Don’t Spread Your Compliance Program Too Thin

“You do not want to be spread too thin”. When I heard that phrase a light bulb went off inside my head. It was uttered to me by Jan Farley, the Chief Compliance Officer (CCO) of Dresser-Rand. I asked Jan what he meant by the phrase and he explained that you cannot stretch your compliance program so thin that you try and cover everything; so that you miss the larger Foreign Corrupt Practices Act (FCPA) or UK Bribery Act risks that your company faces. I thought about Jan’s phrase in the context of the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance. I have written that under the FCPA Guidance companies should have carefully designed and well thought out compliance programs.

If your company’s sales model is to use third parties, that is probably your highest risk, then prioritize your time and compliance budget on managing that risk, initially before you move on to other compliance risks. Conversely, if your sales model is to use employees, then put your time and effort into managing that risk, through training and monitoring employees regarding their interactions with foreign officials. Do not spend your time, budget and energy on managing the risk of low to no-risk parties and issues. There is no substitute for carefully thinking through your company’s risk profile.

Jan is one of several current CCOs in Houston who began their compliance department careers at Baker Hughes working for Jay Martin. Prior to joining Dresser-Rand, he was the Senior Ethics and Compliance Counsel – Eastern Hemisphere for Baker Hughes stationed in London, England. During Jan’s tenure at Baker Hughes it paid the then largest fine ever for FCPA violations ($44MM in 2007).  Baker Hughes was under a very robust Deferred Prosecution Agreement (DPA) and a Corporate Monitor and expended a significant amount of time, money and effort on its compliance program. This experience gave Jan an in-depth view of the issues in implementing and working with a FCPA compliance program in the corporate setting.

Jan’s comments also echo something that I believe is clear from the Guidance: Don’t focus on the small stuff. Indeed the Guidance states, “Thus, it is difficult to envision any scenario in which the provision of cups of coffee, taxi fare, or company promotional items of nominal value would ever evidence corrupt intent, and neither DOJ nor SEC has ever pursued an investigation on the basis of such conduct.” In other words, do not waste your compliance time, resource or energy around these small issues. However, if these small issues are a part of a larger systemic or long standing course of conduct that violates the FCPA, then the DOJ may well look into these issues. You will want to show the DOJ you are focusing on the “big stuff”.

The Guidance also makes clear that each company should assess its risks and manage its risks. The Guidance specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and SEC take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

In addition to being one of the many experienced compliance practitioners in Houston, Jan also speaks at various compliance conferences and events. He is doing so at the upcoming Hanson Wade Oil & Gas Supply Chain Conference in Houston from April 29 to May 2. Jan was recently interviewed in connection with the event.

Over the last year what changes have you seen with regard to FCPA implementation and enforcement action by the government?

Over the last year I haven’t seen any really big changes, but a steady course of enforcement of the laws and regulations. Of course, one of the big stories is the allegations against Wal-Mart out of Mexico. From that you can see how an issue raised in one country can call into question the potential for issues in other countries, and so you have a kind of knock-on effect and an expanded search for issues elsewhere.

Another big item this past year was the Department of Justice and SEC guidance issued in November. It is a very good consolidation of the information and views that have developed over the course of time. I think it is very beneficial to have and you should read and study it if you work in compliance.

A lot of people are also talking about the Department of Justice declination against pursuing any criminal penalties against Morgan Stanley. The DOJ acknowledged what a good anti-corruption program that Morgan Stanley had in place. I think that was the first time that had been specifically mentioned as a factor for declining to prosecute.

How has recent enforcement action and regulatory focus highlighted the need for an effective compliance program?

The enforcement actions over the last five or six years has been pretty steady. I think it’s clear that it’s not something that’s going to decrease any time soon. There is a steady focus in pursuing enforcement actions because the government is obtaining a lot of money from it and so that enables them to have the resources to keep pursuing these actions. So it will continue to be extremely important to have an effective compliance program.

What are the main challenges you face when it comes to remaining compliant?

I think giving the proper training and education to your employees and business partners regarding the importance of compliance with anti-corruption laws, and communicating the program to a diverse workforce across the world, whilst keeping the message fresh is a major challenge. In order to meet this challenge you’ve got to work to make the policies as simple and straightforward as they can be. Importantly, you want to be able to communicate those policies in the local language to be sure that they’re understood by your employees and business partners.

Also, it’s very important to have proper internal controls. You want to make sure that you’re closely reading your internal audit reports that your company is getting in the various countries. You can look to see what implications the reports have for your compliance program. And you want to make sure that internal audit is auditing for potential compliance issues.

I found Jan’s thoughts on don’t spread your compliance program too thin to be an excellent insight into how to assess and then manage the compliance risks that your company faces. His ideas echo the FCPA Guidance and put into words one of the very strong messages that is made clear throughout the Guidance. Take a look at your company’s risks and do not scatter your compliance resources everywhere or too thinly.

============================================================================================

For full details on the Hanson Wade 3rd Annual Oil & Gas Supply Chain Conference, click here. Readers of this blog are entitled to a discount on the registration charge. So use the code FOXLAW13 when registering.

============================================================================================

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013