FCPA Compliance and Ethics Blog

March 17, 2014

Join Us For Hanson Wade’s Compliance Strategy Day

One of the best annual compliance and ethics conferences returns to Houston next month when Hanson Wade presents its 4th Annual Oil & Gas Supply Chain Compliance Community Week from April 14-17. While one past participant labeled the conference as the “Best of the best compliance conferences I have attended in the past 3 years”, the company has expanded its offering to provide the compliance practitioner with a wide range of presentations tailored to a wide variety of needs.

As usual, the event features the best of Houston’s multi-talented compliance practitioners including Jay Martin, Chief Compliance Officer (CCO) from Baker Hughes Inc., Melissa Bohannon, Director of Logistics, Global Supply Chain – Weatherford International Inc., Kwesi Baiden, CCO at ENSCO Inc., Fred Ratliff, Senior Counsel, Anti-Bribery and Corruption – Shell Oil Company, Graham Vanhegan, Deputy General Counsel, Corporate and CCO from ConocoPhillips Co, Ron de los Santos, Regional Ethics and Compliance Manager – Americas at American Bureau of Shipping (ABS) and Kim Walker, Associate General Counsel & Deputy CCO – Transocean Inc.

In addition to the Houston talent, there will be a wealth of top compliance practitioners from outside the city of Houston, including Arvind Sharma, Senior International Trade Counsel from Flowserve Corp, Mike Volkov of the Volkov Law Group, Bill Fischer, Vice President and Chief Legal and Compliance Officer from T.D. Williamson Inc., and Bruce Thames, Senior Vice President and Chief Operating Officer from T.D. Williamson Inc. From the world of non-governmental organizations (NGOs) working towards anti-corruption and anti-bribery there will be representation from the always popular and excellent speaker Alexandra Wrage and David Woodcock, Regional Director of the Securities and Exchange Commission’s (SEC) Fort Worth Regional Office. There are many other excellent and knowledgeable speakers who will be presenting at the event.

Some of the topics over the two days of plenary sessions include the following: Ensure the ‘Tone from the Top’ meets the ‘Message in the Middle’ by hearing how ConocoPhillips, GE Oil & Gas, T.D. Williamson, Flowserve & Transocean embed a culture of compliance in their organizations. Understand how the compliance model has shifted and how you can develop more effective partnerships with your third parties with new collaborative insights from representatives from Weatherford. You will be shown how to overcome the inhibitors to effective risk management in a complex global supply chain by learning from Parker Drilling, Navex and Statoil. Learn how compliance can create added value that executives, middle management and employees can get behind by learning from a very interesting, unique joint insight from T.D. Williamson’s COO and CCO. Discover what to do once you have opened Pandora’s box by looking at how National Oilwell Varco responded to issues when conducting a corporate acquisition. Discover how to get a better return on your compliance spend by learning how to deploy a risk-based due diligence program that is defensible and cost-effective with TRACE. Understand how to benchmark your compliance program with the best of the best by hearing industry-first insights from Fluor, Technip, Cameron and Shell compliance professionals.

There are two separate workshops that will provide specific insight into two key areas. The first workshop is how to develop a blueprint to increase the effectiveness of your compliance training. It will be led by Arvind Sharma and Flora Francis, Senior Compliance Counsel, Global Compliance Leader at GE Oil & Gas. This workshop will address several different areas of concern such as: how you can continually manage compliance risk amongst your employees worldwide; understanding how often to refresh your programs and catching up with new employees; how you can more effectively identify and classify “at risk” positions and red flags. You will also obtain an understanding of how programs have been rolled out effectively across the supply chain; how to overcome the risk of training fatigue and increase the effectiveness of your training; and finally how to develop your own blueprint to enhance the effectiveness of your compliance training.

In the second workshop you will hear about new approaches to ensure your trade compliance program does not leave your business exposed to charges of Foreign Corrupt Practices Act (FCPA) violations. It will be led by three noteworthy compliance practitioners: James Scott, Exports and Compliance Manager from Hydrasun Ltd., Ron de los Santos from ABS and Cindy Johnson, Global Trade Compliance Specialist from FMC Technologies Inc. In this session you will hear about keeping on top of evolving export control laws and managing programs across international borders; defining your export compliance for different departments, divisions and businesses with their implication for business growth; and installing the compliance ethos and training across cultures throughout an international organization. From these topics you will be able to identify your biggest risks and set in place an export control program to suit your business; develop an understanding of what you need to do to receive customs clearance more swiftly and effectively; and finally, you will discover the steps you need to take to ensure you are not leaving your business exposed in this critical area of compliance.

Hanson Wade has added a new feature this year, which I think takes this conference up a notch above their usual excellent event. They have added a fourth day, entitled Compliance Strategy Day. Presentations on this day have been designed to give the attendee an interactive opportunity to explore the strategic considerations you need to be aware of when it comes to managing regulatory and enforcement risks over the next 12 months. On this day, attendees will have the opportunity to hear directly from the SEC, as well as gain perspectives from those with experience at the Department of Justice (DOJ), and gain insights from both outside counsel and industry as to how to best manage these strategic risks.

I will be speaking on the Compliance Strategy Day, looking back, for some hindsight, at the compliance lessons we have learned over the past year and forward to how we can put those lessons to use. I will also provide an update of the current state of anti-corruption compliance in Latin America. So I hope that you can join us. 

You can find out more about this event, by clicking here. Readers of this blog are entitled to a discount to this event. To receive this discount, please enter the following code FOXLAW10.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

March 14, 2014

The Ides of March and Evaluation of Compliance Risk

Tomorrow, March 15, is enshrined as one of the most famous days of all time, the “Ides of March”. On this day in 44 BC, the “Dictator for Life” Julius Caesar was assassinated by a group of Roman noblemen who did not want Caesar alone to hold power in the Roman Empire. It was, however, this event which sealed the doom of the Roman Republic, as his adopted son Octavian first defeated the Republic’s supporters and then his rival Dictator Mark Antony and became the first Emperor of the new Roman Empire, taking the name Augustus.

One of the more interesting questions in any anti-corruption compliance regime is to what extent your policies and procedures might apply in your dealings with customers. Clearly customers are third parties and in the sales chain but most compliance programs do not focus their efforts on customers. However, some businesses only want to engage with reputable and ethical counter-parties so some companies do put such an analysis into their compliance decision calculus.

However, companies in the US, UK and other countries who do not consider the corruption risk with a customer may need to rethink their position after the recent announcements made by Citigroup Inc. regarding its Mexico operations.

In an article in the New York Times (NYT), entitled “Fraud Exposes Challenges for Citi in Mexico”, reporters Michael Corkery and Jessica Silver-Greenberg wrote about the troubles which have befallen “the bank’s “crown jewel” – a sprawling retail lender called Banamex.” Citigroup recognized there was risk in Banamex, even having what the reporters said was a “little black book”, which was stated by one unnamed top executive to be the “book of redlined clients” and was also described as “an informal tally of Mexican companies” that could imperil the company’s Mexican operations. The bank has come to grief with its involvement in a $400MM fraud. According to the article, the fraud “that was discovered last month highlights the limitations of that kind of culling, and more broadly points to the challenges of finding solid lending clients in a country where the line between big business and political cronyism can become blurred.”

While Citigroup blamed this problem on “bad luck and bad actors”, the article revealed a more complicated picture. The picture was one where “the bank had been placing large bets on a few risky corporate borrowers”. The $400MM loss involved an oil services company, Oceanografía SA de CV. But the bank also sustained other losses on loans made to building contractors, who were not able to repay the loans after a Mexican government policy shift “effectively killed the developers’ suburban projects”.

Moreover, with regard to Oceanografía, the bank itself recognized the inherent danger of doing business with the entity. The article noted that Banamex has extended $585MM in short-term credit to a company that Citigroup itself had warned its own bond investors was “from time to time subject to various accusations, including accusations of corrupt practices.” Oceanografía is a company that provided construction, maintenance and vessel-chartering services to Pemex’s exploration and production subsidiary. However, as the article noted, “Oceanografía’s fortunes, however, changed sharply last month after it became the subject of a new government review that resulted in a suspension of government contracts to Oceanografía for the next 20 months. Banamex had advanced as much $585 million to Oceanografía through an accounts receivable program. The program was supposed to work like this: Banamex would advance money to Oceanografía to provide services to Pemex. The oil giant would then pay back Banamex, verifying invoices provided by Oceanografía to confirm that the work had been completed. In theory, Banamex was relying on Pemex’s ability to pay back the bank.”

Unfortunately for Banamex, much like the developers “which relied on government subsidies to finance their suburban developments, Oceanografía’s business relied on government contracts from Pemex. But when those ties were cut, the problems quickly surfaced. Shortly after the suspension of government contracts to the oil services company, Citigroup said it discovered the fraud at its Mexican unit, involving Oceanografía.”

These losses were coupled with the semi-autonomous relationship that Banamex had with its parent, Citigroup. The article stated, “the bank he [Mr. Medina-Mora] built has been considered something of a “black box” — a highly profitable but not especially transparent unit that was run with great autonomy by its leader, according to current and former bank executives. Sometimes, though, that autonomy rankled other executives in New York, the people said.” Citigroup denied that Banamex was semi-autonomous and in a statement in the article said, “We dispute assertions that the management team is autonomous.” Further, “While Banamex is a subsidiary of Citigroup, it is absolutely subject to the same risk, control, anti-money laundering and technology standards and oversight which are required throughout the company.”

For the compliance practitioner there are several lessons to be garnered from Citigroup’s reported problems and Julius Caesar’s demise on the Ides of March. In Caesar’s case, he wholly ignored the resentment that had been welling up in the Roman aristocracy for his high-handed action in becoming a Dictator. Even on the day in question, he dismissed his personal guard detail as he was going to the Roman Senate and finally, although he allegedly was handed a written communication warning him of his impending doom, he never took the time to read it. In other words, not only did he miss the red flags, he ignored specific warning signs and reduced his risk management capabilities by dismissing his security detail.

Similarly, as reported by the NYT, Citigroup would seem to have missed the warning signs about Oceanografía and if the NYT article is correct, might have actually internally ignored red flags while broadcasting them to bond holding investors. Lastly, whether the Banamex unit was semi-autonomous, as alleged in the article, or not as claimed by Citigroup’s statement, the point is that there must always be oversight. More than simply a ‘second set of eyes’ there should be internal controls which can be reviewed and vetted.

Finally, as noted in the article, the loans in question involved businesses that relied on government contracts, payments or some other form of support. While that may be of some comfort in developing countries, it can also be a source of risk. It also points to another analysis, which is not always considered, that being if a proposition is high reward, it is probably because it is also high risk in some area. While many companies can evaluate high financial risk and hope for attendant high financial reward, they also need to consider how a high corruption risk might factor into their analysis.


March 13, 2014

Harriet Tubman and Navigating to Become an Ethical Company

March 10th was the 101st anniversary of the death of Harriet Tubman. She was one of the greatest conductors on the Underground Railroad, which took slaves out of the old south and up to freedom in the north and into Canada. I read about her as a child and her story always moved me. The one thing I remembered is that when traveling at night in the pitch darkness, she would feel for the moss growing on trees so that she would always know which way to travel. Moss grows on the north side of a tree so she would always be able to move her way north and to freedom for those she helped escape.

I thought about Harriet Tubman and her story of how she could determine which way to travel in pitch darkness when I recently read an article in the Ethisphere Magazine, entitled “Ethics By Example”, by Gary E. McCullough. In his article he gave some specific steps that a company can engage in to help foster and create an ethical culture, which he has learned over the past 25 years from working for companies as varied as Procter and Gamble and Career Education Company, and from serving as an infantry officer in the US Army.

1. Implement structure and clear expectations.

McCullough suggests that you should create a mechanism that allows employees to address issues. In doing so, you should also be able to demonstrate both senior management and the company’s commitment to ethics and compliance. He recommends the following steps:

  • Set clear policies and expectations through your vision statement;
  • There must be strong education and training programs;
  • Metrics and measurement systems are a must;
  • A visible compliance structure within your company;
  • A confidential helpline for reporting issues with a stout no retaliation policy; and
  • A method to investigate and resolve complaints. 

2. Ignoring infractions is not an option.

McCullough recognizes that company leaders face ongoing struggles to balance being too harsh or too lenient. If the former occurs, a leader can run the risk of demoralizing his team. If it is the latter, a leader can simply be run over by his or her troops. But a company leader must address infractions of your internal Code of Conduct, or other similar policies, or no employee will take it seriously. 

3. Make ruthless decisions, but execute them with compassion.

Leaders have to make tough decisions. McCullough counsels that no matter how difficult a decision might be, it should be delivered with compassion. In other words, no termination communicated by email. Tell people in person and then give them the assistance to help them move forward.

4. Focus on the work.

Channeling his inner Paul McNulty (he of McNulty’s Maxims), McCullough intones that the most critical thing is what you do after a problem arises. As McNulty might say, “What did you do after you found out about it?” Do not defend your past practices or say that everyone else does it but move forward to remediate the situation, fulfill your obligations and move forward. In the world of Foreign Corrupt Practices Act (FCPA) prosecution, it is clear from 2013 corporate enforcement actions that a company should remediate during the pendency of any FCPA investigation or enforcement action. Such remediation will go a long way in reducing the overall penalty, enhancing your credibility with the Department of Justice (DOJ) and helping to avoid the appointment of a corporate monitor.

5. Be in alignment with your Board.

McCullough believes that Boards share ownership of a company’s compliance function with the Chief Executive Officer (CEO), senior management and the compliance function. As such, the best accomplishments in compliance come when the Board, or a committee thereof, can bring a sustained outside perspective, methods and best practices to a company’s overall compliance regime.

6. Instill it in the culture.

I once explained a CEO’s role in compliance to a company executive and as I was going through various strategies, he looked at me and said, “You want me to be the ambassador for compliance.” I said that was exactly what I wanted him to do and it was the best description I have ever heard of what both McCullough and I believe a CEO can bring to the table. McCullough writes, “leaders must model the behavior expected from others. And when engaging with individuals, never let an opportunity pass to remind them of the company’s obligations to its stakeholders to always “do the right thing””. I could not have said it better myself.

McCullough’s points, while general in nature, are a good starting point for any compliance practitioner to review the overall nature of a company’s ethical and compliance health. For the compliance practitioner it provides some general, yet important points that they can discuss with a CEO or senior management about the company’s ethical direction. Much like Harriet Tubman’s ability to continue to move north on the Underground Railroad in pitch darkness, these guideposts will help your compliance program to move forward.


March 12, 2014

FDR’s Fireside Chat and Risk Ranking of Third Parties Under the FCPA

On this date in 1933, just eight days after he was inaugurated, President Franklin Roosevelt (FDR) gave his first Fireside Chat to the American public. FDR began his chat by stating, “I want to talk for a few minutes with the people of the United States about banking.” He went on to explain his recent decision to close the nation’s banks in order to stop a surge in mass withdrawals by panicked investors worried about possible bank failures. FDR had correctly assessed that the public had lost confidence in the US banking industry and, based on that assessment, he closed them in his famous Bank Holiday. In 1929, over 600 banks folded; by 1932 the number had increased to over 5100. But more than simply these bank failures was the perception that the US banking system was on the verge of collapse. FDR also announced that he was reopening the banks the next day. The US banking system has been secure since that time.

I thought about FDR’s ability to correctly assess the risk to the US banking system. As compliance programs mature, one of the things that companies struggle with is how to better assess third party risks so that the right resources can be delivered to manage these risks. In the most recent issue of Compliance Insider an article, entitled “Building a Risk-Scoring Methodology for Distributors and Resellers”, lays out a decision making calculus which can assist a company to best utilize its resources to not only quantify a large number of third party risks, but manage those risks more efficiently.

The article notes that there are two main resources that a compliance practitioner will need to rate the risks of third parties. The first is information about the entity. This category of information can come from a number of sources, including the third party itself, in the form of a questionnaire, through to various levels of due diligence. The second resource is the people who use the information to make decisions. As there is only a finite amount that you, the compliance practitioner, can find out about your third parties using the resources available, there is a substantial need to make the best use of that information. All of this must be balanced between spreading the decision making across a large number of people whilst ensuring that the decisions made are consistent. To assist in answering these issues, the article suggests a methodology “to help focus your controls and resources more efficiently”.

1. What is your aim?

The initial step in any risk-scoring exercise is to clearly define what you are trying to achieve. The second part of clarifying the aim is to build an expectation and means of measurement so that you can assess the validity of your calculus. 

2. Which information is relevant?

Most generally, the main criteria are the location of the partner or where they will deliver the product or services, the type of service or product that the partner is providing and the value of that service. This initial analysis can help you to create a high, medium and low risk model. But other factors should be weighed which can provide a more sophisticated approach. Some of these factors include the following:

  • Are they new or existing partners?
  • Are they touching end-users?
  • Are they selling to government customers?
  • Do you have contracts with them?
  • Do they obtain licenses for selling products in that country on your behalf?
  • Do you provide market development funds to them? 

3. Where can I find the information?

This speaks to the heart of your due diligence process. Obviously a questionnaire forwarded to your potential third party is a starting point. However, such information should be verified and cross-checked. Additional factors should be geographic risk, the value(s) of potential transactions and compensation to the third parties. Lastly, there is the traditional levels 2 and 3 due diligence.

4. Consider the questions you will ask the third parties

Here the author believes that an additional analysis of both the criteria required and the possible resources to garner data to support the criteria should be considered. These considerations include:

  • Which is the most cost-effective source for the information?
  • What is the most accurate way of obtaining information?
  • Do you need to ask the question at all?
  • How should the questions be worded to ensure the greatest efficiency in getting to the required answer?
  • How do you write the questions to ensure the scores are usable?
  • Which questions and responses should be scored? 

5. Are the responses accurate?

Here is where ‘a second set of eyes’ is critical. The article suggests “sanity checks to ensure that the answers respond to the question and that the responder seems to have understood the question – this is especially useful when the questions have been translated into other languages.” You should also endeavor to cross-check against other information known about the partner, with reviews by multiple persons in your organization. Finally, on the back end, you should build into your program audits and spot-checks to assess the accuracy and consistency of approvals.

6. What does it all mean?

Now you have to start using the information. Recognizing that you may need to tinker with your system, it is important that you “design the overall process to allow changes to be made in the future, as you learn more about the results.”

7. What happens next?

Now the time has arrived to score the results. After you determine who will make the decision and the path for review and escalation, if required, you should also consider the Tom Fox Mantra: Document, Document, and Document. In other words, how does the scoring and decision making process get documented in your organization?

8. How will you carry out the review process?

At this point, it is appropriate to consider whether you have met or are moving in the direction that you attempted to establish back in Step 1. You should consider:

  • Does your program accurately reflect the risks that you understood the partners posed?
  • Is the final result of your process consistent?
  • Were decisions on the risk level made by the right people in your organization?
  • Were the necessary issues escalated to the right people?
  • Have the risks changed?
  • Can the process be changed, or has it been built into an inflexible technology or workflow? 

Once the review is complete any necessary changes should be communicated to the staff involved in the process to ensure they know how their role is impacted. The author ends with some reservations that you should expect to run into. These include:

  • don’t expect to use scoring to fully automate a process – the information available is generally not complete enough to provide an accurate model, so scoring is far better when used as a guide;
  • don’t assume you will get it right first time (or second) – it is important to have a clear understanding of what you are aiming at, and to build regular review into the program to recalibrate the scoring;
  • keep the process and scoring as simple as possible – most of the relevant risk-related information can be found in a few key criteria; and
  • your perception of risk will change when new information comes to light, so remember to document the decision-making process so that you can justify the final risk outcome. 

While FDR may have more intuitively known that the real problem with the US banking system was the perception that it was not solvent, you do not have to rely solely on your gut when making informed decisions about the Foreign Corrupt Practices Act (FCPA) risks that a third party may present to your company. For the Department of Justice (DOJ), I think the key is that you assess the risk and document that assessment. If you do so and a third party gets you into FCPA hot water, you have the best chance of coming out on the other side as well as the US banks did after their ‘holiday’ with FDR.


March 11, 2014

Shifting Sands In Canadian Anti-bribery And Trade Control Laws Raise The Stakes In M&A Due Diligence

Ed. Note: I recently saw an article on M&A compliance due diligence, from the Canadian perspective, by John Boscariol. I asked John if I could repost his article, which he graciously allowed me to do.

Recent developments in Canadian anti-corruption, economic sanctions, and export control laws are having a significant impact on the due diligence that should be conducted on potential targets in the context of mergers and acquisitions as well as other business combinations such as joint ventures. 

New and expanding measures along with increased enforcement, particularly in the resource extraction industries such as energy and mining, have raised the stakes for those investing in Canadian companies. Today, it is becoming more common for potential acquirers or investors to delay, re-price or even walk away from transactions because of actual or perceived compliance failures in the target’s operations.

A misstep in this area can have significant ramifications – in addition to criminal prosecution and penalties, compliance failures can also result in significant expenditure on internal investigations, the inability to move product or transfer technology cross-border, delayed or cancelled customer orders, debarment from doing business with government, and substantial reputational costs in relationships with business partners, including banks, investors, customers, suppliers and other stakeholders. Further, the now well-established pattern in the United States of shareholder class action suits being launched following allegations of management failure to implement proper internal controls is beginning to take hold in Canada.

Canadian authorities becoming more aggressive

In recent years, Canadian authorities responsible for implementation and enforcement of trade controls and anti-corruption laws – including the Royal Canadian Mounted Police (RCMP), the Canada Border Services Agency, Foreign Affairs and International Trade Canada, and Crown prosecutors – have stepped up their game.

Canada’s experience in the anti-corruption sphere is a good example. After many years without any significant enforcement, in 2008 the RCMP formed a special unit responsible for the enforcement of the Corruption of Foreign Public Officials Act (CFPOA). In June of 2011, Niko Resources was convicted of violating the CFPOA and penalised $9.5m. In January of this year, Griffiths Energy was also convicted and fined $10.35m. At the present time, it is understood that the RCMP is conducting over 35 investigations of Canadian companies and individuals suspected of CFPOA violations.

Five areas deserving special attention for due diligence

Although not intended to be exhaustive, the following are five areas where you should at least initially focus before drilling down into any specific matters of concern:

Where is the target doing business? Identifying countries with which the target does business is critical to assessing risk exposure from both the anti-corruption and trade control perspective. Where are their customers, suppliers, licensees/licensors, creditors and other business partners located?

Canada currently maintains trade controls of varying degrees of aggressiveness in respect of activities involving Belarus, Burma, Côte d’Ivoire, the Democratic Republic of the Congo, Cuba, Egypt, Eritrea, Guinea-Bissau, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Pakistan, Sierra Leone, Somalia, Sudan, Syria, Tunisia and Zimbabwe. Activities in these countries with entities based in these countries should be carefully reviewed to ensure compliance with economic sanctions and export controls.

Location also plays a significant role in assessing anti-corruption compliance risk. Developing or newly industrialised countries in Africa, the Middle East, Asia, and areas of Latin America are particularly vulnerable to corruption. Independent country rankings of corruption risk, including Transparency International’s Corruption Perceptions Index, are a helpful starting point.

What are the target’s ‘government touch-points’? Understanding how your target deals with government on a daily basis helps assess the exposure to potential opportunities for government corruption. This includes dealings with government owned entities, including commercial enterprises. Getting a list of the target’s government customers and suppliers is an obvious and important starting point.

It is also necessary to determine what licences or permits are required for the target’s operations and review its dealings in the negotiation of concessions, production sharing agreements or investment agreements with government. The extent to which the target imports or exports product, and therefore its dealings with customs authorities, is an important but often ignored government touch-point. This is especially the case for oil, gas and mining companies that need to move heavy, high-value equipment in and out of the host country.

What is the nature of their products, services and technology? Canada controls the export and transfer of goods, services and technology, under both export control laws and economic sanctions. These measures are not restricted to military or nuclear items but include many commercial dual-use items used in industry every day, including goods, software and technology for relatively low-level encryption and decryption. Goods and technology controlled for export or transfer from Canada are set out on the Export Control List. Economic sanctions measures also impose similar requirements based on the nature of the goods and technology being supplied – for example, Canada’s sanctions against Iran prohibit the transfer to Iran of any items, including technical data, used in the petrochemical, oil or natural gas industry.

In addition to understanding what product and services your target ultimately provides to its customers, you should consider what inputs are used in the process, how product research and development occurs, and what, if any, after sales service and support is provided. Keep in mind that these controls are not limited to physical export shipments, but include cross-border transfers of information that occur via email transmissions and server upload/download activity or during technical discussions with persons outside of Canada.

What is the target’s exposure to similar measures of other jurisdictions? Depending on the circumstances, Canadian companies can be subject to anti-corruption and trade control laws of other jurisdictions. The US Foreign Corrupt Practices Act (FCPA) is notoriously enforced on a broad, extraterritorial basis often ensnaring Canadian companies that had considered themselves to have little connection to the United States. For example, a Canadian company that causes, directly or through agents, acts in furtherance of a corrupt payment to take place within the territory of the United States is subject to the jurisdiction of the FCPA.

The FCPA obligations are in large part similar to those in the CFPOA. However, the United Kingdom’s Bribery Act 2010 contains some important differences, including the prohibition of private commercial bribery and no exclusion for facilitation payments.

A number of US sanctions and export control measures are also applied on an extraterritorial basis, especially in dealings with Iran or Cuba. In the latter case, Canada has implemented blocking legislation designed to address issues such as US extraterritorial measures. Canadian law prohibits a Canadian company or individual from complying with the US sanctions and export controls on Cuba. This presents a challenging conflict of laws when the target is or will be US-owned or controlled – on the one hand, the company is required to comply with the US trade embargo while on the other hand, to do so will constitute an offence under Canadian law and expose the Canadian company and its officers to potential liability.

What compliance measures does the target have in place? Although there is seldom enough time in the heat of an M&A transaction to conduct a thorough audit of the target’s compliance with anti-corruption and trade controls, there are basic minimum steps that can be taken to get a good sense of the target’s compliance profile and potential exposure. Basic elements we expect to see in any anti-bribery, economic sanctions and export control compliance programs include the following: a written compliance manual and procedures, screening of transactions and all involved parties against lists of sanctioned or designated entities and individuals, appointment of compliance officers, internal compliance auditing, non-compliance reporting, correction and voluntary disclosure, training programs, contract and project review, and procedures for dealing with inconsistent or conflicting laws.

Obtaining a description of the target’s anti-bribery and trade control procedures and a copy of the compliance policy manuals is an obvious start, but it is not enough.

It is also critical to review evidence of implementation of these measures across the operation. For example, how often are employees and executives trained on these policies? When are internal audits conducted and what are the results? How often are potential non-compliance events being reported internally? Is an employee hotline being used and what kind of reports are being made? What voluntary disclosures have they submitted to government authorities? Have they been subject to government investigations or audits and with what results? What is their process for reviewing and determining the control status of their goods, services and technology and what rulings have they obtained in respect of the same? In what circumstances have they terminated or refused to retain agents because of bribery concerns? What specific provisions has the target included in their contracts to address anti-bribery and trade controls compliance? What compliance certifications do they have from business partners? How do they use third parties to assist in implementation of compliance measures – e.g., screening transactions, due diligence of agents, internal review and audit, legal opinions?

What next?

Responses to these initial inquiries inevitably beget more questions in this process and the back and forth continues as you drill down into areas of concern and potential exposure for the target and, ultimately, the acquirer. Risks may be so high that the deal is scrapped or at least delayed until they can be addressed through the implementation of enhanced compliance measures or disclosures to the authorities if necessary. In other cases, representations and warranties as well as appropriate indemnities may be sufficient to address any concerns. Once the transaction closes, however, it is important to immediately begin conducting a more thorough review of the target’s compliance based on potential areas of vulnerability identified during the pre-acquisition due diligence phase and addressing any potential non-compliance.

John W. Boscariol is Leader of the International Trade and Investment Law Group at McCarthy Tétrault LLP. He can be contacted on +1 (416) 601 7835 or by email: jboscariol@mccarthy.ca.          

March 10, 2014

Compliance Leadership Lessons from Captain Kirk

As readers of this blog know, I am an über Star Trek maven. Last week, in Episode 41 of my podcast, the FCPA Compliance and Ethics Report, I visited with John Champion, one of the co-hosts of the Mission Log podcast. Mission Log will eventually review all of the Star Trek television episodes and movie franchise entries. John and his co-host Ken Ray began their journey in the summer of 2012 and have managed to get through all 79 episodes of the original Star Trek television series. They will next turn to the Star Trek movies, the animated television series, then to Star Trek – The Next Generation and on down the line of the world built by Gene Roddenberry.

I met John at the NMX Annual Conference earlier this year. I heard him talking about his podcast and checked it out. I also asked him if I could interview him for my podcast, specifically on the leadership lessons that a compliance practitioner might draw from the original captain of the Enterprise, James T. Kirk. John graciously took time out of his busy schedule to visit with me on leadership, Star Trek and his podcast, Mission Log.

Champion views the leadership style of Captain Kirk as one that greatly depends on the inputs from the group that surrounds him; specifically Lt. Commander Spock and the ship’s physician, Dr. Leonard McCoy (Bones). In other words, his senior management team. More insightfully, Champion noted that it is the interplay of these three characters, Kirk, Spock and McCoy that not only makes the television series work so well but it also informs what he termed the “leadership psyche” of ethos, pathos and logos.

In the Greek world, these three were believed to be the key to successful leadership. Ethos is the Greek word for ‘character’. Through ethos, a leader stands as an authority figure, through credibility, competence and/or special expertise. Pathos is the Greek word for both ‘suffering’ and ‘experience’. It is generally recognized as the more compassionate side of humanity. Logos generally refers to the more rational side of humans. The best definition I have found for logos is on the site, PathosEthosLogos.com, which says that “Logos is the Greek word for “word,” however the true definition goes beyond that, and can be most closely described as that by which the inward thought is expressed and the inward thought itself”.

In the original Star Trek each of these three traits is identified with one character. Kirk, the ship’s captain, is the authoritarian figure. Spock, the half-human, half-Vulcan, subscribes to the Vulcan ideology of suppressing one’s emotions in favor of logic. Finally, Bones is the romantic of the three and clearly speaks for the Greek concept of pathos. Champion’s dissection of Kirk’s leadership is that he takes all three of these concepts and uses them in his analysis. While clearly, at the end of the day, the decisions are the final responsibility of Kirk, he does actively seek input from his trusted advisors before coming to his final choice.

For the compliance practitioner, this means that you should seek a wide variety of inputs for your decision-making calculus. The Machiavellian trait of seeking trusted advice from experienced advisors (Subject Matter Experts – SMEs) is certainly in play here. But incorporating these three very different concepts into the way you think through an issue can help you to evaluate a greater range of considerations. Monitoring, auditing and similar oversight techniques can bring you the logical examinations through data. But data is, in the final analysis, a product of human actions so the data must be read with some measure of humanity or human character. Values are not numbers but how we assign actions to that raw data. Finally, the ethos must be taken into account. Obviously there must be an ethical component to any decision made, but ethos also speaks to the character of the decision. Was the decision made using all the facts that were, or should have been, available to the decision-maker?

I thought about Champion’s remarks when I read the New York Times (NYT) Corner Office column by Adam Bryant, entitled “When Ideas Collide, Don’t Duck”. In this article, Bryant reported on his interview with Jeff Lawson, Chief Executive Officer (CEO) of Twilio, a cloud communications company. Lawson spoke about all three Greek leadership concepts in his education in being a company head. From the ethos perspective, he spoke about his grandfather who built and sold a hardware company in Detroit. Then in his 70s, his grandfather took a job as a manufacturer’s representative, selling paint accessories to hardware stores that had previously been his competitors. His grandfather did this for another 20 years and when he died, Lawson said, “The Owner of every hardware store in Detroit came to the funeral. It was amazing.”

Lawson had another insight, which related to pathos and it revolved around feedback. He said, “This is especially important with millennial workers, who really want feedback. They want to always be learning, always be growing, and they’re looking for that constant feedback. It’s not that they’re looking for constant praise, but rather they want to keep score. They want to know how they’re doing.  Part of it is the short cycle of Internet feedback, and people who grew up with the Internet just expect quick feedback on things. That’s just part of the changing ethos, especially with younger workers. If you get into the habit of regular feedback, it’s not confrontational; it’s just the ebb and flow of conversation and a constant tweaking of how you work with somebody.”

Lawson incorporates the logos concept into his leadership set as well. He does this in the context of empowering employees to come up with new ideas but requires these employees to validate them to move forward. He said, “A lot of our values are about empowering employees. “Draw the owl” is a favorite. It’s based on the Internet meme of how to draw an owl. It says: “Step 1, draw some circles. Step 2, draw the rest of the owl.” That’s what it takes to be an entrepreneur — you have to put aside all the reasons you think you can’t do something or figure it out. Our job is to come in every day and take a vague problem that we don’t know how to solve and figure out the solution.”

Does art imitate life or does life imitate art? I am never too sure. But from my chat with John Champion, it is clear that even such a cultural marvel as Captain James T. Kirk can provide leadership lessons for the compliance practitioner.

If you have not yet done so, I hope you will go over and check out my podcasts at the FCPA Compliance and Ethics Report. I am up to Episode 41 and should have a couple more up this week. 

March 7, 2014

Machiavelli for Chief Compliance Officers

Last year was the 500th anniversary of the publication of one of the most significant books on political theory ever written, The Prince by Niccolò Machiavelli. Just how evil do many people view the treatise? Consider that the book alone is responsible for bringing the word “Machiavellian” into usage as a pejorative term. It also helped make “Old Nick” an English term for the devil, and even contributed to the modern negative connotations of the words “politics” and “politician” in western countries (imagine him pre-saging the US Congress by 500 years). However, it is also viewed by many as one of the first works of modern philosophy, especially modern political philosophy, in which the effective truth is taken to be more important than any abstract ideal. It was also in direct conflict with the dominant Catholic and scholastic doctrines of the time concerning how to consider politics and ethics.

Many also find it a useful learning tool for a company’s management; though not the part about sawing a poor performing employee in half, literally. For instance in the Texas Lawyer, Work Matters column, Michael P. Maslanka wrote an article, entitled “Machiavelli’s 6 Insights for the General Counsel”. Duly inspired, I have adapted his thoughts for the Chief Compliance Officer (CCO).

Lesson No. 1 – Heed Selected Advice from Selected Advisors

While in medieval Florence, the Prince ruled as the supreme monarch, he still needed advisors. Today, we are called subject matter experts (SMEs). Maslanka advises that “the prince decides from whom and about what he wants counsel, plus when he wants the advisers to offer it.” More importantly, a “prince’s demeanor must encourage truth telling. This creates a virtuous circle from which “everyone may see that the more freely he speaks, the more he will be accepted.””

For the CCO this means that you should find a trusted SME or set of SMEs which you can bounce issues off and they will answer the question. This does not mean to provide you a Memo or some type of cover. You need advisors who will give answers as to what you can and cannot do under such laws as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Moreover, they should be able to point out how to manage risks with increasing oversight as the risk profile increases. 

Lesson No. 2 – Niccolò is Not Tony Soprano

Unlike Tony, who can do whatever he wants, whenever he wants. Maslanka writes that “As law professor Philip Bobbitt observes in “The Garments of Court and Palace: Machiavelli and the World He Made,” this reasoning undergirds international law, allowing the aggrieved party to disavow its obligations because the reasons for entering into the agreement initially have evaporated.”

For the CCO this means something like the following story. If a company president says that he wants to engage in some transaction or engage a particular agent and you tell him if he does so, he runs the risk of violating the FCPA; he might have a couple of responses. First, he might say that such risk is above his risk tolerance and he will not engage in the behavior. However, he might also say, that you are the compliance professional, you figure out a way to do it legally. What I think that means is that as the risk goes up, the management of that risk also goes up. Would such a response be more costly or more intrusive? Probably, but if there is a way to manage a compliance risk and not violate the FCPA, I think you can legitimately suggest that to your company president.

Lesson No. 3 – If you treat others well, they will treat you well

Channeling his inner Machiavelli and HR 101, Maslanka quotes from The Prince when he writes, “A prince must … show himself a lover of merit, give preferment to the able, and those who excel in every act.” Maslanka then notes, “Who invented the suggestion box (aka incentivized ideas)? That’s right: Niccolò. “The prince should offer rewards to whoever … seeks in any way to improve his city or state.””

For the CCO this means that if you are honest and fair with people they will be much more willing to accept bad news in return. This is the basis of the Fair Process Doctrine. If a whistleblower brings allegations of corruption or a violation of your company’s Code of Conduct, keep that whistleblower apprised of the situation as is reasonable to do so.

Lesson No. 4 – People are bad. Work with it

No doubt channeling his inner FCPA Professor on rogue employees, Machiavelli says that there are bad people out there. Maslanka writes, “Not only are they bad but they “are ungrateful, fickle, desolators, apt to flee peril, covetous of gain.”” There are people who will see compensation as the be-all and end-all of corporate life. There are those beyond that who will work to defraud companies. Maslanka’s reading of The Prince leads him to write, “Ditch the naïveté and embrace a complex world. Use a one/two punch: Yes, we must have good laws, but we also must have “good arms.” Yes, be a lion (it’s good for dismaying wolves) but also be a fox (that’s good for recognizing traps).”

For the CCO this means you should have an effective process to ‘prevent, detect and remediate’ violations of your FCPA compliance program.

Lesson No. 5 – Be neither a yellow stripe nor a dead armadillo

Maslanka states “Jim Hightower, former Texas agriculture commissioner, famously remarked that the only items in the middle of the road are yellow stripes and dead armadillos. Machiavelli could not have agreed more. His advice: Take sides. Do not stay neutral. Cowboy up.” In other words, man up.

For the CCO, I think this translates into ‘take a stand’ when you have to do so. Yesterday I wrote about CCOs and the analogy of the Alamo. If you have to draw a line in the sand, do so. The responses to the blog post were interesting in that they were thankful that I pointed out what might happen to a CCO when they do draw the proverbial ‘line in the sand’ but they thought they were better for having done so. Unfortunately, if a company moves forward and does not heed such advice, it may be the entity that faces sanctions for violating the FCPA.

Lesson No. 6 – Adapt, adapt, adapt

Maslanka wrote, “before Charles Darwin, Machiavelli grasped the power of adaptation. Whoever “adapts his mode of proceeding to the quality of the times is happy and similarly, he whose procedure disagrees with the times is unhappy.” Adaptation is crucial because fortune changes, the earth moving under our feet without warning. Machiavelli’s counsel: Adapt a mindset of being impetuous, not cautious; ferocious, not timid; calculating, not blindly trusting.” In other words, when in doubt, act.

For the CCO this means that you must assess and then act upon that assessment. In the compliance realm this is particularly true because risks change, now so quickly it is sometimes hard to keep track. Even if you perform a risk assessment every two years and believe you have assessed and remediated the new risks; how do you deal with the new environment in places like Ukraine and Turkey? What about China? Have you looked into your Chinese subsidiary’s use of travel agencies? How up to date is the due diligence on your third parties?

Maslanka ends his article with the following, “Machiavelli never wrote that the ends justify the means, and he didn’t intend that to be his message. He believed in what people now call “servant leadership,” which would be a subordination of the prince’s needs and ego to the greater good. In his case, that was a unified Italy, free of foreign domination, achieved by using the principled and humane values—yes, humane values—that he wrote about in “The Prince.” It’s this servant leadership that suits GCs and the C-level executives that they advise.”

I would heartily agree with his sentiment but revise ‘GC’ to CCO.

March 6, 2014

Remember the Alamo: Analogy for Compliance Officers?

Today is the anniversary of the most historic day of many in the history of the great state of Texas, the date of the fall of the Alamo. While March 2, Texas Independence Day, when Texas declared its independence from Mexico, and April 21, San Jacinto Day, when Texas won its independence from Mexico, probably both have more long-lasting significance, if there is one word that Texas is known for around the world, it is the Alamo. The Alamo was a crumbling Catholic mission in San Antonio where 189 men held out for 13 days against the Mexican Army of General Santa Anna, which numbered approximately 1,800. But on this date in 1836, Santa Anna unleashed his forces, which over-ran the mission and killed all the fighting men. Those who did not die in the attack were executed and all the deceased bodies were unceremoniously burned. Proving he was not without chivalry, Santa Anna spared the lives of the Alamo’s women, children and their slaves. But for Texans across the globe, this is our day to Remember the Alamo.

While Thermopylae will always go down as the greatest ‘Last Stand’ battle in history, the Alamo is right up there in contention for Number 2. Like all such battles, sometimes the myth becomes the legend and the legend becomes the reality. In Thermopylae, the myth is that 300 Spartans stood against the entire 10,000-man Persian Army. However, there was also a force of 700 Thespians (not actors, but citizens from the City-State of Thespiae) and a contingent of 400 Thebans who fought and died alongside the 300 Spartans. Somehow, their sacrifice has been lost to history.

Likewise, the legend that lifts the battle of the Alamo to the land of myth is the line in the sand. The story goes that William Barrett Travis, on the day before the final attack, when it was clear that no reinforcements would arrive in time and everyone who stayed would perish; called all his men into the plaza of the compound. He then pulled out his saber and drew a line in the ground. He said that they were surrounded and would all likely die if they stayed. Any man who wanted to stay and die for Texas should cross the line and stand with him. Only one man, Moses Rose, declined to cross the line. The immediate survivors of the battle did not relate this story after they were rescued and this line in the sand tale did not appear until the 1880s.

But the thing about ‘last stand’ battles is they generally turn out badly for the losers. Very badly. I thought about this when a former Department of Justice (DOJ) official said at Compliance Week last year that he viewed anti-corruption compliance officials as “The Alamo” in terms of the last line of defense in the context of preventing violations of the Foreign Corrupt Practices Act (FCPA). I gingerly raised my hand and acknowledged his tribute to the great state of Texas but pointed out that all the defenders were slaughtered, so perhaps another analogy was appropriate. Everyone had a good laugh back then at the conference. But in reflecting on the history of my state and what the Alamo means to us all, I have wondered if my initial response was too facile.

What happens to a Chief Compliance Officer (CCO) or compliance practitioner when they have to make a stand? Do they make the ultimate corporate sacrifice? Will they receive the equivalent of a corporate execution as the defenders of the Alamo received? This worrisome issue has certainly occurred even if the person ‘resigned to pursue other opportunities.’ My fellow FCPA Blog Contributing Editor Michael Scher has been a leading voice for the protection of compliance officers, as have Donna Boehme and Michael Volkov. In a post entitled “Michael Scher Talks to the Feds” he quotes, “a compliance officer (CO) working in Asia asked for recognition and protection: “A CO will not stand up against the huge pressure to maintain compliance standards if he does not get sufficient protection under law. Most COs working in overseas operations of U.S. companies are not U.S. citizens, but they usually are first to find the violations. Since the FCPA deals with foreign corruption, how could the DOJ and SEC not protect these COs?”” In the same post, he asked of the DOJ “Wal-Mart’s compliance officers and professionals allegedly were intentionally obstructed by senior executives from conducting a compliance review and subjected to career-ending retaliation. If confirmed, will the DOJ and SEC’s settlement demonstrate that such harassment of compliance professionals is not condoned? Will the DOJ and SEC also make it clear that compliance officers working for multi-national companies like Wal-Mart in countries outside of America will receive the same protections as those working in America?”

Writing about the MF Global scandal in the New York Times (NYT) in an article entitled “Another View: MF Global’s Corporate Governance Lesson”, Michael Peregrine stated that the “compliance officer is the equivalent of a “protected class” for governance purposes, and the sooner leadership gets that, the better.” Particularly in the post Sarbanes-Oxley (SOX) world, a company’s CCO is a “linchpin in organizational efforts to comply with applicable law.” When a company fires a CCO (or asks him/her to resign), it is a significant decision for all involved in corporate governance and should not be solely done at the discretion of the Chief Executive Officer (CEO). Jonathan Marks has long advocated that the departure of a CCO from a company is such a material event that it should be disclosed by public companies.

In the area of anti-money laundering (AML) compliance professionals, Reuters reported, in an article entitled “Bankers anxious over anti-money-laundering push to go after individuals”, that at the Securities Industry Financial Markets Association conference, John Davidson, E*Trade Financial’s global head of AML, said that the “new push by regulators and lawmakers to hold individuals, rather than just institutions, accountable for regulatory violations involving money laundering is spooking members of the U.S. financial industry.” He further said that this aggressive trend and a new vigorous AML bill, introduced in Congress by Representative Maxine Waters, entitled “Holding Individuals Accountable and Deterring Money Laundering Act”, were all “a little scary.” He found the trend towards more AML enforcement against individuals “an incredibly disturbing trend.” The reason it is so scary, an un-named top level compliance officer said, is “that compliance officers at the largest Wall Street institutions were feeling especially nervous because the power structures in those institutions sometimes did not give compliance officers enough authority to act.”

Upon further reflection I now believe the Alamo reference appropriate for compliance officers. It is because sometimes we have to draw a line in the sand to management. And when we do, we have to cross that line to get on the right side of the issue, the consequences be damned. Remember the Alamo!

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

March 5, 2014

Overwhelmed? Planning and Execution in Compliance

What should you do when an event or series of events is so overwhelming that it staggers your ability to evaluate, plan and respond to it or them? I thought about that question when I read an article in the New York Times (NYT) about the role of the Mayor of Rio De Janeiro in the upcoming World Cup this summer and the 2016 Olympics, entitled “Rio’s Mayor, Shepherd of the City’s Rebirth, Feels the Strains, Too” by Simon Romero. In the article, the Mayor, Eduardo Paes, discussed the strains he is under in tearing down and then rebuilding his city in anticipation of the globe’s two greatest sporting events. He was quoted as saying “Don’t ever in your life do a World Cup and Olympic Games at the same time. This will make your life almost impossible.”

What if something happens in your company, corruption-wise, and your life as the Chief Compliance Officer (CCO) or compliance officer is turned upside down, much like Paes? My colleague Stephen Martin advocates having a 1-3-5 year plan in place to fall back upon. Martin believes that such a document would be an important item to produce to a prosecutor, who might be reviewing your compliance program in the event of a voluntary self-disclosure, a Dodd-Frank or other whistle-blower event, which has led your company to receive a subpoena or letter of inquiry or an industry sweep. He believes that such a strategic plan could well lead to the development of credibility for your company and your compliance program in the event of one of the aforementioned eventualities.

But, if you do have such a plan, how can you implement it in the face of something as overwhelming as is facing the current Mayor of Rio? In his book, “Achieving 100% Compliance of Policies and Procedures”, author Stephen Page discusses ‘Creating a Review and Communication Control Plan.’ In this section he sets forth several steps for the compliance professional to use in reviewing, creating and implementing updated compliance procedures. A review plan should be created to enable policies and procedures to “remain an integral part of the daily work lives of the target audience.” Page breaks down the process into three main categories: (1) General Review; (2) Ongoing Communications; and (3) Training Campaign.

The CCO or compliance practitioner should keep track of “external and internal events which may cause change to business process, policies and procedures.” He lists two examples of where new laws applicable to your business organization and internal events drive changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. In several Deferred Prosecution Agreements (DPAs) announced this year, the DOJ listed several different areas to review, including:

  1. Geography;
  2. Interaction with types and levels of Governments;
  3. Industrial Sector of Operations;
  4. Involvement with Joint Ventures;
  5. Licenses and Permits in Business Operations;
  6. Degree of Government Oversight; and
  7. Customs and Immigration. 

Communications of the overall policies and procedures should not be a single event but continuous and ongoing. In other words, do not simply post your new policy on your company’s business policy website and let it sit there for years. You should make the announcement of policy implementation more public and such communication should be followed up. Page gives several examples of how policies can be communicated.

  1. Via company-wide email;
  2. Posters placed throughout the physical facilities;
  3. Strategic placement of information on company bulletin boards;
  4. In company meetings; and
  5. In newsletters.

Finally, ongoing training is a key component of an effective compliance program. He recognizes that training is constrained by budgetary realities. However, there are various formats and media that can be used for training. These include small workshop groups, presentations at company-wide conferences, smaller departmental meetings, internal webcasts/video casts and training DVDs.

The author concludes by noting that a review plan “is a great tool” for the compliance analyst as it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes which are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for compliance program upgrades and updates that Stephen Martin advocates.

Another approach is one articulated by Jan Farley, the CCO at Dresser-Rand, which basically is ‘don’t spread yourself too thin’. Jan’s comments also echo something that I believe is clear from the Guidance: Don’t focus on the small stuff. Indeed the Guidance states, “Thus, it is difficult to envision any scenario in which the provision of cups of coffee, taxi fare, or company promotional items of nominal value would ever evidence corrupt intent, and neither DOJ nor SEC has ever pursued an investigation on the basis of such conduct.” In other words, do not waste your compliance time, resources or energy around these small issues. However, if these small issues are a part of a larger systemic or long standing course of conduct that violates the FCPA, then the DOJ may well look into these issues. You will want to show the DOJ you are focusing on the “big stuff”.

The Guidance also makes clear that each company should assess its risks and manage its risks. The Guidance specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

Another approach was set out by Bruce Rector, in an article in the Houston Business Journal (HBJ), entitled “Strategic planning needs constant follow-up to be successful”. In the article Rector sets out steps to assist in utilizing a strategic plan. He recognizes that while a strategic plan can serve as a guide for your company going forward, it must actually be utilized to garner any use out of it. Rector notes “if your company and management team have expended the time and resources to pull together a strategic plan, the next logical step is to follow up and keep things on track.” Revising Rector’s steps for the compliance practitioner, I have set out the following.

  • Review the Goals of the Strategic Plan. This requires that you arrange a time for the CCO and team to review the goals of the Strategic Plan. Rector advises that to the extent possible this should be done in person. The CCO should lead a discussion of the Strategic Plan and determine how each goal in the Plan measures up to its implementation in your company.
  • Design an Execution Plan. Here Rector advises that the “Keep it Simple Sir”, or KISS method, is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed. Rector notes that any “plan must be specific with clear tasking and deliverables and a definite timeline for delivery.”
  • Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached. Simply having a timeline is not enough. This means that the persons tasked with the responsibility of performing the tasks must be clearly identified, both as to the individual so tasked and the actual task they are assigned to complete. Accountability also includes a “follow-up mechanism to ensure that these vital goals are achieved.” This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
  • Schedule the Next Review of the Plan. Most interestingly, Rector recommends a review of the foregoing process on a weekly basis. While noting that this may seem time consuming, he believes that once the group assigned with this responsibility gets “into the rhythm, it can go smoothly.” While I would not necessarily agree that weekly meetings are required, Rector does correctly note that such regularity allows any problems which may arise to be detected and corrected more quickly than if meetings are held on a less frequent basis.

If you face a challenge as great as Mayor Paes, you will indeed need something to assist you in moving forward. While starting from scratch or implementing a compliance regime in the midst of an internal investigation or Foreign Corrupt Practices Act (FCPA) enforcement action can be daunting, the basic advice to put down a plan and follow that plan with reasonable actions and steps is solid advice. But keep in mind Jan Farley’s counsel as well and do not spread yourself too thinly. Focus on your entity’s risk and then manage or, if need be, remediate your risk.


March 4, 2014

How Does the 20th Amendment Inform Your Compliance Program Incentives?

On this date in 1933, FDR held his first inauguration. It was also the final inauguration held in March before the passage of the 20th Amendment to the US Constitution that moved the inauguration date to January 20th. What was the reason the Constitution originally set an inauguration date in March, some six months after the November election? It is because a Roman Tribune’s annual term of office began in March, rather than in January. During this six month period, the old administration did not have much incentive to do anything, which could benefit the incoming Presidential administration, if they were from different parties. That was the driving force for the 20th Amendment.

I thought about this dis-incentive when considering the question of how you could incentivize your senior management team so that they will integrate compliance into their business routine. Put another way, how can you measure compliance in senior management or evaluate it for the purposes of a bonus calculation? This issue has often been difficult to sustain in a company because the compliance evaluation of a senior manager or company leader is often viewed as too subjective. However, in a recent issue of the Compliance Insider magazine, put out by the Red Flag Group, I came across an article that directly addresses these issues and concerns.

The article was entitled, “Integrating Your Compliance Programme Into the Variable Compensation of Executives”. The article was built around a case study of the Sorin Group, which is a healthcare multinational and the company’s incentive program for its compliance regime. Interestingly, the reason the company created such an incentive program in the first place was to “influence actual behaviors, and not merely the consequences of any wrong doing that may occur.” With this premise, at the Sorin Group, compliance has been made an integral part of each manager’s performance objectives. Members on the company’s Executive Leadership Team (ELT) and the other leaders of all of its corporate functions and “business units are directly responsible for the culture, understanding, observance and adoption of the Sorin Code of Conduct, the Sorin United States and international compliance policies and procedures” and their respective health industry codes of practice.

Further, each of the different functions within the Sorin Group has adopted individual performance objectives specifically regarding compliance. The individualized “compliance objectives are agreed and documented every year for each function and senior manager, and form part of the process of continuous performance review (written reviews twice yearly) managed by Sorin’s human resources team. The responsible executive of each function or group is required to cascade each of the compliance obligations to those employees under them. This ensures that the whole company has compliance integrated into their variable remuneration.”

The company’s evaluation process includes the staff that report to each senior executive who are interviewed by the General Counsel (GC) or other member of the compliance function “to determine their adherence to the compliance objectives.” Additionally, “An assessment is performed alongside line managers and a member of the human resources team to determine whether the obligations have been met, and to what extent.” Lastly, this same system applies to the company’s Board of Directors and Chief Executive Officer (CEO).

The variable compensation awarded to an employee at the end of each year can be affected in two ways by his or her compliance evaluation. The first is for an entire group and “If a group fails to meet expectations for the specific objectives the executive and their whole team will miss out on the entire variable pay for that year.” But “If a group meets some expectations for the compliance objectives they will receive payment of the variable, with the amount dependant on the amount of objectives that have been met.” The same holds true for the individual within the group so that “if an employee fails to meet his or her compliance objectives, the whole bonus for that employee will remain unpaid.”

The article also gave some specific examples of compliance obligations that are measured and evaluated. This is an excellent list for the compliance practitioner to use in benchmarking a company’s compliance program in this area or instituting such an incentive compensation system for your company. They include the following.

For the ELT

  • Lead from the top – in your own conduct (lead by example) and in the decisions you take, to the resources and time you commit to compliance
  • Facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally
  • Support specific initiatives from the CEO, legal and compliance functions. 

For Department Heads

  • Demonstrate, facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally
  • Support specific initiatives from the legal and compliance functions
  • Ensure that all employees, agents and contractors directly or indirectly reporting to you fully complete all required training and communications in a timely manner
  • Provide full cooperation with investigations conducted by the compliance or legal functions of any alleged violation of compliance policies
  • Include the Chief Compliance Officer or another legal or compliance function representative in your management meetings at least twice per year, per geography
  • Identify instances of non-compliance and support compliance monitoring and reporting systems
  • Partner with compliance in resolving compliance issues.

For Country Heads of Sales

  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully reported all sales and marketing interactions with all HCPs (Health Care Professional) in a timely manner
  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully, promptly and accurately reported all expenses with HCPs on Concur. 

The article also speaks of five things to consider when developing such a compliance incentive program. (1) The program needs to be cascaded down the organization so that it applies to all levels in the company. (2) Include both a 360 degree review and mid-year review. (3) To truly incentivize senior management, the compliance objectives should be at least 25% of the overall discretionary bonus program. (4) Do not have simply ‘tick-the-box’ incentives but include subjective incentives.

As the final item to consider, the article says that you need to have SMART compliance objectives, which are defined as:

  • Specific: A specific objective has a much greater chance of being accomplished than a general objective (e.g., don’t just say “ensure training has been completed by your team”; say):
    • Who: who needs to be trained?
    • What: what training objectives do you want to accomplish?
    • Where: identify a location for the training
    • When: establish a time frame for the training to be completed
    • Which: identify requirements and constraints for any training
    • Why: provide specific reasons, purpose or benefits of accomplishing the training objective.
  • Measurable: Establish concrete criteria for measuring progress toward the attainment of each objective you set.
  • Aggressive but attainable: When you identify objectives that are most important to the compliance function and the relevant business, employees are more likely to see the value in making them come true.
  • Realistic: To be realistic, an objective must represent something which you are both willing and able to work toward.
  • Timely: An objective should be grounded within a timeframe. 

The article ends with some insights into lessons learned by the Sorin Group in its roll out of the compliance incentive program. These lessons included the following:

  • Top down: If your ELT is truly on board you can make big leaps and not limit your compliance ambitions to incremental steps.
  • Personalize: The objectives should be more personal to each function and more granular.
  • Balance: Have qualitative judgments but couple them with concrete and – most importantly – objective and measurable key performance indicators.
  • Publicize: Talking about real company examples of its people makes the difference.
  • Be positive: Focus your company’s efforts on positive incentive behaviors. In other words, use both the stick and carrot.
  • Just do it: Stop talking the talk and start walking the walk.

The FCPA Guidance made clear that the Department of Justice and Securities and Exchange Commission expect incentives to be built into your best practices compliance program. The Sorin Group case study in Compliance Insider provides solid tips for the compliance practitioner on steps to take for his or her company’s compliance program. Is some of this subjective? Yes, it is, but that does not mean financial incentives cannot be written into the evaluation of any senior management to help guide ethical business practices.

