FCPA Compliance and Ethics Blog

May 22, 2013

What Are The Essential Elements of a Corporate Compliance Program?

Can you synthesize and reconcile the world’s leading laws, regulations and commentaries on the best practices for an anti-bribery and anti-corruption compliance program? I recently saw one such approach by Paul McNulty and Stephen Martin of the law firm Baker and McKenzie. They have developed what they term the five essential elements of a corporate compliance program. These five elements are based upon the best practices as set out in the seven elements of a corporate compliance program under the US Sentencing Guidelines; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; the FCPA Guidance’s Ten Hallmarks of Effective Compliance Program; and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. The five elements are:

  • Leadership
  • Risk Assessment
  • Standards and Controls
  • Training and Communication
  • Oversight

I. Leadership

The point means more than simply “Tone-at-the-top”; a successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by senior management. There should be an unambiguous, visible and active commitment to compliance. But even more than support or the right tone, compliance standards require that companies must have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. And compliance officers must have the ear of those ultimately responsible for corporate conduct, including the board of directors.

Some of the questions you might think about in connection with the leadership of your compliance program are the following: How is board oversight implemented? Is there an ethics or audit committee reporting to the full board? What is the role of the Chief Compliance Officer? What is the role of the General Counsel? How do the legal and compliance departments interact? Does the CCO have “real power”? Is she or he treated as a second-class citizen?

Equally the Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place and it should monitor implementation and effectiveness of the compliance program:

  • Be actively involved
  • Attend Board meetings
  • Review, consider and evaluate information provided
  • Inquire further when presented with questionable circumstances or potential issues
  • Once the Board knows of a potential compliance issue, it must act.
  • Regularly receive compliance briefings and training.

II. Risk Assessment

The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high risk areas first.

What are some of the areas where you need to assess your risks?

  1. Country Risk – What is the correlation between growth markets and corruption risk and what is the perceived level of corruption? In other words, the Transparency International Corruption Perceptions Index or similar list.
  2. Sector Risk – Has the government publicly stated that the industry is under scrutiny, or already conducted investigations in the sector? Are there corruption risks particular to the industry?
  3. Business Opportunity Risk – Is the business opportunity a high value project for your company? Are there multiple contractors or intermediaries involved in the bidding or contract execution phase?
  4. Business Partnership Risk – Does this business opportunity require a foreign government relationship? Does a foreign government require you to rely upon any third parties?
  5. Transaction Risk – Will your company be required to make any “compelled giving” through any requirements for political or charitable contributions? Are you required to use any intermediaries to obtain licenses and permits?

In addition to an initial risk assessment to either (1) inform your compliance program or (2) help you to identify high risks and prioritize their remediation, risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, ad hoc exercise cobbled together when convenient or after a crisis. They should be conducted at the same time every year and performed by a consistent group, such as your internal audit department or enterprise risk management team. Such annual risk assessments act as a strong preventive measure if they are performed before something goes wrong as it avoids a “wait and see” approach.

III. Standards and Controls

Generally, every company has three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

IV. Training

Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice’s (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.

There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company’s high-risk markets, then expand geographically and through the ranks of employees.

Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.

It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.

V. Oversight – including monitoring, auditing and responses

The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. These ongoing efforts demonstrate your company is serious about compliance.

Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem.

Finally, what are your remediation efforts? Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if a company is policing itself on compliance-related issues, the government will not have to do it for them. Remediation, then, is an important component of oversight. It is not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

I have found that the Baker ‘Five Essentials’ approach is an excellent way to think through your obligations under a wide variety of anti-corruption and anti-bribery requirements. It allows you to put in place a program which should meet virtually any legal requirements you may come up against by doing business anywhere in the world. Lastly, the five-step approach is an excellent way for you to benchmark your current compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

April 28, 2013

My FCPA and Bribery Act Musings Continue

This past week, my second book, “Best Practices Under the FCPA and Bribery Act”, was released. Over the past few years I have tried to provide the compliance practitioner with solid information that can be used to implement, review and enhance a US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act based compliance program. I am often asked to collect my blog postings regarding the current best practices for an anti-corruption/anti-bribery compliance program. In other words, what are the specifics of a compliance program? This volume will provide the compliance practitioner with information that can be used for the ‘nuts and bolts’ of compliance.

Using the format of the most recent US Department of Justice (DOJ) and Securities and Exchange Commission (SEC) “A Resource Guide to the U.S. Foreign Corrupt Practices Act” [the “FCPA Guidance”], I have included some of my thoughts on what you can do to create and maintain a best practices compliance program. I have also included some thoughts on how to create and maintain such a compliance program using the Six Principles of an Adequate Procedures compliance regime under the UK Bribery Act.

I was honored to have the FCPA Professor, Mike Koehler, pen the foreword and he said, in part, “In the current global marketplace, Foreign Corrupt Practices Act (“FCPA”) risk needs to be on the radar screen of most companies – large and small, public and private, and across industry sectors. Given the current enforcement theories of the Department of Justice and Securities and Exchange Commission, FCPA risk is not always apparent from reading the statute. There is no way for business organizations to truly eliminate FCPA risk, but such risk can be effectively managed and minimized through pro-active policies and procedures and other means of risk assessment.”

I hope that you can use this volume, in conjunction with the FCPA Guidance and the Ministry of Justice’s Six Principles of an Adequate Procedures compliance program, to implement or enhance your compliance regime. Both the FCPA Guidance and Six Principles make clear that there is no ‘one size fits all’ compliance program. The key is to assess your company’s risks and to manage those risks appropriately. This volume will help you to determine the type and scope of program that is appropriate for your company and will assist your compliance efforts going forward.

Best Practices Under the FCPA and Bribery Act is available exclusively on amazon.com.

April 10, 2013

Q: Do You Tell The Central Bank What To Do? A: ‘In Which Country’?

Last weekend in the Financial Times (FT) was a report by Tim Burgis of an interview he held over a lunch meeting with the Angolan Isabel dos Santos, who Forbes magazine recently declared “the continent’s first female billionaire.” Ms. dos Santos is the daughter of José Eduardo dos Santos, who has been Angola’s president for the past 33 years. The interview was a fascinating insight into how doing business in some countries under US or UK anti-corruption and anti-bribery laws can be so challenging.

Burgis quoted an unnamed expert who described Angola as a place of “crony capitalism” where those with connections to “the Futungo, as the presidential coterie is known (after Futungo de Belas, the old presidential palace) have made fortunes.” Ms. dos Santos denied that she is involved in politics, claiming that she is only interested in business. Interestingly, Burgis quoted her as stating “I’m not involved in politics and I’ve never had any political role. I’ve never been in office. I’ve never taken any public administrative jobs. So, like I said, I don’t work with the government.”

Some of her business interests “include stakes in two Portuguese banks, BIC and BPI, and a communications group called ZON Multimédia and an indirect holding in Galp, a Portuguese energy group with assets from Mozambique to Venezuela.” While admitting that the “oil industry is politically driven” she insisted that in the business sectors in which she is involved “politics don’t come into it”, she says, even if her own big moment came when she was part of a consortium that won a public tender for Angola’s second mobile telephony licence in the late 1990s.”

Burgis noted that there are believed to be many ways for the well connected to make lots of money in Angola. He wrote, “There are, however, easy ways to make money if you’re connected in Angola, particularly in the resources industries, where top officials and generals have been known to take hidden stakes in ventures led by oil majors and to enjoy titles to diamond-bearing land.” He also went on to note that these systems may be perpetuating the overall poverty in African countries such as Angola when he said that “There are those who would say that corrupt models lie at the heart of the power structures that keep most Africans poor and unable to call their rulers to account.”

He noted that Ms. dos Santos has recently become involved in the energy sector through her partnership with the Portuguese businessman, Américo Amorim and his company Amorim Enereria. Burgis wrote “I ask her to clarify how those energy interests tie in with Sonangol, the Angolan state-owned oil company with assets from Iraq to Brazil that some critics perceive as a Futungo fiefdom. She fends off my questions before fixing me with the look one might give a particularly vexing eight-year-old. “The business is relatively complex because, when you structure a business, you have to look at different aspects from legislation to taxation, to governance, issues like that.”

Near the end of their lunch Burgis asks the following question: do you “call up the governor of the central bank and tell him what to do? ‘In which country?’ she quips. We laugh merrily.” She went on to explain how she did have the reputation for extraordinary power. Burgis quoted her as saying, “Well, it’s very difficult, I would imagine, to distinguish father and daughter. And maybe some of it comes as I’m doing my thing and my father being a very strong political African figure for so many years. Whatever he does is almost like some kind of cloud on top,” she says, reaching for the right metaphor and waving a hand over her head, as though her father were some celestial phenomenon. “So maybe some of these ideas come from this cloud-over effect from his position. But, no, I don’t call the central bank and I most certainly don’t give them instructions.”

Even from the head feints, non-responsiveness and jocular tone of many of these answers, one can see just how challenging doing business in Angola can be for any company subject to the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. The first issue that would seem to pop up is just who you are doing business with and whether they are a Politically Exposed Person (PEP). Burgis specifically states “top officials and generals have been known to take hidden stakes in ventures led by oil majors”. Whether such interests are hidden or not, it is the responsibility of any US or UK company to perform the appropriate level of due diligence to ascertain whether they are doing business with such governmental officials. I have heard more than one Chief Compliance Officer (CCO) say that they had to pull the plug on a business proposition because they could not determine the beneficial owners of an entity with which they were considering doing business.

What about a country such as Angola, where people move freely between government and business? Once again, if your company is in a joint venture or other business relationship, and your local partner obtains a government appointment during the pendency of the business relationship, it is up to your company to find out that information. This requires ongoing monitoring through a company or software which alerts you when someone becomes a PEP.

This is where it is critical that compliance terms and conditions be put into a contract for any such business relationship. Initially, you should have contract protections in place which require any business partner who obtains a government appointment to notify you. This should also be included with a clause that allows the contract to be terminated if the appropriate anti-corruption/anti-bribery protections cannot be put in place if such an eventuality occurs.

Clearly there are no easy answers to the quandary of doing business in a country such as Angola. With many of the top government officials, energy company higher-ups and extractive mineral elite not only closely related to each other but moving seamlessly between all three groups, a company under the FCPA or Bribery Act must tread very carefully. Or to quote the signature line from Hill Street Blues, “Let’s be careful out there.”


September 9, 2012

The Five Essential Elements of a Corporate Compliance Program – Part II

Tuesday morning, at the University Club of Chicago, Stephen Martin and I will co-present at a Foreign Corrupt Practices Act (FCPA) event hosted by Kreller. If you are in or near Chicago, I hope that you can join us for this presentation. The title of our presentation is “Anti-Corruption/FCPA Developments & Best Practices” and we will focus on a concept that Stephen and his partners at the law firm of Baker & McKenzie have developed which are five essential elements of a corporate compliance program. In Part I, I discussed the background to the development of the five essential elements. In today’s installment, Part II, I will detail the remaining elements in the five elements of an essential compliance program.

III. Standards and Controls

Generally, every company has three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

IV. Training

Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice’s (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.

There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company’s high-risk markets, then expand geographically and through the ranks of employees.

Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.

It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.

Thirdly, you should tailor your training to each country. This means that employing a generic script for compliance training is a mistake. To be effective, training programs should be customized by region, country, industry, areas of compliance and types of employee. In addition to Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and OECD guidelines, focus on compliance risks in the country where the employees being trained are working. For example: In China, address the many corruption risks involved in dealing with state-owned entities.

V. Oversight – including monitoring, auditing and responses

The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. Two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

Finally, as was emphasized again with the recent Pfizer Deferred Prosecution Agreement (DPA), your company should establish protocols for internal investigations and disciplinary action. The Pfizer “Enhanced Compliance Obligations” included the following on investigative protocols: (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training; (b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures – including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently – in place to make sure every investigation is thorough and authentic.

Finally, and consistent with Maxim Three (What did you do about it?) of Paul McNulty, Stephen Martin’s partner at Baker & McKenzie, there are your remediation efforts. Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if companies are policing themselves on compliance-related issues, the government won’t have to do it for them. Remediation, then, is an important component of oversight. If your company’s sales force in Thailand is engaged in potentially improper activity due to a lack of adequate training, remediate the deficiency and schedule that training now. In the end, it’s not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

Stephen Martin and the Baker & McKenzie team have put together an excellent resource for the compliance practitioner in their five essential elements of a corporate compliance program. I hope that you can attend our FCPA event this week. For those of you who cannot attend in person, you can email me for the slide deck and other materials after the event.


© Thomas R. Fox, 2012

July 9, 2012

Jon Jordan Renews the Call for a Compliance Defense to the FCPA

Yesterday I witnessed true greatness. In the final at Wimbledon, Roger Federer won his record seventh singles title, equaling Pete Sampras and William Renshaw for this number of titles. He did this while beating Andy Murray, a Scot whom the entire United Kingdom had embraced as its own throughout the Tournament and especially in the finals. So congratulations Roger, you certainly wear it well.

We recently saw the entry of a new voice for the addition of a compliance defense as an amendment to the Foreign Corrupt Practices Act (FCPA). This voice was Jon Jordan, Senior Investigations Counsel with the US Securities and Exchange Commission’s (SEC) FCPA Unit, a national unit within the SEC specializing exclusively in FCPA and foreign bribery matters. Jon’s ideas appeared in a law review article, entitled “The Adequate Procedures Defense Under the UK Bribery Act: A British Idea for the Foreign Corrupt Practices Act”, found in the Volume 17, No. 1, Fall 2011 edition of the Stanford Journal of Law, Business & Finance.

Jon had previously published two other law review commentaries on the FCPA, one on facilitation payments, found in the University Of Pennsylvania Journal of Business Law, and a second on trends towards greater accountability in the international fight against bribery under the FCPA and UK Bribery Act, published in the New York University Journal of Law and Business. I reviewed his article on facilitation payments in a prior post, entitled “The End is Nigh for Facilitation Payments – Get Ahead of the Breeze”. Although Jordan works for the SEC, the Commission has disclaimed any and all responsibility for the statements made in the articles by Jordan. The views expressed in Jordan’s articles are those of himself and do not necessarily reflect the views of the SEC, the SEC’s FCPA Unit, or any of his other colleagues on the staff of the SEC.

Jordan’s thesis is that the US should adopt a compliance procedures defense similar to the Adequate Procedures defense available to UK entities under the UK Bribery Act. He argues that such a defense would be good policy because it would protect companies that are seeking to do the right thing by instituting a minimum best practices compliance program from the ravages of a rogue employee who violates the FCPA. Such a compliance program should consist of minimum best practices, which Jordan articulates but which can be specified by “relevant government authorities, including the United States Department of Justice (DOJ).”

Prior to articulating his thoughts on what should constitute a compliance program which would be acceptable to the DOJ, Jordan sets out three requirements for such a defense to be considered. First is that a company must establish that it had an adequate compliance procedures program in place during the time of the violative conduct. Second is that a company must establish that it has satisfactorily implemented an adequate compliance procedures program because, as Jordan correctly notes, “adequate compliance procedures are useless without proper implementation.” Jordan suggests that this could be done in a couple of different ways: through a senior officer’s certification or through documenting (document, document and document) the implementation and execution of the company’s compliance program. The third and final prong is that the company did not know and should not have known about the violative conduct at issue. This would mean that there was no corporate knowledge of the relevant conduct “rising to the headquarters or senior management level” nor were there any “red flags or other warning signs that should have alerted them to the wrongful conduct.”

Jordan lists the components of what he believes are the minimum requirements of an adequate compliance program. He includes 11 elements in his plan. They will not be new or unusual for the compliance practitioner as he has drawn them from FCPA enforcement actions, DOJ Opinion Releases and the UK Ministry of Justice’s Six Principles of Adequate Procedures. They are as follows.

  1. A clearly articulated policy against the violations of the FCPA and other relevant non-US anti-bribery and anti-corruption laws.
  2. The compliance procedures should apply to all officers, directors, employees and outside parties acting on behalf of the company.
  3. Senior corporate officials should be assigned for the implementation and oversight of the compliance program.
  4. The compliance program must be effectively communicated to all officers, directors, employees and outside parties acting on behalf of the company.
  5. There should be a system in place so that all officers, directors, employees and outside parties acting on behalf of the company can report violations of anti-corruption laws without fear of retribution.
  6. There should be appropriate disciplinary procedures in place to address violations of anti-corruption laws.
  7. There should be appropriate due diligence and oversight of all agents, business partners, third parties and any other outside parties acting on behalf of the company.
  8. There should be appropriate compliance terms and conditions in all contracts with agents, business partners, third parties and any other outside parties acting on behalf of the company, including a certification of compliance with anti-corruption laws.
  9. The compliance procedures should be developed on the basis of a risk assessment.
  10. There should be periodic testing and review of the company’s compliance procedures.
  11. There should be financial and accounting procedures, including internal controls, designed to ensure maintenance of accurate books and records.

I found Jordan’s article very interesting and certainly a welcome new addition to the debate regarding amending the FCPA to add a compliance defense. It is also very interesting that the SEC would allow an employee, even acting on his own, to publish such a paper, given the DOJ’s vehemence in resisting this change. So kudos to Jon Jordan and a big congratulations shout out to Roger Federer.


May 3, 2012

Henry V and Principle V of the Six Principles of Adequate Procedures: Communication

Henry V is a truly inspiring play. Whether one sees it on the stage or on the big screen with the 1944 Olivier or 1989 Branagh version, one cannot help but draw inspiration about the story of the former Prince Hal, from Henry IV, who becomes a regal monarch and leads the English army to a defeat of the French at the Battle of Agincourt. One of the things that Henry V does extraordinarily well is communicate; about his goals and rousing his subjects to help achieve them. Today we use the prism of Henry V to look at Principle V of the Six Principles of Adequate Procedures; that being “Communication (including training)”.

I. Commentary

The Guidance for the Six Principles of an Adequate Procedures anti-bribery program states in Principle V that “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.” The Guidance recognizes that communication and training deter bribery by companies, their employees and those persons associated with them, by enhancing awareness and understanding of anti-corruption policies and procedures and the company’s commitment to their proper application. It therefore follows that making information available on legal requirements and obligations, and on policies and procedures for implementing them, assists in more effective monitoring, evaluation and review of bribery prevention procedures. Anti-bribery training should provide, to company employees and those persons and entities associated with the company, the knowledge and skills needed to implement and utilize the anti-bribery procedures and handle in a satisfactory manner any bribery related problems or issues that may arise.

II. Communication

The Guidance begins by recognizing that the content, language and tone of communications for internal consumption may vary from external use in response to the different relationship the audience has with the company. Further, the nature of communication will vary enormously between businesses in accordance with the different bribery risks faced, the size of the business and the scale and nature of its activities.

a.   Internal Communications

It all starts with ‘tone from the top’ but communications within a business need to also focus on the implementation of the company’s anti-bribery policies and procedures. The Guidance lists several areas which it believes such communication should provide instruction upon. These include company policies on “decision making, financial control, hospitality and promotional expenditure, facilitation payments, training, charitable and political donations, penalties for breach of rules and the articulation of management roles at different levels.” Another critical aspect of internal communications is the establishment of an ethics helpline. Such a helpline should be secure, confidential and accessible for both employees and those outside the company to elevate concerns about bribery on the part of associated persons, to provide suggestions for improvement of bribery prevention procedures and controls and for requesting advice. The Guidance calls such a tool a “Speak-Up Line” but whatever name it is given, it is clear that those both inside and outside a company need to be furnished with a secure, confidential and safe manner to report ethical concerns to an appropriate level of management.

b.   External Communications

Just as risk assessment and due diligence on third parties form a critical component of an Adequate Procedures based anti-bribery corruption program, the Guidance also speaks to the need for external communication of bribery prevention policies through a statement or Code of Conduct, which should act as a deterrent to those intending to bribe on a business’s behalf. The Guidance relates that external communications can include information on bribery prevention procedures and controls, sanctions, results of internal surveys, rules governing recruitment, procurement and tendering. The Guidance also recognizes that businesses may consider it proportionate and appropriate to communicate their anti-bribery policies and commitment to a wider audience, such as other companies in their sector, trade association members and organizations that would fall outside the scope of the range of their associated persons, or to the general public.

III. Training

Restating again the number one key to an Adequate Procedures anti-bribery compliance program, a company should develop its training protocol based upon a risk assessment. The Guidance recognizes that all employees should receive some training which is likely to be effective in firmly establishing an anti-bribery culture whatever the level of risk. This general level of training can be centered on raising employee awareness about the threats posed by bribery in general and in the industry in which the company operates in particular, and the various ways it is being addressed.

There should be mandatory, general training for new employees or for agents (on a weighted risk basis) as part of the employee indoctrination process, but it should also be tailored to the specific risks associated with specific posts. The Guidance indicates that a company should tailor its training to the special needs of those involved in any procedures and higher risk functions such as purchasing, contracting, distribution, marketing, and those working in high risk countries. It is important to note that for training to be effective it should be continuous, regularly monitored and evaluated.

The Guidance also suggests that associated persons undergo training. This will be particularly relevant for high risk associated persons. The better practice is to require such anti-bribery training as a part of compliance contractual terms and conditions and then provide such training to the highest risk third party representatives. But the Guidance does recognize that a company may wish to encourage associated persons to adopt bribery prevention training. If this is done, the training should be evaluated and appropriate records of business partner training should be submitted to the company on no less than an annual basis.

The Guidance also recognizes that there are various media which can be used to deliver training. It lists some of the different training formats which are available in addition to the traditional classroom or seminar formats, such as e-learning and other web-based tools. However, a company should not lose sight of a risk based approach, so that those employees or third parties deemed the highest risk need to receive the most intensive training. Finally, whatever the format of the anti-bribery training, it should seek to achieve its objective of ensuring that those participating in it develop a firm understanding of what the relevant policies and procedures mean in practice for them.

So how can you channel Henry V to help your compliance program? Perhaps you could begin by re-reading the play or some of its most inspiring scenes or even watching them on YouTube. You can start with the St. Crispin’s Day Speech, ride once more into the breach, or even the Prologue to learn about communication.


April 27, 2012

Turning Compliance Beliefs Into Action-Impacting Tone at the Bottom

Tone at the Top has become almost a by-word in the compliance world these days. It is specifically mentioned in the US Department of Justice’s (DOJ) 13-point minimum best practices compliance program as well as the UK Ministry of Justice’s (MOJ) Six Principles of Adequate Procedures. How does a compliance practitioner tap into the ethical beliefs of a company’s employee base? However, a company’s ‘tone’ is much more than simply that at the top of the organization. There is tone at both the middle and bottom. One of the greatest challenges of a compliance practitioner is how to affect the ‘tone at the bottom’. In a recent article in the Spring 2012 Issue of the MIT Sloan Management Review, entitled “Uncommon Sense: How to Turn Distinctive Beliefs Into Action”, authors Jules Goddard, Julian Birkinshaw and Tony Eccles looked at this issue when they explored the “often overlooked, critical source of differentiation is [a] company’s beliefs.”

One of the questions that the authors answer is: how to tap into this belief system? They posit a structured manner to obtain this information. By using these techniques, they believe that companies can rethink their “basic assumption and beliefs” and identify new directions for their organization. The authors listed seven approaches that they have used which I believe that the compliance practitioner can use not only to determine ‘Tone at the Bottom’ but to impact that tone. They are as follows:

  1. Assemble a group. You need to assemble a group of employees who are familiar with the challenges of doing business in a compliant manner in certain geographic regions. Include both long-time employees and those who are relatively new to the organization. The authors also suggest that if you have any employees who have worked for competitors or for other organizations in your industry you include them as well.
  2. Ask questions. You should ask the members of this group to articulate their basic assumptions about your compliance model, about the management model, about your company’s business model and the future of the industry in general. Ask them to do this individually and not as a group.
  3. Categorize the responses. Now comes the work by the compliance practitioner or compliance team. These assumptions will usually fall into two groups. The first is assumptions that everyone agrees upon – the common beliefs. The second is those assumptions that only a few of the participants will identify – this is what the authors call the “uncommon beliefs”.
  4. Develop tests for common beliefs. For those beliefs that are labeled common, you should consider how you know these to be true. The authors caution that simply because the group may believe that the company operates a common industry or that we “do it because it has always been done this way”, this is not necessarily a “hard fact.” Consider what test you could perform to verify the common belief that you desire to test. The authors note that the purpose here is to “identify the ‘common nonsense’ beliefs that everyone holds that are not actually hard laws of nature.”
  5. Develop tests for uncommon beliefs. Here the authors suggest that you need to consider why some people think that these beliefs are true. What is the information or experience that they have drawn upon? Is there any way for you to test these uncommon beliefs?
  6. Reassemble the original group. You should reassemble the original group and have them consider the beliefs that were articulated by them individually in the context of your compliance model and how both your company and your industry do business. Lead a discussion that attempts to identify any assumptions or beliefs that “are quite possibly wrong, but worth experimenting with anyway.”
  7. List of Experiments to perform. The authors believe that the outcome of the first six steps will be “a list of possible experiments [tests] to conduct” to determine the validity of the common and uncommon beliefs. These tests can be accomplished in the regular course of business, through a special project with a special team and separate budget. You should agree on the testing process and review your testing assumptions throughout the process. This process can and should take some time so do not set yourself such a tight time frame that it cannot be fully matured.

I find this list to be a very interesting way for a compliance practitioner to get at ‘tone at the bottom’. By engaging employees at the level suggested by the authors I believe you can find out not only what the employees think about the company compliance program but use their collective experience to help design a better and more effective compliance program. It is my belief that employees want to do business in an ethical manner. Giving them the chance to engage in business the right way, as opposed to cheating, will win the hearts and minds of your employees almost all of the time. By using the protocol suggested by the authors you can not only find out the effect of your company’s compliance program on the employees at the bottom but you can affect it as well.


April 24, 2012

Henry IV and Adequate Procedures

As a father, I have come to appreciate Shakespeare’s Henry IV more and more; particularly more than I did when I was only a son. Part of the play deals with how Henry IV got his crown, by deposing Richard II and the battles he had to fight to keep it. But a large part of the play deals with his riotous son, Hal, drinking and philandering with Falstaff before he grew into the great monarch Henry V. With that in mind, we continue our exploration of the Six Principles of an Adequate Procedures compliance defense with a look at Principle IV – Due Diligence.

I. Commentary

Principle IV of the Six Principles of an Adequate Procedures compliance program states, “The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.” The purpose of Principle IV is to encourage businesses to put in place due diligence procedures that adequately inform the application of proportionate measures designed to prevent persons associated with a company, whether on the sales and distribution side or in the supply chain, from bribing on their behalf. The Guidance recognizes that Due Diligence procedures act both as a procedure for anti-bribery risk assessment and as a risk mitigation technique. The Guidance believes that Due Diligence is so important that “the role of due diligence in bribery risk mitigation justifies its inclusion here as a Principle in its own right.”

II. Who is an Associated Person?

Who is an Associated Person? The Guidance intones that a company is liable if a person ‘associated’ with it bribes another person intending to obtain, retain or gain an advantage for the business. The definition is quite broad and is applicable to basically anyone who ‘performs services’ for or on behalf of the business. This can be an individual, an incorporated entity or unincorporated body. The capacity in which the services are provided is not dispositive, so employees, agents and subsidiaries are included. This also means that where a supplier can properly be said to be performing services for a company rather than simply acting as the seller of goods, it may also be an ‘associated’ person. Taken further, if a supply chain involves several entities, or a project is to be performed by a prime contractor with a series of sub-contractors, a business is likely to only exercise control over its relationship with its contractual counterpart and this means a company could have responsibility for those acting on its behalf in a wide range of arenas, with a wide range of titles. This could include all of the following: agent, sales agent, reseller, distributor, partner, joint ventures, consortium partner, contractor, subcontractor, vendor, supplier, affiliate, subsidiary or any other similar moniker.

III. Joint Ventures

As for joint ventures (JV), these come in many different forms, sometimes operating through a separate legal entity, but at other times through contractual arrangements. In the case of a JV operating through a separate legal entity, a bribe paid by the JV may lead to liability for a member of the JV if the JV is performing services for the member and the bribe is paid with the intention of benefiting that member. However, the existence of a JV entity will not of itself mean that it is ‘associated’ with any of its members. A bribe paid on behalf of the JV entity by one of its employees or agents will therefore not trigger liability for members of the JV simply by virtue of them benefiting indirectly from the bribe through their investment in or ownership of the JV.

The situation will be different where the JV is conducted through a contractual arrangement. The degree of control that a participant has over that arrangement is likely to be one of the ‘relevant circumstances’ that would be taken into account in deciding whether a person who paid a bribe in the conduct of the JV business was ‘performing services for or on behalf of’ a participant in that arrangement. It may be, for example, that an employee of such a participant who has paid a bribe in order to benefit his employer is not to be regarded as a person ‘associated’ with all the other participants in the JV. Ordinarily, the employee of a participant will be presumed to be a person performing services for and on behalf of his employer. Likewise, an agent engaged by a participant in a contractual JV is likely to be regarded as a person associated with that participant in the absence of evidence that the agent is acting on behalf of the contractual JV as a whole.

IV. Procedures

Maintaining a consistent theme throughout this Guidance on the Six Principles of an Adequate Procedures anti-bribery program, it is incumbent that a company’s Due Diligence procedures should be proportionate to the identified risk. Due diligence should be conducted using a risk-based approach. For example, in lower risk situations, companies may decide that there is no need to conduct much in the way of due diligence. In higher risk situations, due diligence may include conducting direct interrogative enquiries, indirect investigations, or general research on proposed associated persons.

However, the appropriate level of Due Diligence to prevent bribery will vary enormously depending on the risks arising from the particular relationship. So, for example, the appropriate level of due diligence required by a company when contracting for the performance of Information Technology (IT) services may be low, to reflect low risks of bribery on its behalf. Conversely, a business entering into the international energy market and selecting an intermediary to assist in establishing a business in such markets will typically require a much higher level of due diligence to mitigate the risks of bribery on its behalf.

One company I know, The Risk Advisory Group, has put together a handy chart of its Level One, Two and Three approaches to integrity and due diligence. I have found it useful in explaining the different scopes and focuses of the various levels of due diligence.

Level One

Issues Addressed:
  • That the company exists
  • Identities of directors and shareholders
  • Whether such persons are on regulators’ watch lists
  • Signs that such persons are government officials
  • Obvious signs of financial difficulty
  • Signs of involvement in litigation
  • Media reports linking the company to corruption

Scope of Investigation:
  • Company Registration and Status
  • Registration Address
  • Regulators’ watch lists
  • Credit Checks
  • Bankruptcy/liquidation proceedings
  • Review Accounts and Auditors comments
  • Litigation Search
  • Negative Media Search

Level Two

Issues Addressed: As above with the following additions:
  • Public Profile integrity checks
  • Signs of official investigations and/or sanctions from regulatory authorities
  • Other anti-corruption Red Flags

Scope of Investigation: As above with the following additions:
  • Review and summary of all media and internet references
  • Review and summary of relevant corporate records and litigation filings, including local archives
  • Analysis and cross-referencing of all findings

Level Three

Issues Addressed: As above with the following additions:
  • But seeking fuller answers to any questions raised by drawing on a wider range of intelligence sources and/or addressing specific issues of potential concern already identified

Scope of Investigation: As above with the following additions:
  • Enquiries via local sources
  • Enquiries via industry experts
  • Enquiries via western agencies such as embassies or trade promotion bodies
  • Enquiries via sources close to local regulatory agencies

The Guidance suggests that more information is likely to be required from companies than from individuals because on a basic level more individuals are likely to be involved in the performance of services by a company and the exact nature of the roles of such individuals or other connected bodies may not be immediately obvious. Therefore a business seeking to retain another company as a business partner should engage in greater Due Diligence such as through direct requests for details on the background, expertise and business experience, of relevant individuals. Continued monitoring is also suggested, rather than simply annually or bi-annually.

So what’s the message from Henry IV? It is to soldier on, keep the faith that your son will eventually grow up and keep your head about you. Principle IV of Adequate Procedures would seem to call for the same patient work. You should identify those parties that you need to investigate from an anti-bribery perspective, risk rank them and then perform the appropriate level of due diligence. If you need help determining what the appropriate level of due diligence is, you can always give the folks at The Risk Advisory Group a call.

———————————————————————————————————————————————————————

Ed. Note – an earlier version of this post incorrectly identified its source of the chart as The Control Risk Group. The chart was provided to the author by The Risk Advisory, who consented to its inclusion in this blog post.

——————————————————————————————————————————————————————–


April 17, 2012

Bonnie Prince Charlie, Charlie Chaplin and Proportionate Procedures

Continuing our UK theme this week, we note a birthday anniversary and the anniversary of an event involving two quite different Charlies. The first is the anniversary of the Battle of Culloden, where in 1746 the English forces, led by the Duke of Cumberland, defeated the Scottish Jacobites, who supported the last serious Stuart Pretender to the English throne, Bonnie Prince Charlie. This battle not only cemented the House of Hanover’s seat on the English throne but also led to the decimation of the Scottish Highland Clans. In a very different anniversary celebration, we also note the birthday of Charlie Chaplin, born in 1889. Yes, the Little Tramp was a Brit.

Whilst flying over to the UK I caught up on some reading, including the Saturday Wall Street Journal (WSJ). In an article entitled “Why Airport Security is Broken-And How to Fix It”, Kip Hawley, the former head of the US Transportation Security Administration (TSA), provides his prescription on how to fix what he calls “the national embarrassment that our airport security remains”. Pretty strong language by someone who has been “to the top of the mountain.” While I find the security checks we all now go through only mildly inconveniencing, Hawley writes that the US airport security remains “hopelessly bureaucratic and disconnected from the people whom it is meant to protect.”

Hawley believes that the TSA has an incorrect approach to proportionality of the risk faced. He says that by attempting to eliminate all risk, the system is not only a “nightmare for U.S. and visitors from overseas” but that this system is “brittle where it needs to be supple.” In the aftermath of the 9-11 attacks the system was designed so every passenger could avoid harm while traveling. Hawley believes that some of the risk factors which led to the 9-11 attacks have been remedied, such as box cutters or small knives that could breach a cockpit door, and that there are now more Federal Air Marshals traveling on flights and greater passenger awareness and willingness to respond to such an emergency. He believes that the risk which is now paramount to manage is that of a catastrophic attack. In short, the risks have changed but the TSA has not changed to manage new or other risks.

Hawley lays out five changes which he believes would go a long way towards allowing the TSA to properly manage this risk of catastrophic attack:

  1. No more banned items. By listing every banned item, you make each X-Ray scan an “Easter-egg hunt” and provide terrorists with the list of items the TSA will look for.
  2. Allow all liquids. Hawley believes that “simple checkpoint signage, a small software update and some traffic management are all that are standing between you and bringing all your liquids on a plane. Really.”
  3. Give TSA officers more flexibility and rewards for initiative and hold them accountable. There must be more independence for TSA officers ‘on the ground.’ Currently, if you show independence as a TSA officer, you are more likely to be disciplined than rewarded.
  4. Eliminate baggage fees. The airlines’ bag fees cause more passengers to bring bags on planes, which requires more security, increases costs and slows down the process, which in turn requires airlines to charge more for tickets because there are more delays.
  5. Randomize security. If terrorists know what to expect at airport security, they have a greater chance to evade the system. Hawley’s answer is to randomize more security checks while not subjecting every passenger to the current full security complement.

I have set out Hawley’s thoughts in some detail because they point to how the UK Ministry of Justice (MOJ) suggests that a company should begin its anti-bribery/anti-corruption compliance program. In discussing what constitutes the Six Principles of an Adequate Procedures compliance program, under Principle 1, entitled Proportionate Procedures, the MOJ Guidance states, “A commercial organisation’s procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities.” In other words, adequate anti-bribery prevention procedures should be proportionate to the bribery risks that a company faces. It all begins with a risk assessment, but the Guidance recognizes that “To a certain extent the level of risk will be linked to the size of the organisation and the nature and complexity of its business.” However, company size is not to be the only determining factor, as smaller entities may certainly face quite significant risks and, therefore, need more extensive procedures than their counterparts facing limited risks. The Guidance does recognize that the majority of small organizations are unlikely to need procedures that are as extensive as those of a large multi-national organization.

The level of risk that a business may face will also vary with the type and nature of the persons with which it has third party relationships. A company that properly assesses it has no risk of bribery on the part of one of its third party relationships will accordingly require nothing in the way of procedures to prevent bribery in the context of that relationship. By the same token, the bribery risks associated with reliance on a third party agent representing a company in negotiations with foreign public officials may be assessed as significant and accordingly require much more in the way of procedures to mitigate those risks. This means that companies will be required to select procedures to cover a broad range of risks but any consideration by a “court in an individual case of the adequacy of procedures is likely necessarily to focus on those procedures designed to prevent bribery on the part of the associated person committing the offence in question.”

Near the end of this section, the Guidance states, “the procedures should seek to ensure there is a practical and realistic means of achieving the organisation’s stated anti-bribery policy objectives across all of the organisation’s functions.” This sounds quite similar to Hawley’s plea that the TSA needs to change its risk management away from protecting every passenger from harm while traveling to preventing a catastrophic attack. But perhaps this final point from the Guidance points to why the TSA cannot or will not make this change in risk management. They have not received firm guidance from the Executive Branch or from the US Congress on what their primary mission is, and hence the primary risk the TSA must manage. In other words, if top management does not support the Compliance Department or forces it to focus on the wrong risks, a Compliance Department may well miss the mark and cause its clients, the business unit personnel, to become fed up and just as irritated with the Compliance Department as Hawley believes the traveling public is with the TSA. In other words, tone at the top does matter. Not only must senior management support the compliance function but it should support it with the appropriate financial resources and tools to manage the correct risks.


April 5, 2012

OCEG on Third Party Anti-Corruption Due Diligence

My grandfather was a comic book collector. He collected all kinds and types of comics, from super-heroes to the Archie series. One of the series that he collected that I still think about from time to time was Classics Illustrated. Classics Illustrated was a comic book series featuring adaptations of literary classics which began publication in 1941 and finished its first run in 1971, producing 169 issues. I won’t divulge how many classic novels I read in such fashion as a youngster, but I will say that that group is the only set of magazines and comics that I collected in the 60s of which I still have a complete set.

There is another illustrated series which may be of more use to the modern day compliance practitioner, which can be found in Compliance Week Magazine. In the February 2012 edition, OCEG President Carole Switzer continues her series on an illustrated six-part anti-corruption program. In this issue she focuses on third party due diligence. She begins by noting that one of the surest ways to develop and strengthen your anti-corruption compliance program, whether based upon the US Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act, is to discover “what you do not understand about the third-parties who help you to do business abroad.” She explains that if your company does not “expand its knowledge of activities of your business partners,” the Department of Justice (DOJ) or UK Serious Fraud Office (SFO) may well do so for you in an enforcement action. Switzer provides a six-step process with a nifty diagram attached to the article.

1. Define

To begin, you should define your objectives and then design your process. This should include all forms that you will use, including questionnaires, background checks, references and certifications. You should also delineate your process to review and clear any Red Flags which may arise in the process.

2. Collect Initial Data

This step should begin with a country review to make an initial determination of risk of corruption. You can use the Transparency International (TI) Corruption Perceptions Index (CPI) or a similar resource. Determine how you can make real-time checks, whether through a third-party software provider such as World Compliance or another mechanism for initial due diligence. You will also need to collect data directly from the proposed third party business partner in the form of a questionnaire or other document. There should also be an initial discussion of the “nature, scope and intended relationship” with the third party.

3. Assess

Under this step, Switzer believes that you should initially set up risk categories for your third parties of high, moderate and low. Based upon which risk category the third party falls into, you can design specific due diligence. She defined low risk screening as “trusted data source search and risk screening such as the aforementioned World Compliance”; moderate risk screening as “enhanced evaluation to include in-country public records…and research into corporate relationships”; and high risk screening as basically a “deep dive assessment” where there is an audit/review of third party controls and financial records, in-country interviews and investigations “leveraging local data sources.”

4. Approve/Deny/Approve with Condition

Under this step you should establish business rules and process triggers to “facilitate control and monitoring throughout the life of each contract.” As the risk level increases you should apply more stringent controls on the third party. This would also include more intense monitoring of the relationship on an ongoing basis.

5. Train/Control

Your company should establish anti-corruption training for each risk level of third party with which you do business. You should administer the training, whether live, computer based or webinar, for different third party audiences “taking cultural issues into consideration and addressing role-specific needs.” You should assess and certify the results of your training or certify third party awareness through its own training program. Lastly, the “control” portion of this step relates to compliance terms and conditions, which should be included in any written agreement with your third party.

6. Monitor/Review

Switzer ends her six-point program by noting that you should “establish monitoring and re-approval requirements for each risk level.” There should be continued contact and monitoring by a combination of the business unit sponsor and trusted outside professionals. There should be mandatory re-approval at fixed points as well as an action plan to address any red flags which might arise during the relationship.

I find the OCEG Anti-Corruption Illustrated series to be a very useful tool to help visualize the compliance process. While not in the same league as Classics Illustrated, it certainly is a useful tool for the compliance practitioner. I would urge you to visit the OCEG website for their series and many other useful tools.
