FCPA Compliance and Ethics Blog

March 9, 2011

FCPA Risk Assessment: Hockey Stick Rather than Bell Curve?

In an interesting article posted in Industrial Week.com, entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement” attorney William Athanas took a different look at assessing the risks for manufacturing companies under the Foreign Corrupt Practices Act (FCPA). His thesis is that such companies assume that FCPA violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.”  However Athanas believes that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.”

Athanas believes that this faulty assumption has led companies to incorrectly assess their FCPA compliance risk. Based upon this incorrect risk assessment, companies implement strategies that not only are ineffective but can “cause actual harm” through the mechanisms of financial waste and exposure of companies to greater damage from a FCPA violation. These insufficient strategies can include some of the following: a FCPA compliance policy that is disseminated broadly but has “shallow preventative measures”; compliance monitoring efforts which review samples from “artificially inflated universes”; expanding the FCPA audience within the company, yet diluting the compliance solution.

Athanas argues that FCPA violations are different from ordinary compliance violations “not just in degree, but in kind.” He posits that while the payment of “anything of value” to a foreign official can assume a variety of forms, there are certain defining characteristics common to virtually all violations. Regardless of the size or type of operational environment where they occur, two properties are common to all FCPA violations:

  • Those individuals with the opportunity to interact with foreign officials have the greatest chance to commit FCPA violations.
  • Of that group, certain individuals also possess the necessary inclination, whether a personal financial incentive linked to the transaction or the inability to recognize the significant risks attendant to bribery.

To assess these risks, Athanas suggests an initial determination of the touch-points where the operations of manufacturing companies “intersect with foreign officials vested with discretionary authority.” This will lead to an understanding of the individuals who hold these roles within a company. This means that a simple geographic analysis is but a first step in a risk analysis. Thereafter companies should also focus on “those who authorize and record disbursements, as well as those who represent the company in situations where they may be solicited for payments.” The next step is to determine those company employees who may have the incentive “to pay bribes on the Company’s behalf.” This incentive can come from a variety of forms; such as a company compensation plan, which rewards high producer; employees who do not understand the risk they place the company (and themselves) in by engaging in tactics which violate the FCPA; and finally those employees who seek to place their individual interests above those of the company.

Athanas concludes by noting that is this limited group of employees, or what he terms the “shaft of the hockey-stick” to which a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts such as “intensive training sessions or focused analysis of key financial transactions — on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”

We found that Athanas’ article provides a different method of thinking through companies FCPA risks. Although he targets his article to those companies in the manufacturing section, we believe that it has applicability across industry and market lines. He article demonstrates once again that any successful compliance policy begins with an adequate risk assessment. Without properly assessing risks, companies will miss-apply the lessons and incorrectly target their compliance efforts. The 2011 enforcement actions in Alcatel-Lucent, Maxwell Technologies and Tyson Foods all make clear the importance of a coherent, focused risk assessment to lead your compliance program. Or as the UK Ministry of Justice said in its Consultative Guidance on Adequate Procedures, your risk assessment should “inform” you compliance program and not vice-versa.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011


Blog at WordPress.com.