FCPA Compliance and Ethics Blog

July 29, 2011

Traffic Drives Nigerians Nuts, But a Trip to a Shrink May Go Too Far!

Ed. Note: Today we host a posting from our colleague Mary Shaddock Jones.

Note from Mary Jones: There are some days when having the ability to write blogs is just simply too much fun. Today is one of those days. But before you read my article, I must admit that I rarely get feedback from any that I publish, so I oftentimes wonder: is anyone reading what I am writing? Is it helpful? I would love to hear from you if you have any suggestions for blogs or topics you want to discuss. So write me! msjones@msjllc.com. Let me know what you are interested in reading about.

In any event, getting back to today’s topic: the front page of the Wall Street Journal on Wednesday contained an article titled “Traffic Drives Nigerians Nuts, But a Trip to a Shrink May Go Too Far!” “Enforcement of One-Way Rules In Lagos Tests Motorists’ Sanity; A Lot of Cannabis”. The article contained the following statements. “Seeking to stem an epidemic of wrong-way driving, Lagos authorities have ratcheted up the standard $160 fine. Scofflaws (what is that?) now also face psychiatric evaluations. Contesting the charges can jack up the fine to $1,600, and you still get sent to a shrink.” Interesting, but the article continues on with a few of the following statements: “And ordinary Lagosians routinely bribe security guards to let them cut across parking lots and construction sites.” “Locals say the mental exams are less about health than wealth, because they give cops leverage to exact bribes.” … “One morning last summer, Ikechukwu Ozoh, an oil industry engineer, was stopped by the special ‘Anti-One-Way Squad.’ Mr. Ozoh pointed out that the one-way sign was hidden by a tree and the cops agreed, but when Mr. Ozoh refused to pay a bribe on the spot, the police impounded his car and said he couldn’t retrieve it until he passed a psychiatric test. He hired a lawyer, but gave up and went for his psychiatric evaluation. He was given a ‘Certificate of Sanity’ and allowed to retrieve his car and drive.”

Why write about this article today? Because it is important to remember how important local laws and local customs are when training on compliance. I traveled to Lagos to give face to face compliance training to the employees of my former employer. Thankfully I didn’t experience the “Anti-One-Way Squad”! However, we believed then, and still do believe today, that face to face training in the country where employees are located is critical. As I went around the world, from Lagos, to Luanda, to Mumbai, to Brazil, etc., I often heard “but Mary, you have no idea what we face in our jobs”. I would say, “You are correct. I don’t know because I don’t live here and I don’t do your job. But I do care, and I know that we must stand firm in abiding by the Foreign Corrupt Practices Act. We will not pay bribes. Period, end of conversation.” Then I would say, “But I need you to tell me what you are facing so that we can address the issues head on”. I learned so much about my co-employees and some of the issues they faced when I made the effort to reach out to them on their home turf.

So next time you start to devise a training program, remember that in Nigeria, bribes are routinely demanded, and if you don’t pay, you could end up in a psychiatric hospital trying to get a “Certificate of Sanity”. Your training needs to recognize what is happening in the area and then train your employees how to appropriately respond. If that means an employee spends a day in the psychiatric hospital for doing the right thing, then so be it. Let them be a role model to others… We do not pay bribes. Period.

July 28, 2011

The Board of Directors and Compliance

What is the role of a company’s Board when it comes to Foreign Corrupt Practices Act (FCPA) compliance? The Board should not engage in management but should engage in oversight of a Chief Executive Officer (CEO) and senior management, which it does by asking hard questions and through risk assessment and identification. These questions were brought to the fore in an article in the Tuesday edition of the Wall Street Journal (WSJ) entitled “News Corp. Board Challenged” by reporters Russell Adams and Joann S. Lublin. In this article they discussed the Board of Directors of News Corp and its response to the current scandal engulfing the company. While focusing on the independence of the Board from the influence of the Murdochs, the article also discussed whether the structure of the Board will allow it to “properly police the company.”

While generally the role of a Board should be to keep really bad things from happening to a Company, once really bad things have occurred the Board needs to take charge and lead the effort to rectify the situation or perhaps even save the company. While giving oversight to risk management through an Audit Committee or a Compliance Committee is a good first step, such a committee needs to have sufficient independence from the management which got the company into such hot water to begin with. To this end the WSJ reporters quoted corporate governance expert Neil Minow for the following: “The probe cannot be conducted effectively while Mr. Murdoch is in charge.”

In a White Paper entitled “Risk Intelligence Governance – A Practical Guide for Boards”, the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of risk governance. These six areas can be summarized as follows:

  • Define the Board’s role – there must be a mutual understanding between the Board, CEO and senior management of the Board’s responsibilities.
  • Foster a culture of risk management – all stakeholders should understand the risks involved and manage such risks accordingly.
  • Incorporate risk management directly into a strategy – oversee the design and implementation of risk evaluation and analysis.
  • Help define the company’s appetite for risk – all stakeholders need to understand the company’s appetite or lack thereof for risk.
  • How to execute the risk management process – the risk management process should maintain an approach that is continually monitored and has continuing accountability.
  • How to benchmark and evaluate the process – systems need to be installed which allow for evaluating and modifying the risk management process as more information becomes available or facts or assumptions change.

All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially, it must be important that the Board receive direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer (CCO) to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as an Audit Committee may more appropriately deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.

There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the Securities and Exchange Commission (SEC) desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Reg SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.

At this point it is not clear what, if any, of these factors or guidance the Board of News Corp has implemented. The WSJ reports that News Corp. has created a management and standards committee “tasked with cooperating on investigations into voicemail interceptions and alleged improper police payments at its U.K. newspaper unit.” Furthermore this committee will be “conducting its own enquiries” and proposing new standards. So perhaps it may all work out in the end. Or perhaps this committee will continue to receive the rating given to the News Corp Board by Mr. Minow since 2003 for its governance and effectiveness; that being an “F”.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

July 27, 2011

Will No One Rid Me of this Meddlesome Priest?

Tone at the Top has become a phrase inculcated in the compliance world. The reason it is so important to any compliance program is because it does actually matter. Any compliance program starts at the top and flows down throughout the company. The concept of appropriate tone at the top is in the US Sentencing Guidelines for organizations accused of violating the Foreign Corrupt Practices Act (FCPA); the Department of Justice’s (DOJ) best practices for effective compliance programs which have been released with each Deferred Prosecution Agreement (DPA) over the past year; the UK Bribery Act’s Six Principles of Adequate Procedures; and the OECD Good Practices. The reason all of these guidelines incorporate it into their respective practices is that all employees look to the top of the company to see what is important. Or to quote my colleague Mike Volkov, who quoted Bob Dylan, in opining “You don’t need to be a weatherman to know which way the wind blows”.

The US Sentencing Guidelines read:

High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program … and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

The OECD Good Practices read:

  1. strong, explicit and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programs or measures for preventing and detecting foreign bribery;

The UK Bribery Act Guidance for the Six Principles of Adequate Procedures reads:

The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.

Attachment C, to each DPA released in the past year, has the following:

2. [The Company] will ensure that its senior management provides strong, explicit, and visible support and commitment to its corporate policy against violations of the anti-corruption laws and its compliance code.

The Foreign Corrupt Practices Act (FCPA) world is riddled with cases where the abject failure of any ethical “Tone at the Top” led to enforcement actions and large monetary settlements. In the two largest monetary settlements of enforcement actions to date, Siemens and Halliburton, for the actions of its former subsidiary KBR, the government specifically noted the companies’ pervasive tolerance for bribery. In the Siemens case, for example, the Securities and Exchange Commission (SEC) noted that the company’s culture “had long been at odds with the FCPA” and was one in which bribery “was tolerated and even rewarded at the highest levels”. Likewise, in the KBR case, the government noted that “tolerance of the offense by substantial authority personnel was pervasive” throughout the organization.

In addition to the two cases set out above, in a 2003 report, the Commission on Public Trust and Private Enterprise cited a KPMG survey covering selected US industries, which found that 37 percent of employees had, in the previous year, observed misconduct that they believed could result in a significant loss of public trust if it were to become known. This same KPMG survey found that employees reported a variety of types of misconduct and that the employees believed this misconduct is caused most often by factors such as indifference and cynicism; pressure to meet schedules; pressure to hit unrealistic earnings goals; a desire to succeed or advance careers; and a lack of knowledge of standards.

So how can a company overcome these employee attitudes and replace the types of corporate cultures which apparently pervaded at News Corp and re-set its “Tone at the Top”? In a 2008 speech to the State Bar of Texas Annual Meeting, reprinted in Ethisphere, Larry Thompson, PepsiCo Senior Vice President of Governmental Affairs, General Counsel and Secretary, discussed the work of Professor Lynn Sharp at Harvard. From Professor Sharp’s writings, Mr. Thompson cited five factors which are critical in establishing an effective integrity program and to set the right “Tone at the Top”.

  1. The guiding values of a company must make sense and be clearly communicated.
  2. The company’s leader must be personally committed and willing to take action on the values.
  3. A company’s systems and structures must support its guiding principles.
  4. A company’s values must be integrated into normal channels of management decision making and reflected in the company’s critical decisions.
  5. Managers must be empowered to make ethically sound decisions on a day-to-day basis.

So whether with malicious intent or simply said out of frustration, when Henry II uttered the words which are the title of today’s posting, it set the tone for the four knights who overheard him. They set off and murdered Thomas Becket. Perhaps less starkly in today’s world, if the tone from the top is that you must meet your quarterly numbers or the company will find someone else to do the job, that is the message that will come across to company employees. But whether you are the King of England, the CEO of a Fortune 500 company or simply in a leadership position in your company, the tone does matter.

=======================================================

Episode 13 of This Week in FCPA is up. Check out Howard Sklar and myself on this week’s topics.


July 26, 2011

How Cyrano de Bergerac Portends the Compliance Assessment

In a recent article entitled “The Breakthrough Myth” author Clive Thompson postulates that most radical new technologies have been “percolating in plain sight for years.” He begins with the position that everyone is looking for the Next New Big Thing or as I like to say, the “New New Thing”. This is based upon the assumption that all breakthroughs are “inherently surprising, so it takes a special genius to spot one coming.”

Thompson goes on to point out that such breakthroughs are not how innovation works. He cites Bill Buxton for the proposition that “paradigm-busting innovations are easy to see because they are already lying there-close at hand.” Further, anything that will have an impact in the next ten years has already “been around for 10 years.” He cites Buxton for the name of this phenomenon, the “long nose theory of innovation.” Is this some type of reference to Cyrano de Bergerac (or perhaps more recently, Steve Martin in Roxanne)? No, all this means is that big ideas poke their noses into consciousness very slowly, “easing gradually into view.”

I would add my own corollary for the compliance world: the train moves most slowly when leaving the station, but after it leaves, it certainly picks up speed. The most prescient example is the compliance assessment. At the Compliance Week 2010 Annual Conference one of the issues discussed by Lanny Breuer, Assistant Attorney General for the Criminal Division of the US Department of Justice (DOJ), was what might constitute some of the elements of an effective compliance and ethics program under the Foreign Corrupt Practices Act (FCPA). In the Q&A following his prepared remarks, Breuer answered a question from the floor and indicated that an annual assessment was one such element. This annual assessment is different from a biennial compliance audit, utilizing a company’s internal audit department or outside professional auditors.

One of the purposes of the compliance assessment is to determine if any new elements of an effective compliance program have been developed in the past year and if they should be incorporated into your company’s compliance program. After I blogged about this point, several people asked me for the text where Breuer spoke about this point and I informed them that it was raised in the unscripted Q&A session with Compliance Week Editor Matt Kelly. Back in May 2010, this was a new component of a best practices compliance program; now, one year later, an annual assessment is viewed as a key component of such a compliance program.

To demonstrate the “long nose theory” one only need look at the Johnson & Johnson Deferred Prosecution Agreement (DPA), released in April of this year. In addition to the (now) standard Attachment C, in which the DOJ listed its minimums for a best practices compliance program, there was an Attachment D, entitled “Attachment D-Enhanced Compliance Obligations”. It was designed to be in addition to, and to build upon, the commitments made by Johnson & Johnson in Attachment C.

These enhanced obligations include the following:

  1. Compliance Department – A senior executive will serve as the Chief Compliance Officer (CCO) and shall report to the Audit Committee of the Board. There shall be heads of compliance within each business sector and corporate function. There shall be a Global Compliance Leadership Team which reports to the CCO.
  2. Gifts, Hospitality and Travel – Gifts are limited to those in “modest” value and appropriate under the circumstances. Hospitality and travel is limited to reasonably priced meals, accommodations and incidental expenses and should be a part of education programs, training, business meetings or conferences. Hospitality and travel are limited to the officials not others.
  3. Complaints and Reports – In addition to maintaining a mechanism for making reports, the company shall create a “Sensitive Issue Triage Committee” to review and respond to any such FCPA issues as may arise.
  4. Risk Assessments and Audits – The company will conduct risk assessment in markets where it has customers who are foreign governments. The company will annually conduct FCPA audits for a minimum of five operating companies who are in high risk markets and after the initial audit every three years for any such operating entity. These audits shall include, at a minimum: (1) onsite visits by auditors and where appropriate legal and compliance personnel; (2) review of payments to health care providers; (3) creation of action plans from these audits; and (4) review of the books and records of distributors and agents.
  5. Acquisitions – To the extent possible, conduct a pre-acquisition FCPA audit of any acquisition target and after acquisition a full FCPA audit within 18 months and training of all relevant personnel and business representatives within one year of acquisition.
  6. Relationships with Third Parties – The company shall conduct a thorough due diligence of all third party representatives including: (1) a review of the qualifications and business reputation of the third party; (2) written rationale for the use of the third party; and (3) a review of the FCPA risk areas. Due diligence is to be conducted by a local business and compliance representative and elevated for review if Red Flags appear or as appropriate. Contracts with such third parties are to include appropriate FCPA compliance terms and conditions including: (i) representations and undertakings of the third party to compliance; (ii) right to audit; and (iii) right to terminate.
  7. Training – Annual training to all directors, officers and employees who could “present corruption risk” to the company. The company shall provide enhanced and more in-depth training to those involved in company sponsored FCPA audits or those on the company acquisition team. Last, the company shall provide training to “relevant third parties acting on the companies behalf” at least every three years.
  8. Annual Certifications – The company shall implement a system of certifications from “each of J&J’s corporate-level functions, divisions, and business units in each foreign country confirming that their local standard operating procedures adequately implement J&J’s anticorruption policies and procedures, including training requirements, and that they are not aware of any FCPA or other corruption issues that have not already been reported to corporate compliance.”

The J&J Enhanced Compliance Obligations would seem to fall under the “long nose theory” as the nine points set out as obligations are not unfamiliar to the FCPA compliance practitioner. They build upon concepts which have been articulated for some time in the compliance arena. But by utilizing the annual compliance assessment a company may more nimbly move towards a best practices compliance program by determining if it currently has these concepts incorporated into its program. If not, it can implement these changes more easily than by waiting every two years.


July 25, 2011

A Tip of the Hat to Cadel Evans and the Code of Conduct

If you are a cyclist, the most famous Aussie in the world today is Cadel Evans, the first Australian to win the Tour de France. In the compliance world, the other most famous Aussie is still Rupert Murdoch. So today we tip our hat to Cadel for a great three weeks of cycling and the time trial of his life on Saturday to win the Tour.

However, in the compliance world, the Murdochs and News Corp continue to provide a veritable plethora of lessons learned. Today we focus on that most basic step of any compliance program – the Code of Conduct. A written Code of Conduct is one of the key components of a best practices compliance program; whether that compliance program is based upon the US Sentencing Guidelines and the Foreign Corrupt Practices Act (FCPA); UK Bribery Act’s Adequate Procedures; or the OECD Good Practices. However, much more than a written Code of Conduct is required for any compliance program to succeed. I do not think that this statement would be news to any compliance practitioner or even controversial, nevertheless it was apparently news to News Corp. The lead article in Friday’s edition of Ethisphere Corporation’s Daily GRC Digest, discussed the following:

The top story today is that News Corp.’s much touted Code of Conduct is absolutely USELESS, as News Corp. failed to inform and educate employees about it. The new code, released in May, receives a B+ from Ethisphere, which is an improvement from the substandard C its former code, implemented in July 2006, received; however, with no clear communication and training plan, nor any comprehension aids in the code, News Corp.’s Code of Conduct is worthless in preventing wrongdoing like the voicemail-hacking and police-bribing scandal or protecting the company in the event of such malfeasance.

The GRC Digest article linked to an article in the July 19 edition of the Daily Beast by David Graham, where he discussed the 56 page News Corp Code of Conduct in the context of the UK Parliamentary hearings last week where both Rupert and James Murdoch testified. Graham reported that the Murdochs referred to the News Corp Code of Conduct as “setting up the code as the cornerstone of ethics at the company, and potentially a “paragon” for journalists across the globe.”

The GRC Daily noted that Ethisphere had graded the News Corp Code of Conduct as B+, which was an improvement over its prior Code of Conduct. However, such a robust 56 page Code of Conduct is not worth much if, in the words of the GRC Daily, there is “no clear communication and training plan, nor any comprehension aids in the code, News Corp.’s Code of Conduct is worthless in preventing wrongdoing like the voicemail-hacking and police-bribing scandal or protecting the company in the event of such malfeasance.”

So the lesson learned from News Corp’s 56 page B+ rated Code of Conduct is that such a Code is worthless unless trained upon and actually implemented by management. I really don’t think this is news but if your management does not seem to understand this important concept perhaps you can pass this article along to them for easy reference.

=======================================================

Speaking of easy reference, the GRC Digest is yet another tool available to the compliance practitioner at no cost. It comes in a daily email blast sent to you by Ethisphere; it contains news of the day, with links, and highlights upcoming webinars and speaking engagements. It is easy to read, fun to digest and, as the name implies, focused on governance, risk and compliance. To subscribe to the GRC Digest, click here.

Lucky Episode 13 of This Week in the FCPA is up. Howard Sklar and I talk about News Corp., Willis Ltd. and McMillan Publishing Company and debarment. To view Episode 13, click here.


July 22, 2011

The FSA Bares its Teeth: Be Aware of International Enforcement Regimes

While many companies here in the US complain about the enforcement of the Foreign Corrupt Practices Act (FCPA), and are actively seeking to soften its enforcement by lobbying Congress to amend the FCPA, just imagine how they might feel about paying a multi-million dollar fine for a situation in which no bribery was proven. That is the situation that UK insurance broker Willis Ltd. found itself in yesterday, in what reporter Sam Rubenfeld termed “the largest fine by the FSA (the UK Financial Services Authority) … ever imposed for failure to implement controls to prevent financial crimes”. The FSA announced on July 21 that it had assessed a penalty of £6.9MM to the insurance broker Willis Ltd. for failing to ensure payments it made to third parties were not used for corrupt purposes.

In an article in the Wall Street Journal’s Corruption Currents blog, entitled “FSA Fines Willis GBP6.9 Million For Anti-Corruption Failures”, Rubenfeld detailed that Willis had, from January 2005 through December 2009, made payments of over £27MM to foreign third party agents to assist in obtaining business of £60MM. Of this £27MM there were $227,000 (yes the FSA switched from GBP to USD in mid-Final Notice) identified in suspicious payments to counterparties in Egypt and Russia, which the FSA said were referred to the UK Serious Organized Crime Agency for further investigation.

Rubenfeld noted that the fine could have been significantly higher as the FSA recognized that Willis had “taken significant steps” to address failings identified by the FSA. These steps, together with Willis’ cooperation and willingness to settle, qualified the company for a 30% discount on its fine. He reported that without the discount, Willis would have had to pay £9.85 million. So for those of you keeping score at home, that is £60MM ($97MM) in business, generating £27MM ($44MM) in commissions, for which a ‘suspicious $227K’ was found. All of this resulted in a fine of £6.9MM ($11.2MM).

The FSA Final Notice detailed several clear guidelines which the UK Bribery Act or FCPA practitioner may find useful in establishing an adequate procedures or best practices compliance program. The FSA stated the following failings at Willis:

  • Willis failed to make and document a business case for the payments to overseas third parties;
  • No formal training was provided to Willis’ staff in analyzing requests for payments or third party billings;
  • There was no risk assessment of the third parties;
  • There was inadequate monitoring of the third parties;
  • There was inadequate due diligence performed on the third parties, particularly their relationships to foreign governmental officials; and
  • Willis ignored clear Red Flags that the third parties would make improper payments.

All of these factors led to an overall “weak control environment” regarding payments to foreign third parties. This gave rise to unacceptable risk that the payments made to these third parties could be used for the payments of bribes. The FSA noted that although Willis had introduced improved policies and guidance, aimed at reducing and better managing its compliance risks, the company failed to ensure that these new policies were followed. Additionally, although the Willis Board was involved in the new policy development, the Board did not receive adequate information from senior management to assess whether the risks of bribery and corruption “were effectively mitigated.”

So while your company is complaining about the US enforcement regime, perhaps it might reflect on actual violations of the FCPA, or as our colleagues from thebriberyact.com, Barry Vitou and Richard Kovalevsky, QC, put it yesterday, “If your business is regulated by the FSA take note. This warning is directed to your business.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

July 21, 2011

Identification of Legal and Regulatory Risks: Gap Analysis with the Human Resources Department

Today we have a guest post from our colleague, Mary Shaddock Jones.

Several weeks ago I wrote a series of articles entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”.   One article in the series was “Identifying Key Legal/Regulatory Compliance Risks” facing your company.  As we all know, laws and regulations can and do change on a regular basis.  Keeping up with the myriad of changes can be a difficult task for compliance and legal departments- especially at smaller firms or companies.  This is why we suggested that you need to “divide” the company into various “Risk Centers” and identify the “Risk Owners” within each Risk Center.  Responsibility for monitoring and notifying the Legal/Compliance departments of any change in the legal/regulatory requirements should remain with the “Risk Owner”.

The first element of an effective compliance program under the U.S. Sentencing Guidelines is to have Established Policies and Procedures to prevent and detect non-compliance with regulations. While the U.S. Sentencing Guidelines specifically target “criminal conduct”, companies would be wise not to limit their “risk assessment” or “gap analysis” to only criminal conduct. Most, if not all, companies possess a number of corporate policies that govern employee behaviors.  The person in charge of the Compliance function should first identify the policies that exist across the company, utilizing a gap analysis to catalog the existence of corporate policies across the company and noting policy gaps and inconsistent application of policies across various locations.  The Risk Centers and Risk Owners, perhaps with the assistance of the Compliance Department, will be tasked with filling the gaps and standardizing conflicting policies.

In order to be compliant, you have to know what you have to be compliant with!   So how do you work with the “Risk Centers” and the “Risk Owners” to structure the identification of legal and compliance risks in a way that can be managed and utilized with some degree of ease? The answer is, in my opinion, with a lot of hard work and persistence by working department by department!  Let’s start the process by focusing on the Human Resources Department (“HR”).

There are numerous labor and employment laws (International, Federal, State and Local) which govern the relationship between companies and their employees. Here are a few questions that the Compliance Officer may pose to the HR department in order to perform a gap analysis regarding policies and procedures:

  1. Does the HR department have an inventory of policies, procedures, laws and regulations covering employees and employment related matters applicable to the company’s business?
  2. If yes, do you have a specified person who is in charge of updating the inventory?
  3. If no, what system does the HR department utilize to ensure that it is aware of the various laws and regulations and has a process to comply with them?
  4. What evidence would the HR department be able to produce to the government to support a finding that the company has a solid compliance program for applicable labor and employment laws and regulations?
  5. What types of training are mandatory for all employees, which are optional and how does HR track and document completion?  How is the training performed? Is it provided in the native language of the employee or only in English?
  6. What types of enforcement actions are predominant in the labor and employment arena? How does the HR department track such actions? (e.g., I-9’s and Independent Contractor designations, to name two items which appear to currently be under the microscope)
  7. Are employees within the HR department specifically trained to understand compliance requirements applicable to the labor and employment arena?
  8. Does the HR department provide senior management with periodic updates on the monitoring of results, key risks, and compliance violations within HR?
  9. Has the HR department established some type of escalation criteria to ensure that high-risk issues are reviewed at the corporate level?
  10. Does the HR department have compliance monitoring standards in place?  Does the HR department perform periodic audits to ensure that the policies and procedures are being complied with?

These are only a few of the questions that you may want to ask to begin the process of assessing what labor and employment laws and regulations apply to your company.  In addition, I am always looking for good resources so that I don’t have to recreate the wheel.  Here are two that I found searching the internet that may be of assistance in identifying legal and regulatory requirements applicable to the HR department.

  1. “Getting The Deal Through Online”  http://www.gettingthedealthrough.com/  This website (free for in-house counsel according to the website) provides international guides to law and regulation in 45 practice areas and more than 100 jurisdictions.  One of the books published is entitled “Labour & Employment 2010”.  The book is written in a question and answer format addressing many common issues that arise in the employment setting. Each chapter focuses on one of the 41 jurisdictions highlighted, such as United States, Argentina, Australia, Brazil, China, Colombia, etc.
  2. Employment-Labor Law Audit (ELLA®). According to the website of The Institute of Internal Auditors- the ninth edition of ELLA® is the nation’s leading HR auditing and employment practices liability risk assessment tool and process.

My final suggestion is to work with the HR (and possibly the Audit) department to have a consolidated “Human Resources Compliance Audit Checklist” that can be used to audit (and document) the company’s HR Compliance Program.

When in doubt, contact a good labor and employment attorney both in the U.S. and locally in whatever foreign country you are operating, and have them review the HR Compliance Audit Checklist.  Enlist their help in keeping you advised of changes in the applicable labor and employment laws which apply to your company.

The key to compliance, in my opinion, is having the proper structure to identify the issues, implement policies and procedures to address the issues, audit for compliance and document, document, document.

Mary Shaddock Jones, Attorney at Law and former Assistant General Counsel and Director of Compliance at Global Industries, Ltd., can be reached via email at msjones@msjllc.com or via phone at 337-515-8527.


July 20, 2011

Ready for the Heat Wave – Con Ed’s Process in the Compliance Arena

Filed under: compliance programs,FCPA — tfoxlaw @ 11:53 am

In the Process Section of the August issue of Wired Magazine is an article by Mike Olsen entitled, “How Con Ed averts blackouts during a heat wave”.  Being from Houston and living in one of the hottest summers on record, I was interested in how the electric company in New York City might handle a heat wave and attendant overloading of the Big Apple’s power grid. The article set out the procedures which Con Ed has in place. While noting they were “worthy of NORAD”, the article drove home to me, once again, how important a process is to a Foreign Corrupt Practices Act (FCPA) compliance program.

Con Ed has a five step process to save its electrical grid in an overload situation. These steps are: (1) Recruit, (2) Monitor, (3) Escalate, (4) Make the Call and (5) Shut it Down. These five steps can be critical in a FCPA compliance program. So if your company is in New York, New England or any other place in the United States where an overloaded power grid looms this summer (i.e.: the entire US) perhaps you might consider this process in the context of your FCPA compliance program.

Recruit

Con Ed uses this step to recruit New Yorkers to put technology in place to allow it to switch off central air conditioning units at the Utility’s discretion. In the compliance arena it would mean not only having the right technology in place but also recruiting personnel who will conduct business in a compliant manner. While this would point to a background due diligence and HR department interviews, it would also point to greater involvement by the Compliance Department. For high risk or senior management positions, it should also include some type of compliance interview with questions specifically designed to elicit responses on compliance, ethics and anti-corruption issues.

Monitor

Con Ed uses this step to monitor other media and information to predict when a heat wave might come through the city. For a company, it could mean having the compliance nimbleness to react to changes in business circumstances and reassess its risks. If your business model changes or your company moves into a new geographic territory, the company should use the tools available to it to manage any new or additional risks which might arise.

For company personnel, an ongoing key is to monitor such personnel. You can do this through annual performance reviews, ongoing training and other mechanisms. One of the keys is incentivizing such behavior in your company. This means not only in pay and benefits but through the promotion of persons who conduct business ethically and in accordance with your company’s Code of Conduct. You should publicize compliance wins and successes throughout the company and make sure that other employees see that it is not simply a matter of hitting your numbers each quarter.

Escalate

When a massive heat wave hits or is predicted, Con Ed sets up a situation room to monitor and coordinate responses. In the compliance arena, this means that your company needs to put the tools in place to allow company employees to escalate a compliance concern, issue or problem. Part of this is to put a reporting system, such as a hotline or reporting line, in place. However, there should also be training as to what an employee can do if “something in his or her guts” tells them that something is wrong. This also means there must be a clear and concise NO RETALIATION policy for any such reports made in good faith. These reports need to be triaged as soon as possible.

Make the Call

Con Ed has specially trained personnel who are authorized to activate direct load controls on individual thermostats across the city to reduce power in an emergency situation. Similarly, after triage of any escalated compliance issues, they need to be sent to the appropriate group within the company for further investigation. There needs to be a careful consideration of the steps forward. Companies do not want to be in the position of Renault but reacting decisively is equally important. What may be a key is that evidence needs to be secured and reviewed as soon as possible. But the key is to have processes in place to react to such escalated concerns and follow that plan based upon the circumstances presented.

Shut Down

For Con Ed, this may mean the rolling shut down of wattage across the company. For a company it could mean a full shut down, such as we saw recently with News of the World. However, the key is to have a plan and process in place. If there is such a plan and process in place News Corp may not have reacted in crisis mode but through pre-thought out leadership. If a shut down or suspension, due to compliance concerns, is warranted, this process can aid in a crisis situation.

Con Ed has a huge responsibility in New York City and its surrounding environs. Your Compliance Department has an equally large responsibility in your company in times of crisis. Is your process ready?

=======================================================

This Week in the FCPA, Episode 12, Part II is up. In the second half of Episode 12, Howard and I discuss:

1.  More on News Corp.
2.  Haiti Telecom case
3.  Armor Holdings
4.  Letter to the SEC from Sen. Crapo
5.  Opening up a whistleblower practice
6.  Is AML coming to Private Equity, and what does that mean.

To view it, click here.


July 19, 2011

Casey Jones or How to Stop a Compliance Train Wreck

The evaluation of C-Suite leadership can be problematic in the best of times. In the compliance world, if a company has a serious violation of the Foreign Corrupt Practices Act (FCPA), it may be due to tone-deafness at the top. Worse than simple tone-deafness, the C-Suite can be an active part of the problem. While not FCPA violations, the criminal prosecutions at the highest echelon at Enron, WorldCom and Adelphia certainly speak to ethical lapses at the top. But the question remains, how can a Board evaluate a company’s top leadership for compliance and ethics?

In a posting on the HBR Blog Network entitled “News Corp and Questions Boards Need to Ask,” author Rob Kaplan poses an interesting solution to this conundrum. Kaplan phrases the question as “how does a board really know the leadership style of its senior operating management and the culture of the company for which it has fiduciary responsibility?” He acknowledges that Boards often have very little process or procedure in place to judge the leadership style, daily behaviors, and cultural norms being established by their senior operating leadership. This can deprive Boards of sufficient information to make an informed decision and “by the time directors realize there is a culture or leadership style problem at the company, it is too late to have prevented real damage to the business, reputation, and careers of senior executives.”

While Kaplan discusses this in the context of the ongoing News Corp scandal, he sets forth an interesting mechanism by which a Board can fulfill its duty to make competent compliance and ethics evaluations; he calls it a “360-Review”. In a 360-Review, an outside professional firm is brought into the company to conduct discreet interviews with a number of company employees who interact with the senior executives under review. The key is that the interviews are discreet and “not for attribution.”

While noting that the 360-Review is “not without controversy”, Kaplan nonetheless posits that with improved insights Boards can “clear the air” with a Chief Executive Officer (CEO) or other C-Suite inhabitant. The 360-Review also can reduce general employee speculation about senior management deficiencies and can provide the Board with a better ability to coach the CEO and flag emerging cultural problems. He concludes by noting “This and similar types of constructive steps taken by the board can serve to preempt issues before they become a threat to the company and the CEO’s career.”

The UK Bribery Act Six Principles of Adequate Procedures; OECD Good Practices and the Department of Justice (DOJ) Best Practices released with recent Deferred Prosecution Agreements and Non-Prosecution Agreements (DPA/NPA) all speak to a system of disciplines AND incentives for behaviors in accordance with good compliance and ethics. Most companies which follow such best practices have policies, programs and procedures in place to punish those who violate compliance policies and reward those who conduct business in accordance with these compliance policies. However, the Board may be overlooking an evaluation of those at the highest level of the company’s management. If the inherent message of the C-Suite is to make quarterly or other numbers, and the pressure is solely on that issue, the Board needs to understand that a train wreck may be coming. Kaplan’s suggestion of a 360-Review, focused on compliance and ethical behavior, could be a mechanism which assists a Board in slowing down such an oncoming derailment.


July 18, 2011

Opinion Release 11-01: Lessons Learned on the Opinion Release Procedure

As most of the readers of this blog will recall, I recently discussed the substance of Opinion Release 11-01 and had some additional comments regarding the relative ease by which a lawyer or compliance officer should have been able to research the question posed. I also opined that the issue posed in Opinion Release 11-01 was not a question which needed to be submitted to the Department of Justice (DOJ) for comment, as it was a waste of the DOJ’s resources and no doubt had a high cost in time and/or dollars for either an in-house lawyer or outside counsel to formulate and submit.

However, my “This Week in the FCPA” colleague, Howard Sklar, speaking in our Episode 12, suggested that there might be another aspect to this specific Opinion Release that I had not considered. While I had discussed the above points from the perspective of an outside counsel, in-house lawyer or compliance officer who specialized in FCPA compliance work, the Opinion Release Procedure is designed so that any person or company may submit a query to the DOJ. Howard suggested that the Opinion Release Procedure could be utilized by a company which does not have either an in-house compliance practitioner or even a General Counsel. A question can be submitted to the DOJ as straightforwardly as with a one-page document setting forth the information required under the Opinion Release Procedure.

In his testimony before the House Judiciary Committee, DOJ Representative Greg Andres spoke about the Opinion Release Procedure as one of the mechanisms by which the DOJ can not only bring transparency to the area of information relating to the Foreign Corrupt Practices Act (FCPA) but also can allow businesses with substantive questions to seek and receive specific answers to queries regarding factual scenarios which they may face. So what are the requirements under the Opinion Release Procedure? Initially I would note that DOJ has posted on its website the Foreign Corrupt Procedures Opinion Procedure (28 C.F.R. part 8).

The stated purpose of the Opinion Procedures is “These procedures enable issuers and domestic concerns to obtain an opinion of the Attorney General as to whether certain specified, prospective–not hypothetical–conduct conforms with the Department’s present enforcement policy regarding the antibribery provisions of the [FCPA]” (§80.1). The requirements of the Opinion Release Procedure are that (1) the submission must be in writing; (2) an original and copies must be provided; and (3) it must be sent to the address provided. (§80.2) In addition to these specific requirements there are certain general requirements listed. (§80.6) They include complete copies of all operative documents and detailed statements of all collateral or oral understandings. The request must be signed by an appropriate senior officer.

While there is additional language in the Opinion Release Procedure stating that it only relates to the query submitted to the DOJ, does not bind any other agency or department and can change if different facts occur, or that the DOJ can ask for additional information from the party making the request, the DOJ is required under the terms of the Opinion Request Procedure to, “within 30 days after receiving a request that complies with the foregoing procedure, respond to the request by issuing an opinion that states whether the prospective conduct, would, for purposes of the DOJ’s present enforcement policy, [violate the FCPA].” (§80.8)

So there may be an additional Lesson Learned from Opinion 11-01. This lesson is that the Opinion Release Procedure can be straightforward. The DOJ can be available to assist in interpreting the FCPA based upon the facts and circumstances which a company faces in the real world. I have argued for greater transparency by the DOJ in providing information for companies and the compliance practitioner, and the Opinion Release Procedure is one of the mechanisms by which the DOJ does provide transparency and information.

————————————————————————————————–

Vive le RESIST. The ToolKit RESIST is now available in Spanish and French, see here.

Episode 12 of This Week in the FCPA, Part I, is now up and available here.
