FCPA Compliance and Ethics Blog

January 31, 2011

And Then There Were None-JGC Settles

Filed under: FCPA — tfoxlaw @ 8:36 pm

The blog site International Construction reported on January 31, 2011, that the Japanese company JGC announced it has agreed to pay a $244 million penalty to the Department of Justice (DOJ) to resolve charges related to the Foreign Corrupt Practices Act (FCPA) for its participation in a decade-long scheme to bribe the Nigerian government.

If this settlement is correct, the JGC resolution leads to an update to the monetary count paid to the US Treasury for the resolution of the Nigerian Bribery Scandal with the following Box Score:

SETTLEMENT BOX SCORE

Entity Fine, Penalty and Disgorgement of Profits
Halliburton + KBR $579 Million
Snamprogetti & ENI $365 Million
Technip $338 Million
JGC $244 Million
Total $1.526 Billion

So for those of you keeping score at home, there have been fines, penalties and profit disgorgement of over $1.526 billion. All of this for bribes paid on, by, or on behalf of, the four-company joint venture named TSJK, which totaled up to $180MM. This JV won four contracts, worth more than $6 billion, from the Nigerian government between 1995 and 2004 to build LNG facilities on Bonny Island.

This total settlement figure does not include any potential costs going forward such as reduction of credit ratings, the payment of legal fees and any forensic accounting fees during the pendency of the Deferred Prosecution Agreements (DPAs). The costs listed above do not include the total cost paid by JGC for its internal company investigation into this matter. However, based upon the reported fees to date paid by the other defendants, these investigation fees will surely be in the tens of millions of US$. Additionally the above Box Score does not take into account any fines or penalties paid by individuals, or the recent spate of fines paid by the defendants, to the Nigerian government. These last two sets of penalties will be explored in a subsequent blog.

As previously pointed out by the FCPA Professor, the amount of the settlement figure is quite a pretty penny for the US Treasury. He poses the question as to whether FCPA enforcement has become a “cash cow” for the US Treasury. As he has noted, this investigation started in a court in France, yet all the monies for fines and penalties are going to the US Treasury.

This question was also explored in a MainJustice posting by Chris Matthews, where he discussed the UK policy of making available some of the fines and penalties it collects as reparations to the country where the violative conduct occurred. Recently, the UK Serious Fraud Office (SFO) announced it would pay to the government of Tanzania almost €30 out of the BAE Systems resolution of its bribery and corruption matter.  Matthews reported Director Richard Alderman as saying “that compensating victims of corruption is a priority for the [SFO]”.

The DOJ takes a different view on the subject of reparations. Mark Mendelsohn, the former head of the US Justice Department’s Foreign Corrupt Practices Act team, was quoted as saying, “There is a grave danger that you’re returning money to the very people that took bribes in the first place. The last thing one wants to do is fuel corruption in the name of fighting it.” Billy Jacobson, a former assistant chief on the US FCPA team and now Chief Compliance Officer at Weatherford International, had a more nuanced view back in March 2010, when he told MainJustice, “We’ve thought at DOJ from time to time about giving restitution, giving money to some of these governments.” He went on to say, “The problem is, almost by definition, you’re talking about corrupt governments. So we decided it really wasn’t the way to go. Maybe in some FCPA cases it is OK and in others it’s not, but as a matter of course DOJ doesn’t do it that way, and the SFO decided to do it that way.”

To quote Agatha Christie –  and then there were none…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

 

Internal Controls Under the FCPA

Most Foreign Corrupt Practices Act (FCPA) practitioners understand the requirement for a compliance policy under the FCPA. However, many practitioners, particularly lawyers practicing in the compliance field, do not understand the requirement for proper Internal Controls. Generally speaking, Internal Controls are policies, procedures and training which are installed to ensure that a business’s assets are utilized in an appropriate manner, with proper oversight and approval, and that all company transactions are properly recorded in its books and records.

We have previously discussed the new book by Aaron Murphy in the FCPA arena entitled, “Foreign Corrupt Practices Act – A Practical Resource for Managers and Executives”. In this work, Mr. Murphy opines that Internal Controls can be delineated into five concepts, which are as follows:

I. Risk Assessment – A company should assess the compliance risks associated with its business.
II. Corporate Compliance Policy and Code of Conduct – A company should have an overall governance document which will inform employees throughout the company, of the conduct the company expects from an employee. If the company is global/multi-national, this document should be translated into the relevant languages as appropriate.
III. Implementing Procedures – A company should have a written set of procedures in place that instructs employees on the details of how to comply with the company’s compliance policy.
IV. Training – A company should have a training program in place to confirm that employees understand their obligations under the compliance policies and procedures.
V. Monitor Compliance – A company must test, assess and audit to determine if its compliance policies and procedures are a ‘living and breathing program’ and not just a paper tiger.

While all of the above may seem covered by the US Sentencing Guidelines, as the best practices of any robust compliance program, the lack of Internal Controls can bring serious consequences to any company found violating the FCPA. The failure to maintain proper Internal Controls can bring a separate civil charge, brought by the Securities and Exchange Commission (SEC). Such a charge can lead to a fine, injunction and profit disgorgement.

With the above in mind, we would propose, as a starting point for the FCPA practitioner, our own five questions to start the assessment of your company’s internal controls. They are:
1. What accounting processes, if any, occur outside your home office and at how many locations?
2. What ERP/financial accounting software system is used? Is the same system used at each location where accounting is performed?
3. Who are the independent auditors and for how many years have they been performing audits for the Company?
4. Has there ever been an independent assessment of Internal Controls, other than what is done in connection with the independent audit?
5. Has there ever been fraud detected in the Company?

While Internal Controls is often seen as the step-child in any FCPA compliance discussion, we believe that Internal Controls should be seen as a bulwark in a best practices compliance program to prevent, detect and help remedy any situation which may be violative of the FCPA. We would also note that robust Internal Controls is also considered to be a key component of any adequate procedures under the UK Bribery Act. We hope that the five questions we have listed above may be a good starting point for you to begin to assess your company’s Internal Controls.


January 27, 2011

FCPA and Bribery Act Compliance in the Global Supply Chain

Ed. Note-recently Harriet O’Brien, Program Director for Compliance in the Global Supply Chain, spoke with Adrian Mebane, Director of the Ethics and Compliance Group for Weatherford International Ltd., on issues relating to compliance in the global supply chain. The views stated herein are those of Mr. Mebane and not his employer. With permission, we reprint the issue on this posting.

Why is it important to focus on compliance in the context of the global supply chain?

In the various countries in which we operate, we’re always on the lookout for particular supply chain issues, specifically as they relate to procurement activities. We may encounter individuals not abiding by our procurement policy; either the global procurement policy that’s in place or the procurement policies in respective countries. By that I mean that vendors and/or suppliers may not have been selected appropriately, in that the business neglected to follow competitive bidding practices such as failing to obtain three quotes/bids or failed to have a clear segregation of duties. These practices can lead to an individual selecting a vendor or supplier in which they may have some sort of ownership interest or by showing preferential treatment to a company in which that individual’s family or friends may work. These conflicts of interest can potentially lay a foundation for code of business conduct violations. I’d say that these are some of the prevalent compliance issues companies encounter from a supply chain context.

Whilst these types of incidents thankfully do not expose companies to the same level of risk as other forms of corruption like improper payments and gifts to government officials in order to obtain or retain business, they certainly can create headaches to operations and impact its bottom line. When we initiate investigations into these matters, we conduct interviews and assess the sufficiency of the relevant documentation to attempt to determine if the business may be paying above market for goods and services and if so, whether employees may have inappropriate relationships with vendors. We can then recommend remedial measures to ensure that the business is getting competitive rates, the best services and that the process in doing so is an efficient one. These supply chain issues come to our attention in a variety of ways but predominately via ‘Listen Up’, our anonymous hotline. As a result, and when we’ve been able to fully investigate these allegations, the majority of these matters have resulted in some form of disciplinary action, ranging from letters of reprimand to termination. Procurement involving vendors and suppliers is something to which our business units and product lines are keenly sensitized and an area of which our compliance team is acutely aware.

What would you say is the biggest challenge or risk for oil and gas companies with regards to compliance?

I’d say the biggest challenge or risk for many, if not all oil and gas companies, will always be with respect to 3rd parties and intermediaries acting on a company’s behalf in dealings with covered persons. We all do business in the “high risk” countries with reputations for corruption and we’re all somewhat reliant on sales agents, consultants and brokers in many of these countries. Many of the DOJ and SEC FCPA settlements we hear about started because of some bad act or acts by an agent for that company. Obviously, if you’re going to engage a 3rd party, the company must perform comprehensive due diligence and do all it can to have that 3rd party abide by its compliance policies.

How will the UK bribery act change the compliance landscape?

It will change the compliance landscape certainly but to what extent, it’s hard to tell. Many articles and FCPA practitioners refer to the UK Bribery Act as the “FCPA on steroids”. The Act incorporates many of the same elements that the FCPA has, but the envelope’s been pushed in some respects. For instance, the Act prohibits facilitation payments, although typically illegal in the countries where they’re being made anyway, there is at least the room within the FCPA to allow these “grease payments”. Serious Fraud Office (“SFO”) prosecutors will likely enforce this standard in a realistic and practical fashion but many companies are concerned. Given the fact that Weatherford operates in over 100 countries, we’ve banned facilitation payments at our company but for situations where employees are faced with an imminent threat to bodily harm and felt that it was just cleaner to do so. Keep in mind also that the Act provides a defense for companies with robust compliance programs and those companies, humbly, like Weatherford’s, should be well insulated if the SFO comes knocking on the door. At the end of the day, I think the UK Bribery Act will be effective, and some companies are definitely looking to beef up their compliance programs to ensure that they do not fall afoul of the new act.

Adrian D. Mebane is the Director of the Ethics and Compliance Group for Weatherford International Ltd., joining the company in May 2009. Adrian is responsible for leading, managing, developing and implementing the global ethics and compliance program for Weatherford, which has operations in over 100 countries and more than 50,000 employees. For 4 years, Adrian was a federal prosecutor at the Fraud Section of the Department of Justice’s Criminal Division, where he prosecuted FCPA and other sophisticated white collar matters.

Adrian Mebane will speak at the conference, Compliance in the Global Supply Chain, in Houston, TX, on April 26 and 27. Through Friday, registrants can receive up to $400 USD off standard prices as well as an extra 10% for booking through this blog. Code to quote: FCPA2


January 26, 2011

FCPA and Bribery Act Counseling: Dr. No Versus Problem Solving Approaches

Filed under: FCPA — tfoxlaw @ 5:22 pm

Ed. Note-today we are pleased to host a guest post by our colleague Michael Volkov.

Mark Twain observed correctly about lawyers: “Lawyers are like other people–fools on the average; but it is easier for an ass to succeed in that trade than any other.”

When it comes to advising clients in the area of the FCPA and Bribery Act, counseling attorneys are critical players. We play an important role in the end in making sure a company complies with the law. Like in many other areas of life and work, the challenge is not just to be a nay-sayer, not just to parade out a bunch of horribles, kill a transaction or a deal, and then rest assured that I have served my client. Rather, the challenge is to look at a situation, factor in the business needs and impact, and develop creative solutions to the problem.

All too often, I hear complaints about compliance officers, general counsels, and outside counsels, who are the so-called “deal-killers” or “doomsayers.” The challenge within any organization is not to stop the work but to consult and advise on ways to meet the requirements of the law and figure out a way to make it work.

It is easy to be “Dr. No.” It is harder to say “That is a problem. How can we solve it? What can we do to make it work?” Such an approach is critical to establishing credibility with your client company, and making sure you are viewed as a part of the team.

Building your position as a problem solver ensures the most critical aspect of the lawyer-client relationship – Trust. Once you are viewed as a problem solver you establish yourself as a credible partner in the business and develop a rapport so that salespeople and other staff who are on the frontlines and in the trenches will come to you when they see a potential problem.

A successful general counsel is one who plays a critical role in the development and implementation of business strategy. Some general counsels like to sit back and wait for the problems to come to them. In contrast, some sit at the right hand of the CEO and advise on business just as much as legal issues – that is the challenge for our profession.

I know I am not supposed to criticize my profession – or say that we really are “fools on average” but as I see and hear more about compliance issues in the FCPA and Bribery Act industry, I would urge my brethren to take a deep breath, carefully assess the issue and make sure the first words out of your mouth are not “No, we cannot do that.” Rather, the challenge is to listen to the problem, and then say – “Let’s see if we can figure out a way to make it work, so that we are comfortable and we can further our business.”

Michael Volkov practices with Mayer Brown in Washington DC. He can be reached via email at MVolkov@mayerbrown.com and via phone at (202) 263-3288

Doing Business in Russia under the FCPA or Bribery Act

As reported by Andrew Kramer in Tuesday’s New York Times, in an article entitled, “Russia, Facing Big Budget Gap, Warms to Foreign Investors”, the Russian government is actively seeking foreign capital and foreign investors. The article mentioned that several state-owned enterprises are up for investment. It is reported that the state-owned bank VTB, the state-owned oil company Rosneft and the state-owned national hydro-electric RusHydro, among others, are seeking foreign investment.

While these offerings may produce significant business opportunities, Kramer notes that doing business in Russia still presents significant risks. He reports that the British political risk consulting firm Maplecroft “ranked Russia 186th out of 196 countries for political risk to business”. The Transparency International Corruption Perceptions Index for 2010, released in November 2010, gives Russia a score of 2.1 or number 154 out of 178 countries rated.

The Consultative Guidance on an adequate procedures program on the Bribery Act lists geographic risk as one of the key risks to be assessed for compliance purposes. This means that any US company contemplating such an investment, or UK company which will soon be subject to the Bribery Act, will need to tread carefully in any investment. Yesterday at the ACI FCPA Boot Camp in Houston, Michael Volkov, noted FCPA attorney from the firm of Mayer Brown, spoke on a panel with Ryan Morgan, of World Compliance, on the topic of due diligence on third parties. Many of Volkov’s remarks are applicable for US or UK companies which may wish to invest in Russian companies. Volkov believes the key to all compliance-based issues is to document the evidence. If you ask questions and get answers, document the process. If you ask questions and do not receive answers, document that process too. But the key is to Document, Document, and Document.

Volkov believes that the entire process of screening and evaluation of a new third party relationship should be done at the highest level possible within a corporation. This means in the General Counsel’s office, the Chief Compliance Officer’s office or another equally high office trained not only to perform due diligence but also to evaluate the risk. This centralized review should also include a centralized review of contracts to ensure consistent standards. He emphasized that the in-country business unit should not be allowed to handle this task. He noted that after the relationship is established you can set up a different standard for monitoring the relationship going forward. The key question in this post-contract execution area is, if you detect a problem, how does your company deal with it? Once again he emphasized Document, Document, and Document.

Volkov gave his thoughts on some of the basic pieces of information to cover when a company might begin the due diligence process. This would include:

  1. Existence of relationships with foreign governmental officials.
  2. Prior history of bribery or other crimes.
  3. What is the nature of services provided?
  4. What is the compensation and what will be the payment method?
  5. Have a written contract in place with appropriate terms and conditions, including:
    1. Reps and Warranties on compliance;
    2. Right to inspect and audit books and records; and
    3. Right to terminate if you believe that a violation has occurred.

As noted by Kramer in his Times piece, there may be great opportunity for investment. However, the risks for such investment, both political and those in the areas of anti-corruption and anti-bribery, as prohibited by the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act, may also be great. Some companies may find that their risk appetite is not large enough for such an opportunity. We can only end with the words of Ronald Reagan, in a different type of transaction he conducted with the then Soviet Union, “Trust, but verify.”


January 25, 2011

What are the Odds in Your FCPA Compliance Investigation?

The experts have spoken and the Astros are a 75-1 long shot to win the World Series. But that is just what the experts predict and as we are 3 weeks away from pitchers and catchers reporting for Spring Training I prefer to take the pink cloud approach, that at least as of now, the Astros have as good a chance as any team to make it to the Fall Classic. Of course, in the 50+ years of professional baseball in Houston, the Astros (and their predecessor Colt 45s) have made it that far only once. But at least it happened in my lifetime…

All of which brings us to this posting’s topic, Catelas software. In my transaction lawyer life, I do work for some medium to small software companies, which license software generally related to the energy industry. One of the best pitches you can make about a software product is along the lines of the following, “I have this software which can do some really cool stuff.” I recently saw a demonstration of Catelas software and came away thinking, this is some really cool stuff. But even more than such platitudes, the software allows the FCPA compliance professional a different way to continuously monitor within a company for possible Red Flags and to begin, organize and implement a FCPA compliance investigation in a more cost effective manner.

The Catelas software imports and analyzes communications data, like email, IM, telephony and SMTP log files from systems such as Microsoft Exchange Servers and Lotus Notes. The Catelas product then leverages social network analysis and behavioral science algorithms to analyze this communications data. These interactions are used to uncover and display the networks that exist within companies and between the employees of companies. Additionally, relationships between employees and external parties such as private webmail users, competitors and other parties can be uncovered.

From this data, Catelas creates visual relationship maps. These maps can help a company focus resources in any FCPA compliance investigation on the persons within the company with whom an individual under investigation has interpersonal relationships. The thesis of this approach is that data and information move through trusted relationships. A person who may be involved in a FCPA compliance matter would be more likely to use such trusted relationships within a company, rather than involving others, to transmit data and information or to engage in any FCPA violative activity.

This approach can assist an investigator not only in finding out what may have transpired in the past but also in focusing on who should be questioned going forward. Such relationship maps can also inform the overall investigation protocol by allowing a company to key in on certain persons and transactions, rather than simply running the entire company’s email database through a key word search program, or worse yet, having a law firm (presumably a young associate) read every email at the earliest, preliminary investigative stage.

By automatically uncovering who is talking to whom, when they connected and how well they know each other, the Catelas software product identifies both the internal and external people most likely to be involved. This allows a company to review more relevant data and from that point, expand the scope of any FCPA investigation as warranted. The Catelas approach can assist a FCPA compliance investigation in at least three ways.

1. Early Assessment: quickly ascertain the scope, cost and risk associated with an incident or case, making you better prepared, earlier. Determine if there is a FCPA violation, who is involved, both internal and external, and uncover all relevant content.

2. Data Identification & Collection: determine who and what to investigate before collecting a single email or pulling data from computers. Eliminate the need to re-collect later and avoid spoliation. Eliminate irrelevant custodians early and avoid over-collection.

3. Compliance: quickly uncover inappropriate relationships, non-obvious connections and webmail information theft by dynamically monitoring communications patterns of employees, partners and consultants inside and outside your organization.

If any of this piques your interest, I would suggest you check out the Catelas website. It provides visuals on what I have been describing. You are probably wondering how the Catelas product relates to the Astros and their 75-1 shot at making the Big Dance next fall. Well, if you utilize this software product, I believe it would put your odds at much better than the Astros winning the World Series. Moreover, Catelas will allow you to conduct a more efficient, more cost effective and focused FCPA compliance investigation.

January 24, 2011

Evaluation of FCPA Compliance Training

One of the key goals of any Foreign Corrupt Practices Act (FCPA) compliance program is to train company employees in awareness and understanding of the FCPA; your specific company compliance program; and to create and foster a culture of compliance. The testing and evaluation of your FCPA compliance training program is recognized under the US Federal Sentencing Guidelines as a key component in the overall effectiveness of a FCPA compliance program. Indeed the overall effectiveness of a FCPA compliance program is one of the factors that the Department of Justice (DOJ) reviews in determining whether or not to charge a company. In their book entitled, “Foreign Corrupt Practices Act Compliance Guidebook”, authors Martin and Daniel Biegelman explore some techniques which can be used to inform a company’s FCPA compliance training.

The authors suggest an approach, which is formulized by the acronym SMART, which is defined as follows:

  • Specific: clear and concise training which can be understood by all employees;
  • Measurable: the training has defined metric requirements such as post-training testing and pass rates;
  • Achievable: reachable, sustained and reasonable results such as training attendance;
  • Relevant: a program which will inform and/or measure the desired behavior; and
  • Timed: a realistic time frame for completion.

The authors also list several other considerations in the delivery of FCPA compliance training. What is the most effective type of training for your organization? Obviously live training is an important method of delivery. But this may not always be possible so computer based training, video training, web-based training or a combination of these different types of training can be useful to your organization. (For our prior two part series on Effective Compliance Training, see here and here.)

While most people tend to overlook the issue of attendance at training, it is an issue that should also be considered. You should determine that all senior management and company Board members have attended FCPA compliance training. You should review the documentation of attendance and confirm this attendance. Make your department, or group leaders, accountable for the attendance of their direct reports and so on down the chain. Evidence of training is important to create an audit trail for any internal or external assessment or audit of your training program.

The authors encourage post-training measurement of employees who participate in training. A general assessment of those trained on the FCPA and your company’s compliance program is a starting point. They list five possible questions as a starting point for the assessment of the effectiveness of your FCPA compliance training:

  1. What does the FCPA stand for?
  2. What is a facilitation payment and does the company allow such payments?
  3. How do you report compliance violations?
  4. What types of improper compliance conduct would require reporting?
  5. What is the name of your company’s Chief Compliance Officer?

The authors set out other metrics which can be used in the post-training evaluation phase. They point to any increase in hot-line use: are there more calls into the compliance department requesting assistance or even asking questions about compliance? Is there any decrease in compliance violations or other acts of non-compliance?

In addition to the training and the evaluation you perform on your company and its employees, you should also consider the FCPA compliance training of your business partners. Companies need to consider the FCPA compliance training of their supply chain vendors, contractors, agents, resellers, distributors, joint venture partners and others with which they do business or which in some way represent the company. This requirement for training of third party business relations is becoming a more critical component of a best practices FCPA compliance program.

The DOJ has made clear that it believes that both assessment and evaluation of FCPA compliance training are a best practice. This overall evaluation should become a standard part of your FCPA compliance program. The authors Martin and Daniel Biegelman have provided a valuable resource to guide you in following this best practice.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

 

January 21, 2011

What Can Your CEO Do for Your FCPA Compliance Program?

So what can your Chief Executive Officer (CEO) do for your Foreign Corrupt Practices Act (FCPA) compliance program? It turns out quite a bit. Both the US Sentencing Guidelines, which are used as the basis for FCPA compliance programs, and the Consultative Guidance, which is the basis for the adequate procedures defense under the UK Bribery Act, make it clear that top company leadership on compliance and ethics is a key component of any successful anti-bribery and anti-corruption program. Many CEOs desire to be leaders in this area for their businesses but do not know some of the specific steps that they can take to achieve this. In a book entitled “Building a World Class Compliance Program – Best Practices and Strategies for Success”, author Martin Biegelman provides some concrete examples in the chapter entitled “Tone at the Top and Throughout”.

In this chapter Biegelman cites a list used by Joe Murphy of actions that a CEO can take to set the requisite tone from the Captain’s Chair of any business. The list is as follows:
1. Keep a copy of the Constitution on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
2. Clout. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer (CCO) report directly to the Board of Directors.
3. Make them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
4. Sticks and Carrots. Have both sanctions for violation of company compliance and ethics policies and incentives for doing business in a compliant manner.
5. Don’t do as I say, Do as I do. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
6. Be a Student. Be seen at intra-company compliance training. Take a one or two day course or attend a compliance conference outside your organization.
7. Award Compliance. You should recognize outstanding compliance efforts with companywide announcements and awards.
8. The Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the audit or compliance committee.
9. Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Audit Committee.
10. Vendors. Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
11. Network. Talk to others in your industry and your peers on how to improve your company’s compliance efforts.

Many companies struggle with some type of metric which can be used for upper management regarding compliance and communication of a company’s compliance values. We are indebted to our colleague, Stephen Clayton for the following idea. It is to require the CEO to post companywide emails or other communications once a quarter on some compliance related topic. The CEO’s direct reports would then also be required to email their senior management staff a minimum of once per quarter on a compliance topic. One can cascade this down the company as far as is practicable. Reminders can be set for each communication so that all personnel know when it is time to send out the message. If these communications are timely made, this metric has been met.

Biegelman begins the chapter discussed in this posting with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. As we recently noted in our FCPA Blog posting on BP and the Deepwater Horizon disaster, based on the book “Drowning in Oil-BP and the Reckless Pursuit of Profit” by Houston Chronicle business reporter Loren Steffy, the CEO of BP wanted the company to adopt the financial discipline that Exxon had shown after its own environmental disaster, the Exxon Valdez spill. However, he failed to also understand that “as closely as Exxon’s management watched costs, it also made clear to every worker that the one cardinal sin was skimping on safety.” So safety was not made the priority for BP.

As the compliance professional within your organization you may well be asked by your CEO to provide concrete actions that he or she can take to lead the company in compliance. There may be suggestions you wish to make to the same CEO and the actions presented by Biegelman in his book, and by Clayton herein, provide some concrete steps and actions you can have your CEO take.

© Thomas R. Fox, 2011

January 19, 2011

Being a Great (Compliance) Leader

Filed under: Leadership — tfoxlaw @ 9:03 pm

In the most recent issue of the Harvard Business Review, writers Linda Hill and Kent Lineback posed the question, “Are You a Good Boss – Or a Great One?” In this article they explore what they believe to be some of the imperatives of going from a good boss to a great boss. Recognizing that the focus of the article is to help people grow as leaders within their businesses, we believe that their ideas have application in the compliance arena. We will therefore review the article with an emphasis on helping employees to become great compliance leaders, whether you measure compliance through the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act or any other standard.

Hill and Lineback begin with the thesis that most managers underestimate the transformational nature of the challenge of their roles as company leaders. To be a great leader a person must be dynamic and not complacent. If a leader stops growing and improving they run the risk of becoming a terrible boss. The authors believe that most managers stop working on themselves at some point in their career. Many managers are afraid of failure and this leads to a fear of change. Others do not receive proper training or support from their companies. Whatever the cause, the authors believe that most managers stop making progress because “they simply don’t know how to.” Even when there is adequate company support for change, it is sometimes difficult to know what is required to become an effective manager.

To aid such persons, the authors have developed what they term the “3 imperatives” to help managers on their “journey to becoming great bosses.” These imperatives are (1) Manage Yourself; (2) Manage Your Network; and (3) Manage Your Team. We will review these and reference how they apply to being a great compliance leader.

Manage Yourself

The authors believe that most employees ask “Can I trust this person?” Leadership results, in large part, from the answer to this question. The authors state that trust has two components: the first is that the leader has confidence in his or her own competence, and the second is that employees have trust in the manager’s character. This means that your motives are good and that you want people to do well. If these characteristics are present, a manager should be able to influence others.

Manage Your Network

The authors believe that building key relationships throughout an organization leads to success. This means nurturing a broad network of company employees who can influence specific areas and the departments within a company. As scarce resources must be reckoned with on any project, the person who can show the interdependence of seemingly disparate groups, which may have conflicting goals and priorities, is the manager who achieves the most. This relationship building can be a key way to influence others within an organization over which a manager does not have direct control.

Manage Your Team

The authors believe that managing a team is a different dynamic than managing one-on-one. If a manager can influence a team, they have a greater chance of success as employees tend to be more creative and productive when working in groups. Accountability to other team members and a genuine conviction that they are all in it together can lead to a group coalescing into a team. The culture of any team is important: values, standards and norms guide employees in what is expected of them. Attention must be paid to all team members, and recognition for individual efforts within the team can bring greater effectiveness as well.

To be a great compliance leader, the compliance professional must use all of these techniques. To achieve many compliance goals within a company requires a manager to exert a great amount of influence. The techniques set out by the authors provide direct tools for the compliance professional to utilize in this task. Managing employees within any compliance department is the first step. A compliance professional must reach out across an organization to all groups and departments to develop relationships which can be used in furthering a company’s compliance goals. The foundation of this strong network is created by a compelling team. A strong network will allow your compliance team a path to achieve its goals within the company. But knowing where you are going is only half of the journey. The authors end with the admonition that “you need to know at all times where you are on the journey and what you must do to make progress.”

© Thomas R. Fox, 2011

 

Jonathan Marks 13-Step FCPA Compliance Action Plan-the details

Ed. Note: we recently blogged about Jonathan Marks’ 13 Step FCPA Compliance Action Plan. Jonathan received numerous requests for more information on the plan and so he fleshed it out in a blog posting yesterday on his blog site, the FCPAExpert. He graciously allowed us to repost the details of his plan today. Jonathan Marks can be reached via email at jonathantmarks@verizon.net and phone at 267-261-4947.

On January 11, 2011, Tom Fox (see the Blog post below) was kind enough to post the “13 Step FCPA Compliance Action Plan” that I cobbled together.  Since that time I have received many calls and e-mails for more information, so I decided to post it for others to consider using in practice.  My goal is to continuously tweak the plan.  Your suggestions and comments are always welcome.

13 Step FCPA Compliance Action Plan

Note:  The draft guidance is not prescriptive and does not detail specific anti-bribery measures, but instead adopts a principles-based approach, which is intended to be used as a guide by a company when implementing their own anti-bribery compliance programs.

Governance

The audit committee is responsible for overseeing the financial reporting process and controls, the internal audit function, and the external auditors, including the appointment of the company’s external auditor. It oversees management’s implementation of policies that are intended to foster an ethical environment and mitigate financial reporting risks. In this process, the audit committee has the responsibility to see that management designs, documents, and operates effective controls to reduce the risk of financial reporting fraud to an acceptable level. The Sarbanes-Oxley Act also makes the audit committee responsible for establishing mechanisms for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or audit matters, and confidential, anonymous submissions by employees of concerns regarding questionable accounting and auditing matters (generally referred to as the ethics or whistleblower program).

In addition, it is increasingly common for the audit committee to have a link with the compensation committee through overlapping members, joint meetings, or attendance of the audit committee chair at certain compensation committee meetings. The objective of this process is to satisfy both committees that the executive compensation structure provides sound incentives for achieving corporate strategies without unintentionally providing motivations for fraud or other unethical behavior. The focus on compensation structures will likely increase as a result of legislation and regulatory rules regarding corporate compensation policies and practices.

Source: Center for Audit Quality Anti-Fraud Report: Deterring and Detecting Financial Reporting Fraud: A Platform for Action

1. Top level commitment – “Tone from The Top”

  • Top-level management (usually the board of directors and senior executives) must establish a culture within their company in which bribery is unacceptable. They also should ensure that the company’s policy to operate without bribery is effectively communicated throughout the company. The draft guidance provides examples of what top-level commitment should include:
      • a “zero tolerance policy” toward bribery in all parts of the company’s operation;
      • clear explanation of the consequences that employees and business partners will suffer if they violate the corporate policy;
      • personal involvement in the development of a code of conduct, or ensuring the publication and communication of anti-bribery measures to all employees, subsidiaries and business partners; and,
      • appointing a senior manager to oversee the development of an effective anti-bribery program.
  • “Top level commitment” is another commonly identified element of an effective compliance program. This principle, as articulated in the draft guidance, appears to combine the requirement of a strong “tone at the top,” noted by almost every respected guide on compliance programs from the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) to the US Department of Justice, and the need for a clear, firm anti-bribery policy, a principle also widely endorsed in the compliance literature and by governmental organizations.

2. Corruption and Bribery Risk Assessment

The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment.

Conduct a comprehensive review of the company and assess the potential bribery and corruption risks associated with its products and services, customers, third-party business partners and geographic locations where it operates.

The risk assessment can serve as the documented rationale for the compliance program.

Businesses must be aware of the current bribery risks they face in the sectors and markets in which they operate. The proper nature of any risk assessment procedures will depend on the size of the company, as well as its activities, customers and markets. But companies are generally advised to consider the following:

Whether those performing the risk assessment are “adequately skilled”; and,

What data sources should inform the risk assessment.  The draft guidance suggests the use of internal data (annual audit reports, internal investigation reports, focus groups and staff, client or customer complaints) and external data (analyzing publicly available information on bribery issues in particular sectors or jurisdictions).

For multinational corporations already subject to the US Foreign Corrupt Practices Act (“FCPA”) and other anti-bribery enforcement regimes, this requirement should be no surprise. Section 8B2.1 of the US Sentencing Guidelines for Organizations already lists periodic risk assessments as a component of an effective compliance program. And the OECD’s Working Group on Bribery in International Business Transactions issued guidance in November 2009 that similarly advised risk assessments as a good practice for companies. Regardless of official guidance, no company can properly design a compliance program without identifying and understanding the risks it wishes to guard against.

3. Internal Controls

  • Most companies struggle with implementing mitigating controls to support their internal anti-bribery and anti-corruption policies.
  • Develop, document and maintain a system of internal financial controls to ensure that all payments are accurately recorded in the company’s books and records in accordance with applicable regulatory requirements.
  • Special attention should be paid to those areas that may directly affect the anti-bribery and corruption compliance program such as procurement, on-boarding of vendors, agents, consultants, and other third-party business payees.
  • Gifts and entertainment controls.  Managing the offering and receiving of corporate gifts, entertainment and travel has become increasingly important in today’s environment of increasing regulatory oversight. Gifts given with the best of intention can be incorrectly perceived and lead to millions of dollars in government fines, as well as loss of potential business.

4. Structuring and Defining Roles & Responsibilities

  • Anti-corruption director (See Daimler)
  • Chief Compliance Officer or Other Senior Corporate Official
  • The assignment of responsibility to one or more senior corporate officials for implementation (see discussion within) and oversight of compliance with policies, standards and procedures regarding the FCPA and other applicable anti-corruption laws; the official should have the authority to report matters directly to the Board.
  • Understanding the US Sentencing Guidelines changes that became effective on November 1, 2010, and included a change related to the Direct Report. The amendment changed the reporting structure in companies where the Chief Compliance Officer (CCO) reports to the General Counsel (GC) rather than a committee on the Board of Directors.  The change reads “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the GC, who then reports to the Board, such structure may not qualify as an effective compliance and ethics program under the amended Sentencing Guidelines. The better practice would now appear to be that the CCO should be a direct report to the Board or appropriate subcommittee of the Board such as compliance or audit.

5. Risk-based Third Party Due Diligence

  • Develop and document an investigative due diligence protocol that will assess the potential bribery and corruption risks associated with third parties such as vendors, consultants, suppliers, agents and joint venture partners.
  • The nature and extent of the investigative due diligence should be based on the third party’s risk profile.
  • The protocol should set forth the remedial steps that may be taken for those parties that represent an elevated risk of bribery and corruption, including, but not limited to escalated due diligence or the termination of the relationship.
  • Types or Levels of Due Diligence:
      • Basic: simple database checks
      • Medium: more in-depth review
      • High: reputation checks, site visits, forensic review of financial statements, and investigative procedures outside the US

6. Clear, Practical, Current, And Accessible Policies And Procedures

  • There should be a clearly articulated policy against bribery and corruption that enforces a tone of compliance from the board and management.
  • Procedures and processes that clearly set forth permitted and prohibited conduct, supervisory and compliance approvals for certain conduct and documentation of such approvals.

7. Documenting a Detailed Multi-year Compliance Plan

Companies must embed anti-bribery policies and procedures throughout the business.  “Paper compliance” is insufficient.  Companies should consider establishing an implementation strategy detailing the rollout of these policies and procedures:

  • Who bears responsibility for program implementation;
  • How to communicate the policies and procedures internally and externally;
  • The content and nature of anti-bribery training and how to roll it out effectively;
  • How senior management will monitor the program’s implementation;
  • Whether and how the company will use external assurance processes;
  • The processes for monitoring compliance;
  • The implementation timetable;
  • An explicit statement of penalties for violating relevant anti-bribery policies and procedures;
  • The date of the program’s next review; and
  • A decision on whether to require or suggest that business partners take part in anti-corruption training courses.

Warning! The statement that “paper compliance” is insufficient echoes warnings issued numerous times by US enforcement officials. Indeed, US Deputy Attorney General Mark Filip’s famous 2008 memorandum on prosecuting business organizations explicitly cautions that a mere “paper program,” lacking the necessary design, implementation, and review, will not protect a company from prosecution.

8. Appropriate Disciplinary Procedures To Address Violations

Appropriate disciplinary procedures to address, among other things, violations of FCPA, UK Bribery Act, and other applicable anti-corruption laws or compliance code by directors, agents and business partners.

9. Ensuring Robust Monitoring and Review (Utilizing Internal Audit)

  • Develop and document processes and/or controls to periodically assess the effectiveness of the compliance program and potential vulnerabilities and monitor for employee compliance.
  • Such processes may include periodic testing and validation, review of available metrics and design of self-assessment forms and exercises.

10. Training

Develop training materials that clearly and concisely interpret applicable legal, regulatory, policy and procedural requirements as well as the possible ramifications associated with non-compliance. The training materials should be reviewed periodically to ensure their continued adequacy.

Training should be provided regularly to senior management and key compliance and business personnel.

11. An Effective System for Reporting Suspected Criminal Conduct and/or Violations of the Applicable Anticorruption Laws for Directors, Employees, Agents and Business Partners.

Develop and maintain a system for receiving complaints containing allegations of bribery and corruption as well as a system to investigate such allegations and document the actions taken with respect to such complaints and investigations.

12. Other Risk Mitigation Procedures

  • Standard provisions in contracts and agreements that include at a minimum:
      • Anti-corruption representations and undertakings relating to compliance with FCPA, UK Bribery Act and other applicable anti-corruption laws;
      • Rights to conduct audits of the books and records; and
      • Rights to terminate as a result of any violation of anti-corruption laws, and regulations or representations and undertakings related to such matters.

13. Annual Testing of The Compliance Program

The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants. (emphasis added)

The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment addressing the individual circumstances of a company, in particular the foreign bribery risks facing the company (such as its geographical and industrial sector of operation). Such circumstances and risks should be regularly monitored, re-assessed, and adapted as necessary to ensure the continued effectiveness of the company’s internal controls, ethics, and compliance program or measures.

The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, requires ongoing risk review, monitoring, and review by noting that a compliance program and procedures should be reviewed regularly and encourages senior management of higher risk and larger companies to consider external verification or assurance of the effectiveness of anti-bribery policies.

In a recent speech, Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such an external verification or assurance of the effectiveness of a compliance program is a key component to assist a company in maintaining a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company could continue to evaluate its own compliance program with reference to compliance standards, which are evolving. Breuer has advocated an annual compliance program assessment by each company and I do as well.

Higher risk and larger companies should consider external verification or assurance of the effectiveness of anti-bribery policies.
