FCPA Compliance and Ethics Blog

March 14, 2012

The Story of Ajax: Fairness in Rewarding Employee Behaviors

How does your company deal with the question of fairness in its compliance program? I thought about that question while reading an article in the New York Times (NYT), entitled “That Eternal Question of Fairness”, by Nancy Koehn. In her article, Koehn discussed the book “The Ajax Dilemma: Justice, Fairness and Rewards” written by Paul Woodruff which considers how a company might distribute rewards to its employees “without damaging the larger community.” I have written about the Fair Process Doctrine which generally is recognized as allowing employees to accept a negative result if they think that the process through which the result was determined was fair and not arbitrary and capricious. In the Department of Justice’s (DOJ) 13 point minimum best practices compliance program, Item 10 states:

10. Discipline. A Company should have appropriate disciplinary procedures to address, among other things, violations of the anti-corruption laws and the Company’s anti-corruption compliance code, policies, and procedures by the Company’s directors, officers, and employees. A Company should implement procedures to ensure that where misconduct is discovered, reasonable steps are taken to remedy the harm resulting from such misconduct, and to ensure that appropriate steps are taken to prevent further similar misconduct, including assessing the internal controls, ethics, and compliance program and making modifications necessary to ensure the program is effective.

However, I believe that the DOJ best practices require more than the ‘stick’ of employee discipline to make a compliance program effective; I believe they also require a ‘carrot’. This requirement is codified in the US Sentencing Guidelines with the following language: “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

I have advocated that the Compliance Department work with Human Resources (HR) to ensure that rewards are handed out to those employees who integrate such ethical and compliant behavior into their individual work practices going forward. One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in evaluating employees for those bonuses. This is an equally important role in conveying the company message of adherence to a Foreign Corrupt Practices Act (FCPA) compliance and ethics policy.

Ajax relates to all of these fairness issues through his story from the Iliad. He was one of two Greek warriors who were in line to receive the armor of the mighty Achilles after Achilles was slain by the Trojan Prince Hector. Achilles’ armor was to be awarded by the Greek King Agamemnon to “the Army’s most valuable soldier.” Ajax and Odysseus competed for the prize via a speech made before the King. The book’s author uses this speech competition and Agamemnon’s subsequent award of Achilles’ armor to Odysseus to explore the issues of rewards, which he says “mark the difference between winners and losers.” Paraphrasing several questions that Koehn asked about communities: Which does your company value more, cleverness or hard work? Strength or intelligence? Loyalty or inventiveness?

These questions can play out in a company in a variety of ways. Does your company identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence? If a company has an employee who meets, or exceeds, all his sales targets, but does so in a manner which is opposite to the company’s stated business ethics values, other employees will watch and see how that employee is treated. Is that employee rewarded with a large bonus? Is that employee promoted, or are the employee’s violations of the company’s compliance and ethics policies swept under the carpet? If the employee is rewarded, both monetarily and through promotions, or is in any way not sanctioned for unethical or non-compliant behavior, it will be noticed and other employees will act accordingly. I think one of the requirements under the Sentencing Guidelines is to ensure consistent application of company values throughout the organization, including to those identified as ‘rising stars’.

In her book review, Koehn states that she believes the Ajax example still has relevance today. Most employees are like Ajax, loyally doing the important day-to-day work. If doing business in a manner antithetical to a company’s stated culture of ethics and compliance is seen to be rewarded, then those loyal, hard-working employees may well stop working in a compliant manner. The end for Ajax was not good: after the King’s award of Achilles’ armor to Odysseus, his anger exploded and he lost his life, his family and his reputation, which remains tarnished down to this day. From this lesson we draw the conclusion that rewards must be distributed in a way that ensures a company’s health. This, the author believes, is why the “story of Ajax is sure to resonate with many” even today.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

March 13, 2012

Barbara Tuchman and Compliance Programs

One of my favorite historians is Barbara Tuchman. One of the first large volumes of history I read growing up was “The Guns of August”, her Pulitzer Prize-winning book about the outbreak of World War I. The Library of America has recently released two of Tuchman’s works, the aforementioned “The Guns of August” and “The Proud Tower”, which details the pre-World War I era, together with the personalities and events which led to the ‘war to end all wars’.

This love of history, coupled with my interest in ethics and compliance, was piqued by an article in the Saturday edition of the Wall Street Journal (WSJ), entitled “A Heroine of Popular History”, by Bruce Cole. The article discussed the work of Tuchman as a popular historian and contrasted the books she wrote with those written by historians with a more academic focus. He quoted the historian Catherine Drinker Bowen, who had the following question over her desk: “Will the reader turn the page?” I thought this question had particular relevance in the arena of compliance programs, as compliance professionals continually try to get the message of compliance throughout a corporation. So here is some of the wisdom of writing history that Tuchman advocated and how it might help the compliance professional convey the essence of doing business in compliance across a corporation.

Get out in the Field

Tuchman stressed the importance of using primary sources and visiting the sites where ‘history was made’. She said that it was necessary to keep a historian from “soaring off the ground”. From this advice, I believe that the compliance professional needs to get out of the home office, wherever that is, and visit international locations. This is the best way to find out what is going on in the field. This ties to the second point of using primary sources. In the compliance arena, your primary sources are the employees in your own organization. Cole quoted Tuchman that you “arrive at a theory by way of the evidence, not the other way around”. This advice sounds like the guidance from the Department of Justice (DOJ) that your risk assessment should inform your compliance program, not the reverse.

Study Your Company Culture

In the field of history, Tuchman did not view nations or individuals as “helplessly swept along by forces of history beyond their control.” She viewed history as driven by human “foibles, flaws and occasional heroism, rather than by abstract systems.” This means that a compliance professional needs to understand how the cultures in your organization work and then create a compliance program to fit those needs. It does not mean a company can continue to do business with corrupt intent but if there is a culture of gift giving in a geographic area, you should determine a way to continue such courtesies, within the context of your overall compliance regime.

Write Your Policies for Everyone

This is probably Tuchman’s greatest lesson, for both the historian and the compliance practitioner. Tuchman never received a post-graduate degree in history, so she never learned to write like a professional historian, beginning with a “footnote-laden dissertation written strictly to be read by other scholars.” Tuchman wrote for a wider, popular reading audience. The same can be said for written compliance policies. In academia, a professor’s progress is measured by the judgment of his or her scholarship by peers. Unfortunately, those peers are steeped in the same academic training and therefore judge scholarship on the same criteria as that used to judge dissertations. Tuchman believed that by not pursuing a PhD in history, she was a better writer. She was quoted in the Cole article as having said, “It’s what saved me, I think. If I had taken a doctoral degree it would have stifled my writing capacity.”

Many times compliance policies are written by lawyers and can only be read and interpreted by other lawyers. It is really not our fault, as we were all trained in law school to “think and write like a lawyer”, but out there in the real world such language does not always work for the intended audience. This point is even memorialized in the UK Ministry of Justice’s Six Principles for Adequate Procedures, which reminds compliance practitioners that anti-bribery compliance policies should be written in “plain English.” While many lawyers, particularly outside counsel who have never practiced as in-house counsel, write like lawyers for other lawyers to read, such a writing style does not work for most business people. Therefore in-house counsel should work with a business unit representative, or several, to make the language in written compliance programs accessible to the people in the field who are trying to read and understand it.

Just as the Library of America celebrates Tuchman in its recent release of two of her greatest works, we in the compliance field should celebrate her for the guidance that she provides in our discipline.


© Thomas R. Fox, 2012


February 29, 2012

Ryan Braun and Building Employee Trust in Your Compliance Program

Most people who have a modicum of interest in baseball now know that Ryan Braun was successful in the appeal of his 50-game suspension by Major League Baseball (MLB) for testing positive for performance-enhancing drugs, i.e., elevated levels of testosterone. The suspension had been levied based upon tests taken late last season, at the conclusion of which Braun was awarded the National League’s Most Valuable Player (MVP) award for a sterling season, with a batting average of .332 with 33 home runs and 111 RBIs while leading the Brewers to the National League (NL) Central title. Although the entire process is required to be confidential under the MLB collective bargaining agreement with the players’ union, both the test results and notice of Braun’s appeal were leaked to the press by person or persons unknown.

Braun won his appeal because the urine sample that was tested was not handled in compliance with the testing protocol agreed upon by MLB and the Players’ Union. The worker who took the sample did not deliver it to FedEx on the same day the sample was taken from Braun because, he said, it was Friday night after 8 PM and all the FedEx offices were closed. (A quick note here that anyone who has ever been an associate at a law firm knows just how bogus that excuse is, as there is ALWAYS a FedEx office open. My suggestion is next time to try the airport.) Instead the employee of the drug testing company took the sample home and kept it in his refrigerator over the weekend. This failure to deliver the sample as required by the agreed-upon testing protocol was enough to allow a tripartite panel of arbitrators to overturn the suspension by a 2-1 vote.

As important as it is to have a written process in place, it is equally important to follow that process. In the realm of individual rights this is called procedural fairness, and it is one of the things that will bring credibility to your Compliance Program. Following an agreed-upon process is called the Fair Process Doctrine, and this Doctrine generally recognizes that there are fair procedures, not arbitrary ones, in a process involving rights. Considerable research has shown that people are more willing to accept negative, unfavorable, and non-preferred outcomes when they are arrived at by processes and procedures that are perceived as fair. Adhering to the Fair Process Doctrine in two areas of your Compliance Program is critical for you, as a compliance specialist, or for your Compliance Department, to have credibility with the rest of the workforce.

This is particularly true in the realm of discipline in your compliance program. If you define a process that is to be followed by all employees when an event occurs, then the company must also follow its procedures in the investigation and administration of discipline. Discipline must not only be administered fairly, but it must be administered uniformly across the company for the violation of any compliance policy. Simply put, if you are going to fire employees in South America for lying on their expense reports, you have to fire them in North America for the same offense. It cannot matter that the North American employee is a friend of yours or, worse yet, a ‘high producer’. Failure to administer discipline uniformly will destroy any vestige of credibility that you may have developed.

In addition to the area of discipline, which may be administered after the completion of any compliance investigation, you must also place compliance firmly as a part of ongoing employee evaluations and promotions. If your company is seen to advance and reward only employees who achieve their numbers by whatever means necessary, other employees will certainly take note, and it will be understood that this is what management evaluates and rewards employees upon. I have often heard the (anecdotal) tale about some Far East Region Manager which goes along the following lines: “If I violate the Code of Conduct I may or may not get caught. If I get caught I may or may not be disciplined. If I miss my numbers for two quarters, I will be fired”. If this is what other employees believe about how they are evaluated and the basis for promotion, you have lost the compliance battle.

So, just as Lin-sanity can inform your compliance program, the Ryan Braun suspension and reversal can also inform your compliance program. To build a solid compliance program, trust by your employees that they will be treated fairly is required. Companies can build trust by living their stated values as set out in their company Code of Conduct and compliance program. As reported in the New York Times (NYT), MLB has come “out firing against Braun, with Rob Manfred, the executive vice president for labor relations, saying in a statement that the league ‘vehemently disagrees’ with” the arbitration ruling. If MLB wants to have any credibility it must follow its own agreed-upon testing procedures. So quit whining: if you set up a procedure, you had best follow it. The Procedural Fairness Doctrine requires nothing less.


© Thomas R. Fox, 2012

February 27, 2012

How Lin-sanity Informs Your Compliance Program: Lesson II

Lin-sanity still reigns. How can you make this determination? I will give you two signs to consider. First, Spring Training is in full force, and here I am not only thinking about the NBA but also writing about the NBA. Second, I ordered the NBA League Pass package so that I can watch Jeremy Lin play each night the Knicks are on television. (Sam Rubenfeld is smiling somewhere.) But Lin-sanity still continues to inform the compliance practitioner and compliance programs.

How does Lin-sanity continue to inform your compliance program? That question came to mind as I was reading the Saturday edition of the New York Times (NYT), in an article entitled “The Evolution of a Point Guard”, by reporter Howard Beck. In his article Beck destroyed the myth that Jeremy Lin emerged literally “overnight” as a star in the NBA. Beck wrote that this part of the Lin Legend is “altogether flawed, or at least woefully incomplete.” In my last piece on Lin-sanity and compliance I wrote about the analyst who saw the seeds of Lin’s play in his years at Harvard. Beck goes further to point out that the Lin who graduated from Harvard and got cut from both the Warriors and the Rockets is very different from the Lin who is now starting for the Knicks. How is Jeremy Lin different? Through hard work in his profession, the craft of basketball.

What work did Lin do that led to Lin-sanity? Beck went into extensive detail to report on the shooting drills he put in with an old coach to improve his jump shot; the personal fitness coach he worked out with to increase muscle size and speed; the tape of elite NBA guards he studied to learn how to set up and execute a pick and roll; the Developmental League time he put in to learn how to better read defensive double teams; and finally the lonely gym work to develop a 3-point shot. All of this hard work led to, as Beck quoted, a former coach of Lin’s saying that “He’s in a miracle moment, where everything has come together.”

Our last lesson learned from Lin-sanity was to look and think outside the box for compliance resources within your company. Lin-sanity Lesson Learned II is that the initial implementation or enhancement of a compliance program is only the beginning. It is after that time that the hard work really begins. Jeremy Lin obviously, at least to one analyst, had some amount of talent coming out of college, but Lin-sanity did not begin until he put in all the hard work that Beck detailed in his article. Likewise you, as a Chief Compliance Officer (CCO) or other person tasked within your company to implement or enhance a compliance program, must work equally hard to make the program truly best practices.

What are some of the things that you should do after implementation or enhancement? You should begin by reviewing your risk assessment to determine the nature and quality of the compliance risks that were defined. Use that list as a starting point to put in the hard work of remedying or, better yet, managing those risks. Some of the areas that you may need to remediate while you are going through the initial implementation or enhancement phase of the compliance program include one or more of the following.

Foreign Business Representatives

A usual high risk is found in the use of agents, resellers, or other non-employee sales representatives in your company’s sales chain. You need to design a database in which you collect information on all such foreign business representatives, such as contract term, underlying due diligence performed, commissions or other payments made to them over the past five years, nature of product sold or service provided, and geographic territory. From this database you should risk-rank these foreign business representatives and begin the process of remedial due diligence. If your sales model is distributors, you may need to review and assess your contractual rights and requirements for sales of your products to certain end users.

Supply Chain

There may be many persons or entities that represent your company that are located in the Supply Chain rather than the sales chain. These could include freight forwarders, visa processors, customs clearance companies, law firms, licensing representatives or any other service provider who might interact with a foreign governmental official on behalf of your company. In addition to the information that you should collect in a database, similar to the one described for Foreign Business Representatives above, you should also go back and audit invoices from such government service providers to determine if there are any issues existing from before the go-live date of your compliance implementation or enhancement.

Internal Controls

Your compliance program should consist of policies and procedures. However, it should also have the appropriate internal controls in place to effectively implement these policies and procedures across the organization. This means that policies from every department of the company may be impacted. Groups as disparate as Human Resources, Finance, Accounting, IT, Treasury and others will all have corporate policies that need to be reviewed and assessed through a Gap Analysis of your internal controls. Any discovered deficiencies will need to be remedied, so writing policies may well be a large part of your compliance effort going forward.

Human Resources

HR is key in any compliance program implementation, enhancement or ongoing evolution. One of the reasons that HR is so critical is that it is the group within your company which will be charged with identifying, evaluating and developing persons with strong ethical values who could become the leaders of your company tomorrow. As a compliance officer you will need to spend significant time with HR representatives to detect, train and promote such persons within your company to leadership and senior management positions in the years ahead.

There will certainly be other areas of your company which will need attention during your initial compliance program implementation or enhancement. It most certainly will seem like an overwhelming task. But here is where the Jeremy Lin example really kicks in. You do not have to create and perfect everything at once. Each step in the compliance journey builds on the prior step. The point is to keep moving. Your best practices compliance program will not emerge overnight, but as with Jeremy Lin, if you keep doing the things you need to do to make your compliance program more robust, you may well bring everything together to create a world class compliance program for your organization.


© Thomas R. Fox, 2012

February 24, 2012

Innovation and Compliance

Can compliance be innovative? Or can innovation inform your compliance program? Can some of the techniques and strategies of the world’s most innovative companies be brought to bear in the field of anti-corruption and anti-bribery?

I thought about those questions, and perhaps some others, while reading the March issue of Fast Company, with a cover title of “The World’s 50 Most Innovative Companies”. In his column, “From the Editor”, Robert Safian wrote about “The Lessons of Innovation.” He said that in reviewing the Top 50 most innovative companies he drew eight key themes. As I read these I thought about them and their relationship to compliance. So, with a tip of the hat to Mr. Safian, here is my compliance spin on his eight key themes of corporate innovation.

1. Compliance should be a strategy, not a tactic. Starbucks recognized that profit alone is a “fairly shallow aspiration, and it’s not enduring.” Most people want to do business with companies which do not engage in bribery and corruption. Indeed the UK Bribery Act enshrines this in its Six Principles of Adequate Procedures by stating that a company should only conduct business with other ethical companies.

2. Big companies need to be as nimble as small companies. Safian notes that the top four companies, Apple, Google, Facebook and Amazon.com, all continue to “drive the agenda across the global economy.” This should also be true of your compliance program. You need to use the tools available to you to update your risk assessment if you move into new business lines, products or geographical areas. Similarly, if one of your competitors comes under anti-corruption scrutiny, you should review any similar practices that your company might have, such as its sales model or vendors in the Supply Chain.

3. Technology is disruptive in unexpected places. Here Safian gives the example of LegalZoom, which is “challenging the definition of a law practice” by providing useful legal forms and documents to consumers. In the compliance arena, the number of technological innovations is as broad as it is deep. Companies like Catelas and VisualRisk IQ have developed software products which can allow review and assessment of a large number of data points or other quantitative data. You can even get apps for smartphones which allow submission of expense requests directly to your compliance department.

4. Compliance is a competitive advantage. Apple has never been publicly reported as going through a Foreign Corrupt Practices Act (FCPA) investigation. What is their stock price today, and is it still undervalued? Even when it recently received negative publicity regarding its manufacturing facilities in China, it responded quickly and brought in an outside monitor to assess and report. Apple also annually assesses its third party vendors and makes that report public. Do you think that keeps vendors on their collective toes? You bet it does.

5. Use of social media makes compliance better. My former speaking cohort, Stephen Martin, then General Counsel for Corpedia, often spoke about Code of Conduct 3.0, which is a web-based interactive tool which helps guide employees through a Code in an interesting and stimulating manner. The same is true of training. You no longer need to simply have a video conference to deliver compliance training around the world. Companies like Click4Compliance have interactive, web-based solutions that you can utilize. I noted above the smartphone app which allows employees from around the world to submit expense requests to the compliance department and receive an instant response back from an assigned compliance team member.

6. Data is power. If you don’t document it, you can’t measure it. If you don’t measure it, you can’t assess it. If you don’t assess it, you can’t improve it. That is how an engineer tends to look at things. In the compliance world, if you don’t document it, it never existed (Cue drum roll for: document, document and document). Both are true. You have to document things to prove that you actually did them. But if you do not have data, you cannot determine if your compliance program is successful or improve it.

7. Money is flowing. Here, Safian does not necessarily mean that more funding is available. However, in the compliance world what I believe this means is that forces other than legal enforcement, for example by the US Department of Justice (DOJ) or the UK Serious Fraud Office (SFO), are beginning to drive compliance. Insurance companies have developed insurance coverage for FCPA investigations; D&O insurers are requiring companies to have a compliance program to cover directors and officers sued in shareholder derivative actions based upon admitted FCPA violations; and, perhaps most interestingly, banks and other financial institutions are reviewing anti-corruption compliance programs to determine if they meet minimum best practices and then writing maintenance of these programs into their loan covenants.

8. Copycats are history. Safian notes that emerging market entrepreneurs “aren’t just following the successes of others, they are creating new, distinct models”. In the compliance arena I believe that ‘out-of-the-box’ solutions are no longer best practices. Companies need to assess their specific compliance risks and then design programs to specifically manage those compliance risks. If your company uses a sales model of agents, one type of compliance management strategy may need to be employed. However, if your company is a manufacturing company which sells through distributors, another compliance management strategy may be required. Do not simply purchase a compliance program off the shelf. Either design it to fit the needs (and realities) of your business model or work with an expert who can do so.

The innovation angle is not one that is usually at the front of the line at compliance conferences or in thinking through compliance programs. But if you listen to Lanny Breuer, Chuck DuRoss or any other DOJ speaker, they continually talk about evolving best practices in anti-corruption compliance. Any reader of Deferred Prosecution Agreements (DPAs) over the past 18 months is well aware of the changes in focus that the DOJ has made in these documents. Certainly, many of the compliance techniques are driven by the compliance challenges in the individual companies. But if your company has engaged in mergers and acquisitions, why would it not follow the ‘enhanced’ compliance guidance found in the Johnson & Johnson DPA and train all high risk employees within 12 months of acquisition and perform a full compliance audit within 18 months of acquisition? So my conclusion is that innovation in the compliance arena is key. As compliance programs mature and as companies mature in their approach to compliance, innovation will continue to lead best practices.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

February 21, 2012

A Seat at the Table – Compliance in the Contract Tender Process

After all the due diligence on the sales agents and representatives has been completed and they are ready to help you land that large international contract, what is the role of compliance? I would argue that compliance has as central a role to play in any international contract tender process as any other support group in your company, be it legal, tax, HR or another department. If you put compliance in the mix when preparing your response to an RFP, your company will be much better served than by calling them in after an issue arises during the contract execution. What are some of the areas where compliance can be of use during contract negotiations?

Subcontractors

It certainly should not surprise anyone to be made aware that your company is legally responsible for its subcontractors in the execution of a contract. This is also true in the anti-corruption context, whether under the Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act. This means that any direct-tier subcontractor which your company might use to complete an international contract needs to be thoroughly vetted under your compliance regime as a foreign business partner. The reason for this is the same as for an agent: subcontractors are acting on your company’s behalf, and hence your company is responsible for them. If you can perform due diligence on all parties which your company will need to execute the contract in the pre-contract phase, it will make things run more smoothly and efficiently after your company is awarded the contract and moves into the execution phase.

Travel to Company Facilities

As a part of the tender process, your company may be required to bring a foreign governmental official or group of officials to view your US operations. This can occur for a number of legitimate reasons, yet care must be taken under both the FCPA and the Bribery Act. Your company can pay bona fide and reasonable expenses that are directly related to either (1) the promotion, demonstration or explanation of products or services; or (2) the execution or performance of a contract. Bona fide promotional expenses may also include trips to manufacturing facilities to observe your company’s production and quality control processes or to conduct inspection and testing called for in a contract of sale. There can also be trips to facilities where training offers a legitimate opportunity to demonstrate products and services. There are some guidelines that need to be followed and they are as follows:

• Any reimbursement for air fare will be for economy class.

• Do not select the particular officials who will travel. That decision will be made solely by the foreign government.

• Only host the designated officials and not their spouses or family members.

• Pay all costs directly to the service providers; in the event that an expense requires reimbursement, you may do so, up to a modest daily limit (e.g., $35), upon presentation of a written receipt.

• Any souvenirs you provide to the visiting officials should reflect the business and/or its logo and be of nominal value, e.g., shirts or tote bags.

• Apart from the expenses identified above, do not compensate the foreign government or the officials for their visit, do not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money.

• The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

One of the keys is having any such travel approved by your Compliance Department prior to the travel actually occurring. In addition to the above guidelines there should be a written agenda, reviewed and approved by the compliance representative before the travel occurs. Lastly, all costs associated with the travel and entertainment must be recorded in the Company’s books and records as cost of sales and not an operating expense. The written agenda approved by the compliance representative needs to be maintained and verified by after-action reports so that the entire process is documented.

Testing and Evaluation

If your company manufactures a product, your international customer may well ask to test and evaluate products as a part of the contract tender process. These products may only be provided to support such opportunities. The testing and evaluation of samples should only occur if required by a public tender. Exceptions may be made if the samples are formally requested in writing by the potential government customer in connection with a legitimate contract opportunity. Care should be taken so that any product samples are delivered to the foreign governmental agency issuing the tender, not to an individual employee or official, or to a third party. There should be a formal written request from the potential government customer identifying the specific number of samples to be tested and evaluated. The number of samples requested should be reasonable in light of the overall potential contract. All costs associated with the provisioning of sample products for testing and evaluation must be recorded in the Company’s books and records as cost of sales and not an operating expense.

Evaluation of Compliance Risk

Just as other types of risk should be evaluated in any internal contract review process, the compliance risks should also be evaluated. What is the Transparency International Corruption Perceptions Index ranking of the country or government where the contract will be executed? Are there other sources which can be accessed, such as World-Check’s Country Check rating, the Mintz Group’s heat map “Where the Bribes Are”, or the FCPA Database, which aggregates several different types of information, specifically the national anti-corruption and anti-bribery laws applicable to local jurisdictions across the globe? Using these sources and perhaps others, you can put together not only a risk evaluation plan but also a risk mitigation plan for management, which they can take into account when the Bid/No Bid decision or pricing is finalized.

The Compliance Department is more than simply the group which performs the due diligence, trains on compliance and responds to inquiries. It can, and should, play an active role in landing contracts. A mature compliance program can be a great benefit for a company, not only in evaluating risk from the compliance perspective but also in preparing the necessary steps so that if a contract is awarded, it can be executed in a time-efficient manner. But it must have a seat at the table.


© Thomas R. Fox, 2012

February 6, 2012

A Triumvirate of FCPA Resources

One of the great things about blogging about the Foreign Corrupt Practices Act (FCPA), UK Bribery Act and ethics and compliance in general is that practitioners will forward materials to me to review. Not only does this assist me in my legal practice (yes, I do practice law for a living) but it also provides me with a wealth of materials to write about and share with other compliance practitioners. This week I was the lucky recipient of one email with three such resources from Markus Funk, partner at the law firm of Perkins Coie. I would also note that Markus was the author, co-author or otherwise involved in the publication of all three articles.

The three articles are: (1) “Complying With the Foreign Corrupt Practices Act: A Practical Primer”, authored by the University of Chicago Law School’s Corporate Lab, co-sponsored by Microsoft, and published by the ABA Global Anti-Corruption Task Force; (2) “The IP Practitioner’s ‘Cheat Sheet’ to the FCPA and Travel Act: Introducing the IP FCPA Decision Tree”, authored by Doug Sawyer and T. Markus Funk and published in the BNA Bloomberg Patent, Trademark & Copyright Journal; and (3) “Breaking Down the FCPA, Travel Act, and UK Bribery Act”, by T. Markus Funk, published in the BNA Bloomberg White Collar Crime Report.

Complying with the FCPA: A Practical Primer

Whether you are new to the field of compliance or a long-time practitioner, this 52-page guide is an excellent one-stop shop for any person who may need guidance under the FCPA. It is the result of the collaboration of several authors, law firms, companies and organizations, and the stated purpose of the Primer is to provide: (1) an overview of the FCPA; (2) an analysis of how the federal government – particularly the Department of Justice (the “DOJ”) – enforces the FCPA; and (3) a framework for developing effective compliance programs. It certainly fulfills these goals. The Primer used, as sources, the following materials: (1) the United States Attorney’s guidelines; (2) the United States Federal Sentencing Guidelines; and (3) the Organization for Economic Co-operation and Development’s (the “OECD”) Good Practice Guidance.

The Primer takes as its starting point the DOJ’s 13-point minimum best practices compliance program that is now routinely set forth in each Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA) entered into by the Department. A compliance practitioner is also provided with the legal underpinnings of the FCPA, the fundamental components of a best practices compliance program from the DOJ’s perspective and various metrics by which a company can measure and assess the effectiveness of a compliance program. To have all of this in a 52-page Primer is a much needed resource that can be used by all.


FCPA and Intellectual Property

In “The IP Practitioner’s ‘Cheat Sheet’ to the FCPA and Travel Act: Introducing the IP FCPA Decision Tree”, co-authors Doug Sawyer and T. Markus Funk discuss the FCPA and its “private bribery twin, the Travel Act” in the context of intellectual property (IP) protection. They note that the reality of 21st century business is that companies are valued largely on the basis of their intellectual property, transforming intellectual property protection into an increasingly central business interest. And with so many US and US-based companies ‘‘going global’’, IP is routinely, and simultaneously, owned and litigated in multiple jurisdictions. IP is, therefore, far from immune from FCPA or Travel Act issues and enforcement.

The authors list FCPA Red Flags in the IP context, which can include actions such as (a) a patent being granted unusually quickly; (b) an opposition to a trademark being granted before the entire process has been completed; and (c) “a foreign customs official robustly enforcing company A’s anti-counterfeiting agenda, while ignoring company B’s agenda.” To assist the IP practitioner, who may be new to FCPA compliance, or the compliance practitioner, who may be new to IP issues, the authors conclude their article with a useful decision-making tree as a guide to the FCPA and Travel Act anti-bribery provisions which “graphically illustrates each analytical step at issue, explains how the Travel Act’s prohibition on ‘‘private’’ bribery fits into the overall anti-bribery puzzle, and seeks to provide a bird’s eye view of this often confusing legal framework.”

Breaking Down the FCPA and Travel Act

In “Breaking Down the FCPA, Travel Act, and UK Bribery Act”, sole author T. Markus Funk provides the FCPA and Bribery Act compliance practitioner with three handy charts: one which illustrates the particular steps one must go through to analyze a claim for public corruption under the FCPA and how the Travel Act’s prohibition on private bribery fits into the overall anti-bribery puzzle; a chart explaining how the UK Bribery Act relates to organizations; and a chart which sets out the differences between the FCPA and the Bribery Act. Taken together, these three charts provide the compliance practitioner with the ‘‘big picture’’ view of these three anti-corruption and anti-bribery laws. It is a very useful short guide to these three laws.

All of these articles fill a valuable niche for the compliance practitioner. I hope that you will review and use them in your practice going forward. I also hope that you will join me in thanking T. Markus Funk for not only authoring or assisting in authoring the above three resources but also for sending them along to me to pass along to you.


© Thomas R. Fox, 2012

December 19, 2011

McNulty’s Maxims, the Deepwater Horizon and FCPA Internal Controls

I often write about what I call Paul McNulty’s three maxims of a Foreign Corrupt Practices Act (FCPA) compliance program: 1) What did you do to prevent it?; 2) What did you do to detect it?; and 3) What did you do to remedy it? I had generally thought that the internal controls component of a minimum best practices FCPA compliance program applied to maxim number 2, detection. However, in a recent guest post regarding internal controls entitled “Controls to Prevent Violations of Anti-Bribery Laws”, my colleague Henry Mixon explained that “A specific focus is needed to ensure there are control procedures in place to ensure compliance with” maxim number 1, prevention.

This concept was driven home in a December 15, 2011 article in the Houston Chronicle by reporter Jennifer Dlouhy, entitled “Blowout preventers fall short, report says”. This article discusses a 136-page report by the National Academy of Engineering and National Research Council (“the Report”) on the Deepwater Horizon disaster. One of the findings of the Report was that the industry’s trust in blowout preventers, as they are currently designed and utilized, is misplaced. The Report noted that there were several studies which had questioned the reliability of blowout preventers to do what they were designed to do and provided several technical reasons for this finding.

For those of you not in the oil and gas industry a blowout preventer is a piece of equipment which is designed to be the last line of defense if the well blows by cutting through the pipe and blocking the oil or gas from escaping upwards and being ignited by the drilling rig. Generally, it has to be activated by someone or some automatic control system to take its preventative action. In other words, it is not viewed as a detection device but as a prevention device.

This article specifies that the design of blowout preventers is, as the name implies, to prevent an accident. I was reminded that the FCPA and UK Bribery Act require a specific focus on preventive controls. While there should be detect controls as well, if your company only has detect controls, your compliance program does not meet the minimum best practices. In his recent post Henry Mixon focused on the use of internal controls to prevent bribery and corruption.

Some examples of internal controls which can serve as preventive controls are the following:

  1. Petty cash disbursements should be reviewed by more senior management before disbursement rather than reconciled after the fact.
  2. Controls are needed over:
    1. movement of inventory, because bribes can be made through mechanisms other than cash; and
    2. gifts, entertainment, hospitality, political contributions, and charitable contributions.
  3. An effective Delegation of Authority, such as the requirement of dual signatures for hand-written checks.
  4. Offline processing and maintenance of key information related to vendors and disbursements.
  5. Employees, both contract and permanent, require controls in payroll processing to ensure that an employee’s status as a current or former Government Official, or a relative of one, is identified in pre-hire diligence and that effective oversight is established regarding the hours actually worked, the type of work performed, and the compensation paid.
  6. Vendor master file controls to ensure no vendors are paid unless appropriate due diligence has been performed.

The Report on the Deepwater Horizon disaster makes clear that the energy industry must find a way to prevent a similar event in the future. The lessons from McNulty’s maxims also make it clear that for a best practices compliance program, you must have sufficient preventive controls in place to prevent bribery and corruption. Henry Mixon details some of the specific reasons that internal controls can be used as preventive controls and the specifics of how to do it.

If your compliance program only uses internal controls to detect after-the-fact violations, you may need to call Paul McNulty and have him represent you. Then you may well be in the position of having McNulty call the Department of Justice and self-report an FCPA violation. I am relatively sure that such a call is not one that you would like to make, or have counsel make on your behalf.


© Thomas R. Fox, 2011

October 5, 2011

TI Guidance on Anti-Corruption and Anti-Bribery Due Diligence for M&A Transactions – Part II

Transparency International (TI) recently released a consultation draft of its White Paper entitled “Anti-Bribery Guidance for Transactions”. In Part I we discussed the risks to companies involved in international mergers and acquisitions. The TI White Paper notes that anti-corruption and anti-bribery due diligence is “often not undertaken, neglected, or allocated insufficient time and resources.” In Part II we will discuss the due diligence process suggested by Transparency International for such transactions.

Aims of Due Diligence

The TI White Paper begins by listing what TI believes to be the core aim of anti-corruption and anti-bribery due diligence. This core aim is to assure that the business to be acquired is sound and not distorted by bribery, and that its apparent business value is not a product of bribery. To accomplish this assurance the acquiring company should identify the risks of corruption and bribery for the target through indicia such as countries or areas of geographic operation, transactional markets and any business partners. There should also be an evaluation of the adequacy of the target company’s anti-corruption and anti-bribery program and of any corruption or bribery exposure that could cause the transaction to be aborted or modified.

Organizing for Due Diligence

TI next identifies three groups which should be organized for the due diligence. Each group has separate responsibilities and reporting lines which must be clearly delineated. These groups include:

(1) Internal Team. The Internal Team will include some or all of the acquiring company’s internal corporate functions: the portfolio management team; a due diligence team if it exists; the internal company support functions of finance, general counsel, compliance and corporate affairs; and the appropriate approval and oversight bodies including investment, audit or other committees, the executive committee, partners or the board.

(2) External Advisors. The External Advisors will include outside legal counsel, accounting and other forensic outside advisors that specialize in anti-corruption and anti-bribery issues.

(3) Internal Approvers. These Internal Approvers will include the Board of Directors or Partners who will be ultimately responsible for ensuring that their own company has implemented adequate anti-corruption and anti-bribery due diligence procedures during the transaction. These governing bodies must receive the investment and due diligence reports and are required to review these carefully and query management as necessary to check that due diligence has been carried out to a proper extent in assessing corruption and bribery risks.

Integrating Due Diligence into the Transaction Process

1. Initiating the process

TI stresses that anti-corruption and anti-bribery due diligence should begin at the start of the process. It is not something that should be rammed in during the tail end of the process. TI advises there are four immediate actions regarding anti-corruption and anti-bribery due diligence which should begin when transactional due diligence commences. These four steps are:

  1. The acquisition team communicates the launch of the project to the relevant internal teams and external advisers;
  2. Initial meetings are held with the functions including a cross functional meeting;
  3. A timetable with milestones is developed – the time allocated for completion will vary widely with each situation but adequate time should be allocated to the anti-bribery due diligence; and
  4. The information needed for due diligence is scoped and prioritized striking a balance between the time schedule, resources available for due diligence, the willingness of the target to undergo detailed scrutiny and the need to ensure that issues are not overlooked.

2. Initial screening

TI advises that the acquiring company should not rely upon any other due diligence work. The risk approaches and risk circumstances for each transaction are never the same. Each potential investment is a fresh start and must be analyzed separately and individually. Although the TI White Paper suggests that this step be carried out by external advisors such as a law firm or consulting company that specializes in anti-corruption or anti-bribery work, I believe that many companies have sufficient internal resources available to them with the expertise to handle this step.

TI specifically advises the following steps for initial screening. They include:

  • An understanding of the target company’s approach to anti-corruption and anti-bribery and its specific program to prevent, detect and remediate the same.
  • An assessment of the commitment of the target company’s Board of Directors and leadership to integrity and the entity’s anti-corruption and anti-bribery emphasis (its ‘Tone at the Top’).
  • Identification of any apparent anti-corruption and anti-bribery exposures or risks through a frank discussion with the management of the target company.

TI concludes by noting that if the anti-corruption anti-bribery risks are high and remediation does not seem an option, “this may lead to the proposed investment being dropped at this stage” before a more detailed investigation is undertaken.

3. Detailed analysis

While my experience in Mergers & Acquisitions (M&A) work is that your opportunity for investigation may end with Step 2 above due to the time constraints on any transaction, TI advocates a more detailed analysis at this point. TI envisions that this more detailed analysis would occur after an agreement in principle is reached but before the execution of a binding contract. Here TI sets forth several detailed steps that the acquiring company can engage in. They include:

  • A business case analysis will be made including a detailed review of the target company’s markets and competitors’ activities; this should include whether corruption and bribery is a potential factor.
  • The management of the target company starts work to prepare the required information which may be considered by the purchaser.
  • A detailed due diligence analysis should be carried out by the due diligence team and/or its advisers to examine in detail the anti-bribery program of the target, assessing its quality and risks of corruption and bribery – this review should include external information from a wide range of sources.
  • Interviews and site visits should be conducted by the Internal Team though some of this may be carried out by external advisers.
  • External sources can be interviewed to obtain information. External sources could be customers, suppliers, industry experts and embassy officials.
  • Support functions will review the results of due diligence and give their opinion to the acquisition or portfolio management team. The functions can include legal counsel, compliance officer, corporate affairs, and any other relevant functions as well as external advisers.
  • Where the risk is judged to be unacceptable the proposal may be dropped at this stage.
  • As this stage involves detailed examination of the target, consideration should be given to appointing a forensic firm which is a specialist in the UK Bribery Act and Foreign Corrupt Practices Act (FCPA). The firm should research and identify relevant information for analysis. This will include detailed scrutiny of books and records including a ledger analysis in sufficient detail to be able to examine line entries which could be problematic.

4. Decision

The Portfolio Managers or M&A team should next prepare its report for the Acquisition Committee or equivalent body. The report should include a review of the due diligence findings related to bribery, any identified issues and how these could be mitigated, including discussions with the relevant authorities. Where the risk is judged to be unacceptable the purchaser must decide whether it should now withdraw from the planned investment. If the risk is deemed to be high there should be at least an outline of the remediation plan going forward, including how the target company’s anti-corruption and anti-bribery program can be brought to the required adequate level, risks remediated, contracts potentially renegotiated and re-tendered, and how any corrupt employees and associates will be removed from the target company.

5. Post-acquisition integration

The Johnson and Johnson (J&J) Deferred Prosecution Agreement (DPA), released in April, 2011, provides a company with breathing space to move forward with a plan and remediation of an acquired company. This allows an acquiring company to think of due diligence and remediation as a single continuum and not as a series of bi-lateral continuums. To the extent possible, a company should conduct a pre-acquisition FCPA audit of the target company and post-acquisition a full FCPA audit within 18 months and training of all relevant personnel and business representatives within one year of acquisition.

The TI White Paper also suggests that due diligence procedures continue beyond the point of acquisition. Once the purchase or investment is completed, further due diligence will be carried out with the advantage of greater access if it is a majority investment. At this stage, further bribery risks may be identified in which case remedial action will be needed. If bribery is discovered at this stage then it will be necessary to report this to the legal authorities. If such issues are identified quickly after acquisition this will make it easier to resolve them with the relevant authorities.

The key appears to be that a company should follow the time strictures of the J&J DPA and timely and completely report any discovered violations to the relevant regulatory body, whether it be the US DOJ or the UK Serious Fraud Office.

6. Continuing monitoring

The TI White Paper concludes this section by stressing the need for ongoing monitoring. Both the UK Bribery Act and FCPA speak to continuing monitoring, whether in the form of ongoing monitoring or ongoing assessment. Principle Six of the UK Bribery Act’s Adequate Procedures discusses the need for ongoing monitoring and review. The Principle states “The commercial organisation institutes monitoring and review mechanisms to ensure compliance with relevant policies and procedures and identifies any issues as they arise. The organisation implements improvements where appropriate.” The reasons for this continued monitoring are to ensure that if external events, like government changes, corruption convictions, or negative press reports occur, an appropriate compliance response is triggered. Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such an external verification or assurance of the effectiveness of a compliance program is a key component to assist a company in maintaining a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company could continue to evaluate its own compliance program with reference to compliance standards which are evolving on a world-wide basis.

As with all TI White Papers, this one is a wealth of information for the compliance practitioner. This White Paper lays out one method for thinking through and organizing your anti-corruption and anti-bribery due diligence team for any transactional work. The White Paper also provides the compliance practitioner with the specific steps to take in your due diligence, the questions to ask and what to look for. Lastly, the White Paper lays out a way to think through your presentation to management. It is a welcome addition to the TI library of anti-corruption and anti-bribery White Papers and other materials.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

September 16, 2011

How do You Evaluate a Risk Assessment?

What is the amount of risk that your company is willing to accept? Before you even get to this question, how does your company assess risk and subsequently evaluate that risk? In the July issue of Compliance Week magazine, these questions were explored in an article entitled “Improving Risk Assessments and Audit Operations”, in which author Tammy Whitehouse discussed the audit process and how the audit results can form the basis for the evaluation of a risk assessment. In her article Whitehouse focused on the presentation of Michele Abraham, from Timken Co., and how Timken assesses and then monitors the risks it identifies through its annual compliance audit.

According to Abraham, once risks are identified, they are rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward, but the key step is to evaluate and rate these risks. Abraham provided two examples of rating guides, which Whitehouse included in her article. We quote both in their entirety.

LIKELIHOOD

Likelihood Rating: Assessment: Evaluation Criteria

1: Almost Certain: Highly likely, this event is expected to occur
2: Likely: Strong possibility that an event will occur and there is sufficient historical incidence to support it
3: Possible: Event may occur at some point, typically there is a history to support it
4: Unlikely: Not expected but there’s a slight possibility that it may occur
5: Rare: Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY

Priority Rating: Assessment: Evaluation Criteria

1-2: Severe: Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4: High: Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7: Significant
8-14: Moderate
15-19: Low: Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.
20-25: Trivial: Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: The product of the ‘likelihood’ and significance ratings reflects the significance of a particular risk universe. It is not a measure of compliance effectiveness, nor a means to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, relationship-analysis-based software such as Catelas, or other analytics-based tools. But you should not forget the human factor. At Timken, one of the methods the compliance group uses to manage such risk is providing employees with substantive training, both to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by its analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the US Department of Justice (DOJ) in its Compliance Program best practices and in the UK Bribery Act Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regard to the actions a company takes in the compliance arena. The model set forth by Michele Abraham of Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

