FCPA Compliance and Ethics Blog

September 12, 2014

The FCPA Compliance and Ethics Report

If you have not done so, I hope that you might go over to my podcast site, the FCPA Compliance and Ethics Report, to check out some of my recent podcasts. The episodes are between 20 and 30 minutes long and they are available for download on iTunes, so you can listen to them on your commute to work or when working out at the gym.

Internal Controls

I have begun a series on internal controls in a best practices FCPA compliance program with noted internal controls expert Henry Mixon. In Parts I & II, Mixon and I discuss the basics of what internal controls are. These podcasts supplement some of my recent blogs on internal controls.

Episode 85-What Are Internal Controls, Part I

Episode 87-What Are Internal Controls, Part II

HR and Compliance

One of the best allies for the compliance function in any company is the Human Resources department. I explore how HR can assist compliance in a myriad of components of any best practices compliance program.

Episode 86-Use of HR in a Compliance Program

Continuous Improvement of a Compliance Program

In the FCPA Guidance and in almost every speech I have heard by a Department of Justice official, they talk about how your compliance program should evolve to meet new compliance risks, changes in best practices, geographic markets where your company does business and new product/service offerings. You can do this by continuous improvement of your compliance program.

Episode 84-Continuous Improvement of Your Compliance Program

The Compliance EcoSystem

Jon Rydberg is the Founder and CEO of Orchid Advisors. He is also the former CCO of Smith & Wesson and was at the company when it navigated its way through an FCPA investigation and enforcement proceeding. From these experiences, Rydberg has developed a holistic approach to compliance which he has trademarked as the “Compliance EcoSystem”. I explore his ideas on a fully integrated approach to compliance.

Episode 83-Interview with Jon Rydberg

Use of Interviews in Your Compliance Program

Brian Ching is the most famous player in the history of the Houston Dynamos soccer club. Ching recently retired and moved into the front office as the General Manager of the Houston Dash, the Houston professional women’s soccer club. I interviewed Ching on his transition to management and how the Dash use the face-to-face interview process to not only assess the non-soccer skills that the team requires of its players but also to communicate the team’s expectations. There are some very significant insights about how a company can communicate its expectations regarding ethical business practices.

Episode 79-Interview with Brian Ching

The FCPA Professor

Last but certainly not least, I bring back the FCPA Professor for a two-part podcast on his new book The Foreign Corrupt Practices Act In a New Era.

Episode 80-Interview with the FCPA Professor, Part I

Episode 81-Interview with the FCPA Professor, Part II

A good weekend to all.

June 12, 2012

Napoleon’s Invasion of Russia and Risk Management

Poster: Napoleon's March

Today, June 12, is the traditional date given for Napoleon’s invasion of Russia. I cannot think of a better anniversary to use to introduce the discussion of risk management. Do you think he made a risk assessment so that he could manage his risks? If he did, what were his risks and how would he go about managing them? While more of a post-mortem than a risk assessment, the chart at the right is probably the best statistical graphic ever drawn. It is a data map drawn by Charles Joseph Minard showing the losses suffered by Napoleon’s army in the Russian campaign of 1812. Beginning at the Polish-Russian border, the thick band shows the size of the army at each position. The path of Napoleon’s retreat from Moscow in the bitterly cold winter is depicted by the dark lower band, which is tied to temperature and time scales. Certainly an excellent visual representation.

I thought about risk assessments and risk management when pondering that, as companies become more mature in their compliance programs, they can use the information generated in a risk assessment in a variety of ways to facilitate an overall risk management program. In an article in the June issue of the Harvard Business Review, entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes posit that the initial step a company must take to create an effective risk management system is to understand “the qualitative distinctions among the types of risk that an organization faces.” The authors separate business risk into three categories: (1) Preventable Risks; (2) Strategy Risks; and (3) External Risks. They state that companies should tailor their risk management strategies to each category, because what may be an adequate risk management strategy for the management of preventable risks is “wholly inadequate” for the management of strategy or external risks.

Category I: Preventable Risks. These are internal risks, arising from within an organization. The authors believe that “companies should seek to eliminate these risks since they get no strategic benefits for taking them on.” The authors specifically mention anti-corruption and anti-bribery risks as falling in this category. This risk category is best managed through active prevention, both through operational processes and through training employees’ behaviors and decisions towards a stated goal. The control model to manage preventable risks is to develop an integrated culture and compliance model. Such a system would typically consist of a Code of Conduct or Business Ethics, standard operating procedures, internal controls to spell out the requirements and internal audit to test their effectiveness. The role of the Compliance Department in managing Category I risks is to coordinate and oversee the compliance program and then revise the program’s controls as needed on an ongoing basis, all the while acting as independent overseers of the risk management function for the business units.

Category II: Strategy Risks. These risks are those which a company may accept in some form because they are “not inherently undesirable.” In other words, a company may be willing to accept some types of risks in this category so that it may increase profits. This category of risk cannot be managed through the rules-based system used for preventable risks; instead, the authors believe that “you need a risk management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.”

The authors list several specific techniques to use as the control model for strategic risks. These include “interactive discussions about risks to strategic objectives drawing on tools” such as heat maps and key risk indicator scorecards. The Compliance Department’s role here is to run risk management workshops and risk review meetings, usually acting as the “devil’s advocate” to the business units involved. Another key role of the Compliance Department is the marshaling and the delivery of resources allocated to mitigate the strategic risk events identified in this process. Finally, the authors believe that the relationship of the Compliance Department to the business units in managing a Category II strategic risk is to act as “independent facilitators, independent experts or embedded experts.”

Category III: External Risks. These are risks which arise outside the company’s control and may even be beyond its influence. This type of risk would be a natural disaster or an economic system shutdown, such as a recession or depression. The authors note that, as companies cannot prevent such risks, their risk management strategy must focus on identifying the risk beforehand so that the company can mitigate it as much as possible. Recognizing the maxim that ‘you don’t know what you don’t know’, the authors see the control model for Category III risks as “envisioning risks through: tail-risk assessments and stress testing; scenario planning; and war-gaming” with the management team. Under this Category III risk, the authors believe that the relationship of the Compliance Department to the business units is to either complement the strategy team or to “serve as independent facilitators of envisioning exercises.”

The authors conclude with a discussion of the leadership challenge in managing risks, which they believe is quite different from managing strategy. The reason is that managers “find it antithetical to their culture to champion processes that identify the risks to strategies they helped to formulate.” Nevertheless, without such preparation the authors believe that companies will not be able to weather risks which turn into serious storms under the right conditions. They believe that the key element is that the risk management team must have a direct reporting line to senior management, because “a company’s ability to weather [risk] storms depends very much on how seriously executives take their risk-management function when the sun is shining and there are no clouds on the horizon.” I could not have said it better myself.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

June 7, 2012

Integrating Your Compliance Risk: Where the Rubber Meets the Road

In listening to companies discuss compliance in the areas of anti-corruption under the Foreign Corrupt Practices Act (FCPA), anti-money laundering (AML) or export control, one of the things that has consistently struck me is how siloed each of these groups invariably is within their company. Not only does this deny a company the ability to share a wide variety of talent and experiences, it can lead to what authors Robert Kaplan and Annette Mikes call the “functional trap” of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review, entitled “Managing Risks: A New Framework”, they declare that good risk discussions must be integrative in order for risk interactions to be evaluated. If not, a business “can be derailed by a combination of small events that reinforce one another in unanticipated ways.”

The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect, which can lead to a lack of discussion by a wide group regarding a number of risks; for example, compliance risk, reputational risk, brand risk, credit risk and human resources risk are but a few of the types of risk mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to “anchor their discussions in strategic planning, one integrative process that most well-run companies already have” in place.

I. VW do Brasil Risk Management Strategy

The authors cite the example of Volkswagen do Brasil (VW) and the techniques used by its risk-management unit. Initially, the VW risk management unit uses the company’s overall strategy map as a starting point for internal discussions around risk. For each objective that the company sets, the risk management group identifies risk events which might cause the company to fall short of its objectives. Based upon this risk profile, the group creates a “Risk Event Card” for each risk on the strategy map, “listing the practical effects of the event on operations, the probability of the occurrence, leading indicators and potential actions for mitigation.” From this Risk Event Card, the risk management group creates a “Risk Report Card”, which is a tool used to present and convey high-level information to senior management within the company.

A. Risk Event Card for the Objective of a Smoothly Functioning Supply Chain

Strategic Objective: Guarantee reliable and competitive supplier-to-manufacturer processes

Risk Event: Interruption of deliveries

Outcomes: Overtime; emergency freight; quality problems; production losses

Risk Indicators: Critical items report; late deliveries; incoming defects; incorrect component shipments

Likelihood/Consequences: Likelihood rated 3 on a scale of 1 to 5; consequences rated on a scale of 1 to 5

Management Controls: Hold daily supply chain meeting (logistics, purchasing, QA); monitor suppliers’ tooling to detect deterioration; risk mitigation initiative: upgrade suppliers’ tooling; risk mitigation initiative: identify key supply chain executive at each critical supplier

Accountable Manager: Mr. O. Manuel, director of manufacturing logistics

From this Risk Event Card, the risk management group will next create the Risk Report Card. It is organized by strategic objectives and allows senior management to see at a glance “how many of the identified risks for each objective are critical and require attention or mitigation.”

B. Risk Report Card for Satisfaction of Customer Expectations

Strategic Objective                                                   Assessed Risks   Critical Risks   Trend
Achieve market share growth                                          4                1                Flat
Satisfy the customer’s expectations                                  11               4                Upward
Improve company image                                                13               1                Flat
Develop dealer organization                                          4                2                Flat
Guarantee customer-oriented innovations management                   5                2                Downward
Achieve launch management efficiency                                 1                0                Flat
Increase direct processes efficiency                                 4                1                Flat
Create and manage a robust production volume strategy                2                1                Downward
Guarantee reliable and competitive supplier-to-manufacturer processes 9               3                Flat
Develop an attractive and innovative product portfolio               4                2                Downward

II. Risk Oversight Approach

The authors caution that, beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discuss the experience of the Indian IT company Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company’s risk profile, coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.

All three of the components identified by the authors are relevant for your compliance program. Just as it is important to perform due diligence on third-party representatives before executing an appropriate contract, the real work is in managing the relationship. In risk management, you must identify and assess the risk, but the real work begins in managing the risk. This is where the rubber meets the road.

© Thomas R. Fox, 2012

April 4, 2012

Compliance Self-Assessment: The Good, The Bad and The Ugly

Today we channel Sergio Leone and Clint Eastwood in the context of the compliance assessment, which over the past few years has evolved into a key component of a minimum best practices Foreign Corrupt Practices Act (FCPA) compliance program. Item No. 13 of the Department of Justice’s (DOJ’s) 13 steps for a minimum best practices compliance program reads:

13. Ongoing Assessment. A Company should conduct periodic review and testing of its anti-corruption compliance code, standards, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, standards and procedures, taking into account relevant developments in the field and evolving international and industry standards.

While many commentators have argued that this item requires a professional, independent third party to perform this Ongoing Assessment, I recently came across an article which gave me pause to think that another avenue may be open to the compliance professional in following this guidance.

In an article published in the Sunday, April 1, New York Times Business Section, Corner Office column, entitled “The Best Scorecard Is the One That You Keep for Yourself”, writer Adam Bryant interviewed Charlotte Beers, the former Chief Executive Officer (CEO) of Ogilvy & Mather Worldwide. Her thesis was that “it’s vital to make self-assessments, and to include the good, the bad and the ugly.”

Beers talked about her use of self-assessment in her rise up the corporate ladder until she became a CEO. She believes that continual self-assessment can provide the self-knowledge which is the key for an employee to rise to become a superior employee and then a corporate leader. It will also improve your team relationships and enhance your ability to handle complex relationships. She says that you must reach for the “intangible and the invisible… but find out if they have confidence about the things that matter, their own ability to think and to get to the true center of things.”

I thought that the concepts discussed by Beers would be very useful in the compliance context. Many compliance practitioners have struggled with the assessment theory. When, how often, and who should perform it are questions I am often asked. While having an outside third party perform an assessment on a one- or two-year basis may certainly be a good start, a compliance self-assessment should be integrated into your compliance program. It provides the benefits of a continual model which would allow you to test and assess various portions of your compliance program on an ongoing basis. Also, the cost would not be great, as you would not be required to bring in an outside consultant.

You could begin by trying to determine your company’s employees’ real attitudes towards compliance. If they observed something amiss, would they have the “interior tensile strength” to report the matter? Has your company made reporting as easy and straightforward as possible? One former compliance officer told me that in auditing the company’s hotline in a Far East country it was determined that the toll-free line did not ring through, and the only way to call the home office in the US was by using a special cell phone provided only to senior managers of the company. How many calls do you think came through that hotline?

The more I have listened to ex-DOJ lawyers, like my former speaking partner Stephen Martin and his current law firm partner, Paul McNulty, the more I hear things like “move the ball forward” and “how did you use the resources you did have” to enhance your compliance program. Charlotte Beers’ observation that the “best scorecard is the one that you keep for yourself” clearly is a mechanism suggested by Martin and McNulty’s words of wisdom.

So how about Leone and Eastwood? For my money, the best movie of the first phase of the Spaghetti Western genre was their classic “The Good, The Bad and The Ugly.” That is the final word from Beers. In your self-assessment you must be prepared to look at all aspects, the good, the bad and the ugly. Learn and grow from each and all.

© Thomas R. Fox, 2012
