An Inspired Choice – Ethical Leadership Under Difficult Circumstances

I am attending Compliance Week 2013 through Wednesday. As usual Matt Kelly and the Compliance Week team have put together a first rate program for the event. There have been, and will be over the next couple of days, some very informative panels, speakers, roundtables and conversations. The conference began today with a talk by Retired Major General Lewis MacKenzie, the former head of the United Nations peacekeeping forces. Although General MacKenzie’s choice as the initial keynote speaker of the conference might not seem self-obvious, I found Matt Kelly’s invitation to the General to speak and his position as the first speaker on the first day of the conference, were both inspired decisions.

The theme of his talk was how to maintain ethical leadership under difficult circumstances. Matt Kelly posed the question to the General of “how do you speak the truth to power?” The General began his remarks by giving his definition of leadership, which as he said was “getting people to do what they don’t want to do and having them enjoy it while they are doing it.” Based on that definition and his remarks below, I came to see why Matt wanted the General to speak to a gathering of compliance professionals on ethical leadership under difficult circumstances.

The General said that it all starts with a leader being him or herself, after they take the reins of leadership. He believes that people usually rise to a high level in an organization because of technical competence, coupled with the relationships they developed along the way. He believes that a leader must strive to maintain those relationships because that is the key to information flow both upwards to the top and down through the organization. A leader must take all pains not to become isolated.

The General believes that relationships work in several critical areas. The first is that a leader can utilize the talents of his subordinates to not only understand but to overcome obstacles. But equally important is that by having a relationship with someone, it may provide an avenue to resolve a matter before it blows up into a full financial reporting issue or even criminal issue. He said that he would try to find out the one thing that his troops were passionate about and he could use that information “as a window into what they think about the organization.”

He designated his next point with the acronym, LWWA, or ‘leading while walking around’. He said that to get people to do things, a leader must get out of the office and talk to people. But he cautioned that it is more than simply talking to people, as he believes a critical skill of a leader is to listen as well. To this skill, he said that rather than hear someone and think about what your response might be, you should actually listen to what they have to say. He found that by listening good ideas could come up to him and then he could implement them and get the credit.

The General talked about courage. By this he did not mean the courage to lead a charge up a hill, but rather, he meant the courage to say no and to hear someone who says no to you. He believes it is the job of a leader to set the tone for an organization. A leader must teach his subordinates to have the courage to disagree with him or as he said “disagree without being disagreeable”. If one of the first things you do in a leadership position is belittle or defame publicly someone who disagrees with you, no one will do so in the future.  For a leader to succeed, the General believes that a speak up culture must exist. To do so, a leader must make it acceptable and safe for subordinates to say no.

It is the job of a leader to accept responsibility. In an interesting exercise, the General asked the entire audience of over 500 conference participants to raise their hand if they had ever been criticized for being ‘too responsible’. He then asked anyone in the audience to raise their hand if they had criticized someone else for being ‘too responsible’. No one person raised their hand in response to either query. It is clear that the General believes a leader must take responsibility. Further, there is no ‘but’ which follows the line “I am responsible”. In other words, no ifs, ands, or buts are allowed when it comes to a leader taking responsibility.

The General said that one of the best ways he found to motivate people was to give them a job which had difficult but not impossible objectives to success. This has two benefits. The first was that most people would be motivated to try and achieve the difficult objective. However the second was more long term. By achieving the results, the person or team had something to brag about and it gave them greater confidence going forward. This is particularly true if there is a metric which can be used to demonstrate the overcoming of the obstacle. However, a leader must not set a high or unreasonable objective that it can only be achieved by “breaking the back of the organization.”

The General took some questions from the audience. One that I found applicable to the compliance arena was about resources. Specifically he was asked how to carry out missions with limited resources. He tied his answer back into his thoughts on relationship. He said that people want to contribute their ideas. If you give them a means to do so, in a speak up culture, they can be your best resource. An army has often times to do more with less and must do so on the fly. But this same concept translates to civilian employees who want their company to succeed and can stand ready with ideas to assist you moving forward toward your objective.

If you are a Chief Compliance Officer (CCO) or in a senior leadership position, you should think about the General’s remarks in the context of what you and how you do it, within your organization. Do you have relationships with other key members of senior management so that you can go to them, not only when things are going well, but more importantly when they are not going well or a crisis has arisen? Do you have a speak up culture at your company? If not why not, as that certainly is a part of any best practices compliance program under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

Lastly, think about the General’s remarks on resources. One never has all the resources you need or even think that you want. But use the talent that is available to you. There are other professionals in your company who do not work in the compliance department but are equally dedicated to doing business ethically and in compliance. Human Resources and Internal Audit are but two prime examples. Seek them out and ask their assistance. I think you may be well surprised at the solutions they can provide or suggest to you.

As I said, by the end of General MacKenzie’s talk, I had come to believe that Matt Kelly made an inspired decision not only to invite him to speak to the conference but to be the first speaker out of the box. It has set a great tone for the event.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The Drugstore Cowboy and Compliance

One does not have to look very far in the business world to come across the phrase “Know Your Customer.” A company certainly needs to know if an entity that it may sell products or provide services to will pay for those items. Running a Dun & Bradstreet credit check is routinely performed to ascertain if a counter-party is a good credit risk. But how much more should a company do in regards to its customers? Clearly banks, other financial institutions and even casinos need to assess a customer from the perspective of anti-money laundering (AML). Is there a reason grounded in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act that would suggest that customers should go through background scrutiny from the anti-bribery/anti-corruption compliance perspective?

I thought about internal controls regarding due diligence requirements on customers, effective compliance programs and third party validation of credentials when reading an article in June issue of Wired Magazine, entitled “Drugstore Cowboy”, by Jake Pearson. I found this article to be a very cautionary tale for those companies which need to consider just whom they are doing business with or for. The story involved an undercover sting operation by the US government against Google. The operation involved a convicted felon, one David Whitaker, who convinced law enforcement authorities that Google had assisted him, in violation of its own internal protocols and US laws, to sell illegal “black market steroids and human growth hormones” online. Whitaker told federal officials that “Google employees had actively helped him advertise his business, even though he made no attempt to hide its illegal nature.” Based upon his experience, Whitaker believed that Google must be “helping other rogue Internet pharmacies too.”

On paper, it appeared from the article that Google has a systems designed to ferret out sites which used words or had other indicia that they were selling illegal drugs. There was an initial screening by a Google sales representative. There was an automated program which searched for key words that might indicate illegal drugs were being sold. There was a review of the website itself to see of other factors were present which might show that illegal products were being sold. Finally, Google used a third party verification service, to attest that any site selling pharmaceutical products was properly licensed.

Based upon his experiences, the government set Whitaker up with an alias, fake company, bank account and phone lines and then monitored and watched him to see if his claims were true. He was told to see if Google would actively assist him to sell advertising for a non-existent company called “SportsDrugs.net, a website that sold HGH and steroids from Mexico, with no doctor’s prescription.” The plan that Whitaker used was straightforward.

1. Establish a fake identity. Whitaker made cold calls to representatives of Google to get set up as an account in the company’s system.
2. Submit the site. The feds designed the sting operation so that it would be obvious the false company was selling illegal drugs. So it offered HGH and steroids, had pictures of the drugs and even had a ‘Buy Now’ button to make clear that no doctor’s prescription was required. The Google sales representative passed the fake sales site along for “policy review, an automated process that Google uses to vet all advertisers.”
3. Scrub the site. After the fake sales company was initially rejected by the policy review process, a Google representative agreed to help “tweak it” so that it would pass through the Google approval process. The Google sales representative advised Whitaker to rename the site, remove the pictures of the illegal drugs and delete the ‘Buy Now’ button from the site.
4. Rework the site. After the suggested changes were made by Whitaker, his fake site was approved by Google. Thereafter the items which had been removed from the website, including both the photos of illegal drugs and ‘Buy Now’ button were added back into the site, all with the assistance of the Google sale representative.
5. Raise the stakes. In this phase, the undercover sting operation widened. After their initial success with SportsDrugs.net; the feds created other fake websites for Whitaker, all of which purported to sell illegal drugs. The other sites included one selling “RU-486, better known as the abortion pill, which is normally taken under close supervision of a doctor.”  Another site sold the psychotropic drugs Xanax and Valium, both without any need of a doctor’s prescription. In a final example the feds created a ‘Trojan Horse’ site; in which a pharmacy site that held a valid license also had sales for “three clearly disreputable online pharmacies.”

The chilling thing I found in this article was it reported that in each one of the false scenarios, Whitaker was reported to have explained to the Google representative the true nature and purpose of the site. All of the information that Whitaker conveyed made clear that these sites were designed to sell drugs which are illegal in the US, without a doctor’s prescription. In just over the span of three months, the undercover operation spent over $200,000 with Google.

Google ended up settling with the US government for a fine of $500 million. Although Pearson did not quote the US Assistant District Attorney, who headed the investigation and enforcement action, Peter Neronha, was quoted as telling the Wall Street Journal (WSJ) the “culpability went far higher than the sales reps that Whitaker worked with. Indeed, he said, some of the company’s most powerful executives were aware that illegal pharmacies were advertising on the site.” Google itself would not comment for the Pearson article.

From the account in the Pearson piece it would appear that Google had a system in place to check and make sure that it was not advertising sites which sold illegal drugs but that system, both human and automated, was worked around. For the anti-corruption compliance practitioner, I think that there are several key lessons which can be learned from this tale.

Train, Train, Train. If you sell services, which can be used to facilitate illegal conduct, you need to train your sales force to watch out for signs of that illegal activity. The initial Google sales representative who was contacted by Whitaker should have been the first line of prevention to stop the issue before it came up for the company.

Monitor, Monitor, Monitor. There should be several types of monitoring. If a business name comes through your system and it is rejected, there should be a monitoring mechanism in place to note if it reappears later or is approved through some other means, as was done in this situation. Similarly, if the name of a business owner comes up in connection with another company, there needs to a mechanism in place to perform a cross check. The sales representatives should also be monitored to determine if they are manipulating the system.

Incentives, Incentives, Incentives. While not discussed in the Pearson article, what do you want to bet that the Google sales representatives were compensated, at least in part, with a commission based upon the number of GoogleAds that they sold? If your compensation structure or other incentive structure rewards people who use shortcuts, then there will always be employees who take them.

Audit, Audit, Audit. Remember the part of the story about how the Google sales representative would advise Whitaker how to scrub his website of key words, search terms and other information which would indicate that it was selling illegal pharmaceuticals only to reinsert those on the site after the scrubbed site had been approved? You need to audit to determine if any illegal conduct has begun after the contract is signed. And if you do not have audit rights, you have a very slim chance of actually performing an audit.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Tell a Story to Drive Compliance

Sometimes a story will help you understand just what you did not understand. Did you know that the Federal Bureau of Investigation (FBI) launched a formal investigation in 1964 into the supposedly pornographic lyrics of the song “Louie, Louie.” That FBI investigation concluded that the lyrics of “Louie Louie” were officially “Unintelligible at any speed”. While this did not quite exonerate the song in the eyes of disapproving parent, it may have contributed to the song becoming one of the most-covered songs in rock-and-roll history. I thought about this oddity of history when reading an article in the most recent issue of In-House Texas, by Michael Maslanka, entitled “Tell Stories to Handle Client Frustration”. In his article he gives stories, as below, to use for 10 memorable scenarios of client frustration. They are certainly just as applicable to the Chief Compliance Officer (CCO) as they are a General Counsel (GC).

No. 1: “We’re in the right. Surely, that counts for something.” A California lawyer with whom I work tells clients, “I understand that you’re in the right. So is the pedestrian who always crosses on the green light and looks both ways. But he still can be flattened by an inattentive bus driver.”

Like stories, analogies can do the heavy lifting of delivering bad news, thus insulating the GC from being shot as the messenger.

No. 2: “We will fight this lawsuit, no matter the cost, for as long as it takes, whatever it takes.” Sometimes C-level executives imagine themselves as Winston Churchill, fighting on the beaches and the landing grounds, never surrendering.

But sooner or later it occurs to them that it’s only a lawsuit, not the fate of western civilization. They then start looking for a way out of the proverbial painted corner. At that point, an in-house counsel can paraphrase Voltaire, who said there were only two times in his life when he went broke: when he lost a lawsuit and when he won one. Stories help clients in many different ways. Allowing them to save face is one.

No. 3: “We can’t rush this decision. We need more time to make it. Issues of integrity and ethics are at stake.” A client seeks certainty, but the law provides only probabilities. This can lead clients to anguish over a decision. The wise counsel will listen for this phrase: “We could do X or Y, but isn’t that a slippery slope?” Sometimes clients say this when they don’t want to make a tough call.

The GC who needs to jostle a client toward a final answer can invoke Oscar Wilde, who famously remarked that morality, like art, requires drawing a line somewhere.

No. 4: Client at mediation: “Their opening offer is seven figures. We’re leaving.” Sometimes storming out is an effective tactic, and sometimes it’s not. To show internal clients that the GC is willing to fight, without getting mired down in pointless chest-thumping and other macho displays, this story from Texas history can help.

In October 1835, relations between Texan colonists and Mexico were tense. The Mexican army marched to Gonzales to ask for the return of a cannon the citizens had borrowed to fight off attacks by Native Americans. The response was a raised flag with a blue cannon on a white background, emblazoned with “Come and take it.”

No. 5: “We’ll look weak if we don’t fight on X issue. We can’t afford to cave in.” A year or so ago, I was working with a GC, deciding whether to risk forcing the EEOC to subpoena some documents. Our arguments for not turning them over voluntarily were weak, so we decided not to take the chance. But the GC’s internal clients wanted to fight. The GC asked them this question: “Is this the hill we want to die on?”

The GC attributed this story to a grizzled non-commissioned officer in Vietnam, who asked it of an inexperienced lieutenant before the start of a battle. Packaging stories in the form of questions is effective and engaging, and engagement leads to better decisions.

No. 6: “We fired the plaintiff in a knee-jerk reaction because he is a jerk. But, we need a reason that sounds better. I don’t want to sound dumb.” When in doubt, resort to the truth, counseled Mark Twain.

Why don’t people use the truth more frequently? Managers want to appear as if they always act wisely and deliberately, not emotionally and in haste. But jurors understand jerks, having certainly worked with one. Embrace truth; eschew elaboration.

No. 7: “But I was so close to the plaintiff. How could she do this to me?” I defended a case that involved a manager accused of sexual harassment. He was so upset by the allegations that he would get up in the middle of the night and re-read the complaint, trying to answer this anguished question.

Sometimes, there’s no answer to find beyond the truth of who the players are. My mother said that people never change; they only reveal themselves.

No. 8: “I can’t change my position. I’ll look like a fool.” Consistency is a virtue. But any virtue, taken to its extreme, becomes a millstone, not a life vest. According to U.S. Supreme Court Justice Felix Frankfurter, upon changing his mind on a legal issue, “Wisdom too often never comes, and so one ought not to reject it merely because it comes late.”

No. 9: “XYZ is wrong. I’ve got to blow the whistle right now.” No column about stories is complete without at least one reference to the Bible. Ecclesiastes 9:4 counsels, “For to him that is joined to all the living there is hope: for a living dog is better than a dead lion.”

Yes, something may be wrong, and a time comes when a person must stand up for what is right. But, all too often, a client only will get to do so one time before facing termination and possible ostracism. So, the client needs to make it count. Ecclesiastes delivers this message better than all the bloviated advice counsel can give.

No 10: “Just tell me what to do. You’re the general counsel.” The client, through the board and the C-suite team, makes decisions — not the legal department. As the Buddha told his disciples, people must be “lights unto themselves.” Counsel only can advise, never direct.

Maslanka ends his piece by stating that “even GCs in the biggest companies, possess zero organization-chart authority to direct those outside the legal department to do things. But, like all lawyers, they have something more powerful: moral authority. Stories help lawyers leverage that authority, because they are not lectures, which are ineffective, but reminders, which are effective.” I would hold that the same is true for the CCO. So, as Maslanka says, “Here’s to stories. Tell one.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Scam Artists from Texas and Compliance Risk Management

Billie Sol Estes died yesterday and when it comes to scam artists from the great state of Texas, before there was Allen Stanford and his magical Certificates of Deposits located in his private bank in Antigua, there was Billie Sol Estes. Before Sir Allen came along, Billie Sol had a 50 year run as the King of Texas Swindlers. He was most well-known for his scam involving phony financial statements and non-existent fertilizer tanks to loot a federal crop subsidy program. He went to jail for mail fraud over this scheme, although his conviction was later over-turned. But his lasting legacy may be the following quote by former Associated Press (AP) correspondent Mike Cochran, who recalled writing how Estes made millions of dollars in phone fertilizer tanks scam and noted “how many city slickers from New York or Chicago can make a fortune selling phantom cow manure?”

Billie Sol’s risk tolerance was quite high and his implementation of a risk management plan may have seemed, well, rather 1950ish. Hopefully your company is a tad more mature in this process. But after you have identified a compliance risk, what should the next steps be for a company’s Chief Compliance Officer (CCO)? This question was explored in an article by C. J. Rathbun, in the May/June issue of Compliance and Ethics Professional Magazine, in an article entitled “You’ve identified a corporate risk—what next?”. Rathbun believes that any consideration of such an identified risk will be in the context of three key questions:

1. The severity of the risk weighed against the company’s appetite for risk.
2. How the company has performed in the past on managing similar risks and if so, what the impact might be on the company if the risk actually occurred.
3. The probability or likelihood of the risk event occurring.

I.                   The Compliance Report

Rathbun explained that a CCO needs to consider several questions when shaping the report which will go to the management group or Chief Executive Officer (CEO) to make any decision on whether a new risk should be accepted. These questions include:

• Who is the audience for the report? Will it be the CEO, Board of Directors or some other senior management group or council? Further, what is the level of trust between the CCO and those constituent groups? Has the CCO been elevated to a C-Suite level position within the company? Could the audience be a regulatory body or perhaps even a Judge?
• What is your company’s organizational structure? In this question you need to consider how decisions of this dimension are usually made in your company.
• What reputational risk for the company should be anticipated? This is the Wall Street Journal (or New York Times) questions. How would your CEO feel if he woke up to read about your company and its decision being on the front page of the Wall Street Journal?
• What should be incorporated into the report? Should other business concerns be incorporated into the report, such as financial or other legal issues?
• How should the report be presented? In what format or with what technology should the report be presented? Will the group or person tasked with making the decision accept a written report or will it simply be a high-level PowerPoint presented to a Board of Directors?

 II.                Weighing the Options

Once the report is considered and the options weighed, what are some of the possible outcomes that a company may utilize? Rathbun breaks the options down to four. The first is risk avoidance, where a company decides that the risk is simply too great. The second option is risk management, where the company implements procedures to manage the risk and then monitors the risk closely. The third is risk shifting where some portion of the risk is transferred through insurance or other mechanism. Fourth, and finally, is that the company can simply accept the risk, so risk acceptance.

III.             Implementation

Rathbun believes that the risk management choice is the one which may well take the most work, particularly for a CCO. You may be required to create new policies and procedures to assist in the risk management process. Any new policies and procedures will need to be implemented with attendant training for the affected employees. There will need to be follow-up monitoring to ensure engagement and accountability.

IV.              Confirming Changes in Behavior

Rathbun articulates that are two mechanisms by which a “checkback” can be performed on policies, procedures, actions and employee accountability. These two mechanisms are monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, more aggressive approaches may be required such as the addition of follow-up assessments to confirm effective management of the new risk.

Rathbun cautions that the use of more standard tools to “checkback” should also be utilized. These include compliance by third parties, testing or otherwise gauging employee knowledge regarding the risk management program and even hotline complaints. Rathbun also suggests that relatively new tools such as transaction monitoring, relationship monitoring and real-time party monitoring of third parties should be considered.

V.                 End Goal

Rathbun believes that the end goal should be “to allow the company to identify a growing concern before it becomes an issue—before consumers are harmed or regulators become concerned.” While a well-structured program does require vigilance it also allows the opportunity for continuous improvement for your company. Rathbun concludes by stating that your goal should be to “help ensure that you and your company ‘will get the first crack’ at addressing a problem, if one occurs.”

I found the Rathbun article to provide a good method for the compliance practitioner to think through, then design and implement a risk management plan, within the context of your overall compliance program. Although she never states it, a key component that she outlined is the Document, Document, Document component of any compliance program. The Department of Justice and Securities and Exchange Commission said in their FCPA Guidance “In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.” I believe that you can achieve such a carefully designed and earnestly implemented risk management program by using Rathbun’s suggestions.

Finally, if a long, tall Texan comes to you wanting to borrow money against some fertilizer tanker; do not just turn and walk, run in the other direction.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

DPAs and NPAs – Useful Tools to Achieve Compliance

The debate on whether the use of Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) has become lively again over the past couple of weeks. Last week, there was a panel hosted by the Corporate Crime Reporter conference at the National Press Club. The panel was moderated by Steven Fagell, a partner at Covington & Burling LLP, and the panelists included Denis McInerney, the Criminal Division’s Deputy Assistant Attorney General, David Uhlmann, the former chief of the Environmental Crimes Section at the Department of Justice (DOJ), and currently a Professor of Law at the University of Michigan, the FCPA Professor, Michael Koehler, Kathleen Harris, a partner at Arnold & Porter LLP in London, and Anthony Barkow, a partner at Jenner & Block in New York.

The FCPA Professor wrote about the conference in two posts this week. The second post, entitled “Seeing the Light from the ‘Dark Ages’”, reported on the panel discussion. In this post, the Professor flatly says that DPAs and NPAs should be abolished in the context of Foreign Corrupt Practices Act (FCPA) enforcement and that a compliance defense should be added to the FCPA. In the other corner stands Mike Volkov, who said in a recent post, entitled “The Continuing Controversy Over DPAs and NPAs”, that DPAs and NPAs are part of the growing arsenal of prosecutorial tools that can be brought to bear by the DOJ and now the Securities and Exchange Commission (SEC).

The Professor previously articulated his views against DPAs and NPAs last fall in a post entitled “Assistant Attorney General Breuer’s Unconvincing Defense Of DPAs / NPAs”. In that post he said that the “use of NPAs or DPAs allow “under-prosecution” of egregious instance of corporate conduct while at the same time facilitate the “over-prosecution” of business conduct.” The ‘under-prosecution’ comes “because they [DPAs and NPAs] do not result in any actual charges filed against a company, and thus do not require the company to plead to any charges, allow egregious instances of corporate conduct to be resolved too lightly without adequate sanctions and without achieving maximum deterrence.” The ‘over-prosecution’ comes “because of the “carrots” and “sticks’ relevant to resolving a DOJ enforcement action often nudge companies to agree to these vehicles for reasons of risk-aversion and efficiency and not necessarily because the conduct at issue actually violates the law.” Volkov, being a former prosecutor, says that “Prosecutors like to have a variety of tools. An up or down decision system – indict or decline to indict – does not give prosecutors any ability to address the hard cases, where they are more inclined to decline prosecution rather than indict.”

However, I am neither a former prosecutor, like Volkov, nor a former white collar defense lawyer, like the Professor. I am a recovering trial lawyer who then went in-house. From this background I think that there is another line of reasoning as to why DPAs and NPAs are useful FCPA compliance enforcement tools and that line of reasoning is certainty. The primary reason for the prosecution and a company entering into a DPA/NPA is certainty. The one thing I learned in almost 20 years of trying cases is that nothing is certain when you leave the final decision to an ultimate trier of fact who is not yourself, whether that trier of fact be a jury, judge or arbitrator. The most important thing for a company is certainty and that is even more paramount when a potential criminal conviction looms over its corporate head. Certainty is equally critical for the prosecution. No matter how ‘slam dunk’ the facts are, or appear to be, once a prosecutor turns over the final decision in a case to another trier of fact; the prosecution has lost certainty in the final decision. Every corporate defendant who goes to trial can and should raise all procedural and factual defenses available to it. No prosecutor can ever be 100% certain that it will win every court ruling or that a guilty conviction will be upheld on appeal. However, a DPA/NPA can bring certainty. For a company, certainty in its rights and obligations, for the prosecution the same is true.

There was another article which considered the panel discussion held at the Corporate Crime Reporter conference entitled “McInerney Defends Deferred and Non Prosecution Agreements”. This article included quotes from David Uhlmann, who said that he believes, “This is about a profound ambivalence in parts of the Department about the very notion of corporate criminality.” Uhlmann believes that it this ambivalence which has driven the use of DPAs. He believes that the DOJ should make an “up or down” decision on whether a corporation should be prosecuted or not. He was quoted as saying “There is no more important role that the Justice Department plays than its role investigating and prosecuting crime. And if the Justice Department believes that a particular case warrants criminal prosecution, it should bring criminal charges. It should not sacrifice criminal prosecution to a private agreement never entered in court, never overseen by a judge in any meaningful way that doesn’t involve any public hearing, that doesn’t involve any corporate officials coming into the courtroom admitting guilt. On the other hand, if the Justice Department doesn’t believe that a criminal prosecution is necessary or warranted, then they should decline. They should decline prosecution in favor of — in most cases they have the option of civil or administrative enforcement.”

The Professor had a slightly different take on the use of DPAs in the context of criminal prosecutions of corporations. He was quoted as saying, “The Department has become so uncomfortable with the traditional notions of corporate criminal liability that they have constructed and indeed championed this alternative reality that is equally problematic.” Further, “These resolutions have had a troubling, distortive and toxic effect on this one area of law,” Koehler concluded. “There is no judicial scrutiny of most fcpa enforcement theories.” And, lastly, “Of course, the Justice Department is in favor of these because it makes their job easier. Of course, the FCPA bar and FCPA Inc. is in favor of these it expands the market for legal services.”

Criminal Division Deputy Assistant Attorney General McInerney made clear that he is not ambivalent at all about corporate criminal liability and specifically stated this. So let me speak from the perspective of a lawyer from Houston, who has represented companies in the energy space for quite some time. The frustration that boiled over from the lack of prosecutions regarding the financial troubles of the recent years should not obscure the fact that the DOJ has and will continue to pursue criminal cases against corporations.

But to paraphrase Joe Jackson, something else is going on ‘round here with prosecutions of corporate criminal conduct and the use of DPAs/NPAs. While one role of the DOJ is to prosecute law breakers; I believe that another role of the DOJ is to increase and encourage compliance with laws. The DPA/NPA debate does not stand in a vacuum. I believe that by offering incentives for companies to self-disclose and cooperate, the DOJ is increasing compliance with the FCPA. If there is no incentive to cooperate, there will be none. Period. If a company will face a criminal indictment or charge if it investigates a matter and self-discloses to the DOJ, how many companies will do so? McInerney was quoted as saying, “You are disincentivizing companies in terms of doing the right thing. You are not crediting companies for doing the right thing.”

Now let me take the flip side; Arthur Anderson. For all the howls that there is no empirical evidence that indicting and convicting companies puts them out of business; I am certainly not persuaded. I saw it happen, here in Houston. Was it in the interest of the US government to put Arthur Anderson out of business? Did it further the policies of this country to go from the Big Four to the Big Three? What about all the Arthur Anderson employees who did not work on the Enron account, what policy did it further to have them lose everything they invested in their professional life? If DPAs/NPAs are less draconian in their effect than destruction of a corporation’s existence, does that make them somehow less useful? If the DOJ wants to put such a factor into their decision making, I find that to be an appropriate calculus.

As to the charge that the FCPA Bar/FCPA Inc. used DPAs/NPAs to expand their market for work? [Full disclosure - I am a member of the FCPA Bar and ergo, FCPA Inc.] I think that it is the job of a lawyer to advise his or her clients on their legal obligations and to assist in fulfilling those obligations. Is it in my own myopic self-interest to advocate compliance with the FCPA? Or am I a part of the FCPA Bar and Inc. which assists companies to comply with a now 35 year old law? Whichever answer you prefer, I believe that there is more compliance now and that the use of DPAs/NPAs is a contributing factor to this increased compliance.

Another panelist, Anthony Barkow posited yet another angle. He said “one the primary policy justifications — or certainly a significant policy justification — is — getting DPAs and NPAs is easy. “It’s a lot easier than charging a company,”” Barkow said. “And it’s a lot easier than charging it and to try to get a plea.” While I do not pretend to know the intricacies of obtaining an indictment or going before a grand jury, it is always easier to settle something rather than try a case. But that does not mean any less work goes on, either from the corporate side or especially from the government side. FCPA enforcement actions are huge, document intensive cases and from what little I know of the process, the DOJ works quite hard to craft an appropriate resolution for each case. Further, there are multiple levels of review in the DOJ so many sets of eyes look at these matters. So while it may be easier to reach a resolution rather than charging and criminally trying a corporation, that does not mean in any way, shape or form that this work is easy. The work is hard, time intensive and takes literally thousands of man-hours by all parties involved to reach any resolution. Simply because a new enforcement tool is available, which is short of a criminal indictment and trial, does not mean that it is not a useful tool and should not be used.

Mike Volkov ended his post with the following, “The debate will continue – I have no doubt of that.” I would certainly second that notion. But from where I sit the use of DPAs/NPAs has improved compliance with the FCPA because their use has given corporations a real incentive to thoroughly investigate allegations of bribery and corruption and then work with the government to appropriately remediate the situation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Get Out of the Ivory Tower – Using Internal Corporate Resources to Facilitate the Compliance Function

The second day of Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston packed as much solid information into it as did the first day. One of the sessions dealt with utilizing other corporate functions to assist a compliance department in implementing or enhancing a compliance program. There are many resources which currently exist inside your organization and if you are in the position where you must use internal rather than external resources, this post will detail some of the functions which you may be able to call upon inside your organization.

You should start with a basic approach which the speaker termed “Get Out of the Ivory Tower”. He explained that the compliance department must obtain realistic input from geographies, cultures, business units and corporate functions within the company. As he rather succinctly put it to the audience “A procedure which may work in Texas may not work in Indonesia.” He also counseled to train in local languages. This may mean more than translating your talk into one language. He gave the example of his training in Spain where he had dual translations going, from English into Spanish and Catalan.

Part of this translation issue led to his next point, which was not to believe your own story or even worse, your own propaganda. Simply because a Country Manager says something is true means does not mean that it is true. Internal controls, monitoring and auditing are important to test that you are actually doing compliance rather than simply saying you are in compliance.

In determining what other departments might be able to assist the compliance function, the speaker suggested that you should start with three inquiries. They were:

1. What can yours do? This is the initial assessment that you need to make about what your compliance department can do. What are your resources and budget? Start with this question.
2. What can theirs do? In looking around your company, next ask this question. What are the functions of the departments? Are there things that they are currently doing which can supplement the compliance function? Are there functions in that department’s core function which can assist the company in the doing of compliance?
3. How many employees does each of you have? An obvious concern is the number of employees that are available to assist the compliance function.

What are some of the other corporate functions that might assist the compliance department going forward? An obvious starting place is Human Resources (HR). The speaker listed several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touch every site in the company, globally. HR is generally seen as more approachable than many other organizations in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

Obviously, HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the compliant and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert so you can turn to them for any of your compliance program requirements which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not they make sense. In some new environments, a policy may not work. If you company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often over-looked function but it facilitates local coordination, which is always easier than from the corporate office.

There are many ways to implement or enhance a compliance program in a company. If you do not have the luxury of creating an entire compliance department with an unlimited budget, you may be able to call upon other areas of corporate expertise to facilitate your role. Do not be an Ivory Tower.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

My FCPA and Bribery Act Musings Continue

This past week, my second book, “Best Practices Under the FCPA and Bribery Act” was released. Over the past few years I have tried to provide the compliance practitioner with solid information that can be used to implement, review and enhance a US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act based compliance program. I am often asked to collect my blog posting regarding what are the current best practices for an anti-corruption/anti-bribery compliance program. In other words, what are the specifics of a compliance program. This volume will provide the compliance practitioner with information that can be used for the ‘nuts and bolts’ of compliance.

Using the format of the most recent US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) “A Resource Guide to the U.S. Foreign Corrupt Practices Act. The Foreign Corrupt Practices Act (FCPA)” [the “FCPA Guidance”]; I have included some of my thoughts on what you can do to create and maintain a best practices compliance program. I have also included some thoughts on how to create and maintain such a compliance program using the Six Principles of an Adequate Procedures compliance regime under the UK Bribery Act.

I was honored to have the FCPA Professor, Mike Koehler, pen the forward and he said, in part, “In the current global marketplace, Foreign Corrupt Practices Act (“FCPA”) risk needs to be on the radar screen of most companies – large and small, public and private, and across industry sectors. Given the current enforcement theories of the Department of Justice and Securities and Exchange Commission, FCPA risk is not always apparent from reading the statute. There is no way for business organizations to truly eliminate FCPA risk, but such risk can be effectively managed and minimized through pro-active policies and procedures and other means of risk assessment.”

I hope that you can use this volume, in conjunction with the FCPA Guidance and the Ministry of Justice’s Six Principles of an Adequate Procedures compliance program, to implement or enhance your compliance regime. Both the FCPA Guidance and Six Principles make clear that there is no ‘one size fits all’ compliance program. The key is to assess your company’s risks and to manage those risks appropriately. This volume will help you to determine the type and scope of program that is appropriate for your company and will assist your compliance efforts going forward.

Best Practices Under the FCPA and Bribery Act is available exclusively on amazon.com. For a copy, click here.

Edgar Allen Poe and Innovation in the Compliance Function

Tomorrow, April 20 is the anniversary of a truly innovative work of literature. On April 20, 1841, Edgar Allen Poe’s story, The Murders in the Rue Morgue, first appeared in Graham’s Lady’s and Gentleman’s Magazine. The tale is generally considered to be the first detective story. The genre is distinctive from a general mystery story in that the focus is on analysis. The story describes the extraordinary analytical powers used by Monsieur C. Auguste Dupin to solve a series of murders in Paris. The character of Dupin became the prototype for many future fictional detectives, including Arthur Conan Doyle’s Sherlock Holmes and Agatha Christie’s Hercule Poirot. Like the later Sherlock Holmes stories, the tale is narrated by the detective’s roommate. Poe biographer Jeffrey Meyers sums up the significance of “The Murders in the Rue Morgue“: “[it] changed the history of world literature.” Poe’s role in the creation of the detective story is reflected in the Edgar Awards, given annually by the Mystery Writers of America. For both myself and the many worldwide fans of Sherlock Holmes, we owe a tip of the hat to Poe for inventing the genre.

As Poe demonstrated, innovation can come in many forms. Earlier this week I wrote about some of the innovative ways that Joel Katz, of CA Technologies, had improved his company’s compliance function. In this post, I will discuss how Katz was able to increase the participation of business leaders into the doing of compliance. He did so by the creation of ‘Regional Business Ethics Councils.’ I found the CA Technology creation and use of these Regional Business Ethics Councils as an innovative approach to help move compliance into the company’s DNA in a robust manner.

The Regional Business Ethics Councils are designed to “largely serve as a communication vehicle between our corporate compliance team in the United States, business leaders, and employees.” These Regional Business Ethics Councils were created in the company’s three major geographic regions which consisted of the Americas, Europe and the Middle East (EMEA) and Asia-Pacific (APAC). Each Regional Business Ethics Council is comprised of six to eight senior business leaders from each part of the company’s functional business, including legal, finance, HR, sales, development, administration, and others. The Regional Business Ethics Councils meet quarterly.

Katz believes that the Regional Business Ethics Council members play a critical role with compliance messaging to employees in their respective regions. Their meetings are used to “discuss current compliance issues and internal and external trends, significant legal or regulatory changes that impact the business, and upcoming compliance initiatives.” This structure allows the company to be more nimble and be in a position to respond more quickly to different external issues that may arise and impact the compliance function.

CA Technologies also uses the Regional Business Ethics Councils as a mechanism to “solicit feedback from the business on the current business environment, any concerns the business leaders may have about our business or our compliance program, and any other issues they wish to discuss.” One of the constant challenges for employees is getting foreign employees to trust and communicate with the compliance function. The Regional Business Ethics Council can provide another route by which information and concerns can be conversed up to the compliance function.

Katz acknowledged that the level of engagement of the individual council members varies from both person to person and Regional Business Ethics Council to Regional Business Ethics Council. Nevertheless, the company has found that the Regional Business Ethics Council initiative “has succeeded in creating more visibility into the compliance function for company business leaders and more visibility into the global business for our compliance team.” Additionally, the Regional Business Ethics Councils can assist the compliance group by focusing on issue-spotting and awareness-raising within their specific region. Katz believes that this is helpful because it “is consistent with our belief that if we can get people talking about compliance and asking questions, we can address most issues long before they become compliance problems.”

Katz ended his article by explaining that at CA Technology “compliance training and communication plan is and will always be a work in progress” which he believes is appropriate for “every organization, as such organizations and legal and regulatory landscapes will undoubtedly evolve and change over time.” His article helps to drive home the message that a company “should examine its plan at least annually to ensure it is still viable and continually look for opportunities to improve it. This iterative approach to training and communication will help ensure that messages are being heard, understood, acted upon and appreciated by your employees.”

I have often written about the need for some type of management oversight above the compliance function which sits below a company’s Board of Directors. The CA Technology approach of using the Regional Business Ethics Council provides another level of engagement by corporate functions. But just as a Regional Business Ethics Council can be used to communicate from areas outside the US back to the corporate headquarters, the Council structure allows the compliance function to communicate back into the regions. I believe that this can help companies to communicate the importance of compliance more thoroughly and more effectively throughout an organization.

Lastly, one of Katz’s themes is to help the company employees understand that compliance is there to help them do work business more efficiently and at the end of the day in a manner more consistent with the company’s overall ethical values. I believe that the use of the Regional Business Ethics Council program can be a key way to demonstrate this commitment to employees. I would suggest that this type of program may be something that you should consider for your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

In the Limelight-the Theater, Lady Gaga and Compliance

What is your favorite Canadian group? For my money it is the band Rush. My favorite Rush song is probably “Limelight”. How many times have you heard about ‘being in the limelight’? The phrase comes from the British theater where lights in the theater used quicklime. Although long since replaced, lighting in the British theater is still called ‘limes’.

I thought about Rush and their hit song when I recently read a couple of articles on leadership in the theater. I found that some of the insights in these articles could be applied in a compliance program for a multi-national company. In an article in the New York Times (NYT) Corner Office Section, entitled “First, Make Sure Your Idea Works On a Small Stage”, reporter Adam Bryant interviewed Francesca Zambello who is both the general and artistic director of the Glimmerglass Festival and the artistic director of the Washington National Opera.

Think Small

Zambello had a very interesting point that I do not consider often. She said that one of the most memorable lessons that she ever learned from a mentor was to make sure that your creative idea will work on the small stage. By this she did not mean that you cannot have a big idea or large concept. Instead “The most important thing he ever taught me was that if you don’t make sure the show is right in a small room, it will never be right in a big space, on a big stage.”

I found this comment particularly insightful in the context of the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance. The FCPA Guidance makes clear that a company should design a compliance program which is appropriate for its size, markets and risks. There is no one standard and the FCPA Guidance states: “DOJ and SEC have no formulaic requirements regarding compliance programs. Rather, they employ a common-sense and pragmatic approach to evaluating compliance programs, making inquiries related to three basic questions: • Is the company’s compliance program well designed? • Is it being applied in good faith? • Does it work?”

I have seen many instances where a company will try and implement a compliance regime which is appropriate for a company many times its size. It becomes a top down exercise but as noted in the Zambello interview, it does not work well in the smaller setting because it is not assessing and managing the risks appropriate to a small company. Here a bottom up approach can be much more effective. Certainly this could be accomplished through a formal risk assessment but it may also come through talking and meeting with your internal business units or partners. Such informal assessments can provide valuable information which may work on a ‘smaller stage’ than a compliance program designed for a multi-billion, multi-national company.

Learn How to Fail

Another insight I garnered from the Zambello interview for the compliance practitioner was what she termed “You have to learn how to fail.” She believes that in any position you are in, that you are going to fail. But the real key is that “if you don’t fail, you are probably not that good.” Lastly, if you fail you have to learn to pick yourself up, “The more you get knocked down, the more you learn to pick yourself up.”

In the context of the FCPA Guidance, “DOJ and SEC understand that “no compliance program can ever prevent all criminal activity by a corporation’s employees,” and they do not hold companies to a standard of perfection. An assessment of a company’s compliance program, including its design and good faith implementation and enforcement, is an important part of the government’s assessment of whether a violation occurred, and if so, what action should be taken.” Clearly how a company handles any Foreign Corrupt Practices Act (FCPA) violation is an important key to any DOJ or SEC analysis regarding enforcement.

However, the other point for the compliance practitioner is that not everything should always go right under your compliance regime. Not every third party business representative you look at should pass muster under your process for approval. If everyone does, your process may not be robust enough. Not all of your employees do everything right all the time. If you have never disciplined an employee for a violation of your company’s Code of Conduct or compliance program, you should look to determine if this area needs to be explored as not every expense report is always correct. Lastly, if there has never been a substantial tip to your anonymous reporting line, this is an area which should also be explored. You may need to conduct more, or better, training so that employees understand that they can report incidents in confidence, without fear of retribution.

Be Courteous

Another interesting topic that Zambello discussed was the following, “I think that good manners matter a lot…Some of those are old fashioned things, but manners don’t cost anything.” Think about it – when was the last time you had a discussion of manners or even courtesy? This point is not something which is discussed much in the compliance arena but I think that courtesy is something that compliance practitioners need to be aware of when involved in a multi-national compliance program. Be sensitive to cultural norms in other countries and be respectful of them. As my very southern grandmother used to say, you are never wrong being courteous. Lastly, do not forget the cost for being courteous, nothing. But the benefits can be quite great.

From Lady Gaga to Compliance

For a different type of theater and how it relates to your compliance program, I recently came across an article in the Financial Times (FT), entitled “In need management tips? Try Lady Gagahttp://www.ft.com/intl/cms/s/2/da6559ce-a289-11e2-9b70-00144feabdc0.html#axzz2Qcpc6zzT”, by reporter Miles Johnson. (While some might suggest that Lady Gaga is a musician, I certainly think she is all about theater so it ties in with the above, really.) Johnson’s article reviews the work of Salvador Lopéz, a marketing and research professor at Spain’s ESADE business school. Lopéz believes that the world of business can learn quite a bit from the Lady Gaga’s of the world and I found that a couple of them apply to the compliance arena.

The first is that Lady Gaga generates emotions in her fans. Lopéz likened this to Steve Jobs who created “an entire style at Apple and made people feel things through his products.” Here I think that this applies to compliance because most employees want to do the right thing and will feel better about themselves if they conduct business in an ethical manner. The key for the compliance professional is not only to provide the processes and procedures for them to do so but to also acknowledge those employees who follow a company’s ethical business values. This can occur through financial incentives such as part of an employee’s discretionary bonus awards; promotion of employees who conduct business in accord with a company’s ethical practices or even something as simple as a companywide acknowledgement. The point is to make people feel that something positive for doing compliance the right way.

The second point that Lopéz gleans from performance artists like Lady Gaga is that they are much better in the use of technology than most companies. There are now a plethora of technological tools available to assist the compliance practitioner. I firmly believe that the DOJ and SEC have communicated that transaction monitoring will become a standard best practice quite soon, but certainly within the next 18 months. There are companies, such as Oversight Systems to name but one, which have technological tools to help move to this standard. But that is only one of many tools available to assist in your compliance program. So take a clue from Lady Gaga and ‘keep it fresh’.

These two articles demonstrate that the compliance practitioner can draw from a wide variety of sources and disciplines for inspiration to incorporate into a FCPA or UK Bribery Act compliance program. Further, the tools are out there to help you. I hope that this article has given you some ideas while drumming your fingers along to Rush or Lady Gaga for that matter.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

How To Demonstrate Ethics and Compliance – Earn It, Re-Earn It and Re-Evaluate It

What should your company do if it finds itself in a situation where some of its senior leadership has engaged in conduct which violates its own ethical standards or external legal standard such as the Foreign Corrupt Practices Act (FCPA)? Assume your company is now in McNulty Maxim No. 3 of “What did you do about it?” as you have investigated the conduct and disciplined the senior management in question. However, you want to go further and try to take steps that will detect and prevent the conduct in the future.

A current example of this is going on in the US military. In reaction to recent scandals involving lapses of personal character, the US military has instituted a series of changes to help military commanders to focus on ethical standards. In an article in the New York Times (NYT), entitled “Conduct at Issue as Military Officers Face a New Review”, Thom Shanker discussed a range of responses that the military will pursue. He reported that “The new effort is being led by Gen. Martin E. Dempsey, the chairman of the Joint Chiefs of Staff, as part of a broad overhaul of training and development programs for generals and admirals. It will include new courses to train the security detail, executive staffs and even the spouses of senior officers.” The article quoted General Dempsey as saying, “Conversely, you can have someone who is intensely competent, who is steeped in the skills of the profession, but doesn’t live a life of character. And that doesn’t do me any good.”

The military has initiated three broad responses. The first is a “regularly scheduled professional reviews would be transformed from top-down assessments to the kind of “360-degree performance evaluation” often seen in corporate settings.” A 360-degree review is one which comes from members of an employee’s immediate work circle. Most often, 360-degree feedback will include direct feedback from an employee’s subordinates, peers, and supervisor(s), as well as a self-evaluation. It can also include, in some cases, feedback from external sources, such as customers and suppliers or other interested stakeholders. The results from a 360-degree evaluation are often used by the person receiving the feedback to plan and map specific paths in their development.

While acknowledging the challenges from that comes from a subordinate review in a top-down hierarchical structure, such as the military, General Dempsey stated that “we’ve developed some bad habits” and that “It’s those bad habits we are seeking to overcome.” The article quoted Richard H. Kohn, a professor emeritus at the University of North Carolina, Chapel Hill, who specializes in military culture who said “he thought the 360-degree evaluation would have a positive effect on the leadership styles of many officers. He also stated that “It will reduce what the military calls ‘toxic leadership,’ elevating those who are highly competent but also fair and less brusque and peremptory.”

The second response was increased training on values. “General Dempsey said the demands of combat deployments in the past decade had prevented officers from attending the academic programs that historically had been integrated into an officer’s career every few years, and he pledged to rebalance that.” I found this quote very fascinating as it showed the extent that the military uses outside resources, I.E. civilian academic programs to supplement training on military values. Due to the increased deployments since 9/11, these traditional academic rotations have been less ongoing. Dr. Kohn found that these new training programs are a good enhancement to military training as “most officers need to be reminded of the rules and regulations on a routine basis.” But this training will go past simply the senior officers as “new programs will be instituted to ensure that a commander’s staff, and a spouse, are fully aware of military regulations.”

The third component will be more internal audits. The articled noted that “Under General Dempsey’s plan teams of inspectors will observe and review the procedures of commanders and their staffs. The inspections will not be punitive, but will provide a “periodic opportunity for general officers and flag officers to understand whether, from an institutional perspective, we think they are inside or outside the white lines.”” I found this component to be similar to the ‘Mock Audit’ concept that is used in the power industry that I recently wrote about in the post “In Praise of the Mock Audit”. A ‘Mock Audit’ is a mechanism by which a compliance team can go into a facility and not only try to determine what might need remediation but, equally importantly, help the employees in that facility to move towards greater compliance.

For the FCPA compliance practitioner, this response by the US military has some very interesting parallels to what the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) say should be in your FCPA compliance program. The DOJ/SEC FCPA Guidance demonstrates that a company should strengthen and supplement its compliance program on causes underlying the compliance issues which arose. The Guidance states, “An effective compliance program promotes “an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations. [emphasis supplied] Further, in its section on Declinations, one of the six common elements which companies that received declinations engaged in was to make their compliance program more robust around the FCPA violation which arose. Clearly the DOJ and SEC believe that a company with a strong compliance system and culture will not only be in better position to comply with the FCPA but will be a better company.

General Dempsey clearly believes that the military has high ethical values. Shanker wrote that “He said the issue of understanding the military as a profession, and not just an occupation, had fascinated him since his days as a junior officer; he would be subject to the same rules, regulations and assessments he now is championing.” Shanker ended his article with the following quote from General Dempsey, “In my 39 years in the military, I have learned that you are not a profession just because you say you are,” he said. “You have to earn it and re-earn it and re-evaluate it from time to time.”

To me that sounds something like the following-you are not an ethical company because you say you are but because you do compliance by putting in the policies and procedures to do so.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013