FCPA Compliance and Ethics Blog

November 6, 2014

Supplier Risk Management – Interconnected Processes

I recently read a book review in the Times Literary Supplement (TLS) by Archie Brown, entitled “One into fifteen”, where he reviewed the book “The Last Empire” by author Serhii Plokhy. Plokhy’s book is about the dissolution and final days of the Soviet Union. One of the more interesting precepts from the book is the end of the Soviet Union as announced on Christmas Day, 1991, by then Communist Party Secretary Mikhail Gorbachev. Brown wrote, “All too often the dissolution of the Soviet Union is conflated with the end of Communism and with the end of the Cold War. But the book points out that the Politburo had ceased to be the ruling body of the USSR in March of 1990 and thus it was “entirely fallacious to speak of either Communism or the Cold War as having ended in December 1991. The transformation of the system was a precondition for the demise of the state, with the latter being an unintended consequence of the former. But these were distinctive, albeit interconnected processes.””

I considered ‘interconnected processes’ when I saw the Compliance Insider, Illustrative Case Study Series, entitled “Supplier Risk Management”, in which The Red Flag Group laid out in a visual format how a company can effectively identify and manage risks in its supply chain. The process is dubbed ‘Report, Review and Improve’ and consists of six steps.

Step 1 – Collect information on the suppliers. This step begins with a review and assessment of your own Vendor Master files to make an initial determination if a new or indeed other supplier is needed. If there is a business justification for bringing the supplier into a commercial relationship with your company, then you should gather performance data on the proposed vendor. The article suggests that a technological solution can help to provide risk-rated questionnaires to facilitate the process by building workflows and approvals directly into your questionnaires.

Step 2 – Validate the collected information. This is the investigative step. You should take the information provided to you by the proposed supplier and test it. You can check on references. You should also engage the supplier directly by interviewing the internal staff of the proposed supplier and review documents and records as appropriate. When necessary, you may also wish to consider the use of outside experts or internal consultants for recommendations or validations. This step should end with the creation of a risk score of the data you have gathered. Here a technological solution can assist by automating your analysis of completed questionnaires with a risk-based scoring of the answers to facilitate the validation process.

Step 3 – Rate the risk of the supplier. This is the analysis step where you should “compare the risks against your complete knowledge of the proposed supplier.” You should also compare your assessed risks against industry data and then risk-rank the proposed supplier or suppliers. A technological solution can also help to crunch large amounts of numbers or other data to give a first pass on your risk-ranking, which can be further refined if required.

Step 4 – Implement risk management controls. The article posits that this step should include the conducting of background due diligence and integrity analysis by screening against known watch lists, sanctions lists and those of politically-exposed-persons (PEPs). A technological solution can help this step by managing the request and delivery of due diligence reports, aid in the reviewing, approving and tracking of completed reports and ensure ongoing compliance with automated daily reviews of such lists. Another suggested component of this step is to meet with your internal and external stakeholders to convey expectations. From this point you should be ready to enter the contracting phase, with appropriate compliance terms and conditions. To the extent required, you should also create and manage your compliance policy for the supplier at this stage as well.

Step 5 – Assess and monitor the supplier. In any relationship with a third party in the compliance world, this step is where the rubber hits the road and you have to manage the relationship. The article discusses custom eLearning that can allow you to quickly and efficiently create training programs for your suppliers based upon your compliance regime and not hypothetical training based on legal standards. A technological solution can also assist you in obtaining online certifications to certify that your supplier is in compliance with your company’s business requirements and internal controls. Finally such a solution can help to automate the process going forward to ensure that certification updates are provided, executed and tracked. But more than the ongoing certifications and training, you will need to monitor the transactions you engage in with a supplier. This may entail reviewing a large amount of data through transaction monitoring but it may also entail going to visit a supplier and going through the deep dive of an audit.

Step 6 – Continuous reporting, review and monitoring. All of this information you obtained must be fully documented. Of course, it must be documented to produce to a regulator if the government comes calling. However, this information can also be used to improve the supplier relationship and perhaps even your vendor system. One of the most interesting suggestions was to create a ‘Virtual Data Room’ dedicated to your suppliers. Not only would the creation of such a stored environment enable you to call up information requested by a regulator on short notice, you would also have it in an accessible format for supply chain process improvements. The article suggests trying such techniques as implementing performance incentive programs which can push compliance culture and behavior changes based upon the data you collect. Interestingly, the clothing company Levi Strauss instituted just such a policy for suppliers in the area of corporate social responsibility, announcing it earlier this week.

If you do not subscribe to The Red Flag Group’s Compliance Insider publication, I suggest that you do so. It is one of the very best periodicals around on the building blocks of compliance. The six steps it has laid out for the process of identifying and managing your supplier compliance risks under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act demonstrate the thesis of Plokhy’s book reviewed in the TLS: that it is interconnected processes which usually mark change and management. In the case of the former Soviet Union, it may have been drawn by more human factors, but there are now a variety of technological tools available to assist your facilitation of this process under any anti-bribery or anti-corruption compliance regime.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 13, 2014

Thinking Through Risk Rankings of Third Parties

One question often posed to me is how to think through some of the relationships a company has with its various third parties in order to reasonably risk rank them. Initially I would break this down into sales and supply chain to begin any such analysis. Anecdotally, it is said that over 95% of all Foreign Corrupt Practices Act (FCPA) enforcement actions involve third parties so this is one area where companies need to put some thoughtful consideration. However, the key is that if you employ a “check-the-box” approach it may not only be inefficient but more importantly, ineffective. The reason for this is because each compliance program should be tailored to an organization’s specific needs, risks and challenges. The information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company, generally, to prevent violations, detect those that do occur, and remediate them promptly and appropriately.

Sales Side

I tend to view things in a straightforward manner when it comes to representatives on the sales side of your business. I believe that third party representatives you might have, whatever you might call them, i.e. sales reps, sales agents, commissioned sales agents, or anything else, are high risk and therefore they should receive your highest level of scrutiny. This is also true with any party that might be called, charitably or not, ‘a partner’ whether that is a joint venture (JV) partner, plain old partner, Teaming Partner or another monikered ‘partner’. However, under this approach you should also consider the perception of corruption in the geographic area that you will use the third party. I recognize that you can overlay a financial threshold but the reality is that if a sales representative generates such a small amount of money for your business you probably do not need them as a representative.

At least with distributors, I have seen merit in more sophisticated approaches such as that set out by David Simon, a partner at Foley & Lardner LLP, who advocates that a risk analysis should more appropriately be based on the nature of a company’s relationships with their distributors. The goal should be to determine which distributors are the most likely to qualify as agents, for whose acts the company would likely be held responsible. He argues that it is a continuum of risk; that is, on the low-risk end are distributors that are really nothing more than re-sellers with little actual affiliation with the supplier company. On the high-risk end are distributors who are very closely tied to the supplier company, who effectively represent the company in the market and end up looking more like a quasi-subsidiary than a customer.

Simon looks at agency principles to guide his analysis of whether a distributor qualifies as an agent for FCPA purposes. He argues that factors to consider include:

  • The volume of sales made to the distributor;
  • The percentage of total sales of the distributor’s total business the principal’s product represents;
  • Whether the distributor represents the principal in the market, including whether it can (and does) use the company trademarks and logos in its business; and
  • Whether the principal company is involved in the running of the distributor’s business (such as by training the distributor’s sales agents, imposing performance goals and objectives, or providing reimbursement for sales activity).

Once a company segregates out the high-risk distributors that likely qualify as agents and potentially subject the company to FCPA liability from those that are mere re-sellers and pose less FCPA risk, FCPA compliance procedures can be tailored appropriately. For those distributors that qualify as “agents” and also pose FCPA risk, full FCPA due diligence, certifications, training and contract language are imperative. For those that do not, more limited compliance measures that reflect the risk-adjusted potential liability are perfectly appropriate.

Supply Chain

This determination of the level of due diligence and categorization of a supplier should depend on a variety of factors, including, but not limited to, whether the supplier is (1) located, or will operate, in a high risk country; (2) associated with, or recommended or required by, a government official or his or her representative; (3) currently under investigation, the subject of criminal charges, or was recently convicted of criminal violations, including any form of corruption; (4) a multinational publicly traded corporation with a recognized exemplary system of compliance and internal controls, that has not been recently investigated or convicted of any corruption offense or that has taken appropriate corrective action to remedy such conduct; or (5) a provider of widely available services and products that are not industry specific, are offered to the public at large and do not fall under the definition of Minimal-Risk Supplier detailed below.

A High-Risk Supplier is an individual or an entity that is engaged to provide non-project specific goods or services to a company. It presents a higher level of compliance risk because of the presence of one or more of the following factors: (a) It is based or operates in a country (including the supply of goods or services to a company) that poses a high risk for corruption, money laundering, or commercial bribery; (b) It supplies goods or services to a company from a high-risk country; (c) It has a reputation in the business community for questionable business practices or ethics; or (d) It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions. Finally, it presents one or more of the following factors: (1) It is located in a country that has inadequate regulatory oversight of its activities; (2) it is in an unregulated business; (3) its ultimate or beneficial ownership is difficult to determine; (4) the company has an annual spend of more than $100,000 with the supplier; (5) it was established or registered in a jurisdiction where ownership is not transparent or that permits ownership in the form of bearer shares; (6) it is registered or conducts business in a jurisdiction that does not have anti-corruption, anti-money laundering and anti-terrorism laws comparable to those of the United States and the United Kingdom; or (7) it lacks a discernable and substantial business history.

A Low-Risk Supplier is an individual or a non-publicly held entity that conducts business such as a sole proprietorship, partnership or privately held corporation, located in a Low-Risk Country. Some indicia include that it (1) supplies goods, equipment or services directly to a company in a Low-Risk Country; (2) a company has an annual spend of less than $100,000 with the supplier; and (3) the supplier has no involvement with any foreign government, government entity, or Government Official. However, if the supplier has other indicia of lower risk such that it is a publicly-held company, it may be considered a Low-Risk Supplier because it is subject to the highest disclosure and auditing and reporting standards such as those under the US Securities Exchange Act of 1934, including those publicly traded on a reputable and highly regulated stock exchange, such as the New York or London exchanges, and are, therefore, subject to oversight by highly regarded regulatory agencies.

Below the high and low risk categories I would add the category of ‘Minimal-Risk Suppliers’ who generally provide to a company goods and services that are non-specific to a particular project and the value of the transaction is $25,000 or less. Some examples might be for the routine purchase of fungible items and services, including, among others: Office supplies, such as paper, furniture, computers, copiers, and printers; Industrial or factory supplies, including cleaning materials, solvents, safety clothing and off-the-shelf equipment and parts; Crating and other standard materials for packing products for shipping; Leasing and rental of company cars and other equipment; and Airline or other travel tickets or services. This category would also include those third parties that provide widely available services and products that are not industry specific and are offered to the public at large. Here you might think of periodicals, florists, daily limousine and taxi, airline and food delivery (including coffee shops, pizza parlors and take out) services.

Last, but certainly not least, is the category of Government Service Providers, which includes entities that generally come into a company through the supply chain, who interact with a foreign government on behalf of your company. Examples might be customs brokers, providers who obtain and process business permits, licenses, visas, work permits and necessary clearances or waivers from government agencies; perform lobbying services; obtain regulatory approvals; negotiate with government agencies regarding the payment of taxes, tax claims, and tax audits. These third parties present some of your highest risks so they need to have not only the highest level of scrutiny but post contract-signing management as well.

The risk ranking of third parties is one of the areas that seems to continue to cause confusion, if not outright bewilderment. The risk rankings articulated herein are not meant to be the ‘be-all and end-all’. As the FCPA Guidance reminds us, “An effective compliance program promotes “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”…A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” If you think through your risk rankings and can articulate a reasonable basis for doing so followed by documentation, I think your own risk ranking system will survive regulatory scrutiny.

© Thomas R. Fox, 2014

November 21, 2013

Edison, the Phonograph and Supply Chain Audits

Today we celebrate Thomas Edison. It is not his birthday but the 127th anniversary of Edison announcing his first recording invention, the phonograph. According to This Day in History “Edison stumbled on one of his great inventions–the phonograph– while working on a way to record telephone communication at his laboratory in Menlo Park, New Jersey. His work led him to experiment with a stylus on a tinfoil cylinder, which, to his surprise, played back the short song he had recorded, “MARY HAD A LITTLE LAMB”. Public demonstrations of the phonograph made the Yankee inventor world famous, and he was dubbed the “Wizard of Menlo Park.”” For any audiophile, the phonograph was one of the greatest inventions of all-time.

I thought about Edison and the evolution of his invention in the context of how the audit requirement has been viewed under the Foreign Corrupt Practices Act (FCPA). In my last corporate position, my company was at the cutting edge because we required compliance related audits for vendors in the supply chain. This was cutting edge in 2007-08. However, now an audit for adherence to FCPA compliance requirements has become a standard best practice in the management of business relationships with third party vendors which work with a company through the supply chain. In several settlements of enforcement actions through both Deferred Prosecution Agreements (DPA) and Non-Prosecution Agreements (NPA) and, in last year’s FCPA Guidance, the Department of Justice (DOJ) made it clear that a best practices FCPA compliance program includes the right to conduct audits of the books and records of the agents, business partners and suppliers or contractors to ensure compliance with the foregoing. Many companies have yet to begin their audit process for FCPA compliance on vendors in their supply chain. I thought this might be a good time to review some of the items you should consider in this area.

I. Right to Audit

Initially it should be noted that a company must obtain the right to audit for FCPA compliance in its contract with any third party vendor in the supply chain. Such an audit right should be a part of a company’s standard terms and conditions. A sample clause could include language such as the following:

The vendor shall permit, upon the request of and at sole discretion of the Company, audits by independent auditors acceptable to Company, and agree that such auditors shall have full and unrestricted access to, and to conduct reviews of, all records related to the work performed for, or services or equipment provided to, Company, and to report any violation of any of the United States Foreign Corrupt Practices Act, UK Bribery Act or any other applicable laws and regulations, with respect to:

a. the effectiveness of existing compliance programs and codes of conduct;

b. the origin and legitimacy of any funds paid to Company;

c. its books, records and accounts, or those of any of its subsidiaries, joint ventures or affiliates, related to work performed for, or services or equipment provided to, Company;

d. all disbursements made for or on behalf of Company; and

e. all funds received from Company in connection with work performed for, or services or equipment provided to, Company.

II. Structure of the Audit

In the December 2010 issue of the Industrial Engineer Magazine, authors Aldowaisan and Ashkanai discussed the audit program utilized by the Kuwait National Petroleum Company (KNPC) for its supply chain vendors. Although the focus of these audits is not to review FCPA compliance, the referenced audits are designed to detect and report incidents of non-compliance, which would also be the goal of a FCPA compliance audit. Utilizing ISO 19011 as the basis to set the parameters of an audit, the authors define an audit as a “systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled.” The authors list three factors, which they believe contribute to a successful audit: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited. In a webinar hosted by Securities Docket, entitled “Follow the Money: Using Technology to Find Fraud or Defend Financial Investigations”, noted fraud examiner expert Tracy Coenen described the process as one to (1) capture the data; (2) analyze the data; and (3) report on the data.

There is no one specific list of transactions or other items which should be audited, however some of the audit best practices would suggest the following:

  • Review of contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party vendor.
  • Review FCPA compliance training program; both the substance of the program and attendance records.
  • Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so, how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party vendor have written employee discipline procedures? If so, have any employees been disciplined for any compliance violations? If yes, review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer, to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

III. Conclusion

As noted, the above list is not exhaustive. For instance, there could be an audit focus on internal controls or segregation of duties (SODs). Any organization which audits a business partner in its supply chain should consult with legal, audit, financial and supply chain professionals to determine the full scope of the audit and a thorough and complete work plan should be created based upon all these professional inputs. At the conclusion of an audit, an audit report should be issued. This audit report should detail incidents of non-compliance with the FCPA compliance program and recommendations for improvements. Any reported incidents of non-compliance should reference the basis of any incidents of non-compliance such as contractual clauses, legal requirement or company policies.

© Thomas R. Fox, 2013

November 11, 2013

Honor Our Veterans and Compliance in the Supply Chain

Today is National Remembrance Day for Veterans who served their country and across the world. In the US we call it Veterans Day. In the UK, it is called Remembrance Day. Whatever it is called, it is designed so that we may never forget the sacrifices that the men and women made so that we can live in a free society. So today, I ask you to personally thank a veteran, buy them a cup of coffee or simply reflect on those who made the ultimate sacrifice to allow us all to go forward into the 21st Century.

My father is a veteran of both World War II and the Korean Conflict. I saw him this weekend and at 87 he is still kicking along, reading, studying and thinking about the relevant issues of the day. He gave to me a copy of the Fall 2013 issue of the University of Illinois, College of Law, Comparative Labor Law & Policy Journal which had an article, entitled “Toward Joint Liability in Global Supply Chains: Addressing the Root Causes of Labor Violations In International Subcontracting Networks”, by authors Mark Anner, Jennifer Bair and Jeremy Blasi. So to honor my father’s continuing interest in anti-corruption compliance, today I will write about this article and how it informs anti-corruption compliance in the Supply Chain.

The authors’ starting point is that of the Rana Plaza building collapse in Bangladesh, which killed at least 1129 workers, which has led to a “significant departure from the extant model of labor compliance that has developed over the past two decades”. The previous model of labor compliance had assumed that labor issues were a “factory-level problem and the only entity that needs to be regulated is the contractor factory.” This was enforced by companies adopting codes of conduct and then monitoring their suppliers for compliance. However, after the Rana Plaza tragedy, certain western corporations adopted the Bangladesh Accord, which anticipates joint responsibility for labor issues between both vendors and the purchasers of their goods and services. Further, the Bangladesh Accord is not merely like the prior general statements of intent but brings binding, contractually enforceable duties.

While the focus of the article was on labor issues such as pay, safety and retaliation for raising such concerns, the article did point to some interesting ideas which could be applied to this issue as it relates to anti-corruption compliance under laws such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Obviously both laws require a specified protocol for the hiring of third parties which represent companies. These concepts and techniques are now being used for third parties who develop relationships with companies through the supply chain. Companies such as freight forwarders, visa processors and customs brokers have foreign governmental touch points which clearly mandate a thorough due diligence process under the FCPA and Bribery Act. However, many companies may not recognize their potential exposure for companies which supply them but engage in bribery and corruption to fulfill their contracts.

Using the authors’ discussion of the regulatory scheme for compliance of labor and safety issues for suppliers under the Bangladesh Accord, I have adapted its points for anti-corruption compliance. The intention is to create stable, long term relationships and also to promote a stable core of suppliers who are FCPA or Bribery Act compliant in anti-corruption and anti-bribery. These points can incentivize suppliers to not only become more compliant in anti-corruption and anti-bribery programs but also reward them for doing business with other like-minded sub-suppliers and sub-contractors. They include:

  • Requiring suppliers to designate all sub-suppliers and sub-contractors that they will use.
  • Restrict the subset of sub-suppliers and sub-contractors to those who have been certified, through a recognized Non-governmental organization (NGO) or company, in anti-corruption.
  • Prohibit retaliation against supplier employees who report, in good faith, allegations of bribery and corruption.
  • Require a supplier to register the number of sub-suppliers and sub-contractors that it intends to use for a company.

For US, and other western companies, I think that there are some lessons which might be drawn from the authors’ piece in connection with their compliance programs around the Supply Chain.

Know Your Suppliers

When it comes to anti-corruption compliance in the Supply Chain, many companies either fail to embrace this concept or, worse yet, do not understand how this concept is interwoven into an overall compliance program. Indeed, one of the perceived banes of compliance is that a company is responsible for the actions of its suppliers. Nevertheless, if companies understand that suppliers are a critical component of an overall compliance program it becomes much easier to understand how such a model can and should be used as a guidepost for the Supply Chain and compliance.

The Compliance Oversight Committee

The Oversight Committee is a key component of any best practices compliance program. Not only should it be used for reviewing and managing traditional high risk areas such as third party business representatives in the sales chain; a company can create such committees for other high risk issues particular to a company. Witness the Johnson & Johnson (J&J) Deferred Prosecution Agreement (DPA) and its “Enhanced Compliance Obligations”. In it, J&J agreed to establish “a “Sensitive Issue Triage Committee” to review and respond to any such [Foreign Corrupt Practices Act] FCPA issues as may arise.” This is precisely the type of rigor which should be included in a best practices compliance program. Compliance Committees can serve to escalate compliance issues before they become violations of the FCPA or UK Bribery Act and are becoming a part of a best practices compliance program. If a company decides to disband such a committee it must clearly perform rigorous audits or put such safeguards in place to send a message to both vendors in the Supply Chain and employees that compliance is still held in the highest regard by the company.

Risk Assessments – Don’t Let Growth Overwhelm Your Compliance Program

The Department of Justice (DOJ) continually reminds us of the need for risk assessments. One of the areas often overlooked in risk assessments is growth. Growth and indeed explosive growth can be pursued or occur while not fully assessing or even appreciating the risks involved. This could mean that there were many new vendors in the Supply Chain that did not receive the rigorous due diligence and training in anti-corruption and anti-bribery compliance. A company can also hire huge numbers of new contract employees who do not receive the same anti-corruption training as previously hired employees. These can lead to organizational incentives that become skewed towards growth and not compliance.

If a company wants to move forward with an aggressive growth model, it should assess the compliance risks of doing so. Through a risk assessment, it might be determined that compliance might suffer through the increased use of new vendors. For the compliance practitioner, these risks might also be that new vendors in the Supply Chain need full and complete compliance training, that contract employees need the same compliance training as full-time employees; additionally new vendors need rigorous screening through a robust due diligence process to not only identify Red Flags regarding corruption but to help educate them that your company takes compliance very seriously.

So today I honor my father and all Veterans everywhere. And thanks to my father for continuing to be interested enough to read articles which help inform my knowledge of anti-corruption compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

March 13, 2013

Lessons from Bill Belichick for the Compliance Practitioner

I recently read “War Room: The Legacy of Bill Belichick and the Art of Building the Perfect Team” by Michael Holley which is about Bill Belichick, the rise of the New England Patriots and the sophisticated player evaluation system that Belichick and others installed in New England. The book also talked about Belichick disciples Scott Pioli and Thomas Dimitroff who took this player evaluation system to new General Manager positions at Kansas City and Atlanta respectively. Neither disciple has had the sustained success that Belichick has maintained for a full decade now. In fact Pioli was fired this year from his position after three straight losing seasons in Kansas City. Dimitroff has achieved a bit more success, with Atlanta winning its first playoff game under his regime this year.

One of the things that struck me about the Belichick player evaluation system and how it was used by all three men for their respective teams is that it is a building block system. It takes a system and builds that system, building block by building block until the overall system is completed. This is then fine-tuned and updated through continuous monitoring, assessment and review. For the compliance practitioner, I found this approach to have several valuable lessons.

The values of a risk assessment are well known. It is something that should be a part of every compliance program. I recently wrote in praise of the mock audit where an in-house team performs a preliminary assessment of a utility plant to get that facility ready for a more formal federal or state regulatory mandated audit. The concepts of monitoring and reviewing are also well known, if often confused. Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records.

However, using the Belichick model as a guide, I think that it also points to less formal, but equally useful reviews of the process and system of compliance. Of course you can take a look and self-assess your overall program, particularly if you benchmark it against the US Sentencing Guidelines, Seven Elements of an Effective Compliance Program or the FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. So I think you should take the opportunity to perform informal testing throughout the year. My colleague Mary Jones told me that she would occasionally pull third party representative invoices and review them to determine if they were billing as per their contract with Global Industries and whether the descriptions for services raised any red flags. This allowed her to catch any problems early in the cycle but also gave her the chance to informally determine if the training she was putting on was effective or if it needed to be modified in any manner.

Sitting on the flip side of continued updating is how this building block system can help a compliance practitioner when they are faced with what may appear to be an insurmountable compliance related task. I have often heard stories where an Associate General Counsel (AGC) is tasked with putting together a vendor compliance program or other task that simply seems so large it is difficult to even get one’s arms around it before the task is due to be completed. It may be a full policy and procedure update, writing a new set of internal controls or any other task that simply seems monumental.

The Belichick player evaluation system provides a guide which is to construct your overall system, building block by building block. You can think about constructing your compliance program in the same manner. The added benefit to this approach is that it comports with what I believe to be one of the key takeaways from the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, that being that a company should assess its risk and then manage those risks, starting with the highest risks and moving on from there. Another way to put it might be to construct your compliance program, building block by building block, beginning with the high risk and use that as the foundation to construct your overall program.

Getting back to the AGC tasked with the Supply Chain task, one approach might be to risk rank the vendors based on the following approach:

  1. Government Services Providers – Any vendor who represents your company before a foreign government, such as a freight forwarder, logistics company, import/export services provider or customs broker.
  2. High Risk Supplier – Any supplier who meets one of the following criteria: (A) Is based in or supplies goods/services from a high risk country; (B) Is more of a business partner, similar to a joint venture partner; (C) It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions.
  3. Low Risk Supplier – Any supplier who meets the following criteria: (A) Is based in a low risk country where the goods or services are delivered, it has no involvement with any foreign government, government entity or Government Official; or (B) Is subject to the US Foreign Corrupt Practices Act (FCPA) and/or Sarbanes-Oxley (SOX) compliance.
  4. Nominal Risk Supplier – Is a supplier who meets the following criteria: (A) Supplies goods or services which are non-specific; (B) For any particular job or assignment; and (C) The value of each transaction is less than $10,000.
  5. Supplier of General Goods and Services – Is a supplier who: (A) Supplies goods or services which are widely available to the public; and (B) Does not fall under the definition of Minimal Risk Supplier.

Based upon this risk ranking, you can set your compliance process, building block by building block. You start with the highest risk ranking and move down from there. Indeed this is what I believe the FCPA Guidance suggests when it says the following, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program. Thus, the discussion below is meant to provide insight into the aspects of compliance programs that DOJ and SEC assess, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations”. That means you can use a system like the one I laid out above or come up with your own system but make it one that works for your company and your risk profile.

If you focus on the risks to your company, I think that you can use the model of Bill Belichick and the New England Patriots as a guide. Build from the ground up by assessing your risk and then managing that risk. When you have completed the part of your compliance program which deals with the highest risk that you have assessed move on to the next risk or level of risk and begin the process of constructing a compliance system to assess that level of risk. But do not forget the second part of the Belichick formula. You do not have to wait until an annual assessment to revamp your system. You can take more informal input from a variety of sources to tweak your program and move it forward. Constant evaluation and improvement are the hallmarks of any successful system and you should incorporate these concepts into your compliance program.

© Thomas R. Fox, 2013

January 28, 2013

Boeing and the Conduct of Due Diligence on Sub-Suppliers

The Foreign Corrupt Practices Act (FCPA) has language which makes illegal a direct or indirect act which might be used to obtain or retain business from prohibited parties. This has caused companies to begin to look at their suppliers as one area which might give them FCPA exposure. I have been considering the role of suppliers in a compliance program as I followed the issue of the smoldering batteries in the Boeing 787 Dreamliner.

As reported in a New York Times (NYT) article by James B. Stewart, entitled Japan’s Role in Making Batteries for Boeing, the construction of the batteries at issue was outsourced by Boeing to a Japanese company called GS Yuasa. Stewart’s article points out the need for close review of suppliers and what can happen if the quality does not meet the standards required for the project. However, I considered the article from the FCPA perspective. Stewart initially noted that “No one has claimed that GS Yuasa was chosen for the 787 for anything but merit.” But then he goes on to say that “Boeing has long been dogged by suspicion that in return for awarding major contracts to Japanese companies, which also receive subsidies from the Japanese government, the country’s airlines buy Boeing aircraft almost exclusively.”

The question all of this raised for me is just how much due diligence should a company engage in for its suppliers? The first thing to note is that GS Yuasa is not a direct contractor to Boeing. The Japanese company is a subcontractor to a French company named Thales, which was contracted by Boeing to supply the electrical system. However, Stewart noted that Boeing approved the Thales/GS Yuasa contract and relationship. Does this mean that Boeing performed any kind of due diligence on GS Yuasa? The article does not specify any of these facts. However, Stewart asks the question of whether the outsourcing of this work was for the benefit of sales of planes to Japan. He quotes Richard L. Aboulafia who said, “And then there’s Japan. All the normal ways of doing business are upended.” When asked if there might be a ‘quid pro quo’ Aboulafia said, “Yes, absolutely. But no one will talk about it, and no one can prove it.” He went on to say that in Japan “there is a unique relationship between the airlines, the suppliers and the government. The government supported the airlines, the government and the industries and they developed together. The government has enormous influence. They all work together.”

Are these questions which should be explored in due diligence? I think this situation brings up the issue of how far down in the supply chain that a company needs to go in performing due diligence. Many contracts with suppliers require that if there is a sub-supplier that sub needs to go through due diligence. However, in the case of GS Yuasa, Boeing had the right to select the supplier and if you have that right you probably need to perform due diligence on the supplier.

The key question that Stewart raises in his article is whether Boeing is using the hiring of GS Yuasa as leverage to gain sales to the Japanese government. GS Yuasa admitted that the battery component of its company is a money loser, even with the Boeing contract. This obviously raises the question of why the company is in such a business. The company also admitted that it had received subsidies to the tune of $3.5 billion from the Japanese Ministry of Economy, Trade and Industry to “begin mass production of lithium-ion batteries…”.

However, does Boeing have strong supplier relationships with other Japanese companies? In addition to the sales to Japan Air, Boeing works closely with Japan’s Defense Ministry and Boeing was quoted in the article as saying that it had “a long history of working together to meet Japan’s defense needs.” In addition to the hiring of GS Yuasa, Boeing said that its Japanese partners had “designed and developed 35 percent of the 787 airframe structure, including the main box wing, which is the first time Boeing has ever entrusted such a critical design component to another company.”

Stewart penultimately notes that “any questions about GS Yuasa may be premature.” In addition to the investigation of GS Yuasa, both the French company Thales and Securaplane, an American subsidiary of the UK engineering company Meggitt which makes the battery chargers, are also being looked at in connection with the fires aboard the Boeing planes. Stewart does believe that “whatever the outcome, experts said that with so many lives at stake, the design and manufacturing of new aircraft should be based solely on legitimate issues of cost and quality, and the selection process for suppliers should be transparent and untainted by other commercial or political concerns.”

To end his article, Stewart quotes Aboulafia who states that “The greatest enemy of good aircraft is people who interfere with the freedom to shop for the highest quality.” I think that the same could be said in conjunction with the FCPA and the Supply Chain. If a company allows inferior quality into its supply chain through the bribery or corruption that the FCPA is designed to stop, it could well allow an inferior product to be constructed. While such actions may not have the catastrophic and very public impact that the apparent battery failures on the 787 have sustained, the damage can be severe.

© Thomas R. Fox, 2013

August 8, 2012

Compliance in the Supply Chain – The Lesson of Gibson Guitar and the Lacey Act

Just when you think things cannot get any worse for the forlorn AAA Houston Astros, aka Lastros, last night they sank to a new low, while riding their current 3-35 streak (109 loss season projected – ouch!). After managing to take the National League East leading team the Washington Nationals into extra innings the Lastros executed what can only be called the best Little League – Bad News Bears play of the season. With a National runner on first the batter bunted down the first base side of the diamond, the Astros Pitcher and First Baseman smashed into each other as the First Baseman picked up the ball and pivoted, while falling, and whizzed his throw into Right Field. Not to be outdone, the Astros Right Fielder retrieved said throw and then sailed the ball over the head of the Astros Catcher while the Nationals runner scored all the way from First Base. For those of you scoring at home it was single, E-3, E-9, or as Houston Chronicle beat writer Zach Levine said, “arguably the lowlight of the lowest season in Astros history.” To see a video of the play, click here.

I thought about the Astros’ futility when reading about the Criminal Enforcement Agreement (CEA) entered into by Gibson Guitar Corp (Gibson) for violations of the Lacey Act, which is a 111-year-old law, originally enacted to protect wildlife and expanded in 2008 to cover wood products. I say futility because as recently as a couple of weeks ago, the Chairman and Chief Executive Officer (CEO) of Gibson, Henry Juszkiewicz, wrote in a piece appearing in the July 20, 2012 edition of the Wall Street Journal (WSJ), entitled “Gibson’s Fight Against Criminalizing Capitalism”, that on August 24, 2011, “Without warning, 30 federal agents with guns and bulletproof vests stormed our guitar factories in Tennessee. They shut down production, sent workers home, seized boxes of raw materials and nearly 100 guitars, and ultimately cost our company $2 million to $3 million worth of products and lost productivity.” Two weeks later, his company admitted to violations of the same federal law that he protested did not apply to his company. In addition to the cost of non-compliance laid out by Juszkiewicz in the article, Gibson agreed to a CEA, a penalty in the amount of $300,000 and a community service payment of $50,000. It also agreed to withdraw claims for wood seized by federal agents in the course of the criminal investigation, specifically “including Madagascar ebony from shipments with a total invoice value of $261,844.”

So what’s the compliance lesson here? First and foremost, understand the laws that apply to you and put a system in place to comply with those laws. It does no good to claim that if you are investigated it’s “an attack on capitalism”. On the other hand, if your company does feel that it has been prosecuted by the “overreach of government authority” and you are indeed being picked on by the US Department of Justice (DOJ) and the Fish and Wildlife Service, you can always go to court to assert your innocence. Of course, to successfully assert innocence it really helps to be innocent.

But more than the ‘water is wet’ lesson that Gibson has reminded us all still exists, the CEA entered into by Gibson had a guide to the creation of a Lacey Act Compliance Program (Appendix B to the CEA). While this Lacey Act Compliance Program was designed to “support legal wood sourcing” and to “expand upon the sustainability goals of Gibson’s existing Responsible Wood Purchasing Program”, it provides some excellent guidance to the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance practitioner for questions to ask of third parties doing work with or for your company. Prior to purchasing wood products, Gibson employees are required to exercise “due care” in evaluating its supply chain. Gibson agreed to take the following steps:

  1. Communicate with suppliers about Gibson’s policies to see if any suppliers cannot implement the compliance program.
  2. Ask questions about the supplier and its source of wood.
  3. Conduct independent research to identify high risk sources.
  4. Request documentation prior to purchase that the wood in question was legally harvested.
  5. Make a reasoned determination based upon a review of all information.
  6. Maintain records documenting these steps.
  7. If there is uncertainty in any of the above steps, do not engage in the transaction.

The Lacey Act Compliance Program also had several other steps which should be incorporated into any FCPA or Bribery Act compliance program and they are:

  • If Gibson finds out that an importer/exporter with which it is doing business violates the law, it will cease doing business with them and where appropriate, notify the relevant enforcement agency.
  • Gibson will encourage its suppliers to work with third parties to certify that they are in compliance with the relevant laws.
  • Gibson will work with other organizations dedicated to sustainable sourcing to supplement these practices.
  • Gibson will, on no less than an annual basis, perform due diligence on its suppliers to determine if they are on any government watch lists for illegal acts.
  • Gibson will on an annual basis, audit its Supply Chain practices, policies and procedures. If there are any material weaknesses identified, there will be appropriate corrective action.
  • Gibson will train its employees on this compliance program.
  • Gibson will retain its Compliance Program records for a minimum of five years.
  • Gibson will discipline employees who violate its Compliance Program and maintain records relating to such discipline.

The CEA also included an Attachment A, which was a sample checklist of questions that its employees should ask suppliers. I found this list to be a very good list of basic questions that can be used when questioning representatives from a vendor in your company’s Supply Chain.

So will the futility of Gibson’s claim that the Lacey Act does not apply to them continue? Probably not as they have also agreed in the CEA to commit no criminal violations going forward. I should note that the Chairman/CEO of Gibson was quoted in a WSJ article that “he felt the company was targeted inappropriately. He added that the company settled the dispute to avoid the cost of litigation…” So perhaps Gibson will continue to assert that it was the evil government that caused his company to act illegally. But such conduct might be as futile as the Astros 2012 season…

© Thomas R. Fox, 2012

 

May 10, 2012

Jesse Owens and Hanson Wade’s FCPA in the Supply Chain Conference

What is the greatest one hour in the history of track and field? I would put forward the 45 minutes on May 25, 1935, when Jesse Owens, at the Big 10 Track and Field Championship run in Ann Arbor, Michigan, broke the world records in three events: the 220-yard dash, the 200-hurdles and the long jump. He also tied the world record in the 100-yard dash. Not a bad afternoon’s work.

Next month, Hanson Wade is putting on a conference in Houston which may be worthy of such a record. It is the “Oil and Gas Supply Chain Compliance” conference and the list of speakers is simply stunning. It includes the following Chief Compliance Officers (CCO): Dan Chapman, Parker Drilling; Brian Moffet, ENSCO; Jay Martin, BakerHughes; Julie Symon, KBR; Jan Farley, Dresser-Rand; John Sardar, Noble Drilling; and a host of other luminaries in the field of Foreign Corrupt Practices Act (FCPA) compliance, including, in his only Texas appearance, the FCPA Professor, Mike Koehler. Even if you live outside of Houston, the FCPA compliance talent at this event will rival any other event in the US and for such an event not held in Washington DC or New York City, it is simply outstanding.

Some of the panels and topics for discussion include: Performing Adequate Risk Weighted FCPA Due Diligence for Acquisitions and Joint Ventures; Special Due Diligence and Contracting Considerations in Managing FCPA Risk Associated with Major International Freight Forwarders; Fresh Insights Into Mitigating FCPA Compliance Risks Through Effective Auditing; Embedding a Compliance Culture into Your Organization: Proven Intelligence on the Impact of Good Training; and the ENI experience on How to Address Specific Concerns in Procurement. These are but some of the sessions and there are many other excellent panels, sessions and speakers which I have not mentioned.

Recently one of the star speakers, Dan Chapman, Chief Compliance Officer for Parker Drilling, visited with Sara Patella about some of the issues facing US companies when dealing with third parties. Recognizing that it may be difficult for companies to know precisely what their third party partners may be doing at a specific time, Chapman stated that “The goal of a good due diligence program isn’t necessarily to identify improper activities from a retroactive standpoint. Instead, an effective due diligence program assesses the character and propensities for improper conduct of your agents and other representatives that may act on your company’s behalf before they are engaged and then again at periodic intervals.”

Chapman also spoke about the differences in risks between developing and developed countries. He noted that in a developing country, “the bureaucracy may be so stagnant and inefficient that in order to perform services for their clients, certain vendors may feel pressure to engage in improper conduct.” This is usually coupled with a lack of internal enforcement in the developing country for those government officials who accept bribes or are otherwise engaged in corruption. Conversely in a developed country, there are usually more resources to fight corruption and perhaps greater political will as well. Wherever you might be doing business Chapman advises that the current FCPA enforcement regime should “encourage companies to avoid getting into trouble in the first place.” For the full text of the Chapman interview, click here.

I hope that you can attend this most excellent FCPA conference next month. Very few FCPA conferences focus on the supply chain and the information that you will receive at this one should be first rate. Will your day be as good as the one hour Jesse Owens had in Ann Arbor those many years ago? Why don’t you attend the event and see for yourself. It should be well worth the price of admission.

============================================================================================

For complete information on the Hanson Wade Conference, “Oil and Gas Supply Chain Conference”, click here. For readers of this blog, a discount is offered by Hanson Wade. You can receive the discount by entering the online discount code: FOXLAW. You can also use this discount code if you register directly with Hanson Wade.

============================================================================================

© Thomas R. Fox, 2012

February 27, 2012

How Lin-sanity Informs Your Compliance Program: Lesson II

Lin-sanity still reigns. How can you make this determination? I will give you two signs to consider. First Spring Training is in full force and here I am not only thinking about the NBA but also writing about the NBA. Second, I ordered the NBA League Pass package so that I can watch Jeremy Lin play each night the Knicks are on television. (Sam Rubenfeld is smiling somewhere.) But Lin-sanity still continues to inform the compliance practitioner and compliance programs.

How does Lin-sanity continue to inform your compliance program? That question came to mind as I was reading the Saturday edition of the New York Times (NYT), in an article entitled “The Evolution of a Point Guard”, by reporter Howard Beck. In his article Beck destroyed the myth that Jeremy Lin emerged literally “overnight” as a star in the NBA. Beck wrote that this part of the Lin Legend is “altogether flawed, or at least woefully incomplete.” In my last piece on Lin-sanity and compliance I wrote about the analyst who saw the seeds of Lin’s play in his years at Harvard. Beck goes further to point out that the Lin who graduated from Harvard and got cut from both the Warriors and the Rockets is very different from the Lin who is now starting for the Knicks. How is Jeremy Lin different? Through hard work in his profession, the craft of basketball.

What work did Lin do that led to Lin-sanity? Beck went into extensive detail to report on the shooting drills he put in with an old coach to improve his jump shot; the personal fitness coach he worked out with to increase muscle size and speed; the tape of elite NBA guards he studied to learn how to set up and execute a pick and roll; the Developmental League time he put in to learn how to better read defensive double teams; and finally the lonely gym work to develop a 3-point shot. All of this hard work led to, as Beck quoted, a former coach of Lin’s saying that “He’s in a miracle moment, where everything has come together.”

Our last lesson learned from Lin-sanity was to look and think outside the box for compliance resources within your company. Lin-sanity Lesson Learned II is that the initial implementation or enhancement of a compliance program is only the beginning. It is after that time that the hard work really begins. Jeremy Lin obviously, at least to one analyst, had some amount of talent coming out of college, but Lin-sanity did not begin until he put in all the hard work that Beck detailed in his article. Likewise, you as a Chief Compliance Officer (CCO), or other person tasked within your company to implement or enhance a compliance program, must work equally hard to make the program truly best practices.

What are some of the things that you should do after implementation or enhancement? You should begin by reviewing your risk assessment to determine the nature and quality of the compliance risks that were defined. Use that list as a starting point to put in the hard work of remedying or better yet managing those risks. Some of the areas that you may need to remediate, while you are going through the initial implementation or enhancement phase of the compliance program, may be one or more of the following.

Foreign Business Representatives

A common high risk is found in the use of agents, resellers, or other non-employee sales representatives in your company’s sales chain. You need to design a database where you collect information on all such foreign business representatives, such as contract term, underlying due diligence performed, commissions or other payments made to them over the past five years, nature of product sold or service provided and geographic territory. From this database you should risk rank these foreign business representatives and begin the process of remedial due diligence. If your sales model uses distributors, you may need to review and assess your contractual rights and requirements for sales to certain end users for your products.

Supply Chain

There may be many persons or entities that represent your company that are located in the Supply Chain, rather than the sales chain. This could include freight forwarders, visa processors, customs clearance companies, law firms, licensing representatives or any other service provider who might interact with a foreign governmental official on behalf of your company. In addition to the information that you should collect in a database, similar to the one described for Foreign Business Representatives above, you should also go back and audit invoices from such government service providers, to determine if there are any issues existing from before the go-live date of your compliance implementation or enhancement.

Internal Controls

Your compliance program should consist of policies and procedures. However, it should also have the appropriate internal controls in place to effectively implement these policies and procedures across the organization. This means that policies from every department of the company may be impacted. Groups as disparate as Human Resources, Finance, Accounting, IT, Treasury and others will all have corporate policies that need to be reviewed and assessed through a Gap Analysis of your internal controls. Any discovered deficiencies will need to be remedied, so writing policies may well be a large part of your compliance effort going forward.

Human Resources

HR is key in any compliance program implementation, enhancement or ongoing evolution. One of the reasons that HR is so critical is that it is the group within your company which will be charged with identifying, evaluating and developing persons with strong ethical values who could become the leaders of your company tomorrow. As a compliance officer you will need to spend significant time with HR representatives to detect, train and promote such persons within your company to leadership and senior management positions in the years ahead.

There will certainly be other areas of your company which will need attention during your initial compliance program implementation or enhancement. It most certainly will seem like an overwhelming task. But here is where the Jeremy Lin example really kicks in. You do not have to create and perfect everything at once. Each step in the compliance journey builds on the prior step. The point is to keep moving. Your best practices compliance program will not emerge overnight, but as with Jeremy Lin, if you keep doing the things you need to do to make your compliance program more robust, you may well bring everything together to create a world class compliance program for your organization.


© Thomas R. Fox, 2012

January 25, 2012

Improving Compliance Performance in Your Supply Chain

One of the areas moving towards being incorporated into a best practices compliance program is that of the supply chain. While many companies have focused significant compliance program effort towards the sales chain, the supply chain is now viewed as an area which requires compliance scrutiny. One of the questions I routinely hear is how to endow vendors in your supply chain with the same urgency of compliance initiative that is present in your company. I recently read an article, in the winter 2012 issue of the MIT Sloan Management Review, which provided some guidance on this issue. It also has wider implications for improving compliance not only in the supply chain but also in the sales chain arena of your company. The article is authored by Erica Plambeck, Hau Lee and Pamela Yatsko and is entitled “Improving Environmental Performance in your Chinese Supply Chain.”

The authors break their analysis down into two general areas. The first is “Getting to Know Your Supply Chain” and the second is “Act on Knowledge from Improved Chinese Transparency”.

Getting to Know Your Supply Chain

In this section, the authors suggest five activities which can help your company to foster identification and visibility of compliance into your supply chain.

  1. Provide incentives for identifying, disclosing and addressing problems. The authors note that many companies will audit suppliers, which they term “the checklist approach” but that such an approach does little to change behavior. The authors believe that incentivizing suppliers to do business in a more compliant manner will yield more significant compliance performance.
  2. Collaborate with NGOs to facilitate compliance education and monitoring. You should encourage suppliers to work with non-governmental organizations (NGOs) in the anti-corruption area so that your suppliers will take greater responsibility towards compliance. This can be done by working with TRACE International, Transparency International or an NGO which works towards a global business ethic of anti-corruption and anti-bribery.
  3. Make use of changing governmental attitudes towards corruption. Just as the Chinese government has changed its tune on environmental issues, it has recently done so regarding anti-corruption. This change can be used as a signal to Chinese companies of the need for increased awareness and importance.
  4. Work with multi-brand forums to standardize compliance audits. This is an interesting concept which would allow a supplier to receive a compliance audit which could then be used as a reference point in the compliance due diligence portion of your supplier approval process.
  5. Encourage anti-corruption transparency as an efficiency tool. While many believe that transparency means additional costs and slows down a sales or production cycle, many have found the opposite to be true. Companies which operate with greater compliance transparency not only do so more efficiently but also in a more cost effective manner.

Act on Knowledge from Your Supply Chain

With visibility into the five areas identified above, your company is now poised to improve performance. Once again, the authors are focusing on improving environmental performance, but I believe that their seven listed action steps work in the compliance arena as well; they are as follows:

  1. Encourage training of compliance professionals. US companies can work towards training Chinese compliance professionals at their home companies. I realize that many out there will proclaim that such training cannot be done but several US companies provide such training to their third party business partners.
  2. Put skin in the game. Prospects for the greatest compliance improvements and conducting business in an ethical manner come from locations where both the US company and Chinese supplier have a stake in the outcome. Training is key, as noted above, but you should also insert a compliance component into the financials of the relationship. Also work with the Chinese company to improve its compliance function through audits and assessments.
  3. Learn from your suppliers and facilitate learning among your suppliers. US companies need to confront directly the differences between the two cultures. Additionally, a successful compliance program does not simply ram a US law, here the Foreign Corrupt Practices Act (FCPA), down the throats of local suppliers. Learn the nuances of local culture regarding gifts and entertainment from your suppliers and incorporate that knowledge into your training.
  4. Collaborate with other US companies to drive change across suppliers. Work with industry groups to mandate that any supplier conducts business in an ethical manner.
  5. Build collaborative training centers. This will not require your company to violate the Sherman Anti-Trust Act. Be a leader in your company and set up collaborative learning or training centers for compliance. Just as compliance is the most open business function within the US business community in terms of sharing best practices, use this compliance community to lead to ethical business in local suppliers.
  6. Use your suppliers to train Tier 2 suppliers. This is a key component of the authors’ thesis. You should be able to use your direct suppliers to train their suppliers. By creating such multi-stakeholder approaches, the DNA of compliance will be driven further down the supply chain.
  7. Tailor programs to local realities. Similar to step 3 above, you must tailor your message to your local audience. This includes your message roll out. Your compliance program roll out must take into account both human resources constraints and other local conditions while providing incentives to suppliers to take ownership of compliance.

This program may not be easy. However, the authors have provided a framework from which you can design an overall approach to inculcating compliance in your supply chain. I believe it portends a growing trend towards partnering with your business relationships to ensure compliance with not only international anti-corruption and anti-bribery regimes, such as the FCPA and UK Bribery Act, but also local anti-corruption laws. The article is well worth a look.


© Thomas R. Fox, 2012
