FCPA Compliance and Ethics Blog

April 6, 2015

Tribute To Eddie LeBaron and CCO as Compliance Project Sponsor

Today we celebrate Eddie LeBaron, who died last week. LeBaron was a diminutive pro quarterback for 11 seasons in the National Football League (NFL) in the 1950s and 1960s. He was also a lawyer and decorated veteran, having been awarded the Bronze Star during the Korean Conflict. In his New York Times (NYT) obituary, Frank Litsky wrote, “In a position where players are now routinely 6 feet 3 inches or taller, LeBaron was 5-foot-7, and his weight never reached 170 pounds. But he had no fear of scrambling.” LeBaron quarterbacked the Dallas Cowboys from 1960 to 1963, before handing the reins of Coach Tom Landry’s offense over to Don Meredith with his retirement. After his retirement he worked as a color analyst for CBS Sports, which covered the NFL in those days. One of the things that I remember from his commentary work was the need for planning in any game plan. It was one of the first things I recall learning about pro football.

One of the skills you may be called upon to exercise as a Chief Compliance Officer (CCO) or compliance practitioner is the initiation, integration or enhancement of a Foreign Corrupt Practices Act (FCPA) compliance solution into an organization. Most assuredly, one of the things that is not taught in law school or in any compliance course is project management. As CCO, you may either lead such a project on a day-to-day basis or you may take the role of project sponsor, while delegating the day-to-day running of the project to a compliance practitioner in your group.

I thought about this issue when reading a recent article in the MIT Sloan Management Review, entitled “How Executive Sponsors Influence Project Success”, by Timothy J. Kloppenborg and Debbie Tesch. In their article they note, “The role of a project sponsor is often overlooked. But for every stage of a project, there are key executive sponsor behaviors that can make the difference between success and failure.” I found that their article has some excellent tips for the CCO or compliance practitioner who may be facing such a task. The authors break the project life cycle into four stages: (1) Initiating Stage; (2) Planning Stage; (3) Executing Stage; and (4) Closing Stage.

I.   Initiating Stage

In this stage there are three key activities that a sponsor should pursue. First, the sponsor needs to set the performance standards. This “can be accomplished in the project charter by stating goals about the project’s strategic value and how it will be measured.” But beyond the written details there must be a “clear understanding of expectations about performance” of which dialogue is critical. Second, the project sponsor must mentor the project manager, whose key responsibility is to explain, “how the project fits into the big picture, defining the performance standards and helping the project manager set priorities.” Finally, the project manager must establish the project priorities, with the “most compelling” questions being “what needs to happen first and how should conflicts be settled?”

II.  Planning Stage

In the Planning Stage the authors believe that there are two critical project sponsor behaviors. The first is to “ensure planning” activities are completed by providing “leadership so that the project manager and team can set goals that align with the vision and broader organizational goals.” The second is to “develop productive relationships with stakeholders”. This means frequent meetings and communications. Interestingly, the project sponsor should not only see that “needs are identified and understood” but also make “sure that stakeholders’ emotional concerns are given adequate consideration.” Admittedly this is not something lawyers do particularly well, but it is mandatory for the CCO or compliance professional.

III.  Executing Stage

In the Execution Stage the authors identify three elements. First the project sponsor must “ensure adequate and effective communication.” This means that regular communications must occur as the project progresses “to make sure that expectations are met.” However this may require the project sponsor to “stand ready to manage the organizational politics with internal and external stakeholders.” Second, a project sponsor must work to help “maintain relationships with stakeholders.” This element helps facilitate the project manager and project team communications noted in the first element. Here the project sponsor should be “open to direct feedback from team members” to ensure that expectations are met. Finally, the project sponsor should work to “ensure quality” by practicing “appropriate decision-making methods and work to resolve issues fairly.”

IV.  Closing Stage

Finally, in the Closing Stage the authors write that there are two elements that project sponsors should emphasize. The first is to “identify and capture lessons learned.” They should be properly “categorized, stored and distributed in such a manner that future project teams will be able to understand and capitalize on”. The second element is to “ensure that capabilities and benefits are realized.” Capabilities, the authors suggest, “could include employees becoming more committed and more capable”, and processes being “more effective and efficient.” Benefits relate to “verifying that the deliverables that were specified at the beginning were actually provided, work correctly and satisfy customer needs.”

To the extent they know much about project management, most CCOs or compliance practitioners are aware of the “iron triangle” of factors that determine a project’s success. The authors define these as “cost, schedule and performance.” But the authors’ research has led them to conclude that for a project to be a success it must meet an organization’s expectations. The next evaluative point is whether the project came in on time, within budget and to the project’s specifications. Finally, did the project succeed in bringing its touted positive benefits to the organization?

By using the steps the authors have outlined, a CCO can think through the organization and ongoing performance of a project to set it up for success. Equally important for the CCO, if the project management has been delegated to compliance team members or to other disciplines inside your organization, such as legal, internal audit, IT or human resources, the continued involvement of a CCO as the project sponsor can be a key component. The authors posit, “for every project stage, there are success factors that project sponsors should consider” and that a CCO must engage in an ongoing and continual dialogue with the project manager. Finally, key lessons learned should be captured and used down the road to help facilitate other projects or issues as applicable.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

November 6, 2014

Supplier Risk Management – Interconnected Processes

I recently read a book review in the Times Literary Supplement (TLS) by Archie Brown, entitled “One into fifteen”, where he reviewed the book “The Last Empire” by author Serhii Plokhy. Plokhy’s book is about the dissolution and final days of the Soviet Union. One of the more interesting precepts from the book is the end of the Soviet Union as announced on Christmas Day, 1991, by then Communist Party Secretary Mikhail Gorbachev. Brown wrote, “All too often the dissolution of the Soviet Union is conflated with the end of Communism and with the end of the Cold War. But the book points out that the Politburo had ceased to be the ruling body of the USSR in March of 1990 and thus it was “entirely fallacious to speak of either Communism or the Cold War as having ended in December 1991. The transformation of the system was a precondition for the demise of the state, with the latter being an unintended consequence of the former. But these were distinctive, albeit interconnected processes.””

I considered ‘interconnected processes’ when I saw the Compliance Insider, Illustrative Case Study Series, entitled “Supplier Risk Management”, in which The Red Flag Group laid out in a visual format how a company can effectively identify and manage risks in its supply chain. The process is dubbed ‘Report, Review and Improve’ and consists of six steps.

Step 1 – Collect information on the suppliers. This step begins with a review and assessment of your own Vendor Master files to make an initial determination if a new or indeed other supplier is needed. If there is a business justification for bringing the supplier into a commercial relationship with your company, then you should gather performance data on the proposed vendor. The article suggests that a technological solution can help to provide risk-rated questionnaires to facilitate the process by building workflows and approvals directly into your questionnaires.

Step 2 – Validate the collected information. This is the investigative step. You should take the information provided to you by the proposed supplier and test it. You can check on references. You should also engage the supplier directly by interviewing the internal staff of the proposed supplier and reviewing documents and records as appropriate. When necessary, you may also wish to consider the use of outside experts or internal consultants for recommendations or validations. This step should end with the creation of a risk score of the data you have gathered. Here a technological solution can assist by automating your analysis of completed questionnaires with a risk-based scoring of the answers to facilitate the validation process.

Step 3 – Rate the risk of the supplier. This is the analysis step where you should “compare the risks against your complete knowledge of the proposed supplier.” You should also compare your assessed risks against industry data and then risk-rank the proposed supplier or suppliers. A technological solution can also help to crunch large amounts of numbers or other data to give a first pass on your risk-ranking, which can be further refined if required.

Step 4 – Implement risk management controls. The article posits that this step should include the conducting of background due diligence and integrity analysis by screening against known watch lists, sanctions lists and those of politically-exposed-persons (PEPs). A technological solution can help this step by managing the request and delivery of due diligence reports, aid in the reviewing, approving and tracking of completed reports and ensure ongoing compliance with automated daily reviews of such lists. Another suggested component of this step is to meet with your internal and external stakeholders to convey expectations. From this point you should be ready to enter the contracting phase, with appropriate compliance terms and conditions. To the extent required, you should also create and manage your compliance policy for the supplier at this stage as well.

Step 5 – Assess and monitor the supplier. In any relationship with a third party in the compliance world, this step is where the rubber hits the road and you have to manage the relationship. The article discusses custom eLearning that can allow you to quickly and efficiently create training programs for your suppliers based upon your compliance regime and not hypothetical training based on legal standards. A technological solution can also assist you in obtaining online certifications to certify that your supplier is in compliance with your company’s business requirements and internal controls. Finally such a solution can help to automate the process going forward to ensure that certification updates are provided, executed and tracked. But more than the ongoing certifications and training, you will need to monitor the transactions you engage in with a supplier. This may entail reviewing a large amount of data through transaction monitoring but it may also entail going to visit a supplier and going through the deep dive of an audit.

Step 6 – Continuous reporting, review and monitoring. All of this information you obtained must be fully documented. Of course, it must be documented to produce to a regulator if the government comes calling. However, this information can also be used to improve the supplier relationship and perhaps even your vendor system. One of the most interesting suggestions was to create a ‘Virtual Data Room’ dedicated to your suppliers. Not only would the creation of such a stored environment enable you to call up information requested by a regulator on short notice, you would also have it in an accessible format for supply chain process improvements. The article suggests trying such techniques as implementing performance incentive programs which can push compliance culture and behavior changes based upon the data you collect. Interestingly, the clothing company Levi Strauss instituted just such a policy for suppliers in the area of corporate social responsibility, announcing it earlier this week.

If you do not subscribe to The Red Flag Group’s Compliance Insider publication, I suggest that you do so. It is one of the very best periodicals around on the building blocks of compliance. The six steps it has laid out for the process of identifying and managing your supplier compliance risks under the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act demonstrate the thesis of Plokhy’s book reviewed in the TLS: that it is interconnected processes which usually mark change and management. In the case of the former Soviet Union, it may have been drawn by more human factors, but there are now a variety of technological tools available to assist your facilitation of this process under any anti-bribery or anti-corruption compliance regime.


© Thomas R. Fox, 2014

October 2, 2014

The Mitford Sisters and the Compliance Audit

Deborah Cavendish died last week. She was the last surviving member of an extraordinary group of women known as the ‘Mitford Sisters’. They were six daughters of David Freeman-Mitford, the 2nd Baron Redesdale and the former Sydney Bowles. The six had about as varied lives as one could possibly have from six different yet related siblings. Nancy (1904-73) became an author and wrote “The Pursuit of Love” and “Love in a Cold Climate.” Pamela (1907-94), who grew up wanting to be a horse, married a horseman who became a physicist. Diana (1910-2003) married Britain’s fascist leader Oswald Mosley, in the presence of Hitler and Joseph Goebbels. Unity (1914-1948) fell in love with Hitler and was Eva Braun’s rival for his affections; she died a decade after her attempted suicide with the bullet still in her head. Jessica (1917-96) was a communist. This did not prevent her from eloping with Churchill’s nephew and moving to the United States, where she penned “The American Way of Death” and other books. Deborah developed a passion for chickens and later married Andrew Cavendish, who became the Duke of Devonshire, making Deborah the Duchess of Devonshire.

Deborah’s major accomplishment was to adapt the Duke’s ancestral home of Chatsworth into a self-sustaining family business. She kept up a personal and active involvement in this project for nearly 40 years, until her husband died and she became the Dowager Duchess. Today, Chatsworth is one of the most visited sites in England.

I thought about Deborah, her remaking of Chatsworth and how she and her sisters remade themselves from the fairy-tale princess lives they grew up with when I read a recent article in the Red Flag Group’s Compliance Insider, September-October issue, entitled “Rethinking the typical audit”, by Georgia White. The piece recognized that the standard financial audit clause may be of little use to the compliance practitioner but it can be reworked “to include proactive compliance obligations which can be an effective and valuable way to positively manage relationships with distributors and resellers.” Some of the reasons that typical audit clauses with such parties are disfavored were identified: they are “insufficiently tailored and poorly defined” or they have some type of “catch-all” provision which allows a company to audit more than simply its relationship with a distributor or reseller. Such audit clauses were noted to “represent little value for both the client and the business partner.”

Compliance Audit Clause

The first focus of the article was that “Compliance audits should be aimed at engaging business partners to participate in compliance initiatives pro-actively, whether by way of interview or discussion, integrity circles or forums, or healthy checks or periodic review”, all supplemented by occasional transaction sampling. In other words, you must do the work required in managing the relationship after the contract is signed, or Step 5 in the Five Step lifecycle management of third parties. The article suggested the following compliance audit clause: “In addition to maintaining proper records and accounts in relation to Distributor/Reseller’s use of product X, Distributor/Reseller will participate in compliance health checks and periodic reviews, and attend integrity circle and forums on a regular basis as required by Supplier Y. In the event of an allegation of misconduct, upon seven (7) days written notice Supplier Y (or its authorized agent) may conduct an inspection and audit all relevant facilities and records of Distributor/Reseller to verify compliance with obligations under this Agreement. Such audit is to be conducted in business hours at Supplier Y’s own expense and in such a manner as not to unreasonably interfere with Distributor/Reseller’s normal business activity.”

Getting buy-in from business partners

The piece suggests that by pro-actively engaging your Distributor/Reseller in this manner you can help maintain “the integrity of the relationship” and keep “open and transparent lines of communication.” While it may be easier to include such a clause with a new Distributor/Reseller, you may face a challenge with a relationship which has been long standing. However, for an effective Distributor/Reseller relationship to be maintained, the author believes that everyone must be treated equally (the Fair Process Doctrine in play) as “compliance audits should apply to new and existing partners alike.” The key is communication by educating your Distributor/Reseller base “on the value of this kind of proactive exchange on compliance issues during business-planning sessions.” In other words, set expectations by talking to your business partners about why the compliance audit is necessary and, more importantly, have them understand the “risks associated with product diversion and unethical behaviour.”

When should the audit clause be added?

The piece takes on another touchy subject in audit clauses, which is timing, by stating, “To maintain positive relationships with existing business partners it is important to consider the timing of any proposed changes to existing contractual provisions.” However, White provided some timing points for initiating this discussion.

  • Contract renewal cycle. If such a discussion is brought up during the regular renewal cycle you certainly should have a good argument about such programs under a Foreign Corrupt Practices Act (FCPA) best practices compliance program. The debate about whether distributors were covered was ongoing until a couple of years ago, so many companies may not have considered auditing such relationships. Moreover, White notes that if you raise the issue during a renewal cycle, “business partners are less likely to invoke suspicion that is a ‘targeted’ requirement” you are aiming only at them.
  • Annual business planning sessions. Such meetings usually entail an overall strategy component so White believes it is a good time to bring up the issue in the context of your company’s overall anti-corruption compliance efforts. You should have the opportunity to “discuss best-practice strategy and introduce the possibility of proactive compliance auditing for the relationship going forward.” The more you can focus on the ‘partner’ nature of the compliance obligation the more this should resonate with your Distributor/Reseller.
  • Company-wide annual meetings with Distributor/Resellers. Here White suggests that if you bring all of your Distributor/Resellers together and announce the auditing requirement, you may be able to demonstrate that auditing is now a system wide requirement. She believes “The chance of buy-in is increased if it is perceived that other competitors are already actively engaging with you in this manner.”
  • White suggests, particularly if you are in a high risk environment or need to institute such an audit right sooner rather than later, that you negotiate over audit rights. She suggests “consider introducing the proposed change in tandem with a benefit that is being rolled out to the business partner.” I would add that you could also sweeten up the pot.

From the overall tone of White’s article, the key seems to be communication. Communication can be used to show that adding and then invoking a compliance audit clause is not necessarily a negative outcome. But more than communication with your Distributor/Resellers is the concept from the Fair Process Doctrine; that is, if the process is fair, people and business partners may be more willing to accept a perceived negative outcome. This will go a long way to alleviating fears from Distributor/Resellers that they are being targeted for some nefarious reason or worse, that your company may be using the information obtained in a compliance audit to drive down the commercial value of the relationship.


© Thomas R. Fox, 2014

July 2, 2014

Gettysburg Day 2 – A Failure of Culture in Leadership and How to Overcome It

Today is the 151st anniversary of Day 2 of the Battle of Gettysburg. Last year I focused on Union General Dan Sickles and how his disobeying of his commanding officer’s order destroyed his brigade and ended his military career. Today, I want to focus on the Confederate side and how the non-use of information doomed the Confederate attack on Day 2 when it failed to dislodge the Union Army from the heights south of the town of Gettysburg.

If you have ever been to the battlefield, you were most probably struck by the rockiness of the heights to the south of town. While much of the area around the town had been cleared for farming, there were some very rocky and stark ridges that ran south of Gettysburg. The Confederate plan had been to seize this high ground using a road that split the rocky crags as a launching point. However, Confederate General James Longstreet failed to follow this order when he ordered his men to make a long, circuitous route that could not be seen by Union Army Signal Corps observers on Little Round Top. It was 4 pm by the time his two divisions reached their jumping off points, and then he and his generals were astonished to find the Union Army’s III Corps planted directly in front of them. Confederate General John Hood argued with Longstreet that this new situation demanded a change in tactics; he wanted to swing around, below and behind, Round Top and hit the Union Army in the rear. Longstreet, however, refused to consider any modifications to Lee’s order as the Confederate Army had suffered a significant defeat by not dislodging their enemy. A Confederate staff officer remarked that Lee was “not in good humor over the miscarriage of his plans and his orders.”

Longstreet’s refusal to take account of the changed conditions in implementing his orders had disastrous consequences for the Confederates on Day 2. Other than the slaughter of their troops in places like the Wheatfield, the Peach Orchard, Devil’s Den, Big Round Top and Little Round Top; they did not accomplish any military objectives. In the compliance world the failure to take changed or different circumstances into account can have negative consequences as well. I thought about some of these concepts when reading a recent article in the May issue of the Harvard Business Review (HBR), entitled “Navigating the Cultural Minefield”, by Erin Meyer, where she wrote about learning how to work more effectively with people from other countries. As all Chief Compliance Officers (CCOs) or compliance practitioners who work in a company subject to the Foreign Corrupt Practices Act (FCPA) work with employees outside the United States I found her insights useful when thinking about how to deal with employees from other cultures.

Meyer has developed a tool she calls the Culture Map. It consists of eight scales representing the management behaviors where cultural gaps are most common. By comparing the position of one nationality relative to another on each scale, the user can decode how culture influences day-to-day collaboration. Her eight scales are “based on decades of academic research into culture from multiple perspectives. To this foundation I have added my own work, which has been validated by extensive interviews with thousands of executives who have confirmed or corrected my findings.” They are:

Communicating. Meyer compares cultures along the Communicating scale by measuring the degree to which they are high- or low-context, a metric developed by the American anthropologist Edward Hall. She believes that in “low-context cultures, good communication is precise, simple, explicit, and clear. Messages are understood at face value. Repetition is appreciated for purposes of clarification, as is putting messages in writing.” This contrasted with high-context cultures, where “communication is sophisticated, nuanced, and layered. Messages are often implied but not plainly stated. Less is put in writing, more is left open to interpretation, and understanding may depend on reading between the lines.”

Evaluating. Here Meyer “measures a preference for frank versus diplomatic negative feedback. Evaluating is often confused with Communicating, but many countries have different positions on the two scales.” She notes that the French “are high-context (implicit) communicators relative to Americans, yet they are more direct in their criticism” but “Spaniards and Mexicans are at the same context level, but the Spanish are much more frank when providing negative feedback.”

Persuading. Meyer notes that the manner “in which you persuade others and the kinds of arguments you find convincing are deeply rooted in your culture’s philosophical, religious, and educational assumptions and attitudes.” So, for instance, a senior “Western executive will break down an argument into a sequence of distinct components (specific thinking), while Asian managers tend to show how the components all fit together (holistic thinking).” But she even delineates this scale further by finding that, “people from southern European and Germanic cultures tend to find deductive arguments (what I refer to as principles-first arguments) most persuasive, whereas American and British managers are more likely to be influenced by inductive logic (what I call applications-first logic).”

Leading. This scale measures the degree of respect and deference shown to authority figures, placing countries on a spectrum from egalitarian to hierarchical.

Deciding. Meyer articulates that this scale measures the degree to which a culture is consensus-minded. She believes that Westerners wrongly believe that the “most egalitarian cultures will also be the most democratic, while the most hierarchical ones will allow the boss to make unilateral decisions.” She found that while “Germans are more hierarchical than Americans, but more likely than their U.S. colleagues to build group agreement before making decisions.” Further, she noted that the “Japanese are both strongly hierarchical and strongly consensus-minded.”

Trusting. Meyer splits this into the old ‘from the head’ (cognitive trust) or ‘from the heart’ (affective trust) analysis. She wrote, “In task-based cultures, trust is built cognitively through work. If we collaborate well, prove ourselves reliable, and respect one another’s contributions, we come to feel mutual trust. In a relationship-based society, trust is a result of weaving a strong affective connection. If we spend time laughing and relaxing together, get to know one another on a personal level, and feel a mutual liking, then we establish trust.”

Disagreeing. While Westerners, particularly Americans, tend to believe that a little open disagreement is healthy; other “cultures actually have very different ideas about how productive confrontation is for a team or an organization. This scale measures tolerance for open disagreement and inclination to see it as either helpful or harmful to collegial relationships.”

Scheduling. This one is my personal bane as there are some cultures that take the position that people treat scheduling, deadlines and meeting times as a mere “suggestion.” Her “scale assesses how much value is placed on operating in a structured, linear fashion versus being flexible and reactive.”

From this scale, Meyer has developed four rules to help bridge the cultural gap.

  1. Do Not Underestimate the Challenge. Most management styles have been developed over a lifetime of work. For most CCOs this includes a stint in a corporate legal department. But as Meyer notes, “Succeeding would depend on taking an entirely different approach and making ongoing adjustments over the long term.” Further, you may well need to unlearn many of the techniques that have made you successful.
  2. Apply Multiple Perspectives. Simply recognizing the cultural perception of other employees is not enough, as you will need to look “through multiple lenses.” Meyer writes that you need to understand the cultural position of one country relative to another: “You need to understand how the Koreans perceive the Indians, how the Indians perceive the Brazilians, and so on, and manage across the map. As you learn to look through multiple lenses, you may see that on some scales the Brazilians, for example, view the Indians in a very different way than the Koreans do.”
  3. Find the Positive in Other Approaches. People tend to see the negative when looking at how other cultures work, but Meyer suggests that you should try to understand what it is that makes a culture work. Further, if you have a compliance team from different cultural backgrounds, this can bring strength to your overall position. Lastly, you can achieve a “complex understanding of various [cultural] strengths on the team” so that you can choose the best players going forward.
  4. Adjust and Then Readjust Your Position. Meyer believes that “More and more teams are made up of diverse and globally dispersed members. So as a leader, you’ll frequently have to tweak or adapt your own style to better mesh with your working partners. It’s not enough to shift to a new position on a single scale; you’ll need to widen your comfort zone so that you can move more fluidly back and forth along all eight.”

Meyer’s article provides some very good insight for the compliance practitioner. We all will have to deal with many cultures in a multi-national corporate compliance practice. By using the techniques that Meyer has developed you can not only come to understand how better to lead but also you can use your team members from other cultures to facilitate greater communication of compliance principles, training and issues throughout the organization.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

 

May 13, 2014

Working With Third Parties in the Due Diligence Process

On this day we celebrate the 1607 founding of the English colony at Jamestown. While credited with being the first English colony in what became America, it’s probably more accurate to refer to it as the first permanent English colony that survived for any length of time. The largely male colonists faced many tough years before they finally pulled through. One thing that made the colonists’ experience so difficult was that they had no idea about what to expect when they sailed over to the New World.

Hopefully in the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance regime, the situation is a bit more advanced today when it comes to looking at third parties during due diligence, in the pre-contract phase of third party management. While most companies, if not comfortable with the need for and execution of pre-contract signing due diligence, certainly understand the need for this process, the same is not universally true for the non-US or non-UK company upon which due diligence is being performed. An interesting article in the recent issue of Compliance Insider, entitled “Disclosing the Subject-Dealing with Compliance Immaturity”, deals with precisely this situation, where the third party has not gone through the due diligence process. The article provides some useful tips on how the compliance practitioner can get through this sometimes-delicate process.

One thing the article makes clear is that if you are performing due diligence on a third party, you should fully disclose this information to the third party. They state, “There is nothing to be gained by not telling the subject company about the process or trying to keep it secret. Except for in an acquisition where the buyer has yet to disclose themselves, there is little advantage in keeping quiet. The third party expects that you will be doing some form of due diligence and engaging a compliance or legal firm to complete a review. There is nothing that the due diligence company or law firm is going to do differently than if that due diligence were secret – no one would ever disclose more than they had to and would never disclose the name of the client for which they were acting.”

After you disclose to the third party that they need to go through your company’s due diligence process, which should begin with a questionnaire to help determine the appropriate level of due diligence to perform, you may face pushback from the third party. Unfortunately, as the article notes, such pushback usually goes initially to the business contact, who tends to side with the third party against the compliance function. This means that you need to educate your business unit sponsor on the reasons your company must engage in the third party management process so that they can communicate this to the third party. The article identifies three major reasons why a third party may resist your attempts at due diligence.

  1. Immaturity – the third party is “not used to due diligence or working with global companies that focus on compliance. They are not aware of the value of due diligence and have been living in the “compliance cave”. This is an issue in itself as it shows a degree of compliance immaturity and certainly gives an insight into how that company might be as an acquired entity. They are probably going to focus on the fact that there is an inbuilt level of trust that is needed in business and that the company should rely on that trust.”
  2. Negotiating – the third party may be “negotiating, trying to leverage the issue for their own gain as part of a negotiation. They may not be trying to hide anything per se, but may be sending a message that the company is taking too long, being too conservative, being caught in compliance obfuscation or losing sight of the real deal.”
  3. Hiding – it may also be that the third party does have something to hide.

The article suggests four clear steps that you can take if you are faced with one or more of the above reasons for pushback from the third party.

  1. Engage the issue head on – it is important that you quickly and succinctly address concerns that your compliance team or compliance process is “heavy handed or that there is a lack of trust” between your company and the third party.
  2. Engage the business sponsor – as I stated above, one of the key components of any successful third party lifecycle management program is the engagement of the business sponsor. Obviously the business sponsor needs to justify the potential contractual relationship your company would have with the third party but the business sponsor is also the primary point of contact with the third party, throughout both the pre-contracting phase and the post-contracting relationship management. The article intones that if the third party tries to use an excuse to stop or lessen the process, “then the transaction is probably not worth it.”
  3. Develop your company’s compliance message – you should be crystal clear that your company will “conduct due diligence and background screening on all its proposed business partners and it is company policy to do so.” This can be done through reference to the FCPA and your company policy. But beyond a simple legal explanation, reputational risk is also important for your company. Be clear and re-emphasize your message that “there is neither a lack of trust nor an assumption of lack of integrity on the part of the subject company – it is normal procedure and gets done for all third parties of certain types right across the company, and this subject company is no different.”
  4. Negotiate a proposed go-forward plan – the article emphasizes that you should “not back down” and I whole-heartedly agree. But more than simply standing strong, you can use these discussions to help educate the third party on why the process is important not only for your company but also for the third party. If they want to do business with any US or UK company, they will need to go through this process. Indeed, it will make them more marketable to US or UK companies if they have gone through the process.

Like many compliance practitioners, I came to the field of compliance through the legal department. Working for a very big fish company in the energy company, it was very much ‘big fish-little fish’ where the big fish told the little fish what would be in the contract. However, that model does not, nor should it, work in the compliance field. I have found that most third parties understand that if they desire to do business with a US or UK company, since we are required to perform due diligence as part of any best practices compliance program, the third party will need to be a part of that process. The Compliance Insider article provides a valuable look at a topic which is not always focused on from the perspective of the US or UK based compliance practitioner.


May 5, 2014

Hitting the Ground Running – Your First 100 Days as a New CCO

The first 100 days. Franklin D. Roosevelt’s (FDR’s) first term is the standard by which all other Presidents are measured for their first days in office. Why? It is because FDR not only hit the ground going full speed but also passed legislation which changed the shape of America for years to come. While the first thing he did was declare a Bank Holiday to save the nation’s banking system, he also passed significant legislation to try to stem the effects of the Great Depression. These bills included the Agricultural Adjustment Act, the Federal Emergency Relief Administration, the Civilian Conservation Corps, and, finally, the National Industrial Recovery Act. He also enacted the Truth-in-Lending and Glass-Steagall Acts to help regulate the stock market, whose collapse had heralded the economic downturn. Even if these acts did not turn the tide of the Great Depression, they gave people hope because at least it appeared FDR was doing something to fight the economic calamity.

Now imagine that you finally have been able to secure a new position as Chief Compliance Officer (CCO) in the compliance field. Every company believes that they are ethical and that they certainly do business ethically but what are some of the things that you can do in your first 100 days? Hopefully you will not be dropped into a corporate situation as dire as the one FDR faced for the US in 1933 but the reality is that many new heads are still judged on these mythical first 100 days.

In the March-April issue of the Red Flag Group’s Compliance Insider magazine, the issue of what you can do to help yourself to succeed in a new role was explored in an article entitled “The First 90 Days in Compliance”. The article uses the book The First 90 Days by author Michael Watkins as a starting point to provide “systematic methods you can employ to both lessen the likelihood of failure and reach the break-even point faster.”

Prepare Yourself

The key is to try and make a clear transition. The best situation is if you can take some time off to prepare yourself between your old and new positions. You should try and use this time to learn more about your new employer and supplement the information you were able to garner during the hiring process. If you cannot take time off, the article suggests studying every night to prepare for your new position. If you want to hit the ground running, you have to be ready to do so.

Accelerate Your Learning

You will be required to learn quite a bit on the job, very, very quickly. The article suggests some key areas for immediate inquiry, which include your new company’s investigations and hotline issues; the internal audit documents relating to compliance; the annual reports for any notes about investigations or other Securities and Exchange Commission (SEC) issues; and a general review of what is happening in the industry to see if there are ongoing Foreign Corrupt Practices Act (FCPA) investigations or recent enforcement actions. The article also suggests meeting up to 50 colleagues in your new company to “Interview them about the company’s existing compliance” program. From these interviews, you can reach out to begin to build a network for further interviews.

Match Your Strategy to the Situation

Here the article suggests that you need to first identify the highest compliance risks and then try to focus on the risks which are not being managed effectively. They note, “It is your role to quickly work out where the most risky practices are and which risks will have the biggest effect on the business…The part that is more challenging is managing risk while focusing on the areas that have the biggest business value. Business value can be measured in country value, profit or reputation. It can also be measured in reducing potential exposure in fines or prosecutions, or growing revenue and profits.”

Secure Early Wins

You do not need to try and fix the company’s compliance program in the first 100 days. But you do need to find a way “to identify opportunities to build both personal credibility and credibility for the compliance function as a whole.” The article suggests taking the issue which seems to have the most “noise” and contributing towards resolving it. But some of your work may come with instituting good process, as “A large amount of early wins can be as simple as the new compliance team focusing on adding value, removing obfuscation and helping to grow the business, rather than being a roadblock.”

Negotiate Success

One obvious thing to generate success in the corporate world is to have a good relationship with your boss. The article suggests you should have important conversations around “expectations, working style, resources and your personal development.” To facilitate these discussions the following points are posited:

  • There is no value in trashing the existing compliance program.
  • You need to drive the discussions with your boss.
  • Your boss is looking for solutions, not problems.
  • Your boss is not interested in running through your checklist of things to do.
  • Make sure that you connect with the people that your boss values and admires, such as their mentor.
  • Most importantly, set expectations.

Achieve Alignment

If you have not done so through the hiring process, you should have a clear understanding of what compliance means at your new company and what your role will be. While you were hired for FCPA or other anti-bribery legislation compliance, does compliance mean something broader in your new role?

Build Your Team

You will probably be called on to make some difficult personnel decisions in this area, but ones that are absolutely necessary. As the article notes, “your ability to select the right people for the right positions is among the most important drivers of success during your transition and beyond. You also need to hold onto the right people. The focus for every solid manager is to focus on the best people and only those people – the rest should quickly be managed up or out.” If compliance is seen as ‘The Land of No’ populated by one or more Dr. No characters, it is time to make a change and the sooner the better.

Create Coalitions

One of the biggest keys for any successful compliance program is the ability “to influence people outside your direct line of control. Supportive alliances, both internal and external, are necessary if you are to achieve your goals.” You will need to try and identify those persons and develop relationships, then create coalitions with them. This means you will need to get out of the office and get overseas as quickly as possible. While your manager, be it the Chief Executive Officer (CEO) or other, will probably want you in the office, you need to get out of your office and build relationships in the field.

Keep Your Balance

These first 100 days will be a time of very high stress. This may well be compounded by your travel schedule and working very long hours to try and fulfill the concepts discussed herein. The article advises, “The right advice-and-counsel network is an indispensable resource. Use your network of mentors, coaches and friends to discuss your part at the company and what you have been experiencing.” The key is to use whatever resources are available to you during your first 100 days.

Accelerate Everyone

Just as FDR accelerated his actions during his first 100 days, a large part of his success was that he accelerated those around him. You should take this key component of FDR’s success to heart in your new role. Get all of your “direct reports, bosses, and peers – accelerate their own transitions. The fact that you’re in transition means they are too. The quicker you can get your new direct reports up to speed, the more you will help your own performance.”

It is difficult to imagine today a harder situation than the country faced when FDR came to power in 1933. The task must have seemed overwhelming. Starting a new compliance leadership position at a new company can seem equally daunting. The Compliance Insider article provides an excellent framework on how to not only think through your steps going forward but also how to execute them.


April 15, 2014

The Louisiana Purchase and Compliance Focus Group – Changing the Game

In 1803, the fate of the United States changed in ways that could have never been contemplated, when the French Minister Talleyrand offered to sell France’s entire Louisiana Territory in North America to stunned American negotiators, Robert Livingston and James Monroe, who were simply trying to purchase the city of New Orleans from the French Emperor Napoleon. Quickly recognizing that this was an offer of potentially immense significance for the US, Livingston and Monroe began to negotiate on France’s proposed cost for the entire territory. Several weeks later, on April 30, 1803, the American emissaries signed a treaty with France for a purchase of the vast territory for $11,250,000. With the sale of the Louisiana Territory, Napoleon abandoned his dreams of a North American empire, but he also achieved a goal that he thought more important. “The sale [of Louisiana] assures forever the power of the United States,” Napoleon later wrote, “and I have given England a rival who, sooner or later, will humble her pride.”

There are many great resources out there for the compliance practitioner. One of them I have really come to appreciate and look forward to receiving is the Red Flag Group’s bi-monthly Compliance Insider magazine, available both in print and online versions. In the most recent version there were several articles that I found very useful for the compliance practitioner but the one I want to focus on today is the compliance focus group. This provides a forum, which allows employees to raise compliance issues and concerns in “an informal environment, in small groups or in one-on-one sessions. They can be done as stand alone or as break-out sessions from larger meetings, conferences or similar events where multiple parties get together.” The article provided 10 things which you should consider before you hold your compliance focus groups.

  1. Select Your Countries and Regions Carefully. You need to reflect on selecting those areas, which have “compliance issues, have been the subject of investigations or are higher risk.” Contrast that selection with one or more regions that have achieved compliance performance so that you can clearly articulate the difference. Most importantly, pick the regions that need the most support and “have the most business at risk if there is a compliance issue. You will also know from your own business those areas, business units or regions where there is more “noise” around compliance.”
  2. Plan Your Locations, Times and Attendees. Think about your logistics, both higher level such as travel times and lower details such as seating. As you will usually desire to have three to four sessions per day, up to 90 minutes, you will need to make sure people have enough time to get there and register. But also think about seating, as you want to make things as informal as possible. This means a conference table or a large U shape arrangement and not classroom or lecture room seating.
  3. Have Separate Management Sessions. It is important that you make attendees feel that they can give open and honest thoughts about the company and its compliance regime. This means you cannot have senior management in sessions for middle management and lower management and employees.
  4. Draft an Agenda and a Short Presentation. The author believes that many times participants will need a stimulus of some sort to get things going. He advises “A good idea is to build a brief agenda before the meeting, even if it is fairly flexible – many senior employees will demand an agenda before accepting a meeting.” Also prepare a brief PowerPoint presentation for the session designed to explain the purpose and outcomes of the session; keep it to five or six slides which will act as placeholders for discussion topics.
  5. Think About Some Probing Questions In Advance. Here are some of the suggested questions that you should consider asking the group:
     • Do people understand what compliance is? What does it mean to you in your daily business dealings?
     • What do people think of the policies and procedures across the company?
     • Is the training simple and easy to understand?
     • What is the company culture around compliance? Do people really take it seriously or is there a “tick-the-box” mentality?
     • Are there issues with reporting? How do people report? What is the culture regarding reporting issues?
     • Does management “walk the walk” with compliance or just “talk the talk”?
     • How does your company compare to its peers in the area of compliance?
     • What is the competitive environment like, both externally and internally?
     • Where are the areas that compliance could improve?
  6. Select a Facilitator. Compliance issues can be sensitive and people can be uncomfortable talking about them. For the focus group to succeed and be of value, everyone should be made to feel comfortable and feel that they are not being audited or reviewed, or they will not be confident to speak up. The author believes that here a good facilitator can assist in keeping “the discussion going, ensure that everyone participates, make people feel at ease and, most importantly, ensure that the discussion is lively. The facilitator might also need to be trained on some of the risk areas of the business and have a solid understanding of the business and the existing compliance program.”
  7. Prepare Your Opening Disclaimer. Some participants may want to know how their comments will be used, quoted directly or generalized. This would be the time to address such concerns and invoke confidentiality of names and other identifiers.
  8. Prepare Some Takeaways. The leader should be prepared to summarize what the next steps will be going forward, including when a report might be issued to management and what might be included in the report.
  9. Prepare a Report For All Participants. A key component of any compliance focus group is a post event report, which consolidates all sessions. This should be generated as soon as possible after the end of the last session. The report should include specific actions that will be taken based upon the input received from the focus groups. Participants who reported circumstances warranting a response will certainly expect to know what the compliance team is doing about it. Participants will also want to see whether the feedback they gave is consistent with that given in the other sessions.
  10. Write a Report for Management. This report should focus on the larger issues raised in the compliance focus groups and, as the author notes, “looking at the trends, steps forward and lessons learned.”

While your compliance focus group may not be quite the game changer that the Louisiana Purchase was for the US, it will certainly provide you solid information on your compliance program that you can use to move it forward; as the article notes, “From the people who use the programme everyday—your employees and partners—you can find out what the programme means, how it adds value (or doesn’t add value) and how it is seen by the management team around the world.” And while you are at it, you may want to check out the Red Flag Group’s Compliance Insider magazine; it is a great resource.


March 13, 2014

Harriet Tubman and Navigating to Become an Ethical Company

March 10th was the 101st anniversary of the death of Harriet Tubman. She was one of the greatest conductors on the Underground Railroad, which took slaves out of the old south and up to freedom in the north and into Canada. I read about her as a child and her story always moved me. The one thing I remembered is that when traveling at night in the pitch darkness, she would feel for the moss growing on trees so that she would always know which way to travel. Moss grows on the north side of a tree so she would always be able to move her way north and to freedom for those she helped escape.

I thought about Harriet Tubman and her story of how she could determine which way to travel in pitch darkness when I recently read an article in the Ethisphere Magazine, entitled “Ethics By Example”, by Gary E. McCullough. In his article he gave some specific steps that a company can engage in to help foster and create an ethical culture, which he has learned over the past 25 years from working for companies as varied as Procter and Gamble and Career Education Company and from serving as an infantry officer in the US Army.

1.    Implement structure and clear expectations. 

McCullough suggests that you should create a mechanism that allows employees to address issues. In doing so, you should also be able to demonstrate both senior management and the company’s commitment to ethics and compliance. He recommends the following steps:

  • Set clear policies and expectations through your vision statement;
  • There must be strong education and training programs;
  • Metrics and measurement systems are a must;
  • A visible compliance structure within your company;
  • A confidential helpline for reporting issues with a stout no retaliation policy; and
  • A method to investigate and resolve complaints. 

2.    Ignoring infractions is not an option.

McCullough recognizes that company leaders face ongoing struggles to balance being too harsh or too lenient. If the former occurs, a leader can run the risk of demoralizing his team. If it is the latter, a leader can simply be run over by his or her troops. But a company leader must address infractions of your internal Code of Conduct, or other similar policies, or no employee will take it seriously. 

3.    Make ruthless decisions, but execute them with compassion. 

Leaders have to make tough decisions. McCullough counsels that no matter how difficult a decision might be, it should be delivered with compassion. In other words, no termination communicated by email. Tell people in person and then give them the assistance to help them move forward.

4.    Focus on the work. 

Channeling his inner Paul McNulty (he of McNulty’s Maxims), McCullough intones that the most critical thing is what you do after a problem arises. As McNulty might say, “What did you do after you found out about it?” Do not defend your past practices or say that everyone else does it but move forward to remediate the situation, fulfill your obligations and move forward. In the world of Foreign Corrupt Practices Act (FCPA) prosecution, it is clear from 2013 corporate enforcement actions that a company should remediate during the pendency of any FCPA investigation or enforcement action. Such remediation will go a long way in reducing the overall penalty, enhancing your credibility with the Department of Justice (DOJ) and helping to avoid the appointment of a corporate monitor.

5.    Be in alignment with your Board. 

McCullough believes that Boards share ownership of a company’s compliance function with the Chief Executive Officer (CEO), senior management and the compliance function. As such, the best accomplishments in compliance come when the Board, or a committee thereof, can bring a sustained outside perspective, methods and best practices to a company’s overall compliance regime.

6.    Instill it in the culture.   

I once explained a CEO’s role in compliance to a company executive and as I was going through various strategies, he looked at me and said, “You want me to be the ambassador for compliance.” I said that was exactly what I wanted him to do and it was the best description I have ever heard of what both McCullough and I believe a CEO can bring to the table. McCullough writes, “leaders must model the behavior expected from others. And when engaging with individuals, never let an opportunity pass to remind them of the company’s obligations to its stakeholders to always “do the right thing””. I could not have said it better myself.

McCullough’s points, while general in nature, are a good starting point for any compliance practitioner to review the overall nature of a company’s ethical and compliance health. For the compliance practitioner, they provide some general, yet important, points to discuss with a CEO or senior management about the company’s ethical direction. Much like Harriet Tubman’s ability to continue to move north on the Underground Railroad in pitch darkness, these guideposts will help your compliance program to move forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

March 12, 2014

FDR’s Fireside Chat and Risk Ranking of Third Parties Under the FCPA

On this date in 1933, just eight days after he was inaugurated, President Franklin Roosevelt (FDR) gave his first Fireside Chat to the American public. FDR began his chat by stating, “I want to talk for a few minutes with the people of the United States about banking.” He went on to explain his recent decision to close the nation’s banks in order to stop a surge in mass withdrawals by panicked investors worried about possible bank failures. FDR had correctly assessed that the public had lost confidence in the US banking industry and, based on that assessment, he closed them in his famous Bank Holiday. In 1929, over 600 banks folded; by 1932 the number had increased to over 5100. But more than simply these bank failures was the perception that the US banking system was on the verge of collapse. FDR also announced that he was reopening the banks the next day. The US banking system has been secure since that time.

I thought about FDR’s ability to correctly assess the risk to the US banking system. As compliance programs mature, one of the things that companies struggle with is how to better assess third party risks so that the right resources can be delivered to manage these risks. In the most recent issue of Compliance Insider, an article entitled “Building a Risk-Scoring Methodology for Distributors and Resellers” lays out a decision-making calculus that can assist a company in best utilizing its resources to not only quantify a large number of third party risks, but also manage those risks more efficiently.

The article notes that there are two main resources that a compliance practitioner will need to rate the risks of third parties. The first is information about the entity. This category of information can come from a number of sources, including the third party itself, in the form of a questionnaire, through to various levels of due diligence. The second resource is the people who use the information to make decisions. As there is only a finite amount that you, the compliance practitioner, can find out about your third parties, there is a substantial need to make the best use of that information with the resources available. All of this must be balanced between spreading the decision making across a large number of people and ensuring that the decisions made are consistent. To assist in answering these issues, the article suggests a methodology “to help focus your controls and resources more efficiently”.

1.    What is your aim?

The initial step in any risk-scoring exercise is to clearly define what you are trying to achieve. The second part of clarifying the aim is to build an expectation and means of measurement so that you can assess the validity of your calculus. 

2.    Which information is relevant?

Most generally, the main criteria are the location of the partner or where they will deliver the product or services, the type of service or product that the partner is providing and the value of that service. This initial analysis can help you to create a high, medium and low risk model. But other factors should be weighed which can provide a more sophisticated approach. Some of these factors include the following:

  • Are they new or existing partners?
  • Are they touching end-users?
  • Are they selling to government customers?
  • Do you have contracts with them?
  • Do they obtain licenses for selling products in that country on your behalf?
  • Do you provide market development funds to them? 

3.    Where can I find the information?

This speaks to the heart of your due diligence process. Obviously, a questionnaire forwarded to your potential third party is a starting point. However, such information should be verified and cross-checked. Additional factors should be geographic risk, the value(s) of potential transactions and compensation to the third parties. Last is the traditional level 2 and level 3 due diligence.

4.    Consider the questions you will ask the third parties

Here the author believes that an additional analysis of both the criteria required and the possible resources to garner data to support the criteria should be considered. These considerations include:

  • Which is the most cost-effective source for the information?
  • What is the most accurate way of obtaining information?
  • Do you need to ask the question at all?
  • How should the questions be worded to ensure the greatest efficiency in getting to the required answer?
  • How do you write the questions to ensure the scores are usable?
  • Which questions and responses should be scored? 

5.    Are the responses accurate?

Here is where ‘a second set of eyes’ is critical. The article suggests “sanity checks to ensure that the answers respond to the question and that the responder seems to have understood the question – this is especially useful when the questions have been translated into other languages.” You should also endeavor to cross-check against other information known about the partner, with reviews by multiple persons in your organization. Finally, on the back end, you should build audits and spot-checks into your program to assess the accuracy and consistency of approvals.

6.    What does it all mean?

Now you have to start using the information. Recognizing that you may need to tinker with your system, it is important that you “design the overall process to allow changes to be made in the future, as you learn more about the results.”

7.    What happens next?

Now the time has arrived to score the results. After you determine who will make the decision and the path for review and escalation, if required, you should also consider the Tom Fox Mantra: Document, Document, and Document. In other words, how does the scoring and decision-making process get documented in your organization?

8.    How will you carry out the review process?

At this point, it is appropriate to consider whether you have met or are moving in the direction that you attempted to establish back in Step 1. You should consider:

  • Does your program accurately reflect the risks that you understood the partners posed?
  • Is the final result of your process consistent?
  • Were decisions on the risk level made by the right people in your organization?
  • Were the necessary issues escalated to the right people?
  • Have the risks changed?
  • Can the process be changed, or has it been built into an inflexible technology or workflow? 

Once the review is complete, any necessary changes should be communicated to the staff involved in the process to ensure they know how their role is impacted. The author ends with some reservations that you should expect to run into. These include:

  • don’t expect to use scoring to fully automate a process – the information available is generally not complete enough to provide an accurate model, so scoring is far better when used as a guide;
  • don’t assume you will get it right first time (or second) – it is important to have a clear understanding of what you are aiming at, and to build regular review into the program to recalibrate the scoring;
  • keep the process and scoring as simple as possible – most of the relevant risk-related information can be found in a few key criteria; and
  • your perception of risk will change when new information comes to light, so remember to document the decision-making process so that you can justify the final risk outcome. 

While FDR may have intuitively known that the real problem with the US banking system was the perception that it was not solvent, you do not have to rely solely on your gut when making informed decisions about the Foreign Corrupt Practices Act (FCPA) risks that a third party may present to your company. For the Department of Justice (DOJ), I think the key is that you assess the risk and document that assessment. If you do so and a third party gets you into FCPA hot water, you have the best chance of coming out on the other side as well as the US banks did after their ‘holiday’ with FDR.


March 4, 2014

How Does the 20th Amendment Inform Your Compliance Program Incentives?

On this date in 1933, FDR held his first inauguration. It was also the final inauguration held in March before the passage of the 20th Amendment to the US Constitution that moved the inauguration date to January 20th. What was the reason the Constitution originally set an inauguration date in March, some six months after the November election? It is because a Roman Tribune’s annual term of office began in March, rather than in January. During this six month period, the old administration did not have much incentive to do anything that could benefit the incoming Presidential administration, if they were from different parties. That was the driving force for the 20th Amendment.

I thought about this dis-incentive when considering the question of how you can incentivize your senior management team so that they will integrate compliance into their business routine. Put another way, how can you measure compliance in senior management or evaluate it for the purposes of a bonus calculation? This has often been difficult to sustain in a company because the compliance evaluation of a senior manager or company leader is often viewed as too subjective. However, in the Compliance Insider magazine, put out by the Red Flag Group, I recently came across an article that directly addresses these issues and concerns.

The article was entitled, “Integrating Your Compliance Programme Into the Variable Compensation of Executives”. The article was built around a case study of the Sorin Group, which is a healthcare multinational, and the company’s incentive program for its compliance regime. Interestingly, the reason the company created such an incentive program in the first place was to “influence actual behaviors, and not merely the consequences of any wrong doing that may occur.” With this premise, at the Sorin Group, compliance has been made an integral part of each manager’s performance objectives. Members of the company’s Executive Leadership Team (ELT) and the other leaders of all of its corporate functions and “business units are directly responsible for the culture, understanding, observance and adoption of the Sorin Code of Conduct, the Sorin United States and international compliance policies and procedures” and their respective health industry codes of practice.

Further, each of the different functions within the Sorin Group has adopted individual performance objectives specifically regarding compliance. The individualized “compliance objectives are agreed and documented every year for each function and senior manager, and form part of the process of continuous performance review (written reviews twice yearly) managed by Sorin’s human resources team. The responsible executive of each function or group is required to cascade each of the compliance obligations to those employees under them. This ensures that the whole company has compliance integrated into their variable remuneration.”

The company’s evaluation process includes the staff that report to each senior executive who are interviewed by the General Counsel (GC) or other member of the compliance function “to determine their adherence to the compliance objectives.” Additionally, “An assessment is performed alongside line managers and a member of the human resources team to determine whether the obligations have been met, and to what extent.” Lastly, this same system applies to the company’s Board of Directors and Chief Executive Officer (CEO).

The variable compensation awarded to an employee at the end of each year can be affected in two ways by his or her compliance evaluation. The first is for an entire group: “If a group fails to meet expectations for the specific objectives the executive and their whole team will miss out on the entire variable pay for that year.” But “If a group meets some expectations for the compliance objectives they will receive payment of the variable, with the amount dependant on the amount of objectives that have been met.” The same holds true for the individual within the group so that “if an employee fails to meet his or her compliance objectives, the whole bonus for that employee will remain unpaid.”

The article also gave some specific examples of compliance obligations that are measured and evaluated. This is an excellent list for the compliance practitioner to use in benchmarking a company’s compliance program in this area or instituting such an incentive compensation system for your company. They include the following.

For the ELT

  • Lead from the top – in your own conduct (lead by example) and in the decisions you take, to the resources and time you commit to compliance
  • Facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally
  • Support specific initiatives from the CEO, legal and compliance functions. 

For Department Heads

  • Demonstrate, facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally
  • Support specific initiatives from the legal and compliance functions
  • Ensure that all employees, agents and contractors directly or indirectly reporting to you fully complete all required training and communications in a timely manner
  • Provide full cooperation with investigations conducted by the compliance or legal functions of any alleged violation of compliance policies
  • Include the Chief Compliance Officer or another legal or compliance function representative in your management meetings at least twice per year, per geography
  • Identify instances of non-compliance and support compliance monitoring and reporting systems
  • Partner with compliance in resolving compliance issues.

For Country Heads of Sales

  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully reported all sales and marketing interactions with all HCPs (Health Care Professional) in a timely manner
  • Certify that all employees, agents and contractors directly or indirectly reporting to you have fully, promptly and accurately reported all expenses with HCPs on Concur. 

The article also speaks of five things to consider when developing such a compliance incentive program. (1) The program needs to be cascaded down the organization so that it applies to all levels in the company. (2) Include both a 360 degree review and mid-year review. (3) To truly incentivize senior management, the compliance objectives should be at least 25% of the overall discretionary bonus program. (4) Do not have simply ‘tick-the-box’ incentives but include subjective incentives.

As the final item to consider, the article says that you need to have SMART compliance objectives, which are defined as:

  • Specific: A specific objective has a much greater chance of being accomplished than a general objective. For example, don’t just say “ensure training has been completed by your team”; say:
    • Who: who needs to be trained?
    • What: what training objectives do you want to accomplish?
    • Where: identify a location for the training
    • When: establish a time frame for the training to be completed
    • Which: identify requirements and constraints for any training
    • Why: provide specific reasons, purpose or benefits of accomplishing the training objective.
  • Measurable: Establish concrete criteria for measuring progress toward the attainment of each objective you set.
  • Aggressive but attainable: When you identify objectives that are most important to the compliance function and the relevant business, employees are more likely to see the value in making them come true.
  • Realistic: To be realistic, an objective must represent something which you are both willing and able to work toward.
  • Timely: An objective should be grounded within a timeframe. 

The article ends with some insights into lessons learned by the Sorin Group in its rollout of the compliance incentive program. These lessons included the following:

  • Top down: If your ELT is truly on board you can make big leaps and not limit your compliance ambitions to incremental steps.
  • Personalize: The objectives should be more personal to each function and more granular.
  • Balance: Have qualitative judgments but couple them with concrete and – most importantly – objective and measurable key performance indicators.
  • Publicize: Talking about real company examples involving its people makes the difference.
  • Be positive: Focus your company’s efforts on positive incentive behaviors. In other words, use both the stick and carrot.
  • Just do it: Stop talking the talk and start walking the walk.

The FCPA Guidance made clear that the Department of Justice and Securities and Exchange Commission expect incentives to be built into your best practices compliance program. The Sorin Group case study in Compliance Insider provides solid tips for the compliance practitioner on steps to take for his or her company’s compliance program. Is some of this subjective? Yes, it is, but that does not mean financial incentives cannot be written into the evaluation of any senior management to help guide ethical business practices.

