FCPA Compliance and Ethics Blog

July 14, 2015

Great Structures Week II – Structures from Ancient Egypt and Greece

great pyramid of giza

I continue my Great Structures Week with a focus on great structures from the earliest times, ancient Egypt and Greece. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. From Egypt there are of course the Pyramids, of which Ressler says, “They’re important, not just because they’re great structures, but also because they represent some of the earliest human achievements that can legitimately be called engineering. The Great Pyramid of Giza stands today as a testament to the strength and durability of Egyptian structural engineering skills.”

From Greece we derive what Vitruvius called the “Empirical Rules for Temple Design” which define a “single dimensional module equal to the radius of a column in the temple portico, then specify all other dimensions of the building in terms of that module.” These rules are best seen in Greek temples, largely consisting of columns, which are defined as “a structural element that carries load primarily in compression” and beams, which are “structural elements subject to transverse loading and carry load in bending.” My favorite example of the use of columns is seen in the Parthenon; the most famous of all Greek temples still standing.

In many ways these two very different structures stand as the basis of all structural engineering and Great Structures that come later throughout history. For any anti-corruption compliance regime based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery statutes, the same is true for a Code of Conduct and written policies and procedures. They are both the building blocks of everything that comes thereafter.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”Parethnon

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, now a partner at Foley & Lardner, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Borrowing from an article in the Houston Business Journal (HBJ) by John Allen, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

  • identify to whom the policy applies;
  • establish the objective of the policy;
  • explain why the policy is necessary;
  • outline examples of acceptable and unacceptable behavior under the policy; and
  • warn of the consequences if an employee fails to comply with the policy.

Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Consider gathering small groups of employees, where detailed questions about policies can be raised and discussed, as a powerful teaching tool. Allen even suggests posting Frequently Asked Questions (FAQ’s) in common areas as another technique. And do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the Department of Justice (DOJ) was that it sent out bi-monthly compliance reminder emails to its employee Garth Peterson for the seven years he was employed by the company.

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

For a review of what goes into the base structures of a best practices compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 9, 2015

The Third Man and the Authority of Chief Compliance Officers

ThirdManHarry Lime is back, although he really never left us. As reported by Kristin M. Jones in a Wall Street Journal (WSJ) article, entitled “Harry Lime Reborn”, the glorious British film noir The Third Man, written by Gra ham Greene and directed by Carol Reed, has been restored in a new digital version. It opens this week at select theaters and will tour the country this summer. The screenplay was adapted from the book of the same name by the author, Greene. It is the rare movie that is at least as good as the book. Greene himself noted that the story “was never written to be read but only to be seen.”

The story revolves around protagonist Holly Martin (played by Joseph Cotton) who goes to post-war Vienna at the behest of his college buddy Harry Lime (played with aplomb by Orson Welles). Martin arrives after a funeral for Lime and finds out that Lime was dealing in the black market. Martin searches for Lime, meeting his girlfriend and assorted shady characters along the way. He ends up leading the Military Police occupying the city to Lime and there is a final noir-classic chase through the sewers of Vienna.

What’s my favorite scene? There are way too many to name but the clown’s head shadow is one of the great cinematic visions of undulated terror. The final chase through the sewers of Vienna is a classic. The dialogue is both chilling and funny. Chilling when Lime asks Martin, while they are atop the apex of a Ferris wheel, whether he would refuse money to make the dotlike figures of humans below stop moving; Funny when Lime say that in 200 years of warfare between the Borgias, the Medicis and continual conflict in Italy it produced the flowering of the Renaissance, while 500 years of peace in Switzerland produced the Cuckoo Clock. Finally, is the haunting musical score of Anton Kara’s use of the Zither . The movie definitely makes my Top 10 greatest movies of all-time.

I thought about this movie in the context of the ongoing debate in the compliance world about whether a company could or should combine or separate the role of the Chief Compliance Officer (CCO) from that of the General Counsel (GC). There has traditionally been a split in companies on whether the CCO should report into a legal function and the GC or report directly to a company’s head officer. Mike Volkov noted that “According to the last PWC Compliance Survey, only 29 percent of CCOs have made it into the C-Suite but that will increase. Only 27 percent of CCOs continue to report to the general counsel while 34 percent report directly to the CEO.” Whichever path your company employs it is imperative that the CCO speak from a position of authority.

A consistent voice for the importance of the role and voice of the CCO in any organization is noted compliance expert, Donna Boehme. She writes and speaks consistently on the characteristics for a successful CCO. Writing in the SCCE magazine, Compliance & Ethics Professional, in an article entitled “Five essential features of the Chief Ethics and Compliance Officer position”, Boehme articulated five essential features required for a CCO to be successful in an organization.

  1. Independence

It is incumbent that any CCO must have “sufficient authority and independence to oversee the integrity of the compliance program.” Some indicia of independence would include a reporting line to the company’s Board of Directors and Audit/Compliance Committee but more importantly “unfiltered” access to the Board. There should also be protection of employment including an employment contract with a “nondiscretionary escalation clause” and a requirement for Board approval for any change in the terms and conditions of employment, including termination. There must also be sufficient resources in the form of an independent budget and adequate staff to manage the overall compliance program.

  1. Empowerment

A CCO must have “the appropriate unambiguous mandate, delegation of authority, senior-level positioning, and empowerment to carry out his/her duties. Such can be accomplished through a “board resolution and a compliance charter, adopted by the board.” Additionally the CCO job description should be another manner in which to clarify the CCO “mandate, and at a minimum should encompass the single point accountability to develop, implement and oversee an effective compliance program.” All of the above should lead in practice to a “close working relationship with an independent board committee.”

  1. Seat at the Table

The CCO must “have formal and informal connections into the business and functions of the organization – a seat at the table at important meetings where all major business matters (e.g., risk, major transactions, business plans) are discussed and decided.” She argues that, at a minimum, the CCO should participate in “budget reviews, strategic planning meetings, disclosure committee meetings, operational reviews, and risk and crisis management meetings.”

  1. Line of Sight 

The CCO should have “unfettered access to relevant information to be able to form independent opinions and manage the [compliance] program effectively.” This does not mean that the CCO should have veto power over functions such as safety or environmental or that such functions must report to the CCO, but unless there is visibility to the CCO for these risk areas, the CCO will not able to adequately assess and manage such risks from the compliance perspective. The correct structuring of the CCO role to allow it visibility into these areas will help the CCO coordinate compliance convergence training.

  1. Resources 

It is absolutely mandatory that the CCO be given both the physical resources in terms of personnel and monetary resources to “get the job done.” I have worked at places where the CCO had neither and the CCOs did not succeed because they never even had the chance to do so. Boehme focuses on both types of resources. Under monetary resources she points, as an indicia, to the independence of the CCO from the GC “rather than a shared budget”. This can also bleed over to ‘headcount’ and shared or dotted line reporting resources. There should be independent resources reporting into the compliance function.

Whichever way a company decides to go on this question, it must meet Requirement No. 6 of the Department of Justice’s (DOJ’s) minimum best practices requirement for a Foreign Corrupt Practices Act (FCPA) based compliance program, which reads:

The company will assign responsibility to one or more senior corporate executives for the implementation and oversight of the company’s anti-corruption policies, standards, and procedures. Such corporate official(s) shall have direct reporting obligations to independent monitoring bodies, including internal audit, Company’s Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy. 

Additionally this is reiterated in the 2011 Amendments to the US Sentencing Guidelines, §8B2.1 (b)(2)(C), which states:

Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

If you have the chance to see The Third Man this summer I urge you to do so. For a schedule of its showings across the country click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 1, 2015

Mifune Gets a Star on the Walk of Fame-the Petrobras Scandal Only Gets Worse

MifuneIt was announced last week that actor Toshirō Mifune (1920-1997) will be honored with a star bearing his name on the Hollywood Walk of Fame. The Hollywood Chamber of Commerce will add the star in 2016, together with new stars in the motion picture category for Quentin Tarantino, Michael Keaton, Steve Carell, Bradley Cooper, Ashley Judd and Kurt Russell. For those of you who may not have heard of Mifune, he was a veteran of sixteen films directed by Akira Kurosawa as well as many other Japanese and international classics. His films with Kurosawa are considered cinema classics. They include Drunken Angel, Stray Dog, Rashomon, Seven Samurai, The Hidden Fortress, High and Low, Throne of Blood, Sanjuro, and Yojimbo. While there are many great, great performances in these films, my personal favorite is Yojimbo where Mifune plays an un-named Ronin, who cleans out a village infested by two warring clans. The film was the basis for the great first Sergio Leone/Clint Eastwood Spaghetti western, A Fistful of Dollars. 

I had always thought that the Hollywood Walk of Fame honors actors but it turns out that it honors a great many more performers. For instance, next year will also see names like LL Cool J, Cyndi Lauper, Shirley Caesar, Joseph B. “Joe” Smith, Itzhak Perlman, Adam Levine, and Bruno Mars added in the music category. I considered this category of entertainers wider than simply actors when I recently read more about the burgeoning scandal in Brazil around the state owned energy company Petrobras and its ever-growing fallout.

The fallout has extended far beyond Petrobras, Brazil and even the direct parties who may have been involved. In an article in the Financial Times (FT), entitled “Petrobras woes loom large in Shell deal for BG”, Joe Leahy, Jamie Smyth and Christopher Adams reported on how the ongoing matter is affecting the world of super sized mergers and acquisitions. The rather amazing thing about this issue is not that British Gas (BG) has been caught up in the scandal or even has been alleged to paying bribes to Petrobras.

Rather it is because of assets that BG has in its portfolio. The article said, “Brazil has the potential to become the location of the most troubled assets in BG’s portfolio because the UK company is partner to Petrobras in some of the vast pre-salt oilfields off the country’s east coast in the Santos Basin.” This has led to speculation that “There is a risk that Petrobras will struggle to fulfill its mandate as sole operator for all new pre-salt oilfields because of the corruption scandal, and that this leads to delays in developing the deepwater discoveries, including those involving BG.”

This development arising out of the Petrobras scandal is so significant that BG mentioned it in their annual report, saying “In Brazil, we are closely monitoring how the current corruption allegations affecting Petrobras may impact the cost and schedule of the Santos Basin [pre-salt] development because of supply chain disruption and/or capital and liquidity constraints placed on Petrobras.” Think about that statement for a moment. It is only in the annual report because it could have a ‘material’ effect on BG and BG is a company being acquired by Shell to the tune of £55 million. However, as noted in the FT article, “many analysts say that Petrobras, partly because of the magnitude of the scandal, does not have the capital or management bandwidth to be the sole operator of all new pre-salt fields.”

What if Petrobras becomes unable to develop enough resources to feed South America’s largest democracy’s need for energy? In 2014 alone, the company posted a new loss of $7.4 billion, of which $2.5 billion was attributable to the ongoing bribery and corruption scandal. How much will it cost the country of Brazil to bring in outsiders to develop its own natural resources? This is a real possibility and it was further driven home by another FT article by Joe Leahy, entitled “Petrobras plans 37% cut in investment”. Petrobras currently is required by Brazilian “government policy forcing it to import petrol at international prices and sell it in the domestic market at a subsidized rate.”

Things can only get worse as Leahy reported that the company announced it “was cutting its projection for investment in 2015-2019 to $130.3bn or by 37 percent in relation to its previous plan.” This would lead to a reduction in “domestic production to 2.8m barrels per day of oil equivalent by 2020 from the previous target of 4.2m.” The article ended by noting that Petrobras would “divest $15.1bn in assets and undertake additional restructuring and sales of assets totaling $42.6bn in 2017-18.”

All of this certainly bodes poorly for the citizens of Brazil. For those who claim that bribery is a victim-less crime; I would point to this as Contra-Example A. But this information is also of significance to any Chief Compliance Officer (CCO) or compliance practitioner for a US, UK or other western country. Not only must you review any contracts you had with Petrobras and any of its suppliers; now you must digger several levels deeper. If you are in an acquisition mode, you not only need to look at the contracts of your target to see if they may have been obtained through bribery and corruption, the simple fact of having a contract with Petrobras may put your potential portfolio asset base at risk. For if Petrobras has to cut back 37% on investments at this point, chances are it will only get much worse. This 37% reduction is based on only the first round of estimates of the cost to the company of the bribery scandal.

But more than simply contracts directly with Petrobras, if you are evaluating a target who has contracts with Petrobras suppliers, you may be at equal risk. Not only could those suppliers obtain their contracts with Petrobras through bribery and corruption, those same contracts, even if valid, may not be worth their estimated value if Petrobras cannot fulfill them or even worse, pay for the goods and services delivered thereunder. How about payment terms? Do think for one minute, Petrobras would not unilaterally extend payment dates out 30, 60, 90 even 180 days when it finds itself in more bribery and corruption hot water?

Finally, I think there is a very good chance the US Department of Justice (DOJ) or Securities and Exchange Commission (SEC) could come knocking, unannounced, for any US company doing business with Petrobras or even with significant operations in Brazil. The SEC could do something as simple as send a letter requesting clarification of your internal controls or books and records regarding subcontractors or other third parties in Brazil. If you received such a letter, would you be in position to respond from the requirements for a public company under the Foreign Corrupt Practices Act?

Toshirō Mifune had a long and distinguished acting career. While it is not clear how long, how far and how deep the Petrobras corruption scandal will reach, it is clear that its repercussions will extend far past the energy industry or even Brazil. You need to review and be prepared to respond now.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 25, 2015

Custer’s Last Stand and Risk Management

Custer's Last StandOn this day in 1876 one of the greatest failures in risk management took place when Lieutenant Colonel George Armstrong Custer and his entire 7th Cavalry were wiped out at the Battle of the Little Big Horn. Custer had split his command into three wings and he took his battalion of 200 or so men down the center of what he thought would be little resistance. Instead he found that he was facing a far superior force of 3000 largely Sioux warriors who quickly overwhelmed and defeated Custer’s command, with all US troops being killed. There is now some debate on whether all the cavalrymen were actually killed by the Native Americans or took their own lives, saving the last bullet for themselves, in western parlance.

Historians have debated over time the reason for Custer’s defeat. Was it arrogance; bad intelligence; faulty command, just plain stupidity or even a wish for martyrdom by Custer? Whichever the cause, it was the worse defeat of the US Army by Native Americans in the Western campaigns of the later 1800s. Today, it might be termed as a faulty assessment and management of the risks involved.

I thought about Custer and his defeat when I read a recent article in the Harvard Business Review (HBR), entitled “Strategy How to Live With Risks. It presented risk, risk assessments and risk management in a new light, a key acumen being that risk management should be used as a “protection shield, not an action stopper.” It was based upon a research paper by the CEB, entitled “Reducing Risk Management’s Organizational Drag”, which I thought it had some interesting insights for the Chief Compliance Officer (CCO) or compliance practitioner.

The first insight is that, in many instances, companies are assessing risks that are in the rear-view mirror. The author pointed to the Sarbanes-Oxley (SOX) Act, passed in response to the Enron and Worldcom accounting scandals in noting, “In the wake of the 2008 financial crisis many large banks changed their business models, and other companies implemented systems to better manage credit risks or eliminate overreliance on mathematical models.” This type of mentality can lead to what the author says, is “a variation on what military historians call “fighting the last war.” As memories of the recession fade, leaders worry that risk management policies are impeding growth and profits without much gain.” The author went on to quote Matt Shinkman of CEB, a member based advisory company, for the following insight “Firms are questioning whether the models they put in place after the financial crisis are working—and more fundamentally questioning the role of risk management in their organizations.”

This retrospective look back is coupled with what the author says is a decision making process which “is too slow, in part because of an excessive focus on preventing risk” and not managing risk; in other words, companies were slowed down even further by something termed “organizational drag”. Companies need to find new mechanisms to assess and manage risk going forward. The best way to do so, many companies have indicated, is through reorganizing or reprioritizing risk management and the article presented “three best practices” in doing so.

Strike the Right Balance Between Risk and Reward

Recognizing that risk management is often simply ‘just saying no’, the HBR articcle suggests that “Today’s risk managers see their role as helping firms determine and clarify their appetite for risk and communicate it across the company to guide decision making. In some cases this means helping line managers reduce their risk aversion.” The interesting insight I found here is that if an asset is low performing it may be because the management is so risk averse. This may present a CCO or compliance practitioner with an opportunity to increase growth through other risk management solutions that they could implement.

Focus on decisions, not process

This insight is one that CCO and compliance practitioners should think about and try and implement. Recognizing that risk assessments are important, the author believes that risk managers should focus more on decisions concerning risk rather than the process of determining risk. This means, “In addition to relying on paperwork or process, risk managers are turning to tools (such as dashboards that show risks in real time) and training that help employees assess risk. They are also helping companies factor a better understanding of risk into their decision making.”

By having a seat at the senior management’s table, a CCO or compliance practitioner can help identify risk issues early on in planning. This allows a COO to help craft a risk management solution, or even better yet show colleagues how to “spot potential problems and managers see how their projects fit into the company’s overall portfolio of projects, each with its own set of risks.” The author again quoted Shinkman, “This is less about listing risks from a backward-looking perspective and more about picking the right portfolio of risky projects.”

Make employees the first line of defense

The author channels his inner Howard Sklar (water is wet) by stating, “Decisions don’t make themselves, people make them”. However from that insight, the author believes that “smart companies work to improve employees ability to incorporate appropriate levels of risk when making choices.” But this means you must not only adequately train your employees to spot the appropriate risk but you, as CCO must provide them with tools to manage the risk. The author wrote, “Companies are also trying to identify which types of jobs or departments face a disproportionate share of high-risk decisions so that they can aim their training at the right people. They’re focusing that training less on risk awareness and more on simulations or scenarios that let employees practice decision making in risky situations. Finally, risk managers are becoming more involved in employee exit interviews, because people leaving an organization often identify risks that others aren’t able or willing to discuss.”

The article ends by noting that the goal is “to transform risk management from a peripheral function to one with a voice integrated into the day-to-day management” of an organization. That is also viewed as a component of CCO 2.0 and a more mature model of improvement. By focusing on training employees on how to spot Foreign Corrupt Practices Act (FCPA) compliance risks and then providing them with the tools to adequately manage that risk, CCOs can deliver greater value.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 24, 2015

Pink Flamingos and the Compliance Audit

FeatherstoneThe creator of one of the most ubiquitous symbols of mid-century Americana died earlier this week. Don Featherstone, the creator of the pink plastic lawn flamingo, the ultimate symbol of American lawn kitsch, has died. He was 79. Featherstone, a trained sculptor with a classical art background, created the flamingo in 1957 for plastics company Union Products, modeling it after a bird he saw in National Geographic. Millions of the birds have been sold. Whether you think of the Pink Flamingo as a symbol of Miami Vice, Jon Waters and Devine or for something less salacious, here is to Featherstone, a true original.

While Featherstone created one of the ultimate symbols of the second half of the 20th century for a generation of South Floridians, the Japanese company Takata Corporation (Takata) continues to be in the news for much less prestigious reasons. As reported in the New York Times (NYT), in an article entitled “Senate Panel Says Tanaka Cut Audits on Safety”, Hiroko Tabuchi and Danielle Ivory said “In the middle of what would become the largest automotive recall in US history, the Japanese airbag manufacturer Takata halted global safety audits to save money”. Interesting (or perhaps ominously might be a better word) Takata responded by saying it had not halted safety audits for products but rather for worker safety. Doesn’t that give you some comfort?

A US Senate committee report found that “Takata halted global safety audits at its manufacturing plants in 2009, a year after Honda had started recalling a small number of cars to replace the airbags.” These audits were later restarted in 2011 but when they found safety issues related to airbag manufacturing in two key plants, “those findings were not shared with Takata’s headquarters in Tokyo, the report said, citing internal emails from Takata’s safety director at the time.” Moreover, “when the safety director returned to the plant months later to conduct a follow-up audit, employees appeared to scramble to create the appearance of a safety committee within the plant.” Finally, and perhaps most damningly, the report cited an internal Takata email which said, “No safety committee, as such, has been formed” at the plants in question.

Foreign Corrupt Practices Act (FCPA) compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became mainstays of any best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program, either under the FCPA, UK Bribery Act or any other anti-corruption regime. Indeed audits are specifically delineated in the FCPA Guidance as a way to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical and unfortunately with Takata seemed to be lacking in its safety audit protocol: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited.

Auditing can take several different forms in an anti-compliance program. As a matter of course, you should audit the compliance program in your own organization. A forensic audit can collect and analyze accounting and internal-controls evidence in your compliance regime. This information can be used to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Further, an internal audit can review a compliance process to determine if employees are following prescribed processes or internal controls, in an operational Sarbanes-Oxley (SOX) or FCPA compliance audit.

In addition to the collection and analysis of evidence, an auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. Obviously one of the functions of such an audit is to determine if further investigation is warranted.

Now imagine if this scenario had been followed by Takata. The lack of a safety committee is a glaring omission at any manufacturing facility. Simply noting this and reporting it up the chain could have gone some way towards preventing the situation the company now finds itself in; with a worldwide recall of up to 32 million vehicles. The same is true for a compliance audit. Just as monitoring can provide information to you on a more real-time basis; a compliance audit compliments this real-time oversight with a much deeper dive into what has happened on a historical basis.

The recent BHP Billiton FCPA enforcement action is certainly one to look at in this context. Although there was a committee set up to review gifts and travel requests for the company’s 2008 Olympic hospitality program, the committee did not fulfill this charge. It was alleged in the Securities and Exchange Committee (SEC) settlement documents that this committee was never intended to pass muster on the applications for tickets and travel for government officials but was simply there to provide guidance.

Once again this situation points out the difference between having a paper compliance program in place and the actual doing of compliance. Even with an appropriate oversight structure in place BHP Billiton did not do the work of compliance by evaluating the applications for travel and tickets to the Beijing Olympics but left it to the devices of the business unit employees who were making the requests and ultimately most directly benefited from the gifting.

Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties below are some of the areas you may wish to consider reviewing:

  • Contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
  • Determine that actual due diligence took place on the third party vendor.
  • Review the FCPA compliance training program for any vendor; both the substance of the program and attendance records.
  • Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
  • Does the third party vendor have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
  • Review expense reports for employees in high risk positions or high risk countries.
  • Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
  • Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
  • Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
  • With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

The compliance function still is behind the safety function in terms of maturity. Because of this there are many lessons which a Chief Compliance Officer (CCO) or compliance practitioner can draw upon from our colleagues in safety. The safety audit is certainly a technique that can be drafted into your compliance program. But as the ongoing Takata air bag debacle demonstrates, your audit only works if you actually perform it. In other words, the protocol is simple, everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 23, 2015

Fraud and the Detection of the Sources for Bribery

 

Detection of FraudIn a recent White Paper authored by Peter Smith for OFS Portal, entitled “Procurement and Fraud in the Supply Chain”, where he examined “fraud linked to procurement and supply chain activities.” Smith focuses on where fraud can occur in the procurement process. From this starting point, he suggests “mitigating actions that organisations can take to protect themselves against fraud.” I found this article to be an excellent review of Supply Chain (SC) activities which the Chief Compliance Officer (CCO) or compliance practitioner could put to good use in reviewing their company’s Foreign Corrupt Practices Act (FCPA) anti-corruption and anti-bribery regime.

A. The Problem – How Does Fraud Happen?

Smith starts by classifying fraud in way which will assist the reader in understanding how it occurs. He believes there are “three critical factors to consider: the perpetrator(s), the plan and the point of failure.” The perpetrator is the one “behind the fraud and either executes it directly or through others.” In the anti-corruption world of the FCPA, this can be through an agent or a supplier who is working to help execute the fraud.

Interestingly, in the area of these third parties (and hence the greatest area of risk for FCPA compliance practitioners to consider) Smith notes that “The plan and point of failure factors are linked in that often the plan relies on the point of failure. In other words, most frauds take advantage in some weakness in the process, technology, policy or systems of combination of those.” Smith writes that there are three key phases “in the procurement life-cycle that can be considered; (1) the supplier selection phase; (2) the contract negotiation and award phase; and (3) the contract delivery management phase.”

Phase I – Supplier Selection and Qualification

This phase should be well known to the compliance practitioner as a part of the third party life-cycle management step denominated as due diligence. But Smith asks that you consider factors other than simply whether someone is on the Denied Parties List (DNP) or is a Politically Exposed Person (PEP). He suggests that you consider misrepresentation by the third party in the nature of “concealing the true nature of its business, history or ownership when it bids for the work.” He also points out that through collusion and cartels, persons or entities can work to control a market. If you did any work with Petrobras over the years, you will certainly recognize that many if its approved suppliers operated in this manner. Given what we now know about how corrupt Petrobras was, this is not too surprising.

But Smith also suggests that employees may be involved in skewing the selection process towards a corrupt agent or other partner. He recommends reviewing the bid process to see if there was bias in the competition, which would push an otherwise arms-length award to a corrupt partner. This could occur through biased competition through specification, where an employee would “construct a specification that makes it likely or inevitable that a particular supplier will win the competitive process.” The next is biased competition through tailoring the evaluation process which gives weight to the specific strengths of a corrupt third party. Finally, Smith points out that there can be biased competition through information leakage when a company employee will leak confidential information to a third party to give them an advantage in the bidding process.

Phase II – Contracting

Smith says the “next critical point at which fraud can take place is during the contract negotiations and in agreeing the detailed terms and conditions.” Moreover, Smith believes this stage is critical if often overlooked because “the seeds are often sown at the contracting stage.” Scenarios can include where there is a certain level of ‘local content’ required “but without any clear contractual mechanism to explain how it will be measured or policed.” As any CCO or other FCPA compliance practitioner would recognize, local content is one of the easiest ways to get into FCPA high risk so managing that risk is critical. I found Smith’s concern with setting out the clear legal terms and conditions around any such requirement as a good way to manage the high risk.

Phase III – Contract Delivery and Management

Here Smith laid several different fraud schemes which could facilitate a bribery plan. The first is fake invoices which can rely on “poor processes within an organisation” to spot. However this scheme can also rely on a company insider to approve such fabrications. Next is “volume over-invoicing”. In this scheme, while a supplier does supply some goods or services, the invoice is raised for more than has been delivered. If there is a scheme to create a pot of money to be used to fund bribes, there will need to be an internal company accomplice to “smooth the way by authorizing receipts or invoices.” Next there is “price-related over-invoicing” the third party will over-price the goods or services, above what is allowed under the contract. Another scheme set out by Smith is “invoice diversion” where “a legitimate payment that should go to a certain supplier is diverted to a third party fraudulently.” Another scheme can simply be to ease the contract terms and conditions which allow the third party to receive a benefit with nothing in return being delivered back to the company. Finally, there is what Smith details as one of the “toughest frauds to detect”, that being the delivery of lower quality products than is contractually specified.

B.The Solution – How to Reduce Fraud

Smith believes that fraud prevention can be built around a troika of concepts. (1) You need to have “effective procurement and spend management policies in place. (2) You must “use appropriate and robust processes”. (3) Finally “applying the right technology to support and manage those processes.” In his paper he followed the same outline on how to reduce the instances of fraud.

Phase I – Supplier Selection and Qualification

While a clear procurement policy is the starting point, it is only the starting point. Having a transparent process is important as well as adequate supplier qualification details. He notes that multiple sign-offs should be in place to ensure that one person does not control the entire process. This should also be incorporated into the communications trail with the competitors to ensure that no one third party receives confidential information. Obviously an appropriate level of due diligence should be applied to confirm that not only are the third party’s who they represent themselves to be but that they are also qualified to do the work or deliver the services. Finally, there should be controls around onboarding “so that firms who are actually going to be suppliers go through more rigorous checks before they are accepted onto” the Vendor Master List.

Phase II – Contracting

Obviously the starting point for any business relationship should be a well-drafted contract. However, for larger organizations Smith believes that “a contracts database or contract lifecycle management system is essential.” To the greatest extent possible there should be standard compliance and legal terms and conditions, coupled with an “appropriate level of sign-off and approvals management for contracts.” Finally, segregation of duties (SOD’s) “to make sure that there are checks and balances and that no one person holds too much power in the process.”

Phase III – Contract Delivery and Management

As I often say in the lifecycle management of third parties, the real work begins when the contract is signed. Smith believes that many of the routes of fraud, “can be closed off by taking a few precautions” which include some of the following steps. First and foremost is “no purchase order, no pay” but this also means there should be an invoice from the vendor which is matched to the contract for accuracy. Once again checks and balances, SOD’s for sign-offs and approvals must be built into your payment system. There should be controls around changes to the contract and, more importantly, changes to any payment details. Lastly, ongoing oversight and monitoring through controls analytics and auditing should be employed on the back end to verify delivery of goods or services.

I found Smith’s White Paper to be an excellent review for the CCO or compliance practitioner around not only the mechanism of how fraud occurs but a review of the techniques for fraud prevention. While his concepts may seem like a review for the compliance practitioner, it also allows you to think through how corruption might take place in your organization. The briber has to get the money from some source and Smith’s White Paper can give you insights on where you might look.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

June 15, 2015

The Compliance Practitioner’s Magna Carta – Fee Fixed for Compliance Consulting

Magna Carta 2Today is the anniversary of one of the most momentous events of English history. 800 years ago King John met the rebellious Barons at Runnymede and set his seal to the Magna Carta or ‘Great Charter”. The document was a peace treaty between the King and his Barons and guaranteed that the King would respect feudal rights and privileges, uphold the freedom of the church, and maintain the nation’s laws.

Clause 39, of 63, is seen as a key article as it states “no free man shall be arrested or imprisoned or disseised [dispossessed] or outlawed or exiled or in any way victimised…except by the lawful judgment of his peers or by the law of the land.” This clause has been celebrated as an early guarantee of trial by jury and of habeas corpus and inspired England’s Petition of Right (1628) and the Habeas Corpus Act (1679).

I thought about the Magna Carta in the context of one of the loudest and largest complaints from Chief Compliance Officers (CCOs), compliance practitioners and indeed corporations around Foreign Corrupt Practices Act (FCPA) compliance. That is the cost of outside counsel in the delivery of compliance services. Many commentators rail against the high cost of both FCPA investigations and remediation’s.. Much of this high cost is driven by law firms that bill by the hour.

Stephen Fairley, who runs the Rainmaker Institute, has written extensively about the high cost of hourly billing and alternative fee arrangements (AFAs). In a blog post, entitled “Considering Alternative Fee Arrangements? Here’s How to Make Them Work for Your Firm (1 of 2)”, he cited to Vincent Cino, Chairman of Jackson Lewis PC, who told American Lawyer, “The billable hour is directly opposed to the best interest of the client and to the provider of service because by its very nature it adds an artificial barrier to the accomplishment of the only real objective, which is a quality legal product for a set and expected price.” Fairley went on to state, “One of the most common AFAs is the fixed or flat fee arrangement”.

So today I am announcing a new service offering of compliance consulting for a fixed monthly fee. For this fee you can have a set number of hours of compliance consulting services from myself. While Fairley’s quotation and comments certainly resonate with me, I saw this approach work when I was an in-house counsel at a major corporation where the lawyers never kept a record of what they worked on. The reason for this was that the Law Department heads did not want anyone on the business side wondering how much a phone call to the corporate legal department was going to cost them. The legal department was funded through a straight overhead charge to the operating unit; in other words a fixed fee, set annually. The law department wanted the business unit folks to always call with questions so they made it as easy and inexpensive as possible.

I have long thought about that concept and that model in the delivery of compliance services. The purpose of my new service offering is to allow a CCO or compliance practitioner who may need the services of a Subject Matter Expert (SME) in the nuts and bolts of FCPA compliance to have a low-cost, yet first class, resource which they can call upon with any questions at anytime and know what their monthly cost will be. I want to give a client every incentive to pick up the phone and call me as their SME, without worrying about how much the phone call is costing.

But I have other reasons for this new service offering. The fixed fee arrangement benefits both side of the equation, the lawyer and the client. Lee Rosen, a North Carolina attorney, has written extensively on fixed fee arrangements for counsel. In a blog post entitled “Hourly Billing Kills Your Art” he said, “Fixed fees let lawyers be artists. They let us do what needs doing even if it’s not something that’s economically justifiable. They let you as a lawyer release the imaginative, creative inner lawyer that too often stays bottled up inside because of the economic constraints resulting from clients feeling the pressure to pay the bills.” If there was ever a practice that was more art than Black Book law, it is FCPA compliance. A fixed fee arrangement allows me to work on the art part of it in a way that will benefit clients, yet not cost an arm and a leg.

So on this anniversary of a seminal event in English history and one that we Americans celebrate as equally important to our national character, you now have the opportunity to consult with a SME on the ‘nuts and bolts’ of FCPA compliance on a cost-effective way that I am sure you will find most innovative and useful for your compliance program. If you are interested in finding out more contact me at my email address listed below and we can discuss the specifics of my new FCPA fixed fee consulting practice offer.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 12, 2015

Tribute to Sir Christopher Lee and Release of New Book for CCOs

Lee as DraculaSir Christopher Lee died yesterday. For several generations of horror movie fans, he was simply Dracula, having starred in the role for Hammer Films in the 1950s through the 1980s. Yet for another couple of generations of movie aficionados, he was known for his work in the later Star Wars series as Count Dooku in both Star Wars: Episode II — Attack of the Clones and in Star Wars: Episode III — Revenge of the Sith. He was also the wizard Saruman in Peter Jackson’s Lord of the Rings films.

His characterization of Dracula may have been closer to what Dracula’s creator, Bram Stoker, had envisioned. According to his obituary in The Telegraph, Lee “imbued the character with a dynamic, feral quality that had been lacking in earlier portrayals.” The first Hammer Dracula film was the most successful. The Telegraph stated, “With Cushing cast this time as the vampire hunter, Dracula (retitled Horror of Dracula in America) was a box-office success for Hammer and horror aficionados at the time labelled it “the greatest horror movie ever made”. Lee also regarded it as the best of the series of Dracula films that he made with Hammer. “It’s the only one I’ve done that’s any good,” he recalled. “It’s the only one that remotely resembles the book.””

Lee’s creativeness and greatness in the roles he has played lead-in to my topic today. I am extremely pleased to announce that my latest book CCO 2.0 | Internal Marketer and Soft Skills Required has been published and is now available from Compliance Week. CCO 2.0 provides the Chief Compliance Officer (CCO) and compliance practitioner with some of the most current ideas on the types of skills that a compliance officer might need and how to market the compliance function within the corporate environment.

In the Internal Marketer section, I take on such topics as The Five Golden Rules of Internal Marketing Compliance; Internal Marketing of a Compliance Program; Getting Employees to Care about a Compliance Program; Getting Your Employees to Internally Market Your Compliance Program; Internal Advertising of Your Compliance Program and Funding Your Compliance Program.

In the sections of soft skills I discuss skills the CCO or compliance practitioner can use to move forward the compliance agenda in a company. I discuss such topics as the use of influence by a CCO; Four Keys to Compliance Leadership; the CCO as Chief Persuasion Officer; the CCO as Chief Collaboration Officer; Communications tips for the compliance professional; putting compliance at the center of strategy and why compliance is different than legal function.

The book is available in paperback and eBook formats and you can find both by clicking here.

While you are on the Compliance Week site, I would also suggest that you take at look at my seminal work on creation, implementation and enhancement of an anti-corruption compliance program, Doing Compliance. If there is one book in your library on how to do compliance, this book is it. In this book I discuss the requirements to build, and execute, a modern compliance program. With a focus on anti-bribery and anti-corruption issues, the book first reviews the basic building blocks a compliance officer needs (code of conduct, policies and procedures, internal controls), moves on to address the proper role and autonomy of a CCO, delves into the most important CCO duties (risk assessment, training, investigations), and always offers practical examples and advice for how a compliance program should work.

Best of all, the paperback and eBook both have newly reduced pricing which should make it a ‘must have’ for every member of your compliance team. The book is available by clicking here.

Finally, if you have not yet checked out my podcasts, after you check out my latest two books, published by Compliance Week, you should head over to the FCPA Compliance and Ethics Report or iTunes to check out the latest editions. Some of the highlights are:

Episodes 163 and 166 deal with the FIFA indictments.

Episode 164 – MissionLogPodcast.com co-host John Champion returns to discuss Star Trek – The Next Generation (TNG) and the leadership lessons from Season One of TNG.

Episode 165 – I discuss the BHP FCPA enforcement action and its implications for the compliance practitioner as a strict liability standard because there was no evidence of bribery presented by the Securities and Exchange Commission (SEC).

Episode 167 – Mara Senn returns to share her top ten practices for cross-border investigations. Senn has some important and useful tips to help the CCO or compliance practitioner think through an approach for an international FCPA investigation.

Episode 168 – Noted criminal defense attorney Dan Cogdell discusses criminal procedure and funding your defense costs, in the defense of an individual Foreign Corrupt Practices Act (FCPA) enforcement action. With all the talk coming about the Department of Justice (DOJ) and FCPA commentariat about the need for individual prosecutions, this episode is timely.

Lastly, after you have purchased my two latest books and checked out my podcasts, I would urge you to head on over to Netflix and settle in with Sir Christopher Lee and his great Hammer films. They are the top of 1950s horror movies.

A happy weekend to all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 29, 2015

Doing Compliance in an Economic Downturn, Part IV – Testing, Peer Groups and Talent Development

Edmund HillaryToday we celebrate the conquest of what the Tibetans call “Mother Goddess of the Land” and what the rest of us call Mount Everest. For on this date in 1953, Sir Edmund Hillary of New Zealand and Tenzing Norgay, a Nepalese Sherpa, became the first explorers to reach the summit of the highest point on earth. News of the success was rushed by runner from the expedition’s base camp to the radio post at Namche Bazar, and then sent by coded message to London, where Queen Elizabeth II learned of the achievement on June 1, the eve of her coronation. The next day, the news broke around the world. Later that year, Hillary and Norgay were both honored by the queen for their momentous achievement.

One of the things that made Hillary and Norgay’s ascent to the summit of Everest was the overall integration and teamwork of the entire group. The British team was led by Colonel John Hunt who set up a series of camps, allowing the expedition to push its way up the mountain in April and May. A new passage was forged through several previously un-surmounted obstacles to bring the team to about 26,000 feet. The first assault to the summit was launched on May 26 by Charles Evans and Tom Bourdillon, however they had to abandon their assent 300 feet from the top due to malfunctioning oxygen sets. Three days later, Hillary and Norgay were successful. In other words, teamwork and process were key to their success.

The accomplishment achieved by Hillary and Norgay drives the conclusion of my series on the steps you can take to improve your Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program and overall compliance function during a period of economic downturn. So when faced with reduced monetary resources and lessened head count you might want to consider the teamwork of compliance. To that end you might use a strategy of developing compliance talent and relationships for the compliance function. You could initiate a compliance talent development group where you rotate high potential individuals in your company through the compliance function in some manner.

My suggestion would be to work with senior management and your Human Resources (HR) function to identify some of the key talent within your company. They can come from any other area of the company; such as accounting, finance, internal audit, HR itself, sales or any other discipline. From there you can task them to lead a working group on a compliance related project. The project itself can be any project you would like to try and implement when funding becomes more available.

One company I worked at had such an organization called the President’s Team which was an annual group that developed projects for the company Chief Executive Officer (CEO). The concept is the same but the goal is having the high talent employees learn more about compliance. Equally important for you as the compliance practitioner is to develop relationships with such up and comers so you can access to them if they continue to progress up the corporate chain. Remember it is important to have relationships with those in power and those who will be in power.

In addition to the talent development group, you should also revisit your interactions with your Board or Audit Committee. You need to re-emphasize to them their responsibility for compliance going forward and that it will not diminish simply because the price of oil has gone south or any other reason why you may be in an economic downturn. If there are emergency projects or others which you believe should take priority this would be a good time to inform and educate the Board on them so that you can continue to maintain as much funding as is possible. This could come into play if you have a number of whistleblower complaints to triage and review in short order due to employee layoffs. But if you did not establish those relationships ‘yesterday’, you probably cannot call on them ‘tomorrow’ so you need to make sure they are in place now.

Another idea that you can try is something along the lines of a client advisory committee or peer group review. You can put together a peer group to help advise your compliance function. After all, one of your constituent groups is your employee base. So why not turn to that group to find out what is working and perhaps their views on what is not, in their eyes, from the compliance function. If they can provide feedback to you on how to streamline a compliance process you might well be able to incorporate such suggestions going forward. They will be aware of the resource constraints the company is under so it could be an avenue which you have not previously used. Further, as with the talent development group concept, you would have the opportunity to develop relationships with other leaders in your organization. Finally, the group would have greater investment in the compliance function going forward.

Next is one of your highest risks, that of third parties, which most compliance practitioners recognize as their highest risk in any FCPA anti-corruption compliance program. This risk does not lessen simply because of a downturn. My suggestion is that you test and review all of the indicia around the lifecycle of your third party risk management program. This is not a forensic audit or even standards that an auditor might use. But you can test and you can test the documentation around your program at little to no cost.

The lifecycle of a third party is the following: (1) Business justification, (2) Questionnaire, (3) Due Diligence and Evaluation, (4) Contract negotiation, and (5) Managing the relationship thereafter. You can perform testing on all of these steps by reviewing the documentation in your third party database. For each third party you should confirm that there is documentation in each file, which supports each of the five prongs. In addition to the document, document, document aspect of this exercise, you can also use it as a cross-check on your internal control mapping for each validated prong so this can also be considered an internal compliance control.

I hope that you have found some of these ideas for improving your compliance function in an economic downturn useful. Perhaps they have stimulated ideas or discussions within your organizations going forward. If you have any other ideas which you would be willing to share, I hope that you will pass them along to me. We are all in this compliance ride together anything we all can do to move things forward is progress in my mind.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

May 27, 2015

Economic Downturn Week, Part II – The Golden Gate Bridge and Employment Separation – Hotlines and Whistleblowers During Layoffs

Golden Gate BridgeToday, we celebrate one of the greatest engineering achievements of the century. On this date in 1937, the Golden Gate Bridge opened. At 4200 feet long, it was at the time the world’s longest suspension bridge. But not only was it an engineering and architectural milestone, its aesthetic form was instantly recognized as classical and to this day is one of the most iconic structures in the US if not the world. With just a few years until its 80th birthday, it demonstrates that a lasting structure is more than simply form following function but contains many elements that inform its use and beauty.

I use the Golden Gate Bridge as an entrée to my continued discussion on the series on steps that you can use in your compliance program if you find yourself, your company or your industry in an economic downturn. Whether you are a Chief Compliance Officer (CCO) or compliance practitioner, these steps are designed to be achieved when you face reduced economic resources or lessened personnel resources going forward due to a downturn your economic sector. Yesterday, I discussed mapping your current and existing internal controls to the Ten Hallmarks of an Effective Compliance Program so that you can demonstrate your compliance with the Foreign Corrupt Practices Act’s (FCPA) internal control prong to the accounting procedures. Today I want to discuss the issues surrounding the inevitable layoffs your company will have to endure in a downturn.

In Houston, we have experienced energy companies laying off upwards of 30% of their workforce, both in the US and abroad. Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming it can still be quite a shock when Human Resources (HR) shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for a wide variety of complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible.

Before you begin your actual layoffs, the compliance practitioner should work with your legal department and HR function to make certain your employment separation documents are in compliance with the recent SEC v. KBR Cease and Desist Order regarding Confidentiality Agreement (CA) language which purports to prevent employees from bringing potential violations to appropriate law or regulatory enforcement officials. If your company requires employees to be presented with some type of CA to receive company approved employment severance package, it must not have language preventing an employee taking such action. But this means more than having appropriate or even approved language in your CA, as you must counsel those who will be talking to the employee being laid off, not to even hint at retaliation if they go to authorities with a good faith belief of illegal conduct. You might even suggest, adding the SEC/KBR language to your script so the person leading the conversation at the layoff can get it right and you have a documented record of what was communicated to the employee being separated.

When it comes to interacting with employees first thing any company needs to do, is to treat employees with as much respect and dignity as is possible in the situation. While every company says they care (usually the same companies which say they are very ethical), the reality is that many simply want terminated employees out the door and off the premises as quickly as possibly. At times this will include an ‘escort’ off the premises and the clear message is that not only do we not trust you but do not let the door hit you on the way out. This attitude can go a long way to starting an employee down the road of filing a claim for retaliation or, in the case of FCPA enforcement, becoming a whistleblower to the Securities and Exchange Commission (SEC), identifying bribery and corruption.

Treating employees with respect means listening to them and not showing them the door as quickly as possible with an escort. From the FCPA compliance perspective this could also mean some type of conversation to ask the soon-to-be parting employee if they are aware of any FCPA violations, violations of your Code of Conduct or any other conduct which might raise ethical or conflict of interest concerns. You might even get them to sign some type of document that attests they are not aware of any such conduct. I recognize that this may not protect your company in all instances but at least it is some evidence that you can use later if the SEC (or Department of Justice (DOJ)) comes calling after that ex-employee has blown the whistle on your organization.

I would suggest that you work with your HR department to have an understanding of any high-risk employees who might be subject to layoffs. While you could consider having HR conduct this portion of the exit interview, it might be better if a compliance practitioner was involved. Obviously a compliance practitioner would be better able to ask detailed questions if some issue arose but it would also emphasize just how important the issue of FCPA compliance, Code of Conduct compliance or simply ethical conduct compliance was and remains to your business.

Finally are issues around hotlines, whistleblower and retaliation claims. The starting point for layoffs should be whatever your company plan is going forward. The retaliation cases turn on whether actions taken by the company were in retaliation for the hotline or whistleblower report. This means you will need to mine your hotline more closely for those employees who are scheduled or in line to be laid off. If there are such persons who have reported a FCPA, Code of Conduct or other ethical violation, you should move to triage and investigate, if appropriate, the allegation sooner rather than later. This may mean you move up research of an allegation to come to a faster resolution ahead of other claims. It may also mean you put some additional short-term resources on your hotline triage and investigations if you know layoffs are coming.

The reason for these actions are to allow you to demonstrate that any laid off employee was not separated because of a hotline or whistleblower allegation but due to your overall layoff scheme. However it could be that you may need this person to provide your compliance department additional information, to be a resource to you going forward, or even a witness that you can reasonably anticipate the government may want to interview. If any of these situations exist, if you do not plan for their eventuality before you layoff the employee, said (now) ex-employee may not be inclined to cooperate with you going forward. Also if you do demonstrate that you are sincerely interested in a meritorious hotline complaint, it may keep this person from becoming a SEC whistleblower.

Just as the Golden Gate Bridge provides more to the human condition than simply a structure to get from San Francisco to Marin County, layoffs in an economic downturn provide many opportunities to companies. If they treat the situation appropriately, it can be one where you manage your FCPA compliance risk going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

 

 

« Previous PageNext Page »

Blog at WordPress.com.