January

January 30, 2015

COSO and Internal Controls, Part II

Filed under: 2013 Framework,Best Practices,Compliance,Compliance and Ethics,compliance programs,COSO,FCPA,Internal Controls — tfoxlaw @ 12:01 am
Tags: COSO, FCPA, Internal Controls

This post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adherence to the COSO 2013 Framework. Today I will begin a discussion of the updated COSO Framework. Brian Christensen, in an article in Corporate Compliance Insights, entitled “The Updated COSO Framework: Time for a Fresh Look at Internal Control”, said that the updated Framework retained the core definition of internal controls; those being control environment, risk assessment, control activities, information and communication, and monitoring activities. Further, these five operational concepts are still visually represented in the well-known three-dimensional “COSO Cube”. In addition, the criteria used to assess the effectiveness of an internal control system remain largely unchanged. The effectiveness of internal control is assessed relative to the five components of internal controls and the underlying principles supporting the components. However, it is the emphasis on the principles, which is new to the 2013 Framework.

Christensen believes that “COSO has chosen to formalize more explicitly the principles embedded in the 1992 version of the framework that facilitate development of effective internal control and assessment of its effectiveness. While the 1992 version implicitly reflected the core principles of internal control, the 2013 version explicitly states them in the form of 17 principles, each of which is mapped to one of the five components. The 17 principles represent fundamental concepts associated with the five components of internal control. There isn’t any new ground broken by these principles as they reflect widely known tenets of sound internal control that have been around for a long time.” The principles remain broadly stated as they are intended to apply to for-profit companies, not-for-profit entities, government bodies and other organizations. Moreover, “supporting each principle are points of focus, representing characteristics associated with the principles and providing guidance for their application. Together, the components and principles constitute the criteria and the points of focus provide the guidance that will assist management in assessing whether the components of internal control are present, functioning and operating together within the organization.”

The first of the five objectives is ‘control environment’. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said the control environment “sets the tome for the implantation and operation of all other components of internal control. It starts with the ethical commitment of senior management, oversight by those in governance, and a commitment to competent employees.” The five principles of the control environment object are as follows:

The organization demonstrates a commitment to integrity and ethical values.
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
Management establishes with board oversight, structures, reporting lines and appropriate authorizes and responsibility in pursuit of the objectives.
The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives.
The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective.

Commitment to integrity and ethical values

What are the characteristics of this principle? First, and foremost, is that an entity must have the appropriate tone at the top for a commitment to ethics and doing business in compliance. It also means that an organization establishes standards of conduct through the creation of a Code of Conduct or other baseline document. The next step is to demonstrate adherence to this standard of conduct by individual employees and throughout the organization. Finally, if there are any deviations, they would be addressed by the company in a timely manner. From the auditing perspective, I think that this principle requires an auditor to be able to assess if a company has the met its requirements to ethics and compliance and whether that commitment can be effectively measured and assessed.

Board independence and oversight

This principle requires that a company’s Board of Directors establish oversight of a compliance function, separate and apart from the company’s senior management so that it operates independently in the compliance arena. Next there should be compliance expertise at the Board level which allows it actively manage its function. Finally, and perhaps most importantly, a Board must actively provide oversight on all compliance control activities, risk assessments, compliance control activities, information, compliance communications and compliance monitoring activities. Here, internal auditors must interact with a Board’s Compliance Committee (or other relevant committee such as the Audit Committee) to determine independence. There must also be documented evidence that the Board’s Compliance Committee provides sufficient oversight of the company’s compliance function.

Structures, reporting lines, authority and responsibility

This may not seem as obvious but it is critical that a compliance reporting line go up through and to the Board. Under this principle, you will need to consider all of the structures of your organization and then move to define the appropriate roles of compliance responsibility. Finally this principle requires establishment of the appropriate authority within the compliance function. Here your auditors must be able to assess whether compliance responsibilities are appropriately assigned to establish accountability.

Attracting, developing and retaining competent individuals

This principle gets into the nuts and bolts of doing compliance. It requires that a company establish compliance policies and procedures. Next there must be an evaluation of the effectiveness of those compliance policies and procedures and that any demonstrated shortcomings be addressed. This principle next turns the human component of a compliance program. A company must attract, develop and retain competent employees in the compliance function. Lastly, a company should have a demonstrable compliance succession plan in place. An auditor must be able to demonstrate, through its compliance policies and equally importantly its actions, that it has a commitment to attracting, developing and retaining competent persons in the compliance function and more generally employees who accept the company’s general principle of doing business ethically and in compliance.

Individuals held accountable

This is the ‘stick’ principle. A company must show that it enforces compliance accountability through its compliance structures, authorizes and responsibilities. A company must establish appropriate compliance performance metrics, incentives to do business ethically and in compliance and finally clearly reward such persons through the promotion process in an organization. Such reward is through an evaluation of appropriate compliance measures and incentives. Interestingly a company must consider pressures that it sends through off-messaging. Finally, each employee must be evaluated in his or her compliance performance; coupled with both rewards and discipline for employee actions around compliance. This principle requires evidence that can demonstrate to an auditor there are processes in place to hold employees accountable to their compliance objectives. Conversely, if an employee does not fulfill the compliance objectives there must be identifiable consequences. Lastly, if this accountability is not effective, the internal controls should be able to identify and manage the compliance risks that are not effectively mitigated.

I will take a short break from my explorations of COSO and Internal Controls next week, but do not worry the subject will return the week of February 9. Next week I will have a series of guest posts from Joe Oringel, Principle at Visual RiskIQ on data analytics.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Leave a Comment

January 29, 2015

Welcome to COSO and the World of Internal Controls – Part I

Filed under: 2013 Framework,Aaron Murphy,Best Practices,Bio-Rad,COSO,FCPA,Henry Mixon,Internal Controls,Layne Christensen — tfoxlaw @ 7:55 am
Tags: COSO, Internal Controls

I have intentionally avoided a Top Five or Top Ten prediction list for Foreign Corrupt Practices Act (FCPA) enforcement going forward from 2014 into 2015. However there is one area of FCPA enforcement, which I think underwent a sea change in 2014 and has significant implications for the Chief Compliance Officer (CCO) and compliance practitioner in 2015 and far beyond. That change will be in the enforcement by the Securities and Exchange Commission (SEC) of the internal controls provisions of the FCPA. Last fall we saw three SEC enforcement actions, where there was no corresponding Department of Justice (DOJ) enforcement action yet there was a SEC enforcement action around either the lack or failure of internal controls. Those enforcement actions were Smith & Wesson, Layne Christensen and Bio-Rad.

Coupled with this new found robust enforcement strategy by the SEC, is the implementation of the COSO 2013 Framework, which became effective in December 2014. COSO stands for Committee of Sponsoring Organizations of the Treadway Commission, which originally adopted, in 1992, a framework for basis to design and then test the effectiveness of internal controls. It was deemed necessary to update this more than 20-year old COSO Framework, as modified in 2013, so that it provides a very supportable approach when adversarial third parties challenge whether a company has effective internal controls. While the COSO Framework is designed for financial controls, I believe that the SEC will use the 2013 Framework to review a company’s internal controls around compliance. This means that you need to understand what is required under the 2013 Framework and be able to show adherence to it or justify an exception if you receive a letter from the SEC asking for evidence of your company’s compliance with the internal controls provisions of the FCPA.

Because I believe this single area of FCPA enforcement is so important and will increase so much, I am going to dedicate several posts to an exploration of internal controls, focusing on the COSO 2013 Framework. In Part I, I begin with a review of internal controls under the FCPA.

What are internal controls?

What are internal controls in a FCPA compliance program? The starting point is the law itself. The FCPA itself requires the following:

Section 13(b)(2)(B) of the Exchange Act (15 U.S.C. § 78m(b)(2)(B)), commonly called the “internal controls” provision, requires issuers to:

devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that—

(i) transactions are executed in accordance with management’s general or specific authorization;

(ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets;

(iii) access to assets is permitted only in accordance with management’s general or specific authorization; and

(iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any

differences ….

The DOJ and SEC, in their jointly released FCPA Guidance, stated, “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.”

Aaron Murphy, a partner at Foley and Lardner in San Francisco and the author the most excellent resource entitled “Foreign Corrupt Practices Act”, has said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Well-know internal controls expert Henry Mixon has said that internal controls are systematic measures such as reviews, checks and balances, methods and procedures instituted by an organization that performs several different functions. These functions include allowing a company to conduct its business in an orderly and efficient manner; to safeguard its assets and resources, to detect and deter errors, fraud, and theft; to assist an organization ensuring the accuracy and completeness of its accounting data; to enable a business to produce reliable and timely financial and management information; and to help an entity to ensure there is adherence to its policies and plans by its employees, applicable third parties and others. Mixon adds that internal controls are entity wide; that is, they are not just limited to the accountants and auditors. Mixon also notes that for compliance purposes, controls are those measures specifically to provide reasonable assurance any assets or resources of a company cannot be used to pay a bribe. This definition includes diversion of company assets, such as by unauthorized sales discounts or receivables write-offs as well as the distribution of assets.

The FCPA Guidance goes further to specify that internal controls are a “critical component” of a best practices anti-corruption compliance program. This is because the design of an entity’s “internal controls must take into account the operational realities and risks attendant to the company’s business, such as the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption. A company’s compliance program should be tailored to these differences.” After a company analyzes its own risk, through a risk assessment, it should design its most robust internal controls around its highest risk.

COSO and Internal Controls

Larry Rittenberg, in his book COSO Internal Control-Integrated Framework said that the original COSO framework from 1992 has stood the test of time “because it was built as conceptual framework that could accommodate changes in (a) the environment, (b) globalization, (c) organizational relationship and dependencies, and (d) information processing and analysis.” Moreover, the updated 2013 Framework was based upon four general principles which including the following: (1) the updated Framework should be conceptual which allows for updating as internal controls (and compliance programs) evolve; (2) internal controls are a process which is designed to help businesses achieve their business goals; (3) internal controls applies to more than simply accounting controls, it applies to compliance controls and operational controls; and (4) while it all starts with Tone at the Top, “the responsibility for the implementation of effective internal controls resides with everyone in the organization.” For the compliance practitioner, this final statement is of significant importance because it directly speaks to the need for the compliance practitioner to be involved in the design and implementation of internal controls for compliance and not to simply rely upon a company’s accounting, finance or internal audit function to do so.

So why will all of the above be a sea change for FCPA enforcement since after all, the requirement for internal controls has been around since 1977. The Smith & Wesson case shows the reason. In its Administrative Order, the SEC stated, “Smith & Wesson failed to devise and maintain sufficient internal controls with respect to its international sales operations. While the company had a basic corporate policy prohibiting the payment of bribes, it failed to implement a reasonable system of controls to effectuate that policy.” Additionally, the company did not “devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s general or specific authorization; transactions are recorded as necessary to maintain accountability for assets, and that access to assets is permitted only in accordance with management’s general or specific authorization.” All of this was laid out in the face of no evidence of the payment of bribes by Smith & Wesson to obtain or retain business. This means it was as close to strict liability as it can be without using those words. Kara Brockmeyer, chief of the SEC Enforcement Division’s FCPA Unit, was quoted in a SEC Press Release on the matter that “This is a wake-up call for small and medium-size businesses that want to enter into high-risk markets and expand their international sales.” When a company makes the strategic decision to sell its products overseas, it must ensure that the right internal controls are in place and operating.”

In Part II we will begin our exploration of the COSO 2013 Framework and what it requires in the way of internal controls for your FCPA compliance program.

© Thomas R. Fox, 2015

Leave a Comment

January 28, 2015

The Patriots, the NFL and Compliance

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs — tfoxlaw @ 12:01 am
Tags: Deflategate

You knew it was coming. No, not a Cialis-themed blog post, but close enough, ‘Deflategate’ and the compliance angle. In honor of this weekend’s Super Bowl it is certainly worth considering. You might think with all that is going on in the world, the air pressure of footballs might not be too high on the list but unfortunately that will not be the case as most of the national news broadcasts over the past week have led off with this story. For those hermits among you reading this blog post, the claims relate to the footballs used in the American Football Conference (AFC) Championship game between the mighty New England Patriots and the Indianapolis Colts, said Pats have been accused of cheating by intentionally by under inflating the footballs used in their win over the Colts. The National Football League (NFL) is investigating and that alone should give you comfort that all will be done honorably given how well the NFL has handled itself over the past 12 months.

In a Press Conference last week, New England golden boy and quarterback (and most importantly-fellow UM grad) Tom Brady claimed, in an article by Ken Belson in the New York Times (NYT) entitled “N.F.L. Ends Silence on Underinflated Footballs to Say It Is Investigating”, to have “no knowledge of how the Patriots came to use underinflated footballs” in the Colts game. Unfortunately for Brady, his honesty appeared to be several notches below the norm when he made this assertion. If you saw the Press Conference itself, it was very clear the Golden Boy was uncomfortable even answering the question and there is usually a very good reason even a four year-old hems and haws when answering such a difficult question.

Moreover, he was skewered by former quarterbacks for Sgt. Schultz-like claims of “I know nothing.” Tim Hasselbeck was quoted in the NYT piece as saying, “The balls were evaluated at halftime and the only reason you do that is there is some concern. If the balls were O.K. before the game but not by halftime, and it was only New England’s balls that were suspect, then obviously something happened to the balls between the initial inspection and the second half.” Hasselback went on to say that “Because quarterbacks alone are responsible for choosing the game-day footballs, the N.F.L.’s inquiry will eventually center on Brady, because the Patriots’ staff members would be unlikely to deflate game balls on their own.”

Former quarterback Mark Brunnell was even starker when he said on ESPN, and reported in a Sports Illustrated article entitled “Mark Brunell on why he reacted so strongly to Brady’s press conference” by Richard Deitsch, that ““I did not believe what Tom Brady had to say,” said Brunell, in a segment where he nearly choked up. “Those balls were deflated. Somebody had to do it. And I don’t believe there is an equipment manager in the NFL that would on his own initiative deflate a ball without the starting quarterback’s approval.”

Patriots head coach Bill Belichick held two Press Conferences last week. In the first one he claimed never to have given the inflation of footballs so much as a moment’s thought during all his years of coaching. His performance was about as believable as Brady’s. However the Coach doubled down in a Vegas sort of way the next day, when he said that he had thoroughly studied the issue and (scientifically) postulated that it was the cold weather which caused the dramatic two pound deflation in the footballs in some 30 minutes or so. His performance was so theatrical that even Bill Nye, the Science Guy, weighed in to disprove Belichick’s tale of weather related woe. I guess maybe we should leave scientific inquiry to the scientists.

The ball boy did it! Admit it, you knew it was coming. That is the new excuse about how footballs became underinflated. We can all take comfort that at least in the NFL, the myth of the rogue employee is still alive and well. I wish I could say it was in some work of fiction but if I did, I do not think anyone would believe me. But for a multi-billion dollar enterprise, i.e. the NFL, that was good enough. Perhaps the NFL might need to consider the incentives put in place for the Patriots, that of winning games, and reform the incentive system which they apparently unfairly placed this formerly law-abiding ball boy in the untenable position of deflating the Patriots footballs because that was the only way to guarantee his incentive in the nefarious world of professional sports incentive programs.

The NFL might want to risk assess the points where a team can change physical properties of tools to provide unfair advantages (i.e. Cheat). Where are the places that a home team can change equipment to its (unfair) advantage? Any reasonable risk assessment might have turned up that tool, which happens to have the same name as the game that it is such an integral part of, football. If such a tool is susceptible to a risk of management, could that risk be managed?

There might be another way to try and handle this conundrum. Perhaps the NFL could put procedures in place to prevent and then detect violations of its inflation policies for game day footballs. For instance, the NFL itself could be in charge of the footballs throughout the process, thereby taking away this obviously too-great temptation away from this former law-abiding ball boy. The League might even require background checks into ball boys to see if they have been accused of deflating footballs at other jobs. A robust Google search might be just the ticket. Relying on No. 2 of McNulty’s Maxims of an effective compliance program, could there even be a detect prong by checking the air pressure on the footballs?

Maybe the problem is that there is no penalty when a part of the same organization which engages in the conduct, disciplines itself. Oops, the Patriots did engage in cheating and got caught in the Spygate scandal. Oh well, I guess recidivism is not considered a problem in the most profitable sports league in America. Boy the NFL really showed them with that penalty and laid down the law of DO NOT EVER cheat again. Wow, I feel better already.

What lessons are there for the compliance practitioner? Probably too many to list in one blog post. First up is what do you do with convicted cheats, such as Belichick, who in the second Press Conference was simply shocked that anyone would bring up his NFL tagged conviction and $500K fine for Spygate. Should being a recidivist matter in compliance? What if you say you are sorry? What if you take the Belichick approach and simply blame the weather?

What about the NFL and their role here? Of course they are studying the issue with all the integrity they have brought upon themselves over the past year with the concussion issue, the Ray Rice scandal and the Adrian Peterson matter. I am sure that the investigation will be as forthcoming as the one performed in the wake of the Ray Rice video issue. Of course there is still the issue of favoritism by the NFL towards the Patriots and their owner, Robert Kraft, who apparently is great buddies with NFL Commissioner Roger Goodell. I am sure that Goodell will not forget the favor he did Kraft and the Patriots when he destroyed all the Spygate tapes before anyone else could see them. I suppose Goodell will have to decide yet again if it is the responsibility of the Commissioner to simply protect the league or if he should act with some integrity. I guess in his mind they could well be the same things.

One Seattle player, Richard Sherman, was quoted in an ESPN article, entitled “Pats won’t be punished” by Josh Weinfuss, for his opinion on what might happen. He said, “Will they be punished? Probably not. Not as long as Robert Kraft and Roger Goodell are still taking pictures at their respective homes. You talk about conflict of interest. As long as that happens, it won’t affect them at all. Nothing will stop them.” The problem is that Goodell was partying with the same Robert Kraft the weekend of the Colts game. Kraft was so proud of it, he posted pictures of himself with the Commish at his house party before the game. A bromance can only be around the corner. Weinfuss went on to write, “Sherman doesn’t think there’s much of a difference between the perception of the Patriots and the reality of how close they get to toeing the line on the rules.”

What does it all mean? Belichick is often thought of as a coaching genius for taking the Patriots to now six Super Bowls. He does this, in large part, by creating an ‘us against the world’ mentality that everyone else hates us so we have to show them. I wonder what he was thinking for this Super Bowl to motivate his team? So is Belichick crazy, you bet he is … like a fox.

Go Pats.

© Thomas R. Fox, 2015

Comments (1)

January 27, 2015

Franchising and Liability Under the FCPA

Filed under: Aaron Murphy,Best Practices,FCPA,Franchisor Liability — tfoxlaw @ 12:01 am
Tags: FCPA

I am often asked about franchisor liability under the Foreign Corrupt Practices Act (FCPA). Franchising has been a successful model in the US and now many corporations are looking at overseas expansion opportunities. Franchise law has become well developed across the US, with many states developing laws to protect the rights and obligations of both parties in a franchise agreement. According to an International Franchise Association survey of nearly 1,600 franchise systems in 2008 it stated “nearly two-thirds (61 percent) of respondents currently franchise or operate in non-U.S. markets and three-fourths (74 percent) plan to begin international expansion efforts or accelerate their current ventures immediately.”

There are no reported FCPA enforcement actions regarding franchisors. However, the factors in a franchise relationship would appear to lead to clear FCPA responsibility of the franchisor for its overseas franchisee’s actions. Additionally, court interpretation of the FCPA has held that it is applicable where conduct, violative of the Act, is used “to obtain or retain business or secure an improper business advantage” which can cover almost any kind of advantage, including indirect monetary advantage even as nebulous as reputational advantage. As everyone knows, the FCPA prohibits payments to foreign officials to obtain or retain business or secure an improper business advantage. Nevertheless many US companies view franchisees as different from other types of more direct sales representatives, such as company sales representatives, agents, resellers or even joint venture (JV) partners, for the purposes of FCPA liability.

I believe that such an analysis is misguided as the Department of Justice (DOJ) takes the position that a US company’s FCPA responsibilities extend to the conduct of a wide range of third parties, including the aforementioned company sales representatives, agents, resellers, JV partners and distributors. It does not take too great a leap of imagination to see that a franchise relationship could be contained within this interpretation. It does not take too many legal steps to see that a franchisee’s actions can impute FCPA liability to a US franchisor.

There are other factors, unique to the franchise relationship, which would point towards FCPA liability of the US franchisor. A US franchisor’s intent and the degree of control it exercises over its overseas franchisees’ operations are factors the DOJ/Securities and Exchange Commission (SEC) might consider in determining whether to pursue a FCPA case against a franchisor for bribes made by one of its foreign franchisees. It is always in the financial interest of a US franchisor for its franchisees to be successful businesses. Additionally, most US franchisors require its overseas franchisee’s to use the same company name for branding. Of course, not only the initial franchise fee but the franchisee’s monthly royalty payment roll up into the books and records of a franchisor so that might well catch the attention of the SEC if there is a FCPA books and records violation.

Victor Vital and Jessica Parker-Battle, writing in the Franchise Law Journal, Winter 2012 Issue, in an article entitled “Implications of the Foreign Corrupt Practices Act for International Franchising”, believe that a franchisor may not have direct involvement in conduct prohibited by the FCPA, there may not be the requisite corrupt intent required under the statute. However, I believe unless a franchisor has an adequate compliance program in place, a franchisor may well find itself in the shoes of Frederick Bourke and sustain a finding of conscious indifference.

Most franchisors have thorough financial vetting requirements before allowing any person or business to become a franchisee. However, how many of these same businesses perform FCPA compliance due diligence on their prospective overseas franchises? How many US franchisors have FCPA compliance training programs? How many evaluate, on an ongoing basis, the FCPA compliance and program of their overseas franchisees? How many US franchisors have a compliance hotline or other reporting mechanism for any compliance violations made against their franchisees?

Vital and Parker-Battle suggest that franchisors conduct thorough research in both the foreign market they hope to enter and on their potential franchisees. The franchise agreement itself should have strong FCPA anti-corruption/anti-bribery language and any franchisee, and its key employees, should receive FCPA training. The franchisor also needs to have a compliance subject matter expert (SME) available for franchisees and they also suggest that the franchisor provide an anonymous reporting hotline for FCPA violations. They end some of their suggested practices for the franchisor with the following, “it would be prudent to pay particular attention and monitor those countries in areas where bribery or gifts are encouraged in business relations. In sum, franchisors must be diligent when entering a foreign market and make sure to use best practices routinely and consistently.”

Another way to look at this issue comes from Foley and Lardner attorney Aaron Murphy from his book, entitled “Foreign Corrupt Practices Act – A Practical Resource for Managers and Executives”. In a chapter entitled “You Do More With the Government Than You Think”, Murphy has several examples of how any US company doing business overseas will come into contact with a foreign governmental official and, thereby, create a possible FCPA liability. Many of these are areas which a US based franchisor would have to utilize to do business in a foreign country, including some or all of the following:

Interactions with Customs Officials. Every time your company sends raw materials into, or brings them out of, a country there is an interaction with a foreign governmental official in the form of a customs official. Every customs transaction involves a payment to a foreign government and every transaction involves some form of a foreign governmental regulatory process. While the individual payment per transaction can be small, the amount of total transactions can be quite high, if a large volume of goods are being imported into a foreign country.
Interaction with Tax Officials. While noting that interacting with international tax authorities can present problems similar to those with customs officials, Murphy observes that the stakes can often be much higher since tax transactions may be less in frequency but higher in financial risk. These types of risks include the valuation of raw materials for VAT purposes before such materials are incorporated into a final product, or the lack of segregation between goods to be sold on the foreign country’s domestic market as opposed to those which may be shipped through a free trade zone for sale outside that country’s domestic market.
Licensing and Permits. Your company is a retail seller of clothes and cosmetics and you do not understand how the FCPA applies to your foreign sales operations? Every physical location that you sell your goods in will require some type of license to operate your business. It could require multiple licenses such as a national license, state license and local municipal license, additionally you will need a building permit if you intend to build out or modify your retail stores.
Work Permits and Visas. If your company franchises overseas it will have to send someone from the home office to operate in-country at some point. In the post-9/11 world this probably means that, at a minimum, your company will have to obtain a visa for each employee who enters the foreign country and perhaps a work permit as well. The visa process can start in the United States with a trip to foreign government consulate or even the embassy and at that point you are dealing with a foreign governmental official. The work permit process can also begin in the United States but often may continue in the foreign country.
Inspections and Certifications. Consider the Tex-Mex restaurant chain that desires to take this cuisine across the world. In any city in the world there will be some type of certification process to enable to the business to set up and start operating and then there will be the need for ongoing inspections for sanitary conditions. Such inspections may be rare but if there is “slime in the ice machine” it may be grounds to close the restaurant.

How would all of this play out for a franchisor? As a franchisor moves into foreign markets there could well be the temptation to “grease the skids” and make payments or offer gifts to government officials, or their family members, to get the permits or permissions necessary to open and operate. In many countries, bribery is a common way of getting business done, and there can be tremendous pressure from local agents or franchisee candidates to follow regional customs and use bribes to become or remain competitive. Even if it is not the US franchisor’s own employees that engage in the FCPA violations, the US franchisor will still face the risk of an enforcement action if the franchisee’s employees engage in such conduct.

© Thomas R. Fox, 2015

Leave a Comment

January 26, 2015

Good Bye to Mr. Cub, the Siege of Vienna and Doing More Compliance with Less

Filed under: Best Practices,Chief Compliance Officer,Compliance,compliance programs,FCPA,Financial Times,Ft,Innovation — tfoxlaw @ 12:01 am
Tags: best practices, compliance programs, Cub, Ernie Banks, ethical leadership, ethics, ethics and compliance, FT

Let’s play two! That was perhaps the most famous maxim from Ernie Banks, who died this past weekend at the age of 83. As for a sobriquet, it does not get much better than being known as ‘Mr. Cub’ from any baseball fan from 9 to 90. Banks was famous as one of the greatest power-hitting shortstops, leading the National League (NL) in homers and runs batted in, while playing that position as an All-Star in 1958 and 1959. He ended up with over 500 career home runs, when that actually meant something. But he was also known as ‘Mr. Sunshine’ for having one of the most pleasant dispositions of anyone ever to play Major League Baseball (MLB). He remained close to the Cubs team and made frequent appearances at their spring training grounds, in Arizona. Author Harry Strong wrote in 2013 that “the Chicago Cubs do not have a mascot, but they hardly need one when the face of the franchise is still so visible.” Mr. Cub indeed.

I also considered the invasion of Europe by the Ottoman Empire that culminated in the siege of Vienna, in 1683. This marked the high-water mark for the Ottomans and after their defeat they began a long slide until they became known as the ‘sick man of Europe’ in the early 1900s. One of the more interesting things I learned was that the original walls surrounding Vienna had been constructed from monies paid to the Holy Roman Emperor as his ransom for releasing the English King Richard the Lionhearted back in 1194. Talk about getting some serious value for your spending.

I thought about that initial use of monies by the Holy Roman Emperor, who was then the King of Vienna almost 500 years before the Ottoman invasion and how the later walls of Vienna were re-engineered to repulse not only more modern siege weapons but even the advent of gunpowder and cannon fire which the Ottomans tried to use to batter the city into submission.

While the rest of the US economy is finally on an uptick, things down here in Texas are not so rosy with the price of oil hovering at less than $50 per barrel. Major energy service companies have announced cutbacks in spending and layoffs have commenced in a major way, with some companies trimming their work force by over 10% at this early stage. Even companies that have not laid off workers, as yet, are seriously considering no raises or bonuses for the largest parts of their employee base for 2015. For those in the compliance space, viewed as non-revenue generating overhead, things are beginning to get ugly, if not downright scary.

What does this economic reversal mean for compliance? First, and foremost, your compliance function has to continue to operate to prevent, detect and remediate compliance issues. The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) will not consider arguments that ‘we did all we could with what we had’ when you are still operating in places where there is a high indicia of bribery and corruption. But what do Mr. Cub and the Siege of Vienna have with this economic conundrum facing those Chief Compliance Officers (CCOs) and compliance practitioners in the energy space? Both of these examples point out that you can use other parts of your organization to affect your compliance efforts going forward. Banks was associated with the Cubs for over 60 years. The walls of Vienna, originally constructed in the 13^th century, were used as a base for the next 400 years. I have long advocated that your Human Resource (HR) function should be a first-rate friend of your compliance function. There are several areas where HR has expertise that can facilitate your compliance efforts going forward. These include hiring, employee evaluation and succession planning to help enable you to hire, reward and promote employees with the values that compliment your compliance efforts.

Other areas include the IT and Marketing departments. Another person I would add is the Corporate Secretary, the reason for this is that the Corporate Secretary has several constituencies within the company that he or she may work with and for. This can provide an opportunity to view a company’s ethics and compliance program and to help shape and direct it. The Corporate Secretary, head of IT or Marketing may be excellent resources to the CCO, that may be under-utilized. It might be worth a cup of coffee or short meeting to see what they might think about your ethics and compliance program or how they might be able to assist you in your efforts.

Another way to think through some of these issues was presented in a recent article in the Financial Times (FT) Fast Times column, entitled “Local lessons for taking on the world”, by Tyler Brûlé. In this article he pointed to some roundtable discussions he attended at the recent conference in Davos, where local mayors discussed some “tried – and – tested policies for governing thousands of people that can be applied to millions of people”. I found them some excellent thoughts for a CCO or compliance practitioner who might be required to do more with less on a rather immediate basis.

Degree or not degree. The Swiss do not believe that a person must have an advanced degree to fix high-speed cabling above a mountain pass or to be a fine hotel general manager. Brûlé notes there is “An emphasis on apprenticeships and vocational education means more workers with useful skills, rather than thousands of unemployed people with useless degrees.” For the CCO, think about using non-lawyer resources in key roles such as using a well-trained paralegal to oversee your ongoing third party program.

Support compliance locally. With an emphasis on not just locally grown but also locally made, the Swiss use this practice to aid many different and diverse areas from protecting small businesses to wasteful global logistics. Brûlé said that “Buying local helps expand the wealth base and forces big retailers to cater to an audience who appreciate that many items are still Made in Switzerland.” For the compliance practitioner this means using more local resources to home grow compliance in various regions outside the US.

Join the compliance community. Brûlé believes that “New arrivals need to recognize that they’re signing up to Switzerland’s social codes, and not the other way around.” While this might not seem Politically Correct from the political perspective, from the compliance perspective you should work more closely with HR to hire folks who profess the same values that you espouse.

High-value versus value engineering. Brûlé writes that the Swiss have “A tradition of building infrastructure, housing and offices right the first time rather than engineering them so they need to be updated constantly creates a culture where quality is admired and consumers expect value for money rather than settling for “good enough”.” I recognize that programs, policies and procedures need fine-tuning, however, from the walls of Vienna being in use for over 400 years to the Cubs using Ernie Banks as an institution for nearly that long shows that high-value can be derived from multiple sources. As a compliance practitioner you are only limited by your own imagination to make things work, through trial and error if need be but you can create something which will work for some time.

Talk to me. Interestingly Brûlé found that “the Swiss are among the lowest users of social media in Europe.” He chalked this up to “village life, good public transport and a sense of community.” If there is one skill a CCO or compliance practitioner should learn, work on and employ continuously it is to listen. Beyond that your employee base is in large part looking for your input on how to do business ethically and in compliance. So talk to them as well.

So farewell to Ernie Banks and I hope that the Cubs have a better century in the 21^st than they had in the 20^th.

© Thomas R. Fox, 2015

Leave a Comment

January 23, 2015

From NH to Hollywood and Compliance Lessons from the Twins-interview with Jay Rosen

Filed under: Compliance,Compliance and Ethics,compliance programs,FCPA,Jay Rosen,Language — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs

Where did you grow up? What was it like in NH?

I grew up in Manchester, NH which the largest “city” in Southern New Hampshire with 100,000 residents. We are effectively a bedroom community of Boston, which informs my fervent support of all things Boston: baked beans and Red Sox included as well as all things New England: clam chowda and Patriots!

In high school, I decided I wanted to see free movies and get free records (now I am dating myself). Thus I became the newspaper’s resident movie and music critic.

Where did you go to college, what did you study and why did you leave the family business?

I had had enough frozen mornings in New Hampshire, so I thought I would make my way south to The Wharton School at the University of Pennsylvania in Philly. There something happened along the way…. My roommate John Chadwick saw a flyer for UTV (University Television), the on-campus student TV station. He dialed up the number and shoved the phone in front of me – I stumbled and mumbled and said, “I would like to work at the station…”

What took you to LA? Describe your job progression.

After rising from production assistant (“PA”) to Station Manager three years later, I decided this entertainment thing was pretty cool. This led to Hollywood where I got my start working in the mail room at Triad Artists. In less than 6 months, I was being promoted to be an assistant on a Literary Agent’s desk. Literary agents represent .writers and directors, while talent agents represent actors. Right before my promotion, I received a call one morning at 6:00 AM. My new boss had accepted a job at a competing agency and asked if I wanted to join him.

First ethical lesson. I called my Dad and asked him whether I should go. He said that Triad had invested time and resources in me and suggested I stay. Then I called my Uncle Charles, who worked for Ogilvy & Mather. Charles said, “Pack your bags.” So I went to work that day waiting for my new boss to submit his resignation. Only problem was there was no one for him to quit to. Before I knew it, it was 2PM and still no call. Finally he calls. In less than four hours, I train my replacement, pack a banker’s box with my belongings and am escorted out of the office by a security officer. Welcome to the corporate world!

I continued on with the new agency and found my way to 20^th Century Fox where I had a wonderful mentor, Kimberly Cooper, who knew that I ultimately wanted to produce and write screenplays. This led to my brief career as a screenwriter where my writing partner and I got paid to write, rewrite and then paid not to write at all. During our creative partnership we wrote 10 screenplays, but unfortunately we were never able to get our projects on the big screen. My last fling with Hollywood was working as the assistant to the executive producer on “The Perfect Storm,” the film based on the novel by Sebastian Junger, directed by Wolfgang Peterson and starring George Clooney and Mark Wahlberg (Yes Rebecca, I purposely name-checked all these peeps just for you).

So I joined a middle market investment bank in Los Angeles which was started by former Houlihan Lokey and Merrill Lynch investment bankers. As this was a startup, in addition to my business development duties, I also received a crash course on investment banking. I helped the firm close transactions in the Consulting, Healthcare, Health Clubs, Restaurants and Recreation and eDiscovery sectors. All was going well until the fall of 2008. With the market crashing, and 8 month old twin daughters, now was not a good time to get downsized…. or was it?

How did these jobs lead you to translation services?

Life has a funny way of teaching you the skills and preparing you for the next steps in your career. Even though you may have little to no awareness that this is happening at the moment. As I needed to find my next gig, I reached out to my virtual network on LinkedIn. One of my vendors at the investment bank saw that I had an entertainment background. He and his firm wanted to use a virtual data room (VDR) as a green technology solution to securely share screenplay assets in a studio environment. When I started at the office, I learned that this company made the bulk of their revenue from selling translations. I soon began to absorb the legal translation sale process from my office mate. I next became involved with an end-to-end foreign language eDiscovery solutions called PEARL. One of the partners said that PEARL should be used for every FCPA matter. I rushed home. Googled “FCPA” and decided that the Fairfax County (home of my wonderful in-laws) Park Association was not the FCPA I was looking for… and then, two entries down the angels sang and I was bathed in the most incredible golden light. I had discovered the four most beautiful letters in the alphabet FCPA, the Foreign Corrupt Practices Act.

How has your view of translation services evolved from a reactive product to a preventative tool?

For me, it was quite intuitive. I posited that most FCPA matters, whether they were investigations, monitorships or preventative mandates would require some form of translations as these matters are global in nature. While Merrill has had the fortune to work on some major “above the fold” multinational FCPA investigations, transnational litigation and global IP litigation matters, I felt that there must be more we can do from a proactive perspective. Our clients began to ask us whether or not we could assist them with localizing their Code of Conduct as well as other global companywide communications.

I began to focus on a second front of not only helping our clients increase efficiency and save costs on their investigations, but I also began collaborating with my Merrill colleagues to reach out to our clients and educate them on the benefits or proactively using translations as an insurance policy to inoculate and insulate the Company’s anti-bribery and anti-corruption exposure with qualified, outsourced, independent translation solutions. Although many companies try to leverage existing internal translation solutions – such as foreign language fluent assistants, overseas associates or other on-the-ground personnel (forensic analysts and document reviewers), they fail to understand the risk they incur by using non-trained, translations resources who are not able to attest to and certify the accuracy of their translation work product. Beside incurring any internal and opportunity costs by avoiding professional translation resources, they potentially expose themselves to a greater risk.

You have written many ethics lessons you have learned from your daughters? Can you describe their similarities and differences AND what parts of you or Rebecca are in each.

Michaela and Millie were born 10 weeks premature on Sunday, February 3, 2008. The date of the Patriots first Super Bowl loss to the New York (Football) Giants. Michaela came out first and then it seemed like an eternity (4 minutes) until Millie was untangled from both umbilical cords and finally emerged. They went through a 41-day stay in the NICU and miraculously were discharged on the same day! Michaela, being the oldest, quite often takes the lead and asks for and usually gets whatever she wants. She is the plotter of the crimes and Millie executes. Millie is definitely a people pleaser and wants to make sure that not only her older sister, but her mom and dad are happy and content.

Millie is often concerned with fairness and this is something that she definitely gets from Rebecca. Michaela is more of the comedienne and quite often acts goofy, which is a reflection of me. Depending on who you ask and what day it is, people say Millie has my pudgy Rosen cheeks and Michaela has Rebecca’s fair complexion and straight hair. All I know is that Rebecca and I are so fortunate that we had the help of our doctors to conceive and bring these two wonderful girls into the world.

Jay Rosen can be reached at jay.rosen@merrillcorp.com.

The other day we were walking in our second home, the Happiest Place on Earth, Disneyland and Millie was casually strolling with her arm loosely draped over her sister’s back. I looked a Rebecca and she said, “Either we are doing something right or those two girls just love each other”. We both look forward to learning more lessons from them as the days and years go by.

© Thomas R. Fox, 2015

Leave a Comment

January 22, 2015

Both Sides Now and Asking the Right Compliance Questions

Filed under: Best Practices,Bribery and Corruption,Chief Compliance Officer,Compliance,Compliance and Ethics,compliance programs,Innovation,Marketing — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, ethical leadership, ethics and compliance

One of my favorite singers has always been Judy Collins. Like most of us, I was introduced to her through her interpretation of Joni Mitchell’s song Both Sides Now which she released in 1967. Joni Mitchell did not record her own version of this song until 1969. It was not until the 1990s that I became aware that Mitchell’s inspiration for the song was that she gave up a child she bore out of wedlock in the early 1960s. She managed to put all that pain into one of the most beautiful ballads I have ever heard. I also did not know that Judy Collins was the inspiration for the Crosby, Stills, Nash & Young song Suite: Judy Blue Eyes until I read an article about her in a recent Wall Street Journal (WSJ) article in Weekend Confidential column by Alexandra Wolf, entitled “Judy Collins”.

I thought about how long I mis-understood the genesis and import of these two songs when I read a recent article in the Winter 2015 edition of the MIT Sloan Management Review, entitled “The Power of Asking Pivotal Questions” by Paul J. H. Schoemaker and Steven Krupp. The authors posit that “In a rapidly changing business landscape, executives need the ability to quickly spot both new opportunities and hidden risks. Asking the right questions can help you broaden your perspective — and make smarter decisions.” Their findings showed that to help managers make better decisions they needed to (1) examine broad market trends and less visible undercurrents; (2) seek out diverse viewpoints to allow multiple views of complex issues; and (3) actually push back if consensus comes together too quickly. They posed six questions, which I believe have some direct insights and are important for the Chief Compliance Officer (CCO) or compliance practitioner so I have adapted their findings directly for the compliance function.

Think Outside In. The authors ask, “How well do you understand the implications of broad market trends and less visible undercurrents for your business and for upcoming strategic choices?” Here I think compliance practitioners need to understand not only what your business does but equally importantly where it is going. This is also true about where compliance itself is going as the Department of Justice (DOJ) now requires that companies which enter into Deferred Prosecution Agreements (DPAs) keep abreast of both technological innovations and also industry trends in compliance. To engage in some of the authors’ suggestions, you need to go to conferences outside the compliance function and to leverage your current networks and join new ones.

Explore Future Scenarios. In this query, you will need to consider, “How thoroughly have you analyzed major external uncertainties and future scenarios that could significantly impact your business decisions?” The authors point to war-gaming as an example of scenario planning. While a CCO may feel like he or she only has time to put out fires, you need to consider what may become the ‘elephant in the room’. Consider the example of GlaxoSmithKline PLC (GSK) in China. The new Chinese government had clearly been signaling an upcoming drive against bribery and corruption. It was only a matter of time until a western company got caught up in its dragnet. Yet, even with specific knowledge of a high ranking party functionary making internal whistleblower claims, GSK not only could not uncover its own systemic corruption but was caught flat-footed when Chinese officials brought forward substantive allegations and evidence of corruption. To help with this issue, the authors suggest you ask questions about the external business environment and to “scout for the periphery” of emerging compliance or regulatory trends. You should also follow developments in your industry to anticipate where the DOJ or Securities and Exchange Commission (SEC) might be going next with enforcement.

Be a Contrarian. This question focuses on diversity of opinions by asking, “Do you regularly seek out diverse views to see multiple sides of complex issues, and do you purposely explore important problems from several angles?” This is an ongoing battle that many corporate senior managers, including compliance practitioners, face, that being to “promote diverse and creative friction.” A CCO must learn to ask if the compliance team team has sought sufficient contrarian input and been exposed to all sides of an issue before reaching a decision. While it is possible to counter the tendency of many compliance practitioners to go along to get along; offering contrarian compliance views are particularly essential when tackling major strategic decisions in an uncertain environment. The authors recommend you use such techniques as fostering constructive debate in meetings, pushing back when consensus groups form too quickly and designate specific devil’s advocates to argue the case against the prevailing views or conventional wisdom.

Look for Patterns. Taking a more analytical approach, the authors inquired as to whether “you deploy multiple lenses to connect dots from diverse sources and stakeholders, and do you delve deep to see important connections that others miss?” Connecting the dots entered the lexicon most prominently after 9/11. However it is an importance concept for the compliance practitioner as well. You need to be able to “amplify discrete data points, connect them and take decisive action” because many compliance practitioners are limited by selective perception and seek information that confirms what they wish to believe.

To overcome this information bias, the authors suggest that you utilize the following strategies. One is to “Look for competing explanations to challenge your observations” as this allows you to “engage a wide range of stakeholders, customers and strategic partners to weigh in.” A second is that when you are “stuck trying to recognize patterns or interpret complex data, step away, get some distance and then try again. Sleep on the data, since the mind continues to process information when resting.” This is because each time you take “a break, and then reengaged, he got a deeper understanding and asked better questions.” Finally, do not forget the power of pictures, visualization and charts. You can “use visual graphs or flowcharts to juxtapose the larger picture with the individual puzzle pieces. Pattern recognition is easier when all the information is clearly laid out and presented in different ways.”

Create New Options. Under this prong, the authors investigate whether “you generate and evaluate multiple options when making a strategic decision, and do you consider the risks of each, including unintended consequences?” The authors believe that few senior leaders will “engage in creative thinking.” This can also be true for the compliance practitioner. The authors posit that “When people feel pressed for time, they become less flexible and much prefer certainty to ambiguity. Ambiguity aversion is typically heightened in crisis situations and can lead to cognitive myopia, a narrow focus that can be counterproductive.” To overcome this tendency to cut corners when we are under the gun the authors suggest the following. The first technique is to not simply present “binary go/no-go decisions, reframe a situation to always examine several more options.” Particularly as a compliance practitioner, with or without legal training, you should always inquire as to what else might we do? The second suggestion is to utilize “impromptu meetings when time is limited to generate more options, including unconventional choices. The Midnight Rambler crew did this during a major crisis.” Finally, you should work to “review alternatives based on clear criteria and rank options accordingly.” From this you should work to “Clearly define decision criteria, make them explicit, weigh them and then score each option against the criteria to identify the best choice. Be disciplined when it comes to making tough trade-offs.”

Learn From Failure. The authors want to know if you encourage experiments and “failing fast” as a source of innovation and quick learning? If there is one area that a compliance practitioner will always face, it is failure. There will always be instances where an employee violates your Code of Conduct or compliance program. It does not matter if you are the World’s Most Ethical Company or somewhere below that level in the compliance strata. But as Paul McNulty said, “What did you do about it when you found out?”, remember this is his Maxim Number 3. The authors write that “Learning from mistakes has much to do with a leader’s mind-set and the questions that he or she asks both before and after an unexpected event occurs. Strategic decision makers abandon the pursuit of perfection, allow some room for well-intentioned mistakes, and examine what went wrong and why. What matters is how well a team learns from setbacks and what mode of inquiry it allows. The best teams try to fail fast, often and cheaply in search of innovation.”

The authors suggest three steps to help facilitate McNulty’s Maxim Number 3. First is to “Shine a light on mistakes as a source of new learning.” Do not bury or hide your miss-steps. Be open about them. Second, you cannot learn from your mistakes unless you study them so if your compliance regime fails in some way, perform a root cause analysis to determine the reason. Lastly, use your miss-steps as teaching moments going forward. The authors note that you should “Publicize stories about failed projects that led to innovative solutions. Praise those who learned from their errors and try to extract learning from near misses.”

Leave a Comment

January 21, 2015

Just Say No, the Power of No and Compliance

Filed under: Best Practices,Chief Compliance Officer,Compliance,compliance programs — tfoxlaw @ 12:01 am

What is the first thing that you think of about Former First Lady Nancy Reagan? Right up there for me is three things actually Just Say No, which was her campaign against not only drug abuse but also premarital sex in the 1980s. Chief Compliance Officers (CCOs) fear being known as ‘Dr. No’ and compliance practitioners generally fear inhabiting the ‘Land of No’.

However sometimes as a compliance professional you are called upon to do just that, channel your inner Nancy Reagan and Just Say No. Occasionally you must say ‘No’ to conduct which might violate your company’s Code of Conduct or get your business in hot water for a violation of the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption compliance law. Sometimes, as Chuck Duross once intoned, you may have to be ‘The Alamo’ (not the slaughtered part, the line in the sand part). But sometimes you may want to say ‘No’ for yet another reason altogether; that being by saying ‘No’ you may actually be opening yourself up to other solutions.

I thought about this concept when I read an article in the Financial Times (FT) Undercover economist column, entitled “The power of saying ‘no’”, by Tim Harford. Hartford who looked at saying ‘No’ from an economist’s perspective referred to it as “hyperbolic discounting” which he, in part, defined as follows, “Adopt a rule that no new task can be deferred: if accepted, it must be the new priority. Last come, first served. The immediate consequence is that no project may be taken on unless it’s worth dropping everything to work on it. This is, of course, absurd. Yet there is a bit of mad genius in it, if I do say so myself. Anyone who sticks to the “last come, first served” rule will find their task list bracingly brief and focused.”

But there is another economic principle at play with the use of the word ‘No’. Harford said, “It’s the idea that everything has an opportunity cost. The opportunity cost of anything is whatever you had to give up to get it. Opportunity cost is one of those concepts in economics that seem simple but confuse everyone, including trained economists.” Moreover by saying ‘yes’ to one thing, we are by definition saying ‘No’ to something else. Harford believes that is something that should be considered if you do not say ‘No’.

This concept is what Jan Farley, the CCO at Dresser-Rand, talks about when he say that you do not want to spread your compliance program too thin. Farley has said that you cannot stretch your compliance program so thin that you try and cover everything so that you miss the larger FCPA or UK Bribery Act risks that your company faces. For the CCO or compliance practitioner, this requires you to assess your risks and then work to remediate those risks going forward. But you cannot deliver the necessary resources to a risk unless it is properly evaluated. With such a protocol in place, you will then be in a position to not only say ‘No’ but to be able to articulate your reasons for doing so if a regulator comes knocking.

So if your company’s sales model is to use third parties, that is probably your highest risk, then prioritize your time and compliance budget on managing that risk, initially before you move on to other compliance risks. Conversely, if your sales model is to use employees, then put your time and effort into managing that risk, through training and monitoring employees regarding their interactions with foreign officials. Do not spend your time, budget and energy on managing the risk of low to no-risk parties and issues. There is no substitute for carefully thinking through your company’s risk profile.

Just say no also relates to some ideas put forward in a recent New York Times (NYT) Corner Office column by Adam Bryant. In an article, entitled “The Upside of Being Replaceable”, Bryant interviewed Kristin Muhlner, the Chief Executive Officer (CEO) of NewBrand Analytics, a provider of social media monitoring. One of Muhlner’s early lessons in the corporate world was that everyone’s replaceable. She said this was because large companies are run like armies where everyone is replaceable. However Muhlner found not only an upside to this concept but also comfort in it. She said, “The wonderful thing is that you cultivate this sense that you are not the center of the universe. If you leave, someone will replace you, the circle will close and it just doesn’t matter. That lesson has been helpful because it is really easy, as you move up in your career, to think that you’ve got to be involved in everything.” In other words, you do not have to know everything and by extension, you do not have to do everything. You can just say no sometimes.

Another key lesson that Muhlner has learned is patience. This can be with a person or a situation where you may need to “let things play out a bit. People often come to you and say “We’ve got to fix this now.” And it’s very rare that you have to act immediately. You have to have the patience to say, “I’m going to evaluate the situation and the individuals involved, and I might choose to act on this, and I might not choose to act on this right now.””

Muhlner’s thoughts on how to advance culture were also insightful. She said that she has found employees want to feel connected. She said, “people just have this incredible thirst to be connected, and they need multiple reinforcing points of communication. I have to remind myself over and over not to assume that everyone knows something. I’ve started sending out an email once a week called “Where’s Waldo?” The email is just to say where people are, like that our V.P. of sales is meeting with this company. It’s amazing the reaction that it gets from people, because they feel like, wow, cool stuff’s happening, and now I know why he’s not responding to my email today. It helps.” For the compliance practitioner, this clearly shows the power of creating and distributing short messages about compliance.

Harford’s article and Muhlner’s interview drove home a message that compliance practitioners may not usually embrace. Saying ‘No’ can sometimes be the right call when it comes to delivering your compliance resources to your compliance issues. While saying no to high-risk business ventures may be a harder sell to CEO types, it may well be that Nancy Reagan’s admonition to Just Say No can be more effective to deliver a better and more efficient compliance service to those who may need it the most.

Leave a Comment

January 20, 2015

Language Solutions as Preventative Tool in Anti-Corruption Compliance

Filed under: Uncategorized — tfoxlaw @ 12:01 am

Ed. Note-I partnered with Merrill-Brink to write a White Paper on the use of local languages as a preventative tool in FCPA, UK Bribery Act and anti-corruption compliance. Today’s blog post is an excerpt from the full article entitled, “From ‘Detect’ to ‘Prevent’: Translation Solutions as a Preventative Tool in Your Anti-Corruption Program“, which can be found by clicking here.

I often write and talk about what I call ‘McNulty’s Maxims’ on the three questions he would ask to determine the effectiveness of an anti-corruption program. The queries are as follows: (1) What did you do to prevent it?; (2) What did you do to detect it?; and (3) What did you do when you found out about it? These three questions became part of the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) Guidance when they stated, “A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.”

The FCPA Guidance also goes on to say that use of local language is a key component to a minimum best practice FCPA compliance program when it said, “Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it.” But more than this simple prescription the understanding of how to treat foreign languages has bewildered many companies, particularly when they have faced a multi-nation and multi-lingual internal investigation.

Many compliance practitioners do not normally consider translations as a part of an effective compliance program. However, I believe that through the effective use of translation services, companies can use language localizations as a part of the answers to McNulty’s Maxims and to use language to move from detect to prevent in any best practices anti-corruption compliance program. The key is to think globally, both for the extraordinary events any multi-national company might face and the ordinary, day-to-day work of the compliance practitioner. By doing so you can move from a simple detect mode only to using language as a part of your preventative prong as well.

However, more than simply using language translation as a part of your detection prong of a best practices anti-corruption compliance program, through the localization of the languages in a multi-national organization, you can move towards prevention of a potential FCPA violation. Any best practices compliance program is going to have a wide number of documents to govern and guide its employees.

The FCPA Guidance provided a clear statement that the government expects language localization to be used. In two of the hypotheticals, the Guidance contrasted one company, which after an acquisition, circulated its “compliance policies to all new personnel after the acquisition, it does not translate the compliance policies into the local language or train its new personnel or third-party agents on anti-corruption issues.” When conduct violative of the FCPA continued to occur after the acquisition, the DOJ indicated that it would prosecute under the facts presented.

This was contrasted with a fact pattern where, in another post acquisition setting, Company B’s business lines were merged into Company A’s own robust internal controls, including “its anti-corruption and compliance policies, which it communicates to its new employees through required online and in-person training in the local language.” Based upon these factors, “DOJ and SEC have declined to prosecute companies like Company A in similar circumstances.”

It is clear from these hypotheticals, that the use of localized language can not only help a company demonstrate to the DOJ that it does have an effective compliance program but also that such localization of language can help to prevent conduct from becoming full blow FCPA violations. Consider what the Guidance says about training, “Regardless of how a company chooses to conduct its training, however, the information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language.” Simply giving your FCPA training in English, even if your company has a worldwide English language use policy in place, will not be sufficient.

By their nature FCPA investigations demand a different level of sophistication and execution. Moreover, document translation is not an isolated event. By engaging a professional LSP to help you set up a foreign document review protocol, you can leverage filtering and translation solutions that will result in a more cost and time efficient language management process and assist in preventing corruption issues from becoming FCPA violations. In other words, document translations can be a part of your preventative prong.

Depending on the type of organization, manufacturing, sales, distribution, or a combination of all three and the number of countries and the local languages where your company conducts global business, your business will most likely need to translate or localize some, if not all, of the following documents:

Code of Conduct
Anti-Bribery Policy
Anti-Corruption Policy
Third Party Due Diligence Questionnaire
Contracts

Ethics and legal compliance documents usually fall under the scope of corporate legal or compliance, HR, internal audit or training stakeholders. In some corporations, the documents may also belong to an import/export or ITAR group. Source material will most often be in English and require translation into a number of languages. These services may be sourced directly by your Company or through outside counsel.

Often, local stakeholders may suggest engaging “in-country” resources to translate these materials. These resources are often bi-lingual employees whose primary role is something other than translation. While certain internal communications may be best handled by “in-country” resources, the timely translation of ethics and compliance documents is usually best accomplished when outsourced to a trusted LSP who is accountable for meeting quality standards and delivery deadlines. “In-country” resources can be valuable partners for reviewing translated content to ensure it meets local standards but such partnerships between outside LSP and internal resources are highly recommended.

Once the documents have been translated, the LSP will maintain a Translation Memory (“TM”) that can be leveraged to minimize the costs of future code and policy updates as well as repurposing ethics and compliance material for eLearning, HR, internal audit, and training. This means that once you complete the initial translation of key compliance program documents, you will only need to update them on your regular updating rotation, typically every two to three years. Moreover, you can use your base compliance documents and your training documents on a rotating basis. Finally, you can use these same documents to expand the reach of your compliance program by training third parties in your sale side or supply chain, which is fast becoming a minimum best practice; which not only the DOJ and SEC expect to see, but also businesses up your chain that you might contract with.

Scott Killingsworth has coined the phrase ‘private-to-private’ or “P2P” for the phenomena that I called a business solution to a legal issue. In practice it works something like this. A company needs a product or service. As part of the regular contracting process, the company will inquire into the contractor’s compliance function and policy. If the contractor provides a service which deals with a foreign government in any way or has foreign government touch points, the service company may well come and audit the contractor’s compliance program prior to executing the contract. Thereafter the contractor is subject to being audited for not only the execution of the contract but also the continued maintenance of its compliance program. All of this is done for business reasons. It is a business response to a legal issue, that being compliance with the FCPA. However, through the use of localized language you will be able to go far towards satisfying any business partner who may want to review the overall effectiveness of your compliance program.

Finally, engage a LSP with specific subject matter expertise (SME) in FCPA and UK Bribery Act (UKBA) ethics and compliance translation and localization. This allows you to leverage not only your own company’s internal resources but a LSP with specific FCPA or UKBA experience. This experience will enable your compliance program to have the full benefit of service provider with a solid anti-corruption/anti-bribery focus to assist in the maturing of your compliance regime.

By seeking out a professional and reputable legal translation solutions provider, the Company will be taking an important first step in guaranteeing the quality of its ethics and compliance translations and establishing the cornerstone of a global corporate compliance and ethics translation program. You will also follow the prescripts of both McNulty’s Maxims and the FCPA guidance by moving the use of language from only a detect component of your anti-corruption compliance program but to a more sophisticated and more cost-effective prevent mode.

Leave a Comment

January 19, 2015

Revisiting The Raven and Visiting Foreign Subsidiaries

Filed under: Best Practices,Chief Compliance Officer,Compliance and Ethics,compliance programs,Department of Justice — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, ethical leadership, ethics and compliance

Today we celebrate the birth of one of America’s most iconic authors, Edgar Allen Poe, who was born on this day in Boston, Massachusetts. Anyone who reads or watches a mystery show on television owes a debt to Poe for inventing the genre. Poe flunked out of West Point but later became an editor at the Southern Literary Messenger in Richmond, Virginia. He wrote the poem The Raven and short stories like The Fall of the House of Usher and The Tell-Tale Heart. In the mid-1830s he began to write mystery stories, including The Murders in the Rue Morgue and The Purloined Letter – works that would earn him a reputation as the father of the modern detective story. He died in 1849.

I thought about his well-known sad tale when I read a recent article in the MIT Sloan Management Review by Cyril Bouquet, Jean-Louis Barsoux and Orly Levy, entitled “The Perils of Attention from Headquarters”. The authors had a very different perspective on what I thought to be a rather mundane issue; that being visits to markets outside the US by senior management from US corporate headquarters. The authors posited, “Operations in growing markets such as China often draw substantial attention from corporate headquarters. Unfortunately, that attention does not always add value — and can even impede performance.” The authors studied this issue in an international workshop they ran for “managers of foreign subsidiaries on how to manage the attention of headquarters staff.” Given the current attention that Chief Compliance Officers (CCOs) and compliance practitioners need to spend on China specifically, and international operations more generally, I thought the article had some excellent insights for the compliance function going forward.

The authors identified four major issues in their workshop. The first was the number of visits, which was articulated as “The overriding complaint from China subsidiary managers concerns the number of visits from head office staff.” I found a related complaint perhaps less self-obvious, “Not only do they come often, but they want to spend more time, and they all come on weekends! For my team, it means that nearly every weekend, there is somebody to entertain.” The second issued raised was the inevitable increased workload after such a visit. The authors wrote, “The visits also generate follow-up work and online meetings that can interfere with running the business. According to the China sales head of a European water utility group: “The local people get frustrated because the global people, after they return, keep asking for more information. … But we don’t have 500 people running around who are able to produce a report overnight.””

The next two concerns were closely related. They involved a lack of understanding and, more importantly, a lack of listening by senior management from western countries such as US, or those in Europe. While this first concern may not be as true in the area of compliance it is certainly worth noting that the authors said, “The third area of frustration had to do with the perceived lack of understanding and realism of headquarters executives. Although headquarters visits to China subsidiaries were intended to build trust and alignment, subsidiary managers reported that the visits often had the opposite effect.” Finally, is the age-old bugaboo of failing to listen. The authors stated, “Frequent visits from headquarters are allegedly driven by a desire to “learn,” “exchange ideas” or “help the local operations,” but that’s not how local managers always perceive these interactions. According to the subsidiary head of a European express delivery group, “The code word for ‘fix’ is ‘help.’ They say ‘we’re coming to help.’ No, they’re not. They’re coming to fix. Trust me.””

But the authors did more than simply list out the problems they observed in their workshop. They provided recommendations for “healthier dynamics between corporate headquarters and affiliates.” I have adapted them for the CCO or compliance practitioner.

Encourage open dialogue. As a precondition for adding compliance value, you, as a compliance practitioner, must work to understand the business of the foreign subsidiary, which requires a willingness to listen and to engage in unstructured interactions. “Where possible, try to spend time with customers and frontline employees, and to travel to places other than Shanghai and Beijing,” advised the China head of a US sanitation technology group.
Play the role of consultant or coach. Certainly in the current anti-corruption enforcement environment, a CCO or compliance function should put a foreign business unit interest in driving compliance at the top of the agenda. They quoted one China country manager of a US consumer goods company for the following, ““In our case, the affiliate is the entrepreneur and the corporate head office staff are the consultants who are here to support us,” he said. “The moment that you get experts coming out from the corporate headquarters telling you what to do, then that would be very frustrating, particularly in a place like China.”” A compliance function must to work not only with but also for an international business unit. Remember you are the compliance professional and expert.
Be a problem solver. The compliance practitioner should not be a problem creator but a problem solver, not Dr. No from the Land of No. So not only should you be challenging subsidiary managers and helping them develop their compliance plans, but you should work to “actually do things for the subsidiary managers. Indeed, rather than organizing their time in China around their own priorities, executives from headquarters should reserve some time to support the subsidiary managers’ priorities.” The authors quoted one Chinese business unit head of government affairs and corporate communications for a US health-care group for the following, ““Sometimes we need to leverage higher people from global to do what we cannot do [with] our own personnel in China.””

But there is also a role for the foreign subsidiary in this process. If something really is ‘mission impossible’ for the compliance function or other function in a foreign business unit, it is the responsibility of that group to raise the concern. Simply smiling and nodding your head will lead to a severe backlash after the corporate executive group leaves and the initiative or project is not met. A second area is that the subsidiary needs to help make the corporate folks understand the culture. Listening by corporate can only be facilitated if someone from the local subsidiary is communicating with them during a visit. The authors end by stating, “Ultimately, subsidiary managers need to move beyond their frustrations with headquarters and take some responsibility for managing the relationship. As a country manager who successfully turned around his corporation’s China operation observed, how a subsidiary manager frames the visits from headquarters executives is key: “If you see the visit as a burden, then it will be a burden for you. But you can also see it as an opportunity to bring across the core messages you want to deliver and to help people understand a specific topic.””

I found this article quite interesting because it tackles an issue from the perspective not often considered in compliance, that of the foreign subsidiary. There are many ways to do business ethically and in compliance. By taking the time to visit a foreign subsidiary and to listen, a CCO or compliance practitioner can go a long way toward communicating a culture of compliance to use going forward.

Leave a Comment

FCPA Compliance and Ethics Blog

January 30, 2015

COSO and Internal Controls, Part II

January 29, 2015

Welcome to COSO and the World of Internal Controls – Part I

January 28, 2015

The Patriots, the NFL and Compliance

January 27, 2015

Franchising and Liability Under the FCPA

January 26, 2015

Good Bye to Mr. Cub, the Siege of Vienna and Doing More Compliance with Less

January 23, 2015

From NH to Hollywood and Compliance Lessons from the Twins-interview with Jay Rosen

January 22, 2015

Both Sides Now and Asking the Right Compliance Questions

January 21, 2015

Just Say No, the Power of No and Compliance

January 20, 2015

Language Solutions as Preventative Tool in Anti-Corruption Compliance

January 19, 2015

Revisiting The Raven and Visiting Foreign Subsidiaries

Blogroll

Pages

Admin

Read by Email

Recent Posts from FCPA Compliance and Ethics Report: FCPA Compliance and Ethics Report

Episode 240-Bill Coffin on Compliance Week 2016

Episode 239-Jonathan Armstong On EU Privacy Shield

Episode 238-John Allen on HR Touch Points in Compliance

Episode 237-Steve McCalmont on the Avior Risk Management Platform

Episode 236-Adam Turteltaub and SCCE CCO Survey