FCPA Compliance and Ethics Blog

July 29, 2014

Bringing It All Home, the Two Tough Cookies Wrap It Up For You, Part II

Note: I asked the Two Tough Cookies if they could put together a series of blog posts wrapping up the lessons they have seen and learned and written about in their series of Tales from the Crypt. They graciously put together a series of posts on the seven elements of an effective compliance program from their 10 tales of Business Conduct. Today, Part II of a Three Part Series…

3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals

This one is tough, especially in global organizations. In many countries, you simply cannot run a background check, as criminal records are not public. In others, you can run them, but the criminal offense must be related to the job to exclude the candidate from being hired. In yet others, you can run them, but you can’t use them due to overly strict privacy rules. Then there’s the matter of cost relating to doing all this due diligence. The best thing you can do is determine the following:

  • First, is your business subject to a potential FCPA violation? If you are not “at risk” of public corruption because you are not engaging at any level with foreign government officials, then half the battle is won. Of course, you still run the risk of commercial corruption (bribes, kickbacks, etc. with trading partners), but at least the spectre of government sanctions is not looming so large over you.
  • If you are “at risk” of an FCPA violation (you have interaction with govt. officials, including customs) have you developed a robust due diligence program, based on some corruption index to determine the level of due diligence required for your staff, your trading partners?
  • Have you identified your red flags thoroughly to spot anomalies in your business that would signal a deeper view is recommended?
  • Do you have staff to conduct the due diligence, or a vendor to do it on your behalf?
  • Are background checks run on everyone, or just certain individuals, or certain risk areas?
  • Have you taken a hard look at your gift policies to determine whether or not there are glaring holes that could give rise to inappropriate influence in business dealings?
  • Have you taken cultural considerations under advisement in your gift policies? Are they more stringent, or lax, compared to the US? Are the gift policies in Russia different than the gift policies in the US, because someone convinced someone else that you just can’t get things done without greasing a palm here or there?
  • Do you have a formal committee reviewing all charitable contributions, or are “charitable contributions” acceptable as “facilitation” to get non-discretionary government functions moving along? Does your organization allow “facilitation payments” – if so, you better take a second, third, fourth look….

The point I’d like to emphasize here is that even companies that make it on the “World’s Most Ethical Companies” list also make it to the DOJ’s investigation list for foreign corruption, or violation of embargoes, sanctions, and the like. People interpret rules when the rules change, depending on the country. People then make mistakes in favor of what makes business sense to them, in their country, in their environment. You just have to make sure you’ve done what’s reasonable to prevent those mistakes.

4. Communicate and Educate Employees on Compliance and Ethics Programs

Here’s where the tone from the top, middle and bottom is key to your culture. This is probably the most important thing you want to measure. I am fond of saying 90% of a good ethics & compliance program is communication, and 10% is actions/deeds. While deeds do speak louder than words, it’s the communications – what you say, how you say it, what you mean by it, your intent – that frames up the actions of others. So you want to measure:

  • Are the messages the same, the deeper you get into the organization? Is the understanding of the messages cascading from above the same the further down you go? Easy enough to measure with post-learning survey tools. Give all top, middle, and lower management the same “meeting in a box” and see if the understanding after delivery is the same. Reminds me of that campfire game, where the story starts at one end of the circle, and is completely different by the time the last person hears the tale. Your objective, of course, is to ensure that every person in the corporate audience hears the same message, and has the same take-aways, no matter who is telling the tale.
  • What kind of audience do you have? Does everyone have access to a computer, or do you have the challenge of manufacturing workers, with multiple languages and facilities to manage, and no technical means of reaching them? Have you done what’s necessary to ensure your training and communications mechanisms address every type of audience, or are pockets left out of the mix?
  • What learning aids do you have to help with understanding the code of conduct? Are the examples you use for harassment appropriate for your audience? Do you have a team of global reviewers who will not only preview your training, but offer suggestions on how to localize it to make it appropriate, meaningful and relevant to the teams they serve? If so, do they look at all communications pieces, or only certain ones? If only certain ones, which ones? And why?
  • Are there any leaders who go above and beyond when you launch your annual or quarterly training? I had an Asian business President who made sure he took the course the first day it was launched, and then sent a message to his leadership team about what he learned from the course, and what he wanted them to take away to their teams after they took the course. All of his team had the course done within the first month. I wanted to clone the guy, I swear!

I’m also reminded of mandatory harassment training I gave in Brazil one year. I relied upon the canned on-line training to help with my meeting amongst management, who all spoke English well. I was planning on asking them to cascade the messages to their teams while I was there, but they pointed out that the training was a farce. Women, they told me, wanted wolf calls lobbed in their direction in Brazil – it was not only culturally acceptable, but encouraged. This was substantiated by the several women in the room. Check. Fortunately, I had other examples at the ready to use for a facilitated session, which I vetted with the women on the team prior to delivery. Lesson learned? Make sure your ethics & compliance steering committee has global membership, and are willing to preview your training and communications prior to launch to ensure cultural relevance. If you don’t do this, your ethics & compliance program will be perceived as a joke. Not a desirable outcome, I would say….

5. Monitor and Audit Compliance and Ethics Programs for Effectiveness

So, how do you measure a non-event? I often ponder…. The challenge in highly ethical organizations is that you have, at first blush, very little to measure. If everyone’s doing a good job, how do you measure effectiveness? Is it because you have a great program that you have absolutely no calls on the hotline? Or is the reason for no calls to the hotline that everyone is trembling in fear of retaliation? Hmmm.

Some of the things you can measure include

  • Indicators and ‘yardsticks’ – do you crawl, walk, or run to goals?
  • Do you seek periodic stakeholder feedback (including E&C council input)?
  • What kind of documentation do you collect – trend analyses of HelpLine metrics, feedback on program enhancements as they are implemented, feedback on training and communications?
  • Do you routinely conduct a “Lessons Learned” exercise after substantiated hotline calls?
  • Does your HR team engage in site assessments when a location, facility, or team seems to have a lot of issues that arise from a single manager or set of team leaders?
  • How often are your Code, policies, procedures updated and reviewed? Are they tested for readability and understanding? Are they just published, or is training introduced for new policies as they are issued?
  • Do you conduct risk assessments and/or change training or communications based on perceived risk areas?

6. Ensure Consistent Enforcement and Discipline of Violations

Does your organization allow for mistakes? Many will say they do, but when the rubber meets the road, you will find that they can be unforgiving for some transgressions, and unbelievably forgiving for others…. You will want to measure

  • Whether or not there appears to be wiggle room when folks stray. Deeds in this aspect do speak louder than words.
  • Are roles and responsibilities clearly defined, with escalation clauses when things go wrong?
  • Does your organization communicate when things go wrong as well as when things go right? I know one organization that struggled mightily when I suggested we let everyone know what actions we took for certain code violations. The attorneys were all worried that someone would sue, of course, but in the end, integrity prevailed. We were able to sanitize the situations in such a way to communicate what had been done, and what discipline was taken, without anyone learning personal details. Importantly, it drew a virtual line in the sand by publicizing transgression and discipline, so that people knew boundaries. Of course, this was after years of me observing that discipline seemed to be discretionary within the organization, and as a result, trust in management “doing right” was eroding significantly. It didn’t hurt that my observations were followed by multiple hotline calls saying the same thing… but it should never get to that point, should it?

Also measure whether or not policies and communications:

  • Encourage reporting
  • Identify resources to raise concerns
  • Prohibit retaliation for good faith concerns
  • Identify management as the primary resource for issues or concerns
  • The average timeline to resolve complaints
  • Whether or not you benchmark reports that express fear of retaliation or unwillingness to consult with management first. This is tough to do, unless you build it in to your hotline reporting mechanism as a “customer service” function at the end of every call or report, actively soliciting this very feedback when a report is made.

7. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents

So, you are at the point where you have confidence you have the right policies and procedures in place to keep yourselves honest. But in case someone didn’t get the memo of “expected behavior” you have to make sure you respond appropriately, and take steps to avoid future missteps. One organization I worked at realized the culture of an acquired subsidiary was so awful that it opted to sell it off rather than try to fix it. They had other issues in the larger organization, but they knew a bad deal when they saw it, and took steps to rid themselves of an untenable position. Another organization I worked at kept throwing money at a subsidiary, when it probably would have been better to toss in the towel. Different organization, different results, neither perfect, but it fit them as they saw things.

When gauging the culture of your organization, some things you want to look at are the rewards and sanctions for behavior:

Positive rewards:

  • Retention of employment
  • Recognition
  • Appreciation
  • Commendation
  • Monetary or stock reward

Negative sanctions:

  • Termination or Suspension
  • Demotion
  • Probation
  • Appraisal comments/warnings
  • Reduction in compensation or bonus

You also want to measure your Performance Appraisal Systems, and look to see whether or not they include sections on:

  • Demonstrated Ethics and values in workplace conduct
  • Good communication skills
  • Building trust with stakeholders
  • Being fair or equitable
  • Maintaining a high level of quality or integrity in decision-making
  • Reporting Concerns
  • Empowering subordinates to report concerns
  • Training and development initiatives for the team

Tomorrow the Two Tough Cookies sum it all up…

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors, their affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Authors give their permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors.

 

May 23, 2014

Trip To Annapolis and Teaching Leadership

Monday is Memorial Day and is the day wherein the men and women who died while serving in the United States Armed Forces are remembered. The holiday is celebrated every year on the final Monday of May. The first recorded Memorial was held on May 1, 1865 in Charleston, South Carolina to commemorate the soldiers who died in the Civil War. By the 20th century, Memorial Day had been extended to honor all Americans who have died while in the military service.

I thought about Memorial Day when I toured the US Naval Academy this week. This is also Commissioning Week for graduating seniors who will become officers in the Navy or Marine Corps this coming Saturday. One of the buildings that I toured was the US Naval Academy Museum. The mission of the Naval Academy Museum is to collect, preserve, and exhibit the artifacts and art that are the physical heritage of the US Navy and the Naval Academy in order to instill in Midshipmen a knowledge of the history and heritage of the Navy and the Naval Academy and to supplement the instruction of all academic departments of the Academy, as well as to demonstrate to the public the contributions of Academy graduates to the military services and to the Nation. And to motivate in young people a desire to become part of the Brigade of Midshipmen and to begin a career of service to their Nation.

The Museum is in many ways a teaching museum. One of the courses taught directly in classrooms in the building is on leadership. Of course, the curriculum teaches the overriding theme of the Naval Academy, which is Duty, Honor, Loyalty, but it goes beyond this to a moral and ethical dimension to its leadership classes. The firm belief at the Academy is that leadership can be taught through the modeling from prior leaders.

I thought about this concept of modeling leadership in the context of compliance. One area that is not focused on too often in company-sponsored training is that of leadership. Moreover, while many business leaders receive substantial training on the technical aspects of doing business, they rarely receive training or are even assessed on leadership attributes to do business ethically and in compliance with laws such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. It occurred to me that if the US Naval Academy can teach leadership, this is something that US businesses could also teach.

While you are pondering this question, I hope that you might think about all the men and women who have given their lives so that we might live in freedom and are honored this and every Memorial Day. While in Annapolis I had another reminder of their sacrifice. While having some lunch at Chick and Ruth’s, the owner came over the PA and asked us all to stand and say The Pledge of Allegiance. He said the reason that he made the request was “because we could stand and say it.” I realized that we are honoring those people who made the ultimate sacrifice.

Happy Memorial Day to all but I would ask that you take a moment to thank all those we honor for this holiday and to honor the men and women of the US Naval Academy who will be commissioned this weekend and will serve us all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 12, 2014

Shirley Temple and Excellence in FCPA Training Video

Today we honor one of the most interesting personalities of the 20th century, Shirley Temple, who died yesterday. She was probably the greatest child actress of all-time, being the lead grossing star for five straight years during the 1930s. But the thing I found most remarkable about this woman was her third career, after marriage and motherhood, in the US Diplomatic Corps. President Richard Nixon appointed her as a Representative to the UN. Nixon later appointed her as Ambassador to Ghana. President Ford named her to be the first female Chief of Protocol of the US. Finally, the first President Bush appointed her as Ambassador to Czechoslovakia. But whatever role Shirley Temple chose she did it with excellence.

Just as Ms. Temple had a commitment to excellence, so does my colleague, Mike Koehler, the FCPA Professor. Recently the FCPA Professor announced that he had partnered with Emtrain to create a best in class Foreign Corrupt Practices Act (FCPA) compliance training video. I had the opportunity to view the video and I can agree that it is certainly an excellent training video, which you should consider for use in your company’s ongoing compliance training and communication. As you would expect from the FCPA Professor, each slide is well documented and provides the basis for the training. However, the thing that I thought made the training stand out was the variety of techniques used throughout the video.

There are separate chapters on the following subjects: an Introduction to the FCPA, the social and business case for the FCPA, the definition of bribery under the Act, a definition of what constitutes “Anything of Value” under the Act, who is a Foreign Official under the Act and who else might be covered by the FCPA, what does it mean to “Obtain or Retain Business”, the high-risk nature of Third Parties under the FCPA and how to manage that risk, what might be available as an exception to the Act and defenses under the FCPA, Books and Internal Controls, a discussion of the UK Bribery Act, Red Flags that you should be aware of, creation of a FCPA compliance policy and self-reporting of violations to the DOJ/SEC and a summary section. After completion of the course you should be able to describe how corruption impedes global economic development and how it undermines the ability to compete fairly in business; outline three fundamental elements of a bribery offense that can lead to prosecution of companies as well as individuals; identify various red flags that can be indicators of bribery and outline how, and to whom, you should report concerns about possible bribery and corruption.

The video training includes the following:

  • Executive and non-executive versions
  • The ability to configure the course with company-specific policies, videos, graphics, text, and employee hotline or reporting information
  • 20+ video clips to illustrate real-world business scenarios that present risk
  • An Enforcement Risk Spectrum that helps learners “issue spot” bribery and corruption risk
  • The ability to use video scenes outside the e-Learning experience in live training, discussion groups, or company emails and reminders
  • A compliance Learning Management System (LMS), enabling an administrator to launch and track training efforts and generate audit-ready training reports showing time spent on each video, screen, policy, etc.
  • There will be productions available in Mandarin Chinese, Russian, Arabic, Portuguese, French, and other languages upon request.

But the video is more than simply a recitation of what is required under the FCPA. The thing that makes it stand out for me is the different types of training it employs to hold the listener’s attention. First is the length of 60 minutes for an executive/high risk trainee and a shorter length for those who do not fall into those categories. Next, for those who may desire to delve deeply into the subject matter, are short concise descriptions of the legal and compliance concept involved in the discussions. For instance, in the section on the definition of bribery there is a discussion of the Organization for Economic Cooperation and Development (OECD) established standards to combat bribery and the United Nations Convention Against Corruption (UNCAC), which established guidelines for codes of conduct for public officials, transparent and objective procurement systems, and increased accounting and auditing standards for the private sector. Added to this is a short piece on the UK Bribery Act. All of these non-US laws are then tied into the FCPA so the listener will have a broad understanding of what they may be facing in any multi-national business from the anti-corruption compliance perspective. Significantly, and most soberingly, the video points out that according to the World Bank Institute, more than $1 trillion is paid globally in bribes each year. Some of the worst affected countries are the poorest ones in the world.

What I think makes the video unique and frankly enjoyable to watch is that it has several interactive features. The first is that it opens with an interactive pre-assessment that is designed to determine how much you already know about global bribery and corruption. From there, each section has a short interactive questionnaire at the conclusion of the video on the section’s topic. These features allow the participants to examine their own expertise and then self-assess the lessons that they have learned throughout the presentation. By making each session interactive, you not only hold the attention of the listener but also garner their participation in the training. Any time you can get participation in training, you are a long way towards having an effective training program.

There are a couple of other cool features. It allows your company to customize the training by attaching some of your key anti-corruption policies and procedures for review during the Policies section of the training. Additionally, and following my mantra of Document, Document and Document, after completion of the training, your participation is electronically noted for record keeping, along with a copy of the training materials. So when the regulators want to see not only who was trained but also the materials they were trained on, you have easily accessible records to document the event.

So when the FCPA Professor says he has created a best in class FCPA training program, I heartily agree. You can check out a demo version of the training video by clicking here.

=======================================================================================================================================================================================================================

As many of you know, Jon Rydberg and I wrote and published a book at the end of last year, entitled “Global Anti-Corruption & Anti-Bribery Leadership Practical FCPA and U.K. Bribery Act Compliance Concepts for the Corporate Board Member, C-Suite Executive and General Counsel”. On Thursday, February 13, we will discuss our book in a webinar hosted by Hiperos LLC. Hiperos President, Greg Dickinson, will be interviewing Jon and myself about the book, its genesis and our thoughts on ‘doing compliance’ as opposed to simply having a compliance program. The event is free and you can find details and register by clicking here.

=======================================================================================================================================================================================================================


January 21, 2014

The Culinary Aspects of Homer’s Odyssey and Compliance Training

I recently came across a fascinating book entitled “The Meaning of Meat and the Structure of the Odyssey” by Egbert Bakker. In this work, Bakker looks at the culinary aspects of Odysseus’ journey home from the Trojan War. Peter Thonemann, writing in the TLS, said that “Bakker’s book is a powerful illustration of the importance of food and culinary practices to past society.” In other words, the eating habits could be used to not only understand the past but also perhaps train those in the present about the “wider moral culpability” found in Homer’s work.

I thought about this different way of learning as I was reading a recent article by the Open Compliance and Ethics Group (OCEG) President Carol Switzer in the Compliance Week magazine, entitled “Playing the Game of Risk in Workplace Education”. Her article was coupled with a roundtable discussion of the subject and another in the OCEG, GRC Illustrated Series entitled “Risk-Based Education and Training”.

In the article, Switzer reminds us “one size does not fit all in deciding the content and intensity of training needs for each role or individual”. Recognizing that it all starts with a risk-based analysis of who needs the training is just the start. Switzer believes that by engaging employees in the training, it can become more effective. She looks to the world of gaming when stating that, “Well-designed games encourage engagement, and more engagement means more reinforcement, and that leads to better recollection and application of the information. Situational decision making drives the player to think, not just act. Making wrong choices and seeing the consequences leads to desire to act the right way and gain rewards, be it advancing to the next level of the game, earning a prize for success, or understanding that in the real workplace world the reward may be achievement of personal and organizational objectives.”

In her roundtable, she posed the question, “How do you suggest companies decide on the appropriate amount of training?” Earl Jones, Shareholder at Littler Mendelson PC, responded that a company needs to evaluate where its risks are, “If the company is betting on international expansion, then intensive anti-bribery and corruption intensive training is a necessity for key employees. Also design training to build and protect sources of value. If an intangible asset, like a brand, is an important source of value, thoroughly train employees to identify, understand, and react to events or behavior that could impair the brand.”

When it comes to the scope and style of training, Steve Perreault, Global Head of eLearning GRC for Thomson Reuters, suggested you should assess your training by employee groups. You should “Understand things like: How likely is a group of employees to participate in activity that is related to a particular regulatory area? How complex is that regulation? What controls are in place already? Is this employee group responsible for making sure others comply with policies and regulations? You also have to consider what you will need to provide to evidence to regulators and courts that the program exists and is effective. Once you get that figured out, you must ensure that you stay on top of changes in legislation and enforcement, and revise policy, procedures, and training accordingly.”

Switzer next turned to measuring the effectiveness of training and how a company might determine this. Alisha Lynch, Global Ethics and Compliance Education Leader at Dell Inc., said, “Determining the scope and style of training should have several input sources. Most organizations have three- to five-year strategic plans, and training programs should be designed to support those plans and initiatives. One good analogy is that a training initiative should be like a physical fitness regime. You cannot exercise the same muscle every time to make significant improvements, and you cannot ignore the diet. A culture is like a diet. If the organization designs and delivers great training but the culture is toxic, probably no improvement will be made.”

In the GRC Illustrated Series, it suggests that companies take a risk-based approach to provide appropriate levels and types of training and education to different individuals across the organization. Some of the factors they suggest you review are the role of the individuals, geography, and their level of exposure to particular risk areas. Such an approach moves away from the ‘tick-the-box’ approach that generally renders such compliance useless. It also helps to ensure that there is a more effective use of budgetary resources by focusing training efforts to maximize the return on the investment. The piece advocates a three-pronged approach.

Define

The first step is to define what you are trying to achieve. The piece recognizes that “while some organizations limit their training programs to what is legally required, more successful ones know that there are many reasons for developing a thoughtful, well-designed approach to employee education.” It puts forward that if training is done right, it will help the organization to achieve several goals. These include: achieving business objectives; managing threats and business opportunities; addressing change in a positive manner; helping to ensure integrity and the company’s reputation; strengthening the business’s culture and ethical conduct; and, lastly, providing evidence that the company has complied with legal requirements such as the US Sentencing Guidelines and the Ten Hallmarks of an Effective Compliance Program.

Design

The next step is to design the training program, which is further broken down into three steps, which drill down into the specifics of training. By using these three steps, you can help to assure that the training will be effective for the individual but also for the nature of the risk involved.

The first is to design the training program. Steps include the development of curriculum using a risk-based model. You should set uniform methods for acquiring content, maintaining records, and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Finally, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who your audience is and what their characteristics might be. You need to ensure that the content is timely and the instructors are effective. Finally, you will need to determine not only the most appropriate mechanism to deliver the content but also define the key performance indicators and determine methods to audit them.

The final design level is the individual’s training plan. Here you need to analyze what the person’s role is within the organization and use this to determine mandatory and risk-based training needs. You will need to consider modifying the risk profile based upon assessments given before and after the training is delivered and then adapt the training as an employee’s role and risk profile changes within an organization.

Deliver

For the delivery of the training materials, they also have a tripartite scheme. They break it down into high risk exposure roles, medium risk exposure roles and low risk exposure roles.

  • High Risk Exposure Roles – are defined as those employees whose roles in an organization can significantly impact the company. Here expert subject proficiency is demanded and individuals should be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements, and penalties. Training may be repeated frequently using several methods of delivery, have greater assurance through testing and certification of course completion, and include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises.
  • Medium Risk Exposure Roles – are defined as those employees who face risk on a regular basis or present a moderate level of negative impact to a company if they mishandle the risk. These individuals should know the risks, requirements, and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. Training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, and have methods to prove evidence of understanding.
  • Low Risk Exposure Roles – are defined as those employees with a low likelihood of facing the attendant risk. Persons in this category should be made aware of the risks, requirements, and penalties, as well as the organization’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

As with all areas in an anti-corruption compliance program, Switzer and the OCEG suggest that you monitor and audit your program so that you can review it and improve as circumstances warrant. I would add that you should also Document, Document and Document what you are doing for the same reasons. Just as Bakker’s new look at the culinary aspects of the classics can provide new insights into interpretation, it also shows the training that was written into Homer’s Odyssey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

December 13, 2013

More Compliance Lessons from the Asiana/SFO Crash Investigation

I have long been interested in the intersection between the changes in corporate attitudes regarding safety in the workplace and the changing attitudes on doing business through bribery and corruption. As a trial lawyer defending corporations in catastrophic accident lawsuits, I saw a sea change in the corporate attitude regarding safety, beginning in the 1980s through the 1990s. Many of the arguments used against safety during that era are used now. Some of my favorites are: (the financial excuse) it costs too much and doesn’t contribute to the bottom line; (the traditional excuse) we’ve always done it that way; and (my personal favorite) you can’t stop humans from screwing up and trying to injure themselves. But the reality is that safety at the workplace did improve and now most companies not only say that safety is job No. 1 but they live and breathe that motto. Does this sea change mean that serious accidents do not happen at the workplace? Of course not, but it does not mean that companies have given up or even should give up the quest for zero accidents at work.

Part of the ongoing debate about compliance is whether the Department of Justice (DOJ) approach of corporate enforcement actions and the use of Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) help or hurt compliance with the Foreign Corrupt Practices Act (FCPA). Some commentators remark that the simple fact that there are enforcement actions is indicia itself that the DOJ approach is not working. Mike Volkov took on this topic in his post, entitled “The Sky is the Limit: Escalating Fines, DPA/NPAs and Deterrence”, by asking if “it is important to ask the question whether the current enforcement scheme adequately punishes and deters corporations”? In his discussion he points to some who want more prosecution of individuals as a greater deterrent and others, notably the FCPA Professor, who want greater corporate protections against prosecution through the addition of a compliance defense as a mechanism to give corporations more incentive to do business in compliance with the law. Volkov ends by observing the DOJ’s current enforcement focus “will not change unless and until there is a good reason to do so – so far no one has pointed to any significant reason for the Department of Justice to change its practices.”

I thought about all of the above in the context of the hearings in Washington in front of the National Transportation Safety Board (NTSB) surrounding the crash of the Asiana jet at San Francisco’s airport last summer. Earlier this week I wrote about one of the lessons from the hearings which was the need for enhanced training by Asiana pilots on not only the specific planes they pilot but also training that they can speak up when they see something that they believe is not right.

This need for training was made even more acute by the testimony given by the Captain on board the flight in question, as reported in a New York Times (NYT) article entitled “Pilots in Crash Were Confused About Control Systems, Experts Say”. Captain Lee said that he told investigators that any of the three pilots on the plane could have decided to break off the approach, but he said it was “very hard” for him to do so because he was a “low-level” person being supervised by an instructor pilot. But more than even the failure to raise his hand and speak up, Lee did not heed the warning of a junior officer. As reported in an article by the Associated Press, entitled “Pilot who crashed at SFO was worried about landing”, after the accident, Lee told NTSB investigators that neither he nor the instructor pilot onboard the flight said anything when the first officer raised concerns four times about the plane’s rapid descent. Further, he was very concerned about his ability to make a visual landing. So not only was Lee afraid to speak the truth to a superior, he didn’t listen when questioned by a junior. In the world of workplace or airline safety, this is a recipe for disaster.

I think the key to overcoming these problems is training, which has long been recognized as a cornerstone of any best practices ethics and compliance program. I thought it might be an appropriate time to review the training statements made regarding the FCPA. The US Sentencing Guidelines list “Conducting effective training programs” as one of the factors the DOJ will take into account when a company accused of a FCPA violation is being evaluated for a sentence reduction. The Sentencing Guidelines mandate:

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities. 

After the promulgation of the Sentencing Guidelines, the DOJ and Securities and Exchange Commission (SEC) gave their views on training in the 2012 FCPA Guidance. Their Ten Hallmarks of an Effective Compliance Program listed Training and Communication as one of the key elements. In this section they said that anti-corruption and anti-bribery compliance policies cannot work unless effectively communicated throughout a company. They advised that “a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” But more than a simple dyadic promulgation of a rule, a company should tailor its training to its needs and its risks. This means that any “information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language.”

In addition to the FCPA Guidance, the UK Ministry of Justice (MOJ) has stated that training is one of the Six Principles of an effective compliance program. Under Principle V, it states that “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.” The Guidance recognizes that communication and training deter bribery by companies, their employees and those persons associated with them, by enhancing awareness and understanding of anti-corruption policies and procedures and the company’s commitment to their proper application. It therefore follows that making information available on legal requirements, obligations and policies and procedures for implementation of the same assists in more effective monitoring, evaluation and review of bribery prevention procedures. Anti-bribery training should provide, to company employees and those persons and entities associated with the company, the knowledge and skills needed to implement and utilize the anti-bribery procedures and handle in a satisfactory manner any bribery related problems or issues that may arise.

Fortunately, violations of the FCPA rarely result in loss of life or limb. But that does not diminish the responsibility of companies to comply with the law. And just as corporate attitudes around safety changed dramatically, corporate attitudes about following the FCPA can change as well. Indeed they could even take the basic approach suggested by (the then) DOJ representative Greg Andres in testimony about attempts to amend the FCPA before the House Judiciary Committee: don’t pay bribes.


© Thomas R. Fox, 2013

December 11, 2013

Keep Your Hand on the Control

Yesterday Nelson Mandela’s casket was driven to the state capital where he will lie in state until his funeral on Sunday 15th December. Dignitaries from all over the world will attend. Mandela was praised for his non-violent approach to ending apartheid in South Africa and his leadership in the peaceful transition of power. But he was also recognized as incorruptible. So today we honor that aspect of his career.

I am continually amazed at the seemingly disparate current events which provide tangible lessons for the compliance practitioner. In an article in the New York Times (NYT), entitled “Hearings on San Francisco Crash Set to Explore Broader Problems”, reporter Matthew L. Wald wrote about the upcoming National Transportation Safety Board (NTSB) hearings on the deadly plane crash last July at San Francisco International Airport. Investigators quickly were able to determine the immediate cause of the crash, that being the pilots’ failure to monitor their airspeed. However, these hearings will go further and try to determine more basic reasons which led the pilots to make the decisions which caused or contributed to the disaster.

The first was an over-reliance on technology. Crews for the airline involved, Asiana, are “accustomed to programming the autopilot to land their planes” rather than manually taking over during the landing procedure. The first problem was compounded and became a disaster when a second problem apparently arose, which was that the pilots had “evidently limited ability to manage the ubiquitous automated systems in the cockpit.” So they flew expecting the auto-pilot to land the plane but did not realize or appreciate that the auto-throttle portion of the system was in the off position. The article was clear that, even with these reasons, the problems which led to the crash were “more broad than bad pilots.”

The reliance on technology or big data has become an issue in the Foreign Corrupt Practices Act (FCPA) or other anti-corruption laws such as the UK Bribery Act. The Department of Justice (DOJ) has brought up the tool of transaction monitoring as a best practice at least since the Morgan Stanley Declination. But, just as these tools are important to the compliance practitioner, it is important to keep in mind that one of the remedies certain US based airlines have come up with will make it harder for crews to overlook problems like low airspeed, even when a plane’s auto-pilot is turned on during a descent. The solution is elegant for its simplicity: certain airlines mandated that “a pilot keep a hand on the throttle, to sense its position, during descent.” Simple, elegant and cost effective, I would add.

For the compliance professional this also means a compliance program is more than simply about numbers and systems. As Paul McNulty and Stephen Martin say in their five essential elements of an effective compliance program, it is important to not only understand but ascertain if your employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. Two of the seven compliance elements in the Federal Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

The next area that the NTSB hearings will look at is training and procedures. One thing that US pilots are trained on and given a wide berth to do is to “speak up if they sense a problem, even if the pilot at the controls has seniority, and to listen to subordinates.” Recognizing that part of the issue here is cultural, because South Korean crews “have had trouble with those procedures”,  the clear message here is training. For the compliance practitioner, the message is also clear, again it is training, training and training. Whether you call it a ‘Speak Up, Speak Out’ or ‘Raise Your Hand’ culture, such a system must be put in place to allow an employee who senses a problem to get that information to people who can take a more focused look at the problem.

But, more than training, the company has to commit to more than having a system. The company must commit to listening. One of the biggest changes in airline cockpits is that more senior pilots are instructed to listen to junior pilots. The same must be true in a company. The company has to listen to employee concerns. This requirement to listen has been made even stronger with the Dodd-Frank Whistleblower provisions. But the clear message for the compliance practitioner is that speaking up and listening are a two-way exercise.

Just as in every catastrophic accident, in almost every circumstance regarding a compliance issue which becomes a FCPA violation, there is at some point a situation where an employee did not report a situation or event up to an appropriate level for additional review. This failure to escalate led to the issue not reaching the right people in the company for review/action/resolution and the issue later became more difficult and more expensive to deal with in the company. This means that a company needs to have a culture in place to not only allow elevation but to actively encourage elevation. Additionally, both a structure and process for that structure must exist. Lastly, while a whistleblower process or hotlines are necessary these should not be viewed as the only systems which allow an employee to escalate a concern. In the cockpit it means a junior pilot can speak directly to a more senior pilot.

One of the things that I have learned practicing compliance is that process is very important. But the investigation into the Asiana crash shows that keeping your hand on the throttle to understand the pulse of things is a very good technique to maintain.



© Thomas R. Fox, 2013

November 15, 2013

The Texans Are 2-7: What is Missing from Your Compliance Program?

I usually do not write about the Houston Texans because (1) unlike the sad sack Astros, they are not often relevant enough to care about and (2) they usually are relatively well-run. They continue to be not relevant this year, coming into this week’s game with a sterling 2-7 record. However, they showed themselves not to be too well run this week when they summarily dismissed from the team safety Ed Reed, after he publicly said that the Texans were “out-coached and out-played” last week following the team’s seventh straight loss. As my friend and colleague Richard Lummis is fond of saying “No sh– Sherlock.”

For those of you who do not know Ed Reed, he is in his 12th season of playing in the National Football League. He is a two-time Super Bowl Champion, a nine-time Pro Bowler, a former NFL Defensive Player of the Year and a sure-fire first ballot Hall of Famer. In other words, he not only knows pro football but he is a winner. Reed played his first 11 seasons with the Baltimore Ravens and was signed as a Free Agent by the Texans to bring some professionalism and winning attitude to the club. He had surgery in the offseason which slowed him down to the point he no longer started but he still has the attitude and credentials of a winner. So what does it say about the Texans when a player of Reed’s stature speaks the truth and is summarily cut the next day? How many top notch free agents or top talent would want to play with an organization that punishes people who publicly complain about losing?

I thought about Reed and the Texans when I read a post from the noted site JDSupra entitled, “What’s the One Thing Missing From Your Corporate Compliance Program?” They put that question to various compliance attorneys writing on JD Supra, asking each to commit to just one essential element that, in their experience, they regularly see missing from corporate programs; i.e., programs that are required to address myriad regulatory issues to do with privacy and data security, insider trading, bribery and corruption, and other such matters across numerous jurisdictions. I found the replies quite interesting and they perhaps offer some insights which the Texans can use.

From Jeremy B. Zucker, Co-chair, International Trade and Government Regulation practice at Dechert LLP: “For a compliance program to be truly effective, personnel must take ownership of their behavior and take pride in being part of the team. To achieve this, a truly effective compliance program must demonstrate that a values-based approach is relevant to the daily conduct of business…”

From Charles F. Connolly, partner in Akin Gump’s white collar practice in Washington, D.C.: “…the key question enforcement authorities ask when evaluating a company’s compliance program is ‘does it work?’  The only way to answer that question proactively is to review – and test – the program on a regular basis.”

From Joe Bermudez, partner at Wilson Elser: “Crisis management policies, protocols and procedures are a necessary element for any company’s compliance program. Often overlooked because companies refuse or fail to consider the contingencies involved with catastrophic or tragic events, an effective crisis management plan may be the difference between a company surviving a crisis event and not…The issue is not when a crisis will strike, the issue is whether the company is prepared to survive the event.”

From Peter Menard, senior partner in the Corporate Practice Group at Sheppard Mullin: “Forms of policies, procedures and contract provisions are widely available on the Internet to ensure compliance with such diverse regulations as FCPA and other anti-bribery rules, prohibitions on insider trading, protection of confidential personal financial and health records, and import/export controls…Lawyers can draft the most comprehensive policy, but only management can take the policy out of the file cabinet and make it an integral part of the corporate culture…”

From Chester Hosch, partner in the Corporate and Tax Group at Burr Forman: “The one thing lacking in most corporate compliance programs is a culture of unshakable commitment to integrity and ethics. The commitment has to be embraced and encouraged notoriously, unambiguously and completely by senior management. The commitment will manifest itself in adequate funding, effective training and consistent monitoring. In the end, the compliance officer will have absolute confidence top management will remain true to the commitment, no matter the consequences.”

From Bettina Eckerle at Eckerle Law: “In my experience, often companies do not treat their compliance program as a living breathing organism that needs to be tested, reviewed, changed, brought up-to-date as market conditions, business practices and the regulatory environment evolve. One should never think one is ‘done’ with what is in place but rather incorporate compliance in the day-to-day ebb and flow of the business.”

From yours truly: Document Document Document

These observations bring to bear a different set of focuses which you should consider in the context of your compliance program. Take each point raised and ask yourself, do we have this concept or protocol in place? If you do, then ask yourself my mantra: Did you Document Document Document it so that if a regulator, from the US to China, comes knocking you will be able to demonstrate that you did have such a protocol or concept in place?

As to the Texans, I think the thing that they are missing is reality. They should ask themselves about now if they are dedicated to winning or something else. After losing seven straight games it is even obvious to my English wife that they are being out-coached and out-played. Fortunately she cannot be fired from her job for saying so.


© Thomas R. Fox, 2013

October 24, 2013

How Do You Develop a Compliance Practitioner?

The Morrill Act was a seminal moment in American education. This law, passed in 1862, provided that land-grant institutions of higher learning should be created “without excluding other scientific and classical studies and including military tactics, to teach such branches of learning as are related to agriculture and the mechanic arts, in such manner as the legislatures of the States may respectively prescribe, in order to promote the liberal and practical education of the industrial classes in the several pursuits and professions in life.”

Under the Act, each eligible state received a total of 30,000 acres of federal land, either within or contiguous to its boundaries, for each member of Congress the state had as of the census of 1860. This land, or the proceeds from its sale, was to be used toward establishing and funding the educational institutions described above. The law had been introduced in the 1850s but the Southern land aristocracy, who most assuredly did not want universal education for the masses, prevented it from being enacted into law. With the South in rebellion, the measure passed in the first Congress elected after the Civil War had begun.

I was at Michigan State University (MSU) this past weekend and one of the school’s biggest points of pride is that it was an original land-grant college, originally named Michigan Agricultural College. I met with the Director of my old graduate program, which is now Human Resources-Labor Relations (HR-LR), Bill Cooke. One of the things that the school does is to train HR professionals. I talked with Director Cooke about my beliefs on how HR ties into a company’s compliance program. That led to a discussion about the training HR professionals receive on anti-corruption compliance programs such as those designed to comply with the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

My visit to MSU, and the discussions about training in graduate programs, got me to thinking about the training of a compliance professional. How do you do it? What should go into it? Most compliance practitioners’ experience is somewhat similar to mine; I am a lawyer and worked in a corporate legal department. I was thrown into a compliance role with not little training, but no training. It was simply go to a seminar and learn about FCPA compliance. And, of course, good luck. I had the same happy experience when I was appointed as world-wide export control director. At least I could spell FCPA when I started that role.

What is available out there if you want to learn how to become a compliance practitioner? If you are a law student and attending Southern Illinois University (SIU) School of Law, you could take the FCPA Professor’s upper-level elective course entitled “Current Developments in American Law: Foreign Corrupt Practices Act”. The Professor was interviewed about his class in the Chicago Daily Law Bulletin, in an article entitled “Students take bribe(ry class).” The article noted that through this study of the FCPA itself, its history, judicial decisions involving it, enforcement of it and resolved FCPA enforcement actions, the FCPA Professor believes that “Understanding how the law is enforced and critically analyzing it and developing FCPA compliance skills is really a skill set for any future lawyer to have.” The FCPA Professor also uses this course to expose his students to other areas, “including corporate criminal liability, U.S. Department of Justice and SEC enforcement policies and ‘a working knowledge of resolution vehicles that are used to resolve FCPA enforcement actions.’”

But this is a law school class for (most probably) prospective lawyers. There are many compliance practitioners out there who are not lawyers. In my discussions with Director Cooke there are so many areas where a HR professional can help inculcate compliance into a company’s DNA. Think about some or all of the following areas that are in the core function of HR.

Training – A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few and based on this traditional role of HR in training it is a natural extension of HR’s function to expand to the area of FCPA compliance and ethics.

Employee Evaluation and Succession Planning - One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a FCPA compliance and ethics policy. In addition to employee evaluation, HR can play a key role in assisting a company to identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence.

Hotlines and Investigations - One of the traditional roles of HR in the US is to maintain a hotline for reporting of harassment claims, whether based on EEOC violations or other types of harassment. It is a natural extension of HR’s traditional function to handle this role.

I believe that the compliance practitioner needs multi-disciplinary training. The legal training is a good basis, but if you went to a law school like mine, real-world discussions were considered what ‘other’ law schools did. Further, there are non-legal areas, such as review of financial data and financial controls, which are a part of any compliance practitioner’s remit and which also need to be considered. Most of these areas are a part of separate disciplines which need to be tied together for the compliance practitioner.

One resource for such training is the SCCE, which provides a compliance certification through its Compliance Certification Board (CCB) which has developed criteria to determine competence in the practice of compliance and ethics across various industries and specialty areas, and recognizes individuals meeting these criteria through its compliance certification programs. But even these programs only provide a starting point as best practices in a compliance regime continue to evolve, particularly through the use of advanced analytics.

Just as the Morrill Act provided an initial basis for professional studies in agricultural and mechanical disciplines, land-grant colleges continue to evolve. MSU, for instance, wants to be a university to the world. The same evolution is true for compliance practitioners. As our field matures, the need for the development of compliance practitioners will increase. Courses like the FCPA Professor leads for lawyers and the SCCE puts on for compliance practitioners will help drive the next generation of compliance professionals.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

June 13, 2013

Why Can’t We Be Friends? Compliance and HR

I have long been an advocate of the compliance function working with the Human Resources (HR) function in any company to help achieve greater compliance under anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. I think that HR is uniquely situated to ‘connect the dots’ in many areas of compliance. My thoughts on this subject were echoed in a recent article in the June issue of Compliance Week Magazine, in an article by Jaclyn Jaeger, entitled “How Compliance and HR Can Get It Together”. Jaeger quoted Alex Weisgerber for the following, “Boards are increasingly asking their executive teams to identify and address major people risks.” He further stated that “The HR-compliance partnership can help anticipate this request and set the organization’s human capital risk management agenda proactively.”

However, Jaeger wrote that in some companies this cooperation towards the goal of greater compliance has been found to be lacking. There may be several factors which lead to a more asymmetrical approach by these functions, particularly due to “gaps in communication and collaboration between compliance and HR.” She quoted Weisgerber that “The two groups simply haven’t found many opportunities to collaborate in supporting organizational performance.” While I disagree with this statement, Jaeger’s article does detail some of the steps the compliance practitioner can take to bring these two corporate functions into alignment.

Jaeger quotes Shanti Atkins, for the following, “The first challenge to overcome is the “deeply held stereotypes that legal, compliance, and HR typically have of each other.” It’s important to talk about those if we are to get past them.” But perhaps more important is the notion held in many legal departments and compliance functions that “the HR function is not a strategic player in the company—that its central function is to manage paperwork, schedule training sessions, and mediate mundane spats such as who hogs the best space in the parking lot.”

As mentioned above, I have long advocated that HR is uniquely situated to connect the dots and along this line of thought, Jaeger wrote that “Getting employees to function as a coherent, engaged unit has to do with people, not policies—and people issues are exactly where HR excels, of course. HR has its finger on the pulse of employee culture, Atkins says because it is the primary channel employees use to complain when there is a problem—and those problems are usually a warning sign of wider compliance-related issues.” What are some of the areas that HR can assist the compliance function with? I believe that there are five key areas. They include the following.

Training

A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few, and based on this traditional role of HR in training this commentator would submit that it is a natural extension of HR’s function to expand to the area of FCPA compliance and ethics. There is a training requirement set forth in the US Sentencing Guidelines. Companies are mandated to “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

Employee Evaluation and Succession Planning

What policy does a company take to punish those employees who may engage in unethical and non-compliant behavior in order to meet company revenue targets? Conversely, what rewards are handed out to those employees who integrate such ethical and compliant behavior into their individual work practices going forward? One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a FCPA compliance and ethics policy. In addition to employee evaluation, HR can play a key role in assisting a company to identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence. If a company has an employee who meets, or exceeds, all his sales targets, but does so in a manner which is opposite to the company’s stated FCPA compliance and ethics values, other employees will watch and see how that employee is treated. Is that employee rewarded with a large bonus? This requirement is codified in the Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

Hotlines and Investigations

One of the requirements for a company under the Sentencing Guidelines is that they “… have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.” This requirement is met by having a hotline. One of the traditional roles of HR in the US is to maintain a hotline for reporting of harassment claims, whether based on EEOC violations or other types of harassment. It is a natural extension of HR’s traditional function to handle this role.

Regarding investigations, HR can bring broad benefits to any FCPA compliance and ethics program through an efficient investigation process. It is recognized that a Legal or Compliance Department may wish to take over and complete an investigation process. However, HR can bring a consistency in both the process and any discipline which is imposed. Such consistency reinforces the senior management’s message of commitment by the company to FCPA compliance and ethics. Such a function by HR can lead to an understanding of emerging risks. Lastly, it may be that employees are more willing to speak up to HR and the building of trust can be utilized to assist in overall risk mitigation.

Background Screening

A key role for HR in any company is the background screening of not only employees at the time of hire, but also of employees who may be promoted to senior leadership positions. HR is usually on the front lines of such activities, although it may be in conjunction with the Legal Department or Compliance Department. This requirement is discussed in the Federal Sentencing Guidelines for Organizations (FSGO) as follows “The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”

When the Government Comes Calling

While it is true that a company’s Legal and/or Compliance Department will lead the response to a government investigation, HR can fulfill an important support role due to the fact that HR should maintain, as part of its routine function, a hard copy of many of the records which may need to be produced in such an investigation. This would include all pre-employment screening documents, including background investigations, all post-employment documents, including any additional screening documents, compliance training and testing thereon and annual compliance certifications. HR can be critical in identifying and tracking down former employees. HR will work with Legal and/or Compliance to establish protocols for the conduct of investigations and who should be involved.

Lastly, another role for HR can be in the establishment and management of (1) an Amnesty Program or (2) a Leniency Program for both current and former employees. Such programs were implemented by Siemens during its internal bribery and corruption investigation. The Amnesty Program allowed appropriate current or former employees, who fully cooperated and provided truthful information, to be relieved from the prospect of civil damage claims or termination. The Leniency Program allowed Siemens employees who had provided untrue information in the investigation to correct this information for certain specific discipline. Whichever of these programs, or any variations, that are implemented HR can perform a valuable support role to Legal and/or Compliance.

Doing More with Less

While many practitioners do not immediately consider HR as a key component of a FCPA compliance solution, it can be one of the linchpins in spreading a company’s commitment to compliance throughout the employee base. HR can also be used to ‘connect the dots’ in many divergent elements in a company’s FCPA compliance and ethics program. The roles listed for HR in this series are functions that HR currently performs for almost any company with international operations. By asking HR to expand their traditional function to include the FCPA compliance and ethics function, a US company can move towards a goal of a more complete compliance program, while not significantly increasing costs. Additionally, by asking HR to include these roles, it will drive home the message of compliance to all levels and functions within a company; from senior to middle management and to those on the shop floor. Just as safety is usually message Number 1, compliance can be message Number 1A. HR focuses on behaviors, and by asking this department to include a compliance and ethics message, such behavior will become a part of a company’s DNA.

If your company does not integrate HR into several ongoing roles for FCPA compliance, I believe that it is high time you did so. Jaeger’s article points out several steps you can take to bring these two functions into greater collaboration. From my perspective, HR can be a valuable partner for compliance and one that you should begin to take advantage of now.


© Thomas R. Fox, 2013

May 29, 2013

Kroll and Compliance Week Survey Anti-Bribery and Anti-Corruption

Not many people realize that the US has elected one president who served as a prisoner of war. That man was Andrew Jackson, who was captured by the British during the Revolutionary War. Now, can you name the American President who killed another man in a duel? If you guessed Andrew Jackson you are right and if you knew that today is the anniversary you receive extra credit and can proceed directly to Final Jeopardy.

I thought about the somewhat surprising history on Jackson when I read the recently released “2013 Anti-Bribery and Corruption Benchmarking Report-A joint effort between Kroll and Compliance Week” (the “Survey”). Much like Jackson himself, the Survey had some interesting and somewhat disturbing findings as well regarding companies and their third parties. The findings were troubling because I think that most compliance practitioners recognize that their highest compliance risks under the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act revolve around third parties. Some of the highlights of the survey are as follows.

I. Risks

While 43% of respondents said their bribery and corruption risks have increased in the last two years, another 39% said those compliance risks have remained mostly the same and, finally, 7.7% reported that they believe their compliance risks have actually fallen. Regarding future corruption risks, the respondents were split with half saying they expect compliance risks to rise in the next 12 months, and half do not. The single most common reason given for increasing compliance risks was expansion into new markets, followed by more vigorous enforcement of current anti-bribery laws. The Survey reported the “good news is that 57% of respondents say they conduct an enterprise-wide assessment of bribery and corruption risk annually. The bad news: the other 43% conduct such an assessment less than once a year, and 16.9% say they’ve never conducted a corruption risk assessment at all. A solid majority of companies also say they have some sort of documented approach to managing bribery and corruption risks; 37.7 say they have a “well-defined, documented process dedicated solely to global bribery risks,” and another 42.7% say they treat corruption risks as part of a larger documented process to address all compliance risks.”

II. Due diligence

The Survey indicated that most companies have a good understanding of the need to, and performance of due diligence on third parties or acquisition targets. It found that 87% perform at least some sort of due diligence on third parties, and the criteria that help a compliance department decide how much diligence to perform generally seem risk-based. The top criteria were, in order, the nature of the work a third party would provide; the amount of contact the third party has with foreign officials; and where the third party is domiciled. A variety of tools were used to perform due diligence. These tools included: certifications from the third party that it has no corruption problems; reviews by your company’s legal or finance team; and data collected by your local business-unit leaders. Reference checks, on-site interviews, and research from professional investigators were some of the less-used techniques.

III. Third parties

The Survey found that many companies are still struggling with ongoing anti-corruption monitoring and training for their third parties. Regarding training, 47% of the respondents said that they conduct no anti-corruption training with their third parties at all. The efforts companies do take to educate and monitor third parties are somewhat pro forma. More than 70% require certification from their third parties that they have completed anti-corruption training; 43% require in-person training and another 40% require online training. Large companies require training considerably more often than smaller ones, although when looking at all the common training methods, fully 100% of respondents say their company uses at least one method, if not more.

An astonishing 47% of all respondents said they conduct no anti-corruption training with their third parties at all. The numbers are even higher for companies based outside of North America (51%) and those with less than $1 billion in annual revenue (55%). Violet Ho, senior managing director for Kroll’s practice in greater China, was quoted as saying, “A lot of companies have very good intentions of doing a thorough job looking at their third parties. But ultimately when you are a very large organization with more than 10,000 vendors, it’s not financially viable. You do not really have the time or resources to look deep into each and every one of them.” Another factor that Ho noted was significant is that companies often do not even know how many third parties they use, which makes training all of them impossible. Moreover, corporations typically have much less bargaining power with third parties, especially when they are located in far-flung jurisdictions. The result: if a company is using only one vendor to source an item and asks that vendor to promise to follow some anti-corruption code of conduct, the vendor feels emboldened to refuse.

Lastly, Ho stated “Trying to reach all third parties with a generic, headquarters-issued policy is a waste of time and money. Such policies tempt employees and third parties to find loopholes, and they ignore important regional differences. On-the-ground workers are focused on revenue and profit, not compliance. Those goals aren’t mutually exclusive, but they do require coordination for a policy’s effective implementation—which adds all the more pressure on compliance officers to articulate why strong anti-corruption programs are good for business.” Clearly this Survey shows the challenges around third parties.

IV. Effectiveness

For all a company’s efforts at risk assessment, due diligence, and monitoring third parties, the ultimate question for a compliance officer is simply: does my system work? Questions about effectiveness, therefore, get to that core issue of whether all the compliance activities outlined above actually make the business less vulnerable to corruption risk. The Survey found that respondents’ confidence in their anti-corruption procedures depended on how close to home the tasks actually are. 73% rated their training of domestic employees as “effective” or “very effective.” That figure dropped to 63.8% for foreign employees, and only 30% for third parties.

Melvin Glapion, Kroll managing director in EMEA, said that this phenomenon was the “downward and outward” problem. He explained that this meant that companies tend to overestimate how seriously messages sent from corporate headquarters are received elsewhere. Cultural differences abound, and many employees don’t see how anti-bribery policies apply to them in their daily jobs. Worse, the person doing compliance checks is often less senior than the executives he or she is monitoring.

Companies with less than $1 billion in revenue were actually more confident in their procedures’ effectiveness than larger businesses, the survey showed. Glapion was quoted as saying “that may be because smaller organizations have less bureaucracy and fewer third parties, or they may feel that they are not necessarily in the firing line.”

The Survey appears to indicate that companies still have a long way to go in certain areas, particularly third parties. The Survey provides the compliance practitioner with a good benchmark to look at the overall company program.


© Thomas R. Fox, 2013
