FCPA Compliance and Ethics Blog

February 28, 2014

Russian Compliance Practitioners in Texas

Yesterday I had the privilege of meeting a group of compliance practitioners from Russia who came to the United States to meet with US-based compliance professionals and learn more about how the Foreign Corrupt Practices Act (FCPA) impacts how US companies do business overseas. The delegation was hosted by the Washington-based Center for International Private Enterprise (CIPE), an affiliate of the US Chamber of Commerce.

The purpose of the visit was straightforward: to allow these Russian compliance specialists to understand more fully the obligations of US companies under the FCPA so that they, in turn, could educate Russian businesses which may want to do business with US companies. It is, as my colleague Jason Poblete often writes on his blog The DC Dispatches, a business approach to a legal problem. As this is Texas and the world famous Houston Rodeo is just beginning, we dined at lunch on some very excellent Bar-Be-Que. Meeting our Russian colleagues were some of Houston’s top in-house compliance officers and practitioners. While primarily drawn from the energy sector, there were representatives from public and private companies; multi-billion dollar companies down to entities with $100 million in annual sales; product manufacturers and service-oriented companies; and companies with larger compliance departments down to one-man (compliance) bands.

I learned quite a bit listening to the Houston-based compliance specialists talk about the thing that was most important or significant when dealing with a third party. Their remarks were limited to 5 minutes, so they could only talk about a few key points. By far the most important was to understand who they were doing business with in the third party: not just the listed owners, officers, directors and key employees, but also who the ultimate beneficial owner is. That understanding of ownership allows a determination to be made of whether a foreign government representative is involved. While this would certainly raise a red flag, the Department of Justice (DOJ) Opinion Releases have shown that having foreign official ownership does not require a US company to decline to do business under all circumstances, as the key is how that relationship is managed.

A second point made was that if a Russian company had a compliance program in place and understood a US company’s obligations under the FCPA, it would clearly stand out as a market differentiator. So by having a program, training on it, and having documentation of all of this, a Russian company could stand out as a potential business partner of a US-centric company in a variety of roles, such as an agent, sales representative, supplier, joint venture partner or even a key customer.

Another Houston based compliance practitioner, whose company has more of a logistical focus, said that a key compliance indicator for his company is documentation. The more documentation that can be presented to support invoices, the more comfortable he can be that all assessed charges are legitimate and are levied with transparency.

The final topic was another point that the FCPA Guidance makes clear, which is not only do you need to assess your risks but you also need to manage your risk. Each Houston-based compliance officer discussed the risk profiles for their company and the FCPA risks that were presented to them. They each had a different focus for managing their attendant risk. It was a powerful way to view the clear import from the FCPA Guidance to assess your risk and then manage it.

Among the things that I found most fascinating were the lessons that I learned listening to my newfound Russian colleagues, although some of these lessons may seem obvious when you think about them. The first was regarding language. While all of our guests spoke English quite well, they provided a translator because the nuances of both compliance-speak and Texan would probably have been a bit too much for them to fully grasp. It made me understand that even with very good “English as a second language” speakers involved, it is far better to provide information and education in the native language. Clearly, when the FCPA Guidance suggested that a company’s Code of Conduct and its compliance training be in a subsidiary’s local language, they were on to something important.

Another point was that the Russian compliance professionals innately understood that you need to look at several different factors on a company’s background in the performance of due diligence. One technique cited was the tendency of certain company owners to open and close several businesses, while running up huge debts and not paying them, thereby bankrupting not only their business but their unlucky suppliers. So there was a focus on company debt and length of time to pay suppliers that they believed was also a key factor in an appropriate due diligence investigation into a Russian company to determine if it was an acceptable business partner.

A final observation was the enthusiasm of the Russian compliance practitioners. Not only did they clearly understand that a company run ethically with good business practices was a better company; they also understood that Russian companies, who did business with US companies and were forced to have a FCPA compliance program, could help lead better business practices generally and more widely in Russia. In other words, they believed there is a market solution to help Russian companies do business ethically and that by requiring Russian companies to abide by anti-corruption laws like the FCPA and UK Bribery Act, it can help lead Russian businesses to more of an international position.

Our lunch ended with much BBQ digested, and we all said our good-byes. I hope that our Russian guests found us to be as gracious hosts as we found them to be guests. I also want to salute CIPE for organizing this trip and give a shout out to my friends at the US Chamber of Commerce for putting together an NGO to help deliver business solutions to legal (and ethical) problems. As Mike Volkov wrote yesterday, compliance is much easier if you simply do not engage in bribery and corruption. CIPE helps non-US businesses and persons to follow that proscription and to help bring a more international effort to the fight against bribery and corruption.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 27, 2014

Alfred the Great, GE and the Management of Third Party Risk

I am currently studying Medieval England, including the reign of Alfred the Great. As you might expect with someone monikered as ‘The Great’, he is certainly considered right up there with the greatest Kings of England. Not only did he largely drive out the Viking invaders from his country but he also set the stage for the unification of England under one crown, for the first time since the days of Roman Britain under the Caesars. One of the innovations he developed was fortified towns, called burgs, from which to resist Viking raids and incursion. But more than simply walled cities for defense, within these fortified towns was a wide road running down the middle of the town called the ‘High Street’ and a street situated next to the town’s walls appropriately called ‘Wall Street’. These streets were wider than the others in the town to facilitate the movement of troops in a time of crisis, such as a Viking raid. In other words, Alfred evaluated the risk to his kingdom and put multiple layers of steps into place to manage those risks.

In the Foreign Corrupt Practices Act (FCPA) compliance world, one of the key components that the Department of Justice (DOJ) wants to see is a risk assessment and a company managing its risks, based upon said risk assessment. One company’s response to a risk or set of risks does not necessarily mean that another company must follow it. The DOJ’s Ten Hallmarks of an Effective Compliance Program are broad enough to allow companies to manage their own risks, hopefully effectively. I thought about this concept when I was listening to a presentation by Flora Francis and Andrew Baird of GE Oil & Gas at the 2014 SCCE Utility and Energy Conference in Houston this week on GE’s third party risk management. First of all, if you have the chance to hear a couple of nuts and bolts compliance practitioners from GE like these two speak, run, don’t walk, to their presentation. GE’s commitment to compliance is well known, but the company’s willingness to share about its compliance program is also a great boon to the compliance community. Lastly, there is the gold-standard nature of the GE compliance program; while it may be more than your company needs to manage its own risks, the GE compliance regime does shine a light that we can all aspire to in our own compliance programs.

Both speakers made clear that GE’s program was the company’s response to its assessed risks. Further, the compliance program has evolved, not only as the company’s risks have evolved but also as the company has determined what works and what does not work as well. Within the realm of third parties, the prescient question from compliance to the business unit would be ‘What is your “Go To Market Strategy” and how will your use of third parties assist you in carrying out that strategy?’ Some of the factors the speakers cited could include your company’s market coverage strategy, product segmentation, pricing and margin expectation, an added capability which your company may not possess such as technology, and finally there could be local legal requirements for a local content third party in certain countries.

Some of the factors which GE considers, when evaluating a third party, include the following: 

  • Business Model: Do we need third parties to reach our customers or can we build the organization ourselves?
  • In-house Capabilities: Do we already have the organization in place to handle these capabilities?
  • Overlap: Do we already have a third party in the region/country that can handle our needs?
  • Volume of Business: How much business will this third party bring to the company?
  • Compliance Risk: Where is the third party located? Will they interact with government officials? Do they have the same commitment to compliance?
  • Regulatory Environment: Is it simple or strict? What are the chances of regulatory violations?
  • Reputation: What is the third party’s reputation in the market? 

I was also intrigued to learn about the risk analysis process that GE uses with its third parties. Initially the process breaks the risks down into low risk and high risk. A low risk receives a limited review and analysis, while a high risk receives an escalated review and analysis consisting of the following reviews: compliance, legal, business leadership and finance.

But more than simply the level of review, I was interested in the ‘Risk Score Drivers’ that GE has developed. Once again, the speakers emphasized that these are GE’s risk score drivers and have been developed over time through the company’s internal analysis and processes. Nevertheless I found them to be a very useful way to think about third party risk. The risk score drivers listed were:

  • Country channel where the third party is located in or where it sells into;
  • Experience by the third party with the sales channel;
  • Type of third party involved; agent, reseller, distributor;
  • Commission rate, is it standard v. non-standard;
  • Will any sub-third party relationships be involved;
  • Will the third party sell to government entity or instrumentality;
  • Do any of the third party’s principals, Officers or Agents work for a foreign government, state owned enterprise or political party;
  • Was the third party mandated by customer or the end user;
  • What is the third party’s contract duration;
  • Is the third party involved in more than one project;
  • Does the third party have any historical compliance issues;
  • What is the percent of sales with products or services; and
  • What is GE’s annual revenue with the third party?

GE compliance then takes these scoring factors and puts them into an evaluation matrix when determining the amount of risk involved and whether or not the company should move forward with a proposed third party. If the decision is made to move forward and create a commercial relationship, the third party must agree to commit to the compliance standards of GE; stay current with and obey all applicable legal and regulatory provisions; comply with all contractual provisions; grant audit rights to GE; agree to report any compliance violations; certify to all compliance requirements on a regular basis; receive and complete compliance training; and allow regular site visits. GE also requires each third party to have a relationship manager assigned to it who is there to establish ongoing communication, provide ongoing training and provide a platform for business improvement. Internally GE has processes in place to refresh due diligence; review, renew and update contracts as appropriate; and conduct regular site visits and periodic audits.

Flora and Andrew ended their presentation with the following quote from the US Sentencing Guidelines about the question – ‘When is Enough, Enough?’ When you can show the government agency asking that you have taken appropriate steps to design, implement, and enforce a compliance program that is generally effective in preventing and detecting criminal conduct.

Their presentation was an excellent mechanism for the compliance practitioner to assess their third party management program. Although they made clear that this program was not for all companies, there is enough meat present for anyone to use in evaluating where you might be and where you might need to go in management of your third parties. And just as Alfred the Great constructed a defense-in-depth in his fortified towns, so the GE program for the management of third party risk has several layers of protection so that when the crisis does arise, they can adequately respond when the government comes knocking.


February 26, 2014

The Alchemist of Comedy and Utility Industry Compliance

Harold Ramis died on Monday. For a generation of comedians and fans of comedy he was one of the driving lights of that genre. He was one of the screenwriters of Animal House and wrote the screenplays for both of the Ghostbusters movies, in addition to starring in them. His New York Times (NYT) obituary called him the “Alchemist of Comedy” and quoted from Paul Weingarten, who wrote, in The Chicago Tribune Magazine in 1983, “More than anyone else, Harold Ramis has shaped this generation’s ideas of what is funny.” So thanks Harold Ramis for Bluto, Otter, Flounder, D-Day, Dr. Spengler and all the rest.

I am currently attending the Society of Corporate Compliance & Ethics (SCCE), 2014 Utilities & Energy Conference. As usual, it is an excellent event for the compliance practitioner. One of the things that I find not only intriguing but also extremely useful about this conference is the pairing of compliance practitioners from the fields of energy and utility. I did not attend the utility-focused sessions for the first couple of years but now prefer those sessions because they focus so much on the process of compliance. While the actual compliance issues are not anti-bribery or anti-corruption, the process-oriented approach utilized in the utility industry can be a great set of lessons for the energy industry compliance practitioner to consider when looking at an energy company compliance regime.

On Monday there was a presentation by David Douglass, Federal Energy Regulatory Commission (FERC) Compliance at Kansas City Power & Light Company. Initially, Douglass presented several different compliance models, which the anti-corruption compliance practitioner can use to benchmark or evaluate your company’s compliance program. The first one Douglass termed the Compliance Maturity Model – Compliance at Every Level. It included:

  • Step 1 – Reacting only and engaging in panic. The elements of this level of maturity include the admonition to “Get it done”. Typically under this step compliance is operating in isolation and can only marshal resources as necessary and wherever they might be found.
  • Step 2 – Anticipating and acceptance of compliance. This increased maturity can help to bring about some efficiency, usually through the accepted use of automation. This allows a compliance practitioner to see connections between multiple programs and take steps to plan future approaches to ongoing and ad hoc compliance challenges as they might arise.
  • Step 3 – Collaborating. Under this step, compliance moves to being seen as a collaborative partner with the business units. This allows the identification of risks, the assessment of the company’s exposure to those risks and the prioritizing of actions to meet those assessed risks. Finally, the collaboration step can allow for the re-use of technological components for multiple purposes, thus reinforcing great cost savings and value.
  • Step 4 – Orchestrating through and with the rest of the company. Under this ultimate step in the model, compliance works to help set enterprise wide objectives and to help coordinate enterprise wide risk analysis and response. It provides corporate wide visibility to risk analysis, management and remediation as well as compliance performance.

In addition to the above Compliance Maturity Model, Douglass discussed two of the programs that were set out by federal utility regulators. The first was the FERC’s Effective Compliance Program, which has the following seven standards:

  1. Internal standards and procedures to prevent and detect violations;
  2. High-level management knowledge and oversight of internal compliance programs;
  3. Reasonable (due diligence) efforts to screen out “poor performers”;
  4. Reasonable internal communications and training efforts;
  5. Reasonable steps to evaluate program effectiveness, including confidential reporting options for employees;
  6. Creating and enforcing compliance incentives and noncompliance sanctions;
  7. After detection of a violation, companies shall take reasonable, responsive steps.

He then cited to the North American Electric Reliability Corporation’s (NERC’s) four hallmarks of effective compliance programs, which included the following:

1. Senior management / leadership

  • Compliance Program is established in the company.
  • Compliance Program is formally documented and widely disseminated throughout the organization.
  • The Compliance Program is supervised by a high ranking company representative.
  • The head of the compliance function has access to President / CEO and Board.
  • The Compliance Program is designed and managed with independence.
  • There are sufficient resources dedicated to implement Compliance Program.
  • The Compliance Program has the full support of all company leadership.

2. Preventive measures are in place

  • A sufficient frequency of review of compliance program occurs.
  • There is sufficient frequency of training of employees on compliance program.
  • There is sufficiency of subject matter training of employees on compliance program.

3. Prompt detection, cessation, and self-reporting

  • There is a sustainable process to internally assess compliance with regulations.
  • There is a sufficient response to identification of wrong-doing or misconduct.

4. Effective remediation

  • There are effective internal controls and procedures present to prevent recurrence of misconduct.

Douglass also discussed the ‘3-lines of defense’ concept for a best practices compliance program. Under this concept a properly constructed compliance program has three lines of defense to prevent a compliance incident. These three lines of defense are identified as (1) the Risk Content Owners line of defense; (2) the Risk Process Owners line of defense; and (3) the Risk Content and Content Monitoring Owners line of defense.

I. Risk Content Owners

This first line of defense is the business owner(s) who are on the front lines for any company. Their roles include management of day-to-day business risks and to recommend actions to manage and treat that risk. This group also is tasked with complying with the company’s risk management process. Where appropriate, this group will implement risk management processes where applicable and this group will execute risk assessments and identify emerging risk.

II. Risk Process Owners

This second line of defense is typically the company legal and compliance departments. Not only are these the standard setters in an organization but they may also be charged with certain monitoring tasks. This group should establish policy and process for risk management. This group is the strategic link for a company in terms of risk. It should provide guidance and coordination among constituencies. It should identify enterprise trends, synergies, and opportunities for change. This group should also initiate change, integration and operationalization of new compliance best practices. Typically this group is the liaison between the third and first lines of defense. Lastly, this group will oversee certain risk areas and in terms of certain enterprise objectives such as compliance with regulations such as Foreign Corrupt Practices Act (FCPA), Export Control, etc.

III. Risk Content and Monitoring Owners

This third, and final, line of defense is generally thought of as the Assurance Providers and consists of senior management, Internal Audit and up to the Board of Directors. Its roles include either working with or through senior management and/or the Board of Directors. This line of defense is tasked to rationalize and systematize risk assessment and governance reporting so that it is not only transparent but useful and stored in a manner that can be retrieved if a regulator comes calling. It will provide oversight on risk management content/processes, followed by the second line of defense. Finally, it will provide assurance that risk management processes are adequate and appropriate.

This tripartite model is an excellent way for a company to not only think through how to design an overall structure but as an outline to assess how well it may be doing in any one specific compliance area such as anti-corruption compliance under the FCPA. The first line of defense should be driven down to the Business Unit level. This will allow, indeed require, the Business Unit to buy into the overall compliance program. The legal and compliance departments are the key bridge that writes and leads implementation of the overall compliance program through training but also assesses whether the compliance program is effective and remains robust. The role of senior management is to provide overall leadership and deployment of resources throughout this entire process.

I have found that the anti-corruption compliance practitioner, or indeed the anti-money laundering (AML) or export-control practitioner, can learn quite a bit from their peers in the utility industry. While they may not rise to the level of “Alchemist of Comedy”, as did Harold Ramis, you might want to listen to what they have to say.


February 25, 2014

Tales From the Crypt: Tale 2-Tough Choices for Tough Cookies

Ed. Note: today we continue our “Tales from the Crypt” series, which is penned by a couple of anonymous compliance practitioners who will write about some of the real world experiences that they have encountered. I hope that you will not only enjoy them but find them useful in addressing some compliance and ethics issues that you may face in your job.

Tough Cookie 1 has spent more than half of her 20+ year legal career working in the Integrity and Compliance field, and has been the architect of award-winning and effective ethics and compliance programs at both publicly traded and privately held companies. Tough Cookie 2 is a Certified Internal Auditor and CPA who has faced ethical and compliance challenges in a variety of industries and geographies and recently led a global internal audit team. Our series “Tales from the Crypt: Tough Choices for Tough Cookies” is drawn largely from real life experiences on the front line of working in Integrity & Compliance, and personal details have been scrubbed to protect, well, you know, just about everyone…

Do As You’re Told

Rule # 2 in the integrity and compliance field is that “Management Override is alive and kicking,” and all you worker bees better “do what the boss says” or else. Of course, those of us senior level professionals see it for what it really is – “Management Override” is the world’s oldest risk and is the Achilles’ Heel of Fraud Prevention due to its cycle of dysfunction:

  1. Economic conditions cloak poor management decisions;
  2. Staff competency is suppressed in favor of “executive decision-making;” and
  3. “At will” employment rules rescue dysfunctional managers from accountability.

Even the strongest corporate or personal codes of ethics oftentimes cannot penetrate this bubble of deception without the backing of  strong, courageous leadership and a rock solid culture of integrity.

On her first day on the job for a small,  privately-held freight trucking company (The Company), the controller was invited to a meeting between the owners of the Company and their bankers.  Surprise!  The Company had been planning to factor their accounts receivable as a cash flow stop gap and meetings with the bankers were well on the way to closing the arrangement.  While factoring can be a savvy way to tighten the cash flow cycle, it is not a panacea for businesses that do not have strong cash management.  The invitation for “Management Override” to come calling was firmly in the Company’s grasp. As the days and weeks went on, the controller realized that this small trucking company was undergoing significant expansion, adding warehouse and dock locations, backed with additional equipment and administrative staffing.  They were also adding more drivers, mostly owner-operators, and company-owned trailers.  The growth was financed with the Company’s receivables because it did not require a personal guarantee from the owners.

As with most receivables financing contracts, terms provide the lender with the most favorable accounts receivable.  The business was quickly running out of available cash to borrow.

The controller also identified another problem, collections on the accounts receivable.  The receivables aging reflected many old, unpaid invoices that were excluded from the borrowing base and the Company had no experienced collections staff.  Customers were mainly small “mom & pop shops” who did not feel compelled to pay for freight on merchandise they had already received.  The controller pressed the owners for a new customer approval process based on a credit review and received approval to hire an experienced collections clerk, and we began to see cash flow in from the efforts.

Some customers did not appreciate the outstanding debt reminders and complained to the sales team.  Concerned with growth and freight tonnage rather than cash, the owners directed the controller to cease collection activities and lay off the collections clerk (“at will” to the rescue!).

Uncontrolled spending continued until the borrowing base was at a maximum with invoices and payroll pending.  The owner approached the controller one morning and asked her to make changes to the accounts receivable ledger, changing names of customers that were an “excluded” class in the borrowing base so that they would appear to be valid within the borrowing base.  “For example,” the owner said, “change Yellow Freight to Yellow Mining and Manufacturing.” Refusing to compromise her integrity, the controller declined to follow the owner’s instructions, advising that the change was “unethical and illegal.”  Later that week, the Company used the “at will” provisions to relieve the controller of her duties for having “insufficient experience.”

Needless to say, the cycle of deception self-destructed, and approximately a year later, the Company filed Chapter 11 bankruptcy, and eventually Chapter 7.

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors shall not be responsible for any loss sustained by any person or entity that relies on this publication. 

February 24, 2014

Commitment to Compliance: the Compliance Committee

Sunday was the 69th anniversary of the most iconic photo of World War II, at least from the American perspective. Of course it was the raising of the American flag at Mt. Suribachi on Iwo Jima. To say that one photo cannot change the lives of those pictured is belied by this image. The photographer, Joe Rosenthal, won a Pulitzer Prize for the photograph. While three of the six flag-raisers died fighting on Iwo Jima, one survivor, Rene Gagnon, appeared during half time at the 1969 Orange Bowl; Ira Hayes was immortalized in songs by both Johnny Cash and Bob Dylan; and the last remaining flag-raiser, John Bradley, died in 1994.

I once tried a lawsuit in Harlingen County, Texas, where the name of one of the flag-raisers, Harlon Block, is inscribed in the Memorial to the county’s deceased war veterans on the courthouse square. The Judge of the trial used it as an example of civic duty and, years later, when I read James Bradley’s book, “Flags of Our Fathers”, about his father John Bradley and the men who raised this flag, I learned that the Judge in my trial was one of 16 high school seniors from Harlingen High School who all volunteered for enlistment on the same day. Harlon Block was one of the Judge’s classmates and they volunteered together. I am still moved when I think of that story.

One of the commitments I believe can enhance a compliance program is the creation of a compliance committee. As far back as the 2005 Monsanto Corporation Deferred Prosecution Agreement (DPA), the compliance committee concept appears to have found favor with the Department of Justice (DOJ). In Appendix B to the DPA, Monsanto agreed to, among other things, “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or a Compliance Committee. Later, this concept was used in the settlement of Halliburton’s shareholder action around its Foreign Corrupt Practices Act (FCPA) enforcement action.

The Monsanto DPA provides guidance on this point by stating “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction;” this would indicate that senior management should be involved in the Compliance Committee. It would also indicate that more than one department should be represented on the Compliance Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments and Business Unit Operations.

The Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual suggests the following language in its proposed form of Compliance Committee Charter:

The compliance officer shall have ultimate responsibility for operating the compliance program, with the support and assistance of the compliance committee. The committee shall consist of ### members, representative of each major department or area. The committee may appoint ad hoc members, each to serve at the pleasure of the committee, to assist and advise the committee in carrying out this charter. While the ad hoc members of the committee are not entitled to vote on matters formally considered by the committee, the ad hoc members shall be entitled to call a meeting of the committee and, further, to have any matter included on the agenda of any meeting of the committee. The committee shall designate the proper manner for calling meetings and the setting of agendas thereto.

 The compliance officer and committee shall retain a direct line of communication with and a direct reporting responsibility to the board of directors, executive committee, and CEO.

In the November/December issue of the SCCE Compliance & Ethics Professional magazine, Donna Boehme wrote an article entitled “Building a horse and not a camel: The compliance committee”, in which she cautioned that “More often than not, a [compliance] committee that is conceived with all best intentions evolves into something less than ideal: (a) a team of micromanagers that routinely substitutes its judgment for that of the CCO; (b) a source of unnecessary red-tape and ‘make-work’ for the compliance function, (c) a filter between the CCO and the governing body.”

To remedy these potential pitfalls, Boehme recommends three rules for building an effective compliance committee.

  1. The compliance committee should have a clear, written charter that sets out the functionality, goals, and parameters of the group, along the lines discussed above.
  2. The CCO should chair a committee of her peers, senior-level officers in a position to make decisions and marshal resources.
  3. The compliance committee should be periodically reviewed for effectiveness and adjusted as necessary to meet the stated goals of the charter.

One of the things Boehme makes clear is that “every compliance structure should be fit-for-purpose.” In other words, if your company’s highest compliance risk is third party relationships, I think you should focus your compliance committee resources on that issue. The scope of this was not fleshed out in the Monsanto DPA. However, it suggested that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with any third party. While this would most necessarily focus on FCPA compliance, there should also be a commercial component to this function.

To this end, a compliance committee should review all documents relating to the full panoply of a third party’s relationship with a US company. This would begin with a review of any initial requests to engage a new third party. The information presented to the compliance committee would include a Business Unit’s request to engage the third party, the costs and benefits. The next step would be to review the due diligence and all background investigative materials on the prospective third party.

The compliance committee should receive copies of, and approve, all due diligence and background investigative materials before a contract is executed with a third party. Particular attention should be paid to the form of the contract. If there are deviations from the company’s standard form of agreement, with regard to the FCPA compliance issues, there should be a full explanation by the third party or Business Unit. The compliance committee should determine if the company is taking on any unwarranted FCPA compliance risk if non-standard FCPA compliance terms and conditions are used.

After the commercial relationship has begun, the compliance committee should monitor this relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations on the third party with at least a minimum of a Level One Due Diligence and higher levels of Due Diligence based upon an appropriate risk rating. There should be an evaluation of any new or supplemental risk associated with any negative information discovered from a review of financial audit reports on the third parties. All FCPA compliance training should be reviewed and certifications confirmed. The compliance committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. As with all things FCPA, the three most important words here are Document, Document and Document. If you cannot produce documentary evidence to the DOJ of your annual review and its findings, it is of no use to your company.

In addition to the above remedial review, the compliance committee should review all payments requested by the third party to assure such payments are within the company guidelines and are warranted by the contractual relationship with the third party. Lastly, the compliance committee should review any request to provide the third party with any type of non-monetary compensation and, as appropriate, approve such requests.

The compliance of a third party is one of the key tools that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the FCPA. The proper structure of the compliance committee and its full engagement with all aspects of a company’s relationship with a third party is one of the areas that the DOJ will look for in a successful FCPA compliance program.

A compliance committee is a key tool, which can be utilized by a company to manage its relationships with its third parties. Its use has been commented upon favorably by the DOJ through its citation in the Monsanto DPA. A Compliance Committee does not replace any of the other key components of an effective FCPA compliance program but it does provide an additional level of protection, back-up and transparency for all deals with a third party. It should be employed by US companies as an additional protection against any type of FCPA compliance and ethics violation “slipping through the cracks” to become a much larger problem down the road.

But take Boehme’s cautionary words to heart, that the guiding principles of a compliance committee should be that it helps and does not hurt your overall compliance efforts going forward. And then use the raising of the flag on Iwo Jima to think about commitment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 21, 2014

Nixon Goes to China and Management of Third Party Relationships

Today we honor one of the greatest diplomatic initiatives that occurred in my lifetime, Nixon’s trip to China, where he arrived on this date in 1972. Like most Americans I was caught completely unaware that Nixon was planning to go and create a diplomatic relationship with a country which, since 1949, had been the United States’ mortal enemy. While there are innumerable lessons to be drawn from the entire affair, the one that has resonated with me all these years is that only Nixon could go to China. Due to his hardline credentials in his prior dealings with the Chinese, when they were known in the US as Red China, Nixon had the political cachet to make the political opening. While Nixon certainly had his missteps, his China opening was not one of them.

I thought about Nixon’s political acumen, at least in the arena of foreign affairs, when I read an article in this month’s issue of Compliance Week by noted GRC Pundit, Michael Rasmussen, entitled “Business Agility Across the Extended Enterprise”. In his piece, Rasmussen discusses business organization complexity and diversity and the lack of enterprise wide oversight into risk and compliance in the area of third party risk management. Rasmussen says that “The challenge is: “Can you attest that risk and compliance are managed across extended business relationships?” An organization can face reputation and economic disaster by establishing or maintaining the wrong business relationships, or by allowing good business relationships to sour because of weak oversight.”

He believes that these deficiencies are found because companies are focusing too much attention at the front end of business relationships and are failing to anticipate the issues which might later “cascade and cause severe damage to reputation, and exposure to legal and operational risk throughout the ongoing relationship.” Rasmussen contends that there are two common mistakes made by businesses along these lines.

The first is that risk is only considered during the onboarding process. This leads to a failure to consider new and additional risks that can arise during the course of the relationship. The second revolves around analytics, as Rasmussen asserts that “Often, metrics are focused on vendor delivery of products and services but do not include monitoring risks such as compliance and ethical considerations.” I often remark that in any process, which your company might use regarding third parties, the real work begins after the contract is signed and you must manage the relationship. Rasmussen’s approach bears this out.

To overcome these deficiencies, Rasmussen lays out a five-step approach, which he articulates will bring “an integrated approach to third-party management that brings together people, process, and technology to deliver not only efficiency and effectiveness but also agility.” Trying to accomplish this through the use of spreadsheets and “document-centric” processes will overwhelm any compliance practitioner or indeed an entire organization, so automation is a key component for success.

1. Define Your Program. Rasmussen writes that the first step that the compliance professional needs to perform is to define the third party management program. He correctly notes that an individual needs to lead the third party management program, with different parts of the organization working with this role. By defining your third party management program you will articulate “understanding board oversight and reporting for third party risk and compliance and a cross-functional team to ensure that the operational, reputational, and compliance risks in business relationships are appropriately addressed. This team needs to work with the relationship owners to ensure a collaborative and efficient oversight process is in place.”

2. Establish Frameworks. The third party management framework should be utilized to manage and monitor the constantly evolving relationships, risks, and regulatory environments in any long-term or extended business relationships. Rasmussen notes that the “framework starts with developing a list of third party relationships cross-referenced to risks and regulations affecting those relationships. A framework is an organized set of controls used to measure compliance against multiple risks, regulations, standards, and best practices.”

3. Onboarding. While this is something that most companies are at least aware of, the evaluation of risk and compliance needs to be integrated with the process of procurement and the full range of third party relationships. This includes vendors, suppliers, and all other business partner relations. Rasmussen writes, “A business relationship is to be evaluated against defined criteria to determine if the relationship should be established or avoided. When there is a high degree of inherent risk, but the relationship still is necessary, manage the risk within tolerance level by establishing compensating controls and monitoring requirements.”

4. Ongoing Monitoring. There are many factors that can affect the success or failure of any given business relationship. Rasmussen lists some of these as “the potential for natural disasters, disruptions, commodity availability and pricing, industry developments, and geo-political risks. The potential risks relevant to each business partner should be taken into consideration to monitor the health and success of business relationships on an individual and aggregate level.” But with this wide variety of identified factors comes the requisite monitoring of relevant legal and regulatory environments in corresponding jurisdictions to identify changes that could impact the business and its extended relationships.

5. Resolve Issues. Rasmussen believes that “even the most successful business relationships encounter issues. These may arise from quality, health and safety, regulatory, environmental, business continuity, economic, fraud, or legal and regulatory mishaps. The fallout from incidents is exacerbated when everyone scrambles because nobody developed defined action and resolution plans ahead of time. Management of risk across extended business relationships should account for issues and plan for containment, mitigation, and resolution.” Or as Paul McNulty might say in McNulty Maxim No. 3, “What did you do when you found out about it?”

Rasmussen concludes his article by noting, “Third-party management is enabled at an enterprise level through implementation of an integrated third-party management platform. This offers the adaptability needed as a result of the dynamic nature and geographic dispersion of the modern enterprise. The right third-party management platform enables the organization to effectively manage risk across extended business relationships and facilitate the ability to document, communicate, report, and monitor the range of assessments, documents, tasks, responsibilities, and action plans.” The agility that he advocates is something that I believe we saw in Nixon’s rapprochement with China. But the good news for the compliance practitioner is that unlike the maxim I discerned from Nixon’s achievement, that only Nixon could go to China, you can employ the strategy delineated by Rasmussen for a more complete review, analysis and management of your company’s third party risk.


February 20, 2014

C’Mon Man Or the End of the World?

It’s the end of the world as we know it,

It’s the end of the world as we know it

It’s the end of the world as we know it, and I feel fine

The above lyrics came from REM and they reflect how I generally feel about law firm and lawyer pronouncements about the Foreign Corrupt Practices Act (FCPA) enforcement because [SPOILER ALERT] I am a lawyer, I do practice law and I do work for a law firm, the venerable TomFoxLaw. The FCPA Professor regularly chides FCPA Inc. for their scaremongering tactics, usually monikered as ‘Client Alerts’. Mike Volkov is even more derisive when he calls them the FCPA Paparazzi and cites examples from his days in Big Law, where law firm marketing campaigns are centered around doomsday scenarios about soon-to-occur FCPA; UK Bribery Act; or [fill in the anti-corruption law here] prosecutions and enforcement actions. I usually take such law firm scaremongering and blathering to be worth about as much as the paper they are printed on. Indeed I chide the FCPA Professor and Monsieur Volkov for their protestations. In other words, I feel fine.

I am a proud card-carrying member of FCPA Inc. because not only can I spell FCPA (and UKBA for that matter), I also make FCPA related pronouncements from time-to-time and practice law in the FCPA space. I think we generally do a pretty good job of getting information out there. But last week one missive occurred that not only met the above impugning adjectives but created a veritable tsunami of mis-information as it made its way from China to Europe and to the US that even I thought was beyond the pale. How absurd was it? So absurd that not only did the FCPA Professor and I agree about it, but we decided to post blogs about it today.

On February 5 a law firm client alert stated, “While the number of enforcement actions may decrease or hold steady, we can expect some “blockbuster” settlements in 2014 of matters that have long been under investigation.” Blockbuster…really? Do you think this law firm was implying that the Siemens record FCPA fine of $800MM, plus its equivalent $800MM fine in Germany, that’s a total of $1.6 bn for those of you keeping score at home, is seriously in danger of falling by the wayside in 2014? How about Halliburton’s comparatively paltry $579MM penalty? To be slapped aside like a green-skinned witch yelling, “I’m melting!” BAE coming in at No. 3 with a measly $400MM must be quaking in its British Wellington boots about now.

As inane as this comment was, the thing that attracted my attention was the tidal force wave by which this quote rode its way all the way to the US. By February 10th, this quote had morphed into the following, written in the South China Morning Post, “The United States is expected to impose “blockbuster” fines on companies bribing foreign officials this year, with China a likely target of US investigations, lawyers say. A report by US law firm WilmerHale predicts “blockbuster” settlements under the Foreign Corrupt Practices Act (FCPA). “US enforcement authorities have stated there are a number of very large settlements in the pipeline,” said Jay Holtmeier, a partner at WilmerHale. “Given the attention paid to China in recent years, it is a safe bet some of those large settlements will involve conduct in China.”” Two days later the full storm reached the shores of the US when this article was referenced in the Wall Street Journal’s (WSJ’s) Corruption Currents.

So now not only do we have ‘blockbuster’ FCPA settlements coming; we will have them coming out of China. Various marketing departments will use these statements as ‘authoritative’, yet another reason to purchase their company’s products or services.

There are plenty of great FCPA resources out there, which inform the compliance practitioner, or indeed the non-compliance specialist, about the costs of a FCPA enforcement action. But more importantly there is more than a wealth of free, at no cost, information about how to craft a compliance program with any anti-corruption law, which currently exists. There is the same amount of information about how to ‘do compliance’, once again free and available at no charge. Is it marketing? My answer is either yes or better yet; who cares? Good solid information is good solid information no matter what the motives behind putting it out there are.

But here is the problem with making such statements, which newspapers then follow up by brandishing them as even more dire predictions. Someone might actually believe it. Next Congress will want to investigate these ‘blockbuster’ settlements or, perhaps, why after it was reported that they were coming, the Department of Justice (DOJ) did not have any ‘blockbuster’ settlements in 2014?

I thought about writing this blog post around the tale of the Boy Who Cried Wolf but I realized there is always another law firm or lawyer out there willing to say the end of the world is coming “this year”. But perhaps the better analogy is the ESPN segment entitled “C’Mon Man!” during which each color commentator will describe a play or series of plays that made them scratch their heads and say “C’Mon Man!” So while I generally feel fine about the information disseminated by and from FCPA Inc., my suggestion is that everyone just take a deep breath and consider such information for what it is worth.


February 19, 2014

Welcome to the Hotel California: FCPA Enforcement

This past weekend I saw The Eagles on their ‘History of The Eagles’ Tour. It truly was that, a complete musical history of the group, from the beginning in 1971 up until now. They played for well over 3 hours and it was fantastic. The Eagles were at their peak in the 70’s when I was at my peak as a rock and roller, both in high school and college, so the concert was a very memorable experience. In one interesting twist they did not allow videos to be taken of the concert with cell phones or any other types of recordings. Of course the concert ended with the song Hotel California and its iconic line “You can check out but you can never leave.”

I thought about that final line and how true it was in the late 70s and how true it is now in the world of international anti-corruption enforcement when I read a front page article in Sunday’s New York Times (NYT), entitled “Eavesdropping Ensnared American Law Firm”, and a blog post by the FCPA Professor, entitled “FCPA Lawyers Would Be Wise to Review Recent Third Circuit Decision”.

We know from the American Spectator article, “Rise of the Surveillance State”, by James Bovard about the National Security Agency (NSA) program ‘Echelon’, which he described as “a spy satellite system run by the National Security Agency along with the United Kingdom, Australia, New Zealand, and Canada. Echelon reportedly scans millions of phone calls, e-mail messages, and faxes each hour, searching for key words.” Further, Bovard stated, “A February report by the European Union alleged that Echelon has been used for economic espionage. Former CIA Director James Woolsey told a German newspaper in early March that Echelon collects “economic intelligence.”” One example Woolsey gave was espionage aimed at discovering when foreign companies are paying bribes to obtain contracts that might otherwise go to American companies. Woolsey elaborated on his views in a March 17, 2001 Wall Street Journal (WSJ) Op-Ed piece, justifying Echelon spying on foreign companies because some foreigners do not obey the Foreign Corrupt Practices Act (FCPA).

After the NYT article, we know that US law firms can also fall under surveillance. The firm of Mayer Brown was monitored by the NSA’s Australian counterpart, the Australian Signals Directorate (ASD), regarding work the law firm was doing for the government of Indonesia in trade disputes with the US. It is of no consequence that it was the Australians doing the spying as under the “Five Eyes Alliance”, Australia is one of five countries the US shares intel with and agrees not to spy on. While most Americans would understand the need to place those dealing with terrorists under surveillance, the need to monitor US law firms giving legal advice in a legal trade dispute seems one or two steps past the safety of the US homeland. While only mentioned in the article, I also wonder about the effect of this surveillance on the attorney-client privilege, the basic reason that clients come to lawyers, for confidential legal advice. If you know that you are susceptible to espionage, why would a client ever trust the confidentiality of your communications or even that they are confidential to start with. Moreover, if you know you are subject to surveillance, is the privilege destroyed if a country does so and passes the information along to the US?

Equally unsettling as the revelations in the NYT article is the FCPA Professor’s report on a Third Circuit, Court of Appeals decision, entitled “In Re: Grand Jury Subpoena”. In this matter, an attorney was consulted on an international transaction, which was described as follows: “In April 2008, Client approached Attorney to discuss issues he was having with the project. Client explained that he planned on paying Banker in order to ensure that the project progressed swiftly, as Banker was threatening to slow down the approval process. Attorney did some preliminary research, found the FCPA, and asked Client whether the Bank was a government entity and whether Banker was a government official. Although Attorney could not ascertain given his limited research whether the planned action was legal or illegal, he advised Client not to make the payment. Despite this advice, Client insisted that his proposed payment did not violate the FCPA, and informed Attorney that he would go ahead with the payment. Attorney gave Client a copy of the FCPA. After this communication, Attorney and Client ended their relationship.” The opinion stated that the Client made a payment to the banker’s sister.

In other words, the client came for legal advice regarding an international transaction, the attorney advised against the transaction in question but the client did so against the advice of his attorney and the attorney thereafter terminated the relationship. There was no evidence the lawyer advised the client how to violate the FCPA or in any way helped the client ‘get around’ the law.

The attorney-client privilege is not sacrosanct. There are some limited exceptions to it and one of those is the ‘crime-fraud exception’ which the Court of Appeals explained is, “To circumvent [the attorney-client] privilege under the crime-fraud exception, the party seeking to overcome the privilege . . . must make a prima facie showing that (1) the client was committing or intending to commit a fraud or crime, and (2) the attorney-client communications were in furtherance of that alleged crime or fraud.” (All citations omitted) But, in this case, there was no evidence presented that the attorney involved gave advice that was in the furtherance of a crime but only that “The communication between Attorney and Client was brief, and consisted mainly of informing Client on the applicable law and advising that he not make the payment. However, we believe that the questions posed by Attorney to Client and the information that Client could gain from those questions are sufficient for us to conclude that the District Court did not abuse its discretion in determining that the advice was used in furtherance of a crime or fraud.”

What were the questions posed by the client or put another way, what was the legal advice sought by the client? The Court stated, the “questions about whether or not the Bank was a governmental entity and whether Banker was a government official would have informed Client that the governmental connection was key to violating the FCPA. This would lead logically to the idea of routing the payment through Banker’s sister, who was not connected to the Bank, in order to avoid the reaches of the FCPA or detection of the violation. Of course, it is impossible to know what Client thought or how he processed the information gained from Attorney. But the District Court did not abuse its discretion in determining that Client “could easily have used [the advice] to shape the contours of conduct intended to escape the reaches of the law.””

What does the spying on a US law firm and this court decision invalidating the attorney-client privilege mean for FCPA enforcement? I think that it means if you find yourself in the position of having violated the FCPA, your company now has an even greater incentive to self-disclose. If you are a non-US based company subject to the FCPA, the NSA is watching you. Further, if you are a non-US company which seeks legal advice, you are now on notice that US law firms are being spied on. Lastly, if you have violated the FCPA and seek legal advice, it may well come to pass that the lawyer whose advice you sought can be compelled to testify about those conversations. So in the words of The Eagles, if you engage in conduct that arguably violated the FCPA, you can check out but you can never leave.

———————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————–

If you will be in Dallas this coming Thursday, February 20, I hope that you will join me and fellow FCPA Blog Contributor Marc Bohn at the Corporate Compliance Summit on 2014 FCPA Concerns You Cannot Afford to Ignore. The event is complimentary and is sponsored by The Network. You can check it out and register by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 18, 2014

Board Investigations and the Curse of the Mummy’s Tomb – Part II

Yesterday I began an exploration of a recent article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP. In Part I, I reviewed the authors’ five key objectives, which they believe a board must pursue to ensure a successful investigation. Today, I will look at the authors’ seven considerations to facilitate a successful board investigation.

1. Consider whether you need independent outside counsel

The authors consider that the appearance of partiality “undermines the objectivity and credibility of an investigation.” That means you should not use your regular counsel. The authors cite to the Securities and Exchange Commission (SEC) analysis of how independent board members truly are to explain the need for independent counsel. They state, “the SEC considers the following criteria when determining whether (and how much) to credit self-policing, self-reporting, remediation and cooperation” which will consist of the following factors:

  • Did management, the board or committees consisting solely of outside directors oversee the review?
  • Did company employees or outside persons perform the review?
  • If outside persons, have they done other work for the company?
  • If the review was conducted by outside counsel, had management previously engaged such counsel?
  • How long ago was the firm’s last representation of the company?
  • How often has the law firm represented the company?
  • How much in legal fees has the company paid the firm?

As Andre Agassi might say, ‘perception is reality’.

2. Consider hiring an experienced “investigator” to lead the internal investigation

Noted internal investigation expert Jim McGrath has written and spoken about the need to utilize specialized counsel in any serious investigation. If a board is leading an investigation, I would submit by definition it is serious. The authors say that your investigation needs to be led by a lawyer who has significant experience in conducting internal investigations; a strong background in criminal or SEC enforcement; and substantive experience in the particular area of law at issue. These traits are needed so that your designated counsel will think like an investigator, not like an in-house lawyer or civil litigator.

3. Consider the need to retain outside experts

In any Foreign Corrupt Practices Act (FCPA) or other anti-corruption investigation, there will be the need for a wider variety of subject matter experts (SMEs) than a compliance professional. The authors correctly recognize that “if there are accounting issues, forensic accountants might be needed. In this day and age, an electronic discovery consultant is often required, and can be a cost effective option for gathering and processing electronic data for review.” These types of investigations will most probably be cross-border as well and this will require other varieties of expertise. The authors caution that, “The lowest bid may not necessarily be the best for a particular investigation. While cost is important, understand the limitations of each consultant and, with input from your investigator, determine which consultant best meets your goals.”

4. Analyze potential conflicts of interest at the outset and during the investigation

The authors see two types of conflicts of interest that may come to light during an investigation. First is the one which comes up when the law firm or lawyers conducting the investigation are those whose prior legal advice has some bearing on the matters being investigated, because a company’s regular outside lawyers represent the company. During an internal investigation, however, the lawyers may be hired by, and represent, the board or its committee. The second occurs when a lawyer or law firm jointly represents the board and employees at the company, as regulators have become increasingly concerned with joint representations. Moreover, “The trickier question is what to do when there simply is a risk that representing one client could limit the lawyers’ duties to the other.” So in these situations, joint representation may not be appropriate.

5. Carefully evaluate Whistleblower allegations

With the advent of Sarbanes-Oxley (SOX) and Dodd-Frank, whistleblowers have become more important and taking their allegations seriously is paramount. This does not mean trying to find out who the whistleblowers might be to punish or stifle them, even if they are located outside the United States and therefore do not have protections under these laws. They can still get hefty bounties. The authors recognize that “companies run into problems when whistleblower allegations are discounted, if not outright dismissed, especially if the whistleblower has a history of causing trouble or is perceived as incompetent. When this type of whistleblower makes a claim, it is easy to presume ulterior motives.” While such motives might exist, it does not matter one iota when it comes to the investigation, as “Regulators are very wary of boards that do not satisfactorily evaluate a whistleblower’s complaint based on a perception of the whistleblower himself, as opposed to the substance of the complaint.”

6. Request regular updates from outside counsel, without limiting the investigation

These types of investigations are long and very costly. They can easily spin out of cost control. But, by trying to manage these costs, a board might be perceived as placing improper limits on the investigation. The “goal is to strike the right balance between the cost of the investigation and its thoroughness and credibility.” To do so, the authors advise that flexibility is an important ingredient. A board can begin the project with an agreed upon initial scope of work and then “revisit the scope of work as the investigation progresses. If conduct is discovered that legitimately calls for expanding the scope of the investigation, then the board can revisit the issue at that point. Put another way, the scope of what to investigate is not a static, one-time decision. It can, and usually does, evolve.” By seeking regular updates and questioning counsel on what they are doing and why, directors can manage costs, while at the same time ensuring that the investigation is sufficiently thorough and credible.

7. Consider whether an oral report at the conclusion of the investigation is sufficient

While there may be instances in which, due to complexity and the nature of allegations involved, a written report is necessary, the authors believe that there may be times when an oral report delivered to a board is better than a written report because, while “a written report may be easier to follow and appear to be the logical conclusion to an investigation, it is an expensive and time-consuming endeavor, and it comes with great risk.” The authors indicate three reasons for this position.

First, it is much easier to inadvertently waive the attorney-client privilege if a written report is created, and in the wrong hands such a written report may well create “a road map to a plaintiff” in any shareholder action. Second, once those findings and conclusions are written they may become “set in stone. If later information comes to light that impacts the report’s conclusions, altering the conclusions may undermine the credibility of the entire investigation. So, retaining flexibility to change the findings if further information is later learned is a real advantage of an oral report.” Third, and finally, “it takes time to prepare a well-written and thorough report. When an internal investigation must be conducted quickly, spending time to prepare a written report may not be an efficient use of time.” For all of these reasons, and perhaps others, an oral report presented to the board and documented in the Board of Director meeting minutes may be sufficient.

The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.” I would only add that by following some of the prescriptions set out by Bayless and Albarrán your Board might also avoid the fate that befell Lord Carnarvon and the Curse of the Mummy’s Tomb.


February 17, 2014

Board Investigations and the Curse of the Mummy’s Tomb – Part I

On this day in 1923, the tomb of King Tut was opened. It created a worldwide stir that has in many ways continued down into the 21st century. Clearly, the boy ruler influenced Steve Martin (How’d you get so funky?, Funky Tut). Moreover, when the King Tut exhibit first toured the US in the 1970s, it sold out everywhere that it went. And, of course, there was the Curse of the Mummy’s Tomb, which led to some great Universal classic horror pictures. This curse may have killed the dig’s benefactor, Lord Carnarvon who died just months after entering the tomb in November 1923, but the archeologist who discovered King Tut, Howard Carter, seemingly outlived the curse, dying at the age of 64 on the eve of World War II.

I thought about the techniques employed by these two archeologists in the Curse of the Mummy’s Tomb when I read an article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP. Why the Curse of the Mummy’s Tomb? It is because if a Board of Directors does not handle an investigation right, the consequences can be quite severe. Over the next two posts I will explore the article by Bayless and Albarrán. Today in Part I, I will review the authors’ five key objectives, which they believe a board must pursue to ensure a successful investigation. Tomorrow, in Part II, I will review the authors’ seven considerations to facilitate a successful board investigation.

The authors recognize that the vast majority of investigations will be handled or directed by in-house counsel. However, if and when such an investigation is needed, it is critical that it be handled with great care and skill. The authors note that “While this task is fraught with peril, there are a number of steps a board can take to ensure that the investigation accomplishes the board’s goals, which will enable it to make informed decisions, and withstands scrutiny by third parties” because it is this third party scrutiny, in the form of regulators, government officials, judges/arbitrators or plaintiffs’ counsel in shareholder actions, who will be reviewing any investigation commissioned by a Board of Directors. The authors believe that there are five key goals that any investigation led by a Board of Directors must meet. They are:

  • Thoroughness – The authors believe that one of the key, and most critical, questions that any regulator might pose is just how thorough an investigation is, to test whether they can rely on the facts discovered without having to repeat the investigation themselves. Regulators tend to be skeptical of investigations where limits are placed (expressly or otherwise) on the investigators, in terms of what is investigated, or how the investigation is conducted. This question can be an initial deal-killer: if the regulator involved views an investigation as insufficiently thorough, its credibility is undermined. And, of course, it can lead to the dreaded ‘Where else’ question.
  • Objectivity – Here the authors write that any “investigation must follow the facts wherever they lead, regardless of the consequences. This includes how the findings may impact senior management or other company employees. An investigation seen as lacking objectivity will be viewed by outsiders as inadequate or deficient.” I would add that in addition to the objectivity requirement in the investigation, the same must be had with the investigators themselves. If a company uses its regular outside counsel, it may be viewed askance, particularly if the client is a high volume client of the law firm involved, either in dollar amounts or in number of matters handled by the firm.
  • Accuracy – As in any part of a best practices anti-corruption compliance program, the three most important things are Document, Document and Document. This means that the factual findings of an investigation must be well supported. For if the developed facts are not well supported, the authors believe that the investigation is “open to collateral attack by skeptical prosecutors and regulators. If that happens, the time and money spent on the internal investigation will have been wasted, because the government will end up conducting its own investigation of the same issues.” This is never good and your company may well lose what little credibility and good will that it may have engendered by self-reporting or self-investigating.
  • Timeliness – Certainly in the world of Foreign Corrupt Practices Act (FCPA) enforcement, an internal investigation should be done quickly. This has become even more necessary with the tight deadlines set under the Dodd-Frank Act Whistleblower provisions. But there are other considerations for a public company such as an impending Securities and Exchange Commission (SEC) quarterly or annual report that may need to be deferred absent a timely resolution of the matter. Lastly, the Department of Justice (DOJ) or SEC may view delaying an investigation as simply a part of document spoliation. So timeliness is crucial.
  • Credibility – One of the realities of any FCPA investigation is that a Board of Directors led investigation is reviewed after the fact by not only skeptical third parties but also sometimes years after the initial events and investigation. So not only is there the opportunity for Monday-Morning Quarterbacking but quite a bit of post event analysis. So the authors believe that any Board of Directors led investigation “must be (and must be perceived as) credible as to what was done, how it was done, and who did it. Otherwise, the board’s work will have been for naught.”

To help manage these five issues the authors have seven tangible considerations they suggest that a Board of Directors follow to help make an investigation successful. Tomorrow I will review and scrutinize these seven considerations.

