Get Out of the Ivory Tower – Using Internal Corporate Resources to Facilitate the Compliance Function

The second day of Hanson Wade Oil and Gas Supply Chain Compliance conference in Houston packed as much solid information into it as did the first day. One of the sessions dealt with utilizing other corporate functions to assist a compliance department in implementing or enhancing a compliance program. There are many resources which currently exist inside your organization and if you are in the position where you must use internal rather than external resources, this post will detail some of the functions which you may be able to call upon inside your organization.

You should start with a basic approach which the speaker termed “Get Out of the Ivory Tower”. He explained that the compliance department must obtain realistic input from geographies, cultures, business units and corporate functions within the company. As he rather succinctly put it to the audience “A procedure which may work in Texas may not work in Indonesia.” He also counseled to train in local languages. This may mean more than translating your talk into one language. He gave the example of his training in Spain where he had dual translations going, from English into Spanish and Catalan.

Part of this translation issue led to his next point, which was not to believe your own story or even worse, your own propaganda. Simply because a Country Manager says something is true means does not mean that it is true. Internal controls, monitoring and auditing are important to test that you are actually doing compliance rather than simply saying you are in compliance.

In determining what other departments might be able to assist the compliance function, the speaker suggested that you should start with three inquiries. They were:

1. What can yours do? This is the initial assessment that you need to make about what your compliance department can do. What are your resources and budget? Start with this question.
2. What can theirs do? In looking around your company, next ask this question. What are the functions of the departments? Are there things that they are currently doing which can supplement the compliance function? Are there functions in that department’s core function which can assist the company in the doing of compliance?
3. How many employees does each of you have? An obvious concern is the number of employees that are available to assist the compliance function.

What are some of the other corporate functions that might assist the compliance department going forward? An obvious starting place is Human Resources (HR). The speaker listed several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touch every site in the company, globally. HR is generally seen as more approachable than many other organizations in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

Obviously, HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the compliant and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert so you can turn to them for any of your compliance program requirements which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not they make sense. In some new environments, a policy may not work. If you company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often over-looked function but it facilitates local coordination, which is always easier than from the corporate office.

There are many ways to implement or enhance a compliance program in a company. If you do not have the luxury of creating an entire compliance department with an unlimited budget, you may be able to call upon other areas of corporate expertise to facilitate your role. Do not be an Ivory Tower.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Edgar Allen Poe and Innovation in the Compliance Function

Tomorrow, April 20 is the anniversary of a truly innovative work of literature. On April 20, 1841, Edgar Allen Poe’s story, The Murders in the Rue Morgue, first appeared in Graham’s Lady’s and Gentleman’s Magazine. The tale is generally considered to be the first detective story. The genre is distinctive from a general mystery story in that the focus is on analysis. The story describes the extraordinary analytical powers used by Monsieur C. Auguste Dupin to solve a series of murders in Paris. The character of Dupin became the prototype for many future fictional detectives, including Arthur Conan Doyle’s Sherlock Holmes and Agatha Christie’s Hercule Poirot. Like the later Sherlock Holmes stories, the tale is narrated by the detective’s roommate. Poe biographer Jeffrey Meyers sums up the significance of “The Murders in the Rue Morgue“: “[it] changed the history of world literature.” Poe’s role in the creation of the detective story is reflected in the Edgar Awards, given annually by the Mystery Writers of America. For both myself and the many worldwide fans of Sherlock Holmes, we owe a tip of the hat to Poe for inventing the genre.

As Poe demonstrated, innovation can come in many forms. Earlier this week I wrote about some of the innovative ways that Joel Katz, of CA Technologies, had improved his company’s compliance function. In this post, I will discuss how Katz was able to increase the participation of business leaders into the doing of compliance. He did so by the creation of ‘Regional Business Ethics Councils.’ I found the CA Technology creation and use of these Regional Business Ethics Councils as an innovative approach to help move compliance into the company’s DNA in a robust manner.

The Regional Business Ethics Councils are designed to “largely serve as a communication vehicle between our corporate compliance team in the United States, business leaders, and employees.” These Regional Business Ethics Councils were created in the company’s three major geographic regions which consisted of the Americas, Europe and the Middle East (EMEA) and Asia-Pacific (APAC). Each Regional Business Ethics Council is comprised of six to eight senior business leaders from each part of the company’s functional business, including legal, finance, HR, sales, development, administration, and others. The Regional Business Ethics Councils meet quarterly.

Katz believes that the Regional Business Ethics Council members play a critical role with compliance messaging to employees in their respective regions. Their meetings are used to “discuss current compliance issues and internal and external trends, significant legal or regulatory changes that impact the business, and upcoming compliance initiatives.” This structure allows the company to be more nimble and be in a position to respond more quickly to different external issues that may arise and impact the compliance function.

CA Technologies also uses the Regional Business Ethics Councils as a mechanism to “solicit feedback from the business on the current business environment, any concerns the business leaders may have about our business or our compliance program, and any other issues they wish to discuss.” One of the constant challenges for employees is getting foreign employees to trust and communicate with the compliance function. The Regional Business Ethics Council can provide another route by which information and concerns can be conversed up to the compliance function.

Katz acknowledged that the level of engagement of the individual council members varies from both person to person and Regional Business Ethics Council to Regional Business Ethics Council. Nevertheless, the company has found that the Regional Business Ethics Council initiative “has succeeded in creating more visibility into the compliance function for company business leaders and more visibility into the global business for our compliance team.” Additionally, the Regional Business Ethics Councils can assist the compliance group by focusing on issue-spotting and awareness-raising within their specific region. Katz believes that this is helpful because it “is consistent with our belief that if we can get people talking about compliance and asking questions, we can address most issues long before they become compliance problems.”

Katz ended his article by explaining that at CA Technology “compliance training and communication plan is and will always be a work in progress” which he believes is appropriate for “every organization, as such organizations and legal and regulatory landscapes will undoubtedly evolve and change over time.” His article helps to drive home the message that a company “should examine its plan at least annually to ensure it is still viable and continually look for opportunities to improve it. This iterative approach to training and communication will help ensure that messages are being heard, understood, acted upon and appreciated by your employees.”

I have often written about the need for some type of management oversight above the compliance function which sits below a company’s Board of Directors. The CA Technology approach of using the Regional Business Ethics Council provides another level of engagement by corporate functions. But just as a Regional Business Ethics Council can be used to communicate from areas outside the US back to the corporate headquarters, the Council structure allows the compliance function to communicate back into the regions. I believe that this can help companies to communicate the importance of compliance more thoroughly and more effectively throughout an organization.

Lastly, one of Katz’s themes is to help the company employees understand that compliance is there to help them do work business more efficiently and at the end of the day in a manner more consistent with the company’s overall ethical values. I believe that the use of the Regional Business Ethics Council program can be a key way to demonstrate this commitment to employees. I would suggest that this type of program may be something that you should consider for your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

How to Introduce Innovation in Your Compliance Program

News Flash: Houston Astros Lead AL in Wins!

 In case you were too worn out from this weekend’s college basketball tournament bonanza, both the men’s and women’s, to stay up on Sunday night and watch ESPN; the Houston Astros won their 4000^th game and had their first American League (AL) win so that they now lead the AL in overall wins. I guess Astros owner Jim Crane, he of “I-made-a-$100-million-dollars-so-I-must-know-what-I-am-doing”, thinks he knows a thing or two about innovation. Or perhaps not?

While Brother Crane is no doubt reveling in his first win as the Astros owner, I thought about the question of how a compliance professional can use innovation to improve a company’s overall compliance program? This topic of innovation was recently explored in an article in the MIT Sloan Management Review,  Spring 2013 issue, entitled “How Innovative is Your Company’s Culture?” by Jay Rao and Joseph Weintraub. In this article, the authors tried to determine how companies could develop a more innovative culture. While the article did not focus on compliance, I found the ideas that they put forward as a useful manner for compliance practitioners to think through and implement innovation into their Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance programs.

The authors believe that when it comes to innovation, most companies focus on resources, processes and measurement because they are tool-oriented and more easily measured. Conversely companies tend to focus less on people-oriented components of innovation success, for example values, behaviors and climates, because they are harder to measure. The authors quote one Chief Executive Officer (CEO) who had said, “The soft stuff is the hard stuff.” Yes the authors believe that it is the soft-stuff, people issues where the greatest opportunity for innovation can occur. I believe that this holds true for innovation in a company’s compliance program as well.

The authors posit that there are six building blocks to an innovative culture. These six building blocks are not static conditions but are inter-related and to an extent, interdependent on each other. The six building blocks are:

1. Values. The authors believe that it is a company’s values which drive both its priorities and its decisions. It is also reflected in where a company spends its money. If a company is innovative, it tends to emphasize creativity and encourage continuous learning. Values are more than what leaders say or what they write but drive by what they do and what they invest in.
2. Behaviors. This describes how company employees act in the cause of innovation. This is demonstrated when leaders work to energize employees and to make sure that things happen within the company. For employees it means working to overcome obstacles around innovation and making things happen when “resources and budgets are thin.”
3. Climate. The authors believe that climate is “the tenor of workplace life.” This means that innovation is encouraged and employees take it on “with enthusiasm.” People are allowed to take risks within a safe environment and the company encourages “independent thinking.”
4. Resources. Within the framework of their six building blocks, the authors believe that resources have “three main factors” people, systems and projects.” Of these three factors, people are the most important because they have the most “powerful impact on the organization’s values and climate.”
5. Processes. The authors state that processes are the route by which innovations follow as they are developed within an organization. These processes include not only the track they follow but also the criteria for capturing and sifting through new ideas for “reviewing and prioritizing projects and prototyping.
6. Successes. The authors believe that successes in a company are “captured at three levels: external, enterprise and personal.” These can help to demonstrate if an innovation is paying off. But more than simply financial success, this building block “reinforces the enterprise’s values, behaviors and processes, which in turn drive many subsequent actions and decisions”.

There are several lessons that the compliance practitioner can derive from these six building blocks to help put innovation into your company’s compliance program. I think the first is that you must create an environment where innovation is not only accepted but encouraged in your company. A simple top-down structure will not accomplish this goal. Not only do you have to go out into the field but you must listen to what people in the field are telling you. Simply because you get push-back from the business folks does not mean that their suggestions are always wrong. There might be some nugget in such push-back which allows you to do something faster, quicker or with more compliance efficiency. Even if the suggestion or push-back does not warrant inclusion into your compliance program, you should at least acknowledge employees for their suggestion.

Another technique that you might use based on these building blocks is the compliance champion. Such a person can be used not only as an initial point-of-contact for your compliance program but you can use non-compliance department compliance champions as innovation leaders in your compliance program. You could have them meet (in person or virtually) on quarterly intervals to discuss compliance program innovations that they might come up with based upon their more focused training and work as a compliance champion in your company. As the authors might say, you can develop your own internal community of compliance innovation experts that you could call upon as an internal resource. Further, in their role as your initial point-of-contact for your compliance program, these compliance champions could also act as a filter to bring you other innovative ideas from your company’s workforce.

This article by Rao and Weintraub had some very interesting ideas about how a company can ingrain innovation into its compliance program. Many companies have worked very diligently on resources, processes and measurement of their compliance program. However, as compliance programs mature and become a part of every well-run company, compliance practitioners can move towards other themes of innovation; that of values, behaviors and climates. So while I am not yet convinced that the Astros $20MM payroll really was a positive innovation, I do believe that the authors have set out some very thoughtful ideas that you can incorporate into your compliance efforts going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

The Red Scare: Knowledge and the Importance of Due Diligence

 Ed. Note-we continue our series of guest posts from our colleague Mary Shaddock Jones, who today looks at the importance of due diligence.

At midnight on November 9, 1989, East Germany’s rulers gave permission for the Berlin Wall, separating East and West Berlin, to be opened up.  Ecstatic crowds immediately began to clamber on top of the Wall and hack large chunks out of the 28-mile barrier.  I remember viewing the scene on T.V.  It was a momentous moment in world history.  For those of you who may not know, while East Germany never officially adopted a “red flag” for its country, on most official buildings, the national flag (black-red-gold with hammer and circle) was flown with a solid red flag flown next to it!  Twenty-two years later the “fall of the Red Flag of East Berlin”, seems like distant memory.  However, for businesses doing business internationally the “red flag” has once again come to represent a warning or a threat in terms of liability under the FCPA

The Lay Person’s guide to the FCPA published by the Department of Justice warns U.S. firms about their choice of overseas partners and agents. A bad choice is someone who is likely to make corrupt payments. That likelihood, the DOJ says, is usually indicated by warning signs called “red flags.” If there are red flags to start with, and if the intermediary does bribe a foreign official to help the business, the company will have trouble arguing it shouldn’t be responsible for an FCPA violation based on an indirect corrupt payment.

Red flags, as the name suggests are easy to spot, and include such things as: (1) unusual payment patterns or financial arrangements;  (2) a history of corruption in the country;  (3) a refusal by the foreign joint venture partner or representative to certify that it will not take any action that would cause the U.S. firm to be in violation of the FCPA; (4) unusually high commissions; (5) Lack of transparency in expenses and accounting records; (6) An apparent lack of qualifications or resources on the part of the joint venture partner or  representative to perform the services offered; and, (7) a recommendation from the local government of the intermediary to hire this particular third party.

Although red flags are often relatively easy to discover, the failure to look may result in a company being subject to severe penalties.  As a result,  prior to dealing with any third party, companies should conduct Due Diligence in an  attempt to discover whether the third party is involved in any prohibited corrupt practices or has some connection to a foreign government official that you may not be aware of.  Due diligence is thus an essential tool, as it allows one to acquire knowledge of any existing or potential “red flags”, thus enabling entities to make informed decisions on whether or not to interact with or transact business with certain persons and entities.

The practical pointer for today’s blog is this- The undeniable truth is that Companies must know who they are doing business with and, as importantly, why they are choosing to do business with this particular entity.  This requires the accumulation of information! In order to collect adequate information concerning prospective third-party Agents or Business Partners, many companies are now using a consistent set of tools, for example: (1) questionnaires requiring the person within the company who is recommending the retention of a third party to provide basic information such as the reasons for engagement, the specific services required, how prospective third-party individuals or companies were selected for possible service, relevant experience and capabilities of the prospective third party, whether the prospective third-party would need to interact with government officials, how much and in what manner the third party should be compensated, etc.; (2) a questionnaire submitted to the prospective third party requesting significant information regarding the ownership, physical location, management, experience, relationship to foreign government officials, references of the third party and an assurance by the third party that it understands and is willing to comply with anti-corruption laws and regulations; (3) some method of vetting the reputation and background of the prospective third-party representative or business partner. Ultimately,  the level of due diligence required will generally be commensurate with the level of perceived risk.

When conducting due diligence of high-risk third parties, one should typically employ the services of  third party professionals.  These professionals can help insure that the high risk third party does not pose potential FCPA liability through the use of various means such as: checks of corporate filings and business records, legal proceedings, Internet searches, and adverse media checks.  Furthermore,  many emerging markets and developing countries pose such a great risk of FCPA liability, that additional due diligence procedures including “in-country” (a/k/a “boots on the ground”) searches may be required such as: conducting searches of localized public records, phone interviews, site visits, and reference checks.

Consider the following policy language:

Under the U.S. FCPA,  the Company and its Personnel could be liable for indirect offers, promises of payments, or payments to any Government Official (or to private entity if the UK Bribery Act is involved) if such offers, promises, or payments are made through an Agent or Partner with the knowledge that a Government Official will be the ultimate recipient. As a result, it is important that the Company, through the Company Compliance Officer, consider the necessity of conducting anti-corruption due diligence on a prospective Agent or Partner. If after performing a risk assessment the Company concludes that a due diligence investigation should be conducted, then the extent of the investigation must be determined.  The degree of due diligence the Company will perform depends upon a lot of factors, including the dollar value of the arrangement, the expected contact with government officials, and the country at risk.  In making the determination, the Company will consider whether the transaction raises “red flags”.

Examples of common “red flags” with third parties are as follows:

• The prospective acquisition target, Agent, or Partner insists that its identity remain confidential or refuses to divulge the identity of its owners, directors, or officers.
• Family, business or other ‘special’ ties with government or political officials.
• Reputation for violation of local law or company policy, such as prohibitions on commissions, or currency or tax law violations. Also negative press, rumors, allegations, investigations or sanctions.
• The transaction or the prospective acquisition target, Agent, or Partner is or operates in a country where there is widespread corruption or a history of bribes and kickbacks
• Requests from government officials or agencies to engage or hire specific third parties.
• Inadequate credentials for the nature of the engagement or lack of an office or an established place of business.
• Missing or inadequate documentation to support services and invoices. Unsupported charges or expenses, requests for payment of non-contracted amounts.
• Convoluted or complex payment requests, such as payment to a third party or to accounts in other countries, requests for payments in cash or requests for upfront payment for expenses or other fees.
• Requests for political, charitable contributions or other favors as a way of influencing official action.
• Third party has a reputation for getting ‘things done’ regardless of circumstances or suggests that for a certain amount of money, he can fix the problem or “make it go away”.

All due diligence investigations conducted by the Company will include an analysis of potential “red flag” issues.  Investigations of potential “red flag” issues should be carefully documented and relevant documents, such as due diligence, questionnaires, reports, and compliance certificates, should be maintained by the Company Compliance Officer or his or her designee.

On Monday, we will examine contractual language to consider when contracting with approved Agents and Partners.  Stay tuned.

 Mary Shaddock Jones has practiced law for 25 years in Texas and Louisiana primarily in the international marine and oil service industries.  She was of the first individuals in the United States to earn TRACE Anti-bribery Specialist Accreditation (TASA).  She can be reached at msjones@msjllc.com or 337-513-0335. Her associate, Miller M. Flynt, assisted in the preparation of this series.  He can be reached at mmflynt@msjllc.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor.

 

Creating Sustainable (Compliance) Performance

Compliance practitioners are continually tasked with moving a company’s culture of compliance forward. However, the day-to-day work is sometimes too granular to see results. In an article in the January-February issue of the Harvard Business Review, entitled “Creating Sustainable Performance”, authors Gretchen Spreitzer and Christine Porath explore some different techniques that managers can use to “help employees thrive at work.” They note that even in a down economy, thriving employees out produce non-thriving employees. The authors defined ‘thriving’ as employees who are not only “satisfied and productive but also engaged in creating the future” for their organization. I thought about these concepts within the context of promoting a culture of compliance within your organization.

The authors posit that there are two components to such thriving employees. They are vitality: “the sense of being alive, passionate and excited” and learning: that being the “growth that comes from gaining new knowledge and skills.” These two concepts work in concert and lead to employees who “deliver results and find ways to grow” on the job. Just think about the power of these concepts if you could apply them to advancing your company’s compliance program. The authors list four steps that managers can take to help employees thrive, which I have adapted for the goal of promoting compliance within your company.

Provide decision making discretion. Here the authors believe that employees will be energized if they can make decisions which affect their work. For your compliance program, it means listening to and working with your local employees to come up with better ways to implement and enhance compliance. But you must take care not to cut back on empowerment simply if a person makes a mistake. Such an eventuality can and should be used as teaching opportunity.

Share information. People will contribute to an organization more effectively when they understand how their specific work fits within the company’s overall mission and strategy. It is difficult to look for innovative solutions if the impact cannot be seen. Compliance should be open and transparent to allow employees to see the fruits of their ideas and efforts as systems which make information widely available should build trust and confidence.

Minimize incivility. This one should be held close by the lawyers in compliance and legal departments. I do not mean yelling and screaming but taking the time to listen and explain. As a lawyer, I sometimes revert to my legal training that all I need to do is explain the rules and that should be enough for everyone to understand. If employees face incivility the authors believe they are “likely to narrow their focus to avoid risks and lose opportunities to learn in the process.”

Offer performance feedback. The authors believe that feedback is the mechanism by which opportunities for learning are presented. Further, the more direct and the quicker the feedback is presented to an employee, the more useful it is as it resolves feelings of uncertainty and provides focus. This can help an employee get back on track or provide the impetus to match a culture of compliance.

One of the significant factors for each of these four mechanisms is that they do not require a substantial investment or enormous efforts. It does require leadership to be open to empowering employees. The authors conclude that these four mechanisms must be used in conjunction as each one reinforces the other. But the results can be very helpful in moving your company forward. In the 2012 economic climate putting such building blocks in place can be a powerful tool for your compliance efforts going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

Conduit to Compliance or First Line of Defense – the Local Compliance Point Person

As compliance programs mature, it is becoming increasing clear that one size does not fit all. Moreover, there may be several different approaches to creating the most effective compliance program for your organization. This past week I attended the ACI FCPA Boot Camp in Houston. Many of the presentations dealt programs, procedures and process companies had developed specifically for the compliance issues they have faced around the globe. One of these was in a session entitled “Compliance Programs 2.0” where one of the subjects discussed was who to embed as a local compliance representative in an international business unit.

On this discussion panel were two lawyers, Rick Chapman, Assistant General Counsel at Halliburton and John Lewis, Sr. Managing Counsel – Compliance Global Anti-Bribery Counsel, they presented two distinct views on utilizing local compliance point persons in their company’s respective international anti-corruption and anti-bribery efforts. I found that each company’s approach had merit and that they are both models which you can review to determine which might be best suited for implementation in your organization.

Conduit

Rick Chapman described the structure that Halliburton utilizes as a conduit to the compliance department. The local compliance resource is generally not an attorney or in the company’s Legal Department. The employee is a local business unit employee who Halliburton embeds within the compliance function. Initially the compliance group will identify a person who can handle this role and will then  provide them with specialized compliance training.

Mr. Chapman remarked that two of the main roles of the LCAs are to provide compliance training to other employees in the business unit and also to listen to the compliance concerns of Halliburton employees on the ground. As the local eyes and ears of the compliance group, they can bring day-to-day concerns back to the home office for review and assessment. In this manner they are viewed as a conduit to the compliance group, headquartered in Houston.

First Line

John Lewis contrasted the Halliburton conduit approach with that of Coca-Cola regarding local compliance resources. Coca-Cola utilizes regional counsel from the Legal Department to act as “Legal Ethics Officers (LEOs).” While these LEOs are lawyers, Mr. Lewis made clear that they are employed in the Legal Department and not in the local business unit. In their role, LEOs have authority to make preliminary compliance assessments regarding day-to-day compliance issues. The company views them as the first line of compliance.

Mr. Lewis said that one of the key reasons that the company takes this approach is in dealing with foreign governmental officials. LEOs have authority to make contact directly with foreign government officials and present the company’s position on compliance issues. He stated that this brings one additional level of review and assessment to the company’s compliance regime and that this could be important if a regulator reviewed any decision made by the company in the context of the Foreign Corrupt Practices Act (FCAP), UK Bribery Act or other anti-corruption laws.

I found both of these methods to create and utilize a local compliance representative creative and economically efficient. They are systems to help embed the concept of compliance within the local and international culture of an operation. By utilizing such resources, whether they be in the “conduit” format or the “first line of defense” format, I believe that a company can drive home, on a daily basis, how to conduct business ethically and within the parameters of anti-corruption laws.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

The Bribery Act and DPAs: Transparency is the Key

The debate now ongoing in the UK about whether Deferred Prosecution Agreements (DPA) should be a tool available to prosecutors in the Serious Fraud Office (SFO) and Crown Prosecutors is an important issue that should be well reasoned and thoroughly vetted. However, from where I sit in the US, I believe that the ability to enter into a DPA is a powerful tool that advances the interests of prosecutors, the judiciary and the public. Based on the reasons I will set out below, I believe that the UK should incorporate such a tool into those mechanisms available to the SFO and Crown Prosecutors to resolve cases brought under the Bribery Act.

The key issues that law makers in the UK must resolve is how to incorporate the concept of a DPA into a system which only allows prosecutors the option of bringing criminal charges or declining to do so coupled with a judiciary system that has unfettered discretion to accept or reject any settlement agreement brought before it. In an article entitled “The US Model for Deferred and Non-Prosecution Agreements” Mike Volkov phrases the question as “For UK policy makers, the balance between judicial review and prosecutorial discretion is one which has to be resolved before any new policy can be enacted.”

The primary reason for both the prosecution and a company which violates the Bribery Act entering into a DPA is certainty. The one thing I learned in almost 20 years of trying cases in the US (civil side only) is that nothing is certain when you leave the final decision to an ultimate trier of fact who is not yourself, whether that trier of fact be a jury, judge or arbitrator. The most important thing for a company is certainty and that is even more paramount when a potential criminal conviction looms over its corporate head. Certainty is equally critical for the prosecution. No matter how ‘slam dunk’ the facts are, or appear to be, once a prosecutor turns over the final decision in a case to another trier of fact; the prosecution has also lost certainty in the final decision. Every corporate defendant which goes to trial can and should raise all procedural and factual defenses available to it. No prosecutor can ever be 100% certain that it will win every court ruling or that a guilty conviction will be upheld on appeal.

However, a DPA can bring certainty. For a company certainty in its rights and obligations, for the prosecution the same is true. The key then is how to achieve this certainty through the judicial process where the judicial system has other interests to protect. These interests include the right of judicial review and protection of the public interest. The key is how to reconcile these competing interests.

One of the suggestions in the Bribery Act debate on this issue is to allow a judicial representative to be a part of the negotiations between companies and prosecutors before a final DPA is agreed to by the parties. The judicial representative could provide guidance on what might be acceptable under a final judicial review when the DPA is submitted to a court for acceptance and Entry of Judge. To forestall any claim of conflict of interest, the reviewing court would be a different judge than the judge who provided the guidance in the pre-court review stage.

However, I would not advocate such an approach for several reasons. I believe that the judiciary has a different role which is to ensure that laws are followed and administered justly and to safeguard that the public interest is represented in any settlement which results in a DPA. For one judicial representative to assist in the crafting of the DPA and another judicial representative to rule upon the DPA demeans from this role. While not enshrined in a written constitution as in the US, there is a distinction between the prosecution, which is a function of the executive branch and the judiciary, which is a function of the judicial branch. While the UK has a different form of democracy than the US, parliamentary vs. representative democracy, the executive and judicial functions remain separate and distinct. Next, no matter how independent the final reviewing judge is, the fact that another judge assisted in fashioning a DPA would factor into any judicial analysis and usually a reviewing judge respects the rulings and decisions of another judge, at least at the trial court level. This respect would most probably continue in the court review of DPAs negotiated with the help of another member of the bench.

Nevertheless, I still argue that DPAs still should play an important role in the resolution of Bribery Act cases. However, I would not urge early judicial involvement but that the key to certainty is transparency. The transparency comes into play in the crafting of the DPA, which should include a full analysis of the penalty to which the parties agreed to in the DPA. Here guidance might be taken from the US Department of Justice’s (DOJ) approach to list out the factors and the attendant scoring in each DPA. This scoring can go up or down depending on many factors which are now discussed in each DPA. Further the underlying factors and scoring are based upon the US Prosecutors Guidelines which are also publicly available.

It is through this transparency that a court can determine if the law, here the Bribery Act, has been fairly or justly administered. A court can then also use this transparency to ensure that the interests of the British public are also properly taken into account. The fact that the Bribery Act is a new law should not prevent a thorough analysis of such factors. The prosecution can simply do what lawyers are trained to do; review the prior law to provide guidance or look at other similar laws for guidance.

I understand the response that a DPA brought before a court under such a scenario that I have listed above is still open to judicial rejection. However, I believe that most courts will follow precedent, if such precedent is used in a well-reasoned manner and presented logically to a court. As for the argument that such an approach may well lead to higher fines or greatly penalties being levied, I would respond that such higher fines or greater penalties should have then been agreed to in the first place.

A DPA can be, and is, a powerful tool in the arsenal to fight bribery and corruption. The US DOJ has used it successfully, I would argue, for many years, to the benefit of the US public. I would also urge that such a tool become available to the SFO and Crown Prosecutors in their fight against bribery and corruption. However, the maintenance of judicial independence is a key component of any democracy. This judicial independence can continue in a manner consistent with the certainty brought by DPAs and court oversight and approval through transparency.

This article originally appeared in thebriberyact.com.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Lean Knowledge Principles: Application to the Compliance Program

In the October 2011 issue of Harvard Business Review is an article, entitled “Lean Knowledge Work”, where authors Bradley Staats and David Upton explore the issue of whether the lean knowledge principles derived from the Toyota Production System can be applied to knowledge work. While there is no one definition of ‘lean’ it has generally included “numerous approaches to improving operations, all based upon the same principles; relentless attention to detail, commitment to data-driven experimentation and charging workers with the ongoing task of increasing efficiency and eliminating waste in their jobs.”

The authors began by noting that most people in the business world believe that ‘knowledge’ based work does not lend itself to lean principles. The reason for this is that knowledge based work is not repetitive based and cannot be repetitively defined. The use of a knowledge based decision making calculus involves use of expertise and judgment, which as the authors put it, is “locked inside the worker’s head.” However, the authors posit that much knowledge based “can be articulated”. Moreover, many knowledge based activities have nothing to do with applying judgment but “can be streamlined to continually find and root out waste.” From my own corporate experience, such knowledge should be captured in a Knowledge Management (KM) system or the company risks losing such knowledge when senior employees retire or move on to other assignments. Under KM a base of knowledge should be available to a wide number of employees to draw upon and not be limited to being inside the head of a limited number of employees.

The authors draw upon six principles to make knowledge based organizations lean.  They are:

1.      Eliminate Waste

The authors point to several ‘wastes’ which are endemic to a knowledge based organization and can ‘eat up huge amounts of time.” These include printing documents, requesting information need to make decisions, setting up meetings and other routine administrative tasks. While recognizing that most employees in corporate America today do not have any administrative support to handle such tasks, the authors suggest that employees not focus simply on eliminating large, obvious forms of waste but focus on small waste which they termed “nickels [of waste] that no one has bothered to pick up.”

2.      Specify the Work

My corporate experience in a legal department is that very little knowledge is written down. Usually there is no attempt at anything resembling KM. However, the authors suggest that employees start with the repeatable parts of a process and codify them. You do not have to specify everything, but certain parts of a process could be specified and made available for others to learn from or draw upon in future work or transaction

 3.      Specify How Workers Should Communicate With One Another

The authors note that in a knowledge based system, ‘many problems are too big or too complex for one person to tackle” so that organizations may use teams to perform  knowledge based work. This can also be true in the compliance context where the Compliance Department may work with a Legal Department, an internal Compliance Champion, or external third parties going through a vetting process or others. When multiple parties are involved it is imperative that good communications be carried out throughout the entire process involved. The authors suggest three guidelines: (1) Define who should be communicating, how often and what should be communicated; (2) Create a shared understating of what is being communicated; and (3) Resolve any disagreements with facts, not opinions.

4.      Address Any Problems Which Arise Quickly and Directly

The authors advocate that if a problem crops up, it should be resolved by the employee who created it. This is because that person usually has a quicker and more expeditious solution. If such a person cannot do so, a team member should work on it or at least participate in the resolution. This would also hold true for the location where any problem arises. It should be resolved in that location. Lastly, do not let problems fester and grow. They should be resolved as soon as possible as they arise.

5.      Plan for an Incremental Journey

The authors suggest that you start small on your journey to lean; as you probably will not get it right the first time. Further you should write down your lessons learned in the process so you will have a record of what worked and what did not work so that at least you will not have to redo that part of the process. Moreover, the lean process implementation is not one set in stone. Be nimble and agile so that you can respond to opportunities to improve the process as they arise. Also remember that not every lean approach works for every knowledge based task or system. Lean focuses on the more repetitive work so spend your time and efforts there.

6.      Engage Your Managers

The authors believe that lean principles result from “bottom up improvement’. However, middle managers should be engaged with their teams, both through education on its benefits and with support throughout the project. Additionally and not surprisingly, senior managers must be long term champions for any such change. For employees to take innovation seriously, senior management must actively support the process. Such a sea-change will require man-power investment, training and monetary investment all of which senior management must actively support. There must be a clear, long term commitment from such senior management to the project.

This article presents a new way for many in a Compliance or Legal Department to think through the challenges of a compliance program, whether based on the Foreign Corrupt Practices Act (FCPA), the UK Bribery Act or both. I continually press that the top priority of a compliance program is to “document, document, document” all the while understanding that a compliance program is very much process driven. The lean approach can be used in many of the process steps where documentation is the key. The discretion and expertise brought to bear in compliance programs can then be overlaid on this system. In today’s economic reality, this approach can help a corporate compliance department deliver a more robust, yet more economical compliance product.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

The Compliance Champion: Getting People to Solve Problems Without You

One of new areas of a best practices compliance program is to engage a company’s non-legal and non-compliance department employees in a role of “Compliance Champion”. Such a concept has several different functions: it allows a small compliance department to leverage resources and to expand the compliance footprint in the workforce and it (hopefully) fosters a workforce that is more committed to compliance through non-lawyer participation. One of the goals of such a Compliance Champion program is to train such employees to be your first line of compliance people on the ground, both to respond to routine queries and to alert the Legal/Compliance Department if a problem needs to be escalated.

This new best practice occurred to me as I read an article in the September issue of the Harvard Business Review, entitled “Smart Rules: Six Ways to Get People to Solve Problems Without You” by Yves Morieux. Bringing a ‘Compliance Champion’ to a business unit usually means bringing a business person, new to the compliance field to a role which may have a different focus than their previous experience. It can often add complexity to their existing job. Morieux speaks to the issue of managing complexity and the “smart rules” set out in the article can assist the transition of an employee into a Compliance Champion.

Rule 1 – Improve Understanding of What Co-Workers Do

The key here is for the Compliance Champion to understand what is being asked of them, the goals and challenges they are expected to meet and the constraints under which they operate within their role as Compliance Champion. Clearly the dissemination of such information is the responsibility of the Compliance Department through training. However, this type of information also comes from observation and interaction; the ‘Doing” part of on the job training.

Rule 2 – Reinforce People Who Are Integrators

This involves the inevitable tension between the Compliance Department which creates the standards and process and the business unit which is involved in sales and marketing. One of the key roles that a Compliance Champion can fulfill is to interact with these multiple stakeholders. As a business unit representative, often times, the Compliance Champion can obtain cooperation more quickly and at a greater frequency than the Compliance Department. The Compliance Department should increase the discretionary powers of the Compliance Champion as they become more comfortable and proficient in the role.

Rule 3 – Expand the Amount of Power Available

This is somewhat related to a portion of the points raised in Rule 2. However, this Rule 3 has a different focus. Recognizing that people always dislike losing power within an organization, your company will need to make certain that the Compliance Champion role is created without taking power away from others within the company. You should make certain that the Compliance Champions have new and different responsibilities from others within the organization.

Rule 4 – Increase the Need for Reciprocity

Morieux defines this Rule as expanding “the responsibilities of integrators beyond the activities over which they have direct control.” This means that you must challenge the Compliance Champions to negotiate and make trade-offs rather than simply avoid issues. By expanding the goals of the Compliance Champions, you will encourage them to work cooperatively with the business unit.

Rule 5 – Make the Employees Feel the Shadow of the Future

Morieux posits that the longer that “it takes for the consequences of a decision to take effect, the more difficult it is to hold a decision maker accountable.” The Compliance Champions need to feel that there will be consequences to their actions so that the “shadow” of the future needs to be relevant to them. This can be accomplished by reducing lead times on the projects involving Compliance Champions. Another technique might be to more regularly review measurable performance outputs. The key here is to make the Compliance Champion feel that their work is real, relevant and the final future of their work is close by.

Rule 6 – Put the Blame on the Uncooperative

There must be accountability for those who fail to cooperate in ways which cause project delays. This can be done by adjustment of a company reward criteria, such as bonuses. If a Compliance Champion says they need more resources to complete a project and the resources are provided and they fail to do so, a bonus reduction should be made. But this means more than simply sanctioning the Compliance Champion. Once there is a communication of a problem, such as the business unit failing to provide information required by the Compliance Champion to complete their assigned task, then the business unit personnel involved also need to have some type of sanction as well.

The author notes that not all of these Rules are required to have a successful management of complexity. I would submit that the same is true for a business unit employee who is assigned to be a Compliance Champion. Nevertheless, the use of a business unit Compliance Champion can help to manage the compliance process in a manner which enhances the overall compliance process and, more importantly, the overall compliance message. Greater diversity in the compliance approach can allow for customized solutions with significant business unit input and allow for greater business unit buy-in for the compliance solution.

————————————————————————————————–

They’re Back!!!!!! Howard Sklar and I discuss all things FCPA and compliance (well mostly all things) on the return of This Week in FCPA, Episode 16. See and hear Howard go on several rants as we discuss Haiti Teleco, denial of the ICE Mandamus Petition, Oracle’s announcement of a FCPA investigation and the post-trial filings in the Lindsey Mfg. case.

On Thursday, Sept. 15, my colleague Mary Jones and I will discuss how a Best Practices  compliance program can assist you in a FCPA compliance investigation, in a webinar hosted by World-Check and Ethisphere. Mary will discuss her experiences at Global Industries in a multi-year, world-wide FCPA investigation and how Global Industries came out with a Non-Prosecution Agreement. For registration and information, click here.

————————————————————————————————–

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011