Creating a “Gap” Analysis and Sharing Issues with Management

Our colleague, Michael Portorti continues his series on risk assessments from a CPA perspective. He has previously provided guest posts on The Auditor’s Role in FCPA and UK Bribery Act Compliance and  Performing a Risk Assessment for FCPA and UK Bribery Act Compliance .

A formalized risk assessment should be completed to identify the areas where the Company is exposed under the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act (UKBA). Subsequent to this identification, specific and detailed questions should be asked of relevant risk area management/employees to determine if “Best Practice” controls are in place. 

Interviews should be scheduled between responsible parties and an objective interviewer. A tool that can be used by the interviewer to track responses would be a document containing the following:

• Area Being Investigated
• Model Control Description
• Control Risk
• Actual Control
• Individual Responsible
• Deficiencies Identified

The deficiencies identified should be accumulated in a “Gap Analysis” document. This document should contain the following:

• Area Being Investigated
• Description of Deficiency
• Action Plan to Remediate Deficiency
• Individual Responsible
• Action Plan Due Date

The Gap Analysis document can then be used to track status of deficiencies and used as a source to update Executive Management as necessary. It also can expose bottlenecks and identify potential revisions for controls that need additional tailoring to fit in with the Company’s operational environment.

Accumulating deficiencies in this manner keeps all parties up-to-date on remediation progress so overall compliance efforts can move along at an acceptable rate.

Micheal Potorti can be reached at mpotorti@mp-audit.com. 

=============================================================================================

Episode 9 of This Week in the FCPA is now up and available for viewing. Check out Howard Sklar and myself with our weekly commentary on all things FCPA.

This Week’s Show Notes include the following topics:

1.  Three Articles on FCPA and International Rule of Law issues
2.  Tyson Foods case (one of the three articles)
3.  Private Equity and the UK Bribery Act
4.  Niko Resources

Four Steps to Resolving Your FCPA Compliance Issues

As regular readers of this blog know I often cite the three maxims of Paul McNutly as the basis for a good compliance program. They are the questions that the government will ask when they come knocking: (1) What did you do to prevent it?; (2) What did you find when you looked into it?; and (3) What did you do when you found out about it?. One of the keys of these ideas is that if you look for something, through investigation or audit, you cannot be afraid to find something, recognize that it is a problem, then move forward to remedy the problem and use it as a lesson learned going forward. I recently saw an advertisement in the Harvard Business Review for the Columbia Business School which was entitled, “How to realize leadership potential” it occurred to me that it was a way to think through and act upon McNulty’s point 3. So with some modification I present a practical method to implement McNulty.

1.     Recognize Compliance Problem

The key here is to provide the tools to company employees through training that allow them to recognize when a compliance problem has arisen. Your compliance program must have a written Code of Conduct or other formation document which clearly articulates what is expected from the compliance perspective. However, because compliance programs also have a requisite financial controls component, as required by the books and records portion of the Foreign Corrupt Practices Act (FCPA), there also needs to be a clear policy statement which employees can read and understand. This does not mean a compliance policy written by lawyers for lawyers, with lengthy citations to the FCPA, direct cut-out quotes from the US Sentencing Guidelines and other terminology on a lawyer can read and understand. The compliance policy needs to written in plain English or at least in language that a business person can understand. There should also be a detailed statement of the compliance procedures which explain the financial process by which your company will manage the compliance risk.

All of this should be encapsulated in a training program. There are various and numerous approaches to training. It can be live, via video, through a Webex, via audio, computer based or any combination thereof. The key is to provide sufficient training to allow employees to recognize compliance problems. I tell employees that they do not have to understand all the nuances of FCPA law or make a decision on whether the FCPA has been violated. I ask them that if something strikes them as wrong; their gut tells them its an issue; or the hair on the back of their neck stands up-recognize this as a problem and move to Step 2…

2.     Call for Help

So what should you do if you recognize a compliance problem? I train employees to raise there and escalate the problem. Tell your boss, call the compliance or legal department, use the hotline or do something to escalate the problem so that it can be investigated. Here the actions of the company are critical. A company must provide the training for an employee on what they are to do; where they can go. This message must be reinforced by emails, posters, reminders by management and any other form of media to communicate and keep communicating this message.

But this next part is absolutely critical. Your company must be absolutely, positively committed to accepting the employees concern and there must be NO RETALIATION. I know that every company in America will swear up and down that they embrace this basic of compliance; just as they do for all other areas where employees can bring claims, such as harassment, discrimination, SOX concerns or a myriad of others. But if there is one hint or even a whiff of retaliation, it will end, for all time, employees bringing compliance concerns up the line. All of which leads to Step 3, which is…

3.     Address the Issue

There must be a thorough and competent investigation. Do not wait one or two months to perform the investigation. In addition to the mundane concern of evidence becoming stale or disappearing, the reporting employee or other witnesses being harassed; you will lose credibility the longer you wait. Employees who make such reports expect, and I believe reasonably so, for their concerns to be taken seriously. Here I do not mean have the President of your company go in front of the national press to announce the termination of the alleged wrong-doers, well before your President has the correct facts in hand, such as was the case with the recent Renault matter.

My colleague Jim McGrath, author of the Internal Investigations Blog, writes about the use and need for specialized investigative counsel to assist a company at this juncture. Even if you do not follow Jim’s advice, you must get a lawyer on the ground as soon as is possible. This lawyer should be trained in how to investigate; he/she must have an investigation protocol and a good understanding of the facts through a comprehensive review of all documents, before the interviews begin. So perhaps you do need specialized investigative counsel as Jim suggested so as not to any conflict of interest in pursuing any leads in the compliance investigation. With that we move on to Step 4, which is…

4.     Apply Resolution

Here your company must be fearless. It must be not afraid of what may be found in the investigation, it must not be afraid to remedy the issue. Remember McNulty’s Maxims? The third question the government will ask is “What did you do when you found out about it?” You must follow your compliance policy. If discipline is warranted, you must administer it. The discipline must be administered fairly but equally across the globe. I once was at a company which fired Brazilian employees for making mis-statements on their expense accounts but gave a US employee a “Letter of Warning”. What kind of message do you think that action sent?

There may be other resolutions which may not require the administration of discipline. It may be that your internal controls need to be strengthened. Although not in the compliance world, how do you think Citigroup is feeling about its internal controls today; as it had an ex-employee charged with embezzling over $19MM for over a year before he was caught? But the key is to resolve the matter. Use it as a lesson learned and as a teaching tool. Do not hide the issue and if it is a FCPA violation, consult with counsel regarding a self-disclosure to the Department of Justice (DOJ) and Securities and Exchange Commission. If all this happened in your UK subsidiary and your complete your investigation after July 1^st, self-disclose to the Serious Fraud Office.

I hope you can use these four steps to assist you in implementing McNulty’s Maxims. This is what the DOJ wants to see if they come knocking.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Regulatory Compliance Risk Assessment: Ranking Risks

Ed. Note-I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”.   Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she suggested outlined in that article.  Unfortunately I posted the third article out of sequence. This is the second posting in this follow up series.

[Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries that your company currently operates.] 

As stated in the previous article, we believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country by country basis.  In the previous article, we discussed identifying Risk Centers and Risk Owners as one way of identifying all of the various legal/regulatory compliance risks that could impact your company.  Once the risks are identified, under the ERM Framework, the next step in the process would be to rate the “Significance” and the “Likelihood” of compliance failure in order to establish a Priority Rating.  Significance X Likelihood= Priority Rating.

What do we mean by this?  Develop a “Significance” Rating Guide with numbers 1-5 with 1 being “Extreme” and 5 being “Negligible”.  Then develop a “Likelihood” Rating Guide with numbers 1-5 with 1 being “Almost Certain” and 5 being “Rare”.  The next step is to develop a “Priority” Rating Guide from 1-25 with 1 & 2 being “Severe” and 20-25 being “Trivial”.  At the recent Compliance Week 2011 meeting in Washington DC, I saw an excellent presentation by Michele K. Abraham, Corporate Attorney-Ethics & Compliance with The Timken Company.  This is how The Timkin Company rated “Significance”, “Likelihood” and “Priority Rating”:

“Significance” Rating Guide:

Rating	Assessment	Evaluation Criteria- What is the Impact on the Business
1	Extreme	Consequences would threaten survival of the business or would result in outside monitoring and enforcement.
2	Very High	Consequences would have a material impact on the operations of the Company or could result in outside monitoring and enforcement.
3	Medium	Consequences would result in significant review or changed ways of operating by outside enforcement agency.
4	Low	Consequences would contribute to the failure to accomplish business objectives.
5	Negligible	Consequences would not effect any constituent in any material manner.

“Likelihood” Rating Guide:

Rating	Assessment	Evaluation Criteria- How likely is this event to occur at your company?
1	Almost Certain	Highly likely, this event is expected to occur.
2	Likely	Strong possibility than an event will occur and there is sufficient historical incidence to support it.
3	Possible	Event may occur at some point, typically there is no history to support it.
4	Unlikely	Not expected, but there is a slight possibility that it may occur.
5	Rare	Highly unlikely, but may occur in unique circumstances.

“Priority” Rating Guide:

Rating	Assessment	Evaluation Criteria- What Action is Required?
1-2	Severe	Immediate action is required to address this risk, in addition to inclusion in training and education and audit and monitoring plans.
3-4	High	Should be proactively monitored and mitigating through inclusion in training and education and audit and monitoring plans.
5-7	Significant
8-14	Moderate
15-19	Low	Risks at this level should be monitored, but do not necessarily pose any serious threat to the organization at the present time.
20-25	Trivial

These rating guides are a terrific model for you to use to develop the Rating Guides for your business. But remember, each business is different.  The evaluation criteria must be tailored to your company.

Let’s take a look at an example:

Scenario:

Your company sells ready-mix concrete in Louisiana.  With the economic downturn in the housing market, the demand for ready-mix concrete is declining.  You have a competitor who also sells in the same area.  During the risk identification brainstorming sessions with the Sales Department, you learn that at a recent industry wide event your salesman has approached the salesman for the competition and “suggested” that a good price for X pounds of ready-mix concrete is $X dollars.  You recognize that this action is probably a violation of the U.S. anti-trust laws.  How do you rate the “Significance” of this event?  What about the “Likelihood”?  You learn from the legal department that the maximum fine for violating the Sherman Act is $100 million for corporations. You also learn that the maximum fine may be increased to twice the gain derived from the crime or twice the loss suffered by the victims of the crime, if either of those amounts is greater than the statutory maximum fine.  Given the fines and penalties, would you rate this risk a “1” “Extreme” because you believe that the consequences of such an event would threaten the survival of the business or would result in outside monitoring and enforcement?  What about the likelihood? Perhaps you would rank the likelihood as a “2” “Likely” because you believe that there is a strong possibility than an event will occur and there is sufficient historical evidence to support it.  In this case, then the “Priority” rating for an anti-trust violation would be “2” which according to your Priority Rating Guide, suggests that immediate action is required to address this risk.

The questions for us to discuss in the next segment are “How do you manage the risk”? What internal controls do you have or can you implement to mitigate the risk?”

Mary Shaddock Jones, Attorney at Law.  msjones@msjllc.com; 337-515-8527 (c); 337-513-0335 (0)

 

Regulatory Compliance Risk Assessment: Managing Risks with Internal Controls

Ed. Note-I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”.   Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she suggested outlined in that article.  This is the third  and final posting in this follow up series.

[Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries that your company currently operates.] 

As stated in the previous article, we believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country by country basis.  In the first article, we discussed identifying Risk Centers and Risk Owners as one way of identifying all of the various legal/regulatory compliance risks that could impact your company.  As discussed in the second article, once the risks are identified, under the ERM Framework, the next step in the process would be to rate the “Significance” and the “Likelihood” of compliance failure in order to establish a Priority Rating.  We believe that the third step in the process it to determine how the various identified risks are managed and/or mitigated using risk specific internal controls.

What do we mean by this?  One definition of “Internal Control” is the following:

Internal control- Systematic measures (such as reviews, checks and balances, methods and procedures) instituted by an organization to (1) conduct its business in an orderly and efficient manner, (2) safeguard its assets and resources; (3) deter and detect errors, fraud, and theft, (4) ensure accuracy and completeness of its accounting data, (5) produce reliable and timely financial management information, and (6) ensure adherence to its policies and plans.

We think most people when they hear the word “internal control” automatically assumes that it is referring to accounting or financial controls.  While that may be true, we believe that internal controls, as systematic measures (such as reviews, checks and balances, methods and procedures) can be used in the compliance risk assessment process.  A few types of internal controls that may be used to mitigate identified compliance risks are the following:  (1) Control Environment, (2) Policies, and, (3) Procedures.  Some of the controls may need to be on an entity-level, while others may be process specific.

Why does all of this matter? The process your company puts into place to identify, prioritize and mitigate and/or manage compliance risks matters in many respects.  First and foremost, it is a systematic driven way of trying to prevent criminal behavior.  Second, the process helps you to put in Compliance and Ethics program which should be considered “effective” under the US. Sentencing Guidelines.

 

 §8B2.1. Effective Compliance and Ethics Program

 (a)    To have an effective compliance and ethics program, for purposes of subsection (f) of §8C2.5 (Culpability Score) and subsection (c)(1) of §8D1.4 (Recommended Conditions of Probation – Organizations), an organization shall—

 (1)   exercise due diligence to prevent and detect criminal conduct; and

(2) otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

Such compliance and ethics program shall be reasonably designed, implemented, and enforced so that the program is generally effective in preventing and detecting criminal conduct. The failure to prevent or detect the instant offense does not necessarily mean that the program is not generally effective in preventing and detecting criminal conduct.

(b)  Due diligence and the promotion of an organizational culture that encourages ethical conduct and a commitment to compliance with the law within the meaning of subsection (a) minimally require the following:

 (1)  The organization shall establish standards and procedures to prevent and       detect criminal conduct.

 (2) (A) The organization’s governing authority shall be knowledgeable about the content and operation of the compliance and ethics program and shall  exercise reasonable oversight with respect to the implementation and effectiveness of the compliance and ethics program.

(B) High-level personnel of the organization shall ensure that the organization has an effective compliance and ethics program, as described in this guideline. Specific individual(s) within high level personnel shall be assigned overall responsibility for the compliance and ethics program.

  (C)  Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

 (3)  The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.

 (B)  The individuals referred to in subparagraph (A) are the members of the governing authority, high-level personnel, substantial authority personnel, the organization’s employees, and, as appropriate, the organization’s agents.

 (5) The organization shall take reasonable steps—

 (A) to ensure that the organization’s compliance and ethics program is followed, including monitoring and auditing to detect criminal conduct;

 (B) to evaluate periodically the effectiveness of the organization’s compliance and ethics program; and

(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

 (6)  The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate  incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.

 (7)  After criminal conduct has been detected, the organization shall take reasonable steps to respond appropriately to the criminal conduct and to prevent further similar criminal conduct, including making any necessary modifications to the organization’s compliance and ethics program.

 (c)   In implementing subsection (b), the organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement set forth in subsection (b) to reduce the risk of criminal conduct identified through this process.

 What should be clear is that the U.S. Sentencing Guidelines do not tell you HOW to identify, assess, prioritize, mitigate or manage risks. It just tells provides guidance on what are the elements of an Effective Compliance and Ethics Program, including, (as a summary only), that  (a) you have to establish standards and procedures to prevent and detect criminal conduct; (b)  you have to have specific individuals (arguably at all levels of the organization) who are knowledgeable and responsible for the program; (c) you communicate the policies and procedures; (d) you have to monitor for compliance; (e) take reasonable actions to respond to criminal conduct and prevent or detect future conduct and (f) periodically assess the risk of criminal conduct and take appropriate steps to design, implement, or modify the controls to reduce the risk of criminal conduct.

We believe that the Enterprise-Wide Risk Management format is an excellent tool to assist your company in creating and maintaining an Effective Compliance Program.   Hopefully,  by utilizing some of the suggestions in this series of articles, the task of performing a regulatory compliance risk assessment in all of the countries that your company currently operates  will  not be as quite as daunting as you originally feared.

Summary:  (1) Identify the Risk Centers; (2) Identify the Risk Owners within each Risk Center; (3) Work with the Risk Centers/Owners to identify the Legal/Regulatory requirements applicable to each of their Risk Centers; (4) Prioritize the risks using a “Significance” and “Likelihood” rating guide; and (5) identify and/or implement internal controls to minimize the identified risks.

 Mary Shaddock Jones, Attorney at Law.  msjones@msjllc.com; 337-515-8527 (c); 337-513-0335 (0)

Silver Lining to the FCPA or How to Create Jobs by Following the Law

As most baseball fans know, the Houston Astros, after being tied with the Boston Red Sox through the first six games of the season with joint 0-6 records, the teams have gone their separate ways. The Red Sox have gone 44-25 and now lead the American League East. The Astros have gone 27-43 and now have the worst record in baseball. I mention this for two reasons; the first is that the Red Sox come to Houston for a 3 game set of Interleague Play, beginning July 1, so please wish us some luck as we will need it; and the second is the stunning triumvirate of articles which appeared Friday and Saturday in the Wall Street Journal (WSJ) and New York Times (NYT) pointing out the positives of the Foreign Corrupt Practices Act (FCPA). For those of you keeping score at home; it was two in the WSJ and one in the NYT.

Even at this point I cannot pronounce which of the three articles was more stunning for they all had aspects which have not been previously seen in print; that is, at least not in print in America’s top two newspapers.

I.                WSJ-Defense of the FCPA

One thing I had not expected to see in the WSJ was any type of defense of the FCPA. On Friday, June 24, reporter John Bussey wrote an article entitled, “The Rule of Law Finds Its Way Abroad-However Painfully.” He began his article by noting the internal investigation that Avon is currently conducting regarding possible violations of the FCPA and that Avon has spent over $100 million on this internal investigation to-date.

However, Bussey, quite quickly, moved into one of the positive aspects of the FCPA. He stated:

The silver lining? The FCPA—passed in 1977 and still controversial with many U.S. companies—may be proving more effective than any other U.S. initiative in extending the rule of law into developing markets. For all its warts, the rules are changing the often lawless marketplace abroad.

He went on to report  that while the US was initially a leader in enacting anti-bribery and anti-corruption legislation, many other countries have now passed similar legislation. Many US companies operate  internationally and “now heavily vet their potential suppliers, partners and acquisitions abroad and have extensive training and compliance programs on the FCPA. U.S. business groups from Egypt to Singapore to China run briefings on the law.” Further many US companies are now the “greatest proselytizers” of rules and regulations against corruption and bribery across the globe.

He also reported that the FCPA is having an effect on the world-wide fight against corruption and bribery. Jeffrey Eglash, a lawyer for GE was quoted as stating, “It’s having an impact, and vendors and suppliers increasingly adopt our policies and embrace our training.” Alexandra Wrage stated that what may have been acceptable conduct in the past, regarding bribery to obtain business, was no longer acceptable, “If a Wal-Mart or General Electric or Pfizer can convey to tens of thousands of partners, suppliers, distributors and other intermediaries world-wide that antibribery compliance is valued, the norms would change.”

II.             WSJ-Alcoa Speaks

In a second article on Friday, June 24, in the WSJ online edition, entitled “Alcoa Exec Says Business Leaders Should Stick Up For The FCPA”. Alcoa Vice President for Sustainability and Environment, Health and Safety, Bill O’Rourke, was quoted in remarks he made to the Carnegie Council roundtable earlier this month, on a question about the importance of having these anti-corruption rules, such as in the FCPA, in place and the interest of America in having anti-corruption and anti-bribery laws in place globally. O’Rourke stated in part:

It’s myopic for the business leaders not to take a stance. Business is in a position now to make more of an influence on how the world is run than we have taken. Business needs to stand up and take positions, and not be afraid to. They should be standing up and taking these positions. It’s even in their own self-interest to have those rules in place to protect us when we are in certain jurisdictions and we can point to them. That could be self-interest.

But it’s the right thing to do. It’s myopia that is going on in an awful lot of corporate practices—that this might hurt me or my image might get distorted because of that. It’s just the opposite. Your image might get raised a little bit if you start speaking out on the right issues.

O’Rourke provided a concrete example of how the FCPA had helped Alcoa in Russia when faced with numerous solicitations for bribes from towns Alcoa was transporting equipment through. Alcoa simply said they would not pay. It told the Russian federal government that if it wanted Alcoa’s business, which included its modern equipment to refurbish aging Russian factories, that Alcoa would not pay bribes to transport Alcoa equipment on trucks through Russia. He said the Alcoa approach worked because the company was “sticking to our guns.” The people in Russia realized that it was a benefit to do business with Alcoa and that they would make money the old fashioned way-by earning it.

III.           NY Times – Tyson Foods – Why No Prosecution of Individuals?

Taking a somewhat different approach, and certainly a different view, was James Stewart, writing in the Saturday, June 25 edition of the NYT in an article entitled, “Bribery, but Nobody Was Charged”. In this article, Stewart detailed conduct not only violative of the FCPA in Tyson Food’s Mexican food processing facility but also detailed discussions internal to Tyson about ways to shift the illegal payments after they were initially discovered.

Stewart reported that Tyson Foods’ Mexican food processing facility was paying the wives of the Mexican food inspector as if they were employees while they did no work at the facility. After this was discovered, a “group of executives ‘were tasked with investigating how to shift the payroll payments to the veterinarians’ wives directly to the veterinarians,’ according to a subsequent statement of facts negotiated by Tyson’s lawyers and the Department of Justice (DOJ). Stewart then wrote that a subsequent memo written by Tyson’s audit department concluded that the “doctors [the wives] will submit one invoice which will include the special payments formally [sic] being made to their spouses along with there [sic] normal consulting services fee.” The invoices would be identified as “professional honoraria.” Stewart found this conduct by Tyson to be one of “only finding a new way” to make the same payments which violated the FCPA. Stewart did name some of the Tyson Foods’ executives involved in the meetings detailed in the above events:

1. President of Tyson International Operation – Gregg Huett
2. Vice President for Operations
3. Vice President for Internal Audit
4. Chief Administrative Officer – Greg Lee

Stewart reported that when he contacted Tyson Foods’, a company spokesman told him that all company officials involved with this matter were “either no longer with the company or were disciplined.” I certainly hope those folks who engaged in or approved any bribery scheme were terminated.

IV.            The Upshot

What is the upshot of these three articles and how do they relate to the Astros and Red Sox? Just as the Red Sox have clearly turned their season around by getting back to their strengths, the FCPA has many strong, positive aspects which were not discussed in the recent House Judiciary Committee hearings on FCPA enforcement. In contrast to last year’s Senate hearings, neither Chairman Sensenbrenner nor any of the other House panel members seemed concerned about the lack of individual prosecutions under the FCPA. Stewart’s article clearly names some of the Tyson Foods’ executives who were involved in the decisions around the company’s conduct which was found to violate the FCPA but none of the named individuals were charged.

However, it was the two WSJ articles which seemed to most directly contradict the thesis that the House Republicans were trying to articulate; that somehow the DOJ’s enforcement of the FCPA is costing US companies jobs. It is not the FCPA which costs US companies jobs, but the failure of other countries to adopt and enforce the Rule of Law which allows companies from other foreign countries to engage in bribery and corruption which causes US companies to lose business. Both Bill O’Rourke of Alcoa and several persons interviewed by John Bussey for his article pointed out the positive benefits of the FCPA and how it allows US companies to lead the world into a stance of greater rejection of corruption and bribery to successfully secure and transact business.

Indeed, the Alcoa example is one precisely anticipated by the legislators who enacted the FCPA. In the Preamble to the FCPA, one of the reasons listed for its enactment is that by having such robust anti-corruption legislation in place, US companies could more easily resist the demand for payment of bribes by corrupt foreign officials. One of the guiding principles of a robust FCPA compliance and ethics business program for a US company is to have a Code of Business Ethics which prohibits bribery and other forms of corruption of foreign governmental officials and most US companies doing business internationally have such a Code in place. These Codes uniformly cite FCPA inspired language which prohibits such conduct. This enables a US company employee transacting business overseas to correctly and accurately state that his or her employer specifically prohibits the payment of bribes and engaging in corruption. Such a strong statement of US policy, when delivered by an individual employee, may be the strongest manifestation of the goal of this final prong listed in the Preamble to the FCPA; a tangible business reason, why a US company must not, cannot, and will not engage in corruption of a foreign official.

The House Committee also focused the alleged loss of jobs by US companies due to the FCPA. Just imagine how many jobs that Avon could have created if it had not engaged in “possible” FCPA violations and did not have to spend north of $100 MM to internally investigate these “possible” FCPA violations. Even Tyson Foods, with a scorecard of no individual prosecutions for self-admitted violations, could have used some of its reported $5.2MM in fines and penalties paid to the DOJ and Securities and Exchange Commission (SEC) to create jobs. So maybe the answer to job creation is not to amend the FCPA but that US companies should do as DOJ witness Greg Andres stated at the House hearing and not engage in bribery.

Alas the Astros have now become the first team to reach the 50 loss mark in the Major Leagues this year. Unfortunately it does not appear that the Astros have such strong basics to a fall back on this year so the only way the Astros may relate to this discussion of the FCPA is to conclude that we may only be able to enjoy the show the rest of the year.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Regulatory Compliance Risk Assessment: Identifying Key Legal/Regulatory Risks

Ed. Note-I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”.   Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she suggested outlined in that article.  This is the first posting in this follow up series.

Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries that your company currently operates. 

We believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country by country basis. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) ERM Framework defines ERM as follows:

 

Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

 

The key is that ERM is process.  It is not a “one time” exercise.  The same holds true for Legal/Regulatory /Compliance risks facing your company.  Laws and regulations can change on a regular basis.  Keeping up with the myriad of changes can be a difficult task for compliance and legal departments- especially at smaller firms or companies.  This is why we suggest that you need to “divide” the company into various “Risk Centers” and identify the “Risk Owners” within each Risk Center.  Responsibility for monitoring and notifying the Legal/Compliance departments of any change in the legal/regulatory requirements should remain with the “Risk Owner”.

So who are some of the key “Risk Owners” in any organization?  Clearly the Human Resources department is one key “Risk Center”.  There are a myriad of U.S. Federal and State employment laws including, but not limited to: (a) Title VII of the Civil Rights Act of 1964; (b) Age Discrimination in Employment Act; (c) Americans with Disabilities Act; (d) Equal Pay Act; (e) Immigration Reform and Control Act of 1986. In addition, if you are a company operating internationally, you must have a “risk owner” who has responsibilities for the local Human Resources laws.  For instance did you know that the Mexican Constitution (at least at one point in time) contained a “Declaration of Social Rights” that deals with minimum working conditions, salaries, equality of treatment, job security, the right to strike, and mandatory profit sharing?  The Brazilian Labor Code has adopted many of the same principles and has created a system of Labor Courts that are quite favorable to all Brazilian workers – both blue and white collar.  But there are small differences in the employment laws between Mexico and Brazil that require someone with specialized knowledge within your company to “own” the risk.

Another “Risk Center” could be the Logistics or Supply Chain Management Department.  If this Department is responsible for interfacing with Freight Forwarder companies (i.e. A company which is hired to move shipments between foreign and domestic locations, or a portion of the way.  Freight forwarders handle many of the formalities involved in exporting and importing such shipments), then it should “own” the legal/regulatory compliance risks associated with exporting and importing.  Again, there are a myriad of U.S. Federal and State laws and regulations touching upon Import and Export activities including, (a) The Export Administration Act; (b) The Export Administration Regulations (EAR); (c) The International Traffic In Arms (ITAR); (d) Trading with the Enemy Act; (e) Antiboycott Regulations; (f) Foreign Corrupt Practices Act, to name a few.  In addition to the U.S. laws, there are significant local laws in foreign countries that regulate the importation and exportation of goods into the countries.  Did you know that there are different laws for the importation of vessels into Brazil depending upon whether or not the vessel is being used in the oil and gas industry?  Or that there are laws regarding the importation of automobiles into China? The point is that there are so many laws and regulations in every aspect of doing business that the most practical way of ensuring compliance is by having identifiable “Risk Centers” which designate a “Risk Owner” who has the compliance responsibility.  The compliance department can then act as the repository of the information, but the Risk Owner (i.e. that person closest to the risk).

What about Financial Record Keeping and Reporting?  Tom Fox has written numerous blogs regarding the Books and Records requirements contained within the Foreign Corrupt Practices Act.  The FCPA requires “issuers” (any company including foreign companies) with securities traded on a U.S. exchange or otherwise required to file periodic reports with the Securities and Exchange Commission (“SEC”) to keep books and records that accurately reflect business transactions and to maintain effective internal controls.  Another U.S. law which has significant internal Control requirements in the Sarbanes-Oxley Act of 2002.   Clearly, the Accounting/Financial Department(s) are another “Risk Center”.

What are the laws/regulations under each area? What is the appropriate “Risk Center” for each law/regulation for your company? Who is the designated “Risk Owner”?  Mapping out the answers to these questions will clearly be a step in the right direction in performing your Legal/Regulatory Risk Assessment.   Here are a few legal risk areas for your consideration: (a) Antitrust; (b) Bribery, Gifts and Entertainment; Conflicts of Interest; (c) Consumer Protection; (d) Customs, Import and Export Controls; (e) Environmental, Health and Safety; (f) Labor and Employment Law; (g) Financial Record Keeping and Reporting; (h) Government Contracting; (i) Intellectual Property; (j) HIPAA/ Security and Privacy; (k) Records Management; (l) Securities and Insider Trading;  and (m) Anti-Money Laundering.   This doesn’t even touch applicable international laws!  But it should help you get started with your Risk Assessment.  Good Luck!

Mary Shaddock Jones, Attorney at Law can be reached via email at  msjones@msjllc.com or via phone at 337-515-8527 (c); 337-513-0335 (0).

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. 

The Failure to Escalate or It Didn’t Make Sense

In a previously life I was a civil trial lawyer. For a portion of that career I defended companies in catastrophic injury cases. One common themes running through each of the catastrophes which underlay the inevitable litigation was there was always one point where if an action had been taken, or in some cases not taken, and accident would probably not have occurred.

That concept also translates to the compliance world as well. In almost every circumstance where a significant FCPA or Bribery Act compliance violation has arisen, if the issue had been reported or at least sent up the chain for consideration, there is a good chance that the incident would not have exploded into a full FCPA compliance violation. Matthew King, Group Head of Internal Audit at HSBC calls this concept “escalation” and he believes that one of the more key features of any successful compliance program is to escalate compliance concerns up the chain for consideration and/or resolution.

This means that in almost every circumstance regarding a compliance issue he had been involved with, at some point a situation arose where an employee did not report a situation or event up to an appropriate level for additional review. This failure to escalate leads to the issue not reaching the right people in the company for review/action/resolution and the issue later beomes more difficult and more expensive to deal with in the company. A company needs to have a culture in place to not only allow elevation but to actively encourage elevation. This requires that both a structure and process for that structure must exist. Then the company must train, train and train all of its employees. Lastly, while a whistleblower process or hotlines are necessary these should not be viewed as the only systems which allow an employee to escalate a concern.

The starkest example of which I am aware of this failure of escalate is the HP matter involving its German subsidiary and allegation of bribery to receive a contract for the sale of hardware into Russia. The Wall Street Journal has reported that at least one witness has said that the transactions in question were internally approved by HP through its then existing, contract approval process. Mr. Dieter Brunner, a contract employee who was working as an accountant on the group that approved the transaction, said in an interview that he was surprised when, as a temporary employee of HP, he first saw an invoice from an agent in 2004. “It didn’t make sense,” because there was no apparent reason for HP to pay such big sums to accounts controlled by small-businesses, Mr. Brunner said. He then proceeded to say he processed the transactions anyway because he was the most junior employee handling the file, “I assumed the deal was OK, because senior officials also signed off on the paperwork”.

Think what position HP might be in today if this temporary employee had escalated his concern. Initially, HP would not have been under investigation by governmental authorities inGermanyand Russian. In the United States, both the DOJ and SEC are investigating the transaction. More ominously for HP, investigators from these jurisdictions are also now investigating other international operations, including those in Russia and the former CIS states to ascertain if other commissions paid involved similar allegations of bribery and corruption as those in this German-subsidiary’s transaction.

The key would appear to be both having the systems in place to allow such escalation and to train all employees, including contract employees on how to escalate an issue. So is your company encouraging its employees to escalate their concerns regarding a transaction or do your employees simply approve a transaction because everyone else has done so?

Matthew King, Group Head of Internal Audit at HSBC was interviewed by Project Counsel Founder Gregory P. Bufithis. A YouTube video of the Gregory P. Bufithis interview of Matthew King, see may be viewed by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Stephen Clayton Reviews Mukasey’s Proposed FCPA Amendments

Ed. Note-today we have a guest post from our colleague Stephen Clayton, who has prepared a lengthy review and commentary on the written testimony Michael Mukasey submitted in the Sensenbrenner hearings in House of Representatives on June 15th. The full article is available here.  A shorter summary is below.

The proposals for reform being made by Mr. Mukasey could severely curtail the ability of the government to prosecute violations of the FCPA and could have the effect of reducing the incentive for companies to introduce or continue robust FCPA compliance programs.  The proposed amendments may make the world a safer place for those who pay bribes in international business.

My article agrees that clarifications to the way FCPA enforcement is done by the DOJ and SEC are necessary. But it joins with others who recommend this be done by guidance, not amendment to the FCPA itself.

In covering each of Mr. Mukasey’s 6 numbered proposals  – and 2 other proposals Mukasey references in his written testimony, the article hits the following points:

1. Adding a  Compliance Defense

Basing a major change to a working US law on the examples of untried UK and Italian laws is ill advised.   The details of the compliance defense in the UK law are not in the law but contained in Guidance from the Ministry of Justice. The UK affirmative defense of “having in place adequate procedures to prevent persons associated with the company from bribing” only applies to the strict liability crime of “Failure of Commercial Organisations to Prevent Bribery” stated in Section 7 of the Bribery Act. The FCPA does not contain the strict liability crime of Failure of a Commercial Organization to Prevent Bribery.  The combination of the Federal Sentencing Guidelines and guidance from the DOJ on the elements of an adequate FCPA compliance program (see Attachment C to the 2010 Alcatel-Lucent DPA) is more clear than the status of what constitutes “adequate procedures” under the UK law.

2. Clarifying the meaning of “Foreign Official” and “Instrumentality“

The confusion Mukasey fears in this area is not serious and reducing the scope of these definitions is not critical to companies which already have in place robust FCPA Compliance programs. They have dealt with these issues and moved on to determining how to deal with private corruption which generally accompanies government corruption.  The rule now and for the last 4-5 years has been, “Don’t Bribe Anyone.”  It is very important to know when your customers and business partners are “government.” and companies must make  a serious effort to know that.  That being said, improved guidance from the DOJ would be welcome.

3.  Improving Guidance from the DOJ

Mr. Mukasey correctly states that there is need for more guidance and direction from the DOJ and SEC.  The article provides  some specific examples including a leniency program and publication of information on decisions to not prosecute. The DOJ should take the efforts by the Chamber of Commerce to push amendments to the FCPA seriously and move to put in place guidance which negates the need for amendment.

4. Limiting Successor Liability

There is  a danger that creating a statutory  limitation of successor liability will allow companies to use or even create an acquisition to shield themselves from liability for corruption.  Mukasey’s statements that companies do very robust, exhaustive FCPA due diligence in merger and acquisition transactions is wishful thinking.  FCPA due diligence in most M & A transactions is far from adequate.   DOJ provided guidance in its Opinion on Halliburton’s request, and should provide further specific guidance in this area.  The FCPA should not be amended  to allow the profits and business gained by  international bribery to be passed to a successor with no liability.

5. Adding a Willfulness Requirement for Corporate Criminal liability

Mr. Mukasey’s is proposing a defense based on company senior management not knowing what its employees, subsidiaries and business partners are doing. To exempt  companies from responsibility because management does not make the necessary effort  to understand and control their employees and business would be bad for reducing corruption and bad for business.  Companies can actually set up business systems to know what their employees and subsidiaries are doing. A good FCPA compliance program will help with that business goal.

Mukasey introduces 2 additional reforms in this section:

– A Rebuttable Presumption that Gifts of De Minimis Value are not a Violation. This is a solution looking for a problem from a practical point of view. Companies with adequate FCPA compliance programs have dealt with it, but it should be the subject of DOJ guidance; and

– A Materiality Standard for Books and Records and Corporate Controls violations.   This proposal is an insidious attempt to gut enforcement of the Books and Records and Corporate controls parts of the FCPA.  Bribes made in international business are almost never material in monetary amount, they are material precisely because they are a violation of criminal law.

6. Limiting Parent Liability for Subsidiary Conduct Not Known to the Parent

Parent companies have complete power to manage and operate their subsidiaries, hire and direct their management and have full access to all to the subsidiary’s records and information.  Amending the law to allow a parent to use a subsidiary as a conduit to pay bribes and a shield from liability for corrupt activities based on the parent failing to understand what is going on in this part of its business would be a huge step backwards for reducing corruption.  It would reward poor management.

Mukasey bases his argument that amendments are necessary on faulty premises. His arguments are based the illusion that all companies have robust, state of the art FCPA compliance programs and are going to great expense to comply with a confusing and poorly written law.  Despite their sincere efforts to comply, they are being subjected to oppressive prosecution by the SEC and DOJ. They are being prosecuted for matters which are beyond their knowledge and control. Therefore substantial changes must be made to the law.  The trouble is that is not true.

Bribery in international business is common in many parts of the world and pervasive in some countries. Falsification of corporate books and records for various reasons is not unusual in international business.  There is an international trend towards criminalizing bribery in international business which has been led by the USA for 30 years. Weakening the FCPA through the amendments Mukasey advocates could end that US leadership and lead to more corruption. Companies can deal with bribery in their own business by instituting good business practices.  Companies with robust FCPA compliance programs are rarely subjected to prosecution. Despite the past 5 years of increased enforcement, most companies still have inadequate FCPA compliance programs which are not properly budgeted or staffed – or have no program at all. Many business people still do not take the law seriously.  The information is available for companies to determine how to assess their specific risks and set up a cost effective FCPA compliance program to prevent bribery and detect occurrences of corruption that slip through despite reasonable efforts.  Companies would be helped by further guidance from the DOJ and SEC.

Stephen Clayton ran the global anti-corruption compliance and investigation program for Sun Microsystems and has been an international business lawyer for over 30 years. He is now doing FCPA consulting in the San Francisco Bay Area and teaching a course in International Anti-corruption at Golden Gate University School of Accounting. He can be reached at stephen@stephenclaytonlaw.com.

Guidance on Good Practice Related to Extortion and Solicitation

I recently wrote about the White Paper, “Resisting Extortion and Solicitation in International Transactions” (RESIST). It is a practical tool to help companies train employees to respond appropriately to a variety of solicitations. In addition to the 22 scenarios which discuss solicitation of bribes, in the context of project implementation and in day-to-day project operations, RESIST provides an Annex entitled “Guidance on Generic Good Practice Related to Extortion and Solicitation.” The Annex is designed to provide an overview of generic responses to demands for these types of payments, as well as addressing major aspects of these individual risks.

The Annex sets out, for the compliance practitioner, a spectrum of practical actions to avoid or combat solicitation or extortion scenarios. The information is intended as practical suggestions, but the information is not intended as alternatives for sound ethical management judgment and common sense, based on appropriate professional legal, accounting, tax and other specialized advice when addressing a specific situation, in particular the advice necessary to understand and comply with national laws and regulations.

The Annex guidance is broken into two general areas. (1) Demand Prevention and (2) Demand Response. The suggestions are as follows:

I.      Demand Prevention – How to reduce the probability of the demand being made in the first place

General company anti-corruption policies

• Implement and enforce a zero tolerance anti-bribery policy.
• Establish a no-bribe and zero tolerance reputation by publicizing anti-corruption policies efforts and the related anti-corruption program.
• The company policies should be publicly available.
• Set up clear company directives including a whistleblowing policy.
• Provide training to operational and field personnel on relevant regulations and competition laws. Emphasize the criminal and reputational risks for the company and employees.
• Require high risk employees to sign a code of conduct statement no less than annually.
• Introduce anti-corruption clauses and audit rights in contracts with business partners, e.g. suppliers and sub-contractors, agents and consultants.
• Ensure that employees understand they should not refuse payment if faced with threats of violence.

Policies on Facilitation Payments

• Whenever feasible for your operations, implement a zero-tolerance policy against facilitation payments.
• If this is not possible, then implement a policy that rejects facilitation payments whenever possible, permitting only payments that are clearly unavoidable, requiring clear documentation of any such payment and having as an ultimate goal the elimination of such payments.
• Make demanding facilitation payments more difficult, e.g. having employees advise officials demanding payments that they must record and escalate within the company the payment and the relevant details, including the official’s name.

Policies for Company Representatives Who May be Exposed to Corruption Risks

• Train and discuss anti-corruption polices with relevant personnel before the start of a project.
• Consider incentives to report bribery demands.
• Consolidate disbursement mechanisms for high risk personnel.
• Whenever possible, operate as a team consisting of at least two employees who must comply with strict reporting directives and control mechanisms.
• When meeting with other parties, request to be accompanied by a lawyer, other professional adviser or another third party to reduce the probability of being asked for a bribe.
• Be on alert for inappropriate schemes; consult experts familiar with international transactions (financial, tax and legal) where concerns exist.
• Set up an action plan, in particular security measures, that can be relied upon to anticipate and manage the retaliation risk against people and assets.

Dealing with Specific Risk

• Establish a zero tolerance policy against payment or receipt of kickbacks from private business partners.
• Have a clear policy addressing conflicts of interest.
• Have a clear policy addressing gifts, entertainment and hospitality.
• Have a clear policy addressing political donations and charitable contributions.

Due Diligence and Management of Intermediaries and Agents

• Perform due diligence on agents, consultants and others involved in dealings with government agencies or business partners.
• Have clear guidelines governing selection of intermediaries.
• Ensure internal authorizations are obtained by appropriate corporate officials  prior to engaging a consultant or agent and making any fee payments.
• Enter into written agreements with intermediaries that include description of services provided, anti-corruption undertakings, maximum commission, termination and legal compliance clauses, including prohibition against payments to public officials and the right to audit intermediaries’ accounts.
• Ensure that all payments made by intermediaries are approved and/or co-signed by the company, and that company employees or representatives (e.g. lawyers) attend meetings between agent and public officials.

Implement Additional Control Procedures

• When beginning operations in a country, ensure that your company has sufficient knowledge of relevant laws, rules and procedures.
• Plan for project delays caused by your refusal to pay bribes.
• Ensure that your company complies with all relevant regulations and official requirements for operations in a country.
• Identify relevant key public officials and make them acquainted with your company and its anti-corruption policy and programs.
• Challenge illegitimate claims by public officials after seeking professional advice.

Support Transparency of the Procurement Process with Foreign Governmental Officials

• Engage in a dialogue with the appropriate foreign governmental officials to improve procedures in the procurement process and increase transparency.

Additional Precautions on the Procurement Process Involving Foreign Governmental Tenders

• Include assessment of corruption risk as standard procedure when selecting proposal opportunity.
• Assess corruption risks at the project level before engaging in bidding process.
• When bidding for large contracts, favor projects that are financed by multilateral financial institutions (e.g. World Bank) and that have a clear anti-corruption policy.
• Standardize review of bids by non-project team members, including senior operational personnel, risk management and finance specialists.
• Maximize opportunities for detection by employing additional control procedures to detect bribes.
• Segregate disbursement activities related to the bid from bid approval processes.

Initiation of Collective Action to Improve Business Integrity

• Encourage local professional and business associations and NGOs to engage with the government to enact laws and rules for transparent projects and transactions.
• Seek the leverage of international financial institutions to enhance the quality and predictability of public procurement.

Legal and Financial Precautions

• State in contracts that contractual disputes will be submitted to international arbitration on neutral ground.
• Provide contractually for disputes to be submitted to the jurisdiction of the International Centre for the Settlement of International Disputes if the host country and the country of the investor are parties to the ICSID Convention.
• Apply for guarantee by the Multilateral Investment Guarantee Agency (MIGA) if the host country and the country of the investor are MIGA members, or by a similar national organization of the country of the investor.

II.   Demand Response – How to react if such a demand is made?

Immediate Response

• Take time to think about the situation, do not act alone, and stick to your mandate.
• Answer that the solicitation (direct or indirect) is to be made in writing and needs to be reported to your management.
• Refuse payment on the grounds that any solicitation violates the business principles of your company.

Report Internally

• Immediately report to management or the appropriate officer assigned with matters involving the code of conduct (e.g. compliance officer) and define an appropriate strategy.
• Record the incident and make an internal assessment to define corrective actions.

Investigate

• Investigate the deal and the intermediary, as well as past deals with the same counterparties and/or intermediary in same country or even other countries.
• Include legal, operational and risk management specialists.
• Retain investigation results for both legal implications and future risk assessments.

Discuss With the Relevant Parties

• Go back to the soliciting person or his/her superior with at least one witness (management, adviser, bank representative) with the following position: Reaffirm your willingness to do business, perform the project or transaction, carry out the activity and ignore the solicitation.
• Report (directly or anonymously) to the appropriate level of the organization allegedly represented by the person demanding the bribe.
• Explain to the persons making the solicitation that the proposed scheme could expose all the parties (individual and company) to a prosecution risk not only in the country where the deal occurs but also in OECD countries under regulations fighting corruption or money laundering.
• Convene meetings of all parties and discuss potential challenges to successful dealings such as requests for bribes, without disclosing too many details this should serve as a deterrent to the guilty party.

If Suspicions are Substantiated, Disclose Externally

• Government – use various governmental agencies to report corrupt organizations.
• Embassy or consulate representing your home country to seek guidance and support.
• Financing institutions, if any export credit financing or coverage is proposed.
• Competitors, if they are subject to a regulatory environment similar to yours.
• Industry trade association in the host country to report on a “no name” basis and in a collective manner such solicitation to relevant authorities.

Withdraw

• Withdraw from the project or transaction and disclose the reasons for the withdrawal to the public, to international organizations and/or selected officials of the country organizing the tender.

This list is not designed to be exhaustive. Each situation may demand unique responses. Nevertheless, the above list is an excellent road map by which the compliance practitioner can evaluate several aspects of a company’s compliance program. We recommend it to you.

The full document may be downloaded at http://www.iccwbo.org/policy/anticorruption/index.html?id=37568.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Why Perform FCPA Due Diligence? (and what happens in you don’t)

So what are Red Flags and where do they appear? What level of due diligence does your company require for an entity based in the United States? How often during the pendency of a transaction or business relationship should your company update its due diligence? These questions and others were brought up in a recent article in the Wall Street Journal (WSJ) about a civil-racketeering lawsuit by the government of Ukraine against Olden Group, an Oregon based company. In the June 13, 2011 edition of the WSJ was an article by Dionne Searcy entitled, “Court Order US Firm to Pay Ukraine”. The article details a lawsuit which stemmed from an investigation, ordered by the President of the Ukraine, into medical supplies purchased by the government administration which preceded the most current administration.

The investigation was assisted by the US Company Kroll Inc., which issued a report on Olden Group. In its report, Kroll noted that Olden was tied to a “web of offshore companies registered in the US and tied Olden to past fraudulent schemes.” The Kroll Report and other information led the Ukrainian government to file the lawsuit. The Ukraine lawsuit alleged that Olden entered into sham contracts with a Ukrainian firm named Interfarm LLC to submit “phony customs declarations” which misstated prices that the Ukrainian government paid for vaccines. These overcharged monies were then laundered through both US and Latvian banks. These monies have disappeared.

As reported in the WSJ, based upon corporate records obtained from the state of Oregon, Olden Group is owned by two separate companies. The first is named Worldwide Management and has an address which is a post office box in Belize. The second is an entity named International United Holding AG and is based in Niue, an island in the South Pacific. Further these two companies are shareholders of numerous companies owned by two individuals, Charles Mathias and W. Rick Fletcher, who were reported in WSJ article to be “shareholders in numerous companies incorporated in Oregon.” When reached by the WSJ for comment, Mr. Mathias related that he has “registered numerous firms on behalf of several Eastern European organizations.” State of Oregon records revealed that Mr. Mathias had registered about 2,762 companies in Oregon.

The WSJ article also noted that one of the firms related to the Olden Group was named in the US Department of Justice’s (DOJ) bribery and corruption case against Daimler. This allegation involved one of the 2,762 companies which Mr. Mathias had incorporated in Oregon, United Petrol Group. It was alleged by the DOJ to be a part of Daimler’s corrupt acts to bribe certain Latvian government officials to obtain contracts. Lastly another entity formed by Mr. Mathias, Ronberg Gruppe, was placed on the World Bank blacklist in September 2010 for having “engaged in fraudulent practices relating to a [World Bank] project in Afghanistan.

I have set out this rather detailed description of the WSJ article to illustrate, once again, the need for continued vigilance throughout the due diligence process. Simply because your agent/vendor/business relationship is located in the United States, does not mean that you can automatically limit your due diligence inquiry to a Level One search. You must also be vigilant in obtaining related party information on the entity with which you are doing business with and obtain a list of the principles and check on them as well. The experience of the Ukraine government and the information from the Wall Street Journal article clearly demonstrates the pitfalls of failing to do so.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011