FCPA Compliance and Ethics Blog

January 21, 2014

The Culinary Aspects of Homer’s Odyssey and Compliance Training


I recently came across a fascinating book entitled “The Meaning of Meat and the Structure of the Odyssey” by Egbert Bakker. In this work, Bakker looks at the culinary aspects of Odysseus’ journey home from the Trojan War. Peter Thonemann, writing in the TLS, said that “Bakker’s book is a powerful illustration of the importance of food and culinary practices to past society.” In other words, the eating habits could be used to not only understand the past but also perhaps train those in the present about the “wider moral culpability” found in Homer’s work.

I thought about this different way of learning as I was reading a recent article by the Open Compliance and Ethics Group (OCEG) President Carol Switzer in the Compliance Week magazine, entitled “Playing the Game of Risk in Workplace Education”. Her article was coupled with a roundtable discussion of the subject and another in the OCEG, GRC Illustrated Series entitled “Risk-Based Education and Training”.

In the article, Switzer reminds us “one size does not fit all in deciding the content and intensity of training needs for each role or individual”. Recognizing that it all starts with a risk-based analysis of who needs the training is just the start. Switzer believes that by engaging employees in the training, it can become more effective. She looks to the world of gaming when stating that, “Well-designed games encourage engagement, and more engagement means more reinforcement, and that leads to better recollection and application of the information. Situational decision making drives the player to think, not just act. Making wrong choices and seeing the consequences leads to desire to act the right way and gain rewards, be it advancing to the next level of the game, earning a prize for success, or understanding that in the real workplace world the reward may be achievement of personal and organizational objectives.”

In her roundtable, she posed the question, “How do you suggest companies decide on the appropriate amount of training?” Earl Jones, Shareholder at Littler Mendelson PC, responded that a company needs to evaluate where its risks are, “If the company is betting on international expansion, then intensive anti-bribery and corruption intensive training is a necessity for key employees. Also design training to build and protect sources of value. If an intangible asset, like a brand, is an important source of value, thoroughly train employees to identify, understand, and react to events or behavior that could impair the brand.”

When it comes to the scope and style of training, Steve Perreault, Global Head of eLearning GRC for Thomson Reuters, suggested you should assess your training by employee groups. You should “Understand things like: How likely is a group of employees to participate in activity that is related to a particular regulatory area? How complex is that regulation? What controls are in place already? Is this employee group responsible for making sure others comply with policies and regulations? You also have to consider what you will need to provide to evidence to regulators and courts that the program exists and is effective. Once you get that figured out, you must ensure that you stay on top of changes in legislation and enforcement, and revise policy, procedures, and training accordingly.”

Switzer next turned to measuring the effectiveness of training and how a company might determine this. Alisha Lynch, Global Ethics and Compliance Education Leader at Dell Inc., said, “Determining the scope and style of training should have several input sources.  Most organizations have three- to five-year strategic plans, and training programs should be designed to support those plans and initiatives. One good analogy is that a training initiative should be like a physical fitness regime. You cannot exercise the same muscle every time to make significant improvements, and you cannot ignore the diet. A culture is like a diet. If the organization designs and delivers great training but the culture is toxic, probably no improvement will be made.”

The GRC Illustrated Series piece suggests that companies take a risk-based approach to provide appropriate levels and types of training and education to different individuals across the organization. Some of the factors it suggests you review are the role of the individuals, geography, and their level of exposure to particular risk areas. Such an approach moves away from the ‘tick-the-box’ approach that generally renders such compliance useless. It also helps to ensure that there is a more effective use of budgetary resources by focusing training efforts to maximize the return on the investment. The piece advocates a three-pronged approach.

Define

The first step is to define what you are trying to achieve. The piece recognizes that “while some organizations limit their training programs to what is legally required, more successful ones know that there are many reasons for developing a thoughtful, well-designed approach to employee education.” It puts forward that if training is done right, it will help the organization to achieve several goals. These include: meeting business objectives; managing threats and business opportunities; addressing change in a positive manner; helping to ensure integrity and the company’s reputation; strengthening the business’s culture and ethical conduct; and, lastly, providing evidence that the company has complied with legal requirements such as the US Sentencing Guidelines and the Ten Hallmarks of an Effective Compliance Program.

Design

The next step is to design the training program. This is further broken down into three steps, which drill down into the specifics of training. By using these three steps, you can help to assure that the training will be effective not only for the individual but also for the nature of the risk involved.

The first is to design the training program. Steps include the development of curriculum using a risk-based model. You should set uniform methods for acquiring content, maintaining records, and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Finally, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who is your audience and what their characteristics might be. You need to ensure that the content is timely and the instructors are effective. Finally, you will need to determine not only the most appropriate mechanism to deliver the content but also define the key performance indicators and determine methods to audit them.

The final design level is the individual’s training plan. Here you need to analyze what the person’s role is within the organization and use this to determine mandatory and risk-based training needs. You will need to consider modifying the risk profile based upon assessments given before and after the training is delivered and then adapt the training as an employee’s role and risk profile change within an organization.

Deliver

For the delivery of the training materials, they also have a tripartite scheme. They break it down into high-risk exposure roles, medium-risk exposure roles, and low-risk exposure roles.

  • High Risk Exposure Roles – are defined as those employees whose roles in an organization can significantly impact the company. Here expert subject proficiency is demanded and individuals should be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements, and penalties. Training may be repeated frequently using several methods of delivery, have greater assurance through testing and certification of course completion, and include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises.
  • Medium Risk Exposure Roles – are defined as those employees who face risk on a regular basis or present a moderate level of negative impact to a company if they mishandle the risk. These individuals should know the risks, requirements, and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. Training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, and have methods to prove evidence of understanding.
  • Low Risk Exposure Roles – are defined as those employees with a low likelihood of facing the attendant risk. Persons in this category should be made aware of the risks, requirements, and penalties, as well as the organization’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

As with all areas in an anti-corruption compliance program, Switzer and the OCEG suggest that you monitor and audit your program so that you can review it and improve as circumstances warrant. I would add that you should also Document, Document and Document what you are doing for the same reasons. Just as Bakker’s new look at the culinary aspects of the classics can provide new insights into interpretation, it also shows the training that was written into Homer’s Odyssey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

June 10, 2013

The Business of Successful Transformation

Ed. Note: today we have a guest post from our colleague Tim Aikens, which originally appeared on Tim’s website, Azarel.com.

This month I have chosen a couple of topics that most of us come across at some time in our career.  The toxic culture – being in an organisation that clearly has little or no moral compass.  Secondly how do you tell your boss he or she is wrong? Nobody is perfect, but the boss will often think they have a divine right to be . . Right!

Read on . . . . .

Toxic Corporate Culture – What is it and does it really matter?

A couple of months ago an article in the BBC internet news caught my attention: – ‘Australia London 2012 Olympic swim team ‘toxic’. The first paragraph read ‘Australia’s Olympic swimmers existed within a “toxic” team culture that led to bullying and misuse of prescription drugs, a report has found.’  The inference was that this culture had contributed to the poor performance of the team at the Olympics.

In a world where competition is increasing and becoming more global, a corporation will need to use every tool available to gain competitive advantage.  This would include having a ‘good culture’.  But all too often the drive for success leads to the opposite.  I googled toxic culture and was amazed to find a plethora of learned papers and news articles about the topic.  The issue would seem to be big and important.  But what is a ‘toxic culture’ and does it really matter?  I believe there is such a thing and long term it can destroy an organisation.

Firstly it is important to summarise what we mean by a ‘toxic corporate culture’.

A few extreme examples in recent history of toxic cultures are Enron, Tyco and WorldCom.  Others might include News International and Lehman Brothers. Some have imploded in a spectacular manner, others are still very successful. The single most common feature in all of them is the desire for financial success at almost any cost. Put more simply – greed – especially at the higher levels in the organisation.  There are other signs that appear to be common – bullying, lack of transparency, a closed circle of influence at the top, words (in the sense of written values or behaviours) not matching actions, placing unreasonable demands on staff (from hours to how they are expected to treat others), a win lose style (i.e. my gain is your loss – lots of internal competition).  There are many others, but from a review of the literature these are the main signs.  You might see one or more in your organisation; none are perfect, but when you begin to see a theme, it’s time to change something or move on.

Many organisations will exhibit some of these traits somewhere and some may be tolerated – the perpetually angry boss, a ‘long hours culture’, or one where rules are regularly ignored or abused.

Does it really matter? So what if life is hard at the workface?  Some staff members may be happy to be workaholics; others may enjoy the competitive aspects of a zero sum game when it comes to sales. As long as the company remains profitable and stock price keeps going up why worry?  At this point the question becomes partly ethical and partly business.  A leader might say I have to treat my staff this way in order to get results, others (both staff and workforce) might know no other way.

My view on the ethical side is yes, it really does matter.  How can we tolerate this kind of behaviour yet admonish other nations for corruption and slave labour?  It is perfectly possible to run a business well without even small amounts of toxicity.  A quick review of the Sunday Times Best Companies to work for will show that not only are they good places to work, but that they are also successful.  At an individual level, who believes that they will be more productive long term in a toxic environment?   A couple of years ago I read a great book entitled ‘The No Asshole Rule’.  The author is passionate about civilised workplaces and believes that they can be achieved and boost performance.  An organisation full of ‘assholes’ has to be toxic. The book is a wonderful antidote to this even if a little tongue in cheek at times.

From the business perspective the answer ought to be clear.  There is no long term future for a ‘toxic’ organisation as Enron and others have demonstrated.  Yet there are many businesses that have a reputation (deserved or otherwise) that are still doing business with little or no pressure to change (yet).  Most of them manage to keep the toxicity under control, whether it is the way they treat staff or the products they sell.  In many cases they are tolerated because the public likes what they make or do, or because the product is cheaper.

What to do?  You work for a company that expects long hours and pays poorly.  If you quit another job may be hard to come by.  You are a partner in a big firm that makes a lot of money, but there are some questionable practices.  Leaving means a big drop in salary.  For the hard pressed employee it is often a matter of comfort.  Can you stick it out and continue to work in an organisation that behaves so poorly?  For others it is a matter of conscience.  Is the way this organisation operates right, ethically and morally correct?  There are lots of books and articles that tell you how to deal with a toxic culture.  None of them will work if the leaders do not change and make a decision to operate their organisation in a morally, ethically and socially responsible manner!

What do you do when your boss is wrong?

Who would you rather tell that they had made a mistake and were wrong over something – Lord Alan Sugar or Sir Richard Branson?  They are very different characters and how you might approach them over an error might be very different. Some people are simply more approachable than others.  But move away from the character and ask the bigger question, how do you tell your boss when they are wrong?  There are two issues at stake in this situation.  Firstly, your relationship with your boss and your career – the consequences of handling the situation wrongly.  Secondly there is the business.  What are the implications for the business if the error is not taken on board and corrected?  When the boss is wrong – and you know it, it can be quite an emotive time.  Decisions can be made more through the heart than the head.  The direct approach may not always be the right one.  Here are a few things to think about before raising the ‘error’.

The situation.  If your boss is talking about how many times a football team has won the league and you know he is wrong, what is the impact on the business?  In a social setting he or she might be quite happy to be corrected or not (see next comment).  If the error has no impact on you or the business consider letting it slide.  What value do you add to a relationship by telling your boss he is wrong!

The other side of ‘situation’ is the environment.  If you are in a meeting, telling your boss he is wrong may not be a good idea.  In some societies (e.g. China) this loss of face is a big issue.  If the boss is wrong and it needs correction consider an indirect approach (see comment 3) that allows him to save face and you are not seen as the ‘bad guy’ who made his boss look bad.

The boss.  I have worked for just about every kind of boss there is.  Their personal nature and style are key to the approach you take:

  • Big ego.  Be very careful.  Do not say anything in a public setting unless really forced to. E.g. his error could impact a major business decision about to be made.  If possible, correction should be offline and in private.
  • Consensus Manager.  You are probably OK to deal with this upfront, but be careful about the words you use.
  • Sensitive Manager.  These people are often quite happy to be told they are wrong in private, but fall apart and can react out of character if confronted in a more public setting.  The language has to be very carefully chosen.
  • The grandstander.  Usually someone who wants to make a big impact.  If you announce the error he would look bad, if you don’t he could make a fool of himself, as well as lead to a poor decision. They often have big egos as well so treat them in the same way.

Recognising the type is an important first step, and of course it always pays to understand your boss in any job.

The approach.  How do you approach the situation and what do you say?  From the comments above it is obvious that there is no one right answer.  However there are some guidelines that will help:

Think first!  The old saying, ‘engage brain before opening your mouth’ is universally true.  Think about three things. Should I actually say something, what should I say and how do I say it?  Examine your motives.

Style. You can go for the open and honest approach, but as noted above that may not always be best (for you or the person in error).  There are other ways:

–  the evidence approach e.g. ‘I understand your viewpoint, but have you considered . . .’. You are not actually saying the boss is wrong, but introducing new evidence and giving him or her the chance to change their mind.  However, with this approach make sure you really have good evidence supported by numbers.

–  use dialogue.  Rather than say ‘you are wrong’ start some dialogue and get into a debate if circumstances allow.

–  be positive and supportive.  You are there to support your boss not see them fail.  Make sure you say something positive and supportive as you open a debate.

–  get the boss to explain.  Rather than state what you might think is obvious, get the boss to expand on their viewpoint.  This gives you and others opportunities to move into debate.

Words.  Be very careful about the words you use.  Avoid clichés like ‘with respect’ (which usually means with no respect), or ‘as you know’, or ‘I hear what you say’.  These and many others will be interpreted for what they are – a precursor to saying or implying you are wrong!  Try and use ‘yes AND’, not ‘yes BUT’.

———————————————————————————————————————————————————————-

Tim Aikens is the founder of Azarel, a consultancy which helps companies manage transformation and change. He can be reached at tim@azarel.com

———————————————————————————————————————————————————————


January 21, 2013

The Tube and Updating Your Compliance Policies

2013 is the 150th anniversary of the London Underground, affectionately known as “The Tube.” It truly is one of the great urban architectural marvels of all-time. The oldest sections of the London Underground completed 150 years of operations on 10 January 2013. The Underground serves 270 separate stations and has 250 miles of track, 45% of which is underground. In 2011, it served over 1.2 billion riders but, like any transportation system, it has to be evaluated and upgraded. For my money, the most useful upgrade would be to air condition the cars as they can become unbearably hot in the summer but that may not be on the top of Prime Minister Cameron’s list about now.

I thought about this auspicious anniversary and maintenance of the London Underground when I read a recent article in the Compliance Week magazine by Michael Rasmussen, entitled “Improving Policies Through Metrics”. Rasmussen believes that effective policy management requires that a company periodically review its policies to ensure that they are relevant and aligned with both current laws and corporate objectives. This is because today’s business environment is dynamic and involves both internal and external factors, so, consequently, as a company evolves and changes, its policies need to be updated to reflect these changes.

One of the key components of any best practices compliance regime under any anti-bribery and anti-corruption program is policies. Policies tie together a company, its business environment, the risks it faces and the compliance requirements. Policies are a specific requirement for any anti-corruption/anti-bribery compliance regime. In the recently released Department of Justice (DOJ) Guidance on the Foreign Corrupt Practices Act (FCPA), it stated, “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” Under the UK Bribery Act, policies are discussed in the Six Principles of an Adequate Procedures compliance program under Principle V – Communication, where it states “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.”

While I think that most compliance practitioners understand this need for policies, one of the things that is not usually emphasized at a company is effective policy management. One technique which can be used is to elevate the policy function to the senior management level. One of my former employers, Halliburton, did this when it created a Vice President for Policies back in 2006. So kudos to Halliburton for leading the industry by creating the position of Vice President for Policies.

Rasmussen believes that at a minimum, policies must be reviewed annually. He recommends that each policy should go through a yearly review process to determine if it is still appropriate. There should be a “system of accountability and workflow that facilitates” any policy review process. The end product should be a decision to “retire the process, keep the policy as it is, or revise the policy.” Rasmussen lists five items that a policy owner should evaluate as a part of the policy review process.

  • Violations. Here Rasmussen believes that information from reporting systems such as hotlines or other anonymous lines as well as internal or external investigations must be reviewed. Not only would such information indicate if a company policy was violated but the follow-up investigation would help to determine how the policy might have failed, whether it was through “lack of awareness, unauthorized exceptions [or] outright violations.”
  • Understanding. Here Rasmussen writes that there should be an analysis of “training and awareness programs, policy attestations” and attendant metrics to determine an appropriate level of policy understanding. He believes that questions to a helpdesk or compliance department could help to discover any ambiguities in a policy that might need to be corrected.
  • Exceptions. If you have a policy it should be followed. If an exception to a policy was granted the reason for the exception should have been documented. If there are too many exceptions granted for a policy, it might indicate that “the policy is inappropriate and unenforceable” and therefore should be revised.
  • Compliance. A policy should govern and authorize internal controls. These internal controls should be reviewed in conjunction with the policy review to determine overall policy effectiveness. This is because “At the end of the day the policy needs to be complied with.”
  • Environment. All the factors around a policy are in flux. This includes a company’s risk profile, its business strategy, laws and regulations. Since a business’ climate is dynamic, a policy should be reviewed in the context of a company’s overall situation and revised accordingly.

If there is a change in a policy it is important that not only the correct change be made but that any change is documented. An audit trail is a key component for a company to internally understand when a change is made and the reason for that change but also to demonstrate to a regulator effective policy management and to present “a defensible history of policy interactions on communications, training, acknowledgements, assessments and related details needed to show the was enforced and operational.” This audit trail should include “key data points such as the owner, who read it, who was trained, acceptance acknowledgements and dates for specific policy versions”. In addition to an audit trail, policy revisions should be archived for referral back at a later time. So, once again, the key message is document, document and document.

Just as best practices in the FCPA compliance arena evolve, so do business practices, markets and risks. If you throw in the complexities from an inter-connected global business milieu, the task becomes even tougher. Business policies are one of the keystones of a company’s communications to its employees on what it expects and what is required of its employees. To keep policies up-to-date and properly take advantage of this valuable tool, policies need to be evaluated and updated as appropriate. If your company fails to do so this takes away from the value of having policies in the first place. I hope that you will use the techniques which Rasmussen has described to help you effectively manage your policies going forward.


© Thomas R. Fox, 2013

September 9, 2012

The Five Essential Elements of a Corporate Compliance Program – Part II

Tuesday morning, at the University Club of Chicago, Stephen Martin and I will co-present at a Foreign Corrupt Practices Act (FCPA) event hosted by Kreller. If you are in or near Chicago, I hope that you can join us for this presentation. The title of our presentation is “Anti-Corruption/FCPA Developments & Best Practices” and we will focus on a concept that Stephen and his partners at the law firm of Baker & McKenzie have developed which are five essential elements of a corporate compliance program. In Part I, I discussed the background to the development of the five essential elements. In today’s installment, Part II, I will detail the remaining elements in the five elements of an essential compliance program.

III. Standards and Controls

Generally, every company has three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

IV. Training

Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice’s (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.

There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company’s high-risk markets, then expand geographically and through the ranks of employees.

Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.

It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.

Thirdly, you should tailor your training to each country. This means that employing a generic script for compliance training is a mistake. To be effective, training programs should be customized by region, country, industry, areas of compliance and types of employee. In addition to Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and OECD guidelines, focus on compliance risks in the country where the employees being trained are working. For example: In China, address the many corruption risks involved in dealing with state-owned entities.

V. Oversight – including monitoring, auditing and responses

The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. Two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally, the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

Finally, as was emphasized again with the recent Pfizer Deferred Prosecution Agreement (DPA), your company should establish protocols for internal investigations and disciplinary action. The Pfizer “Enhanced Compliance Obligations” included the following on investigative protocols: (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training; (b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures – including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently – in place to make sure every investigation is thorough and authentic.

Finally, and consistent with Stephen Martin’s Baker & McKenzie partner Paul McNulty’s Maxim Three (What did you do about it?), there are your remediation efforts. Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if companies are policing themselves on compliance-related issues, the government won’t have to do it for them. Remediation, then, is an important component of oversight. If your company’s sales force in Thailand is engaged in potentially improper activity due to a lack of adequate training, remediate the deficiency and schedule that training now. In the end, it’s not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

Stephen Martin and the Baker & McKenzie team have put together an excellent resource for the compliance practitioner in their five essential elements of a corporate compliance program. I hope that you can attend our FCPA event this week. For those of you who cannot attend in person, you can email me for the slide deck and other materials after the event.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

May 15, 2012

Letter to Cicero – Lesson for the Compliance Practitioner from the Roman Republic

Most people will recognize the name Cicero as that of one of the greatest orators of the Roman Republic. In 64 BC he ran for Consul and was elected, beginning his term in March, 63 BC. In this month’s issue of Foreign Affairs, the political strategist James Carville writes a commentary based upon a letter that Quintus Tullius Cicero (the younger brother) wrote to Marcus Tullius Cicero (the older brother and the one we remember as ‘Cicero’) about how to run a political campaign. Although James Carville uses the letter to discuss political campaigns, I found some interesting prescriptions for the (modern day) compliance practitioner.

Use Your Supporters

Cicero the Younger advised his older brother that “Few outsiders have the number and variety of supporters that you do.” I believe that the vast majority of employees want to do business in an ethical manner, compliant with whatever anti-corruption or anti-bribery law they might operate under, whether it is the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. This translates not only into employees who will follow the requirements of your company’s Code of Conduct and compliance program, but also into people who can help to sustain and grow your compliance program.

Work to Maintain the Goodwill of Your Supporters

Cicero the Younger also advised that his older brother provide helpful advice to his supporters and to also reach out to them by asking for their counsel in return. In the US Department of Justice’s (DOJ) 13 points of a minimum best practices compliance program, providing day-to-day compliance advice is a key component. Item No. 9 Ongoing Advice and Guidance reads in part:

The Company should establish or maintain an effective system for: a. Providing guidance and advice to directors, officers, employees, and, where necessary and appropriate, agents and business partners, on complying with the Company’s anti-corruption compliance policies, standards, and procedures, including when they need advice on an urgent basis or in any foreign jurisdiction in which the Company operates;

The DOJ clearly wants a designated person or persons available to provide compliance advice to company employees on a regular, as needed basis. But Cicero the Younger goes further by saying that providing such advice can cultivate and maintain goodwill. This is certainly true for the compliance practitioner.

Cultivate Relationships

The third point that Cicero the Younger advised his brother to engage upon was to “cultivate relationships” with key decision makers. These relationships will not only assist in winning the election but when the time comes for you to govern, these same relationships will assist you in educating people on your programs.

These three steps, as advised by Cicero the Younger, reminded me of a technique used by Leonard Shen, the Chief Compliance Officer (CCO) at PayPal. Shen said that in a company which is initiating its compliance program, it can be perceived as a change of culture. To alleviate some employee fears, he used an approach which worked to alleviate those types of concerns but had the additional benefit of providing enough information to perform a robust assessment which could be used to form the basis of an effective compliance program. He termed this type of approach as one to “engage and educate.” While the approach had a two-word name, it actually had three purposes: (1) to engage the employees in what would form the basis for an enhanced compliance program; (2) to educate the employees generally in compliance and ethical behavior; and (3) through the engagement of employees, to gather information which could be used to form the basis of a risk assessment.

A. Engagement

Shen and his compliance team traveled to multiple company locations, across the globe, to meet with as many employees as possible. A large number of these meetings were town hall settings, and key employee leaders, key stakeholders and employees identified as high risk, due to interaction with foreign governmental official touch-points, were met with individually or in smaller groups. Shen and his team listened to their compliance concerns and more importantly took their compliance ideas back to the home office.

From this engagement, the team received several thousand employee suggestions regarding enhancements to the company’s compliance program. After returning to the US, Shen and his team winnowed down this large number to a more manageable number, somewhere in the range of a couple of hundred. These formed the basis of a large core of the enhancements to the existing company compliance program.

After the enhanced compliance program was rolled out, formal training began. During the training, the team was able to give specific examples of how employee input led to the changes in the enhanced program. This engaged the employees and made them feel like they were a part of, and had a vested interest in, the company’s compliance program. This employee engagement led to employee buy-in.

B. Education

During the town hall meetings, and the smaller more informal group meetings, Shen and his team were doing more than simply listening, they were also training. However, the training was not on specific compliance provisions; it was more generally on overall ethics and how the employees could use compliance as a business tool.

As pointed out by another speaker at Compliance Week 2011, most ethical standards of a company are not found in an existing compliance program; they are found in the general anti-discrimination guidelines and ethical business practices, such as anti-competitiveness and use of customer confidential information prohibitions. Often these general concepts can be found in a company’s overall Code of Conduct or similar statement of business ethics; workplace anti-discrimination and anti-harassment guidelines can be found in Human Resource policies and procedures. Concepts such as anti-competitiveness and use of customer and competitor’s illegally obtained confidential information may be found in anti-trust or other business practice focused guidelines.

Shen and his team’s aim for the education component of “Engage and Educate” was to have the company’s employees start thinking about doing business the ethical way. It was ethical concept based training designed to be in contrast to a rules based approach, where employees believe they are taught the rules, and then try to see how close they can get to the line of violating the compliance rule without actually stepping over the line. Moreover, this general ethical business training laid the groundwork for the enhancement of the company’s compliance program and the training that would occur when the enhancement was rolled out.

It is often said in the legal profession that there are no new ideas. This may also be true in the compliance profession. However, there are innumerable resources from which the compliance practitioner can draw inspiration and the Letter to Cicero is certainly one.


© Thomas R. Fox, 2012

May 3, 2012

Henry V and Principle V of the Six Principles of Adequate Procedures: Communication

Henry V is a truly inspiring play. Whether one sees it on the stage or on the big screen with the 1944 Olivier or 1989 Branagh version, one cannot help but draw inspiration from the story of the former Prince Hal, from Henry IV, who becomes a regal monarch and leads the English army to a defeat of the French at the Battle of Agincourt. One of the things that Henry V does extraordinarily well is communicate: he conveys his goals and rouses his subjects to help achieve them. Today we use the prism of Henry V to look at Principle V of the Six Principles of Adequate Procedures, that being “Communication (including training)”.

I. Commentary

The Guidance for the Six Principles of an Adequate Procedures anti-bribery program states in Principle V that “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.” The Guidance recognizes that communication and training deter bribery by companies, their employees and those persons associated with them, by enhancing awareness and understanding of anti-corruption policies and procedures and the company’s commitment to their proper application. It therefore follows that making information available on legal requirements and obligations, and on the policies and procedures for implementing them, assists in more effective monitoring, evaluation and review of bribery prevention procedures. Anti-bribery training should provide, to company employees and those persons and entities associated with the company, the knowledge and skills needed to implement and utilize the anti-bribery procedures and handle in a satisfactory manner any bribery related problems or issues that may arise.

II. Communication

The Guidance begins by recognizing that the content, language and tone of communications for internal consumption may vary from external use in response to the different relationship the audience has with the company. Further, the nature of communication will vary enormously between businesses in accordance with the different bribery risks faced, the size of the business and the scale and nature of its activities.

a. Internal Communications

It all starts with ‘tone from the top’ but communications within a business need to also focus on the implementation of the company’s anti-bribery policies and procedures. The Guidance lists several areas which it believes such communication should provide instruction upon. These include company policies on “decision making, financial control, hospitality and promotional expenditure, facilitation payments, training, charitable and political donations, penalties for breach of rules and the articulation of management roles at different levels.” Another critical aspect of internal communications is the establishment of an ethics helpline. Such a helpline should be secure, confidential and accessible for both employees and those outside the company to elevate concerns about bribery on the part of associated persons, to provide suggestions for improvement of bribery prevention procedures and controls and for requesting advice. The Guidance calls such a tool a “Speak-Up Line” but whatever name it is given, it is clear that those both inside and outside a company need to be furnished with a secure, confidential and safe manner to report ethical concerns to an appropriate level of management.

b. External Communications

Just as risk assessment and due diligence on third parties form a critical component of an Adequate Procedures based anti-bribery corruption program, the Guidance also speaks to the need for external communication of bribery prevention policies through a statement or Code of Conduct, which should act as a deterrent to those intending to bribe on a business’s behalf. The Guidance relates that external communications can include information on bribery prevention procedures and controls, sanctions, results of internal surveys, rules governing recruitment, procurement and tendering. The Guidance also recognizes that businesses may consider it proportionate and appropriate to communicate its anti-bribery policies and commitment to a wider audience, such as other companies in their sector, trade association members and to organizations that would fall outside the scope of the range of its associated persons, or to the general public.

III. Training

Restating again the number one key to an Adequate Procedures anti-bribery compliance program, a company should develop its training protocol based upon a risk assessment. The Guidance recognizes that all employees should receive some training which is likely to be effective in firmly establishing an anti-bribery culture whatever the level of risk. This general level of training can be centered on raising employee awareness about the threats posed by bribery in general and in the industry in which the company operates in particular, and the various ways it is being addressed.

There should be mandatory, general training for new employees or for agents (on a weighted risk basis) as part of the employee indoctrination process, but it should also be tailored to the specific risks associated with specific posts. The Guidance indicates that a company should tailor its training to the special needs of those involved in any procedures and higher risk functions such as purchasing, contracting, distribution, marketing, and those working in high risk countries. It is important to note that for training to be effective it should be continuous, regularly monitored and evaluated.

The Guidance also suggests that associated persons undergo training. This will be particularly relevant for high risk associated persons. The better practice is to require such anti-bribery training as a part of compliance contractual terms and conditions and then provide such training to the highest risk third party representatives. But the Guidance does recognize that a company may wish to encourage associated persons to adopt bribery prevention training. If this is done, the training should be evaluated and appropriate records of business partner training be submitted to the company on no less than an annual basis.

The Guidance also recognizes that there are various media which can be used to deliver training. It lists some of the different training formats which are available in addition to the traditional classroom or seminar formats, such as e-learning and other web-based tools. However, a company should not lose sight of a risk based approach, so that those employees or third parties deemed the highest risk need to receive the most intensive training. Finally, whatever the format of the anti-bribery training, it should seek to achieve its objective of ensuring that those participating in it develop a firm understanding of what the relevant policies and procedures mean in practice for them.

So how can you channel Henry V to help your compliance program? Perhaps you could begin by re-reading the play or some of its most inspiring scenes or even watching them on YouTube. You can start with the St. Crispin’s Day Speech, ride once more into the breach, or even the Prologue to learn about communication.


© Thomas R. Fox, 2012
