The Culinary Aspects of Homer’s Odyssey and Compliance Training

I recently came across a fascinating book entitled “The Meaning of Meat and the Structure of the Odyssey” by Egbert Bakker. In this work, Bakker looks at the culinary aspects of Odysseus’ journey home from the Trojan War. Peter Thonemann, writing in the TLS, said that “Bakker’s book is a powerful illustration of the importance of food and culinary practices to past society.” In other words, the eating habits could be used to not only understand the past but also perhaps train those in the present about the “wider moral culpability” found in Homer’s work.

I thought about this different way of learning as I was reading a recent article by the Open Compliance and Ethics Group (OCEG) President Carol Switzer in the Compliance Week magazine, entitled “Playing the Game of Risk in Workplace Education”. Her article was coupled with a roundtable discussion of the subject and another in the OCEG, GRC Illustrated Series entitled “Risk-Based Education and Training”.

In the article, Switzer reminds us “one size does not fit all in deciding the content and intensity of training needs for each role or individual”. Recognizing that it all starts with a risk-based analysis of who needs the training is just the start. Switzer believes that by engaging employees in the training, it can become more effective. She looks to the world of gaming when stating that, “Well-designed games encourage engagement, and more engagement means more reinforcement, and that leads to better recollection and application of the information. Situational decision making drives the player to think, not just act. Making wrong choices and seeing the consequences leads to desire to act the right way and gain rewards, be it advancing to the next level of the game, earning a prize for success, or understanding that in the real workplace world the reward may be achievement of personal and organizational objectives.”

In her roundtable, she posed the question, “How do you suggest companies decide on the appropriate amount of training? Earl Jones, Shareholder at Littler Mendelson PC, responded that a company needs to evaluate where its risks are, “If the company is betting on international expansion, then intensive anti-bribery and corruption intensive training is a necessity for key employees. Also design training to build and protect sources of value. If an intangible asset, like a brand, is an important source of value, thoroughly train employees to identify, understand, and react to events or behavior that could impair the brand.”

When it comes to the scope and style of training, Steve Perreault, Global Head of eLearning GRC for Thomson Reuter, suggested you should assess your training by employee groups. You should “Understand things like: How likely is a group of employees to participate in activity that is related to a particular regulatory area? How complex is that regulation? What controls are in place already? Is this employee group responsible for making sure others comply with policies and regulations? You also have to consider what you will need to provide to evidence to regulators and courts that the program exists and is effective. Once you get that figured out, you must ensure that you stay on top of changes in legislation and enforcement, and revise policy, procedures, and training accordingly.”

Switzer next turned to measuring the effectiveness of training and how a company might determine this. Alisha Lynch, Global Ethics and Compliance Education Leader at Dell Inc., said, “Determining the scope and style of training should have several input sources.  Most organizations have three- to five-year strategic plans, and training programs should be designed to support those plans and initiatives. One good analogy is that a training initiative should be like a physical fitness regime. You cannot exercise the same muscle every time to make significant improvements, and you cannot ignore the diet. A culture is like a diet. If the organization designs and delivers great training but the culture is toxic, probably no improvement will be made.”

In the GRC Illustrated Series, it suggests that companies take a risk-based approach to provide appropriate levels and types of training and education to different individuals across the organization. Some of the factors they suggest you review are the role of the individuals, geography, and their level of exposure to particular risk areas. Such an approach moves away from the ‘tick-the-box’ approach that generally renders such compliance useless. It also helps to ensure that there is a more effective use of budgetary resources by focusing training efforts to maximize the return on the investment. The piece advocates a three-pronged approach.

Define

The first step is to define what you are trying to achieve. The piece recognizes that “while some organizations limit their training programs to what is legally required, more successful ones know that there are many reasons for developing a thoughtful, well-designed approach to employee education.” It puts forward that if training is done right, it will help the organization to achieve several goals. These include: the business Objectives; managing threats and business opportunities; it will address change in positive manner; it can help to ensure integrity and the company’s reputation; it can strengthen the business’s culture and ethical conduct; and, lastly, it can provide evidence that the company has complied with legal requirements such as the US Sentencing Guidelines and the Ten Hallmark’s of an Effective Compliance Program.

Design

The next step is to design the training program, which is further broken down into three steps, which drill down into the specifics of training. By using these three steps, you can help to assure that the training will be effective for the individual but also for the nature of the risk involved.

The first is to design the training program. Steps include the development of curriculum using a risk-based model. You should set uniform methods for acquiring content, maintaining records, and reporting. This should be followed by the establishment of standards for selecting appropriate content, delivery methods, frequency, and assurance based on risk exposure. You can review any technological solutions for both e-learning delivery and documentation. Finally, you will need to consider training content revision when requirements or risk analyses change.

After the design of the training program, the next level is to design the specific training courses. Here you should establish your learning objectives and map the training to legal and competency requirements. You must always remember who is your audience and what their characteristics might be. You need to ensure that the content is timely and the instructors are effective. Finally, you will need to determine not only the most appropriate mechanism to deliver the content but also define the key performance indicators and determine methods to audit them.

The final design level is the individual’s training plan. Here you need to analyze what the person’s role is within the organization and use this to determine mandatory and risk-based training needs. You will need to consider modifying the risk profile based upon assessments given before and after the training is delivered and then adapt the training as an employee’s role and risk profile changes within an organization

Deliver

For the delivery of the training materials, they also have a tripartite scheme. They break it down into high risk exposure roles; medium risk exposure roles and low-risk exposure roles.

• High Risk Exposure Roles – are defined as those employees whose roles in an organization can significantly impact the company. Here expert subject proficiency is demanded and individuals should be able to act with confidence in a wide range of scenarios and conditions based on a strong understanding of the risks, requirements, and penalties. Training may be repeated frequently using several methods of delivery, have greater assurance through testing and certification of course completion, and include ongoing risk profiling of individuals through assessment of behavior choices in online courses or live simulation exercises.
• Medium Risk Exposure Roles – are defined as those employees who face risk on regular basis or present a moderate level of negative impact to a company if they mishandle the risk. These individuals should know the risks, requirements, and penalties and should be able to apply their knowledge to common scenarios using standards and tools given to them. Training should have content to make them proficient in the subject, be refreshed periodically, use a mix of modes of delivery, and have methods to prove evidence of understanding.
• Low Risk Exposure Roles – are defined as those employees with a low likelihood of facing the attendant risk. Persons in this category should be made aware of the risks, requirements, and penalties, as well as the organization’s expectations about how to address it. They should know relevant policies and procedures and where to get assistance in addressing a risk or making a behavior decision.

As with all areas in an anti-corruption compliance program, Switzer and the OCEG suggest that you monitor and audit your program so that you can review it and improve as circumstances warrant. I would add that you should also Document, Document and Document what you are doing for the same reasons. Just as Bakker’s new look at the culinary aspects of the classics can provide new insights into interpretation, it also shows the training that was written into Homer’s Odyssey.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

More Compliance Lessons from the Asiana/SFO Crash Investigation

I have long been interested in the intersection in the changes in attitude regarding safety in the workplace by corporations and the changing attitudes on doing business through bribery and corruption. As a trial lawyer defending corporations in catastrophic accident lawsuits, I saw a sea change in the corporate attitude regarding safety, beginning in the 1980s through the 1990s. Many of the arguments used against safety during that era are used now. Some of my favorites are: (the financial excuse) it costs too much and doesn’t contribute to the bottom line; (the traditional excuse) we’ve always done it that way; and (my personal favorite) you can’t stop humans from screwing up and trying to injure themselves. But the reality is that safety at the work place did improve and now most companies not only say that safety is job No. 1 but they live and breathe that motto. Does this sea change mean that serious accidents do not happen at the workplace? Of course not, but it does not mean that companies have or even should give up the quest for zero accidents at work.

Part of the ongoing debate about compliance is whether the Department of Justice (DOJ) approach of corporate enforcement actions and the use of Deferred Prosecution Agreements (DPAs) and Non-Prosecution Agreements (NPAs) help or hurt compliance with the Foreign Corrupt Practices Act (FCPA). Some commentators remark that the simple fact that there are enforcement actions is indicia itself that the DOJ approach is not working. Mike Volkov took on this topic in his post, entitled “The Sky is the Limit: Escalating Fines, DPA/NPAs and Deterrence”, by asking if “it is important to ask the question whether the current enforcement scheme adequately punishes and deters corporations”? In his discussion he points to some who want more prosecution of individuals as a greater deterrent and others, notably the FCPA Professor, who want greater corporate protections against prosecution through the addition of a compliance defense as a mechanism to give corporations more incentive to do business in compliance with the law. Volkov ends by observing the DOJ’s current enforcement focus “will not change unless and until there is a good reason to do so – so far no one has pointed to any significant reason for the Department of Justice to change its practices.”

I thought about all of the above in the context of the hearings in Washington in front of the National Transportation Safety Board (NTSB) surrounding the crash of the Asiana jet at San Francisco’s airport last summer. Earlier this week I wrote about one of the lessons from the hearings which was the need for enhanced training by Asiana pilots on not only the specific planes they pilot but also training that they can speak up when they see something that they believe is not right.

This need for training was made even more acute when the story about the testimony given by the Captain on board the flight in question in a New York Times (NYT) article, entitled “Pilots in Crash Were Confused About Control Systems, Experts Say”, where Captain Lee said that he told investigators that any of the three pilots on the plane could have decided to break off the approach, but he said it was “very hard” for him to do so because he was a “low-level” person being supervised by an instructor pilot. But more than even the failure to raise his hand and speak up, Lee did not heed the warning of a junior officer. As reported in an article by the Associated Press, entitled “Pilot who crashed at SFO was worried about landing”, after the accident, Lee told NTSB investigators that neither he nor the instructor pilot onboard the flight said anything when the first officer raised concerns four times about the plane’s rapid descent. Further, he was very concerned about his ability to make a visual landing. So not only was Lee afraid to speak the truth to a superior, he didn’t listen when questioned by a junior. In the world of workplace or airline safety, this is a recipe for disaster.

I think the key to overcoming these problems is training, which has long been recognized as a cornerstone of any best practices ethics and compliance program. I thought it might be an appropriate time to review the training statements made regarding the FCPA. The US Sentencing Guidelines list “Conducting effective training programs” as one of the factors the DOJ will take into account when a company accused of a FCPA violation is being evaluated for a sentence reduction. The Sentencing Guidelines mandate:

(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities. 

After the promulgation of the Sentencing Guidelines, the DOJ and Securities and Exchange Commission (SEC) gave their views on training in the 2012 FCPA Guidance. Their Ten Hallmarks of an Effective Compliance Program listed Training and Communication as one of the key elements. In this section they said that anti-corruption and anti-bribery compliance policies cannot work unless effectively communicated throughout a company. They advised that “a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” But more than a simple dyadic promulgation of a rule, a company should tailor its training to its needs and its risks. This means that any “information should be presented in a manner appropriate for the targeted audience, including providing training and training materials in the local language.”

In addition to the FCPA Guidance, the UK Ministry of Justice (MOJ) has stated that training is one of the Six Principles of an effective compliance program. Under Principle V, it states that “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.” The Guidance recognizes that communication and training deters bribery by companies, their employees and those persons associated with it, by enhancing awareness and understanding anti-corruption policies and procedures and the company’s commitment to their proper application. It therefore follows that making information available on legal requirements, obligations and policies and procedures for implementation of the same assists in more effective monitoring, evaluation and review of bribery prevention procedures. Anti-bribery training should provide, to company employees and those persons and entities associated with the company, the knowledge and skills needed to implement and utilize the anti-bribery procedures and handle in a satisfactory manner any bribery related problems or issues that may arise.

Fortunately violations of the FCPA rarely result in loss of life or limb. But that does not diminish the responsibility of companies to comply with the law. And just as corporate attitudes around safety changed dramatically, corporate attitudes about following the FCPA can change as well. Indeed they could even take the basic approach suggested by (the then) DOJ representative Greg Anders in testimony about attempts to amend the FCPA before the House Judiciary Committee, don’t pay bribes.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Why Can’t We Be Friends? Compliance and HR

I have long been an advocate of the compliance function working with the Human Resources (HR) function in any company to help achieve greater compliance under anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. I think that HR is uniquely situated to ‘connect the dots’ in many areas of compliance. My thoughts on this subject were echoed in a recent article in the June issue of Compliance Week Magazine, in an article by Jaclyn Jaeger, entitled “How Compliance and HR Can Get It Together”. Jaeger quoted Alex Weisgerber for the following, “Boards are increasingly asking their executive teams to identify and address major people risks.” He further stated that “The HR-compliance partnership can help anticipate this request and set the organization’s human capital risk management agenda proactively.”

However, Jaeger wrote that in some companies this cooperation towards the goal of greater compliance has been found to be lacking. There may be several factors which lead to a more asymmetrical approach by these functions, particularly due to “gaps in communication and collaboration between compliance and HR.” She quoted Weisberger that “The two groups simply haven’t found many opportunities to collaborate in supporting organizational performance.” While I disagree with this statement, Jaeger’s article does detail some of the steps the compliance practitioner can take to bring these two corporate functions into alignment.

Jaeger quotes Shanti Atkins, for the following, “The first challenge to overcome is the “deeply held stereotypes that legal, compliance, and HR typically have of each other.” It’s important to talk about those if we are to get past them.” But perhaps more importantly is the notation held in many legal departments and compliance functions that “the HR function is not a strategic player in the company—that its central function is to manage paperwork, schedule training sessions, and mediate mundane spats such as who hogs the best space in the parking lot.”

As mentioned above, I have long advocated that HR is uniquely situated to connect the dots and along this line of thought, Jaeger wrote that “Getting employees to function as a coherent, engaged unit has to do with people, not policies—and people issues are exactly where HR excels, or course. HR has its finger on the pulse of employee culture, Atkins says because it is the primary channel employees use to complain when there is a problem—and those problems are usually a warning sign of wider compliance-related issues.” What are some of the areas that HR can assist the compliance function with? I believe that there are five key areas. They include the following.

Training

A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few, and based on this traditional role of HR in training this commentator would submit that it is a natural extension of HR’s function to expand to the area of FCPA compliance and ethics. There is a training requirement set forth in the US Sentencing Guidelines. Companies are mandated to “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

Employee Evaluation and Succession Planning

What policy does a company take to punish those employees who may engage in unethical and non-compliant behavior in order to meet company revenue targets? Conversely, what rewards are handed out to those employees who integrate such ethical and compliant behavior into their individual work practices going forward? One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a FCPA compliance and ethics policy. In addition to employee evaluation, HR can play a key role in assisting a company to identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence. If a company has an employee who meets, or exceeds, all his sales targets, but does so in a manner which is opposite to the company’s stated FCPA compliance and ethics values, other employees will watch and see how that employee is treated. Is that employee rewarded with a large bonus? This requirement is codified in the Sentencing Guidelines with the following language, “The organization’s compliance and ethics program shall be promoted and enforced consistently throughout the organization through (A) appropriate incentives to perform in accordance with the compliance and ethics program; and (B) appropriate disciplinary measures for engaging in criminal conduct and for failing to take reasonable steps to prevent or detect criminal conduct.”

Hotlines and Investigations

One of the requirements for a company under the Sentencing Guidelines is that they “… have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.” This requirement is met by having a hotline. One of the traditional roles of HR in the US is to maintain a hotline for reporting of harassment claims, whether based on EEOC violations or other types of harassment. It is a natural extension of HR’s traditional function to handle this role.

Regarding investigations, HR can bring broad benefits to any FCPA compliance and ethics program through an efficient investigation process. It is recognized that a Legal or Compliance Department may wish to take over and complete an investigation process. However, HR can bring a consistency in both the process and any discipline which is imposed. Such consistency reinforces the senior management’s message of commitment by the company to FCPA compliance and ethics. Such a function by HR can lead to an understanding of emerging risks. Lastly, it may be that employees are more willing to speak up to HR and the building of trust can be utilized to assist in overall risk mitigation.

Background Screening

A key role for HR in any company is the background screening of not only employees at the time of hire, but also of employees who may be promoted to senior leadership positions. HR is usually on the front lines of such activities, although it may be in conjunction with the Legal Department or Compliance Department. This requirement is discussed in the Federal Sentencing Guidelines for Organizations (FSGO) as follows “The organization shall use reasonable efforts not to include within the substantial authority personnel of the organization any individual whom the organization knew, or should have known through the exercise of due diligence, has engaged in illegal activities or other conduct inconsistent with an effective compliance and ethics program.”

When the Government Comes Calling

While it is true that a company’s Legal and/or Compliance Department will lead the  response to a government investigation, HR can fulfill an important support role due to the fact that HR should maintain, as part of its routine function, a hard copy of many of the records which may need to be produced in such an investigation. This would include all pre-employment screening documents, including background investigations, all post-employment documents, including any additional screening documents, compliance training and testing thereon and annual compliance certifications. HR can be critical in identifying and tracking down former employees. HR will work with Legal and/or Compliance to establish protocols for the conduct of investigations and who should be involved.

Lastly, another role for HR can be in the establishment and management of (1) an Amnesty Program or (2) a Leniency Program for both current and former employees. Such programs were implemented by Siemens during its internal bribery and corruption investigation. The Amnesty Program allowed appropriate current or former employees, who fully cooperated and provided truthful information, to be relieved from the prospect of civil damage claims or termination. The Leniency Program allowed Siemens employees who had provided untrue information in the investigation to correct this information for certain specific discipline. Whichever of these programs, or any variations, that are implemented HR can perform a valuable support role to Legal and/or Compliance.

Doing More with Less

While many practitioners do not immediately consider HR as a key component of a FCPA compliance solution, it can be one of the lynch-pins in spreading a company’s commitment to compliance throughout the employee base. HR can also be used to ‘connect the dots’ in many divergent elements in a company’s FCPA compliance and ethics program. The roles listed for HR in this series are functions that HR currently performs for almost any company with international operations. By asking HR to expand their traditional function to include the FCPA compliance and ethics function, a US company can move towards a goal of a more complete compliance program, while not significantly increasing costs. Additionally, by asking HR to include these roles, it will drive home the message of compliance to all levels and functions within a company; from senior to middle management and to those on the shop floor. Just as safety is usually message Number 1, compliance can be message Number 1A. HR focuses on behaviors, and by asking this department to include a compliance and ethics message, such behavior will become a part of a company’s DNA.

If your company does not integrate HR into several ongoing roles for FCPA compliance I believe that is high time you did so. Jaeger’s article points out several steps you can take to bring these two functions into greater collaboration. From my perspective, HR can be a valuable partner for compliance and one that you should begin to take advantage of now.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The Five Essential Elements of a Corporate Compliance Program – Part II

Tuesday morning, at the University Club of Chicago, Stephen Martin and I will co-present at a Foreign Corrupt Practices Act (FCPA) event hosted by Kreller. If you are in or near Chicago, I hope that you can join us for this presentation. The title of our presentation is “Anti-Corruption/FCPA Developments & Best Practices” and we will focus on a concept that Stephen and his partners at the law firm of Baker & McKenzie have developed which are five essential elements of a corporate compliance program. In Part I, I discussed the background to the development of the five essential elements. In today’s installment, Part II, I will detail the remaining elements in the five elements of an essential compliance program.

III.             Standards and Controls

Generally, every company has three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

IV.              Training

Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice’s (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.

There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company’s high-risk markets, then expand geographically and through the ranks of employees.

Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.

It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.

Thirdly, you should tailor your training to each country. This means that employing a generic script for compliance training is a mistake. To be effective, training programs should be customized by region, country, industry, areas of compliance and types of employee. In addition to Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and OECD guidelines, focus on compliance risks in the country where the employees being trained are working. For example: In China, address the many corruption risks involved in dealing with state-owned entities.

V.                 Oversight – including monitoring, auditing and responses

The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. Two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it’s effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

Finally, as was emphasized again with the recent Pfizer Deferred Prosecution Agreement (DPA), your company should establish protocols for internal investigations and disciplinary action. The Pfizer “Enhanced Compliance Obligations” included the following on investigative protocols: (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training; (b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures – including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently – in place to make sure every investigation is thorough and authentic.

Finally, and consistent with Stephen Martin’s Baker & McKenzie partner Paul McNulty’s Maxim Three (What did you do about it?), is your remediation efforts. Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if companies are policing themselves on compliance-related issues, the government won’t have to do it for them. Remediation, then, is an important component of oversight. If your company’s sales force in Thailand is engaged in potentially improper activity due to a lack of adequate training, remediate the deficiency and schedule that training now. In the end, it’s not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

Stephen Martin and the Baker & McKenzie team have put together an excellent resource for the compliance practitioner in their five essential elements of a corporate compliance program. I hope that you can attend our FCPA event this week. For those of you who cannot attend in person, you can email me for the slide deck and other materials after the event.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Compliance Lessons from Macbeth: Listen to Your Gut

I have always found Macbeth to be one of Shakespeare’s most terrifying plays. Every time I see the production and hear Lady Macbeth say that she would “have plucked from my nipple his boneless gums and dashed his brains out” of her baby or see her ghost after her suicide, it sends chills up my spine. But there are other lessons which can be drawn from the play that could be applicable to the compliance practitioner and a Foreign Corrupt Practices (FCPA) or UK Bribery Act compliance program. In an article in the July 16 edition of the Texas Lawyer, entitled “Shakespeare’s ‘Macbeth’ Teaches Lawyers Life Lessons”, author Michael Maslanka said that one of the plays lessons for him was to “listen to your gut” when faced with a dubious proposition.

Maslanka cites to the dialogue between two characters, Macduff and Malcolm, when Malcolm is when deciding whether Macduff is a friend or an enemy. Malcolm falsely tells Macduff that he is unfit to succeed his father because of his unbridled sexual appetites. “The cistern of my lust, and my desire all continent impediments would o’erbear that did oppose my will,” Malcolm says. After more back and forth, Macduff concludes Malcolm is not fit to be king. Malcolm has found an honest man who will stand up for what is right, not what is expedient. Maslanka goes on to cite these two characters for the suggestion that “When in doubt on a dubious proposition, go with your gut-level reaction.” At first, Macduff tries to negotiate his conscience, because he so desperately wants an honest leader for Scotland. He acknowledges Malcolm’s weaknesses, telling him, “All these are [bearable] with other graces weighed.” But, when Malcolm says there are no other graces, Macduff declares, “Fare thee well, lord.” The lesson: ethics are not negotiable.

This type of choice can also play out in the compliance world. The starkest example of which I am aware of is the HP matter involving its German subsidiary and allegation of bribery to receive a contract for the sale of hardware into Russia. At least one witness has said that the transactions in question were internally approved by HP through its, then existing, contract approval process. This employee, Mr. Dieter Brunner, a contract employee who was working as an accountant on the group that approved the transaction, said in an interview in the Wall Street Journal (WSJ) that he was surprised when, as a temporary employee of HP, he first saw an invoice from an agent in 2004. “It didn’t make sense,” because there was no apparent reason for HP to pay such big sums to accounts controlled by small-businesses, Mr. Brunner said. He then proceeded to say he processed the transactions anyway because he was the most junior employee handling the file, “I assumed the deal was OK, because senior officials also signed off on the paperwork”.

In almost every circumstance where a significant compliance matter has arisen, if the issue had been reported, or at least sent up the chain for consideration, there is a good chance that the incident would not have exploded into a full FCPA compliance violation. This is the concept of escalation and it is a key feature of any successful compliance program; to escalate compliance concerns up the chain for consideration and/or resolution.

This failure to escalate leads to the issue not reaching the right people in the company for review/action/resolution and the issue later becomes more difficult and more expensive to deal with. A company needs to have a culture in place to not only allow elevation but to actively encourage elevation and this requires that both a structure and process exist. The company must then train, train and train, all of its employees. Lastly, while a whistleblower process or hotlines are necessary these should not be viewed as the only systems which allow an employee to escalate a concern.

As Shakespeare might opine, Mr. Brunner did not “listen to his gut” when it told him that the transaction in question did not make sense. Think what position HP might be in today if this temporary employee had been trained by HP that he could escalate his concern if something “didn’t make sense” to a higher level within the company for review. The key is to have the systems in place to allow such escalation and to train all employees, including contract employees, on how to escalate an issue. In FCPA training sessions, one of the things that I try to emphasize is that employees to not have to know the ins and outs of the FCPA, but if something does not feel right, smell right or look right; please raise your hand and say “it doesn’t make sense” to me.

Maslanka then draws to what he believes is the play’s over-arching eternal lesson: “Bet on concrete values like ethics, not ephemeral desires. The witches who predicted that Macbeth would become Cawdor (King) disappear as Macbeth and Banquo are speaking with them. “Banquo remarks they are like “bubbles” in the water and wonders where they have gone. Macbeth’s penetrating insight: “Into the air, and what seemed corporal melted, as breath into the wind.” This insight should compel him to embrace the concrete: the ethical behavior in honor, loyalty, friendship. But his insight fades and instead Macbeth he embraces the ephemeral: title, power, castles.”

So as July has now passed into August and the summer moves towards a close, think about how you might use Shakespeare to illustrate some of the key concepts of your compliance program. It might be time to talk about your hotline or reporting lines with employees to “listen to your gut” or “just raise your hand” if something does not seem right in a transaction. You can also use Shakespeare to show the timeliness and universality of the ethical values that you wish to inculcate into your company’s DNA. For as the author of this most interesting article also observes, “Once an ethical boundary is crossed there is no going back to ethical behavior.” Maslanka again quotes Macbeth who says, “I am in blood stepped in so far that, should I wade no more, returning were as tedious as go o’er.” There always is a window of opportunity to step back from the ethical precipice. Fail to take it and, like Macbeth, the downward spiral is triggered with no incentive to return to an ethical state.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Henry V and Principle V of the Six Principles of Adequate Procedures: Communication

Henry V is a truly inspiring play. Whether one sees it on the stage or on the big screen with the 1944 Olivier or 1989 Branagh version, one cannot help but draw inspiration about the story of the former Prince Hal, from Henry IV, who becomes a regal monarch and leads the English army to a defeat of the French at the Battle of Agincourt. One of the things that Henry V does extraordinarily well is communicate; about his goals and rousing his subjects to help achieve them. Today we use the prism of Henry V to look at Principle V of the Six Principles of Adequate Procedures; that being “Communication (including training)”.

I.                   Commentary

The Guidance for the Six Principles of an Adequate Procedures, anti-bribery program states in Principle V that “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.” The Guidance recognizes that communication and training deters bribery by companies, their employees and those persons associated with it, by enhancing awareness and understanding anti-corruption policies and procedures and the company’s commitment to their proper application. It therefore follows that making information available on legal requirements and obligations and policies and procedures for implementation of the same assists in more effective monitoring, evaluation and review of bribery prevention procedures. Anti-bribery training should provide, to company employees and those persons and entities associated with the company, the knowledge and skills needed to implement and utilize the anti-bribery procedures and handle in a satisfactory manner any bribery related problems or issues that may arise.

II.                      Communication

The Guidance begins by recognizing that the content, language and tone of communications for internal consumption may vary from external use in response to the different relationship the audience has with the company. Further, the nature of communication will vary enormously between businesses in accordance with the different bribery risks faced, the size of the business and the scale and nature of its activities.

a.   Internal Communications

It all starts with ‘tone from the top’ but communications within a business need to also focus on the implementation of the company’s anti-bribery policies and procedures. The Guidance lists several areas which it believes such communication should provide instruction upon. These include company policies on “decision making, financial control, hospitality and promotional expenditure, facilitation payments, training, charitable and political donations, penalties for breach of rules and the articulation of management roles at different levels.” Another critical aspect of internal communications is the establishment of an ethics helpline. Such a helpline should be secure, confidential and accessible for both employees and those outside the company to elevate concerns about bribery on the part of associated persons, to provide suggestions for improvement of bribery prevention procedures and controls and for requesting advice. The Guidance calls such a tool a “Speak-Up Line” but whatever name it is given, it is clear that those both inside and outside a company need to be furnished with a secure, confidential and safe manner to report ethical concerns to an appropriate level of management.

b.   External Communications

Just as risk assessment and due diligence on third parties form a critical component of an Adequate Procedures based anti-bribery corruption program, the Guidance also speaks to the need for external communication of bribery prevention policies through a statement or Code of Conduct, which should act as a deterrent to those intending to bribe on a business’s behalf. The Guidance relates that external communications can include information on bribery prevention procedures and controls, sanctions, results of internal surveys, rules governing recruitment, procurement and tendering. The Guidance also recognizes that businesses may consider it proportionate and appropriate to communicate its anti-bribery policies and commitment to a wider audience, such as other companies in their sector, trade association members and to organizations that would fall outside the scope of the range of its associated persons, or to the general public.

III.                   Training

Restating again that the number one key to an Adequate Procedures anti-bribery compliance program, a company should develop its training protocol based upon a risk assessment. The Guidance recognizes that all employees should receive some training which is likely to be effective in firmly establishing an anti-bribery culture whatever the level of risk. This general level of training can be centered on raising employee awareness about the threats posed by bribery in general and in the industry in which the company operates in particular, and the various ways it is being addressed.

There should be mandatory, general training for new employees or for agents (on a weighted risk basis) as part of the employee indoctrination process, but it should also be tailored to the specific risks associated with specific posts. The Guidance indicates that a company should tailor its training to the special needs of those involved in any procedures and higher risk functions such as purchasing, contracting, distribution, marketing, and those working in high risk countries. It is important to note that for training to be effective it should be continuous, regularly monitored and evaluated.

The Guidance also suggests that associated persons to undergo training. This will be particularly relevant for high risk associated persons. The better practice is to require such anti-bribery training as a part of compliance contractual terms and conditions and then provide such training to the highest risk third party representatives. But the Guidance does recognize that a company may wish to encourage associated persons to adopt bribery prevention training. If this is done, the training should be evaluated and appropriate records of business partner training be submitted to the company on no less than an annual basis.

The Guidance also recognizes that there are various media which can be used to deliver training. It lists some of the different training formats which are available in addition to the traditional classroom or seminar formats, such as e-learning and other web-based tools. However, a company should not lose sight of a risk based approach, so that those employees or third parties deemed the highest risk need to receive the most intensive training. Finally, whatever the format of the anti-bribery training, it should seek to achieve its objective of ensuring that those participating in it develop a firm understanding of what the relevant policies and procedures mean in practice for them.

So how can you channel Henry V to help your compliance program? Perhaps you could begin by re-reading the play or some of its most inspiring scenes or even watching them on You Tube. You can start with the St. Crispin’s Day Speech, ride once more into the breach, or even the Prologue to learn about communication.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012