a company. If you do not have the luxury of creating an entire compliance department with an unlimited budget, you may be able to call upon other areas of corporate expertise to facilitate your role. Do not be an Ivory Tower.

© Thomas R. Fox, 2013

Leave a Comment

April 17, 2013

Got 20 Minutes? Spicing Up Compliance Training

Filed under: Best Practices,compliance programs,FCPA,Training — tfoxlaw @ 1:01 am
Tags: best practices, compliance programs, Compliance Week, FCPA

How can you create or revise your compliance program? One of the first steps you should take is to devise an action plan. A recent article in the March edition of the Compliance Week magazine, entitled “Putting Together an Action Plan for Compliance”, Joel Katz, the Chief Ethics and Compliance Officer (CECO) for CA Technologies, wrote about his experiences in updating the company’s compliance training program.

He said that after the company had gone through a compliance investigation, it created a “best-in-class” compliance program. However, after a few years of intensive training and continued corporate reminders about compliance, the employees began to suffer from ‘compliance fatigue’. Katz decided it was time to come up with a way to determine what was working and what was not working regarding the company’s compliance program in the “eyes of the employees”. To facilitate this Katz literally went around the CA Technology world listening to employees, both in focus groups and individually, about what they thought was working and what they thought did not work. He found that the company’s managers and employees generally had the same four critiques, which were:

The compliance training was ineffective; it was too long, often too esoteric, and very often not helpful to employees because it did not relate to their core job responsibilities. Employees expressed a strong desire for training that was more engaging and relevant to their jobs.
Employees wanted live training but in their local language. Although most employees are fluent in English, many expressed the desire to be trained in the local language to ensure that nothing was getting “lost in translation.”
There was a lack of understanding regarding the role of the compliance group within the company. Both employees and managers at all levels felt that the compliance organization was a bit of a mystery to them – they did not fully understand what the compliance organization did on a day-to-day basis and felt that they lacked any real visibility into the types of compliance issues that the company was encountering.
At times compliance seemed liked the ivory tower as employees also felt that messaging around compliance was, at times, either condescending or written in a way that made it appear that the company did not trust its employees.

I found Katz’s responses to the training critiques very interesting and had some components that you may wish to incorporate into your program. CA Technologies decided to ditch all outside vendors for training and put it on using internal resources. The company also “made a conscious choice to focus our compliance training energies on issue spotting and awareness-raising, rather than on in-depth subject matter expertise” which was done for two reasons. First, the company did not believe that employees were retaining the information being covered in courses that attempted to deliver in-depth learning. Second, by “Focusing on issue-spotting and awareness-raising is consistent with our belief that if we can get people talking about compliance and asking questions, we can address most issues long before they become compliance problems.”

To make the training more real and more entertaining, the company began to use examples of “compliance related transgressions” demonstrated by the fictional character “Griffin Peabody” in courses and awareness campaigns. The company also used this character in company training videos that its employees starred in as participants. To help with the logistics of training, the compliance department enlisted the CA Technology law and HR departments to assist in putting on the training. Interestingly, compliance did not specify to the trainers how to put on the training, instead they gave them the flexibility to put on training in variety of ways such as ‘lunch-n-learns’ or other less formal training. But here is the real kicker – Katz “issued a mandate that no compliance course would take longer than 25 minutes to complete. We would rather have two 20 minute courses than one 40 minute course. Our experience has been that even the most interested audience begins to fade after about 20 minutes.”

To help de-mystify the role that the compliance function had in CA Technology, the group published “a quarterly newsletter called “Walk the Talk.” Each newsletter includes profiles of real-life, company compliance cases and quarterly compliance statistics (including the number of compliance cases by geographic region with a comparison from the prior year, as well as a breakdown of the types of compliance issues we are addressing, such as fraud, conflicts of interest, and others).” Katz noted that the names were removed to protect the innocent and guilty but that the company did “provide comprehensive descriptions of the compliance issues and how the issues were resolved (in many instances, employees were either disciplined or dismissed).” What Katz found was that CA Technology employees said that “they particularly liked reading the real-life cases and learning about how the company resolved these cases. Not all compliance officers agree with providing this level of transparency to employees, but our experience has been, thus far, very positive.”

In the article, Katz admitted that the compliance group “might, on occasion, come off as sounding a bit “preachy” to employees when discussing certain compliance issues”. To address this issue, the compliance team worked with the company communications team and the company’s global leadership team to “help ensure that our messaging has the right tone to effectively resonate with our employees. We strive to create communications that are engaging and easily understood by all employees.” With this assistance, Katz believes that the compliance group ensures “that we take the time to focus on how we are messaging things to our employees and this has helped improve employee perception about the compliance function.”

Katz’s article had several salient points around training for the compliance practitioner. His change in focus of the company’s compliance training from the subject matter expertness to issue raising awareness is something that certainly resonates with me. Employees can be your first and, many times, best line of defense from a compliance issue becoming a full bore Foreign Corrupt Practices Act (FCPA) or other legal violation. Giving them to tools to know when and how to raise their hand when something does not make sense is more important than droning on about the elements of a FCPA violation. Also the CA Technology methods for delivering compliance training are quite innovative but in many ways very cost effective. By moving the training in-house and allowing the trainers to determine how to deliver the training, you can obtain greater buy-in and participation. Lastly, how many of you out there put on training for only 20 minutes? Do you think that would make your employees sit up and take notice, if not smile, if they could get their compliance training in 20 minute increments?

© Thomas R. Fox, 2013

Leave a Comment

April 16, 2013

In the Limelight-the Theater, Lady Gaga and Compliance

Filed under: Best Practices,compliance programs,Culture,Department of Justice,Ethical Leadership,Ethics,FCPA,FCPA Guidance,Training — tfoxlaw @ 5:38 am
Tags: best practices, Bribery Act, compliance, compliance programs, Department of Justice, DOJ, ethical leadership, ethics, ethics and compliance, FCPA, Foreign Corrupt Practices Act, FT, New York Times

What is your favorite Canadian group? For my money it is the band Rush. My favorite Rush song is probably “Limelight”. How many times have you heard about ‘being in the limelight’? The phrase comes from the British theater where lights in the theater used quicklime. Although long since replaced, lighting in the British theater is still called ‘limes’.

I thought about Rush and their hit song when I recently read a couple of articles on leadership in the theater. I found that some of the insights in these articles could be applied in a compliance program for a multi-national company. In an article in the New York Times (NYT) Corner Office Section, entitled “First, Make Sure Your Idea Works On a Small Stage”, reporter Adam Bryant interviewed Francesca Zambello who is both the general and artistic director of the Glimmerglass Festival and the artistic director of the Washington National Opera.

Think Small

Zambello had a very interesting point that I do not consider often. She said that one of the most memorable lessons that she ever learned from a mentor was to make sure that your creative idea will work on the small stage. By this she did not mean that you cannot have a big idea or large concept. Instead “The most important thing he ever taught me was that if you don’t make sure the show is right in a small room, it will never be right in a big space, on a big stage.”

I found this comment particularly insightful in the context of the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance. The FCPA Guidance makes clear that a company should design a compliance program which is appropriate for its size, markets and risks. There is no one standard and the FCPA Guidance states: “DOJ and SEC have no formulaic requirements regarding compliance programs. Rather, they employ a common-sense and pragmatic approach to evaluating compliance programs, making inquiries related to three basic questions: • Is the company’s compliance program well designed? • Is it being applied in good faith? • Does it work?”

I have seen many instances where a company will try and implement a compliance regime which is appropriate for a company many times its size. It becomes a top down exercise but as noted in the Zambello interview, it does not work well in the smaller setting because it is not assessing and managing the risks appropriate to a small company. Here a bottom up approach can be much more effective. Certainly this could be accomplished through a formal risk assessment but it may also come through talking and meeting with your internal business units or partners. Such informal assessments can provide valuable information which may work on a ‘smaller stage’ than a compliance program designed for a multi-billion, multi-national company.

Learn How to Fail

Another insight I garnered from the Zambello interview for the compliance practitioner was what she termed “You have to learn how to fail.” She believes that in any position you are in, that you are going to fail. But the real key is that “if you don’t fail, you are probably not that good.” Lastly, if you fail you have to learn to pick yourself up, “The more you get knocked down, the more you learn to pick yourself up.”

In the context of the FCPA Guidance, “DOJ and SEC understand that “no compliance program can ever prevent all criminal activity by a corporation’s employees,” and they do not hold companies to a standard of perfection. An assessment of a company’s compliance program, including its design and good faith implementation and enforcement, is an important part of the government’s assessment of whether a violation occurred, and if so, what action should be taken.” Clearly how a company handles any Foreign Corrupt Practices Act (FCPA) violation is an important key to any DOJ or SEC analysis regarding enforcement.

However, the other point for the compliance practitioner is that not everything should always go right under your compliance regime. Not every third party business representative you look at should pass muster under your process for approval. If everyone does, your process may not be robust enough. Not all of your employees do everything right all the time. If you have never disciplined an employee for a violation of your company’s Code of Conduct or compliance program, you should look to determine if this area needs to be explored as not every expense report is always correct. Lastly, if there has never been a substantial tip to your anonymous reporting line, this is an area which should also be explored. You may need to conduct more, or better, training so that employees understand that they can report incidents in confidence, without fear of retribution.

Be Courteous

Another interesting topic that Zambello discussed was the following, “I think that good manners matter a lot…Some of those are old fashioned things, but manners don’t cost anything.” Think about it – when was the last time you had a discussion of manners or even courtesy? This point is not something which is discussed much in the compliance arena but I think that courtesy is something that compliance practitioners need to be aware of when involved in a multi-national compliance program. Be sensitive to cultural norms in other countries and be respectful of them. As my very southern grandmother used to say, you are never wrong being courteous. Lastly, do not forget the cost for being courteous, nothing. But the benefits can be quite great.

From Lady Gaga to Compliance

For a different type of theater and how it relates to your compliance program, I recently came across an article in the Financial Times (FT), entitled “In need management tips? Try Lady Gagahttp://www.ft.com/intl/cms/s/2/da6559ce-a289-11e2-9b70-00144feabdc0.html#axzz2Qcpc6zzT”, by reporter Miles Johnson. (While some might suggest that Lady Gaga is a musician, I certainly think she is all about theater so it ties in with the above, really.) Johnson’s article reviews the work of Salvador Lopéz, a marketing and research professor at Spain’s ESADE business school. Lopéz believes that the world of business can learn quite a bit from the Lady Gaga’s of the world and I found that a couple of them apply to the compliance arena.

The first is that Lady Gaga generates emotions in her fans. Lopéz likened this to Steve Jobs who created “an entire style at Apple and made people feel things through his products.” Here I think that this applies to compliance because most employees want to do the right thing and will feel better about themselves if they conduct business in an ethical manner. The key for the compliance professional is not only to provide the processes and procedures for them to do so but to also acknowledge those employees who follow a company’s ethical business values. This can occur through financial incentives such as part of an employee’s discretionary bonus awards; promotion of employees who conduct business in accord with a company’s ethical practices or even something as simple as a companywide acknowledgement. The point is to make people feel that something positive for doing compliance the right way.

The second point that Lopéz gleans from performance artists like Lady Gaga is that they are much better in the use of technology than most companies. There are now a plethora of technological tools available to assist the compliance practitioner. I firmly believe that the DOJ and SEC have communicated that transaction monitoring will become a standard best practice quite soon, but certainly within the next 18 months. There are companies, such as Oversight Systems to name but one, which have technological tools to help move to this standard. But that is only one of many tools available to assist in your compliance program. So take a clue from Lady Gaga and ‘keep it fresh’.

These two articles demonstrate that the compliance practitioner can draw from a wide variety of sources and disciplines for inspiration to incorporate into a FCPA or UK Bribery Act compliance program. Further, the tools are out there to help you. I hope that this article has given you some ideas while drumming your fingers along to Rush or Lady Gaga for that matter.

© Thomas R. Fox, 2013

Leave a Comment

March 21, 2013

What To Do If Your Gut Says It’s Wrong: Lessons from Project Alpha

Filed under: compliance programs,Department of Justice,FCPA,FCPA Guidance,Hotline,SEC,Training,Wall Street Journal — tfoxlaw @ 1:01 am
Tags: compliance, compliance programs, DOJ, FCPA, Foreign Corrupt Practices Act, Project Alpha, SEC

I often write about what can happen to companies who run afoul of the Foreign Corrupt Practices Act (FCPA). Usually enforcement actions focus on companies and not individuals. However, as is often pointed out by commentators other than Mitt Romney, corporations are not humans but consist of people. It is individuals who engage in conduct that violates the FCPA, just as it is individuals who engage in conduct which violates other US securities laws.

I was reminded of this in an article by Loren Steffy, of the Houston Chronicle, entitled “She offers cautionary tale for corporate employees”. In this article Steffy writes about Helen Sharkey, who worked for Dynegy Inc, a Houston company which was involved in energy trading and gas transportation. Sharkey was an accountant who worked on an assignment known as Project Alpha, which Steffy wrote was “a $300 million scheme that inflated Dynegy’s cash flow.”

In an interview with Steffy she told him that she was the lowest of seven employees assigned to the project. According to the Securities and Exchange Commission (SEC) Sharkey and others disregarded the company’s external auditor’s advice that certain forms of risk-hedging involving derivative instruments, such as commodity price swaps and interest rate swaps, would defeat Dynegy’s goal of accounting for Alpha as an ordinary operating contract and require recording it as a financing. As reported by Steffy, “If the banks didn’t have risk, it meant the deal was a loan and required different accounting treatment.”

While the Enron Corporation is the poster child for corporate fraud in Houston, three Dynegy employees went to jail over Project Alpha: Sharkey; Gene Foster, who was Dynegy’s Vice President of Taxation during the relevant period; and Jamie Olis, who was Dynegy’s Senior Director, Tax Planning and International. Foster received a sentence of 15 months in jail. Olis, who went to trial, received a whopping sentence of 24 years by the trial judge, although this was later reduced to six years.

What did Sharkey think about the deal at the time? As quoted by Steffy, “Did I feel in my gut that it was wrong? Absolutely. Did I think it was illegal? No way.” Unfortunately Sharkey did not apparently have a mechanism that she could use to raise this concern that was in her gut.

What are some of the lessons that current compliance practitioners can draw from Sharkey, Dynegy and Project Alpha?

Hotlines

One of the results from the actions that companies like Dynegy, Enron and others was the passage of Sarbanes-Oxley (SOX). SOX required publicly traded companies to set up anonymous hotlines to allow employees to report company wrong-doing. This is enshrined in the FCPA world as one of the Ten Hallmarks of an Effective Compliance Program as set out in the Department of Justice (DOJ)/ SEC FCPA Guidance. Under the section entitled “Confidential Reporting and Internal Investigation”, it states, “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation. Companies may employ, for example, anonymous hotlines or ombudsmen.”

Generally, employees tend to trust hotlines maintained by third parties more than they do internally maintained systems. By submitting reports through an external hotline there is a perceived extra layer of anonymity and impartiality compared to a system developed in-house. This is because there can be a fear of retaliation by employees. This fear can destroy the effectiveness of the internal reporting process and poison the corporate culture. The hotline must be seen to offer the highest levels of protection and anonymity. To encourage employee participation, the hotline should allow them to bring their concerns directly to someone outside their immediate chain of command or workplace environment – especially when the complaint concerns an immediate superior. A third party provider is also more likely to bring specialist expertise that’s difficult to match within the organization.

Failure to Escalate

In almost every circumstance where a significant FCPA compliance violation has arisen, if the issue had been reported or at least sent up the chain for consideration, there is a good chance that the incident would not have exploded into a full FCPA compliance violation. Matthew King, Group Head of Internal Audit at HSBC, calls this concept “escalation” and he believes that one of the more key features of any successful compliance program is to escalate compliance concerns up the chain for consideration and/or resolution.

This means that in almost every circumstance regarding a compliance issue he had been involved with, at some point a situation arose where an employee did not report a situation or event up to an appropriate level for additional review. This failure to escalate leads to the issue not reaching the right people in the company for review/action/resolution and the issue later becomes more difficult and more expensive to deal with in the company. A company needs to have a culture in place to not only allow escalation but to actively encourage escalation. This requires that both a structure and process for this must exist. Then the company must train, train and train all of its employees. Lastly, while a whistleblower process or hotlines are necessary these should not be viewed as the only systems which allow an employee to escalate a concern.

The starkest example of which I am aware of this failure to escalate in the FCPA arena is the Hewlett-Packard (HP) matter involving its German subsidiary and allegation of bribery to receive a contract for the sale of hardware into Russia. The Wall Street Journal (WSJ) has reported that at least one witness has said that the transactions in question were internally approved by HP through its then existing, contract approval process. That witness, Dieter Brunner, a contract employee who was working as an accountant on the group that approved the transaction, said in an interview that he was surprised when, as a temporary employee of HP, he first saw an invoice from an agent in 2004. “It didn’t make sense,” because there was no apparent reason for HP to pay such big sums to accounts controlled by small-businesses, Mr. Brunner said. He then proceeded to say he processed the transactions anyway because he was the most junior employee handling the file, “I assumed the deal was OK, because senior officials also signed off on the paperwork”.

Training

Why is training of employees regarding a hotline and the ability to escalate important in the context of an anti-corruption/anti-bribery compliance program? Training is recognized as one of the points in the Ten Hallmarks of an Effective Compliance Program and one of the elements under the US Sentencing Guideline’s Seven Elements of an Effective Compliance Program. It is also recognized in Principle 5 of the Six Principles of an Adequate Procedures compliance program as set out by the UK Ministry of Justice (MOJ). Lastly, it is recognized by the OECD in its 13 Good Practices for Internal Controls, Ethics and Compliance.

In the case of HP, think what position the company might be in today if Brunner had been trained on the company’s system for internally reporting compliance issues? If Brunner had escalated his concern that the payment to the agent “didn’t make sense” perhaps HP would not have been under investigation by governmental authorities in Germany and Russia. In the United States, both the DOJ and SEC have announced they are investigating the transaction, for potential FCPA violations. Further, HP is now investigating other international operations to ascertain if other commissions paid involved similar allegations of bribery and corruption as those in this German subsidiary’s transaction.

Dénouement

Steffy penultimate paragraph states, “her story lends insight into one of the most enduring questions that linger from a decade ago – how corrupt corporate cultures encouraged so many who considered themselves law-abiding citizens, to commit crimes, often without realizing it.” One of the things that I emphasize in training to employees is that if their guts turns in knots, the hair on the back of their neck stands up or if something doesn’t smell right, just raise your hand. You don’t have to know the ins and outs of the FCPA, but if something does not feel right, raise your hand and get the matter to someone who does know the ins and outs of the FCPA and who can thoroughly investigate the issue that you do not feel right about. If you do not do so, you may end up like Sharkey and, as Steffy writes as the final sentence of his piece, “The one time she wavered became a mistake she’ll regret the rest of her life.”

© Thomas R. Fox, 2013

Comments (1)

January 25, 2013

Chesapeake Lighthouses and Lighting the Way for Compliance

Filed under: Best Practices,compliance programs,Culture,Ethical Leadership,Ethics,FCPA,Hotline,Tone at the Top,Training — tfoxlaw @ 6:47 am
Tags: best practices, compliance, compliance programs, ethics, ethics and compliance, FCPA

In the winter 2013 issue of the Colonial Williamsburg magazine is an article by Michael Lombardi, entitled “Lighthouses Marked the Shoals of the Commerce Clause”. In this article, Lombardi wrote about four lighthouses authorized by Congress in the late 18^th and early 19^th century to light the way for sailors in Chesapeake Bay. The four lighthouses were the Cape Henry Lighthouse, the Old and New Point Comfort Lighthouses and the Smith Point Lighthouse. All four still exist today and one, the Old Point Comfort Lighthouse, is still in operation.

I thought about the story of these lighthouses and how they literally lit the way for sailors for over 200 years when I read an article in the Q2 issue of Ethisphere Magazine, entitled “Imagination Working with Integrity: How General Electric Creates a Global Culture of Ethics”, by Michael Price. Price discusses how General Electric (GE) has made “ethics and compliance a benchmark of its operations around the world, and is, in many ways the gold standard that other companies look to when it comes to modeling global compliance and ethics programs.”

I also considered these lighthouses in the context of how GE sets the tone for ethics and compliance and then communicates that commitment throughout its organization. Obviously it all starts at the top and GE is a prime example of this strength. Price noted that GE’s top brass meets annually at a conference where one of the frequent topics was ethics and compliance and the need for integrity in GE. Following this meeting of the GE senior management, they cascade down this commitment to middle management and emphasize the reputational risk to GE should there be a violation of the Foreign Corrupt Practices Act (FCPA) or other anti-corruption statute by the company. The middle managers then further cascade this message down so that it goes through the whole company at regular intervals.

Price made clear that one thing that GE will not tolerate is a manager who fails to take ethics and compliance seriously. This extends to managers who were ignorant of compliance issues in their units. He wrote that GE has “removed people from leadership positions when they didn’t know there was a problem”. GE demands that its management not only be aware of compliance in their units, but to ask “the right questions when they are faced with an uncertain situation”.

As you might expect from a company which has business in over 100 countries, GE has to work with many different cultural norms. It can be that “different cultures have different frameworks for understanding integrity and how to confront unethical conduct.” So, for instance, to overcome some cultural barriers of reporting unethical conduct GE has “five different pathways in which employees around the world can bring their concerns to management’s attention.” These pathways include the following:

Employees can talk directly to their managers;
Employees can go to talk to people in the compliance function;
Employees can go to talk to someone in the legal department;
Employees can take their concerns to HR; and
Employees can report anonymously to an ombudsman through a variety of channels.

GE provides several types of training in each of these methods and has “Compliance Days” in “which the company discusses compliance issues and reiterates the importance about employees raising concerns about unethical practices.” The article makes clear not only how seriously GE takes compliance but that it believes its commitment to ethical practices makes it stand out as a market differentiator. I would say that ethics and compliance is even a lighthouse for corporate culture at GE, in many ways, leading the way by which GE does business and conducts itself.

I once worked for a major oilfield service company where it was clear that safety was the Number 1 priority. We started every meeting with a safety moment. Each year, there was one day where the entire company stood down and met on safety on a world-wide basis. Both of these techniques emphasized to me not only the importance of safety but that safety was my responsibility as well, even though I was a lawyer doing international transactional work. This was another lighthouse but it was one for safety.

As a recovering trial lawyer who has handled many personal injury lawsuits and then worked in the energy industry, I will always consider safety as Mission Number 1 but I would like to propose that ethics and compliance is Mission 1A in your company. Try some of the techniques that GE uses to communicate its commitment to ethics and compliance. It does not cost anything to have senior management meet with middle management and tell them about the company’s commitment to integrity. It does not cost anything to allow employees to speak with their immediate managers about concerns over unethical practices, go talk to someone in the compliance department or legal department about such concerns or report their concerns to HR. If you do not have an anonymous reporting line, it is about time you invested in one. I do recognize that many companies do not have an ethics and compliance ombudsman but the key concept there might be that by having such an impartial position, employees believe they will be treated fairly.

How about having a compliance moment before every meeting? By having such a moment before every meeting you can not only provide some teachable moments but also drive home the concept that compliance is everyone’s responsibility not just the responsibility of the compliance or legal department. How about a Compliance Day? If you cannot go that far, I would suggest that you hold a series of brown bag lunches where you talk about doing business with integrity through ethical and compliant business practices. You could hold them throughout the company.

One thing I learned as a lawyer is that you are only limited by your imagination. Try to get the message out because compliance is in many ways, the 21^st century lighthouse for doing business.

© Thomas R. Fox, 2013

Leave a Comment

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want discuss the 10 points listed as the ‘Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that depending on a variety of factors such as size, type of business, industry and risk profile that a company should determine what is appropriate for its own needs regarding a FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what it expects in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence that it can do before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good a starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime so assess your company’s risks and use these hallmarks as a basis to move forward.

© Thomas R. Fox, 2013

Leave a Comment

January 18, 2013

How to Reach Your Audience in Compliance Training – The Use of Charisma

Filed under: Best Practices,Bribery Act,compliance programs,FCPA,Financial Times,Training — tfoxlaw @ 1:01 am
Tags: compliance programs, compliance training, FCPA, FT, training

One often hears or reads about complaints that compliance training is dull, nay even boring. I mean, how many times can you expect someone to be lectured to on the riveting subject of the Foreign Corrupt Practices Act (FCPA) or even the UK Bribery Act? Coupled with the legally spellbinding subject, the sessions are often led by lawyers who are training non-lawyers. What can I say; the audience does not always have the appreciation of the subject that I do. I thought about this ongoing conundrum when I came across a recent article in the Financial Times (FT), entitled “The subtle secrets of charisma”, by author Alicia Clegg. The focus of her article was that senior managers, by learning techniques of rhetoric, vocal cadence and gesture, can help make senior managers more like leaders. However, I thought that her tips could also help the compliance practitioner in the more mundane area of compliance training.

In her article, Clegg cited to the example of an Infosys executive who was introducing a “controversial HR policy to his company.” During the talk, he felt that his audience was quite restless and “sensed that he was failing to take his listeners with him.” The Infosys executive was quoted as saying “After the talk, people asked me, privately ‘Do you really think this is the right thing to do?’” “I thought: ‘Well, yes, actually, I do. Isn’t that what I said?’” He had failed to convince. Today, however, the executive would deliver a far different talk. Clegg said that “he would acknowledge his colleagues’ concerns, share his own feelings and perhaps tell a personal story. He might modulate his voice; organise his key points into pithy three-part lists; use metaphors; smile or frown occasionally, while gradually building to a statement of personal conviction or a vision of a better future.” In other words, he would work these concepts of ‘charisma’ into his chat.

Clegg discussed the work of John Antonakis, a professor of organizational behavior at Lausanne University. In a June Harvard Business Review article he published, along with colleagues Marika Fenley and Sue Liechti, entitled “Leaning Charisma”, Antonakis argues, however, that having charismatic qualities can turn a competent manager into someone that others notice and want to follow. Antonakis and his team claim to have identified twelve communication habits, rooted in the principles of “classic rhetoric, that make a speaker appear more authoritative, trustworthy and persuasive – in short, more like a leader. Nine of the techniques are verbal: using metaphors and easy-to-remember three-part lists; telling stories; drawing vivid contrasts; asking rhetorical questions; expressing moral conviction; reflecting an audience’s sentiments; and setting high but achievable goals. The rest are non-verbal: raising and lowering your voice, letting your feelings show in face and hand gestures to reinforce what you say.” Their case for their charisma training runs counter to a recent theme in management ideas that plays down corporate stars in favor of teams.

Clegg writes about old ways of making new points. She says that the modern-day science of persuasion is rooted in three “rhetorical appeals” described long ago by Aristotle. The three are: ethos, logos and pathos.

Ethos – establishing your credentials and building rapport. Here you should use “useful ethos techniques include speaking your audience’s language and reflecting their concerns in what you say.” You should recognize that staff are likely to be more interested in what’s changing for them – how will their job be different?

Logos – persuading through logic. Under this you should consider “using useful logos techniques include contrasts and rhetorical questions, which can clarify choices by juxtaposing good and bad outcomes and combine reason with emotion; three-point lists are easy to recall and suggest completeness.” As a lawyer, I found comfort that, as stated in the article, using trios of points can add a purposeful edge to your presenting technique.

Pathos – persuasion with emotion. Under this technique you should endeavor to use “useful pathos techniques include stories, metaphors, lowering or raising your voice; while gestures and facial expressions can heighten emotional force.” But here one must be careful to respect cultural differences, as “What Asians consider over-the-top, southern Europeans may consider emotionally repressed.”

Clegg cites to other examples of effective rhetoric. She quotes Sam Leith, author of “You Talkin’ to Me?” who says “Effective rhetoric need not be fancy rhetoric.” Rather than cultivating a high-flown style, he advises novices to tune into how their audience thinks, and to listen to how they speak. He identifies General George Patton as a master of the art of persuasive plain-speaking. In the final weeks of World War II, the general exhorted his troops to redouble their efforts with the words “The quicker they are whipped, the quicker we can go home”. This got the audience of his troops on his side because getting home was what mattered to them the most.

Clegg also discussed the well-known technique of repetition. She included Martin Luther King’s ‘I Have a Dream’ speech where King used the device of repeated phrases at the start of successive clauses so that there develops ‘an appreciation of what is easy on the ear is important.” Clegg also discussed the technique of chiasmus, “in which the second half of a statement reverses the order of words in the first − as in “ask not what your country can do for you – ask what you can do for your country”. The words were simple and direct – and their impact all the greater.”

Antonakis argues that these techniques can be taught and, more importantly, learned and that “everyone can improve with practice.” But Clegg cautioned that there is more than simply having commanding rhetoric. A good leader must be a good listener as well. She cites to the work of Harvard academician Rosabeth Moss Kanter who argues in her blog that “it is how well you listen, rather than how well you talk, that persuades people to do things.”

Clegg appropriately ends by noting that no matter how good your rhetorical techniques are, “It is not just what you say, or how you say it, that convinces people you are not phony. You can dress things up with all the anaphora and epistrophe in the world, but if you don’t have a deep sense that something is important you’re not going to persuade anyone.”

So for the compliance practitioner who puts on training there is plenty of good advice on rhetorical techniques that you can use. But, most importantly, don’t be phony.

Leave a Comment

October 16, 2012

The Battle of Hastings and Diversity – How to Integrate It Into Your Compliance Culture

Filed under: Best Practices,compliance programs,Culture,Department of Justice,Ethical Leadership,Ethics,FCPA,Morgan Stanley,Training — tfoxlaw @ 1:05 am
Tags: Battle of Hastings, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, SEC

Sunday, October 14^th was the anniversary of the Battle of Hastings, in 1066. In addition to being the last time there was a successful invasion of Britain, several other positive things came from this most historic event for English-speaking people. An article in the Telegraph, entitled “In everything we say, there is an echo of 1066”, writer Alan Massie said that “the most enduring legacy is also the richest: our wonderful hybrid language and the golden treasury that is English literature.” He went on to state that “Without the Norman Conquest, Shakespeare would not have been Shakespeare, because his language would have resembled 16th-century German or Dutch. He would never have written a phrase like “the multitudinous seas incarnadine”. Our language often loses vitality if it moves too far from the Anglo-Saxon and is overweighed by Latinate words, but much of its richness and scope derives from its dual inheritance. “Shall I compare thee to a summer’s day? / Thou art more lovely and more temperate.”

I thought about Massie’s article when reading this past Sunday’s New York Times (NYT) Corner Office section in which reporter Adam Bryant interviewed Hilton Worldwide President and Chief Executive Officer (CEO) Christopher Nassetta, in an article entitled “On a Busy Road, a Company Needs Guardrails”. For all you compliance practitioners who work at large multi-national companies with employee numbers between 50,000 to 100,000; you should think about the compliance challenge at Hilton, which has over 300,000 employees worldwide. Nassetta said that one of the things he found when he initially took the position was that “I discovered when I joined the company five years ago is that we had a lot of segments of the company that operated very independently, and we had massive amounts of duplication and fragmentation. We needed alignment. We needed people to understand who we were, what we stood for and the key priorities of the company. And we needed them, once they understood that, to get their oars in the water and head in a common direction.” Nassetta traveled all over the world and met with employees. He believed that Hilton employees had good values but that as many times as he asked what the company values were, he got as many different answers. There were so many different value formulations that he “stopped counting when I got to 30 different value statements at our offices.” Nassetta viewed his job, as the CEO, was “to create the right culture, set the tone, the high-level strategy.” To accomplish this in the company Nassetta set up teams around the world to look at their value statements and “boil them down.” They then took all of the formulations and derived 6, which they stated as follows:

H for hospitality
I for integrity
L for leadership
T for teamwork
O for ownership
N for now.

He felt by using the Hilton name as the acronym for the company’s values, it could be reinforced every time the name was used. In other words, it drove these values down into the company’s DNA by continual reinforcement. While acknowledging that repeating can lead to value fatigue, Nassetta felt like he and the company could not say it enough. He stated, “in my case, there are 300,000 people who need to hear it, and I can’t say it enough. So what might sound mundane and like old news to me isn’t for a lot of other people. That is an important lesson I learned as I worked in bigger organizations.”

Nassetta’s message drove home to me that a company cannot only integrate a wide variety of compliance values into its culture but more so, that the message needs to be repeated. I thought about the Morgan Stanley declination which was released in May. As a part of the Department of Justice (DOJ) release they noted that Morgan Stanley had done the following for the employee Garth Peterson, who pled guilty to violations of the Foreign Corrupt Practices Act (FCPA): The Securities and Exchange Commission (SEC) Complaint detailed the compliance program Morgan Stanley had in place and how it directly related to Peterson. The Compliant specified:

(1) Morgan Stanley trained Peterson on anti-corruption policies and the FCPA at least seven times between 2002 and 2008. In addition to other live and web based training, Peterson participated in a teleconference training conducted by Morgan Stanley’s Global Head of Litigation and Global Head of Morgan Stanley’s Anti-Corruption Group in June 2006.

(2) Morgan Stanley distributed to Peterson written training materials specifically addressing the FCPA, which Peterson maintained in his office.

(3) A Morgan Stanley compliance officer specifically informed Peterson in 2004 that employees of Yongye, a Chinese state-owned entity, were government officials for purposes of the FCPA.

(4) Peterson received from Morgan Stanley at least thirty five FCPA-compliance reminders. These reminders included FCPA-specific distributions; circulations and reminders of Morgan Stanley’s Code of Conduct, which included policies that directly addressed the FCPA; various reminders concerning Morgan Stanley’s policies on gift-giving and entertainment; the circulation of Morgan Stanley’s Global Anti-Bribery Policy; guidance on the engagement of consultants; and policies addressing specific high-risk events, including the Beijing Olympics.

(5) Morgan Stanley required Peterson on multiple occasions to certify his compliance with the FCPA. These written certifications were maintained in Peterson’s permanent employment record.

(6) Morgan Stanley required each of its employees, including Peterson, annually to certify adherence to Morgan Stanley’s Code of Conduct, which included a portion specifically addressing corruption risks and activities that would violate the FCPA.

(7) Morgan Stanley required its employees, including Peterson, annually to disclose their outside business interests. In other words, Morgan Stanley continued to drive home the message of compliance during the tenure of Peterson’s employment with the company.

Further, when the DOJ came calling, Morgan Stanley was able to prove to the DOJ’s satisfaction that the company had indeed done what it had claimed because the documentation was available to present to the DOJ. So just as Nassetta continues to preach the HILTON values of the company, Morgan Stanley was providing direct information to Peterson on his responsibilities under the FCPA. Nassetta said one other thing that struck me as important in his interview. He said, “One simple philosophy I have as a leader of a big organization is to have really steady hands on the wheel. In a tumultuous world, with so many things going on around you, you have to know who you are, what you stand for and where you are going, and keep everyone pointed in the same direction and have the discipline to stick with it.”

From this I understand that if you know your values and have the discipline to stick with them during turbulent times, these values will protect you. I think that Morgan Stanley shows that training on the FCPA, certification by its employees to abide by it, training on their Code of Conduct or Business Ethics, including conflicts of interest and annual certifications; can go a long way towards protecting a company in the event of a FCPA investigation. And please do not forget those email compliance reminders, the DOJ specifically pointed out that Morgan Stanley sent Peterson 35 email reminders about the FCPA over 7 years. Even with my trial lawyer math, that is only 5 per year.

Massie in his article about what the Battle of Hasting meant for Britain wrote, “So, if you were to begin by asking, in Monty Python style, “what have the Normans ever done for us?” you might first reply that the most enduring consequence of the Conquest is the richness of the English language, with its Anglo-Saxon base and Franco-Latin superstructure. This mixture gives us a huge vocabulary, and many words with essentially the same meaning, yet a different shade of emphasis: fatherly and paternal, for example.” This richness came from diversity. The values of the Hilton Corporation came from the values of its 300,000 employees. The richness is out there and one of your jobs as a compliance practitioner is to use that diversity to create a compliance program that works for your entire company.

Leave a Comment

October 3, 2012

NFL Replacement Referees-the Lessons of Training Temporary Employees

Filed under: Best Practices,compliance programs,FCPA,Financial Times,Training — tfoxlaw @ 1:26 am
Tags: compliance programs, compliance training, FCPA, FT, training

The short autumn of our discontent is over as the United States has ended one of its greatest national convolutions of recent memory. Am I speaking of the attack on the US Consulate in Libya; the current stalemate of US politics and the Presidential race or the upcoming financial cliff on which the US may dive over on December 31?

No, I am talking about the debacle of replacement referees by the National Football League (NFL). After an eight week lockout by management, including three regular season games, the results were so catastrophic for America that the NFL finally game to its senses and settled the labor dispute.

How bad was the fallout? So bad that the controversy not only made the front page of the Financial Times (FT) last week but it also made the FT’s Op-Ed page on September 29, in a piece written by FT Senior Editor Christopher Caldwell, in an article entitled “NFL falls foul of the ‘drunken Santa’ problem”. Caldwell used the (unfortunately) well known fact of US department stores hiring alcoholics to pose as Santa Claus during the Christmas holidays as the lead in for a discussion of “O-Ring Theory of Economic Development” as articulated by Michael Kremer. Kremer’s thesis is that in “high-value added fields, where one malfunction in a complex chain can destroy all value, special rules apply.” This leads to the concept, found in the employment relations context, where there is a “positive correlation between the wages of workers in different occupations within enterprises.”

I would add one additional corollary to the above. That is training. The replacement referees obviously did not know the rules and when they did know the rules, they had great trouble applying them in game situations. In other words, they had not been properly trained.

Why is training of temporary employees important in the context of an anti-corruption/anti-bribery compliance program? I would point to the ongoing Foreign Corrupt Practices Act (FCPA) investigation into the activities of Hewlett-Packard (HP) as the Poster Child for training of temporary (or contract) employees on your company’s anti-corruption, anti-bribery program. As reported by Karin Matussek of Bloomberg News on September 13, 2012 three former HP managers were charged in Germany in a corruption investigation over improper payments made to win a €35 million ($45 million) sale of computers to Russia about nine years ago. One of the ex-managers charged is a Finnish woman; the other two are men, one American and one German. The German authorities started their probe back in 2009, after provincial tax authorities found, in a routine audit of an unrelated company, evidence of payments for which “real use could be established for some payments found in the accounts. The owner of that company was charged.” German Prosecutors also requested and received permission from the Court to make HP an associated party to the case. Prior to the Court ruling on this request, Matussek quoted Wolfgang Klein, spokesman for Saxony’s Chief Prosecutor’s Office, who told her that “If the court grants that request and the allegations are proved, Hewlett-Packard’s profits from the transaction may be seized”.

The HP story was broken in the US by the Wall Street Journal (WSJ) in April, 2010. In the article it was reported that one witness said that the transactions in question were internally approved by HP through its then existing, contract approval process. Mr. Dieter Brunner, a bookkeeper who is a witness in the probe, said in an interview that he was surprised when, as a temporary employee of HP, he first saw an invoice from an agent in 2004. “It didn’t make sense” because there was no apparent reason for HP to pay such big sums to accounts controlled by small-businesses. He then proceeded to say he processed the transactions anyway because he was the most junior employee handling the file, “I assumed the deal was OK, because senior officials also signed off on the paperwork”.

Think what position HP might be in today if this temporary employee had been trained on the company’s system for internally reporting compliance issues? If Brunner had escalated his concern that the payment to the agent “didn’t make sense” perhaps HP would not have been under investigation by governmental authorities in Germany and Russian. In the United States, both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have announced they will also investigate the transaction, which it can only be supposed are for potential FCPA violations. While HP has not made any public announcements regarding the costs of the investigation date, it can only be speculated that the costs are in the millions because HP is the subject of investigations in at least three separate jurisdictions, the US, Germany and Russia, regarding the transaction at issue. Further, HP is now investigating other international operations to ascertain if other commissions paid involved similar allegations of bribery and corruption as those in this German subsidiary’s transaction.

Training is recognized as one of the points in the 13 point minimum best practices compliance program as delineated by the DOJ and as one of the elements under the US Sentencing Guideline’s Seven Elements of an Effective Compliance Program. It is also recognized in Principle 5 of the Six Principles of an Adequate Procedures compliance program as set out by the UK Ministry of Justice (MOJ). Lastly, it is recognized by the OECD in its 13 Good Practices for Internal Controls, Ethics and Compliance.

When refereeing a sporting event, one has to know the rules and how to apply them. What were the real referees doing while the NFL had locked them out? They were training. Each week, they took a written test on the rules of football. Each week they studied the games which were played for issues that arose. In other words, during the NFL lock-out of its referees, the referees were still training. This ongoing training for the real referees was nothing new or different than they have traditionally done as they did so when a contract existed and they were working NFL games.

I understand that compliance training fatigue can set in if such training is given too often. However companies need to realize that when professionals handle job duties which are high risk within the context of a FCPA or UK Bribery Act compliance regime; there must be training on not only the specifics of a company system but also on how to escalate a concern. Think about where HP might be right now if the contract accountant had been trained on how to use the company hotline.

So the autumn of our discontent has turned into glorious fall colors with the return of the real referees. But for the compliance professional, the real lesson is training. Coupled with the ongoing HP FCPA investigation matter as a teaching moment, I would suggest that you review how many contract employees your company has in high risk compliance positions. Do not simply look at persons in the sales chain but also those in positions who may be reviewing high risk transactions. Do you have any contract accountants, such as HP had in its German subsidiary? How about contract attorneys or even outside counsel reviewing such transaction? What about contract personnel in internal audit? If so, have they been trained on your company’s compliance program and how to escalate a concern?

I hope that you will consider these questions before you end up as a national laughingstock or on the front page of the FT.

Leave a Comment

FCPA Compliance and Ethics Blog

May 16, 2013

Four Keys to Compliance Leadership

May 2, 2013

Get Out of the Ivory Tower – Using Internal Corporate Resources to Facilitate the Compliance Function

April 17, 2013

Got 20 Minutes? Spicing Up Compliance Training

April 16, 2013

In the Limelight-the Theater, Lady Gaga and Compliance

March 21, 2013

What To Do If Your Gut Says It’s Wrong: Lessons from Project Alpha

January 25, 2013

Chesapeake Lighthouses and Lighting the Way for Compliance

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

January 18, 2013

How to Reach Your Audience in Compliance Training – The Use of Charisma

October 16, 2012

The Battle of Hastings and Diversity – How to Integrate It Into Your Compliance Culture

October 3, 2012

NFL Replacement Referees-the Lessons of Training Temporary Employees

January

Blogroll

Pages

Admin

Read by Email

Follow “FCPA Compliance and Ethics Blog”

May 2013
M	T	W	T	F	S	S
« Apr
		1	2	3	4	5
6	7	8	9	10	11	12
13	14	15	16	17	18	19
20	21	22	23	24	25	26
27	28	29	30	31