FCPA Compliance and Ethics Blog

June 3, 2015

Senn on 10 Best Practices in a Cross-Border Investigation – Part II

Larry McMurtryToday we celebrate Texas Letters. I know that might sound counter-intuitive for a state that is bunkering down for the anticipated Jade Helm invasion but there is a literary tradition that is certainly well known. On this day 79 years ago in 1936 Larry McMurtry was born in Wichita Falls, Texas. He has many accomplishments over the years, starting at 25 when he published his first novel, Horseman, Pass By (1961), in 1966 he explored small-town society isolation in The Last Picture Show, . In 1983 Terms of Endearment became an award-winning movie and in 1986. He won the Pulitzer Prize for Lonesome Dove, his 1985 bestseller about a 19th century cattle drive.

Today I conclude a two-part series on how to formulate an effective best practices cross-border investigation based upon an interview I did with Mara Senn, a partner at Arnold & Porter LLP, who specializes in white collar defense and cases brought under the Foreign Corrupt Practices Act (FCPA). The interview was based on an article that Senn and a colleague, Michelle Albert, published in the FCPA Report, Volume 3, Number 1, entitled “Internal Investigations, How to Conduct an Anti-Corruption Investigation: Developing and Implementing the Investigation Plan”. Today I will review practices six through ten.

  1. Put Form in Native Translations

Senn noted that in the countries that have strict data privacy laws, there are times that the only way an investigation can collect an employee’s personal information is to obtain affirmative assent. Such information might include work documents, work emails, or similar information. However she cautioned that in this situation it is even more important to put the consent form in the native language. She said that you do not want the employee to later claim they did not understand the consent form or thought they were executing something different. It can be critical that you have informed consent, because if you do not have informed consent, that consent could well turn out to be void.

  1. Preserve the Attorney Client Privilege

I first asked Senn to briefly describe the attorney-client privilege. She responded that the attorney-client privilege is a communication between an attorney and a client for the purpose of seeking legal advice. The reason they have this privilege is to make sure that people are not afraid to go their lawyer. Further, the purpose of attorney-client privilege is set up so that you will be encouraged to have protected conversations with counsel, to make sure you understand the law so you can follow it. The US rule is relatively straightforward. It applies to both in-house and outside counsel.

However the rules outside the US can be quite different and perhaps a little bewildering. In many European countries there is no privilege from an in-house counsel, so if a General Counsel (GC) of a company speaks to the President or Chief Executive Officer (CEO) there is absolutely no privilege under basically any circumstances in Europe. Senn then noted that other jurisdictions have other kinds of laws, each with a slightly different parameter, leading to different attorney-client expectations. She gave one such example; where your client is headquartered in Germany and your in-house client is the GC, you cannot really use them as a point person to help you conduct the interview the way you would with the US in-house counsel, because they do not have the attorney-client privilege.

  1. Prepare for Local Enforcement Actions

Most American lawyers are aware that increasingly, as we have seen other jurisdictions, other countries are becoming more aggressive in their enforcement actions for bribery and corruption, sometimes based upon local and domestic anti-bribery laws. Senn pointed out that information which one government knows, whichever government that is, you should expect and assume that multiple governments are cooperating in some way. This then makes it more likely that there could well be some sort of local enforcement action against your client while you are investigating matters around a FCPA claim or potential FCPA claim.

Senn believes this is another area where your local counsel can be helpful in that they should be aware of the different enforcement agencies in different countries that have different ways of doing things. For instance some countries, such as China, like to perform dawn raids; where essentially they come, they get people when they are asleep or when they are just waking up, and they just arrest them or they come in and seize documents.

Yet there are other countries where that is extremely unlikely to happen and so again, local counsel can give you an idea of what the typical raid would look like. Sometimes they just very politely call you and say, “Can we make an appointment? We’d like you to come by.” While this might not occur if the local government officials are concerned that there is the potential for the destruction of evidence, also different countries have different traditions of what they do, so you must ensure that your client is prepared for whatever may come to pass.

  1. Prepare for Security Risks 

In this situation Senn was referring to personal security, physical and health safety. She gave a couple of examples that sometimes you may be going into situations or countries where it may be war torn. Or consider the recent situation when Ebola was going around Western Africa or Central Africa. If you are conducting an investigation in such ravaged areas you should not send your employees to Liberia at that time to interview people. The same can be true in worn-turn areas like Syria or similar locales.

Senn articulated that the better plan would be to remove the people you are interviewing and bring them to you or to a local hub outside of the impacted areas. That avoids a whole host of issues, as you do not want to have to pay for extra security, for example you do not want your employees to have to walk around with loaded machine guns protecting them; you have to make a judgment call as to where and whether these potential threats need to be addressed in some way.

  1. Protect Whistleblowers

Here Senn had some very practical advice, which while it might seem counter-intuitive on the surface due to certain legal decisions, it might actually provide more protections for companies in the long run. Senn began by noting the 2nd Circuit Court of Appeals ruling in the Liu case, which essentially found that the Dodd-Frank retaliation provisions that protect whistleblowers in the US do not apply abroad, so in other words, a foreign whistleblower brought a case saying, “I was retaliated against and I bring a case under the retaliation provisions of Dodd-Frank,” and they said, “No way, you can’t bring it.”

Senn believes that companies that use the Liu decision as a basis to retaliate against whistleblowers outside the US are wrong for several reasons. First, is that the Securities and Exchange Commission (SEC) has announced they will still pay whistleblower outside the US, who come forward and meet the requirements, the Dodd-Frank bounty of up to 30% of the penalty. This means that even if courts determine that the Dodd-Frank provisions do not apply for retaliation for foreign nationals, the SEC can still honor the communication and compensate the foreign whistleblower.

The second reason Senn listed is that the US Sentencing Guidelines make clear that part of an effective compliance and ethics program includes having a publicized system for employees or agents to report potential or actual criminal conduct without fear of retaliation. These Sentencing Guidelines apply to all US companies, both domestic and internationally. Senn believes that if your company retaliates against foreign whistleblowers, the US government can take that into account, which could be viewed in a negative way, meaning that you don’t have an effective compliance and ethics program.

Senn’s best practices around the issue of cross-border investigations are excellent points for you to review if you have to consider such an investigation. Further, if you retain outside counsel to lead your investigation, you can use her best practices as guideposts to scope, plan and assist your outside counsel going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 2, 2015

Senn on 10 Best Practices in a Cross-Border Investigation – Part I

Babe RuthToday we celebrate a closure for it was on this day in 1935 that probably the best-known baseball player in the history of the game, George Herman ‘Babe’ Ruth, retired. While many of his records were broken with the march of history, his career slugging percentage of .690 remains the highest in Major League history. He was an oversized character in every way, from the mammoth home runs that he hit, to his ingestion of hot dogs. While his lifestyle may not be considered best practices for today’s major leaguer to emulate, his name, nicknames and legend will live on as long as baseball is remembered.

I thought about Ruth as I begin a two-part series on how to formulate an effective best practices cross-border investigation based upon an interview I did with Mara Senn, a partner at Arnold & Porter LLP, who specializes in white collar defense and cases brought under the Foreign Corrupt Practices Act (FCPA). The interview was based on an article that Senn and a colleague, Michelle Albert, published in the FCPA Report, Volume 3, Number 1, entitled “Internal Investigations, How to Conduct an Anti-Corruption Investigation: Developing and Implementing the Investigation Plan”. Today I will review practices one through five.

  1. Offer Interview Translations

Senn believes that most people know English to a certain extent and that it is a very universal language nowadays. While many people outside the US have various levels of capabilities in a non-native language, when you get into the very detailed questions in an interview, they may have enough English skills that you assume they understand everything, but in fact, they do not. You may ask a key question, for example, about expense reports, maybe they understand conversational English, but there’s no reason for them to know expense reports. This makes it important to have someone present in the interview that speaks the witness’s native language, and just assume that there are going to be times where you’re going to need to call on that person. She cautioned that you should make it clear to the witness at the outset of the interview that you do not perceive a problem with their English and they understand the reason for the translator.

  1. Avoid Cultural Pitfalls

Here Senn noted that cultural pitfalls are really truly pitfalls and, unfortunately, they can be big deep holes that you do not know anything about, but you can fall into pretty easily. She provided the issue of personal privacy as an example, where most countries have a different concept of privacy, particularly about whether your work area is your own versus what really belongs to the company. In most states in the US, employees fully understand that your employer can come in and take anything from your office at any time, even if it is personal, because you’ve brought it to work. Yet in many other countries, this is not the case. Things at your desk generally are never touched or looked at by anybody else and that’s considered your sanctum where no one else can come. If you go in and do a regular document sweep, the way that you would do in the US, that could be perceived as horribly offensive. She cautioned you should seek local counsel guidance to understand what needs to be done and also explain to you the best way to do it without offending people.

She explained that you do not want witnesses to begin the interview process with a negative view of you and you want them to be cooperative in the interview. This makes it in your best interest to follow local cultural norms. Otherwise, interviews can become embarrassing and awkward at times, if you do fall into one of these cultural pitfalls.

  1. Observe Data Privacy Restrictions

Most American lawyers are aware of different data privacy restrictions and requirements in countries governed by the European Union (EU) and the US. Senn mentioned that some of that is related to employee and employment law; whether or not they have ownership of certain information, and then other parts of the law that really do have to do with data privacy, which means personal information that no matter what form it is in, it cannot be disseminated. But here the point under this best practice is that your analysis and response must go much further to satisfy the US Department of Justice (DOJ) if you want to claim that you cannot get certain information out of a country because of data privacy restrictions.

For instance if you have personal data that you are routinely sending cross-border yet when an investigation begins you claim that you cannot take it out of that same country, for instance Germany; the DOJ will take a dim view of that claim. Further, even if there is a data privacy law on the books, yet the country does not enforce the law, that could work against any data privacy claim as well. So you will need to be prepared to fully present persuasive evidence on this issue if you try and make such a claim.

  1. Comply with Labor Requirements

Similar to the long-standing Weingarten right of unionized employees in the US to have a representative present for interviews, in many countries outside the US there are Works Council and similar analogs in other countries, where, basically, the Works Council is responsible for the interactions between the employers and the employees. Moreover, employees have certain statutory or labor code based rights as employees, regardless of whether they are members of a labor union or not. These rights can drill down into the types of questions that you can ask or even prevent you from meeting with or interviewing certain employees.

Senn noted that you may well have to work through Works Council to make sure that the way you ask the questions, and those present for the company, are acceptable to Works Council. If you do not have this pre-approval it may be that the Works Council prevents you from meeting with certain employees. For each area that you operate in, you must engage the local legal counsel to determine what is the best way to work with the Works Council, or similar types of organizations, to ensure that you can get done what needs to get done in your investigation.

  1. Be Aware of Other Local Requirements

Points three and four certainly lead into Senn best practice No. 5. She believes it is incumbent that you work with local counsel in the country you are performing the interviews to garner an understanding of the witnesses rights and your obligations during any investigation. She explained that many ways a US lawyer would think about doing an investigation could be problematic in other jurisdictions. She gave the examples of taking pictures or physically removing documents from a location, which could be issues that you might face. You certainly need advice and counsel on what is legal and what might not be going forward.

Ruth and Senn; Senn and Ruth? Even if you do not immediately associate them, Mara Senn has once again provided the compliance practitioner with concrete steps to take around international investigations and their protocol. Tomorrow, I will consider her practices six through ten.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 29, 2015

Doing Compliance in an Economic Downturn, Part IV – Testing, Peer Groups and Talent Development

Edmund HillaryToday we celebrate the conquest of what the Tibetans call “Mother Goddess of the Land” and what the rest of us call Mount Everest. For on this date in 1953, Sir Edmund Hillary of New Zealand and Tenzing Norgay, a Nepalese Sherpa, became the first explorers to reach the summit of the highest point on earth. News of the success was rushed by runner from the expedition’s base camp to the radio post at Namche Bazar, and then sent by coded message to London, where Queen Elizabeth II learned of the achievement on June 1, the eve of her coronation. The next day, the news broke around the world. Later that year, Hillary and Norgay were both honored by the queen for their momentous achievement.

One of the things that made Hillary and Norgay’s ascent to the summit of Everest was the overall integration and teamwork of the entire group. The British team was led by Colonel John Hunt who set up a series of camps, allowing the expedition to push its way up the mountain in April and May. A new passage was forged through several previously un-surmounted obstacles to bring the team to about 26,000 feet. The first assault to the summit was launched on May 26 by Charles Evans and Tom Bourdillon, however they had to abandon their assent 300 feet from the top due to malfunctioning oxygen sets. Three days later, Hillary and Norgay were successful. In other words, teamwork and process were key to their success.

The accomplishment achieved by Hillary and Norgay drives the conclusion of my series on the steps you can take to improve your Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program and overall compliance function during a period of economic downturn. So when faced with reduced monetary resources and lessened head count you might want to consider the teamwork of compliance. To that end you might use a strategy of developing compliance talent and relationships for the compliance function. You could initiate a compliance talent development group where you rotate high potential individuals in your company through the compliance function in some manner.

My suggestion would be to work with senior management and your Human Resources (HR) function to identify some of the key talent within your company. They can come from any other area of the company; such as accounting, finance, internal audit, HR itself, sales or any other discipline. From there you can task them to lead a working group on a compliance related project. The project itself can be any project you would like to try and implement when funding becomes more available.

One company I worked at had such an organization called the President’s Team which was an annual group that developed projects for the company Chief Executive Officer (CEO). The concept is the same but the goal is having the high talent employees learn more about compliance. Equally important for you as the compliance practitioner is to develop relationships with such up and comers so you can access to them if they continue to progress up the corporate chain. Remember it is important to have relationships with those in power and those who will be in power.

In addition to the talent development group, you should also revisit your interactions with your Board or Audit Committee. You need to re-emphasize to them their responsibility for compliance going forward and that it will not diminish simply because the price of oil has gone south or any other reason why you may be in an economic downturn. If there are emergency projects or others which you believe should take priority this would be a good time to inform and educate the Board on them so that you can continue to maintain as much funding as is possible. This could come into play if you have a number of whistleblower complaints to triage and review in short order due to employee layoffs. But if you did not establish those relationships ‘yesterday’, you probably cannot call on them ‘tomorrow’ so you need to make sure they are in place now.

Another idea that you can try is something along the lines of a client advisory committee or peer group review. You can put together a peer group to help advise your compliance function. After all, one of your constituent groups is your employee base. So why not turn to that group to find out what is working and perhaps their views on what is not, in their eyes, from the compliance function. If they can provide feedback to you on how to streamline a compliance process you might well be able to incorporate such suggestions going forward. They will be aware of the resource constraints the company is under so it could be an avenue which you have not previously used. Further, as with the talent development group concept, you would have the opportunity to develop relationships with other leaders in your organization. Finally, the group would have greater investment in the compliance function going forward.

Next is one of your highest risks, that of third parties, which most compliance practitioners recognize as their highest risk in any FCPA anti-corruption compliance program. This risk does not lessen simply because of a downturn. My suggestion is that you test and review all of the indicia around the lifecycle of your third party risk management program. This is not a forensic audit or even standards that an auditor might use. But you can test and you can test the documentation around your program at little to no cost.

The lifecycle of a third party is the following: (1) Business justification, (2) Questionnaire, (3) Due Diligence and Evaluation, (4) Contract negotiation, and (5) Managing the relationship thereafter. You can perform testing on all of these steps by reviewing the documentation in your third party database. For each third party you should confirm that there is documentation in each file, which supports each of the five prongs. In addition to the document, document, document aspect of this exercise, you can also use it as a cross-check on your internal control mapping for each validated prong so this can also be considered an internal compliance control.

I hope that you have found some of these ideas for improving your compliance function in an economic downturn useful. Perhaps they have stimulated ideas or discussions within your organizations going forward. If you have any other ideas which you would be willing to share, I hope that you will pass them along to me. We are all in this compliance ride together anything we all can do to move things forward is progress in my mind.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 27, 2015

Economic Downturn Week, Part III – The Desktop Risk Assessment

Economic DownturnI continue my exploration of actions you can take to improve your compliance program during an economic downturn with a review of what my colleague Jan Farley, the Chief Compliance Officer (CCO) at Dresser-Rand, called the ‘Desktop Risk Assessment’. Both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) make clear the need for a risk assessment to inform your compliance program. I believe that most, if not all CCOs and compliance practitioners understand this well articulated need. The FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” While many compliance practitioners have difficulty getting their collective arms about what is required for a risk assessment and then how precisely to use it; the FCPA Guidance makes clear there is no ‘one size fits all’ for about anything in an effective compliance program.

One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. Of course this can be a notoriously expense exercise and if you are in Houston, the energy industry or any sector in the economic doldrums about now, this may be something you can even seek funding for at this time. Moreover, you may also be constrained by reduced compliance personnel so that you can not even perform a full-blown risk assessment with internal resources.

However if there is one thing that I learned as a lawyer, which also applies to the compliance field, it is that you are only limited by your imagination. So using the FCPA Guidance’s no ‘one size fits all’ proscription, I would submit that is also true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters.

Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

  • Are resources adequate to sustain a culture of compliance?
  • How are the risks in the C-Suite and the Boardroom being addressed?
  • What are the FCPA risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
  • Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
  • Communication of information and findings – Are escalation protocols appropriate?
  • What are the opportunities to improve compliance?

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

You could assess your company’s senior management support for your compliance efforts through interviews of high-level personnel such as the Chief Financial Officer (CFO), General Counsel (GC), Head of Sales, Chief Executive Officer (CEO) and all Board, Audit or Compliance Subcommittee members to assess “tone from the top” and their actual knowledge about the Foreign Corrupt Practices Act (FCPA) and your compliance program. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.

Such a review would lead to the next level of assessment, which would be generally labeled as communications within an organization regarding compliance. You can do this by assessing compliance policy communications to company personnel but even more so by reviewing such materials as compliance training and certifications that employees might have in their files. If you did not yet do so, you should also take a look at statements by senior management regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections.

A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on the reporting of suspected compliance violations and the actions taken on any internal reports, including follow-ups to the reporting employees. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses.

I do not think there is any dispute that third parties represent the highest risk to most companies under the FCPA, so a review of your due diligence program is certainly something that should be a part of any risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries, you should also consider the compliance procedures in place for your company’s mergers and acquisitions (M&A) team; focusing on the pre-acquisition phase.

One area that I do not think gets enough play, whether in the FCPA Inc. commentary or in day-to-day practice is looking at what might be called employee commitment to your company’s compliance regime. So here you may want to review your compliance policies regarding employee incentives for compliance. But just as you look at the carrots to achieve compliance with your program, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly. If you discipline top sales people in Brazil, you have to discipline your top sales folks in the US for the same or similar violations.

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the areas you can assess. My suggestion is that you try identifying and focusing on core compliance components in your organization. Obviously there are probably a million things you could fix. However, you cannot fix everything, so you must make a decision about your primacies, and then act on them. A Desktop Risk Assessment may well help you to do so.

As with the other suggestions I have put forward during the Economic Downturn Week series, if you perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. Moreover, when funds and resources do become available to you and the compliance function, you will have a stronger program and one which move towards best-in-class. Finally, do not forget that the FCPA Guidance ends its section on risk with the following, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” By using the Desktop Risk Assessment during an economic downturn, you can answer any regulator who asks what have you done to manage the risks in your company, by using the resources and tools that were available to you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Economic Downturn Week, Part II – The Golden Gate Bridge and Employment Separation – Hotlines and Whistleblowers During Layoffs

Golden Gate BridgeToday, we celebrate one of the greatest engineering achievements of the century. On this date in 1937, the Golden Gate Bridge opened. At 4200 feet long, it was at the time the world’s longest suspension bridge. But not only was it an engineering and architectural milestone, its aesthetic form was instantly recognized as classical and to this day is one of the most iconic structures in the US if not the world. With just a few years until its 80th birthday, it demonstrates that a lasting structure is more than simply form following function but contains many elements that inform its use and beauty.

I use the Golden Gate Bridge as an entrée to my continued discussion on the series on steps that you can use in your compliance program if you find yourself, your company or your industry in an economic downturn. Whether you are a Chief Compliance Officer (CCO) or compliance practitioner, these steps are designed to be achieved when you face reduced economic resources or lessened personnel resources going forward due to a downturn your economic sector. Yesterday, I discussed mapping your current and existing internal controls to the Ten Hallmarks of an Effective Compliance Program so that you can demonstrate your compliance with the Foreign Corrupt Practices Act’s (FCPA) internal control prong to the accounting procedures. Today I want to discuss the issues surrounding the inevitable layoffs your company will have to endure in a downturn.

In Houston, we have experienced energy companies laying off upwards of 30% of their workforce, both in the US and abroad. Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming it can still be quite a shock when Human Resources (HR) shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for a wide variety of complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible.

Before you begin your actual layoffs, the compliance practitioner should work with your legal department and HR function to make certain your employment separation documents are in compliance with the recent SEC v. KBR Cease and Desist Order regarding Confidentiality Agreement (CA) language which purports to prevent employees from bringing potential violations to appropriate law or regulatory enforcement officials. If your company requires employees to be presented with some type of CA to receive company approved employment severance package, it must not have language preventing an employee taking such action. But this means more than having appropriate or even approved language in your CA, as you must counsel those who will be talking to the employee being laid off, not to even hint at retaliation if they go to authorities with a good faith belief of illegal conduct. You might even suggest, adding the SEC/KBR language to your script so the person leading the conversation at the layoff can get it right and you have a documented record of what was communicated to the employee being separated.

When it comes to interacting with employees first thing any company needs to do, is to treat employees with as much respect and dignity as is possible in the situation. While every company says they care (usually the same companies which say they are very ethical), the reality is that many simply want terminated employees out the door and off the premises as quickly as possibly. At times this will include an ‘escort’ off the premises and the clear message is that not only do we not trust you but do not let the door hit you on the way out. This attitude can go a long way to starting an employee down the road of filing a claim for retaliation or, in the case of FCPA enforcement, becoming a whistleblower to the Securities and Exchange Commission (SEC), identifying bribery and corruption.

Treating employees with respect means listening to them and not showing them the door as quickly as possible with an escort. From the FCPA compliance perspective this could also mean some type of conversation to ask the soon-to-be parting employee if they are aware of any FCPA violations, violations of your Code of Conduct or any other conduct which might raise ethical or conflict of interest concerns. You might even get them to sign some type of document that attests they are not aware of any such conduct. I recognize that this may not protect your company in all instances but at least it is some evidence that you can use later if the SEC (or Department of Justice (DOJ)) comes calling after that ex-employee has blown the whistle on your organization.

I would suggest that you work with your HR department to have an understanding of any high-risk employees who might be subject to layoffs. While you could consider having HR conduct this portion of the exit interview, it might be better if a compliance practitioner was involved. Obviously a compliance practitioner would be better able to ask detailed questions if some issue arose but it would also emphasize just how important the issue of FCPA compliance, Code of Conduct compliance or simply ethical conduct compliance was and remains to your business.

Finally are issues around hotlines, whistleblower and retaliation claims. The starting point for layoffs should be whatever your company plan is going forward. The retaliation cases turn on whether actions taken by the company were in retaliation for the hotline or whistleblower report. This means you will need to mine your hotline more closely for those employees who are scheduled or in line to be laid off. If there are such persons who have reported a FCPA, Code of Conduct or other ethical violation, you should move to triage and investigate, if appropriate, the allegation sooner rather than later. This may mean you move up research of an allegation to come to a faster resolution ahead of other claims. It may also mean you put some additional short-term resources on your hotline triage and investigations if you know layoffs are coming.

The reason for these actions are to allow you to demonstrate that any laid off employee was not separated because of a hotline or whistleblower allegation but due to your overall layoff scheme. However it could be that you may need this person to provide your compliance department additional information, to be a resource to you going forward, or even a witness that you can reasonably anticipate the government may want to interview. If any of these situations exist, if you do not plan for their eventuality before you layoff the employee, said (now) ex-employee may not be inclined to cooperate with you going forward. Also if you do demonstrate that you are sincerely interested in a meritorious hotline complaint, it may keep this person from becoming a SEC whistleblower.

Just as the Golden Gate Bridge provides more to the human condition than simply a structure to get from San Francisco to Marin County, layoffs in an economic downturn provide many opportunities to companies. If they treat the situation appropriately, it can be one where you manage your FCPA compliance risk going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

 

 

May 26, 2015

Economic Downturn Week, Part I – Mapping of Your Internal Compliance Controls

Economic DownturnThis week I will present a series on steps that you can take in your compliance program if you find yourself, your company or your industry in an economic downturn. All of the recommendations I will make are ideas that have been put into action by companies currently facing these issues. They are ideas that you can use if you have scarce or lessened economic resources for your compliance function. Today I will take my cue from the recent Securities and Exchange Commission (SEC) enforcement action against BHP Billiton (BHP) as a key indicator of where greater and more rigorous SEC enforcement is heading. That is in the area of the enforcement of internal controls and steps that you can take right now, even with reduced head count and budgetary resources, to improve your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption compliance program.

However, before we get to that subject, I want to remember Marques Haynes, who died last week. Haynes was a basket baller extraordinaire who played with the Harlem Globetrotters off and on for 40 years. As was set out in his New York Times (NYT) obituary last week, Haynes “whose dazzling ball-handling skills, exhibited for more than 40 years as a member of the Harlem Globetrotters and other barnstorming black basketball teams, earned him a place in the Naismith Basketball Hall of Fame and an international reputation as the world’s greatest dribbler”. He was the first Globetrotter inducted into the Naismith Memorial Basketball Hall of Fame. I saw Haynes play in the later stages of his career with the Globetrotters; both on ABC’s Wide World of Sports and through their non-stop touring when they came to even my Podunk hometown. So here’s to you Marques and I am sure you have called ‘Next’ for that great pickup game in the sky several times now.

As they made clear with several FCPA enforcement actions from last fall, the SEC has placed a renewed interest in the accounting provisions of the FCPA, specifically the internal controls provisions. The BHP enforcement continued this trend, where there was no evidence that bribes were paid or offered in violation of the FCPA, tet the poor internal compliance controls at BHP led to a $25MM fine. Indeed Kara Brockmeyer, the Chief, FCPA Unit; Division of Enforcement of the SEC, who spoke at the recently concluded Compliance Week 2015, in a session entitled “A New Look at FCPA Enforcement”, reiterated that the SEC was committed to protecting investors in US public companies and those which list other securities in the US, through enforcement of the accounting provisions, including internal controls provisions of the FCPA. It would seem that the reason is straightforward; a company with rigorous internal compliance controls is better able to prevent, detect and remedy any FCPA violations that may occur.

So, in the midst of an economic downturn, what can you do around the FCPA’s requirements for internal controls and current SEC emphasis? I would suggest that you begin with an exercise where you map the internal controls your company has in place to the indicia of the Ten Hallmarks of an Effective Compliance Program, as set out in the FCPA Guidance. While most compliance practitioners are familiar with the Ten Hallmarks, you may not be as familiar with standards for internal controls. I would suggest that you begin with the COSO 2013 Framework as your starting point.

As a lawyer or compliance practitioner you may not be familiar with all the internal controls that you have in place. This exercise would give you a good opportunity to meet with the heads of Internal Audit, Finance and Accounting (F&A), Treasury or any other function in your company that deals with financial controls. Talk with them about the financial controls you may already have in place. An easy example is employee expense reports. Every company I have ever worked at or even heard about requires expenses for reimbursement to be presented, in documented form on some type of expense reimbursement form. This is mandatory for IRS reporting; so all entities perform this action. See how many controls are in place. Is the employee who submits the expense reimbursement required to sign it? Does his/her immediate supervisor review, approve and sign it? Does any party in the employee’s direct reporting chain review, approve and sign? Does anyone from accounts payable review and approve, both for accuracy and to make sure that all referenced expenses are properly receipted? Is there any other review in accounts payable? Is there any aggregate review of expense reports? Is there a monetary limit over which additional reviews and approvals occur?

Now if an employee has submitted expenses for activities that occurred outside the US are there are any foreign government officials involved? Were those employees identified on the expense reimbursement form? Was the business purpose of the meal, gift or other hospitality recorded? Can you aggregate the monies spent on any one foreign official or by a single employee in your expense reporting system? All of these are internal controls that can be mapped to the appropriate prong of the Ten Hallmarks or other indicia of your compliance program.

You can take this exercise through each of the five objectives under the COSO 2013 Framework and its attendant 17 Principles. From this mapping you can then perform a gap analysis to determine where you might need to implement internal compliance controls into your anti-corruption compliance program. This can lead to remedial steps that you can take. For example you can recommend procedures be written for all key compliance areas in which there are currently no procedures and your existing procedures can be updated to include compliance issues and clear definition how controls are to be evidenced. Through this you can move from having detect controls in place, to having prevent controls, whenever possible.

As a Chief Compliance Officer (CCO) or compliance practitioner, this is an exercise that you can engage in at no cost. You simply investigate and note what internal controls you have in place and how they may be a part of your anti-corruption efforts going forward. As I said last week, compliance is a straightforward exercise. This does not mean that it is easy; you do have to work at it so that you will simply not have a paper, “check the box”, program. But using the excuse that you have limited resources is simply an excuse and a rather poor one at that. While the clear lesson from the BHP enforcement action is that you are required to have effective internal controls in place, by engaging in this mapping exercise you can then figure out what you have and, more importantly, what internal compliance controls that you do not have and need to institute.

Finally, if you do have resources and need some help, you can reach me at the email below.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 22, 2015

On the Oregon Trail: the BHP Enforcement Action and High-Risk Hospitality

Oregon TrailToday we celebrate American exceptionalism. As noted in ‘This Date in History’, on this date in 1834 the first wagon train, made up of 1,000 settlers and 1,000 head of cattle, set off down the Oregon Trail from Independence, Missouri, on the Great Emigration. After leaving Independence, the giant wagon train followed the Santa Fe Trail for some 40 miles and then turned to its northern route to Fort Laramie, Wyoming. From there, it traveled on to the Rocky Mountains, which it passed through by way of the broad, level South Pass that led to the basin of the Colorado River. The travelers then went southwest to Fort Bridger and on to Fort Boise, where they gained supplies for the difficult journey over the Blue Mountains and into Oregon. The Great Emigration finally arrived in October, completing the 2,000-mile journey from Independence in five months.

The settlers who took off on this Great Emigration on the Oregon Trail did not have anything in the way of a road map. Fortunately for the modern day anti-corruption compliance practitioner, you do have road maps that can guide your compliance with the Foreign Corrupt Practices Act (FCPA) going forward. Over the past few years the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have put out significant and detailed information on compliance failures, which have led to FCPA enforcement actions. For any Chief Compliance Officer (CCO) or compliance practitioner, these enforcement actions provide solid information of lessons learned which can be used as teaching points for companies. Further, these lessons can be used as road maps to review compliance programs to see what gaps, if any, may exist and how to implement solutions.

This trend continued with the release of the SEC FCPA enforcement action involving BHP Billiton Ltd. (BHP) this week. First and foremost to note is that it was a SEC enforcement action involving violations of the internal controls provision of the FCPA. There was no evidence of bribery leading to any DOJ enforcement action. Yet as I have been writing and saying for almost one year, SEC enforcement of the internal controls provision of the FCPA is increasing and companies need to pay more attention to this part of the FCPA. A bribe or offer to bribe does not have to exist for an internal controls violation to occur. CCOs and compliance practitioners need to be cognizant of compliance internal controls and put effective compliance internal controls in place that can be audited against to test their effectiveness.

The BHP enforcement action revolved around the company’s hospitality program for the Beijing 2008 Olympics. Every CCO and compliance practitioner should study this enforcement action in detail so that they can craft appropriate compliance internal controls for high dollar entertaining for big time sporting events. For any company that may be planning for high dollar hospitality spends for the 2016 Brazil Olympics, this enforcement action lays out what you should and should not do in your compliance program. But this holds true for any major sporting event such as the Super Bowl, World Cup or you name the event.

BHP had a paper program that appeared robust. As laid out in the Cease and Desist Order, “BHPB developed a hospitality application which business managers were required to complete for any individuals, including government officials, whom they wished to invite.” The application included these questions to be fully answered:

  • “What business obligation exists or is expected to develop between the proposed invitee and BHP Billiton?”,
  • “Is BHP Billiton negotiating or considering any contract, license agreement or seeking access rights with a third party where the proposed invitee is in a position to influence the outcome of that negotiation?”
  • “Do you believe that the offer of the proposed hospitality would be likely to create an impression that there is an improper connection between the provision of the hospitality and the business that is being negotiated, considered or conducted, or in any way might be perceived as breaching the Company’s Guide to Business Conduct? If yes, please provide details.”; and
  • “Are there other matters relating to the relationship between BHP Billiton and the proposed invitee that you believe should be considered in relation to the provision of hospitality having regard to BHP Billiton’s Guide to Business Conduct?”

So the right forms were in place and some of them were fully filled out. However, as the Cease and Desist Order made clear, an effective compliance program does not end at that point. Now would be an appropriate time to recall that high risk does not mean you cannot engage in certain conduct. High risk means that to have an effective compliance program, you have to manage that risk. A basic key to any effective compliance program is oversight or a second set of eyes baked in to your process. BHP formally had this oversight or second set of eyes in the form of an Olympic Sponsorship Steering Committee (OSSC) and Global Ethics Panel Sub-Committee.

Where BHP failed was that “other than reviewing approximately 10 hospitality applications for government officials in mid-2007 in order to assess the invitation process, the OSSC and the Ethics Panel subcommittee did not review the appropriateness of individual hospitality applications or airfare requests. The Ethics Panel’s charter stated that its role simply was to provide advice on ethical and compliance matters, and that “accountability rest[ed] with business leaders.” Members of the Ethics Panel understood that, consistent with their charter, their role with respect to implementation of the hospitality program was purely advisory. As a result, business managers had sole responsibility for reconciling the competing goals of inviting guests – including government officials – who would ““maximize [BHPB’s] commercial investment made in the Olympic Games” without violating anti-bribery laws.”

But there was more than simply a failure of oversight by BHP. The Cease and Desist Order noted that not all of the forms were filled out with the critical information around a whether a proposed recipient might have been a government official. Even more critically missing was information on whether the proposed recipient was in a position to exert influence over BHP business. Moreover, BHP did not provide training to the business unit employees who ended up making the call as to whether or not to provide the hospitality on payment of travel and hospitality for spouses. The Cease and Desist Order stated that BHP “did not provide any guidance to its senior managers on how they should apply this portion of the Guide when determining whether to approve invitations and airfares for government officials’ spouses.” Finally, there were no controls in place to update or provide ongoing monitoring of the critical information in the forms.

All of this led the SEC to state the following, “As a result of its failure to design and maintain sufficient internal controls over the Olympic global hospitality program, BHPB invited a number of government officials who were directly involved with, or in a position to influence, pending negotiations, efforts by BHPB to obtain access rights, or other pending matters.” This led to the following, “BHPB violated Section 13(b)(2)(B) because it did not devise and maintain internal accounting controls over the Olympic hospitality program that were sufficient to provide reasonable assurances that access to assets and transactions were in executed in accordance with management’s authorization.” Perhaps it was stated most succinctly by Antonia Chion, Associate Director of the SEC’s Division of Enforcement, in the SEC Press Release announcing the enforcement action when he said, “A ‘check the box’ compliance approach of forms over substance is not enough to comply with the FCPA.”

There is also clear guidance from the SEC about how BHP was able to obtain the reduced settlement it received. BHP “provided significant cooperation with the Commission’s investigation”. Moreover, the Cease and Desist Order laid out the remedial steps the company took. These steps included: (1) creation of compliance group independent of the business units; (2) review of its anti-corruption program and implementation of certain upgrades; (3) embedding of anti-corruption managers into the business units; (4) enhancements of “its policies and procedures concerning hospitality, gift giving, use of third party agents, business partners, and other high-risk compliance areas”; (5) enhancement of “financial and auditing controls, including policies to specifically address conducting business in high-risk markets”; and (6) enhanced anti-corruption compliance training.

FCPA compliance is a relatively simply exercise. That does not mean it is easy. For travels on the Great Emigration on the Oregon Trail, travel was neither simple nor easy. If you want to send government officials to high profile sporting events or provide other high dollar hospitality, the FCPA does not prevent you from doing so. But it is a high risk and to be in compliance you must to manage those high risks appropriately, all the way through the process. The BHP enforcement action provides you a detailed road map of what to do and what not to do.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 20, 2015

Levi Strauss and Auditing of Third Parties

Levi StraussToday we celebrate innovation. On this day in 1873, a patent to create work pants reinforced with metal rivets was granted. This marked the birth of one of the world’s most famous garments: the blue jeans. Jacob Davis, a tailor in Reno, Nevada, presented the idea to Levi Strauss in 1872 when he wrote Strauss a letter about his method of making work pants with metal rivets on the stress points to make them stronger. Davis didn’t have the money for the necessary paperwork and proposed that Strauss provide the funds and that they get the patent together. Strauss agreed and the patent for “Improvement in Fastening Pocket-Openings”, the innovation that would produce blue jeans, was granted.

Until Strauss opened a factory in 1880 the “waist overalls”, as the original jeans were known, were manufactured by seamstresses working out of their homes. Levi’s 501’s, previously known as “XX”, were soon a bestseller, and by the 1920s they were the top-selling work pant in the US. Over the decades the fad has grown and today they are a firm staple in closets around the globe.

I thought about this innovation and sustained excellence when I sat through a presentation at Compliance Week 2015 by two ladies from BakerHughes Inc. (BHI) Jennifer Ellison, Senior Legal Compliance Manager, and Marianne Ibrahim, Senior Counsel, on Audits and Investigations. They focused on three aspects of the company’s audit program in its compliance function, types and purpose of Foreign Corrupt Practices Act (FCPA) audits, planning for the audit and interviewing all in conjunction with your audit program for third parties.

When planning for such an audit they laid out the following steps. You should plan out four to six weeks in advance, you should perform the audit with your legal counsel’s lead to preserve privilege, work with the business sponsor to establish key business contacts, discuss audit rights and processes with the third party, you should prepare initial document request lists for financial information queries, take the time to review findings from previous audits and resolutions and also review details of opened and closed internal investigations, if there are any Code of Conduct questionnaires available take care to review and finally be cognizant of any related Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement actions.

They noted you should try and determine the entry points of foreign government involvement. They broke this down into (1) direct and (2) indirect. In the direct category they listed the following areas: customs and duties, corporate taxes and penalties, social security or national insurance issues for employees, obtaining in-country visas and work permits, public official gifts and entertainment, training of and attendant travel for employees of government owned entities, procurement of business licenses and permits to perform work and, finally, areas around police escort and security. In the indirect category, some of the key areas to review are: customs agents and freight forwarders, visa processors, commercial sales agents, including distributors and, finally, those who might be consultants or other channel partners.

Document review and selection is important for this process. They said that you should ask for as much electronic information as possible well in advance of your audit. They did recognize that it is much easier to get database records for internal audits than audits of third parties. One item they made sure to ask for in advance was records in database or excel format and not simply in .pdf. They suggested you ask for the following categories of documents; trial balance, chart of accounts, journal entry line items, financial and compliance policies, prior audited financial statements, bank records and statements, a complete list of agents or intermediaries and revenue by country and customer.

When you are ready to commence your interviews, they emphasized that the lead interviewer needs to be culturally sensitive, patient and must negotiate a good working relationship with auditors, who will be reviewing the documents from the forensic perspective. Regarding potential interviewees, they related you should focus on those who interact with government entities, foreign government officials or third parties, including those personnel involved with:

  • Business Leadership
  • Sales/Marketing/Business Development
  • Operations
  • Logistics
  • Corporate Functions: Human Resources, Finance, Health, Safety and Environmental, Real Estate and Legal.

For the interview topics, they suggested several lines of inquiry. Initially they noted you should conduct the audit interview as precisely that, an audit interview and not an investigative interview. You should not play ‘got-cha’ in this format. They said you should avail yourself of the opportunity to engage in training while you are interviewing people. The topics to interview on included:

  • General policies and procedures
  • Books and records pertaining to FCPA risks;
  • Test knowledge of FCPA and UK Bribery Act including facilitating payments and their understanding of your company’s prohibitions;
  • Regulatory challenges they may face;
  • Any payments of taxes, fees or fines;
  • Government interactions they have on your behalf; and
  • Other compliance areas you may be concerned about or that would impact your company, including: trade, anti-boycott, anti-money laundering, anti-trust.

Ellison and Ibrahim went into detail regarding the review you should make around the General Ledger (GL) accounts. They suggested you review commission payments to agents and representatives, any facilitating payments made, all payments around travel, meals and entertainment, payments made around training, gifts, charitable contributions, political donations and sales and promotion expenses. If there were payments made for customs or freight forwarders and other processing agents, permits, licenses, taxes and other regulatory expenses should be reviewed. Additionally any entries pertaining to community contributions and social responsibility payments should be assessed and, finally, they suggested that a review of any security payments, extortion payments, payments to legal consultants or tax advisors or fines and penalties should be considered.

Regarding bank accounts and cash disbursement controls, you should review the following:

  • Review controls around bank accounts and cash disbursements;
  • Identify and review authorized signers, approval levels, and bank reconciliations;
  • Ensure all bank accounts are included in the General Ledger;
  • Identify and review certain bank and cash disbursement transactions;
  • Identify offshore bank accounts.

In the area of cash funds review the following:

  • Review controls around petty cash funds;
  • Ascertain processes in place regarding disbursement and reconciliation of cash funds;
  • Identify and review payments to government officials, agents, or any unusual or suspicious activities; and
  • Identify and review certain bank transactions and test for any improper payments.

For gifts, travel and entertainment, you should explore payments made through employee-reimbursed expenses, scrutinize for any suspicious expenses submitted, expenses lacking adequate documentation, incorrect posting; and identify and review accounts associated with gifts, meals, entertainment, travel, or promotion. In the area of payroll, consider the risks around the use of ghost employees, hiring of relatives of government employees, and the use of bonus payments and be sure to request a payroll listing and review for any such persons.

Around training you should determine whether your company provides industry specific training to government entities, and review GL accounts and expenses for related items. In taking a look at payments under local law, you should obtain list of payments to the government required by local laws and identify and review payments to government authorities or employees, customs authorities or agents, income taxes authorities or license requirements. For payments made to third parties, you should review commission and expense payments for compliance with company policy and also trace payments to the third party’s bank account.

Ellison and Ibrahim provided solid, detailed information on not only what your audit protocol should be but also provided material on what you should look for and how you should do it. It was an excellent presentation.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 7, 2015

Doing Compliance – Released in Amazon Kindle and Apple iBook Formats

Doing Compliance 05I am extraordinarily pleased to announce that Compliance Week has released my most recent hardbound book, Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program, in both Amazon Kindle and Apple iBook formats. Of course you can also purchase a hard copy to keep on your reference shelf as well. It is the book that a compliance practitioner should use as a one-volume reference for the everyday ‘Nuts and Bolts’ work of anti-corruption compliance.

Just as the world becomes more flat for business and commercial operations, it is also becoming so for anti-corruption and anti-bribery enforcement. Any company that does business internationally must be ready to deal with a business environment with these new realities. Doing Compliance is designed to be a one-volume work that will give to you some of the basics of creating and maintaining an anti-corruption and anti-bribery compliance program that will meet any business climate you face across the globe. The book format is an easy reference to assist you with your compliance program and I have based my discussion of a best practices compliance program on what the Criminal Division of the US Department of Justice (DOJ) and Enforcement Division of the Securities and Exchange Commission (SEC) set out in their jointly produced “A Resource Guide to the U.S. Foreign Corrupt Practices Act” (the FCPA Guidance) and the “Ten Hallmarks of an Effective Compliance Program”.

The FCPA Guidance wisely made clear that there is no ‘one-size-fits-all’ approach when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors.” Thus, the book is written to provide insight into the aspects of compliance programs that the DOJ and SEC assess, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs.

The book has struck a cord with other well-known figures in the compliance community. Professor Andy Spalding, writing in the FCPA Blog, in a post entitled “Book Review: Tom Fox’s Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program”, said, “Compliance must be thorough, systematic, and highly attentive to detail. But no one ever said it had to be boring. And Tom Fox has proven this yet again. His Doing Compliance provides the most sophisticated and comprehensive compliance guidance available, with a delivery that is witty, lively, and even entertaining.”

The FCPA Professor, in a post entitled “Doing Compliance” – An FCPA Compliance Toolbox”, said, “Fox approaches the FCPA and related topics with a singular goal in mind: analyzing and articulating the vast body of literature on FCPA best practices in a digestible, practical, and workable way to be of value to compliance professionals in the field. In short, Fox is the “nuts and bolts” guy of FCPA compliance who not only offers his own insight and perspective on best practices, but also effectively aggregates the insights and perspectives of others. Fox’s latest book is “Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program” and in it he provides, in his words, “the basics of how to create and maintain an anti-corruption and anti-bribery compliance program to suit any business climate across the globe.” The nine chapters of the book are grouped around topics such as senior management commitment to compliance; written policies and procedures; conducting a risk assessment; training; hiring and other human resources issues; reporting and investigation; and merger and acquisition due diligence. “Doing Compliance” is peppered with many helpful checklists and factors that compliance professionals can use on a daily basis to implement, assess and improve FCPA compliance policies and procedures.”

This book does not discuss the underlying basis of the FCPA, the UK Bribery Act or any other anti-corruption or anti-bribery legislation. The book is about doing business in compliance with these laws. As with all Americans, I appreciate any list that is deca-based, so the format of 10 hallmarks resonates with me. I have used this basic ten-part organization in laying out what I think you should consider in your anti-corruption and anti-bribery compliance program. In addition to presenting my own views in these areas, I also set out the views of both FCPA practitioners and commentators from other areas of business study and review, including Mike Volkov, the FCPA Professor, David Lawler, Stephen Martin, Marjorie Doyle, Russ Berland and Scott Moritz, and many others.

If there is one book on the ‘Nuts and Bolts’ of how to design, create and implement a best practices compliance program, I submit to you this is the one. I hope that you will check it out in one of the new formats now available. Finally, the price is set at a very reasonable $69.95 so if you are a Chief Compliance Officer (CCO) or General Counsel (GC), you can purchase an entire set for your compliance team. You can even buy them for your friends and family if you want them to have a better understanding of what you do at work!

To purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program click on one of the links below:

 Hard copy

Amazon Kindle

 Apple iBook

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 5, 2015

Ruth Rendell and Developing Better Compliance Solutions

Ruth Rendell MysteriesRuth Rendell died this past weekend. Along with Patricia Cornwell, she was one of the two greatest mystery writers for the past couple of decades. I thoroughly enjoyed her books which, as her New York Times (NYT) obituary said, were “intricately plotted mystery novels that combined psychological insight, social conscience and, not infrequently, teeth-chattering terror.” For a mystery writer, it does not get much better than those accolades. Another crime writer, the Scottish author Val McDermid, was quoted in the NYT that Rendell and P.D. James “transformed what had become a staid and formulaic genre into something that offered scope for a different kind of crime novel. In their separate ways they turned it into a prism for examining the world around them with a critical eye.” Rendell was truly an innovator and a one-of a-kind.

One of the things that Rendell continually challenged was our human bias. I thought about her writing when I read a recent article in the May issue of the Harvard Business Journal (HBJ), entitled “Outsmart Your Own Biases”, authored by Jack B. Soll, Katherine L. Milkman and John W. Payne. I found the article to have some interesting insights for the Chief Compliance Officer (CCO) or compliance practitioner. While noting that using your instincts is something we all engage in and can use to our benefit, the authors believe that “It can be dangerous to rely too heavily on what experts call System 1 thinking – automatic judgments that stem from associations stored in memory – instead of logically working through information that’s available.”

The authors believe the problem is that “Cognitive biases muddy our decision making… and even when we try to use reason, our logic is often lazy or flawed.” They cite the cause of this problem to be that “Instead of exploring risks and uncertainties, we seek closure – it’s much easier. This narrows our thinking about what could happen in the future, what our goals are, and how we might achieve them.” Finally, as a solution they suggest, “By knowing which biases tend to trip us up and using certain tricks and tools to outsmart them, we can broaden our thinking and make better choices.”

The authors suggest that to “debias” your decisions, you must broaden your perspective on three fronts. These are (1) thinking about the future, rather then simply one objective; (2) thinking about objectives, rather than simply the circumstances in front of you; and (3) thinking about options, rather than thinking in isolation.

Thinking About the Future

This is more than simply hedging your bets. The authors believe that “Because most of us tend to be highly overconfident in our estimates, it’s important to “nudge” ourselves to allow for risk and uncertainty.” They suggest that you use the four following techniques. (1) Make three estimates. The author’s state, “To improve your accuracy, work up at least three estimates—low, medium, and high—instead of just stating a range. People give wider ranges when they think about their low and high estimates separately, and coming up with three numbers prompts you to do that.” (2) Think twice. They suggest that you should “make two forecasts and take the average” because they believe that “when people think more than once about a problem, they often come at it with a different perspective, adding valuable information. So tap your own inner crowd and allow time for reconsideration: Project an outcome, take a break (sleep on it if you can), and then come back and project another.” (3) Use premortems. I found this exercise very interesting. The authors explained, “In a premortem, you imagine a future failure and then explain the cause. This technique, also called prospective hindsight, helps you identify potential problems that ordinary foresight won’t bring to mind.” (4) Take an outside view. Here, “You need to complement this perspective with an outside view—one that considers what’s happened with similar ventures and what advice you’d give someone else if you weren’t involved in the endeavor.”

Thinking About Objectives

The authors believe that too often, “people unwittingly limit themselves by allowing only a subset of worthy goals to guide them, simply because they’re unaware of the full range of possibilities.” You should generate objectives and you can work to sort through them as you progress because by “Articulating, documenting, and organizing your goals helps you see those paths clearly so that you can choose the one that makes the most sense in light of probable outcomes.”

The authors suggest two steps will help to ensure that you are “reaching high – and far – enough with your objectives.” First is that you should seek the advice of others, however you should “Outline objectives on your own before seeking advice so that you don’t get “anchored” by what others say. And don’t anchor your advisers by leading with what you already believe… If you are making a decision jointly with others, have people list their goals independently and then combine the lists.” Second you should cycle through your objectives by tackling them one at a time because by “looking at objectives one by one rather than all at once helps people come up with more alternatives. Seeking a solution that checks off every single box is too difficult—it paralyzes the decision maker.”

Thinking About Options

Here the authors believe you should have a “critical mass of options to make sound decisions, you also need to find strong contenders—at least two but ideally three to five.” They note, “Unfortunately, people rarely consider more than one at a time. Managers tend to frame decisions as yes-or-no questions instead of generating alternatives.” The authors also believe that corporate groupthink tends to avoid a loss rather than reaching for a win. To overcome this, they suggest two techniques.

First you should perform a joint evaluation because evaluating options in isolation do not ensure the best outcomes. They write, “A proven way to snap into joint evaluation mode is to consider what you’ll be missing if you make a certain choice. That forces you to search for other possibilities… That simple shift to joint evaluation highlights what economists call the opportunity cost—what you give up when you pursue something else.” Second they propose you should use the “vanishing-option test” which requires you to “Assume you can’t choose any of the options you’re weighing and ask, “What else could I do?” This question will trigger an exploration of alternatives… That might prompt you to consider investing in another region instead, making improvements in your current location, or giving the online store a major upgrade. If more than one idea looked promising, you might split the difference.”

Why is all this important for the CCO or compliance practitioner? It is because we are presented with options that appear to be simply Go/No Go or even one-off decisions. A Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption program should require a variety of responses. Just as all risks are different, the management of risks can be handled differently. As a CCO or compliance practitioner you cannot be Dr. No living in the Land of No; you must be proactive to come up with solutions to help your business unit folks to no only do business in compliance with the relevant laws but to actually do business. Just as Ruth Rendell was able to weave an intricate story line into the traditional mystery format, you, as the CCO or compliance practitioner, should be able come up with solutions to the compliance issues that you face.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

« Previous PageNext Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 5,349 other followers