The Engineer’s Thumb and How to Bribe

We conclude our week of Sherlock Holmes inspired themes with one of the few cases in which Holmes fails to bring the criminals to justice, The Adventure of the Engineer’s Thumb. In this adventure a young engineer, Victor Hatherley, arrives at Dr. Watson’s surgery with a gruesome injury, a severed thumb. He relates his tale to Watson, who then takes him to see Holmes. Hatherley was hired to inspect a hydraulic press by one Lysander Stark, who claims that it is used to compress fuller’s earth into bricks. However when Hatherley goes to Stark’s country residence to inspect the machine he discovers that it is actually a printing press used to create counterfeit money. He tries to flee and in the process, Hatherley is forced to jump from a second story window, in the process getting his thumb severed by Stark’s cleaver. Hatherley, Watson and Holmes arrive at the Stark residence as the house is on fire, and the perpetrators have fled.

Once again using the Holmes tale as a contrast I refer to the recently released white paper, published by Transparency International UK (TI-UK), entitled “How to Bribe: A typology of Bribe-Paying and How to Stop It”. It was created by TI-UK, lawyers from the London firm of Pinsent Masons and thebriberyact.com, with principal author Julia Muravska and editors Robert Barrington and Barry Vitou. Just as Stark hid the true purpose of his hydraulic press, the title of this work does not convey its true use in how to stop bribes and bribery schemes by identifying them.

 Barry Vitou, partner in Pinsent Masons and co-founder of thebriberyact.com, states in the forward that “This handbook is perfect for General Counsel, Chief Compliance Officers and anyone in any company responsible for anti-bribery compliance from the Board of Directors, down. The purpose is to show how people pay bribes in practice. The examples are based on realistic experiences or real cases. Many bribery cases receive little attention. Often the focus is on the international examples in far away places where, it is sometimes said, you have to ‘pay the man’ to get business done. The impression given is that it would never happen at home. Yet it does. While the first two sections focus on the how, why and when bribes are sometimes paid in a short final section the handbook covers some examples of more prosaic bribery, at home. Who said it could never happen here? Transparency International deserve credit, once again, for putting together a document designed to be practical and helpful for those keen to avoid falling into the trap of bribery.” The white paper has three main sections.

Section I: What is a Bribe?

In this section, the authors review what constitutes a bribe. Recognizing that cash will always be king, they also take a look at excessive gifts, entertainment and travel, charitable donations and political contributions, favors to family members or friends and even the Foreign Corrupt Practices Act (FCPA) exempted facilitation payments. I particularly found the discussion of facilitation payments interesting in light of the recent claims that Archer Daniels Midland Company (ADM) in the Ukraine and Wal-Mart in Mexico were essentially making facilitation payments.

The authors end this section with the following guidance about the specific types of bribe and how to spot them.

Section 2: How Bribes are Paid?

In this section, the white paper lays out a variety of different bribery schemes. Of course they include agents, distributors, intermediaries, introducers, sub-contractors, representatives and the like. But they also detail schemes that the compliance practitioner should acquaint his or herself on. These bribery schemes include false or inflated invoicing or products, offshore payment arrangements and off-balance sheet payments, joint ventures, training, per diems and expense reimbursement arrangements, rebates and discounts and employment agreements. Once again, the authors end this section with the guidance on how to spot and stop each of the bribery schemes they detail.

Section 3: Bribery On Your Doorstep

In this section, the authors cite to cases and examples that were derived from real cases and illustrate how bribes can be paid within the UK. They note that even though “bribery is illegal across the board in the UK, experience shows that bribery also happens in the UK” and cite several reports. The first was by TI-UK and it showed that 5% of citizens polled in the UK said they had paid a bribe at least once in the past twelve months. Further, a recent survey of the construction sector found that more than a third of the industry professionals polled stated that they had been offered a bribe or incentive on at least one occasion. Lastly, the white paper notes that the first three prosecutions under the UK Bribery Act were for bribes paid in the UK. So the authors conclude “It is fair to say that in common with many other countries, UK public officials are susceptible to bribery. Public officials are almost all, universally, paid less than their peers may be paid in the private sector but in many cases in their hands rests the power to make decisions which have huge financial consequences for others. All the ingredients for paying a bribe exist. Likewise, bribes may be paid in the private sector, and there is increasingly a grey area between public and private sector as government services are contracted out.” In this section, some of the examples are inflated invoices, bribes to local planning departments, excessive expenses for training, and even an example of bribes paid to police.

Suggested Reading

Although neither this blog nor the books I have published on anti-corruption compliance made their list, there is an excellent resource list at the end of the white paper for additional reading and research on the subject. It ranges from government guidance’s to David Lawler’s excellent text “Frequently Asked Questions in Anti-Bribery and Corruption”.  Their list is an excellent resource in and of itself.

So we finish our Sherlock Holmes themed blogs. I hope that you have enjoyed the stories and tie-ins as much as I have enjoyed revisiting them this past week.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Inspector Lestrade – Does Leadership Matter?

Continuing our Sherlock Holmes homage, today we draw inspiration from the character of Inspector Lestrade as the theme of this blog post. In the original Doyle works, he appears in 13 of the stories and we are only introduced to him as Inspector G. Lestrade. In the current PBS series, we are informed his given name is Greg. Lestrade is not exactly the sharpest tack in the shed, as evidenced by Holmes comments that he is “an absolute imbecile” from the The Red-Headed League and the “best of a bad lot” from The Boscombe Valley Mystery.

I thought about Inspector Lestrade when I read some of the comments of UBS Chief Executive Officer (CEO), Sergio Ermotti, as reported in the Wall Street Journal (WSJ) article entitled “UBS Chief’s Plea: Stop ‘Lecturing’ to Bankers” by David Enrich and Francesco Guerrera. UBS has not exactly been a law abiding corporate citizen over the past few years. As you might recall this is from the company, which had a $2.3 billion trading loss from one individual. It is also from the company that assisted approximately 17,000 Americans clients with illegally hiding $20bn of assets to avoid paying taxes on this money. UBS paid a fine of $780MM for these actions. But there is much more, as UBS also agreed to pay another $1.5 billion fine for its criminal actions in manipulating the LIBOR. What would you say the ‘tone’ is at UBS about complying with the law?

With all of these fines, penalties and criminal pleas behind him, Ermotti does not seem to think there is any room for criticism of his company. Rather unbelievably, Ermotti was quoted as saying, “Life is hard enough, and I think this constant lecturing on ethics and on integrity by many stakeholders is probably the most frustrating part of the equation. Because I don’t think there are many people who are perfect.” For those of you who might want that translated to Texan, the equivalent phrase is a very nasal twang of “Glass houses dear”. For the more spiritual out there you could fall back on “Let he who is without sin cast the first stone.” Perhaps the most relevant question would simply be ‘How many angels dance on the head of a pin?’

Late last year, I engaged in a dialogue with other Foreign Corrupt Practices Act (FCPA) commentators about whether motives matter in anti-corruption enforcement actions. I opined, in a post, entitled “Does Motive Matter in Anti-Bribery and Anti-Corruption Enforcement?”, that it really does not matter what the motives are for the Chinese government officials in prosecuting western companies, which violate Chinese national anti-bribery laws, if a company breaks the law, it can be subject to prosecution. The FCPA Professor, in a post, entitled “Should Motivations Matter”, said that impure motives do matter in anti-corruption enforcement actions, whether in China or the US. Others have suggested that the FCPA enforcement itself is hypocritical because the US allows gifts, entertainment, charitable donations and a wide variety of other acts to be given as a quid pro quo to US government officials, usually without criminal prosecution.

But Ermotti takes this debate to an entire new level. Now you cannot even criticize his bank unless you are ‘perfect’. Further, showcasing the obvious knowledge of his 60,000 plus employee base, Ermotti “said in the interview that most of the bad behavior that has landed UBS and others in hot water was caused by small groups of rogue employees and doesn’t reflect broader cultural problems in the industry. “It’s not because you’re a banker that you’re a criminal”.” This was in the face of criticism at the World Economic Forum in Davos (where Ermotti was interviewed and made his remarks) that “In a private meeting held between bank CEOs and central bankers and regulators Friday, several participants pointed to banks’ “conduct” issues as undermining efforts to rebuild public and investor confidence in the industry, according to executives and central bankers who were there.” This can be contrasted with Bank of England Governor Mark Carney who said at the same conference, “Whether or not [the industry] thrives will rest on the efforts of individuals and organizations to re-establish the system’s reputation for integrity”.

Yet again Ermotti doubled down when he claimed that the group, which cannot criticize, includes regulators and enforcement officials. This statement is almost the equivalent of another equally enlightened (former) CEO, Bob Diamond, who once ran Barclays and “told British lawmakers in 2011 that “there was a period of remorse and apology for banks. That period needs to be over.” The next year, Mr. Diamond was forced to resign after Barclays admitted trying to rig interest rates.” Ooops.

What does all of this say about the top of this once august organization? First and foremost, how you would like to be the person who has to ‘speak truth to power’ if your CEO says that only the ‘perfect’ can bring forward criticism? Do the words ‘career suicide’ ring any bells here? But more importantly you have a company which entered into a Deferred Prosecution Agreement (DPA) regarding its tax evasion violations and then pled guilt to criminal conduct that as reported in another WSJ article “Regulators described the alleged illegality as “epic in scale,” with dozens of traders and managers in a UBS-led ring of banks and brokers conspiring to skew interest rates to make money on trades.” What would you say about its ‘tone-at-the-top’? Are they committed to following the law? How about complying with the terms of their multiple settlement agreements with US regulators? How about changing the culture in their organization, not simply to make compliance a goal but actually obey the law? What about instituting and then following a best practices program for compliance with anti-corruption laws such as the FCPA or Bribery Act; anti-tax evasion laws such as the Foreign Account Tax Compliance Act (FACTA); relevant anti-money laundering (AML) laws; or indeed others.

Without a hint of irony, the WSJ piece on Ermotti’s remarks ends with the following quote from him, “The banking industry is an easy target.” I wonder if Ermotti has the self-awareness of Inspector Lestrade to understand the wisdom of his words?

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

The Sussex Vampyre and the ADM FCPA Settlement

Today I want to use the story of The Sussex Vampyre as the starting point for an inquiry into the recent Archer-Daniels-Midland Corp (ADM) Foreign Corrupt Practices Act (FCPA) enforcement action. In the story, Holmes receives a letter from Robert Ferguson, who has become convinced that his second wife has been sucking their baby son’s blood and is a vampire. He has a crippled son from his first marriage who is terribly jealous of the new baby in their home. It turns out that this lame son, Jack, has been shooting poisoned darts at his baby brother and his stepmother’s behavior is actually sucking the poison out of the baby’s neck. The baby’s wounds were caused by Jack sending the darts, not by the mother biting her baby. In other words, what might be seen as something very scary is easily explained.

Once again demonstrating that the FCPA Professor and myself look at the same thing and come to different conclusions are reflected by those he states in his article “Why You Should Be Alarmed By the ADM FCPA Enforcement Action”. I see the ADM enforcement action as a continuation of the available case law favoring interpretations of the business nexus requirement to be applied broadly, where it is clear that bribery and corruption have occurred.

When I look at the facts laid out in the ADM settlement documents, I see the following: four separate bribery schemes hidden in the companies books and records clearly designed to influence the decision of a foreign government official. From 2002 to 2010, the company’s Ukrainian subsidiary rolled up VAT receivables of up to $46MM. What I see is a company, which over several years of slow and no response to its application for VAT tax refunds for goods purchased in Ukraine, responded to this problem by engaging in bribery and corruption to help them get the money that they were believed they were owed.

So what were these bribery schemes? There was the Charitable Donation Scheme, which according to the SEC Complaint, “an ADM executive in the tax department sent an e-mail to the head of an international tax organization and stated, “One of our affiliates operates in the Ukraine. In order to recover 100% of their input VAT they have to pay 30% of the amount to local charities.”” Next was the Stevedoring Company Scheme where two ADM subsidiaries made “payments to a stevedoring company in the port of Odessa so that it could pass on nearly all of those payments to Ukrainian officials in order to obtain VAT refunds on behalf of ACTI Ukraine.” Next was the Mischaracterization of Write-offs Scheme where ADM’s German subsidiary reported to the US parent that they had to write off 18% of the tax refund due back to the company. However upon payment of the VAT refund it would be at 100% of the total due. As the German subsidiary had taken a write off of 18% of the total, the corresponding amount of money would be funneled to “third-party vendors so that nearly all of those monies could be provided to Ukrainian government officials.” Finally, and most ingenuously, was the Fake Insurance Premiums Scheme. In this scheme, ADM’s Ukrainian subsidiary, arranged for an insurance company to falsely bill it for crop insurance, which said “Insurance Company never intended to honor, adjusting the premiums to be roughly 20% of the VAT refund.” This inflated amount was then paid to Ukrainian officials.

The FCPA itself says:

(a) Prohibition

It shall be unlawful for any issuer which has a class of securities registered pursuant to section 781 of this title or which is required to file reports under section 780d of this title, or for any officer, director, employee, or agent of such issuer or any stockholder thereof acting on behalf of such issuer, to make use of the mails or any means or instrumentality of interstate commerce corruptly in furtherance of an offer, payment, promise to pay, or authorization of the payment of any money, or offer, gift, promise to give, or authorization of the giving of anything of value to—

(1) any foreign official for purposes of—

(A)

(i) influencing any act or decision of such foreign official in his official capacity,

(ii) inducing such foreign official to do or omit to do any act in violation of the lawful duty of such official, or

(iii) securing any improper advantage; or

(B) inducing such foreign official to use his influence with a foreign government or instrumentality thereof to affect or influence any act or decision of such government or instrumentality,

 in order to assist such issuer in obtaining or retaining business for or with, or directing business to, any person;

In the case of US v. Kay, the Fifth Circuit Court of Appeals exhaustively reviewed the legislative history of the FCPA, from its passage in 1977 through the two amendments in 1988 and 1998. The Kay decision stands for the proposition that the defendant intend the paying of bribes to be a quid pro quo, which would assist (or is meant to assist) the payor in obtaining or retaining business. Further, it specifically stated that the “business nexus is not to be interpreted narrowly.” The facts in Kay were different than those presented in the ADM matter. However, with the admonition that the business nexus requirement is not to be interpreted narrowly, I believe the holding in Kay is such that it is not a stretch to see the conduct engaged in by ADM did assist, or was meant to assist, it in doing business in Ukraine. Indeed, the Kay decision stated, “In addition, the concern of Congress with the immorality, inefficiency, and unethical character of bribery presumably does not vanish simply because the tainted payments are intended to secure a favorable decision less significant than winning a contract bid.” Thus I look at Kay and see the conduct of ADM as falling within the broad outlines of the Kay decision.

How about the facilitation payment exception and that somehow the ADM subsidiaries were making payments exempted out of the FCPA because they were for routine services?

The FCPA itself states:

(b) Exception for routine governmental action

Subsections (a) and (g) of this section shall not apply to any facilitating or expediting payment to a foreign official, political party, or party official the purpose of which is to expedite or to secure the performance of a routine governmental action by a foreign official, political party, or party official.

Further, the term “routine governmental action” is defined as one of the following:

1.  Obtaining Permits;
2. Processing visas and work orders;
3. Providing police protection, mail pick-up and delivery;
4. Providing phone services and utilities;
5. Actions of a similar nature.

There is nothing in the statute about processing multi-million dollar tax refunds as a routine governmental action. Once again the Kay decision spoke to the issue of facilitation payments, similar to those made in the context of the ADM settlement, when it said “This observation is not diminished by Congress’s understanding and accepting that relatively small facilitating payments were, at the time, among the accepted costs of doing business in many foreign countries.” One key there is that facilitating payments be “relatively small”. Whatever 18% of $46MM might be, it certainly is not “relatively small”.

All of this leads me to see the ADM settlement as a continuation of the very limited case law interpretation that exists around the FCPA. So just as Holmes looked at the facts in The Sussex Vampyre and did not see something which could not be explained or need be feared; I look at the ADM enforcement action and see a company which engaged in bribery and corruption, knew it was doing so and actively tried to hide the corrupt payments in its books and records.

And once again, I would cite that the easiest response to all of this might be the advice given by Department of Justice (DOJ) representative Greg Anders, in his testimony to the House Judiciary Committee regarding amending the FCPA, that being that companies should not engage in bribery.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Silver Blaze and Leadership-Find It, Fix It and Prevent It

Today, we continue our Sherlock Holmes week by drawing inspiration for lessons for the compliance practitioner from the story of Silver Blaze. In this story, a star racehorse disappears, Holmes pulls out his usual deductions to determine where the horse can be found but turns to the lack of an action to deduce why the horse was stolen. The lack of a dog bark in the horse’s stable tells Holmes that the thief was known to both the dog and to Silver Blaze.

I thought about the story of Silver Blaze when reading this week’s Corner Office column in the New York Times (NYT), entitled “Want to Succeed? Be Accountable”, by Adam Bryant, where he interviewed Noreen Beaman, the Chief Executive Officer (CEO) of Brinker Capital. Beaman was the oldest of four sisters and this gave her an interesting perspective growing up. She said, “Part of it was having a feedback loop of younger sisters. We were close in age, so they were some of my best informants in high school. They would say: “Really? That wasn’t a great idea. Maybe if you stopped and listened, you would’ve heard what someone was saying.” Clearly she received feedback but it was from a source that she listened to when it provided to her.

After a flush of early success in her career as a company Chief Financial Officer (CFO) she moved into sales. She made a major mistake on a transaction that went sideways. As Beaman put it “I was in the penalty box.” But through hard work and determination, she overcame this error and learned from it. She said that the entire experience made her both more accessible and “it made me have more humility”.

One of the most interesting things that Beaman said was that one of her company’s mantras is “Find it, fix it and prevent it.” That seems to me to be a pretty good way for a compliance practitioner to look at things, particularly if you consider the FCPA Guidance formula of “prevention, detection and remediation” for a best practices anti-corruption compliance program. To facilitate this culture, Beaman said that one of the skills valued at Brinker Capital is accountability. She said, “We make sure everyone’s in a position to be successful. Then, when you’re not successful, we have to have a conversation. You need to hold up your end of the bargain. Sometimes you’re not a good culture fit because you don’t want to be held accountable, and sometimes you’re a great culture fit and we just didn’t give you the right training, so we’ll do that. Sometimes you’ll make a mistake. Life happens. But let’s not do it again.”

For the compliance practitioner, I think that Beaman’s example demonstrates the need for a Chief Compliance Officer (CCO) to take the initiative in showing how the role they play inside the organization is far more than just a legal minimum or people-based risk management. A CCO, and indeed the entire compliance function, should be seen as a partner to the business folks. This will help to create the deeper relationships that will not only make it easier for the group to do its job, but also help it to be seen as a vital part of the organization’s long-term strategy. It will also help when there is something askance in the compliance function. As noted by Mike Volkov, in his blog post entitled “Chief Compliance Officers: Under a Microscope”, CCOs have to educate the Board and the C-Suite on what exactly is reasonable to expect and how the compliance program is designed to achieve these results.  Along the way, CCOs have to make sure they can show that compliance is a valuable contributor to the company’s bottom line.

Beaman also said one thing that I have heard numerous CEOs say over the years, which is that one of the most important skills they have learned is listening. Beaman related “You have to be a little more indulgent with people sharing ideas around the table, even if 25 percent of them are distractions. C.E.O.’s are usually Type A’s to begin with, and I’m a little chatty. And now I’m in this room full of smart, dynamic people who all want to be heard. So what I had to learn is to be quiet, to listen, to keep everyone committed and at the table.”

As a hard charger, she does want to make decisions and move on. So she has to consciously slow herself down, “to really slow down and be present in the moment.” Part of this turns on setting “realistic expectations and goals, and be sensitive to the tempo around you. It’s about meeting people where they are as opposed to expecting people to meet you where you are. Everyone comes from a different point of view. I have a big personality and I know that I can come on a little strong, so a lot of times I’ll slow it down.”

Beaman also had some interesting thoughts on interviewing. She is clearly engaged by potential hires that are intellectually curious. One of the things that she considers is whether the interviewee has any questions for her. She said that “One, it tells me if you’ve prepped. Two, it tells me how interested you are.” A second thing that she inquires about what books they read. If they are not a book reader, she asks about magazines and newspapers. She related that “I’m interested to know how intellectually curious you are. In our world today, if you’re not actively learning every day, you really are not competitive. There’s too much going on. I can never know everything going on around me, so I need to know that there are people around me who are learning other things, so we create a more cohesive view.”

For the compliance professional out there interviewing, I found these last couple of points quite instructive. Many times it seems that there is so much information in the compliance field that it is difficult to keep up in our profession. But here, the CEO of a major corporation wants to see intellectual curiosity in candidates because she believes this will make a better employee.

Beaman’s journey certainly has been wide-ranging. I believe that her experience can assist the compliance practitioner with ways to think about his or her position within a company and how it can be executed. And just like in Silver Blaze, sometimes when nothing is said, it speaks louder than mere words…

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

The Abbey Grange, the Quality of Justice and Codes of Conduct

In honor of the return of Sherlock Holmes to PBS with Season 3, I begin a week of Sherlockian themed posts. Today we consider the quality of justice that Holmes discussed in The Abbey Grange, he allowed a man who murdered a wife-abusing husband to go free. Holmes concern with justice, as opposed to simply following the letter of the law, is an excellent introduction into the subject of Codes of Conduct.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in a recent article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document but “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

In a GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties, such as suppliers and agents. If you have a large number of non-English speaking personnel or employees without access to online training, these factors needs to be considered when determining the delivery method.

Measure

Initially, you should prioritize both qualitative results with positive feedback by including such metrics as speed of completion, reminders, which must be sent to facilitate completion of Code of Conduct training, and the percent of employees and third parties who attest to review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and conduct fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but truly reflective of your company’s culture. Lin pointed out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. Some of these techniques include “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said that “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving forward and as Holmes did in the Abbey Grange, further your cause beyond the simple letter of the law.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Getting Your Company Ready for M&A Compliance Due Diligence

Who was the absolute worst general during the Civil War? While there are many worthy candidates for this dubious honor, on the Southern side my vote goes to General John Bell Hood. One of the prime proponents of the Southern attack and die strategy, Hood’s leadership led to the destruction of 90% of his Texas Brigade at Antietam. But Hood is most famous for his utter destruction of the Army of Tennessee. In five months, from July to November of 1864 Hood unsuccessfully attacked Union General William T. Sherman’s army three times near Atlanta, relinquished the city after a month-long siege, then took his army back to Tennessee in the fall to draw Sherman away from the Deep South. Sherman dispatched part of his army to Tennessee, and Hood lost two battles at Franklin and Nashville in November and December 1864. There were about 65,000 soldiers in the Army of Tennessee when Hood assumed command in July. By January 1, there were only 18,000 men in the army. To top it off, it was not Sherman who burned Atlanta but Hood.

My thoughts turned to General Hood when I listened to a very interesting panel on Day 2 of the ACI FCPA Boot Camp about getting your target company ready to be scrutinized from the compliance context in mergers and acquisition (M&A) due diligence. On the panel were Alberto Orozco from PricewaterhouseCoopers (PwC), Joseph Burke, from Dell Inc., and Christina Lunders from the law firm of Norton Rose Fulbright.

Building on a fundamental theme from day one of the conference, Burke said that relationship building is also important in the M&A context, from the perspective as a buyer. Representing an acquirer, the key questions from his perspective were two-fold: whether or not we trust the company we are looking at and how will they integrate into our company? He believed that trust is what gets the deal done or does not. He begins by sitting down with his counter-part, senior management and key legal department personnel in the target company and talking to them. If they can talk with authority about their compliance function he can determine how much he will dig into the documents and records.

Orozco agreed with this perception but came at it from his accounting angle. He said that if your books and records are in order, you really do not need to do anything more. The next step he looks at is if you have a compliance program and do the targets employees know about it. This is critical so that the buyer will have an understanding of what is needed from the compliance perspective from day one of the acquisition closing.

They then turned to the perspective of a target and what you should have in place for such an analysis. It all begins with a compliance focused risk assessment and this should be done first as this is a key starting point to determine not only if the target has an effective compliance program but also if the target is actually ‘doing compliance’. Of course it is important for a target to know about its relationships with foreign governments, whether as customers or representatives on the sales side or in the supply chain.

They posited that a target should make sure that it has a compliance program, which is consistent with an international standard for an anti-bribery or anti-corruption program, whether it is the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other recognized international standard. The target should gather and verify the completeness of the following anti-corruption policies and procedures:

• Anti-corruption/anti-bribery;
• Petty cash;
• Travel, meals, and entertainment;
• Gifts, donations, sponsorships, political contributions, lobbying;
• Retention, use and compensation of intermediaries/third parties;
• Disbursements;
• Recording of intercompany transactions; and
• Authorization for expenditure/levels of authority.

They believe that it is important for a target to gather and verify the completeness of relevant books and records. They specifically listed the following:

• Monthly trial balances;
• Customer lists;
• Vendor lists;
• General ledger accounts for the following:
• Gifts, entertainment and hospitality;
• Travel;
• Donations, sponsorships, and political contributions;
• Marketing and commissions expenses;
• Consulting fees;
• Petty cash; and
• Miscellaneous expenses.

They next suggested the documents and records be readied for review from the compliance perspective, on the following topics:

• Facilitation payments;
• Advertising and marketing;
• Government tenders and bidding packages;
• Employee expense reports;
• Procurement;
• Licenses and permits;
• Records management;
• Transfer pricing; and
• Information on how policies/procedures are distributed and compliance acknowledged within the target organization.

Lastly, they provided a list of topics for which documents should be gathered and the target should be prepared to discuss early on with the compliance representative of the acquirer on the subject of any past corruption issues which may have arisen or been identified, together with their resolution. The target should be prepared to deliver factual details, relevant documents, and information on findings and how the matters were resolved. This group of documents should include internal or external reviews, audits or investigations over the past ten years, including any outstanding compliance issues, such as whistleblower and hotline complaints.

In the area of corporate governance they suggested that the target gather Board of Directors and any management meeting minutes from the past five years and have them available for review. A target should also be prepared to make available for interview key personnel including the General Counsel (GC), Chief Financial Officer (CFO), Chief Executive Officer (CEO) and the heads of Internal Audit, International Sales and Compliance.

From the perspective of the acquiring entity, they suggested that you take a close look at the files of as many of the target’s third parties as is reasonable for the size of the acquisition and the time frame you have. These include gathering and verifying the completeness of the following third party files: due diligence; contracts/agreements; records of compensation payment for past 5 years to determine whether compensation is reasonable, especially if in a high-risk area or for business involving foreign officials and, finally, make a determination of how to address any potential red flags.

They also discussed some of the potential red flags, which might be present in these documents. Some of these red flags could include a history of corruption in country where business occurs; numerous or frequent interactions with foreign officials; unusual payment patterns or arrangements with third parties or third parties which refuse to certify compliance, demand payment in cash, provide incomplete or inaccurate information, request payment made to someone else; a bank outside of country of domicile or is close with foreign government officials.

I thought Burke’s perspective was akin to trust but verify. He reiterated several times that it is reasonably straightforward to determine if a target company takes ‘doing compliance’ seriously. From there, you can use analytics to review the numbers and try and make a determination about obvious red flags and high-risk areas. This allows him to help to make a more accurate remediation plan to begin at closing. It also allows him to advise the business unit involved on what the cost for such integration would be, how long the business would be disrupted by such integration and the complexities of acquiring company’s compliance program implementation.

As to the cost for failing to do so, just think of the loss of the Army of Tennessee from the leadership of John Bell Hood.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Five Golden Rules of What Works – The Internal Marketing of Compliance

I am attending the ACI Foreign Corrupt Practices Act (FCPA) Boot Camp in Houston. It is one of the best FCPA events held in Houston annually. It brings together some of the top local compliance talent, together with top national practitioners. One of the presentations was on how to tell your compliance story. It presented several interesting aspects of how to not only communicate your internal compliance story but how to also market compliance within your organization. Céline Gearson, Chief Ethics and Compliance Officer at Cameron International, had an interesting perspective on how she internally markets her compliance function. She termed these as “The Five Golden Rules of What Works”.

 1. Socialize, Socialize, Socialize

Gearson believes that it is critical for the compliance practitioner to foster strategic relationships with key stakeholders within your company so that you can explain the compliance function on a one-to-one basis to get their buy-in. The importance here is to build those relationships prior to any compliance program implementation. She specifically mentioned the IT and Marketing departments. Another person I would add is the Corporate Secretary, the reason for this is that the Corporate Secretary has several constituencies within the company that he or she may work with and for. This can provide an opportunity to view a company’s ethics and compliance program and to help shape and direct it. The Corporate Secretary, head of IT or Marketing may be excellent resources to the Chief Compliance Officer (CCO), which may be under-utilized. It might be worth a cup of coffee or short meeting to see what they might think about your ethics and compliance program or how they might be able to assist you in your efforts.

2. Communicate metrics and near misses

Here Gearson said that it is important that the business units understand not only what you are doing from the compliance perspective but also how your actions are helping them do business more efficiently and, hopefully, more profitably. She gave an example of when she demonstrated the length of time required to approve sales agent. From this metric she was able to show how efficient it could be for the business unit if the onboarding of third parties was automated. With this information and the business units’ support, she was able to secure funding for this compliance initiative.

A second component of this rule is to use the investigations, audits and monitoring of compliance to show where the compliance function detected an issue before it became a compliance violation. This could occur in your routine audits or by spot-checking payment requests and invoices from certain third parties, either sales agents or vendors.

3. Create engagement and excitement

The organization in the middle will make or break your initiative so get them involved. So, for Gearson, it is imperative that you engage the employees in the middle of your organization before you rollout any implementation. She gave the example that for Cameron’s Compliance Week celebration, she calls upon employees to create the message. In this manner you can use your Compliance Week event not only as a springboard to internally publicize your compliance program but to foster a closer relationship with disparate groups within your company.

I would add that another part of this rule could be your financial incentives for doing business ethically and in compliance, such as a portion of a year’s salary in discretionary bonuses. While such financial rewards may be given in private, it is certainly true that those employees who are promoted for doing business ethically and in compliance are very visible and are public displays of an effective compliance program. I think that a company can take this concept even further through a celebration to help create, foster and acknowledge the culture of compliance for its day-to-day operations.

4. Become a marketing guru and IT expert

More than getting to know the folks in these departments, you need to know how they work and learn to speak their language. One of the things that you might try is to use social media to assist you. A key component of any effective compliance program is an internal reporting mechanism. The FCPA Guidance states “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” The Guidance further discusses the use of an ombudsman to address employee concerns about compliance and ethics. I do not think that many companies have fully explored the use of an ombudsman but it is certainly one way to help employees with their compliance concerns.

But, more than a reporting tool for compliance, there are other ways a company can help employees do business in a compliant manner. One commercial tool is Navigator, developed by the firm of Stroz Friedberg LLC, which the firm calls “a groundbreaking mobile and desktop application that makes your compliance program come alive! It automates clear answers and approval processes, and even offers data analysis for enhanced decision-making. The Navigator app is custom-tailored to each client and offers an array of benefits to any organization seeking easier ways to drive a positive corporate compliance culture.” I have seen this tool and it is way cool.

Yet there are other tools that are available, at no cost, and can be downloaded onto a mobile device such as a smartphone or iPad. These include the O’Melveny & Myers LLP Foreign Corrupt Practices Act Resource Guide, which concentrates solely on the FCPA and is primarily a new vehicle to distribute content it already makes available upon request. This content includes O’Melveny’s FCPA Handbook and In-House Counsel’s Guide to Conducting Internal Investigations. In addition, the app features five resource sections that serve as an interactive, illustrative directory with titles ranging from ‘O’Melveny Authored Client Alerts’ to ‘DOJ Opinion Releases.’

Another approach is found in the Latham & Watkins LLP’s AB&C Laws app which takes an international approach to anti-corruption and anti-bribery laws and its scope is international, with the content focused on organizing and easing access to statutes and regulatory guidance according to specific fields of interest, from legislative frameworks to extra-territorial application to enforcement and potential penalties. It also includes official guidance such as steps (where available) that can be taken to reduce the risk of liability for bribery and corruption.

5. Embed your initiatives into business processes

Gearson and several other speakers talked about the need to embed compliance into the fabric of the company. Arvind Sharma, Senior International Trade Counsel, Business Integrity & Compliance at the Flowserve Corporation, said that building trust with the business is the most important issue he faces. The building of this trust comes from the demonstration that the compliance function is not ‘The Land of No, run by Dr. No’ but runs at the speed of business. By such demonstrations he is able to win the trust of the business units and this allows him to embed compliance initiatives into the company’s business processes.

I would add that this also means demonstrating the cost savings that are derived by having business unit employees participate in the compliance function. An example given was regarding third party representatives. Does your company really need all of the sales agents it currently uses? Is there overlap or duplication in the Supply Chain? The answers to these questions can go a long way towards reducing overall compliance risk and adding points to the bottom line. Further, properly trained, a business unit employee can perform some of the underlying due diligence investigation work for any third party business representative. The self-management of the business unit to fulfill these functions can drive down the overall cost of compliance.

I found Gearson’s five rules to be quite useful as starting points for thinking about how the compliance function can interact and work through the business unit to further the company’s goals of compliance. You can use each one of these to begin to lay the foundation for your compliance initiatives going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Queen Victoria and Preparing for Your Risk Assessment

On this day in 1901, Queen Victoria died, ending an era in which most of her British subjects know of no other monarch. She was born in 1819 and came to the throne after the death of her uncle, King William IV, in 1837. Her 63-year reign was the longest in British history. She oversaw the growth of the British Empire on which the sun never set. Queen Victoria restored dignity to the English monarchy and ensured its survival as a ceremonial political institution. She also brought a stability to the monarchy that has stayed with the country as well.

How can you bring stability to your compliance program? One of the most important steps that you can take is to regularly assess your risks through a risk assessment. I often hear some of the following questions posed by compliance practitioners regarding risk assessments: What should you put into your risk assessment? How should you plan it? What should be the scope of your risk assessment? These, and other, questions were explored in a recent article in the ACC Docket, entitled “Does the Hand Fit the Glove? Assessing Your Company’s Anti-Corruption Compliance Program” by a quartet of authors: Jonathan Drimmer, Vice President and Assistant General Counsel at Barrick Gold Corp.; Lauren Camilli, Director, Global Compliance Programs at CSC; Mauricio Almar, Latin American Regional Counsel at Halliburton; and Mara V.J. Senn, a partner at Arnold & Porter LLP.

The authors note that with all compliance programs, there is no ‘one-size-fits-all’ so your risk assessment should be tailored for your organization. In this article I will focus on the steps that you need to take leading up to the initiation of a risk assessment. The authors believe that the planning and layout of your risk assessment is a critical element for success by stating the importance of this issue cannot be over-estimated or over-emphasized.

To begin, the design of your risk assessment should be “guided by its scope and purpose.” So if this is your initial risk assessment to begin the implementation phase of a compliance program, one type of risk assessment may be needed. Conversely, if you have a mature compliance program, another type of risk assessment may be called for. If your company has moved into new or different geographic areas or has new product lines, it may require a different inquiry. The authors note, “knowing why you are conducting the assessment and what your goals are up front will make for a more efficient process and allow you to decide how in-depth your review should be.”

The authors next explore the gathering of information and developing a methodology for analyzing the results because “how you choose to gather information and what questions to ask will determine how useful your risk assessment will be for understanding your company’s risks and appropriately responding to them.” You will need to determine the number of employees to interview and who these interviewees should be for the risk assessment. While a questionnaire can be useful, you will need to consider in-person interviews as well. If it is difficult to make an initial identification of who should be interviewed, you can perform a preliminary assessment from a wider audience and then “streamline and tailor the in-person interviews.”

It is important to speak with employees who are generally considered to be ‘high-risk’ for Foreign Corrupt Practices Act (FCPA) purposes. This would include “people who interact with the government, either as customers or as regulators; those responsible for internal financial controls, such as accounting and finance functions; and senior management with the authority to make significant and impacting decisions, such as a primary executive in a local market.” It is also important to include those employees who are the prime interactors with third parties, both on the sales and supply side. This should include employees who have a role in the selection of such third parties for business relations and those employees involved in managing those relationships.

You will need to garner a sense of the company’s structure and goals. Additionally in FCPA enforcement actions and in the FCPA Guidance, the Department of Justice (DOJ) laid out several factors to take into account, such as “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation, and oversight and exposure to customs and immigration in conducting business affairs.”

The authors end their section on risk assessment preparation by dividing the areas that they believe are most often visited into three categories: general corruption risks, specific commercial activity and existing corruption controls.

• General corruption risks – this category includes the corruption perception risk in the geographic areas where the company does business, directly or indirectly, through third parties. It also includes government touch points whether as a customer or regulator. Finally, it should include the corruption and bribery-related concerns of your business personnel.
• Specific commercial activities – this generally relates to third parties; how they are vetted, contracted with and managed. It also includes a review of travel, gifts, entertainment business courtesies, charitable donation and political contributions, mergers and acquisitions.
• Existing corruption controls – this area looks at not only financial controls such as monitoring and auditing but also training, employee incentives and hotline.

By laying out this risk assessment plan, you will have a good road map to think through not only how to work across a risk assessment but to begin to think how you can use it going forward. You will need to review and assess your highest risks first and then use that information to remediate any deficiencies going forward. I think what the DOJ wants to see is a well thought out plan for moving forward and forward movement toward the plan’s goal. These steps should help you in this journey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

The Culinary Aspects of Homer’s Odyssey and Compliance Training

I recently came across a fascinating book entitled “The Meaning of Meat and the Structure of the Odyssey” by Egbert Bakker. In this work, Bakker looks at the culinary aspects of Odysseus’ journey home from the Trojan War. Peter Thonemann, writing in the TLS, said that “Bakker’s book is a powerful illustration of the importance of food and culinary practices to past society.” In other words, the eating habits could be used to not only understand the past but also perhaps train those in the present about the “wider moral culpability” found in Homer’s work.

I thought about this different way of learning as I was reading a recent article by the Open Compliance and Ethics Group (OCEG) President Carol Switzer in the Compliance Week magazine, entitled “Playing the Game of Risk in Workplace Education”. Her article was coupled with a roundtable discussion of the subject and another in the OCEG, GRC Illustrated Series entitled “Risk-Based Education and Training”.

In the article, Switzer reminds us “one size does not fit all in deciding the content and intensity of training needs for each role or individual”. Recognizing that it all starts with a risk-based analysis of who needs the training is just the start. Switzer believes that by engaging employees in the training, it can become more effective. She looks to the world of gaming when stating that, “Well-designed games encourage engagement, and more engagement means more reinforcement, and that leads to better recollection and application of the information. Situational decision making drives the player to think, not just act. Making wrong choices and seeing the consequences leads to desire to act the right way and gain rewards, be it advancing to the next level of the game, earning a prize for success, or understanding that in the real workplace world the reward may be achievement of personal and organizational objectives.”

In her roundtable, she posed the question, “How do you suggest companies decide on the appropriate amount of training? Earl Jones, Shareholder at Littler Mendelson PC, responded that a company needs to evaluate where its risks are, “If the company is betting on international expansion, then intensive anti-bribery and corruption intensive training is a necessity for key employees. Also design training to build and protect sources of value. If an intangible asset, like a brand, is an important source of value, thoroughly train employees to identify, understand, and react to events or behavior that could impair the brand.”

When it comes to the scope and style of training, Steve Perreault, Global Head of eLearning GRC for Thomson Reuter, suggested you should assess your training by employee groups. You should “Understand things like: How likely is a group of employees to participate in activity that is related to a particular regulatory area? How complex is that regulation? What controls are in place already? Is this employee group responsible for making sure others comply with policies and regulations? You also have to consider what you will need to provide to evidence to regulators and courts that the program exists and is effective. Once you get that figured out, you must ensure that you stay on top of changes in legislation and enforcement, and revise policy, procedures, and training accordingly.”

Switzer next turned to measuring the effectiveness of training and how a company might determine this. Alisha Lynch, Global Ethics and Compliance Education Leader at Dell Inc., said, “Determining the scope and style of training should have several input sources.  Most organizations have three- to five-year strategic plans, and training programs should be designed to support those plans and initiatives. One good analogy is that a training initiative should be like a physical fitness regime. You cannot exercise the same muscle every time to make significant improvements, and you cannot ignore the diet. A culture is like a diet. If the organization designs and delivers great training but the culture is toxic, probably no improvement will be made.”

In the GRC Illustrated Series, it suggests that companies take a risk-based approach to provide appropriate levels and types of training and education to different individuals across the organization. Some of the factors they suggest you review are the role of the individuals, geography, and their level of exposure to particular risk areas. Such an approach moves away from the ‘tick-the-box’ approach that generally renders such compliance useless. It also helps to ensure that there is a more effective use of budgetary resources by focusing training efforts to maximize the return on the investment. The piece advocates a three-pronged approach.

Define

The first step is to define what you are trying to achieve. The piece recognizes that “while some organizations limit their training programs to what is legally required, more successful ones know that there are many reasons for developing a thoughtful, well-designed approach to employee education.” It puts forward that if training is done right, it will help the organization to achieve several goals. These include: the business Objectives; managing threats and business opportunities; it will address change in positive manner; it can help to ensure integrity and the company’s reputation; it can strengthen the business’s culture and ethical conduct; and, lastly, it can provide evidence that the company has complied with legal requirements such as the US Sentencing Guidelines and the Ten Hallmark’s of an Effective Compliance Program.

Design

The next step is to design the training program, which is further broken down into three steps, which drill down into the specifics of training. By using these three steps, you can help to assure that the training will be effective for the individual but also for the nature of the risk involved.

The first is to design the training program. Steps include the development of curriculum using a risk-based model. You should set uniform methods for acquiring content, maintaining records, and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Finally, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who is your audience and what their characteristics might be. You need to ensure that the content is timely and the instructors are effective. Finally, you will need to determine not only the most appropriate mechanism to deliver the content but also define the key performance indicators and determine methods to audit them.

The final design level is the individual’s training plan. Here you need to analyze what the person’s role is within the organization and use this to determine mandatory and risk-based training needs. You will need to consider modifying the risk profile based upon assessments given before and after the training is delivered and then adapt the training as an employee’s role and risk profile changes within an organization

Deliver

For the delivery of the training materials, they also have a tripartite scheme. They break it down into high risk exposure roles; medium risk exposure roles and low-risk exposure roles.

• High Risk Exposure Roles – are defined as those employees whose roles in an organization can significantly impact the company. Here expert subject proficiency is demanded and individuals should be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements, and penalties. Training may be repeated frequently using several methods of delivery, have greater assurance through testing and certification of course completion, and include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises.
• Medium Risk Exposure Roles – are defined as those employees who face risk on regular basis or present a moderate level of negative impact to a company if they mishandle the risk. These individuals should know the risks, requirements, and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. Training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, and have methods to prove evidence of understanding.
• Low Risk Exposure Roles – are defined as those employees with a low likelihood of facing the attendant risk. Persons in this category should be made aware of the risks, requirements, and penalties, as well as the organization’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

As with all areas in an anti-corruption compliance program, Switzer and the OCEG suggest that you monitor and audit your program so that you can review it and improve as circumstances warrant. I would add that you should also Document, Document and Document what you are doing for the same reasons. Just as Bakker’s new look at the culinary aspects of the classics can provide new insights into interpretation, it also shows the training that was written into Homer’s Odyssey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Lessons from a Soccer Manager for the Compliance Practitioner

Compliance leadership can take many forms and inspiration can come from many different sources. I was reminded of this when I read an article in this past weekend’s Financial Times (FT), entitled “How I coach Ronaldo and other secrets”, by Simon Kuper who wrote the piece based upon his interview of Real Madrid manager, Carlo Ancelotti.

Ancelotti grew up professionally playing in Italy’s Seria A, the top league in that soccer-crazed country. So he brings a player perspective to his job. He also rose in the soccer coaching ranks, with stops at Juventus and AC Milan in Italy; then Chelsea in England; followed by Paris Saint-Germain in France before taking over the reins at Real Madrid in Spain. So he has been both a practitioner and an executive. I found some of his thoughts on coaching very insightful for the compliance practitioner.

Coaching a Multi-National Team – Translating Your Compliance Program into Native Languages

While at AC Milan, Ancelotti coached a wide number of different nationalities so being able to communicate with them was critical. This was important when coaching in Italy but Ancelotti found it much more difficult when he moved to England to take over as the manager for Chelsea. He said the hardest part of the communication piece was how “to show emotion”. As any compliance practitioner for an international business concern recognizes, communicating in a multiplicity of languages is a paramount skill.

This is an area that is receiving increasing attention from the Department of Justice (DOJ) as a component of a best practices compliance program. In the FCPA Guidance, under the Ten Hallmarks of an Effective Compliance Program, it intones that a company’s Code of Conduct and it’s compliance policies need to be clear and concise. However, equally noted is that the Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees.

Trusting Your Players – Getting Buy-In For Your Compliance Program

While managing Chelsea, before the 2010 FC Cup final against Portsmouth, “Ancelotti did something unusual: after naming the starting 11, he asked them to decide the match strategy themselves.” He recalls: “Everyone said one thing. For example, [goalkeeper Petr] Cech said, ‘You have to control the space behind, to avoid the counter-attack.’ That season we played 60 games, and 60 times I made the strategy. So I think the players understood very well what they had to do.” When asked why he would try something so risky before such an important match, Ancelotti responded, “I was sure the players followed the strategy, because they made the strategy. Sometimes I make the strategy, but you don’t know if the players really understand.” His tactic worked and Chelsea beat Portsmouth 1-0 to complete the rare double of winning the English Premier League and the FA Cup.

What Ancelotti had hit upon was engaging his players. You should view every interaction as an opportunity to tap into the expertise of your workforce. This requires you to let employees say what they think. One of the first (and most insistent) questions you will face as a compliance practitioner is explaining how and why the Foreign Corrupt Practices Act (FCPA) applies to a country and culture far from the United States. Another related question is often along the lines of the endemic corruption in a country and how the business unit personnel cannot do business any other way. Let your co-workers express these thought and sentiments and then explain why the law(s) applies and how they can do business going forward. The business unit will usually have a solution to these problems and if you can get them to engage with you, it may well be a solution for you and the company. My experience is that they will generally have the correct response for you, even if they do not understand the nuances of the FCPA, UK Bribery Act or other anti-corruption law. But if you can have the employees understand that it is there program, you will have greater buy-in and greater participation in your compliance regime.

Managing from the Ground Up – Thoughts on Building a Compliance Program

After his stint at Chelsea, Ancelotti moved on to Paris Saint-Germain in France. Here he found a different set of challenges. The first was dedication to the program and lack of professionalism. As Ancelotti explained, “The problem of the English player – sometimes it’s difficult for them to understand that they don’t have to work 100 per cent in training. There are some training sessions where it’s important not to work 100 per cent. The French don’t understand why they have to work 100 per cent every day.” This attitude was acerbated by factionalism; the team was made up of ethnic factions. Ancelotti said, “We had the South Americans, the French, the Italians,” and “The relationship is not easy. The South Americans like to play with each other. The Italians the same. The players were not used to having a winning mentality.” Simply put, he had to change the attitude of the players.

How can you begin this process in a compliance regime? Writing in the Harvard Business Review (HBR) authors Linda Hill and Kent Linebeck, in an article entitled “Are You A Good Boss or a Great One”, said that leadership had three imperatives, which are to (1) Manage Yourself; (2) Manage Your Network; and (3) Manage Your Team. These three imperatives provide a good framework for the compliance practitioner.

Most employees ask the question “Can I trust this person?” Leadership results, in large part, by the answer to this question. Trust has two components; the first is that the leader has confidence in his or her own competence; and the second is that employees have trust in the manager’s character. This means that your motives are good and that you want people to do well. If these characteristics are present a manager should be able to influence others.

Next building key relationships throughout an organization leads to the road for success. This means nurturing a broad network of company employees who can influence specific areas and the departments within a company. As scarce resources must be reckoned with on any project, the person who can show the interdependence of seemingly disparate groups, which may have conflicting goals and priorities, is the manager who achieves the most. This relationship building can be a key way to influence others within an organization over which a manager does not have direct control.

Lastly, managing a team is a different dynamic than managing one-on-one. If a manager can influence a team, they have a greater chance of success as employees tend to be more creative and productive when working in groups. Accountability to other team members and a genuine conviction that they are all in it together can lead to a group coalescing into a team. The culture of any team is important: values, standards and norms guide employees in what is expected of them. Attention must be paid to all team members and recognition for individual efforts within the team can bring greater effectiveness as well.

To be a great compliance leader, the compliance professional must use all of these techniques. To achieve many compliance goals within a company requires a manager to exert a great amount of influence. The techniques set out by the authors provide direct tools for the compliance professional to utilize in this task. Managing employees within any compliance department is the first step. A compliance professional must reach out across an organization to all groups and departments to develop relationships, which can be used in furthering a company’s compliance goals. A compelling team creates the foundation of this strong network and a strong network will allow your compliance team a path to achieve its goals within the company. But knowing where you are going is only half of the journey. The authors end with the admonition that “you need to know at all times where you are on the journey and what you must do to make progress.”

Obviously Ancelotti has been successful at many different stops in his career. Some of the tips that Kuper wrote about in this article can be useful for the compliance practitioner dealing with a diverse multi-national employee base.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014