FCPA Compliance and Ethics Blog

July 6, 2015

The All-Star Game and Tone at the Top

All Star GameToday is the 83rd anniversary of the initial Major League Baseball (MLB) All-Star Game, which took place on this date in 1933, in Chicago’s Comiskey Park. The brainchild of a determined sports editor, the event was designed to bolster the sport and improve its reputation during the darkest years of the Great Depression. The sports editor of the Chicago Tribune convinced his owner to allow him to lobby for the game with MLB’s Commissioner, Kenesaw Mountain Landis, and the owners. To win over the public, they allowed fan balloting for the Game’s players. The proceeds went to a charity for retired baseball players. The Game was a rousing success and has continued as an institution to this day.

The conception and execution of the first All-Star Game shows what a committed tone from top management can create. Last week I wrote a couple of posts dealing with the tone for an organization around compliance with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA); one on tone in the middle and one on tone at the bottom. As usual, when I begin writing about a topic, I do not seem to be able to start where I thought I would end. So today, with the anniversary of the first MLB All-Star Game in mind, I decided to round out my triumvirate of posts by concluding with some thoughts on Tone at the Top and the reasons why it is so important to any anti-corruption compliance program.

Quite simply, any compliance program starts at the top and flows down throughout the company. Before you arrive at tone in the middle and bottom, it must start with a commitment at the top. All regulatory schemes for anti-corruption compliance recognize this key hypothesis. The concept of an appropriate tone at the top is in the US Sentencing Guidelines for organizations accused of violating the FCPA; the FCPA Guidance; the UK Bribery Act’s Six Principles of Adequate Procedures; and the OECD Good Practice Guidance on Internal Controls, Ethics and Compliance (OECD Good Practices). The reason all of these guidelines incorporate it into their respective practices is that all employees look to the top of the company to see what is important.

The US Sentencing Guidelines reads:

High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program … and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law. 

The OECD Good Practices reads:

  1. strong, explicit and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programs or measures for preventing and detecting foreign bribery; 

The UK Bribery Act’s Six Principles of Adequate Procedures reads:

The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable. 

The FCPA Guidance, under the section entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a “culture of compliance” and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees at all levels of a business.” But the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) expect more than simply to have senior management say the right things. They both expect that such message will be pushed down the ranks of an enterprise so that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant middle managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure. In short, compliance with the FCPA and ethical rules must start at the top. DOJ and SEC thus evaluate whether senior management has clearly articulated company stan­dards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”

The FCPA world is riddled with cases where the abject failure of any ethical “Tone at the Top” led to enforcement actions and large monetary settlements. In the two largest monetary settlements of enforcement actions to date, Siemens and Halliburton, for the actions of its former subsidiary KBR, the government specifically noted the companies’ pervasive tolerance for bribery. In the Siemens case, for example, the SEC noted that the company’s culture “had long been at odds with the FCPA” and was one in which bribery “was tolerated and even rewarded at the highest levels”. Likewise, in the Halliburton matter, the government noted that “tolerance of the offense by substantial authority personnel was pervasive” throughout the organization.

So how can a company overcome these employee attitudes and set, or re-set, its “Tone at the Top”? In a 2008 speech to the State Bar of Texas Annual Meeting, reprinted in Ethisphere, Larry Thompson, PepsiCo Executive Vice President (EVP) of Governmental Affairs, General Counsel (GC) and Secretary, discussed the work of Professor Lynn Sharp at Harvard. From Professor Sharp’s writings, Mr. Thompson cited five factors, which are critical in establishing an effective integrity program and to set the right “Tone at the Top”.

  1. The guiding values of a company must make sense and be clearly communicated.
  2. The company’s leader must be personally committed and willing to take action on the values.
  3. A company’s systems and structures must support its guiding principles.
  4. A company’s values must be integrated into normal channels of management decision-making and reflected in the company’s critical decisions.
  5. Managers must be empowered to make ethically sound decisions on a day-to-day basis.

David Lawler, writing in his book “Frequently Asked Questions in Anti-Bribery and Corruption, boiled it down as follows “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” Lawler went on to provide a short list of points that he suggests senior management engage in to communicate the type of tone to follow an anti-corruption regime. I had a Chief Executive Officer (CEO) of a client who, after I described his role in a best practices compliance program, observed, “You want me to be the ambassador for compliance.” I immediately averred in the affirmative. The following is a list of things that a CEO can do as an ‘Ambassador of Compliance’:

  • Reject a ‘do as I say, not as I do’ mentality;
  • Not just ‘talk-the-talk’ but ‘walk-the-walk’ of compliance;
  • Oversee creation of a written statement of a zero tolerance towards bribery and corruption;
  • Appoint and fully resource, with money and headcount, a Chief Compliance Officer (CCO);
  • Oversee the development of a Code of Conduct and written compliance program implementing it;
  • Ensure there are compliance metrics on all key business reports;
  • Provide leadership to middle managers to facilitate filtering of the zero tolerance message down throughout the organization;
  • Not only have a whistleblowing, reporting or speak up channel but celebrate it;
  • Keep talking about doing the right thing;
  • Make sure that you are seen providing your CCO with access to yourself and the Board of Directors.

Coming at it from a different perspective, author Martin Biegelman provides some concrete examples in his book, entitled “Building a World Class Compliance Program – Best Practices and Strategies for Success”. He begins the chapter discussed here with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. Biegelman cites to a list used by Joe Murphy regarding actions a CEO can demonstrate to set the requisite tone from the Captain’s Chair of any business. The list is as follows:

  1. Keep a copy of the Constitution on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
  2. Clout. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer report directly to the Board of Directors.
  3. Make them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
  4. Sticks and Carrots. Have both sanctions for violation of company compliance and ethics policies and incentives for doing business in a compliant manner.
  5. Don’t do as I say, Do as I do. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
  6. Be a Student. Be seen at intra-company compliance training. Take a one or two day course or attend a compliance conference outside your organization.
  7. Award Compliance. You should recognize outstanding compliance efforts with companywide announcements and awards.
  8. The Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the audit or compliance committee.
  9. Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Audit Committee.
  10. Vendors. Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
  11. Network. Talk to others in your industry and your peers on how to improve your company’s compliance efforts. 

Many companies struggle with some type of metric that can be used for upper management regarding compliance and communication of a company’s compliance values. One technique might be to require the CEO to post companywide emails or other communications once a quarter on some compliance related topic. The CEO’s direct reports would then also be required to email their senior management staff a minimum of once per quarter on a compliance topic. One can cascade this down the company as far as is practicable. Reminders can be set for each communication so that all personnel know when it is time to send out the message. If these communications are timely made, this metric has been met.

I hope that you can use some of the techniques for setting, creating and moving an appropriate tone for compliance throughout your organization. And, of course, enjoy the 2015 All-Star Game. Although the Astros now play in the American League (AL), my heart is still with the National League (NL).

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 1, 2015

Mifune Gets a Star on the Walk of Fame-the Petrobras Scandal Only Gets Worse

MifuneIt was announced last week that actor Toshirō Mifune (1920-1997) will be honored with a star bearing his name on the Hollywood Walk of Fame. The Hollywood Chamber of Commerce will add the star in 2016, together with new stars in the motion picture category for Quentin Tarantino, Michael Keaton, Steve Carell, Bradley Cooper, Ashley Judd and Kurt Russell. For those of you who may not have heard of Mifune, he was a veteran of sixteen films directed by Akira Kurosawa as well as many other Japanese and international classics. His films with Kurosawa are considered cinema classics. They include Drunken Angel, Stray Dog, Rashomon, Seven Samurai, The Hidden Fortress, High and Low, Throne of Blood, Sanjuro, and Yojimbo. While there are many great, great performances in these films, my personal favorite is Yojimbo where Mifune plays an un-named Ronin, who cleans out a village infested by two warring clans. The film was the basis for the great first Sergio Leone/Clint Eastwood Spaghetti western, A Fistful of Dollars. 

I had always thought that the Hollywood Walk of Fame honors actors but it turns out that it honors a great many more performers. For instance, next year will also see names like LL Cool J, Cyndi Lauper, Shirley Caesar, Joseph B. “Joe” Smith, Itzhak Perlman, Adam Levine, and Bruno Mars added in the music category. I considered this category of entertainers wider than simply actors when I recently read more about the burgeoning scandal in Brazil around the state owned energy company Petrobras and its ever-growing fallout.

The fallout has extended far beyond Petrobras, Brazil and even the direct parties who may have been involved. In an article in the Financial Times (FT), entitled “Petrobras woes loom large in Shell deal for BG”, Joe Leahy, Jamie Smyth and Christopher Adams reported on how the ongoing matter is affecting the world of super sized mergers and acquisitions. The rather amazing thing about this issue is not that British Gas (BG) has been caught up in the scandal or even has been alleged to paying bribes to Petrobras.

Rather it is because of assets that BG has in its portfolio. The article said, “Brazil has the potential to become the location of the most troubled assets in BG’s portfolio because the UK company is partner to Petrobras in some of the vast pre-salt oilfields off the country’s east coast in the Santos Basin.” This has led to speculation that “There is a risk that Petrobras will struggle to fulfill its mandate as sole operator for all new pre-salt oilfields because of the corruption scandal, and that this leads to delays in developing the deepwater discoveries, including those involving BG.”

This development arising out of the Petrobras scandal is so significant that BG mentioned it in their annual report, saying “In Brazil, we are closely monitoring how the current corruption allegations affecting Petrobras may impact the cost and schedule of the Santos Basin [pre-salt] development because of supply chain disruption and/or capital and liquidity constraints placed on Petrobras.” Think about that statement for a moment. It is only in the annual report because it could have a ‘material’ effect on BG and BG is a company being acquired by Shell to the tune of £55 million. However, as noted in the FT article, “many analysts say that Petrobras, partly because of the magnitude of the scandal, does not have the capital or management bandwidth to be the sole operator of all new pre-salt fields.”

What if Petrobras becomes unable to develop enough resources to feed South America’s largest democracy’s need for energy? In 2014 alone, the company posted a new loss of $7.4 billion, of which $2.5 billion was attributable to the ongoing bribery and corruption scandal. How much will it cost the country of Brazil to bring in outsiders to develop its own natural resources? This is a real possibility and it was further driven home by another FT article by Joe Leahy, entitled “Petrobras plans 37% cut in investment”. Petrobras currently is required by Brazilian “government policy forcing it to import petrol at international prices and sell it in the domestic market at a subsidized rate.”

Things can only get worse as Leahy reported that the company announced it “was cutting its projection for investment in 2015-2019 to $130.3bn or by 37 percent in relation to its previous plan.” This would lead to a reduction in “domestic production to 2.8m barrels per day of oil equivalent by 2020 from the previous target of 4.2m.” The article ended by noting that Petrobras would “divest $15.1bn in assets and undertake additional restructuring and sales of assets totaling $42.6bn in 2017-18.”

All of this certainly bodes poorly for the citizens of Brazil. For those who claim that bribery is a victim-less crime; I would point to this as Contra-Example A. But this information is also of significance to any Chief Compliance Officer (CCO) or compliance practitioner for a US, UK or other western country. Not only must you review any contracts you had with Petrobras and any of its suppliers; now you must digger several levels deeper. If you are in an acquisition mode, you not only need to look at the contracts of your target to see if they may have been obtained through bribery and corruption, the simple fact of having a contract with Petrobras may put your potential portfolio asset base at risk. For if Petrobras has to cut back 37% on investments at this point, chances are it will only get much worse. This 37% reduction is based on only the first round of estimates of the cost to the company of the bribery scandal.

But more than simply contracts directly with Petrobras, if you are evaluating a target who has contracts with Petrobras suppliers, you may be at equal risk. Not only could those suppliers obtain their contracts with Petrobras through bribery and corruption, those same contracts, even if valid, may not be worth their estimated value if Petrobras cannot fulfill them or even worse, pay for the goods and services delivered thereunder. How about payment terms? Do think for one minute, Petrobras would not unilaterally extend payment dates out 30, 60, 90 even 180 days when it finds itself in more bribery and corruption hot water?

Finally, I think there is a very good chance the US Department of Justice (DOJ) or Securities and Exchange Commission (SEC) could come knocking, unannounced, for any US company doing business with Petrobras or even with significant operations in Brazil. The SEC could do something as simple as send a letter requesting clarification of your internal controls or books and records regarding subcontractors or other third parties in Brazil. If you received such a letter, would you be in position to respond from the requirements for a public company under the Foreign Corrupt Practices Act?

Toshirō Mifune had a long and distinguished acting career. While it is not clear how long, how far and how deep the Petrobras corruption scandal will reach, it is clear that its repercussions will extend far past the energy industry or even Brazil. You need to review and be prepared to respond now.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 30, 2015

Another Great Bassist Gone and Tone at the Bottom

 

Chris SquireAs readers of this blog know, I am a huge fan prog rock fan. So it was with deep sadness and melancholy that I read Chris Squire passed away this weekend. He was a co-founder and bassist for the seminal rock group Yes. The band was one of founders of the musical genre known as ‘progressive rock’ or simply prog rock. According to his obituary in the New York Times (NYT) he was “the only member to have played on every one of Yes’s albums and participated in every one of its tours”. The NYT went on to say that “Mr. Squire’s propulsive and often melodic bass playing was a key element of the Yes sound. A self-taught virtuoso, he has been cited as an influence by many other rock bassists.”

I found some of the tributes from his former band mates to be the most touching and telling of Squire. Bill Bruford, the band’s original drummer, said in statement quoted in the article, “He had an approach that contrasted sharply with the somewhat monotonic, immobile bass parts of today. His lines were important; counter-melodic structural components that you were as likely to go away humming as the top line melody; little stand-alone works of art in themselves.”

Daniel Kreps, writing in Rolling Stone online, in an article entitled “Jon Anderson, Rick Wakeman Remember Yes’ Chris Squire”, quoted Yes co-founder Anderson for the following, “He was an amazingly unique bass player – very poetic – and had a wonderful knowledge of harmony. We met at a certain time when music was very open, and I feel blessed to have created some wonderful, adventurous, music with him. Chris had such a great sense of humor… he always said he was Darth Vader to my Obi-Wan. I always thought of him as Christopher Robin to my Winnie the Pooh.” Keyboardist Rick Wakeman was quoted in the same article “We have now lost, who for me, are the two greatest bass players classic rock has ever known. John Entwistle and now Chris,” Wakeman wrote. “There can hardly be a bass player worth his salt who hasn’t been influenced by one or both of these great players. Chris took the art of making a bass guitar into a lead instrument to another stratosphere and coupled with his showmanship and concern for every single note he played, made him something special.””

As most rock aficionados know, rock music is basically a dialogue between the bass guitar and the drums. With this base line set, the lead guitars and keyboards can go soaring off. That was certainly the formula for Yes. But as it really does not work unless the bass guitar lays the foundation for the entire band, I thought that a tribute to Squire might be a good way to visit one of the points of doing compliance not discussed often enough. While Tone-at-the-Top is almost ubiquitous, one thing not talked about consistently is the tone on the front lines of an organization. Even with a great ‘Tone-At-the-Top’ and in the middle, you cannot stop. One of the greatest challenges for a compliance practitioner is how to affect the ‘tone at the bottom’.

In a MIT Sloan Management Review article, entitled “Uncommon Sense: How to Turn Distinctive Beliefs Into Action”, authors Jules Goddard, Julian Birkinshaw and Tony Eccles looked at this issue when they explored the “often overlooked, critical source of differentiation is [a] company’s beliefs.”

One of the questions that the authors’ answer is: how to tap into this belief system? They posit a structured manner to obtain this information. By using these techniques, they believe that companies can rethink their “basic assumption and beliefs” and identify new directions for their organization. The authors listed seven approaches that they have used which I believe that the compliance practitioner can use to not only determine ‘Tone at the Bottom” but to impact that tone. They are as follows:

  1. Assemble a group. You need to assemble a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions. Include both long-time employees and those who are relatively new to the organization. The authors also suggest that if you have any employees who have worked for competitors or for other organizations in your industry you include them as well.
  2. Ask questions. You should ask the members of this group to articulate their basic assumptions about your compliance model, about the management model, about your company’s business model and the future of the industry in general. Ask them to do this individually and not as a group.
  3. Categorize the responses. Now comes the work by the compliance practitioner or compliance team, as the authors believe that these assumptions will usually fall into two groups. The first is assumptions that everyone agrees upon, and these are the common beliefs. The second is those assumptions that only a few of the participants will identify – this is what the authors call the “uncommon beliefs”.
  4. Develop tests for common beliefs. For those beliefs that are labeled common – you should consider how you know these to be true? The authors caution that simply because the group may believe that the company operates in a common industry or that we “do it because it has always been done this way” is not necessarily a “hard fact.” Consider what check you could perform to verify the common belief that you desire to test. The authors note that the purpose here is to “identify the ‘common nonsense’ beliefs that everyone holds that are not actually hard laws of nature.”
  5. Develop tests for uncommon beliefs. Here the authors suggest that you need to consider why some people think that these beliefs are true. What is the information or experience that they have drawn upon? Is there any way for you to test these uncommon beliefs?
  6. Reassemble the original group. You should reassemble the original group and have them consider the beliefs that were articulated by them individually in the context of your compliance model and how both your company and your industry do business. Lead a discussion that attempts to identify any assumptions or beliefs that “are quite possibly wrong, but worth experimenting with anyway.”
  7. List of Experiments to perform. The authors believe that the outcome of the first six steps will be “a list of possible experiments [tests] to conduct” to determine the validity of the common and uncommon beliefs. These tests can be accomplished in the regular course of business, through a special project with a special team and separate budget. You should agree on the testing process and review your testing assumptions throughout the process. This process can and should take some time so do not set yourself such a tight time frame that it cannot be fully matured.

The bottom line is that not only must a company ‘talk-the-talk’ of compliance but it must also ‘walk-the-walk’ of compliance. Donna Boehme says that it’s really about the culture of compliance in your organization. Put another way, as Mike Volkov said, in an article entitled “Mood in the Middle Versus Tone at the Top”, “Even when a company does all the right things at the senior management level, the real issue is whether or not that culture has embedded itself in middle and lower management. A company’s culture is reflected in the values and beliefs that exist throughout the company.” You must find a way to articulate and then drive the message of ethical values and doing business in compliance with such anti-corruption laws from the top down, throughout your organization.

So thanks for the tunes and memories Chris while I Keep Calm and Listen to Prog Rock.

Keep Calm and Listen to Prog Rock

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 29, 2015

Bristol Palin, Abstinence and the Compliance Defense

AbstinenceToday Bristol Palin informs the debate on the efficacy of a compliance defense to the Foreign Corrupt Practices Act (FCPA). A noted expert on many areas around ethical behavior and family values, Ms. Palin was credited by Mary Elizabeth Williams in a Salon article, entitled “Bristol Palin’s pregnancy announcement is her coming out”, as being the “world’s least successful spokesperson for abstinence” when she announced last week, that, for the second time, she was pregnant out of wedlock. Ms. Palin had previously been a spokesperson for the Candie’s Foundation on, you guessed it, prevention of unwanted pregnancy through abstinence. How does Ms. Palin’s announcement inform the debate on a compliance defense to the FCPA? Quite simply, much like abstinence, the compliance defense is not effective if you say you have one but only if you are doing compliance.

This rather sad fact that although both abstinence and a compliance defense are simple in concept but perhaps not easy to accomplish in the real world was further driven home last week in a Wall Street Journal (WSJ) article by Joel Schectman, entitled “Russian Uranium Probe Reaches Into Small-Town Ohio”, where he reported that “A widening U.S. bribery probe involving Russian uranium has reached from Moscow to a company in the heart of America’s Rust Belt. U.S. authorities are investigating whether an executive in Bremen, Ohio—a rural community with about 1,500 residents roughly 40 miles southeast of Columbus—bribed Russian energy officials to win his company millions of dollars in contracts to supply shipping containers for uranium, according to people familiar with the matter.”

The rather amazing thing about this report is not that bribery and corruption had occurred in the past century or even the past decade but that bribery is reported to have begun in 2011 by Westerman Company and continued at least through 2013 after the entity was acquired by Worthington Industries Inc. Indeed the article identifies the company executive “Barry Keller, a Bremen native who has spent more than three decades at Westerman, working his way up from the shop floor to senior management” as the person involved in paying the bribes. Further, it does not even appear that the bribery scheme itself was too sophisticated or unique. According to Schectman, it involved paying a Russian middleman who “arranged for the bribe payments to be channeled through a maze of secret accounts in Cyprus, Latvia and Switzerland, where they were collected by higher-ranking officials at Rosatom, Tenex’s parent.” The bribes were funded via “5% of a Westerman contract, and would be paid through a consulting invoice”.

Keller’s involvement brings up a key reason why I think having a compliance defense will not increase the doing of compliance. He was the head of the company and then head of the business unit. Is it really possible that a company that did business internationally, with a foreign state owned enterprise and was a US public company did not understand that it needed to have a FCPA compliance program in 2011? Even aside from the fact that the bribery is alleged to have begun when Westerman was an independent entity, did Worthington bother to perform any pre-acquisition due diligence in the FCPA arena when they purchased Westerman in 2012? If Worthington did bother to engage in any pre-acquisition due diligence prior to buying Westerman, how about when it integrated the newly acquired entity into its ongoing compliance program, trained Westerman employees and performed a full FCPA forensic audit of Westerman as surely it identified Westerman’s sales to “Tenex, part of state-owned Russian nuclear company Rosatom” as potentially high risk?

From Schectman’s article it does not appear that Worthington determined internally that there was any FCPA violation in its operations as he quotes the company’s General Counsel (GC), Dale Brinkman, for the following statement “We first learned of [the investigation] in November, and we are fully cooperating with the Justice Department.” That does not sound much like a company that has appropriate internal controls or keeps books and records in accordance with public accounting requirements under the FCPA. But as with abstinence, saying you engage in it is easy.

I think the lesson to be learned from the Worthington matter, and the clarion call for a compliance defense appended to the FCPA, is that adding a compliance defense to the FCPA will not increase compliance with the FCPA. Corporations take their lead from the top on their priorities. If there is not senior management desire to do business in compliance, it does not matter what the benefits of having a compliance defense bring. In 2015, if a company is doing business outside the US with foreign government officials or officials of state owned enterprises, someone in the business, i.e. their lawyers, their auditors or their Board of Directors, knows that they must do business in compliance with the FCPA. I would argue that it was just as well known in 2011 when Westerman Companies is alleged to have begun its bribery scheme. Having a compliance defense will not help drive compliance if the business owner, business leader or senior management is not committed to doing business in compliance with the FCPA.

For even if such a company does institute a compliance defense, it is the doing of compliance which makes a compliance program effective, not having a written program. A key is how a company incentivizes conduct. For doing compliance in any effective way, a company must commit time and resources to the effort. No ‘out of the box’ solution will allow a company to do compliance because the doing of compliance means dealing with an intersecting matrix of employees, technology and third parties. This means that there must be money spent on compliance. In addition to the resource issues, if the company bases its salary, compensation and benefits to employees solely or even largely on sales only; that is what will be emphasized in a company. If, however, there are incentives built into the compensation structure, it will emphasize the importance of the doing of compliance in the day-to-day work of a company.

Bristol Palin has announced she does not want to be ‘lectured’ about her current pregnancy. Maybe her unique intellect has allowed her some insight into the irony of her situation (or then again perhaps not). However she was right about one thing. If you want to ensure that you do not get pregnant, abstinence is about the best way to do so. But abstinence only works if you are doing abstinence, not simply saying you are abstinent. The same is true for adding a compliance defense to the FCPA. A compliance defense only works if you are doing compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 25, 2015

Custer’s Last Stand and Risk Management

Custer's Last StandOn this day in 1876 one of the greatest failures in risk management took place when Lieutenant Colonel George Armstrong Custer and his entire 7th Cavalry were wiped out at the Battle of the Little Big Horn. Custer had split his command into three wings and he took his battalion of 200 or so men down the center of what he thought would be little resistance. Instead he found that he was facing a far superior force of 3000 largely Sioux warriors who quickly overwhelmed and defeated Custer’s command, with all US troops being killed. There is now some debate on whether all the cavalrymen were actually killed by the Native Americans or took their own lives, saving the last bullet for themselves, in western parlance.

Historians have debated over time the reason for Custer’s defeat. Was it arrogance; bad intelligence; faulty command, just plain stupidity or even a wish for martyrdom by Custer? Whichever the cause, it was the worse defeat of the US Army by Native Americans in the Western campaigns of the later 1800s. Today, it might be termed as a faulty assessment and management of the risks involved.

I thought about Custer and his defeat when I read a recent article in the Harvard Business Review (HBR), entitled “Strategy How to Live With Risks. It presented risk, risk assessments and risk management in a new light, a key acumen being that risk management should be used as a “protection shield, not an action stopper.” It was based upon a research paper by the CEB, entitled “Reducing Risk Management’s Organizational Drag”, which I thought it had some interesting insights for the Chief Compliance Officer (CCO) or compliance practitioner.

The first insight is that, in many instances, companies are assessing risks that are in the rear-view mirror. The author pointed to the Sarbanes-Oxley (SOX) Act, passed in response to the Enron and Worldcom accounting scandals in noting, “In the wake of the 2008 financial crisis many large banks changed their business models, and other companies implemented systems to better manage credit risks or eliminate overreliance on mathematical models.” This type of mentality can lead to what the author says, is “a variation on what military historians call “fighting the last war.” As memories of the recession fade, leaders worry that risk management policies are impeding growth and profits without much gain.” The author went on to quote Matt Shinkman of CEB, a member based advisory company, for the following insight “Firms are questioning whether the models they put in place after the financial crisis are working—and more fundamentally questioning the role of risk management in their organizations.”

This retrospective look back is coupled with what the author says is a decision making process which “is too slow, in part because of an excessive focus on preventing risk” and not managing risk; in other words, companies were slowed down even further by something termed “organizational drag”. Companies need to find new mechanisms to assess and manage risk going forward. The best way to do so, many companies have indicated, is through reorganizing or reprioritizing risk management and the article presented “three best practices” in doing so.

Strike the Right Balance Between Risk and Reward

Recognizing that risk management is often simply ‘just saying no’, the HBR articcle suggests that “Today’s risk managers see their role as helping firms determine and clarify their appetite for risk and communicate it across the company to guide decision making. In some cases this means helping line managers reduce their risk aversion.” The interesting insight I found here is that if an asset is low performing it may be because the management is so risk averse. This may present a CCO or compliance practitioner with an opportunity to increase growth through other risk management solutions that they could implement.

Focus on decisions, not process

This insight is one that CCO and compliance practitioners should think about and try and implement. Recognizing that risk assessments are important, the author believes that risk managers should focus more on decisions concerning risk rather than the process of determining risk. This means, “In addition to relying on paperwork or process, risk managers are turning to tools (such as dashboards that show risks in real time) and training that help employees assess risk. They are also helping companies factor a better understanding of risk into their decision making.”

By having a seat at the senior management’s table, a CCO or compliance practitioner can help identify risk issues early on in planning. This allows a COO to help craft a risk management solution, or even better yet show colleagues how to “spot potential problems and managers see how their projects fit into the company’s overall portfolio of projects, each with its own set of risks.” The author again quoted Shinkman, “This is less about listing risks from a backward-looking perspective and more about picking the right portfolio of risky projects.”

Make employees the first line of defense

The author channels his inner Howard Sklar (water is wet) by stating, “Decisions don’t make themselves, people make them”. However from that insight, the author believes that “smart companies work to improve employees ability to incorporate appropriate levels of risk when making choices.” But this means you must not only adequately train your employees to spot the appropriate risk but you, as CCO must provide them with tools to manage the risk. The author wrote, “Companies are also trying to identify which types of jobs or departments face a disproportionate share of high-risk decisions so that they can aim their training at the right people. They’re focusing that training less on risk awareness and more on simulations or scenarios that let employees practice decision making in risky situations. Finally, risk managers are becoming more involved in employee exit interviews, because people leaving an organization often identify risks that others aren’t able or willing to discuss.”

The article ends by noting that the goal is “to transform risk management from a peripheral function to one with a voice integrated into the day-to-day management” of an organization. That is also viewed as a component of CCO 2.0 and a more mature model of improvement. By focusing on training employees on how to spot Foreign Corrupt Practices Act (FCPA) compliance risks and then providing them with the tools to adequately manage that risk, CCOs can deliver greater value.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 24, 2015

Pink Flamingos and the Compliance Audit

FeatherstoneThe creator of one of the most ubiquitous symbols of mid-century Americana died earlier this week. Don Featherstone, the creator of the pink plastic lawn flamingo, the ultimate symbol of American lawn kitsch, has died. He was 79. Featherstone, a trained sculptor with a classical art background, created the flamingo in 1957 for plastics company Union Products, modeling it after a bird he saw in National Geographic. Millions of the birds have been sold. Whether you think of the Pink Flamingo as a symbol of Miami Vice, Jon Waters and Devine or for something less salacious, here is to Featherstone, a true original.

While Featherstone created one of the ultimate symbols of the second half of the 20th century for a generation of South Floridians, the Japanese company Takata Corporation (Takata) continues to be in the news for much less prestigious reasons. As reported in the New York Times (NYT), in an article entitled “Senate Panel Says Tanaka Cut Audits on Safety”, Hiroko Tabuchi and Danielle Ivory said “In the middle of what would become the largest automotive recall in US history, the Japanese airbag manufacturer Takata halted global safety audits to save money”. Interesting (or perhaps ominously might be a better word) Takata responded by saying it had not halted safety audits for products but rather for worker safety. Doesn’t that give you some comfort?

A US Senate committee report found that “Takata halted global safety audits at its manufacturing plants in 2009, a year after Honda had started recalling a small number of cars to replace the airbags.” These audits were later restarted in 2011 but when they found safety issues related to airbag manufacturing in two key plants, “those findings were not shared with Takata’s headquarters in Tokyo, the report said, citing internal emails from Takata’s safety director at the time.” Moreover, “when the safety director returned to the plant months later to conduct a follow-up audit, employees appeared to scramble to create the appearance of a safety committee within the plant.” Finally, and perhaps most damningly, the report cited an internal Takata email which said, “No safety committee, as such, has been formed” at the plants in question.

Foreign Corrupt Practices Act (FCPA) compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became mainstays of any best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program, either under the FCPA, UK Bribery Act or any other anti-corruption regime. Indeed audits are specifically delineated in the FCPA Guidance as a way to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical and unfortunately with Takata seemed to be lacking in its safety audit protocol: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited.

Auditing can take several different forms in an anti-compliance program. As a matter of course, you should audit the compliance program in your own organization. A forensic audit can collect and analyze accounting and internal-controls evidence in your compliance regime. This information can be used to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Further, an internal audit can review a compliance process to determine if employees are following prescribed processes or internal controls, in an operational Sarbanes-Oxley (SOX) or FCPA compliance audit.

In addition to the collection and analysis of evidence, an auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. Obviously one of the functions of such an audit is to determine if further investigation is warranted.

Now imagine if this scenario had been followed by Takata. The lack of a safety committee is a glaring omission at any manufacturing facility. Simply noting this and reporting it up the chain could have gone some way towards preventing the situation the company now finds itself in; with a worldwide recall of up to 32 million vehicles. The same is true for a compliance audit. Just as monitoring can provide information to you on a more real-time basis; a compliance audit compliments this real-time oversight with a much deeper dive into what has happened on a historical basis.

The recent BHP Billiton FCPA enforcement action is certainly one to look at in this context. Although there was a committee set up to review gifts and travel requests for the company’s 2008 Olympic hospitality program, the committee did not fulfill this charge. It was alleged in the Securities and Exchange Committee (SEC) settlement documents that this committee was never intended to pass muster on the applications for tickets and travel for government officials but was simply there to provide guidance.

Once again this situation points out the difference between having a paper compliance program in place and the actual doing of compliance. Even with an appropriate oversight structure in place BHP Billiton did not do the work of compliance by evaluating the applications for travel and tickets to the Beijing Olympics but left it to the devices of the business unit employees who were making the requests and ultimately most directly benefited from the gifting.

Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties below are some of the areas you may wish to consider reviewing:

  • Contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party vendor.
  • Review the FCPA compliance training program for any vendor; both the substance of the program and attendance records.
  • Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party vendor have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

The compliance function still is behind the safety function in terms of maturity. Because of this there are many lessons which a Chief Compliance Officer (CCO) or compliance practitioner can draw upon from our colleagues in safety. The safety audit is certainly a technique that can be drafted into your compliance program. But as the ongoing Takata air bag debacle demonstrates, your audit only works if you actually perform it. In other words, the protocol is simple, everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 23, 2015

Fraud and the Detection of the Sources for Bribery

 

Detection of FraudIn a recent White Paper authored by Peter Smith for OFS Portal, entitled “Procurement and Fraud in the Supply Chain”, where he examined “fraud linked to procurement and supply chain activities.” Smith focuses on where fraud can occur in the procurement process. From this starting point, he suggests “mitigating actions that organisations can take to protect themselves against fraud.” I found this article to be an excellent review of Supply Chain (SC) activities which the Chief Compliance Officer (CCO) or compliance practitioner could put to good use in reviewing their company’s Foreign Corrupt Practices Act (FCPA) anti-corruption and anti-bribery regime.

A. The Problem – How Does Fraud Happen?

Smith starts by classifying fraud in way which will assist the reader in understanding how it occurs. He believes there are “three critical factors to consider: the perpetrator(s), the plan and the point of failure.” The perpetrator is the one “behind the fraud and either executes it directly or through others.” In the anti-corruption world of the FCPA, this can be through an agent or a supplier who is working to help execute the fraud.

Interestingly, in the area of these third parties (and hence the greatest area of risk for FCPA compliance practitioners to consider) Smith notes that “The plan and point of failure factors are linked in that often the plan relies on the point of failure. In other words, most frauds take advantage in some weakness in the process, technology, policy or systems of combination of those.” Smith writes that there are three key phases “in the procurement life-cycle that can be considered; (1) the supplier selection phase; (2) the contract negotiation and award phase; and (3) the contract delivery management phase.”

Phase I – Supplier Selection and Qualification

This phase should be well known to the compliance practitioner as a part of the third party life-cycle management step denominated as due diligence. But Smith asks that you consider factors other than simply whether someone is on the Denied Parties List (DNP) or is a Politically Exposed Person (PEP). He suggests that you consider misrepresentation by the third party in the nature of “concealing the true nature of its business, history or ownership when it bids for the work.” He also points out that through collusion and cartels, persons or entities can work to control a market. If you did any work with Petrobras over the years, you will certainly recognize that many if its approved suppliers operated in this manner. Given what we now know about how corrupt Petrobras was, this is not too surprising.

But Smith also suggests that employees may be involved in skewing the selection process towards a corrupt agent or other partner. He recommends reviewing the bid process to see if there was bias in the competition, which would push an otherwise arms-length award to a corrupt partner. This could occur through biased competition through specification, where an employee would “construct a specification that makes it likely or inevitable that a particular supplier will win the competitive process.” The next is biased competition through tailoring the evaluation process which gives weight to the specific strengths of a corrupt third party. Finally, Smith points out that there can be biased competition through information leakage when a company employee will leak confidential information to a third party to give them an advantage in the bidding process.

Phase II – Contracting

Smith says the “next critical point at which fraud can take place is during the contract negotiations and in agreeing the detailed terms and conditions.” Moreover, Smith believes this stage is critical if often overlooked because “the seeds are often sown at the contracting stage.” Scenarios can include where there is a certain level of ‘local content’ required “but without any clear contractual mechanism to explain how it will be measured or policed.” As any CCO or other FCPA compliance practitioner would recognize, local content is one of the easiest ways to get into FCPA high risk so managing that risk is critical. I found Smith’s concern with setting out the clear legal terms and conditions around any such requirement as a good way to manage the high risk.

Phase III – Contract Delivery and Management

Here Smith laid several different fraud schemes which could facilitate a bribery plan. The first is fake invoices which can rely on “poor processes within an organisation” to spot. However this scheme can also rely on a company insider to approve such fabrications. Next is “volume over-invoicing”. In this scheme, while a supplier does supply some goods or services, the invoice is raised for more than has been delivered. If there is a scheme to create a pot of money to be used to fund bribes, there will need to be an internal company accomplice to “smooth the way by authorizing receipts or invoices.” Next there is “price-related over-invoicing” the third party will over-price the goods or services, above what is allowed under the contract. Another scheme set out by Smith is “invoice diversion” where “a legitimate payment that should go to a certain supplier is diverted to a third party fraudulently.” Another scheme can simply be to ease the contract terms and conditions which allow the third party to receive a benefit with nothing in return being delivered back to the company. Finally, there is what Smith details as one of the “toughest frauds to detect”, that being the delivery of lower quality products than is contractually specified.

B.The Solution – How to Reduce Fraud

Smith believes that fraud prevention can be built around a troika of concepts. (1) You need to have “effective procurement and spend management policies in place. (2) You must “use appropriate and robust processes”. (3) Finally “applying the right technology to support and manage those processes.” In his paper he followed the same outline on how to reduce the instances of fraud.

Phase I – Supplier Selection and Qualification

While a clear procurement policy is the starting point, it is only the starting point. Having a transparent process is important as well as adequate supplier qualification details. He notes that multiple sign-offs should be in place to ensure that one person does not control the entire process. This should also be incorporated into the communications trail with the competitors to ensure that no one third party receives confidential information. Obviously an appropriate level of due diligence should be applied to confirm that not only are the third party’s who they represent themselves to be but that they are also qualified to do the work or deliver the services. Finally, there should be controls around onboarding “so that firms who are actually going to be suppliers go through more rigorous checks before they are accepted onto” the Vendor Master List.

Phase II – Contracting

Obviously the starting point for any business relationship should be a well-drafted contract. However, for larger organizations Smith believes that “a contracts database or contract lifecycle management system is essential.” To the greatest extent possible there should be standard compliance and legal terms and conditions, coupled with an “appropriate level of sign-off and approvals management for contracts.” Finally, segregation of duties (SOD’s) “to make sure that there are checks and balances and that no one person holds too much power in the process.”

Phase III – Contract Delivery and Management

As I often say in the lifecycle management of third parties, the real work begins when the contract is signed. Smith believes that many of the routes of fraud, “can be closed off by taking a few precautions” which include some of the following steps. First and foremost is “no purchase order, no pay” but this also means there should be an invoice from the vendor which is matched to the contract for accuracy. Once again checks and balances, SOD’s for sign-offs and approvals must be built into your payment system. There should be controls around changes to the contract and, more importantly, changes to any payment details. Lastly, ongoing oversight and monitoring through controls analytics and auditing should be employed on the back end to verify delivery of goods or services.

I found Smith’s White Paper to be an excellent review for the CCO or compliance practitioner around not only the mechanism of how fraud occurs but a review of the techniques for fraud prevention. While his concepts may seem like a review for the compliance practitioner, it also allows you to think through how corruption might take place in your organization. The briber has to get the money from some source and Smith’s White Paper can give you insights on where you might look.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

June 22, 2015

George Carlin and Erga Omnes: the Petrobras Bribery Scandal Expands

George CarlinOn this date in 2008 George Carlin died. If you grew up in the late 1960s or early 1970s and you had anti-parental or anti-establishment inklings, which of course all teenagers do, you knew about George Carlin. In the early 1960s, Carlin was a relatively clean-cut, conventional comic. But around 1970, he reinvented himself as an eccentric, biting social critic and commentator. In this new incarnation, Carlin began appealing to a younger, hipper audience. He grew out his hair and added a beard together with a wardrobe in the stereotypically hippie style.

Carlin’s comedy also became counter-culture, not Cheech and Chong, hippy-dippy dopers, but with pointed jokes about religion, politics yet with frequent references to drugs. His second album with his new routine, FM/AM, won a Grammy Award for Best Comedy Recording. My favorite cut was the 11 O’Clock News. But it was his third album Class Clown that had, what I believe, to be the greatest comedy monologue ever, the profanity-laced routine “Seven Words You Can Never Say on Television.” When it was first broadcast on New York radio, a complaint led the Federal Communications Commission (FCC) to ban the broadcast as “indecent.” The US Supreme Court later upheld the order, which remains in effect today. The routine made Carlin a hero to his fans and got him in trouble with radio brass as well as with law enforcement; he was even arrested several times, once during an appearance in Milwaukee, for violating obscenity laws.

Interestingly I thought about Carlin and his pokings of the Establishment (AKA The Man) when I read several articles over the weekend about the recent spate of arrests around the Petrobras bribery and corruption scandal. In article in the Wall Street Journal (WSJ), entitled “Brazil Probe Sweeps Up Corporate Magnates” Will Connors, Rogerio Jelmayer and Paul Kiernan reported that “Brazilian officials arrested the heads of two Latin American construction giants, alleging they helped to mastermind a cartel that stole billions of dollars from state-run oil company Petrobras with the help of corrupt politicians to whom they paid kickbacks.” Also arrested with the heads of the two companies, Marcelo Odebrecht, head of Odebrecht SA and Chief Executive Officer (CEO) of Andrade Gutierrez, Otávio Azevedo.

The WSJ article reported that “Odebrecht is Latin America’s largest construction conglomerate, with business in the U.S., Europe and Africa, and whose head, Marcelo Odebrecht, is a household name in Brazil. Andrade Gutierrez has business in 40 countries. The privately owned companies are deeply involved in the development of stadiums and infrastructure for the 2016 Summer Olympics in Rio de Janeiro.” Moreover, Odebrecht is reported to have “a presence in 21 countries”. Obviously a question is if the company had engaged in bribery and corruption in Brazil, did they do so in any of the other countries in which they are doing business?

Interestingly, these arrests “come months after the heads of other construction companies were detained by Brazilian authorities.” Indeed in a BBC article in , entitled “Petrobras scandal: Top construction bosses arrested in Brazil”, David Gallas said, “Odebrecht had been named by former Petrobras executives as one of the companies that allegedly paid bribes in exchange for contracts with the oil firm, but until now the firm had not been targeted by investigators.” The WSJ article quoted Brazilian prosecutor Carlos Fernando dos Santos Lima who said at a news conference that the executives from the two companies had not been arrested earlier as the entities, “had a more sophisticated system for making the alleged bribe payments, using foreign bank accounts in Switzerland, Monaco and Panama, so it took longer to prove their case.” David Fleischer, a Brasilia based political analyst, quoted in the WSJ article was even more circumspect. He said, “The prosecutors are very careful. If you’re going after big fish you want to make sure you can take them down.”

Brazilian police said the arrests were “Erga omnes” which the WSJ translated from Latin as “towards all”. I thought about that statement in light of the ongoing debate about enforcement of the Foreign Corrupt Practices Act (FCPA) here in the US. On one side is the Chamber of Commerce and their allies who raise the ever-burgeoning cry that the Department of Justice (DOJ) needs to prosecute the invidious ‘Rogue employees’ who violate the FCPA. You will notice they never want the DOJ to look at the executives who might facilitate payment of bribes in the first place; whether through faux commitment to doing business in compliance, failing to properly allocate resources to compliance and ethics, simply rewarding those employees who git ‘er done no matter what the circumstances or (my favorite) putting a paper program in place and calling it a best practices compliance program.

Indeed those progenitors of relaxed enforcement want the DOJ to back off and let them do business the old fashioned way. However, if the bribery and corruption news from the first half of this year has told the world anything, it is about the dire effects of allowing such illegal conduct to take place and warning against slacking off laws which mandate doing business without bribery and corruption. In another WSJ article, entitled “Roots of a Brazilian Scandal That Weighs Heavily on the Nation’s Economy, Politics”, Marla Dickerson noted, “The scandal has crippled Petrobras, Brazil’s largest and most important company. In late April, the company wrote off more than $16 billion related to losses from graft and overvalued assets. The company’s woes have all but paralyzed the nation’s oil and gas sector. Hurt by slumping oil prices and strapped for cash, Petrobras has slashed investments, sparking a wave of credit downgrades, bankruptcies and layoffs among its suppliers that the weighed on Brazil’s economy.”

I wonder what George Carlin might have thought about all of this. He might have said that what else would you expect but I am relatively certain he would have done so while also sticking his thumb in the eye of The Man. 

For a YouTube version of the 11 O’Clock News, click here.

For a YouTube version of the 7 words you can never say on television, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

June 19, 2015

Tribute to John David Crow and an Innovation Strategy for Your Compliance Program

John David CrowJohn David Crow died Wednesday. Until Johnny Football, he was the only football player from Texas A&M University to win the Heisman Trophy. He played under the legendary Paul ‘Bear’ Bryant at A&M and for all of Bryant’s success, Crow was the his only player to win the award given annually to the nation’s best collegiate football player. Crow had a productive professional football career making the Pro-Bowl four times. He was also the Athletic Director at A&M from 1989 to 1993. So here’s to John David Crow, one of the Junction Boys and one of the greatest players in the history of Texas A&M. Finally, let me say something I almost never say, Gig ‘Em, John David.

I thought about John David Crow and his legacy of greatness when I read an article in the June issue of the Harvard Business Review (HBR), entitled “You Need an Innovation Strategy”, by Gary P. Pisano. While Pisano’s article dealt more generally with innovation in marketing, I found it highly relevant for the Chief Compliance Officer (CCO) or compliance practitioner, particularly in the context a Foreign Corrupt Practices Act (FCPA) compliance program. Earlier this week, the Department of Justice (DOJ) announced the resolution of a FCPA investigation involving IAP Worldwide Services, Inc. (IAP) via a Non-Prosecution Agreement (NPA). In the NPA, the company committed to implementing and enhancing a best practices FCPA compliance program. Listed at element 18 of its compliance program is the following: “The Company will conduct periodic reviews and testing of its anti-corruption compliance code, policies, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, policies, and procedures, taking into account relevant developments in the field and evolving international and industry standards.”[Emphasis supplied]

This means that the DOJ expects innovation in your compliance program to keep up with evolving international and industry standards. This requires you to implement an innovation strategy. While Pisano’s article does not specifically focus on compliance, I found that its concepts would help a CCO or compliance practitioner sustain the mandate for innovation in a compliance regime. Pisano’s article begins by stating the problem that many companies face is that “innovation remains a frustrating pursuit.” While acknowledging that failure to execute is an issue, Pisano believes the issue is deeper than simply a failure to execute, he believes there is a “lack of an innovation strategy.”

I found some of his basic definitions most useful for the compliance practitioner to think through innovation in the compliance function. Pisano wrote, “A strategy is nothing more than a commitment to a set of coherent, mutually reinforcing policies or behaviors aimed at achieving a specific competitive goal. Good strategies promote alignment among diverse groups within an organization, clarify objectives and priorities, and help focus efforts around them. Companies regularly define their overall business strategy (their scope and positioning) and specify how various functions – such as marketing, operations, finance, and R&D – will support it. But during my more than two decades studying and consulting for companies in a broad range of industries, I have found that firms rarely articulate strategies to align their innovation efforts with their business strategies.”

The key to success is something that every CCO or compliance practitioner should take to heart. Paraphrasing Pisano for the compliance practitioner is that the compliance function “should articulate an innovation strategy that stipulates how their [compliance] innovation efforts will support the overall business strategy.” Moreover, “creating an innovation strategy involves determining how innovation will create value for customers [of compliance, i.e. Employees], how the company will capture that [compliance] value, and which types of [compliance] innovation to pursue.”

Pisano posed several questions around this key area of connecting innovation to strategy. Initially he asked, “How will innovation create value for potential customers?” In my formula, customers become employees or others who will make use of your compliance innovation going forward. Here you should focus on the benefit for your end-using customer. Your innovation can make compliance faster, easier, quicker, more nimble and so on. But focus on that creation of value going forward. Pisano’s next question was “How will the company capture a shore of the value its innovations generate?” He suggests companies think through how to “keep their own position in the [compliance] ecosystem strong” through innovation. Pisano next asked, “What types of innovation will allow the company to create and capture value, and what resources should each type receive?” Here Pisano notes two major forms of innovation equally applicable to the CCO or compliance practitioner. They are a change in technology and a change in a business process. Both are equally valid.

Another problem that Pisano addresses is termed “overcoming prevailing winds” and this means that innovation can be driven downward or backward if there is not sufficient management support. This means not only must there be sufficient resource allocations but management must also incentivize the business units to proceed with implementing the innovations, particularly “when an organization needs to change its prevailing patterns.”

Another area Pisano addresses is “managing trade-offs” because it is inherent in any innovation strategy that there will be trade-offs. Here he terms the two key differences as “supply-push” and “demand-pull”. The supply-push approach comes when your innovation is focused on something that does not yet exist, for example if you are initially implementing a FCPA compliance regime. The demand-pull approach works more closely with your existing customer base to determine what they might need and work to implement innovation around those needs.

Interestingly Pisano ends his article with a discussion about “the leadership challenge”. I say interestingly because I would have thought that was required up front as it is the function of senior management to create the capacity for innovation in the first instance. Pisano writes, “There are four essential tasks in creating and implementing an innovation strategy.” Task 1 is to “answer the question “How are we expecting innovation to create value for customers and for our company?” and then explain that to the organization.” Task 2 “is to create a high-level plan for allocating resources to the different kinds of innovation.” Task 3 is “to manage trade-offs. Because every function will naturally want to serve its own interests, only senior leaders can make the choices that are best for the whole company.” Finally, task 4 dovetails with what almost every DOJ/SEC speaker I have ever heard say when they talk about the basics of any best practices compliance program. It is that “innovation strategies must evolve. Any strategy represents a hypothesis that is tested against the unfolding realities of markets, technologies, regulations, and competitors. Just as product designs must evolve to stay competitive, so too must innovation strategies. Like the process of innovation itself, an innovation strategy involves continual experimentation, learning, and adaptation.”

Pisano’s article provides the CCO or compliance practitioner with a framework to think through to help bring the innovation to a compliance program. I would have put leadership first, both in the compliance department and at senior management level. But however you go about it, you must recognize that your compliance program will have to evolve. That is one of the key differences between those who advocate static compliance standards embodied in a written compliance program and those who advocate that it is Doing Compliance that creates an active, vibrant and effect compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 16, 2015

Like a Rolling Stone and Charitable Donations Under the FCPA

Like a Rolling StoneToday we celebrate one of the seminal achievements in rock and roll for it was on this day, 50 years ago, in 1965 that Bob Dylan recorded his single Like a Rolling Stone. Columbia Records executives initially rejected the song as too long to be released as a single because it came in at over 6 minutes in length. However, through a campaign of subterfuge, Dylan’s manager was able to have it played by New York City DJs. The popularity of the song became so great that the same Columbia Records executives were forced to release it and it went to Number 2 on the Top 40.

According to the site ThisDayInHistory.com, “The most important impact of “Like A Rolling Stone” was not commercial but creative. Rolling Stone magazine said Dylan “transformed popular song with the content and ambition of ‘Like a Rolling Stone.’” Or as Bruce Springsteen said of the first time he heard it, “[it] sounded like somebody’d kicked open the door to your mind.”” And my favorite part is the opening organ riffs played by a 21-year-old Al Kooper who was just sitting in on the session.

I thought about this odd convergence that came together to create what Rolling Stone magazine named as the greatest song of all time in 2004 in the context of the continuing fallout from the ongoing scandal involving the governing body of international soccer, the Fédération Internationale de Football Association (FIFA). In a BBC Online article, entitled “Fifa corruption: South Africa cash ‘worrisome”, Andrew Harding wrote “A key figure in South Africa’s football World Cup bid has broken ranks with the government to suggest there might be some truth to a claim that a $10m bribe was paid to secure the 2010 tournament.” That figure is Tokyo Sexwale who was “a member of both the World Cup bid team and local organising committee”. Sexwale has now questioned whether the $10MM payment made to Jack Warner of Trinidad was truly a donation.

Sexwale went on to ask, “”Where are the documents, where are the invoices, where are the budgets, where are the projects on the ground?””

I thought about those questions in the context of a Chief Compliance Officer (CCO) or compliance practitioner working under a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program around charitable donations. There has been a paucity of FCPA enforcement actions around charitable donations. Both the Schering-Plough Corporation and Eli Lilly and Company enforcement actions centered in Poland were Securities and Exchange Commission (SEC) civil enforcement actions based upon violations of the books and records and internal controls provisions to the FCPA. There was no evidence of bribes being paid which rose to criminal conduct.

Generally, it is assumed that if you do the required review of the charitable organization that is due to receive a corporate donation and in this due diligence, there is no tie to a government official or family member, the donation can be made under the FCPA. However consider Sexwale’s comments around the evidence of whether a bribe was paid to Warner or if it was simply because “part of the feeling at the time – it’s a good thing, this [$10MM of] altruism (towards the African diaspora in the Caribbean)”. Yet even Sexwale noted the problem when he added, “The question is going to be: “What was done to make sure that your good intentions – you as the giver – have been realised?””

His comments gave me pause to think that companies who make charitable donations in foreign countries may now have to monitor these donations at a greater level and with greater scrutiny. The starting point may now well be as stated by Sexwale, “What was done to make sure that your good intentions – you as the giver – have been realized?” If this is now a standard of enquiry and oversight the Department of Justice (DOJ) will require validation on how your company can have assurances that your good intentions are realized? Once again you can look to the basic questions that Sexwale posed in the BBC online article, Where are the documents, where are the invoices, where are the budgets, where are the projects on the ground?

There have been four Opinion Releases around charitable donations under the FPCA. Opinion Release 95-01 was a request from a US-based energy company that planned to donate $10MM for equipment and other costs to a medical complex that was under construction near a large construction project. Opinion Release 97-02 dealt with a request from a US-based utility company who planned to donate $100K for construction and other costs to a government entity that proposed to build an elementary school near a facility. Before releasing funds, the utility company required certain guarantees from the government regarding the project, including that the funds would be used exclusively for the school. Also, the donation was directly to the foreign government and not a charity. Opinion Release 06-01 dealt with money to fund a pilot project in which the US Company would contribute $25,000 to the in country Ministry of Finance to improve local enforcement of anti-counterfeiting laws. The contribution was intended to provide incentive awards to local customs officials, needed because the African country involved was a major transit point for illicit trade and the local customs officials have no incentive to prevent the contraband. Finally, Opinion Release 10-02focused on the underlying due diligence engaged in by a US-based Micro Financial Institution (MFI) operating in an unnamed Eurasian country. The Release specified the three levels of due diligence that the US MFI had engaged in on the proposed locals MFIs which were listed as eligible to receive the funding. In addition to the specific discussion of the due diligence performed by the US MFI and noting the controls it had put in place after the funding was scheduled to be made the DOJ also listed several of the due diligence and/or controls that it had previously set forth in prior Opinion Releases relating to charitable donations.

While these Opinion Releases certainly imply a level of scrutiny at the post donation level, their primary focus is on who the donations are being made to and are they a government official. However, the DOJ may well expect both pre and post donation scrutiny, along the lines of Sexwale’s questions, which could demonstrate the legitimacy of the donation. However Sexwale’s questions also raise up something that the DOJ and SEC often say, that being that a good anti-corruption compliance program is really just good business. Shareholders and investors have the right to know how and where their money is begin spent. It would seem to behoove any company to want to the know the same thing that Sexwale wants to know about the $10MM payment to Jack Warner, What was done to make sure that your good intentions – you as the giver – have been realized? 

To hear the original version of Like a Rolling Stone on YouTube, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 5,349 other followers