FCPA Compliance and Ethics Blog

February 5, 2015

Selfie-Sticks and Risk Assessments

Greetings from Venice and a big thanks to Joe Oringel at Visual Risk IQ for allowing me to post his five tips on working with data analytics while I was on holiday in this most beautiful, haunting and romantic of cities. While my wife and I have come here several times, we somehow managed to arrive on the first weekend of Carnivale, without knowing when it began. On this first weekend, the crowds were not too bad and it was more of a locals’ scene than the full all-out tourist scene.

As usual, Venice provides several insights for the anti-corruption compliance practitioner, whether you harbor under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, both, or some other such law. One of the first things I noticed in Venice was the large number of selfie-sticks and their use by (obviously) tourists. But the thing that struck me was the street vendors who previously sold all manner of knock-off and counterfeit purses, wallets and otherwise fake leather goods had now moved exclusively to market these selfie-sticks. Clearly these street vendors were responding to a market need and have moved quickly to fill this niche.

While the economics, inventory, bureaucracy and market-responsiveness of such businesses may be a bit more nimble than the more traditional US entity doing business overseas, it does bring up a very good lesson for the compliance practitioner. A risk assessment is a tool for a variety of purposes. Certainly moving into a new geographic area is an important reason to perform a risk assessment. However, it can also be used for a new product offering, such as a selfie-stick. As stated in the FCPA Guidance, “As a company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits. The degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

So what if your company comes to market with a new product or, in the case of the Venetian street merchants, moves to sell a product for the first time even if the product is not exactly ‘new’? Obviously you will need to consider all government touch points that could bring you into potential violation under the FCPA. You should determine not only what licenses you will need but also how you will obtain them. Avon has come to over $500MM in FCPA grief by paying bribes to obtain licenses (and then doubling down by going full Watergate in its cover-up). Wal-Mart is alleged to have gotten into hot water in Mexico for paying bribes to obtain permits to do business in that country. So will your company obtain these licenses directly or use a third party to obtain them?

What about continued quality control of your new product? If you are in the food product industry this will mean continued inspections of your products to assure they meet government standards. Make sure that you have a hiring process in place to weed out the wives, sons or daughters of any food service inspectors. Of course, do not hire such inspectors for jobs directly either, especially if they do not have to show up or perform any duties to get paid by your company.

If you are not going to manufacture your selfie-stick equivalent in the country where these new products will be sold, how will you import them? Who will be interfacing with the foreign government on tax issues for importing of products? Will they be there permanently or on a temporary basis? All questions that have gotten US companies into FCPA trouble when they paid bribes to answer, assuage or grease some or all of the answers.

It turns out the compliance practitioner can learn quite a bit from the selfie-stick; not all of it is simple self-indulgence. Your compliance program must respond to your business initiatives. To do so, you also need to have a seat at the big boy table where such initiatives are discussed. But that is another lesson from Venice for a different day. Until then, ciao.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

August 28, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part III

Today, I conclude a three-part series on risk assessments in your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program. I previously reviewed some of the risks that you need to assess and how you might go about assessing them. Today I want to consider some thoughts on how to use your risk assessment going forward.

Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements.

A manner in which to put into practice some of Volkov’s suggestions was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”. Her article focused on how Timken Company assesses and then evaluates the risks the company has assessed. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks.

LIKELIHOOD

| Likelihood Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1 | Almost Certain | Highly likely, this event is expected to occur |
| 2 | Likely | Strong possibility that an event will occur and there is sufficient historical incidence to support it |
| 3 | Possible | Event may occur at some point, typically there is a history to support it |
| 4 | Unlikely | Not expected but there’s a slight possibility that it may occur |
| 5 | Rare | Highly unlikely, but may occur in unique circumstances |

‘Likelihood’ factors to consider: the existence of controls, written policies and procedures designed to mitigate risk; capability of leadership to recognize and prevent a compliance breakdown; compliance failures or near misses; training and awareness programs.

PRIORITY

| Priority Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1-2 | Severe | Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans |
| 3-4 | High | Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans |
| 5-7 | Significant | |
| 8-14 | Moderate | |
| 15-19 / 20-25 | Low / Trivial | Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time. |

Priority Rating: The product of the ‘likelihood’ and significance ratings, which reflects the significance of a particular risk universe. It is not a measure of compliance effectiveness, nor a means to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, a relationship-analysis based software such as Catelas or other analytical based tools. But you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

In an article in Compliance Week Magazine, entitled “Lessons on Risk Assessments from Winnie The Pooh”, Jason Medford articulated that a key use of a risk assessment is to assist the internal audit function in developing their internal audit plan. He cited to the Institute of Internal Auditors (IIA) standard 2010.A1, which states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.” He went on to note that “In order to have a truly integrated GRC capability it is necessary for internal auditors to work with other GRC professionals in their organization. They must align their annual audit plan with the organization’s objectives, strategies, and initiatives of the other GRC professionals. They must collaborate, coordinate, and align their audit activities with other GRC professionals to increase visibility, improve efficiency, accountability and collaboration.”

Carol Saint, Vice President of Internal Audit for 7-Eleven, who was interviewed by OCEG President Carol Switzer for the same article, said that “We start with a risk assessment, beginning with business units because this is how the organization has designed accountability. We decompose business units into the processes and sub-processes they own and execute. We evaluate how sub-processes align to achievement of strategic objectives: How do they affect the company’s value drivers? Next, we map financial statement lines to the sub-processes to help prioritize from that lens. Finally, for each sub-process we consider specific risks that could hinder achievement of strategic objectives, as well as fraud risks, significant accounting estimates, benchmarking/ hot topics, and ERM risks. We created an “intensity rating” that measures how often a process/sub-process was mentioned in our stakeholder interviews as a risk to the company. And we also considered how cross-functional a process is so that the element of complexity—a risk accelerator—could help determine audit plan priorities. This year’s plan development process was quite intense, but I think we did a good job of creating a baseline so that future risk assessments are more efficient.”

I hope that you have found this series on risk assessments useful. If you have any questions or better yet would like me to work on a risk assessment for your organization, please contact me.

© Thomas R. Fox, 2014

November 11, 2013

Honor Our Veterans and Compliance in the Supply Chain

Today is National Remembrance Day for Veterans who served their country and across the world. In the US we call it Veterans Day. In the UK, it is called Remembrance Day. Whatever it is called, it is designed so that we may never forget the sacrifices that the men and women made so that we can live in a free society. So today, I ask you to personally thank a veteran, buy them a cup of coffee or simply reflect on those who made the ultimate sacrifice to allow us all to go forward into the 21st Century.

My father is a veteran of both World War II and the Korean Conflict. I saw him this weekend and at 87 he is still kicking along, reading, studying and thinking about the relevant issues of the day. He gave to me a copy of the Fall 2013 issue of the University of Illinois, College of Law, Comparative Labor Law & Policy Journal which had an article, entitled “Toward Joint Liability in Global Supply Chains: Addressing the Root Causes of Labor Violations In International Subcontracting Networks”, by authors Mark Anner, Jennifer Bair and Jeremy Blasi. So to honor my father’s continuing interest in anti-corruption compliance, today I will write about this article and how it informs anti-corruption compliance in the Supply Chain.

The authors’ starting point is the Rana Plaza building collapse in Bangladesh, which killed at least 1129 workers and which has led to a “significant departure from the extant model of labor compliance that has developed over the past two decades”. The previous model of labor compliance had assumed that labor issues were a “factory-level problem and the only entity that needs to be regulated is the contractor factory.” This was enforced by companies adopting codes of conduct and then monitoring their suppliers for compliance. However, after the Rana Plaza tragedy, certain western corporations adopted the Bangladesh Accord, which anticipates joint responsibility for labor issues between both vendors and the purchasers of their goods and services. Further, the Bangladesh Accord is not merely like the prior general statements of intent but brings binding, contractually enforceable duties.

While the focus of the article was on labor issues such as pay, safety and retaliation for raising such concerns, the article did point to some interesting ideas which could be applied to this issue as it relates to anti-corruption compliance under laws such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Obviously both laws require a specified protocol for the hiring of third parties which represent companies. These concepts and techniques are now being used for third parties who develop relationships with companies through the supply chain. Companies such as freight forwarders, visa processors and customs brokers have foreign governmental touch points which clearly mandate a thorough due diligence process under the FCPA and Bribery Act. However, many companies may not recognize their potential exposure for companies which supply them but engage in bribery and corruption to fulfill their contracts.

Using the authors’ discussion of the regulatory scheme for compliance of labor and safety issues for suppliers under the Bangladesh Accord, I have adapted its points for anti-corruption compliance. The intention is to create stable, long term relationships and also to promote a stable core of suppliers who are FCPA or Bribery Act compliant in anti-corruption and anti-bribery. These points can incentivize suppliers to not only become more compliant in anti-corruption and anti-bribery programs but also reward them for doing business with other like-minded sub-suppliers and sub-contractors. They include:

  • Require suppliers to designate all sub-suppliers and sub-contractors that they will use.
  • Restrict the subset of sub-suppliers and sub-contractors to those who have been certified, through a recognized non-governmental organization (NGO) or company, in anti-corruption.
  • Prohibit retaliation against supplier employees who report, in good faith, allegations of bribery and corruption.
  • Require a supplier to register the number of sub-suppliers and sub-contractors that it intends to use for a company.

For US, and other western companies, I think that there are some lessons which might be drawn from the authors’ piece in connection with their compliance programs around the Supply Chain.

Know Your Suppliers

When it comes to anti-corruption compliance in the Supply Chain, many companies either fail to embrace this concept or, worse yet, do not understand how this concept is interwoven into an overall compliance program. Indeed, one of the perceived banes of compliance is that a company is responsible for the actions of its suppliers. Nevertheless, if companies understand that suppliers are a critical component of an overall compliance program it becomes much easier to understand how such a model can and should be used as a guidepost for the Supply Chain and compliance.

The Compliance Oversight Committee

The Oversight Committee is a key component of any best practices compliance program. Not only should it be used for reviewing and managing traditional high risk areas such as third party business representatives in the sales chain; a company can create such committees for other high risk issues particular to a company. Witness the Johnson & Johnson (J&J) Deferred Prosecution Agreement (DPA) and its “Enhanced Compliance Obligations”. In this J&J agreed to establish “a “Sensitive Issue Triage Committee” to review and respond to any such [Foreign Corrupt Practices Act] FCPA issues as may arise.” This is precisely the type of rigor which should be included in a best practices compliance program. Compliance Committees can serve to escalate compliance issues before they become violations of the FCPA or UK Bribery Act and are becoming a part of a best practices compliance program. If a company decides to disband such a committee it must clearly perform rigorous audits or place such safeguards in place to send a message to both vendors in the Supply Chain and employees that compliance is still held in the highest regard by the company.

Risk Assessments – Don’t Let Growth Overwhelm Your Compliance Program

The Department of Justice (DOJ) continually reminds us of the need for risk assessments. One of the areas often overlooked in risk assessments is growth. Growth and indeed explosive growth can be pursued or occur while not fully assessing or even appreciating the risks involved. This could mean that there were many new vendors in the Supply Chain that did not receive the rigorous due diligence and training in anti-corruption and anti-bribery compliance. A company can also hire huge numbers of new contract employees who do not receive the same anti-corruption training as previously hired employees. These can lead to organizational incentives that become skewed towards growth and not compliance.

If a company wants to move forward with an aggressive growth model, it should assess the compliance risks of doing so. Through a risk assessment, it might be determined that compliance might suffer through the increased use of new vendors. For the compliance practitioner, these risks might also be that new vendors in the Supply Chain need full and complete compliance training, that contract employees need the same compliance training as full-time employees; additionally new vendors need rigorous screening through a robust due diligence process to not only identify Red Flags regarding corruption but to help educate them that your company takes compliance very seriously.

So today I honor my father and all Veterans everywhere. And thanks to my father for continuing to be interested enough to read articles which help inform my knowledge of anti-corruption compliance.

© Thomas R. Fox, 2013

August 29, 2012

NYPD Community Policing as Model for Your FCPA Compliance Program

For those of you who do not know Scott Moritz, you should take an opportunity to do so. I first met Moritz (virtually) through his article in the FCPA Blog, entitled “Risk-Based Compliance”. In this post, Moritz looked at the language of Opinion Release 08-02 (the “Halliburton Opinion Release”) in the context of the risk based approach of which the Department of Justice (DOJ) approved Halliburton’s proposed acquisition of Expro. These risk based concepts were used by the UK Financial Services Authority (FSA) in its January, 2009, settlement with Aon. Moritz is a retired FBI special agent, with over 25 years of complex investigative, forensic accounting, regulatory compliance and law enforcement experience. He is now a Managing Director for Global Investigations & Compliance at Navigant Consulting.

I have had the opportunity to speak with Moritz on a couple of webinars, jointly author papers with him and hear him speak at leading Foreign Corrupt Practices Act (FCPA) conferences. I can assure you that he knows his stuff. Recently Moritz published yet another piece in his continuing education for the rest of us compliance practitioners in the area of risk based assessments. In an article entitled “Walking a Beat to Reduce Corruption”, Moritz analogized “the concept of community policing that has been used to reduce crime in many major cities across the world” in his innovative approach of “a growing corporate culture of mutual transparency that is having a very positive effect on overall awareness regarding anti-corruption” for third party due diligence under both the FCPA and UK Bribery Act.

Moritz talked about community policing in the context of new thinking which holds that more “successful third-party anti-corruption programs depend upon effective two-way communication between the company and its third parties.” He advocates that companies “engage directly with third parties to build trust” and communicate a company’s ethical values to those third parties in both its Sales and Supply Chains. The starting point for any trust is communications. He believes that for a compliance program to be truly effective, “it must create communication channels between compliance, its internal clients within the organization and the third parties whose actions could lead to corruption liability.” This communication should begin by alerting a company’s key employees, whose responsibilities include engagement with third parties, i.e. business sponsors, “to the potential risks of these commercial relationships, how to recognize them, what they may mean in terms of their continuing compliance obligations and how to convey this information to the third parties in a way that is not construed to be offensive in any way.”

One of the most important roles of these business sponsors is to take the message of compliance to the company’s third party representatives. Many companies will have this first message be the company’s FCPA compliance questionnaire but Moritz advocates it is “the business sponsor’s responsibility to explain the company’s third-party anti-corruption program, the rationale behind it, to emphasize the mutual benefits of the relationship and to serve as the company liaison going forward. That initial conversation should also highlight the fact that the vast majority of such steps result in a strengthening of the relationship between the company and its third parties.”

This business sponsor should stress at least three key factors. The first is that the company lives by its anti-corruption values and those are embedded in its anti-corruption, FCPA Compliance Program and the questionnaire is a necessary part of that Compliance Program. Second, that your company’s Compliance Program is similar “to those in place at an increased number of organizations and it would be reasonable to expect it to be part of the process whenever their company engages with a global company.” Third, that by asking for what may seem as unusually sensitive information, it is not a lack of trust but that the request “actually signals the importance of the relationship and the company’s willingness to make a substantial investment in it to ensure that any issues that may be out there are put to rest at the outset thereby eliminating any future barriers to the relationship between the parties.” Concluding this section Moritz opines that by “Spending a fair amount of time setting the tone will provide a solid foundation for the relationship going forward.”

So how does this relate to a community policing program? At least as the theory is practiced by the New York Police Department (NYPD) it is based upon the precept of the “broken window theory” whereby if a window is allowed to be broken and stay broken it sends a signal that no one in the neighborhood cares about crime and this in turn leads to more crime. The NYPD took to having more foot patrols so that the officers could build trust in the neighborhoods which they were assigned, rather than driving around in squad cars. This signaled to the community that the police cared and many neighborhoods responded with actions, such as fixing broken windows, which showed they cared as well.

Moritz concludes his article by noting that “business sponsors act as the cops on your beat”. Just as community policing fosters two-way communication between the NYPD and the community; the business sponsor can effectively take the place of these police officers who are walking a beat in a community. The “business sponsors are on the front lines of your anti-corruption program building long-term relationships that are critically important components of your anti-corruption program and your commercial success as a whole.”

I found the Moritz piece quite interesting and a continuation of his long line of thoughtful, best practices and leading edge commentary. I would add that a key is the business sponsor; your selection and training of this employee is a critical element. I commend the full Moritz piece to you.

© Thomas R. Fox, 2012

June 12, 2012

Napoleon’s Invasion of Russia and Risk Management

Today, June 12, is the traditional date given for Napoleon’s invasion of Russia. I cannot think of a better anniversary to use to introduce the discussion of risk management. Do you think he made a risk assessment so that he could manage his risks? If he did, what were his risks and how would he go about managing them? While more of a post-mortem than risk assessment, the chart at the right is probably the best statistical graphic ever drawn. It shows a data map drawn by Charles Joseph Minard, showing the losses suffered by Napoleon’s army in the Russian campaign of 1812. Beginning at the Polish-Russian border, the thick band shows the size of the army at each position. The path of Napoleon’s retreat from Moscow in the bitterly cold winter is depicted by the dark lower band, which is tied to temperature and time scales. Certainly an excellent visual representation.

I thought about risk assessments and risk management when pondering that as companies become more mature in their compliance programs, they can use the information generated in a risk assessment in a variety of ways to facilitate an overall risk management program. In an article in the June issue of the Harvard Business Review, entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes posit that the initial step a company must take to create an effective risk management system is to understand “the qualitative distinctions among the types of risk that an organization faces.” The authors have separated business risk into three categories: (1) Preventable Risks; (2) Strategy Risks; and (3) External Risks. They state that companies should design their risk management strategies to each category because what may be an adequate risk management strategy for the management of preventable risks is “wholly inadequate” for the management of strategy or external risks.

Category I: Preventable Risks. These are internal risks, arising from within an organization. The authors believe that “companies should seek to eliminate these risks since they get no strategic benefits for taking them on.” The authors specifically mention anti-corruption and anti-bribery risks as falling in this category. This risk category is best managed through active prevention both through operational processes and training employees’ behaviors and decisions towards a stated goal. The control model to manage preventable risks is to develop an integrated culture and compliance model. Such a system would typically consist of a Code of Conduct or Business Ethics, standard operating procedures, internal controls to spell out the requirement and internal audit to test efficiencies. The role of the Compliance Department in managing Category I risks is to coordinate and oversee the compliance program and then revise the program’s controls as needed on an ongoing basis, all the while acting as independent overseers or the risk management function to the business units.

Category II: Strategy Risks. These risks are those which a company may accept in some form because they are “not inherently undesirable.” In other words, a company may be willing to accept some types of risks in this category so that it may increase profits. This category of risk cannot be managed through the rules-based system used for preventable risks; instead, the authors believe that “you need a risk management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.”

The authors list several specific techniques to use as the control model for strategic risks. These include “interactive discussions about risks to strategic objectives drawing on tools” such as heat maps and key risk indicator scorecards. The Compliance Department’s role here is to run risk management workshops and risk review meetings, usually acting as the “devil’s advocate” to the business units involved. Another key role of the Compliance Department is the marshaling and the delivery of resources allocated to mitigate the strategic risk events identified in this process. Finally, the authors believe that the relationship of the Compliance Department to the business units in managing a Category II strategic risk is to act as “independent facilitators, independent experts or embedded experts.”

Category III: External Risks. These are risks which arise outside the company’s control and may even be beyond its influence. This type of risk would be a natural disaster or economic system shutdown, such as a recession or depression. The authors here note that as companies cannot prevent such risks, their risk management strategy must focus on the identification of the risk beforehand so that the company can mitigate the risk as much as possible. Recognizing the maxim that ‘you don’t know what you don’t know’; the authors see the control model for Category III risks as “envisioning risks through: tail-risk assessments and stress testing; scenario planning; and war-gaming” with the management team. Under this Category III risk, the authors believe that the relationship of the Compliance Department to the business units is to either complement the strategy team or to “serve as independent facilitators of envisioning exercises.”

The authors conclude with a discussion of the leadership challenge in managing risks, which they believe is quite different than managing strategy. The reason is that managers “find it antithetical to their culture to champion processes that identify the risks to strategies they helped to formulate.” Nevertheless without such preparation, the authors believe that companies will not be able to weather risks which turn into serious storms under the right conditions. They believe that the key element is that the risk management team must have a direct reporting line to senior management because “a company’s ability to weather [risk] storms depends very much on how seriously executives take their risk-management function when the sun is shining and there are no clouds on the horizon.” I could not have said it better myself.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

June 8, 2012

Ray Bradbury, Fahrenheit 451 and a Risk Based Approach to Managing Third Parties

Ray Bradbury died on Wednesday. For my money, he was the greatest writer of science fiction in the 20th century. But his fictional world was not all happy endings as found in one of his best known works, Fahrenheit 451. This book had a profound effect on me when I first read it as a teenager. The one concept that struck me the most was when the protagonist, Montag, meets a group of older men who, to Montag’s astonishment, have memorized entire books. Each man in the group has become a book to preserve until it is safe to print books again. So here’s to you, Ray Bradbury.

This week Kroll released its “2012 FCPA Benchmark Report”. In this survey, it found that the majority of corporate compliance officers at US multinationals believe they’re exposed to bribery risk and fall short on best practices when it comes to third party screening, facilitating payments and political donations.

As reported in the FCPA Blog, in a piece entitled “Compliance Officers Troubled By Third-Party Risk”, some of the key findings of the Report are as follows:

  • 69% of all respondents said their companies were either moderately or highly exposed to risk related to compliance with anti-bribery laws; this number jumps to 100% in the pharmaceutical industry and drops to 46% in the financial services industry.
  • 99% of respondents said they had anti-bribery provisions for employees in their companies’ codes of conduct.
  • 73% have anti-bribery provisions in place for third parties.
  • 71% require third parties to complete a disclosure listing affiliations with foreign officials (65% verify that third parties adhere to the company’s code of ethics and 73% confirm that each third party is free from sanctions pertaining to compliance with anti-bribery regulation).
  • 36% of respondents permit facilitating payments under certain circumstances; 60% do not permit facilitating payments under any circumstances.
  • 19% do not have a written policy with respect to facilitating payments.

I thought about some of these findings in the context of one of the presentations that I moderated at the Compliance Week 2012 event this week. In a presentation entitled “3rd Party Due Diligence Best Practices in Establishing an Effective Anti-Corruption Program”, Randy Corley, EVP, Global Compliance Officer at Edelmen Inc. discussed his company’s efforts to manage the risks involved with third parties under the Foreign Corrupt Practices Act (FCPA). He has developed a five-step process which he shared with the group.

Step 1: How Much is Enough? Under this step, Edelmen uses an initial screening process to establish scope. The goal is to have a realistic process so that it can be effectively managed and still be of sufficient value for the business unit decision makers, who have the ultimate responsibility over the company’s third parties. From this step, he ranks risks as high, medium or low and then proceeds to his next steps based upon this risk ranking.

Step 2: How Deep Do We Dig? Corley began by noting that in his company, this process is owned by the business unit. He made clear that this is a key step at which the company does a thorough third party risk assessment for each entity. In this risk assessment, the following factors are evaluated: (1) geographic location, (2) government involvement, (3) initial internet search, (4) compensation to be paid to the third party, (5) scope of goods or services to be delivered, (6) skills and qualifications of the third party, (7) experience the company may have previously had with the third party and (8) client recommendations, if any. Using these risk factors Edelmen establishes two parameters going forward: (A) What will be the level of due diligence to be conducted? and (B) Where will the level of authorization for this third party lie in the company?

Step 3: What Do You Need To Know? Initially, Corley said that the scope of review depends on the risk assessment: High Risk, Medium Risk or Low Risk. This risk ranking will determine the level of information collected and due diligence performed. The key element of this step is data collection. The initial step is to have the third party complete an application which should include requests for information on background and experience, scope of services to be provided, relevant experience, list of actual and beneficial owners, references and compliance expertise.

Step 4: What Did We Learn? From this data, and other data collected on the third party, the next step is to move to Verification and Validation. This can be done through a variety of sources including third party search firms, internet searches, qualification and license checks, checks on Politically Exposed Person (PEP) and sanctions lists, and reference checks. Thereafter, this information must be evaluated and any Red Flags which may appear must be cleared. If additional information is needed or points clarified, Corley emphasized that now is the time to do it and not wait until later in the process.

Step 5: Yes or No? And Then What? This step is really two parts. In the initial analysis you will need to determine who the ultimate decision maker will be in your organization. It may be someone in the compliance or legal department; it may be someone in the relevant business unit or a senior officer in the company. If the decision is made by a non-compliance or non-legal company representative, there should be a compliance opinion on whether the third party has met your internal company criteria. Finally, do not forget the three most important things about your FCPA compliance program: document, document and document the entire process.

Also included by Corley in his Step 5 is post approval. It begins with the FCPA compliance terms and conditions as a basis. He noted that you should have an annual certification of FCPA compliance by your third party. He said that you should also require training which could take a variety of forms such as training put on by your organization, a mandated third party vendor or other trusted source. Lastly, Corley said that you should update due diligence at regular intervals, which he suggested should be no less than every two years.

The Kroll Report suggests that third party risk remains a significant concern for the compliance practitioner. Corley’s five-step program offers a clear guide about how one company tackled this difficult issue. However, Corley emphasized that it is not form over substance; you must use and evaluate the information you receive and build your compliance programs around your risk; not try to ram your risks into your compliance program. So, unlike Montag in Fahrenheit 451, you may not have to become a full book in your role as the compliance specialist but you can certainly reference Corley’s five-step program in your company’s compliance calculus.


June 7, 2012

Integrating Your Compliance Risk: Where the Rubber Meets the Road

In listening to companies discuss compliance in the areas of anti-corruption under the Foreign Corrupt Practices Act (FCPA), anti-money laundering (AML) or export control, one of the things that has consistently struck me is how siloed each of these groups invariably is within their company. Not only does this deny a company the ability to share a wide variety of talent and experiences, it can lead to the concept of what authors Robert Kaplan and Annette Mikes call the “functional trap” of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review, entitled “Managing Risks: A New Framework”, they declare that good risk discussions must be integrative in order for risk interaction to be evaluated. If not, a business “can be derailed by a combination of small events that reinforce one another in unanticipated ways.”

The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect which can lead to a lack of discussion by a wide group regarding a number of risks, for example compliance risk; reputational risk; brand risk; credit risk; human resources risk are but a few of the types of risks mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to “anchor their discussions in strategic planning, one integrative process that most well-run companies already have” in place.

I. VW do Brasil Risk Management Strategy

The authors cite to the example of Volkswagen do Brasil (VW) and the techniques used by its risk-management unit. Initially, the VW risk management unit uses the company’s overall strategy map as a starting point for internal discussions around risk. For each objective that the company sets, the risk management group identifies risk events which might cause the company to fall short of its objectives. Based upon this risk profile, the group creates a “Risk Event Card” for each risk on the strategy map, “listing the practical effects of the event on operations, the probability of the occurrence, leading indicators and potential actions for mitigation.” From this Risk Event Card, the risk management group creates a “Risk Report Card” which is a tool used to present and convey high level information to senior management within the company.

A. Risk Event Card for the Objective of a Smoothly Functioning Supply Chain

Strategic Objective: Guarantee reliable and competitive supplier-to-manufacturer processes

Risk Event: Interruption of deliveries

Outcomes: Overtime; Emergency freight; Quality problems; Production losses

Risk Indicators: Critical items report; Late deliveries; Incoming defects; Incorrect component shipments

Likelihood/Consequences: grid with both axes scaled 1 to 5; X marked in row 3

Management Controls: Hold daily supply chain meeting with logistics, purchasing, QA; Monitor suppliers’ tooling to detect deterioration; Risk mitigation initiative: Upgrade suppliers’ tooling; Risk mitigation initiative: Identify key supply chain executive at each critical supplier

Accountable Manager: Mr. O. Manuel, director of manufacturing logistics

From this Risk Event Card, the risk management group will next create the Risk Report Card. It is organized by strategic objectives and allows senior management to see at a glance “how many of the identified risks for each objective are critical and require attention or mitigation.”

B. Risk Report Card For Satisfaction of Customer Expectations

| Strategic Objective | Assessed Risks | Critical Risk | Trend |
|---|---|---|---|
| Achieve market share growth | 4 | 1 | Flat |
| Satisfy the customer’s expectations | 11 | 4 | Upward |
| Improve company image | 13 | 1 | Flat |
| Develop dealer organization | 4 | 2 | Flat |
| Guarantee customer-oriented innovations management | 5 | 2 | Downward |
| Achieve launch management efficiency | 1 | 0 | Flat |
| Increase direct processes efficiency | 4 | 1 | Flat |
| Create and manage a robust production volume strategy | 2 | 1 | Downward |
| Guarantee reliable and competitive supplier-to-manufacturer processes | 9 | 3 | Flat |
| Develop an attractive and innovative product portfolio | 4 | 2 | Downward |

II. Risk Oversight Approach

The authors caution that beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discuss the experience of the Indian IT company, Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company’s risk profile coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.

All three of the components identified by the authors are relevant for your compliance program. Just as it is important to perform due diligence on third party representatives, before execution of an appropriate contract; the real work is in managing the relationship. In risk management, you must identify and assess the risk but the real work begins in managing the risk. This is where the rubber meets the road.


May 24, 2012

JP Morgan and Risk: Mission Creep, Mission Expansion, Mission Explosion

In an article in today’s Financial Times (FT), entitled “JP Morgan shows the futility of fighting complexity”, Sallie Krawcheck posited that the JP Morgan trading loss demonstrated that regulators are fighting the wrong battle regarding risk. She believes that the main reason for the problems engulfing JP Morgan was that the size and complexity of the company’s trading positions were so great that the company is still coming to terms with just how large the loss will be and how JP Morgan can unwind itself from those trading positions.

She believes that one of the solutions would be for regulators to “turn their attention to the issue of understanding how much risk the banks are taking in total, fixing measurements of risk that have fallen short and then making certain that banks have enough capital to support that risk.” However, she also warns that if a bank’s risk assessments are “unable to keep up with the complexity of certain types of trades [such as the ones at issue] or sub-businesses, then the activities should not be allowed in a regulated banking entity. Full stop.” [emphasis mine]

Her article brought up one of the ongoing battles that I continually fought as an in-house counsel, both in my transactional attorney role and compliance professional role and that battle was Mission Creep; leading to Mission Expansion; leading to Mission Explosion. In the transaction world, this would occur when parties contract for the provision of specific services or specific goods and then the contract is used as a basis for a completely different product or service. So if my client provides engineering services, there will be terms and conditions appropriate for a services contract. These terms could spread or assign risk to one party or the counter-party through such clauses as warranty, indemnity, limitation of liability, confidentiality and insurance. However, if the relevant business units of each party then decided to use the contract for the purchase of raw products the scope of the contract has changed or Mission Creep has begun. If the client then asks for the engineering services company to lead the fabrication of the raw materials we have sped up to Mission Expansion. If this Creep and Expansion continue for any length of time, we will move to Mission Explosion.

The risks which were agreed upon for services work are far different for the purchase and delivery of goods. The risks are even more divergent if fabrication of the products is required. These changes in risks can affect the risk management clauses detailed above. A services warranty is usually quite different from a product or even Original Equipment Manufacturers (OEM) warranty. If an indemnity is fault based, are products purchased under a contract which covers engineering services only? What about your limitation of liability – is it limited to the value of the contract, and what if the entire system fabricated under the contract crashes, burns, injures or kills someone? What about Intellectual Property (IP) indemnity for goods and products vs. services delivered? The list of questions is almost endless.

In the compliance world this Mission Creep, Mission Expansion, Mission Explosion trichotomy plays out when a company moves into a new geographic area or product line. Have the compliance risks been adequately evaluated? Have they been evaluated at all? Perhaps more importantly has the relevant business unit communicated to the Compliance Department these new initiatives so that the compliance risks can be assessed?

The failure by JP Morgan to properly assess its risk or use risk intelligence correctly may have indeed had its genesis in the complexity of the trading positions the company was taking. But Krawcheck’s article pointed out that it is not simply complexity which can lead to failure in the assessment and management of risk. In JP Morgan’s case, it may be that one step on the Mission Creep continuum led to more steps of Mission Expansion, which inevitably led to Mission Explosion. But, whatever the reason, I think one of the clear lessons from the JP Morgan debacle is if your risk assessment cannot determine what your risk is or your risk intelligence cannot evaluate your risk assessment in a meaningful way, you need to slow things down until you can do so. Or as Sallie Krawcheck said: Full Stop!


May 23, 2012

Assessing Risk? ethiXbase is an Invaluable Tool

Most compliance practitioners have gotten the message that a risk assessment should inform the creation of, or enhancements to, your Foreign Corrupt Practices Act (FCPA) or Bribery Act anti-corruption compliance program. But just say that you are a Compliance Officer and the Chief Compliance Officer (CCO) comes into your office and tells you that the company wants to look at going into China to either manufacture a key component of your company’s most valuable product or go into Russia to sell a new product line. The CCO would like you to do a risk assessment from the anti-corruption/anti-bribery perspective. You cannot go to outside counsel or an outside expert. Faced with this problem, what might be the best single resource for you to begin this research?

Put another way, what is the best one-stop database site for anti-corruption and anti-bribery on a worldwide basis? I think that the answer will lead you to one resource that I would suggest you take a very hard look at, and that is ethiXbase.com. The reason – it simply has a breadth and scope that cannot be matched.

The database has five tabs which allow you to research in a wide variety of areas. In addition to the individual tabs, details of which are listed below, you can set notifications for email alerts. You should also note that the site is updated on a daily basis. The specific information includes the following:

Dashboard

This tab allows you to set any of the BRIC countries (Brazil, Russia, India and China) as a default country. From this setting you will receive information on the latest actions in the country; the latest FCPA enforcement actions related to the country you have selected; enforcement statistics and trends; and a summary of legislation relating to anti-corruption, translated into English. This tab also provides general statistics on the country such as population, capital and elected federal officials.

FCPA Index

This tab provides a simply breath-taking scope of information for the compliance practitioner. Every FCPA enforcement action and publicly announced on-going investigation is available to you in a searchable database. The ease of use is outstanding. There is information on Federal register, federal agency, public laws, and Congress bills related to the FCPA and, finally, there are risk factors disclosed by companies around the world in all of the above. Amazingly, this database is updated on an hourly basis so you have the most up-to-date information available.

Global Index

This database is equally broad in scope to the FCPA Index but set up for the entire world. Pick any country and you will immediately have access to anti-corruption legislation and the applicability of the Organization for Economic Co-operation and Development (OECD) and United Nations Convention against Corruption (UNCAC). You will find OECD reports as well as other Non-Government Organizations (NGOs) such as the International Monetary Fund (IMF). There is also an index of ancillary laws such as privacy laws and anti-money laundering legislation in each country.

Law Firm Memos

For any compliance practitioner, this resource is simply fabulous; it houses the best legal Memos from the best law firms in the world. It is a database of more than 1,000 client alerts and white papers from firms specializing in compliance issues. It is searchable by law firm name, topic and title. You can set up customized watches or bookmark specific memos.

News

Last, but certainly not least, is the News section. This features news in the following categories: Home, News Home, Featured, Africa, Middle East, Europe, North America, Central-South America, South East Asia, Australasia, South Asia and Central Asia. Why is this so important? It can keep you abreast of the most current anti-corruption and anti-bribery news across the globe. More importantly, if an issue or matter pops up in your industry or a geographic region in which your company does business, you will know about it and can be prepared to review it internally. It is a great way to understand how and where the Department of Justice (DOJ) is using its investigative resources.

So how does all of this relate to your assigned task? ethiXbase allows you to research the relevant laws of each jurisdiction that you wish to enter. You can also review all FCPA enforcement actions to determine if your sales model may be similar to any companies which have run afoul of the FCPA. The Law Firm Memo section will give you the underlying legal basis to support your findings. With the Dashboard you can set up the email notifications for any new legal enforcement actions, Memos or news for the country or countries that you need to follow closely. Lastly, the News section will allow you to keep abreast of the reported information for each country.

I have thoroughly reviewed ethiXbase and use it in my compliance legal practice. You should as well.


May 8, 2012

Sherlock Holmes and Principle 6 of an Adequate Procedures Compliance Program

I am a big fan of Sherlock Holmes, on radio, television and the movies but particularly in print. Last summer I re-read the Doyle collection and it was like revisiting an old friend. So today, we celebrate the story of the “The Six Napoleons”. In this story, an apparent thief is breaking into private residences and commercial establishments to seemingly smash statuettes of Napoleon. While the slow thinking police think that a rabid Francophobe is terrorizing the Francophiles of London, Holmes sees something very different and indeed much more sinister. It turns out that a very hot, stolen jewel was hidden in one statue of many which were then sold so the jewel thief has to find the correct statuette to find the stolen jewel. Holmes, of course, deduces this and catches the thief.

This leads into the conclusion of my series on the Six Principles of Adequate Procedures under the UK Bribery Act, with Principle 6 – Monitoring and Review. This Principle recognizes that a company should monitor and review its anti-bribery and anti-corruption procedures designed to prevent bribery by persons associated with it and make improvements where necessary. Indeed the Guidance from the British Ministry of Justice (MOJ) relates that “The bribery risks that a commercial organisation faces may change over time, as may the nature and scale of its activities, so the procedures required to mitigate those risks are also likely to change. Commercial organisations will therefore wish to consider how to monitor and evaluate the effectiveness of their bribery prevention procedures and adapt them where necessary. In addition to regular monitoring, an organisation might want to review its processes in response to other stimuli, for example governmental changes in countries in which they operate, an incident of bribery or negative press reports.”

Generally, I believe there are two strategic reasons to follow Principle 6 of the Guidance. The first is that the only way to know if your compliance program is effective is to test it. The second is that changes in your business model, market conditions, legislation or other external events could increase your anti-bribery and anti-corruption compliance risk well beyond the risks that your compliance regime was intended to manage when it was initially designed and implemented. I find that a compliance assessment is becoming of greater importance to achieve a minimum best practices compliance program. Representatives of the US Department of Justice (DOJ) talk about such a concept in terms of a risk assessment but the precepts are the same. A company needs to assess its program and its effectiveness on a regular basis so that it does not become stale.

Procedures

The Guidance recognizes that there is a wide range of internal and external review mechanisms available for a company to use when assessing its compliance program. As for ongoing evaluation of effectiveness, the Guidance notes that “systems set up to deter, detect and investigate bribery, and monitor the ethical quality of transactions, such as internal financial control mechanisms, will help provide insight into the effectiveness of procedures designed to prevent bribery.” Some of the specific techniques which can be used include staff surveys, questionnaires and feedback from training. All of these can also provide an important source of information on effectiveness and a means by which employees and other associated persons can inform continuing improvement of anti-bribery policies. Continuous controls monitoring is becoming another tool for companies to use in their ongoing compliance program. Witness the recent statements by the DOJ in its declination to prosecute Morgan Stanley for the acts of its former Managing Director, Garth Peterson.

The Guidance also speaks to more formal periodic reviews and reports for top-level management. I would suggest that an annual risk assessment is one mechanism which should be used by companies. The Guidance further suggests that businesses could also draw on information on other similarly situated companies’ best practices, for example relevant trade bodies or regulators might highlight examples of good or bad practice in their publications. Once again the DOJ has provided solid guidance in this area by listing several of the areas in which it believes that a company should assess its anti-bribery and anti-corruption risks. These include: (1) Geography – Where does your Company do business?; (2) Interaction with types and levels of Governments; (3) Industrial Sector of Operations; (4) Involvement with Joint Ventures; (5) Licenses and Permits in Operations; (6) Degree of Government Oversight; and (7) Volume and Importance of Goods and Personnel Going Through Customs and Immigration. In addition to using this information to inform your compliance program, your company can also use such information to update its compliance program in today’s ever-changing business environment.

Lastly, the Guidance directs that companies should also avail themselves of some form of external verification or assurance of the effectiveness of anti-bribery procedures. The Guidance says that “Some organisations may be able to apply for certified compliance with one of the independently-verified anti-bribery standards maintained by industrial sector associations or multilateral bodies. However, such certification may not necessarily mean that a commercial organisation’s bribery prevention procedures are ‘adequate’ for all purposes where an offence under section 7 of the Bribery Act could be charged.” While there are no universally recognized standards that I am aware of, many third parties can come in and provide an independent assessment of a company’s overall compliance program.

So we end our series on the Six Principles of an Adequate Procedures anti-bribery and anti-corruption compliance program with this memorable quote from the Sherlock Holmes story “The Sign of Four”, “How often have I said to you that when you have eliminated the impossible, whatever remains, however improbable, must be the truth?” This would seem to place the exclamation point on Principle 6; if you fairly and adequately assess your compliance program, you can not only determine its effectiveness but also help to enhance your compliance regime going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012
