FCPA Compliance and Ethics Blog

December 18, 2014

Ty Cobb and the Compliance Performance Appraisal Review

Ty CobbToday we celebrate greatness, in the form of one of the greatest baseball players ever, with the anniversary of the birthday of Ty Cobb. Coming up to the majors as a center fielder for the Detroit Tigers in 1905, he emerged in 1907 to hit .350 and win the first of nine consecutive league batting titles. He also led the league that year with 212 hits, 49 steals and 116 RBIs. In 1909 he won the league’s Triple Crown for the most home runs (9), most runs batted in (107), and best batting average (.377). In 1911, he led the league in eight offensive categories, including batting (.420), slugging percentage (.621), hits (248), doubles (47), triples (24), runs (147), RBI (144) and steals (83), and won the first American League MVP award. He batted .410 the following season, becoming the first player in the history of baseball to bat better than .400 in two consecutive seasons.

Cobb set a record for stolen bases (96) and won his ninth straight batting title in the 1915 season. He faltered the next year, but came back to win another three straight titles from 1917 to 1919. He left the team in 1926 and signed with the Oakland Athletics, hitting .357 and becoming the first-ever player to reach 4,000 total career hits before retiring after the 1928 season. His record of nine consecutive batting titles as well as his overall number of 12 will never be succeeded.

While Cobb certainly had quite a bit of natural ability, he was also a very dedicated baseball player, forever working to improve his craft. He might not have taken well to criticism but he did work to improve all aspects of his game. One of the modern ways to improve employee performance is through an annual employee performance review. Recently I read an article in the Houston Business Journal entitled “6 Ways To Make Performance Reviews More Productive” by Janet Flewelling. I found her article provided some interesting perspectives on some of the ‘nuts and bolts’ work that you can put into your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption program that can be relatively low-cost but can add potentially high benefits.

One of the ways to drive compliance into the DNA of an organization is through incentives such as making it a component of a year-end discretionary bonus payment. Indeed the FCPA Guidance states, “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance pro­gram, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern.”

Most Human Resources (HR) experts will opine that properly executed performance appraisals are crucial to organizational productivity as well as the development of employee skills and employee morale. Moreover, they can serve a couple of different functions for a best practices compliance program. First, and foremost, they communicate to each employee their job performance from a compliance perspective. However, one key is not to approach the performance appraisal review as an isolated event but rather a continual process. This means that instead of trying to play catch-up at the last minute, supervisors should provide feedback and assess job performance throughout the year so annual reviews are grounded in a year’s worth of experience. This includes the compliance component of each job. The second area performance appraisals impact is compensation. As noted above, the DOJ and SEC expect that your compliance program will have both discipline and incentives. But those incentives need to be based upon something. The score or other performance appraisal metrics will provide to you a standard which you can measure and use to evaluate for other purposes such as employee promotion or advancement to senior management going forward.

In her article Flewelling provides six points you should consider which I have adapted for the compliance component of an annual employee performance appraisal. 

  1. Prioritize reviews in your schedule – You should schedule the employee performance appraisal at least several days in advance, rather than when a time slot suddenly opens up. You would make sure that you allot sufficient time for unhurried give and take between the reviewer and the employee.
  2. Review the entire year’s performance – You should resist the attempt to focus the discussion on the latest compliance experience. This is called recency bias. If a compliance issue arose in the past month or so, you need to keep it in perspective for the entire review period. Moreover, by focusing a review on a recent problem you may obscure prior accomplishments and make an employee feel demoralized. Take care not to go too much in the opposite direction as recency bias can work both ways, and one should not let a favorable recent compliance event overshadow the full review period.
  3. Do not hesitate to critique – Be generous with praise where it is warranted, but do not hesitate to discuss improvements needed in the compliance arena. Many supervisors are reluctant to confront and indeed desire to avoid confrontation. However remaining silent about an employee’s compliance shortcomings is a disservice to both the company and the employee.
  4. Do not dominate the conversation – Remember that you must give the employee time for self-appraisal and to ask questions or to comment about the feedback received from the compliance perspective. If there are specific questions or concerns raised by the employee you need to be prepared to address them as appropriate.
  5. Understand the employee’s role – You need to understand and appreciate that if the recent economy has resulted in many employees assuming the responsibilities of more than one position. If relevant to the employee, acknowledge that fact and take it into account in the review. This is certainly true from the compliance perspective as many non-Compliance Department employees have cross-functional responsibilities. If they claim not to have the time to handle their compliance responsibilities you will need to address this with the employee and perhaps structurally as well.
  6. Anticipate reprisal – Although it is rare, you can face the situation where an employee who is very dissatisfied with a review may refuse to sign it. The employee may be offered the opportunity to add a statement to the review. Also point out that the employee signature is an acknowledgement of receiving the review and does not signify agreement. If the employee still refuses to sign, have a second supervisor come in to witness the refusal. This may be particularly important from the compliance perspective.

Flewelling ends her piece by noting, “A proper annual review requires considerable effort from employee supervisors. It should be a full-year process involving regular guidance and feedback and perhaps several mini-reviews along the way. But rather than viewing it as onerous, supervisors should keep in mind that it is a tool for making their departments work more efficiently and yields better results for everyone involved.” I would add this is doubled from the compliance perspective. Nonetheless the potential upside can be significant from your overall compliance program perspective.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

December 12, 2014

Seamus Heaney and Compliance With a Seat at the Table

Seamus Heaney and beowulfI have long been fascinated with the Irish poet Seamus Heaney. I came to know him thought his 1999 translation of Beowulf. While I was aware that he had been awarded the 1995 Nobel Prize for Literature, I did not know his work as an Irish poet. However, this was rectified in a piece in the Times Literary Supplement (TLS), entitled “A stay against confusion – Seamus Heaney and the Ireland of his time”, by Roy Foster. In this piece he reviewed the evolution of Heaney’s poetry through the 1960s and 1990s. Foster believed that Heaney’s work in many ways mimicked the growth that “Irish intellectual as well as social and economic life”. Heaney began as a ‘nuts and bolts’ type of poet and moved to become a Yeatsian figure as the national poet of Ireland.

I thought about that growth and Foster’s article when I considered the question of what happens if you seek for something and then actually get it? For instance, you may have wanted a seat at the C-Suite table as a Chief Compliance Officer (CCO) and now you have one. What happens now, for instance in the situation where you find out that your company has decided to enter a new overseas market with a new product offering? The Chief Executive Officer (CEO) who championed you coming onboard with the big boys (or perhaps big girls) team looks down and says, “We need an analysis from the compliance perspective by the end of the week?” Where do you begin?

Obviously there are some preconditions for success such as your company should have a product that you can make and sell overseas for a profit. Further, you should have the time, money and sophistication to develop an international distribution network and you have the home office infrastructure to support a truly international business. Finally, you should have a senior management with at least an appreciation of compliance challenges in the target, with the personnel, technological solutions and internal training to address and meet these challenges. As you begin to think through this assignment you fall back on the four basic questions of (1) Who will we sell to? (2) What are we going to sell? (3) Where will we sell? (4) How will we sell?

Who will we sell to?

For any anti-corruption analysis you need to begin here as the Foreign Corrupt Practices Act (FCPA) applies to commercial relationships with foreign governments or instrumentalities such as state owned enterprises. Will your end using-direct customers be foreign governments or privately owned companies? What if your customers are distributors or other middlemen who will then sell to foreign governments or state owned enterprises? What about licenses; will you need special permits to sell to a foreign government or state owned enterprise or will you need some type of basic permit simply to transact business? If your company is subject to the UK Bribery Act this public/private distinction does not exist.

What are we going to sell?

What is the product or service you wish to take internationally? I will assume your company has done the market studies to ascertain it is a viable commercial concept. If it a product, is it a complete or partial product? Will you manufacture here in the US and only sell internationally or will you manufacture abroad as well? If it is here in the US, what about spare parts and accessories, will you need to obtain any licenses overseas? What about your technology, will that component require any licenses? If you will manufacture outside the corporate offices in the US, how will you assure quality in your supply chain? Conversely, if you manufacture in the US, do your supplier agreements allow you to resell outside the US?

Where will we sell? 

This question may seem more important for export control issues; however it is also important in the anti-corruption world. Obviously this is because certain geographic areas are more prone to corruption than others. A starting place might be the Transparency International-Corruption Perception Index but you can also use tools such as the recently released TRACE Matrix which provides a much broader assessment of corruption indices and give you additional insight into a fuller panoply of corruption risks in a country. In addition to the basic corruption analysis you need to ascertain whether you can even sell your products in a new country, either because of US export regulations or the end using jurisdictions laws. You should also focus on the business culture of a country and whether it is compatible in doing business in compliance with relevant anti-corruption legislation. This will also help you in your search to find any local business partners. 

How are you going to sell?

This is one of the most important questions you can ask under a FCPA analysis. It is because well over 90% of all FCPA enforcement actions involve third parties. If this is your first international sales effort, your company probably does not have an international based employee sales force. This means you will most probably need in-country partners for your target markets. Some of the most basic sales arrangements for third parties are as follows:

  1. Agent/Sales Representative – This person or entity is an independent third party from the company. Compensation is usually commission based or combined with a periodic fee plus commission. It is generally viewed as the highest risk from the anti-corruption perspective but you will have a direct relationship with the end-using customer.
  2. Distributor/Retailer – This person or entity is an independent third party from the company. Your company will sell to the distributor/retailer who then resells your product. You will have less visibility into the end user and hence a greater export control risk. Consignment is a variation on this model but if you are warehousing you will need to be aware of other US rules such as revenue recognition under US GAAP or local, indigenous rules on storage and warehousing.
  3. Consultant – This is also an independent third party who is paid a periodic fee. The fee can be more easily assessed for an hourly or service based rather than simply a commission based fee structure.

There are some other sales arrangements that you may whish to consider. You can acquire a local business and run it as your own company. Of course if you do so, you may buy all of these liabilities, both known and unknown. You can joint venture with another local company. Here you may have the dual problems of less actual control yet the same amount of potential exposure, particularly under the FCPA if you fail to perform the requisite pre-acquisition due diligence and allow any illegal conduct to continue going forward. You can issue a manufacturing license to an in-country manufacturer and allow them to make and then sell your product using your technology. Finally, you can issue a brand license where you license an existing company to put your brand name on your product manufactured by another entity. Of course if you use any of these types of arrangements you will need to go through a full third party management cycle; consisting of a business justification, questionnaire, due diligence, contract and management thereafter.

From the internal control perspective you will need to make sure you have several key compliance related controls in place. This will include the aforementioned vetting of all customers and third parties; appropriate controls over each transaction, including both quotes and contracts; empowered and non-conflicted employees; and finally training and self-auditing. You will need separate controls over payment terms and payment mechanisms and controls to align shipping and export controls. Finally, do not forget the omnipresent segregation of duties and control over the vendor master file.

Lastly, you should focus on your high-risk points in any of the above. These include your full vetting and management of third parties. You should pay attention as to how you became aware of these third party sales representatives. You will also need to pay attention to your freight forwarders and other export control representatives. You will need to be vigilant going forward for outright bribes paid in either cash or other values such as free products, lavish travel, gifts and entertainment, especially if the travel has no business purpose.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

December 2, 2014

Sherlock Holmes and Innovation in the Compliance Function, Part II – The Sign Of Four

Sign of FourToday we honor Conan Doyle’s second Sherlock Homes novel, The Sign of Four. The novel was published in 1890 but the story is set in 1888. The story entails a complex plot involving service in East India Company, India, the Indian Rebellion of 1857, a stolen treasure, and a secret pact among four convicts and two corrupt prison guards. It presents the detective’s drug habit and humanizes him in a way that had not been done by Doyle to-date. It also has a rather happy ending as it introduces us to Dr. Watson’s future wife, Mary Morstan to whom he proposes at the end of the novel.

The Sign of Four was an intricate tale with many strands woven throughout. I thought of this novel when reading the article entitled “Leading Your Team into the Unknown” by Nathan Furr and Jeffrey H. Dyer in the December 2014 issue of the Harvard Business Review (HBR). I found their insights quite useful for the Chief Compliance Officer (CCO) or compliance practitioner who might be faced with implementing or enhancing a compliance solution for an organization. But equally interesting, were that the authors’ insights could also be used to help a CCO or compliance practitioner help move a compliance function down into the DNA of an organization to make compliance a more standard process for doing everyday commercial operations.

The authors posit that “Innovation is at heart a process of discovery, and so the role of the person leading it is to set other people down a path, not to short-circuit it by jumping to a conclusion right at the start. To lead innovation, you don’t have to be the next Steve Jobs, nor do you need to guess the future. Rather, you must carve out the mental space within which the innovation process can be carried out. How? First, by setting the expectation that innovation will push boundaries. Fashion designers often include very bold designs in their lines to inspire customers to try more-flamboyant styles. . .You need not go so far. You can push boundaries just as dramatically by demonstrating a willingness to reimagine some of your organization’s most fundamental assumptions about products, customers, and business models.”

For the CCO or compliance practitioner, I think this means that innovation in the compliance function requires a different approach to leadership than the standard command and control or even collaborative approach. For a successful CCO or compliance practitioner this is accomplished by leading compliance integration into the DNA of a company through example and not simply dictated. The authors suggest, “by asking questions rather than making decisions; clearing a path to the unknown for the innovative team rather identifying the end goal; and give people the right kind of time, the right constraints and the right tools” to come up with a solution. I found the authors implications for such an approach appropriately inspiring, “Innovative leaders can create a sustainable competitive advantage not through superiority of a particular invention but by creating an organization that can learn from mistakes faster, more efficiently and more consistently than competitors do.”

The authors provide what they call “A Comprehensive Approach to Innovation” which I have adapted for the CCO or compliance practitioner to facilitate innovation in the compliance function. It consists of four steps. 

  1. Generate Insights. The authors state, “Use questioning, observational, and networking skills to search far and wide for broad insights into problems that may be worth solving.” As a CCO or compliance practitioner, you can push compliance boundaries just as dramatically by demonstrating a willingness to reimagine some of your organization’s most fundamental assumptions about products, customers, and business models. But it means getting out there and seeking input from those outside your direct compliance function.
  1. Identify an Important Problem. Here the authors recommend “Through direct observation look for an unsolved problem or an unfilled emotional or social need that enough people have for the opportunity to be worth pursuing.” This also means giving your team an opportunity to synthesize the issues. You will need to dedicate both resources and time for the process to run its course. I recognize that all corporate employees have a day job so you will need to set aside specific time for such issue identification. In addition to providing resources and time, you will need to provide your innovation team support by removing the inevitable organizational barriers, which will be thrown up in their path.
  1. Develop the Solution. The authors advocate constructing prototypes so rather than building a complete compliance solution, quickly construct a set of simple prototypes of many different compliance tools. For each, start with a theoretical example, if that looks promising internally, move to a virtual prototype to test throughout a pre-selected business unit or process. Start with a visual representation, which could be just a drawing; next move to testing a minimum viable prototype with internal consumers of the compliance solution through the simplest, quickest physical version of the offering you can devise. Finally, pilot test the full-blown compliance solution with a wider audience, including trusted and integral third parties to your organization.
  1. Devise the Business Model. Finally, the authors note that once you have worked out the offering, apply the same experimental approach to developing and testing the components of the business model, including approaches to implementation. They suggest that there are three values to such an approach. The first is that you will have generated “insight value-that is, the insight into the unknown that comes from reducing uncertainty.” The second is “option value-the option upon resolving an unknown, to pursue, alter, or abandon a course of action.” The third is “strategic value” which is both the value derived by your internal compliance consumers but also that of all the knowledge you will have gained throughout the course of the project; what worked and what did not work and, more importantly, why.

As a lawyer who moved into compliance, I initially thought that anti-corruption compliance was a function of telling everyone the rules and having them followed. Some companies are still at this stage of compliance. However, if there is one over-riding theme that the Department of Justice (DOJ) has communicated over the years it is that your compliance function needs to constantly evolve. It certainly must evolve as the corruption risks your company encounters develop but also it should also mature as your compliance program grows and becomes more ingrained in your organization. Innovation is not a concept that comes naturally to lawyers who are generally trained to study the past (i.e. read case law precedent) and apply it going forward. The idea of innovation simply does not jive with what many believe should be a static list of rules and regulations that businesses should operate under. However, as compliance moves into its next phase and becomes the best practice of a well-run business, innovation will become more of a focus.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

December 1, 2014

Sherlock Holmes and Innovation in the Compliance Function, Part I – A Study In Scarlet

A Study in ScarletToday begins a week of double themed blog-posts. First I am back with an homage to Sherlock Holmes, for it was in the magazine Beeton’s Christmas Annual that the characters Sherlock Holmes and Watson were introduced to the world in 1887, in the short story A Study in Scarlet. The second theme will be innovation in the compliance department. I will take some recent concepts explored in the December issue of the Harvard Business Review (HBR) and apply them to innovation and development of your compliance function. I hope that you will both enjoy my dual themed week and find it helpful.

Today I begin with the first novel, A Study in Scarlet. There are two items of note that I learnt in researching this work. The first is that it was written in 1886 and even Conan Doyle had trouble finding a publisher for what went on to become the most famous detective character of all-time. The second was the title. I had always thought it referred to the color of blood but it turns out that it comes from a speech given by Holmes to Dr. Watson on the nature of his work, in which he describes the story’s murder investigation as his “study in scarlet”: “There’s the scarlet thread of murder running through the colourless skein of life, and our duty is to unravel it, and isolate it, and expose every inch of it.” Furthermore, a ‘study’ is a preliminary drawing, sketch or painting done in preparation for a finished piece.

I thought Doyle’s first work would provide an excellent entrée into today’s topic, that being leadership in the compliance function. While many compliance departments may have begun more as a command and control function, set up by lawyers to comply with anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or others; this type of leadership model is now becoming outmoded in today’s world. It is not that employees are interested in the ‘why’ they should do business ethically and in compliance with such laws but it is more that power is shifting inside corporations. In a HBR article, entitled “Understanding “New Power””, authors Jeremy Heimans and Henry Timms explore how leadership dynamics are changing and what companies might be able to do to harness them. I found them to have some excellent insights, which a Chief Compliance Officer (CCO) moving to CCO 2.0 or compliance practitioner might be able to garner for a compliance function.

The authors begin by noting that ‘new power’ differs from ‘old power’ in a bi-lateral dimension of intersection. This intersection is between the models used to exercise power and the values which are now embraced. It is the understanding of this shift in power, which will facilitate the compliance function moving more to the forefront of a business integration role. The new power models are fourfold. Under sharing and shaping a company is much more integrated with its customers and supply chain. Second is funding which continues this integration by adding a vertical component of funding, whether equity positions or some other type of funding. Third is producing in which “participants go beyond supporting or sharing other people’s efforts and contribute their own.” Finally, there is co-ownership, which is the most decentralized, pushing participation down to the lowest or most basic levels.

But beyond these new power systems, the authors believe that “a new set of values and beliefs is being forged. Power is not just flowing differently; people are feeling and thinking differently about it.” The authors call them “feedback loops” which “make visible the payoffs of peer-based collective action and endow people with a sense of power. In doing so, they strengthen norms around collaboration”.

The authors lay out five new values. They include the area of governance where the authors note, “new power favors informal, networked approaches to governance and decision making.” Next is in the area of collaboration where the authors believe that this new power value rewards “those who share their own ideas, spread those of others, or build on existing ideas to make them even better.” The next new value is DIO or do it ourselves. Under this value, there is a “belief in amateur culture in arenas that used to be characterized by specialization and professionalization.” Next is transparency which, while not a new concept, says that more permanent transparency between business and social lives will lead to a “response in kind from our institutions and leaders who are challenged to rethink the way they engage with their constituencies” specifically including their employee base. The final new value identified by the authors is affiliation, which means that new and younger employees are less like to “forge decades-long relationships with institutions.”

The authors have three prescriptions that I found could be useful for the CCO or compliance practitioner to incorporate into a mature and evolving compliance program moving forward. Compliance functions need to “engage in three essential tasks: (1) assess their place in a shifting power environment, (2) channel their harshest critic, and (3) develop a mobilization capacity.

Assess where you are

This prong is quite close to something compliance practitioners are comfortable with in their role, a risk assessment. However the authors suggest that the assessment be turned inward so you should assess the compliance function on this “new power compass—both where you are today and where you want to be in five years.” You can benchmark from other companies in responding to this query. Internally, you can begin this process with a conversation about new realities and how the compliance function should perform. More importantly such an assessment can help you identify the aspects of their core models and values that should not be changed.

Incorporate business unit interests

The authors note, “Today, the wisest organizations will be those engaging in the most painfully honest conversations, inside and outside, about their impact.” However, I think this question should be asked first by the CCO or compliance practitioner. For it is not only what you are doing to work with your business units but more importantly what are you doing to incorporate their concerns and suggestions into your compliance regime. If you are going to ask the business unit to be a significant partner or better yet be your business partner, you will need to have a mechanism in place to engage your business unit so there can be an inflow of input before the compliance function has an output of requirements. As the authors write, “This level of introspection has to precede any investment in any new power mechanisms” to which I would add any successful compliance function.

Mobilize your capacity

Here I suggest you consider contracted third parties and other third parties such as joint venture (JV) partners as an avenue through which the compliance function can bring greater benefits to an organization. I have often heard compliance expert Mary Jones talk about her training of her company’s third parties and how thankful they were that when she, Global Industries Director of Compliance, would personally travel to their locations and put on in-person training. Her efforts to travel to their locations, spend the money required to do so not only directly strengthened Global Industries’ compliance function but created allies for her efforts by giving these suppliers the information and training they needed to comply with their customers requirements. By reaching out in this manner, Global Industries used its contracted third party suppliers to create a stronger company compliance program.

As the anti-corruption compliance profession matures, it will become more a component of a company’s business function. This means less of a lawyer’s top down mentality of do it because I said to do it, to more collaboration. It also means, as with the premier of Sherlock Holmes in A Study in Scarlet that something new is on the horizon and it could be here for quite sometime to come.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014


November 21, 2014

The Strategic Use of Compliance

StrategyWhat is your company’s compliance strategy? By this I do not mean what is your company doing to put in a place a best practices anti-corruption compliance program that meets the requirement of the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. My inquiry goes both further and deeper. Has your company moved beyond the view that compliance with the FCPA is simply enough by incorporating compliance into your business strategy to secure a competitive advantage going forward? I thought about this issue when I read a recent article in the MIT Sloan Management Review, entitled “Finding the Right Corporate Legal Strategy”, by Robert C. Bird and David Orozco. While the authors posed the questions from the legal perspective, I found their insights equally valid from the compliance perspective.

While I am fairly certain that Chief Compliance Officers (CCOs) and compliance practitioners understand the need for the integration of compliance into the day-to-day business operations of a company, many business types still view compliance “as a constraint on managerial decisions, primarily perceiving” compliance as simply a cost. The authors believe that the more enlightened approach is for companies to use functions such as compliance “in order to secure long-term competitive advantage.” To do so the authors detailed five different legal strategies, which they call pathways, that companies might use that I will translate into compliance strategies. They are in ascending order of importance: (1) avoidance; (2) compliance; (3) prevention; (4) value and (5) transformation. The right strategy for your company will depend on a variety of factors such as maturity of your compliance function, commitment by senior management to compliance, your business model and the compliance function’s ability to collaborate with business managers.


This is the idiot response where a company either disregards anti-corruption laws such as the FCPA or UK Bribery Act or engages in willful blindness. Unfortunately, there are many major US and foreign corporations that have come to grief under the FCPA because they did not take some of the most basic steps to comply with these laws. It is largely because senior management believes that compliance provides “little concrete value, so they make no effort to” even acquiring knowledge in the area. Worse yet are companies who gain a modicum of knowledge about such anti-corruption laws “only so that they can circumvent it to achieve a desired objective.” The authors note that while “An avoidance strategy can sometimes be effective…it can also lead to disaster.” This lead to the compliance function and the CCO only being called in an emergency, after the conduct has occurred so that compliance is always in a reactionary mode.


This pathway means complying with laws, not the compliance function itself. Under this pathway, “companies recognize that the law is an unwelcome but mandatory constraint on their activities.” So while following this strategy would allow a company to have subject matter expert (SME) practitioners in the field of compliance, it would exist only “so the business could operate within its legal bounds.” Under this pathway, companies still view compliance as a cost to be minimized. Moreover, anti-corruption laws such as the FCPA or UK Bribery Act are “viewed as primarily inflexible—externally imposed rules that cannot be changed or adapted to suit a particular corporate strategy.” This means that business managers will simply not understand that compliance can be used to further business goals. It also leads most business unit folks to believe that compliance is the Land of No and the CCO is in reality ‘Dr. No’ who is there “primarily as a watchdog that polices corporate conduct for illegal activity.”


Under the prevention pathway, senior management acknowledges that anti-corruption laws can be used as competitive advantage “to further well-defined business roles.” This means that the compliance is proactive rather than reactive. Senior managers understand how the law relates to their business areas “and they appreciate how it can be used to minimize particular business risks.” The compliance function “seeks partnerships with managers to help them achieve their risk-management goals.” This pathway has the added benefit that allows compliance practitioners to recognize the importance of measuring and quantifying compliance issues and data “as a part of a broader effort to support a business oriented strategy.” It also means that the compliance function is available to the business unit when the competitive landscape is “strategically assessed” by the business unit. This is more than simply having a seat at the table; it is being a part of and contributing to the commercial strategy.


Companies operating in this pathway use compliance to “create tangible and identifiable value.” But to do so requires a true corporate commitment because business unit managers will need to have a strong understanding of anti-corruption compliance and how it can be tailored to generate value for the company. The CCO, and indeed the entire compliance function, must see itself “as a key stakeholder in helping the company to increase its return on investment” and should see itself in helping to create value for the company. Usually this comes about in two ways. The first is by using compliance to lower costs of doing business, particularly through third parties. Here you can think of reducing the number of vendors who perform the same services or provide the same products to you by appropriate management of your third party compliance program. The second way is by using compliance to increase revenues.


In this final pathway, a company will incorporate compliance directly into its business model. While the authors note that few companies have been able to move this far in the legal arena, those who have done so possess a rare and valuable “capability that can provide a competitive advantage that is difficult for a business rival to imitate.” One of the keys to making this transformation is that not only is compliance integrated within “the company’s various value-chain activities; it is also linked with the value chains of important external partners as part of the larger business ecosystem.” This pathway is only available to companies with the most mature compliance function and most usually when compliance is combined with “the business model and core competencies of the company.”

Clearly there is no ‘one size fits all’ approach to compliance strategies. However if your compliance program has maturity and senior management can operate with their eyes open, they will see that while the first three strategies focus on managing risk, the final two are targeted towards generating business opportunities or least have compliance as a part of the team doing so. As compliance practitioners move into the CCO 2.0 role that I have advocated, these pathways can provide you with a tangible starting point to educate senior management on what compliance can bring to the (business) table.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

November 20, 2014

Compliance Lessons From Mom

John HansonEd. Note-the below post was on the site, thefraudguy.com, which is hosted by John Hanson. I found it so moving I asked John if I could repost on my site, which he graciously allowed me to do. 


If you were wondering whether or not I had dropped off the face of the earth for the last six weeks, you guessed right.  October of 2014 was a month that, along with September 2001, I would love to utterly erase from my memory.

My mother, who had been so courageously battling cancer for the last five years, lost the battle on October 17, 2014.  Despite a contractor catching my house on fire and a kidney stone suddenly showing up, I was able to get to Bristol, VA and be with my mom before her passing.  I remained in Bristol to support my dad and help with all of the funeral arrangements.  After the funeral, I packed their house up and moved dad up to Fredericksburg, VA with my family.

As I reflected on my mom’s life and lessons, there were a few in particular that I find relevant to the work I do today, particularly in the area of compliance and ethics.  My mom was raised in a second generation Italian family in extreme poverty in New Orleans.  I recall hearing stories of how she slept together with her sister and brother in a small room where they had to take turns staying awake to keep the rats off of them.

Despite the obstacles, mom appreciated the value of hard & honest work, education, and selfless service.  Working various jobs, she put herself through nursing school and began what became a forty-one year long career as a nurse.   Mom’s nursing accomplishments were of no comparison with Nobel Prize winners and will never be remembered outside of the small circles of those whom they affected, but they are nonetheless as profound and meaningful, both to those affected and to those who might see in her life and work the impact and role of a positive high ethical tone and commitment to always doing what was right and in the best interests of her “customers” – her patients.

My mom always stressed the importance of honesty and showed me the benefits of it every time I owned up to something I did wrong as a child.  As long as I was honest about my mistakes, the punishment was appropriately reduced.  Thank God – or I would still be in “time-out” some forty years later!   That is a lesson I have carried all my life and am trying hard to pass on to my children, as well as those with whom I work.

Positive ethical tone within an organization begins with honesty.  And ends with dishonesty.

An effective compliance & ethics program will include on-going education and training.  While my mom worked hard to put herself through school to become a nurse, she never stopped her education there.  Over the course of her career as a nurse, she took on many new challenges/specialties, some of which she did pioneering work in.  The lesson is that education never stops.  We never stop learning and we always have room to learn more, regardless of where we are now in our lives and careers.  Compliance training IS on-going education.  It is not checking a box.

Being a nurse is among the most altruistic jobs one might have.  Caring for those who, in many instances, can’t care for themselves.  Helping them with the most humbling and/or simple tasks – many tasks that even family might shy away from.  Not losing sight of their human dignity and treating them with respect, even as they lost respect for themselves.  My mom was always a champion of the patients, even when being so was not always in the financial best interests of the hospital or kindly looked upon by her superiors.  As best as I know, mom never had to deal with any “corporate” fraud issues as a nurse/employee, but she certainly had her share of ethical issues.  Sometimes described as a “firecracker” when it came to advocating for her patients, I am sure mom upset her share of hospital superiors of lesser ethical constitution over the years.

It’s a great lesson for us.  By placing greater value on what we do and doing things right (rather than on where our stock price is), we find a more fulfilling and long-lasting success.  When someone acts unethically or engages in some sort of misconduct, we have to speak up – until somebody listens.

I recall with both joy and sadness a little boy named Stephen, who was a cancer patient under my mom’s care in a pediatric intensive care unit.  I was living far away at the time, working as an FBI Agent.  In caring for Stephen, my mom had learned that he had dreamed of one day becoming an FBI Agent and so she asked that I might visit him when I next came to town – in fact, she made certain to remind me of it MANY times as I planned my next visit!

When I got to town, my mom made sure that the hospital was my very first stop.  She also insisted that I wear a suit – my official FBI Agent “uniform.”   After Stephen’s chemo treatment(s) that day, she rolled him in a wheelchair to a private little waiting area where she had asked me to wait.  Stephen was probably about ten years old and his cancer was terminal – in its latest stage.   It was obvious that this child had suffered much and long, and was still in pain.  He didn’t have a single hair on his head and maybe weighed forty pounds in all his clothes.  Yet when my mom introduced me as her FBI Agent son, he lit up like a Christmas tree.  My mom and Stephen’s mom left briefly, so that we could have our “top secret debriefing.”  I let him hold by badge and credentials, let him see my handcuffs and the gun holstered on my hip, and answered every question he could muster the strength to ask – and many that I knew he would ask if he could.

When our time was over, I gave Stephen an official FBI t-shirt, a junior FBI Agent badge, some FBI pens, and other little things that I can’t even remember – though they meant the world to him.  I learned a couple months later that Stephen had passed and that he had specifically requested that he be buried in that FBI t-shirt that I gave him.  To this day I can’t think about that without tearing up.

This is just one example of how my mom took the time to listen to her “customers” and to appropriately do more for them than what just her job required.   She got no honors, medals, promotions, mentions or bonuses for this – and that was fine by her.  The joy brought to Stephen was priceless.

I’ll miss you mom.  Thanks for all you did for me and for everyone you touched.  I hope I can pass on the lessons I learned from you to my children as well as you passed them on to me.  I also hope that I might follow your example(s) with the same humble obscurity as you sought and that I might touch just one tenth of the number of lives that you did.

Tell Stephen hello for me.

November 12, 2014

John Doar and the Bio-Rad FCPA Enforcement Action – Part II

John DoarJohn Doar died yesterday. He was perhaps most famously known for his role as the House Judiciary Committee Chief Counsel during the investigation of and impeachment proceedings against then President Nixon. However, it was his role in the civil rights movement in the South that in large part inspired me to become a lawyer. He rode with the Freedom Riders in Alabama; walked with James Meredith so that he could register to attend the University of Mississippi, then stayed in the same dorm room with Meredith while the campus rioted; prosecuted the KKK in Mississippi after the murder of three civil rights workers in 1964; and marched for voting rights with Dr. King in Selma. My favorite John Doar story was retold in his obituary in the New York Times (NYT), where he stopped a riot in its tracks with the following ““My name is John Doar — D-O-A-R,” he shouted to the crowd. “I’m from the Justice Department, and anybody here knows what I stand for is right.” That qualified as a full-length speech from the laconic Mr. Doar. At his continued urging, the crowd slowly melted away.”” In my book, he is right up there with Atticus Finch.

In an earlier post, I reviewed the Bio-Rad Laboratories, Inc. (Bio-Rad) Foreign Corrupt Practices Act (FCPA) enforcement action from the perspective of the Non-Prosecution Agreement (NPA) the company was able to secure with the Department of Justice (DOJ). Today I want to review the bribery schemes that the company used to either internally fund the bribes or attempt to evade internal detection. Both the NPA and the Securities and Exchange Commission’s (SEC) Order Instituting Cease-and-Desist Proceedings (Order). The compliance practitioner can use these bribery schemes not only for FCPA training but also to see if any such schemes or their indicia may be present in your company.

Initially I need to discuss the corporate structure. It was apparently quite decentralized. According to the Order, “Bio-Rad’s international sales organization (“ISO”) oversees the company’s international sales operations; this includes all locations outside the United States and Canada. In 2009, the ISO consisted of four sub-divisions: (1) Western Europe; (2) Asia Pacific; (3) Japan; and (4) Emerging Markets. Each sub-division had a general manager, reporting to the vice-president of ISO. The Asia Pacific sub-division included Vietnam and Thailand. The Emerging Markets sub-division included Russia and other eastern European countries. Some countries within the sub-divisions had a country manager who reported to the ISO sub-division general manager.” Emerging markets is clearly a high-risk area for pharmaceutical companies. If your business development or sales organization has such a designation, I would suggest that you check and see if there are sufficient protections in place to at least raise any red flags, which might need further investigation.

However, it was more than the management structure of the business operations that was decentralized, the compliance function was similarly structured. The NPA stated, “BIO-RAD also decentralized its compliance program such that its international offices were responsible for ensuring adequate compliance with its business ethics policy and code of conduct.” This decentralization so defanged the company’s compliance program that it could not perform even the most basic functions of a compliance organization; no due diligence on third parties, indeed no management of third parties at all from the compliance perspective; no risk assessments were performed and, finally, the most damning was that the compliance function could not even ensure compliance with the company’s own business ethics policy.

The Russia Scheme

However the company used third party representatives to facilitate the bribery scheme. In addition to the lack of due diligence or usual steps that a compliance practitioner might put in place to manage third parties under the FCPA there were several other items of note which constitute lessons learned by the compliance practitioner. First and foremost was the commission rate paid to these third parties, that being between 15%-30%. This alone may well have been enough to demonstrate “a conscious disregard for the high probability that the Russian Agents were passing along at least a portion of their commissions to Russian government officials to obtain profitable public contracts for the sale of medical diagnostic equipment.” Further, the payments made to these agents were sent to countries outside Russia, where neither the alleged services were delivered nor where the agents were legally domiciled. Moreover, not only did these agents have no offices in Russia, they had no employees in Russia either.

Apparently there were contracts in place with these agents. The services these agents were specified to deliver included, “acquiring new business, creating and disseminating promotional materials to prospective customers, distributing and installing products and related equipment, and training customers.” But it really is hard to deliver services if you have no employees. Apparently there were times these agents did deliver something identified as “distribution services” for the commission rates between 15%-30%. However the estimated value of these services for the company was between 2%-2.5% of the total sales.

Another area of obvious concern should have been the pre-payment of commissions to these agents. Any time you pre-pay before a service is delivered (other than a retainer into a lawyer’s trust account) you can potentially run into trouble. But Bio-Rad took it a step further by making pre-payments before contracts with the ultimate buyer were negotiated. Any ideas where those pre-paid commissions might have gone? Another area was the amount of the commissions. They were just less than $200,000, which happened to be the authority level of the head of Bio-Rad’s Emerging Markets business unit. So there was no oversight or second set of eyes on these pre-payments because it was within the manager’s authority level. Finally, these pre-payments were actually forbidden under the contracts but they were made anyway.

The Vietnam Scheme 

The Vietnam Country Manager had contracting authority up to $100,000 and sales commissions up to $20,000. From 2005-2009 Bio-Rad apparently paid bribes directly to health care workers so they would purchase the company’s products. When it was pointed out to the Country Manager this was illegal, he simply moved to a distributor “at a deep discount, which the distributor would then resell to government customers at full price, and pass through a portion of it as bribes…Between 2005 and the end of 2009, the Vietnam office made improper payments of $2.2 million to agents or distributors, which was funneled to Vietnamese government officials. These bribes, recorded as “commissions,” “advertising fees,” and “training fees,” generated gross sales revenues of $23.7 million to Bio-Rad Singapore.” 

The Thailand Scheme

In Thailand, it was an almost mundane bribery scheme involved compared to Russia and Vietnam. Bio-Rad acquired an interest in a Thai Joint Venture (JV) through an acquisition where it performed “very little due diligence” on the JV. Bio-Rad acquired a minority interest in the JV and it did not communicate directly with the JV’s distributors but only through the majority owners of the JV. The bribery scheme was funded through “an inflated 13% commission, of which it retained 4%, and paid 9% to Thai government officials in exchange for profitable business contracts.” The due diligence was so poor that Bio-Rad did not know that the prime third party sales representative for the JV were the same majority owners of the JV.

Tomorrow, I will discuss some of the internal controls that a company might employ to help prevent such a compliance failure as occurred at Bio-Rad.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

November 3, 2014

Giants Join Pantheon of Greats Through the Confluence of Culture and Strategy

Giants Win WSLast week the San Francisco Giants won their third World Series championship in five years. This elevates them into the conversation of the Pantheon of elite teams over the past 50 years. Only the New York Yankees (1998-2000) and the Oakland Athletics (1972-1974) can top the Giants for Worlds Series won in such a time frame. Sorry Red Sox nation, 3 titles in 10 years does not elevate you to the Pantheon, only to the very good. So congratulations to Series MVP Madison Bumgarner, most especially former Astro Hunter Pence, the rest of the team and Giants fans everywhere for having a team for the ages.

One of the things that I love about sports is when a player has a streak, game or season for the ages. We had one from Giants pitcher Madison Bumgarner this Series. Initially it appeared that he would have three wins to his credit, with one earned run. That record would have put him in the company of fellow Giant (albeit New York Giant) Christy Mathewson, who in the 1905 World Series pitched three complete shut-out games in six days. I say it appeared that Bumgarner had nearly equaled Mathewson’s record after his relief appearance in Game 7 where he shut down the Kansas City Royals. However after the game the Official Scorer changed Bumgarner’s Win to a Save. This change dropped Bumgarner into a two with Cincinnati Reds reliever Rawley Eastwick who won two games and saved one in the 1975 World Series. While he did not equal Mathewson’s 0.00 ERA with 3 wins and no losses, he did have a 0.25 ERA with 2 wins and 1 save.

How is it that Bumgarner went from having a Win to being credited with a Save? In an article in the New York Times (NYT), entitled “Win or Save” A Rule with Room for Judgment”, Benjamin Hoffman reported that “In general, if a starting pitcher does not complete five innings, and the score is tied, a victory is assigned to the pitcher of record when the lead changed hands. The exception is when the scorer determines the reliever of record was ineffective. While guidance is given that an ineffective outing would involve a pitcher going less than one inning and giving up two or more runs, Rule 10.17(c) states that it is up to the scorer to determine ineffectiveness.” The Giants relief pitcher immediately before Bumgarner was Jeremy Affeldt, who came into the game with “with runners on base, and pitched well for two and a third innings”. The original Scorer’s ruling was overturned and Affeldt was credited with the Win.

I thought about the Giants win and Bumgarner’s near mythic World Series run as I read a couple of articles in the Houston Business Journal (HBJ) dealing with culture and strategy and their implications for the compliance practitioner. The first was on CEO leadership and it featured Ryan Lance, the Chief Executive Officer (CEO) of ConocoPhillips. He detailed a leadership style that is relatively straightforward. He called it DAM, which he defined as Direction, Align and Motivate. This is a good way for any compliance practitioner to not only think through the implementation of a compliance enhancement or task but equally it should give a manner to use with senior executives to help them to understand their role in the compliance function in your company. Interestingly in the same article, Keith Mosing, CEO of Frank’s International, was quoted for the following, “No. 1 is integrity. I just can’t stress that enough. There are guys who are smarter, but if you don’t have morals and ethics, it’ll backfire on you.”

I considered these two approaches as I read the second article, which dealt more directly with execution of strategies, often the bane for a Chief Compliance Officer (CCO) or compliance practitioner. Why a bane? Because at least since Peter Drucker it has been observed that “Culture eats strategy” where it is the company culture which dictates how and when something might get done. This second article was by Connie Barnaba, entitled “Don’t let company culture eat you”, where she stated “Many brilliant strategies have fallen prey to culture because they fail to recognize that persuading people to accept a new way of doing things is…complicated.”

Company culture is what gives employees clues to what is important and how to act. Business strategy usually means something to change that culture. In the compliance arena this can mean changing the cultural imperative in a country or region that may have existed far before the US Company, subject to the Foreign Corrupt Practices Act (FCPA), came to exist in that location. A big part of any best practices compliance program is to recognize that changes in a business environment will lead to changes in the compliance risk. This change can be in products or services that are offered; locations where they are delivered or a new client base which might include foreign governments or state-owned enterprises. To meet these new compliance risks, there may need to be changes or enhancements to a compliance regime. However, such changes could fail because “they fail to recognize that persuading people to accept a new way of doing things over what is familiar is complicated.” To effectively execute a business strategy change to accommodate a new compliance initiative, a CCO or compliance practitioner should have a clear understanding of not only your company’s culture but also the cultures of the specific business units or geographic areas where you are making the enhancements. You will also need to understand the expectations of the key talent who will assist the compliance department in making the changes.

Finally Barnaba cautions against surprise, about the most detested thing I ever saw in a company. She wrote, “The element of surprise and little or no enemy resistance are the two weapons that make culture a formidable adversary. A business strategy that understands culture and has a well-considered battle plan is likely to overcome the attack and achieve the strategic goal. At the end of her piece, Barnaba provided seven best practices for effective strategy execution, which I have adapted for the compliance function.

  • Identify the changes that are critical to the execution of the compliance strategy.
  • Determine the people, processes and technology that will be impacted by the compliance enhancements.
  • Predetermine how the compliance enhancements will be received by the people who will be impacted by the changes.
  • Manage the business units’ expectations by giving clear reasons for the changes.
  • Provide compliance support to those in the business unit who will be most heavily impacted by the changes.
  • Share your timeline for implementation, including any transition period and the clear expectation of when the business unit will be measured on any change in performance standards.
  • Establish the transitional goal and then exceed it.

I think the Giants showed that compliance and strategy can not only exist together but together they can lead you to succeed at the highest levels. The message is that you have to work to integrate both but if you do, the results can be nothing short of spectacular.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 23, 2014

Five Quick and Easy Ways To Sabotage Your Compliance Training

Chris BauerEd. Note-today we have a guest post from noted ethics and compliance expert, as well as steel guitar player, Chris Bauer.

Okay, you know that you need to have effective compliance training but do you really know what will actually make it effective? The reality is that far too many compliance training program fail on multiple counts. With compliance as critical as it is, that is unacceptable. Thankfully, there are a few areas which, if attended to well, can correct many of the most-frequently seen problems with the development and execution of these programs.

Here are five of the areas I see getting missed time after time in compliance training programs.

Do you actually have a solid, working definition of what compliance is? I see ethics, compliance, and accountability as being ‘cross-defined’ all the time. Do they inter-relate? Absolutely and it’s even a great idea to inter-relate them in your training. However, until you are clear about what you mean by all three of those terms, your training will leave employees confused and confusion is never good for compliance training…

To Do – Find or create definitions for all three of these terms that are clear, concise and, above all, practical. The moment these terms become hazy or academic you have already lost too many of your employees’ ability to build your ideas into their minute-to-minute, day-to-day practices. Also, be sure to use language that fits the culture of your organization. Just because something sounds good in another organization – or another part of your organization – doesn’t mean that it will work for anyone, let alone everyone, in every corner of your company. This is one of the many reasons that ‘one size fits all’ training is rarely effective. Different parts of your organization are likely to need things said and demonstrated in different ways. You have the choice; you can whine about the inconvenience of that or go about creating a great compliance training program.

Is your training practical? An awful lot of compliance training is little more than a coma-inducing parade of Powerpoint slides with the rules, regulations, and, perhaps, a few key updates. Is that information critical? Perhaps so. However, for starters be sure that the information really is critical before overwhelming employees with so much information that they can’t actually retain it.

To Do – Always build in opportunities for employees to ask how your training really applies to what they do on the job. If they can’t fully see the behaviors in which they are and are not to engage – or if they don’t believe those behaviors are possible in their circumstances – your training has missed the mark. Also, remember that employees are unlikely to tell you spontaneously that they don’t think they can do what you’re asking of them. Be active in seeking out feedback on not only their level of understanding of the material but, as importantly, their confidence that they can do what you’re asking of them. If they don’t think they can do it, it is your job to help them figure out how to deal with any roadblocks – real or perceived – they might see.

Are you simply transferring information or are you providing employees with solid ideas and tools to put the rules and regulations into practice? If you want a culture where compliance is topmost in your employees’ minds, they had better be able to first mentally retain and then apply the mandated rules and regulations. If you aren’t helping them apply what you’re telling them, it will have been an entirely academic exercise.

To Do – Here again, everything you train on needs to have clear, ‘do-able’ behaviors attached. Employees have to know exactly what they need to be doing to bring your compliance program to life. It’s not enough for you to believe that they ought to be able to figure it out; they really need to know and they need to hear it from you. (Mind you, they may also have ideas you haven’t thought of yet. Great! Just don’t pretend it isn’t your job to help them figure it out.)

Are you creating information overload? True, there’s a lot out there that your employees will need to know about compliance. However, are you giving so much in each sitting that it simply can’t be retained? Again, if they can’t retain the information – or, at least, find it easily – they certainly can’t put it into practice. Consider providing training in smaller, on-going chunks. Less time-efficient? Maybe. However, that will more than pay off in having your employees actually recall and apply what they’ve been trained on.

To Do – Remember that smaller chunks of information ‘stick’ better. Further, information that clearly has practical applications does the same. Work to avoid simply smothering employees with regulatory and oversight information. Make it real for them by providing it in digestible, easily recalled, practical chunks. Here again, whine if you like about this being inconvenient but the facts remain; you need to attend to this if you really want your compliance training to be effective.

Are you making compliance a tool for your employees’ personal success? I see a lot of organizations doing a fine job of conveying to employees how their bottom line can be wildly, adversely affected by compliance problems. However, they fail to show employees how compliance is important to them personally. Sure, we all want our employees to put our organization first but, really, is that realistic? If your goal is to motivate employees to attend to compliance – and that had better be one of your goals – you’ll get far more bang for your buck if you can help them see how their lives and careers will be easier/better if they keep their mind on compliance.

To Do – Without your employees, your organization would quite literally be nothing. They are already contributing all day, every day, to the success of your organization. Make compliance training – along with every other training your provide – a tool that they can use for their personal success as well. Maybe that success has to do with advancement, maybe it has to do with some kind of incentive. At the rock bottom, it has to do with them keeping their job. The point is that there will always be ways you can think of to help them see that a focus on compliance is as much for their personal benefit as the company’s. Do your homework and figure out what those motivations are for your employees. It will not only make your training a whole lot more effective, it’s a nice thing to help your employees be successful, yes?

It is all-too-easy to overlook all five of the above requirements for effective compliance training. In fact, by ignoring them, it will be far easier for you to create your training program; just throw a bunch of regulatory requirements onto a Powerpoint presentation or webinar and slam through it for as long as it takes. You will, in fact, be telling your employees what they are required to hear. If, however, your goal is to not sabotage your training and actually get employees to take action and create a culture where compliance is top-of-mind, ignore any of the above five concerns at your own risk.

Christopher Bauer is an expert on creating cultures of ethics, compliance, and accountability. Information on his programs as well as his Trust Foundry blog can be found at www.ChristopherBauer.com. Information specific to his programs on professional ethics can be found at www.BauerEthicsSeminars.com. In addition to speaking, training, and consulting on creating cultures ethics, compliance, and accountability, he publishes a Weekly Ethics Thought seen by thousands or readers worldwide. Free subscriptions are available by visiting either of his websites.

October 13, 2014

Ringo, Sir Paul and an Effective Compliance Program

Paul McCartneySometimes the universe converges in ways that are beyond my simple comprehension. This past weekend was one of them. It began a few months ago when I saw an advertisement from StubHub that showed Ringo Starr playing in Houston on October 10 and Sir Paul McCartney playing in New Orleans on October 11. I figured if the two surviving members of the greatest rock and roll band in the history of the world were going to play on two consecutive nights it was a sure sign from the Oracle of Rock ‘N Roll that I was intended to attend both, lest I tempt a fate worse than going against an entity nearly as powerful as the Oracle of Delphi. Moreover, the Friday concert coincided with the birthday of my little sister who happened to be in town and one of the planets biggest Beatles fans, it made the convergence complete. Ringo Starr

I also learned two completely new and unrelated facts this weekend. The first is that a native of Liverpool, England, is called a ‘Scouser’. That comes from my Liverpudlian friend Pam, who also introduced me to the Liverpool Football Club. The second is that my wife is a closet Mr. Mister uber fan, who rocked out as a teenager to this group in the early days of MTV. On reflection that is perhaps the more odder convergence.

While there is clearly a reason Ringo Starr tours with true musical all-stars and Sir Paul McCartney has been raised to the peerage for his musical prowess, in many ways the Ringo Starr concert was the bigger revelation. I had wondered how Ringo would fill out an entire concert. He did it by surrounding himself with musicians fabulous in their own right. They included: Steve Lukather, former lead singer from Toto on vocals, lead and rhythm guitar; Gregg Rolie, former keyboardist from Santana and Journey on vocals, organ, keyboards; Richard Page, former lead singer from Mr. Mister, on vocals and bass guitar; and finally, best and certainly not least, Todd Rundgren on vocals, lead and rhythm guitar, bass guitar, percussion, harmonica and, occasionally, even keyboards.

So in addition to Ringo singing his standards of Photograph, It Don’t Come Easy, Yellow Submarine and (of course) With a Little Help From My Friends. We also got to hear songs first released by Santana, Toto, Mr. Mister and some great Todd Rundgren hits. The group clearly loved playing and jamming with each other. Further, these other groups’ songs were great fun to hear and as they may never reform, I would not otherwise have the chance to hear them performed lived.

Sir Paul McCartney. You really do not have to say much more. His concert did not exceed my expectations because they were about as high as expectations could have been. He seriously rocked out for over three hours, playing everything from the earliest Beatles songs up to a ballad for his latest wife. I cannot remember ever attending a concert where everyone one in attendance knew the words to every song but we all did and we all sung them all the way through the entire show.

What is the compliance angle to all of this? Just as there is more than one way to put on a great concert, there is more than one way to have an effective compliance program. This continual message from the Department of Justice (DOJ) came again earlier this month through remarks by Assistant Attorney General for the Criminal Division, Leslie R. Caldwell, at the 22nd Annual Ethics and Compliance Conference, where she made clear that while the FCPA Ten Hallmarks of an Effective Compliance Program is one set of guidelines for an effective compliance program, there is no “one-size fits all” compliance program. She laid out another way to think through, review and analyze your compliance program. 

  1. High-level commitment. A company must ensure that its directors and senior management provide strong, explicit, and visible commitment to its corporate compliance policy. Stated differently, and again, “tone from the top.”
  1. Written Policies. A company should have a clearly articulated and visible corporate compliance policy memorialized in a written compliance code. Again, employees need to know what to do–or not do–when faced with a tough judgment call involving business ethics. Companies need to make that as easy as possible for their employees.
  1. Periodic Risk-Based Review. A company should periodically evaluate these compliance codes on the basis of a risk assessment addressing the individual circumstances of the company. Companies change over time through natural growth, mergers, and acquisitions.
  1. Proper Oversight and Independence. A company should assign responsibility to senior executives for the implementation and oversight of the compliance program. Those executives should have the authority to report directly to independent monitoring bodies, including internal audit and the Board of Directors, and should have autonomy from management. Compliance programs needed to be funded; they need to have resources. And they need to have teeth and respect within the company.
  1. Training and Guidance. A company should implement mechanisms designed to ensure that its compliance code is effectively communicated to all directors, officers, employees. This means repeated communication, frequent and effective training, and an ability to provide guidance when issues arise.
  1. Internal Reporting. A company should have an effective system for confidential, internal reporting of compliance violations. I know that many companies have multiple mechanisms, which is good.
  1. Investigation. A company should establish an effective process with sufficient resources for responding to, investigating, and documenting allegations of violations. What this means on the ground will depend on the company. A sophisticated multi-national corporation obviously will be expected to have more resources devoted to compliance than a small regional company.
  1. Enforcement and Discipline. A company should implement mechanisms designed to enforce its compliance code, including appropriately incentivizing compliance and disciplining violations. Further, the response to a violation must be even-handed. People watch what people do much more carefully than what they say. When it comes to compliance, you must both say and do.
  1. Third-Party Relationships. A company should institute compliance requirements pertaining to the oversight of all agents and business partners. This cannot be emphasized strongly enough.
  2. Monitoring and Testing. A company should conduct periodic reviews and testing of its compliance code to improve its effectiveness in preventing and detecting violations. Kick the tires regularly. As I said, compliance programs must evolve with changes in the law, business practices, technology and culture.

Caldwell also emphasized that as important as the compliance program itself; the implementation is also reviewed and evaluated by the DOJ. When the DOJ investigates a case, they look at the messages about compliance that are given to employees; they look at what employees are told in their day-to-day work. This means the DOJ will look at emails, chats, and recorded phone calls. They will interview witnesses about the messages they received from their supervisors and management to determine if they received messages about compliance, or about making money at all costs.

Another consideration for the DOJ is incentives. The DOJ will examine the incentives that a company provides to encourage compliant behavior – or not. This means that if a company is actually encouraging compliance, if its values are to be ethical and within the law, this message must be conveyed to employees in a meaningful way. If not, it is likely that the DOJ will not view the compliance program as credible. Interestingly, Caldwell said that sometimes the effective implementation of a compliance program means standing apart from the other companies in your industry.

Just as Ringo and Sir Paul ably demonstrated, there is more than one way to put on a great concert. They both assessed their strengths and weaknesses and used that information to put great bands around them illustrated their strengths. The same is true in the world of Foreign Corrupt Practices Act (FCPA) compliance. The key is to review and assess your compliance risks and then manage them. And, as always, Document, Document, and Document whatever you do so that if a regulator comes knocking, you can demonstrate evidence of the above.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014




Next Page »

The Rubric Theme. Blog at WordPress.com.


Get every new post delivered to your Inbox.

Join 4,878 other followers