FCPA Compliance and Ethics Blog

February 27, 2015

Gulliver’s Travels, Truth or Fiction?

Gulliver's TravelsThere was once a man named Gulliver who traveled widely and wrote a book about his adventures called Gulliver’s Tales. During his first voyage, Gulliver is washed ashore after a shipwreck and finds himself a prisoner of a race of little people, who live in the country of Lilliput. After giving assurances of his good behavior, Gulliver becomes a resident in Lilliput and becomes a favorite of the court. From there, the book follows Gulliver’s observations on the Court of Lilliput. He is also given the permission to roam around the city on a condition that he must not harm their subjects and otherwise engage in illegal, immoral or unethical conduct.

I am continually amazed at how life imitates art because if I told you the following tale you might accuse me of simply making up things to write about. Imagine there is a corporate banking Chief Executive Officer (CEO), whose company signed one of the largest Deferred Prosecution Agreements (DPA) ever a little over two years ago giving assurances of good behavior going forward. Now imagine I tell you that the same CEO has been hiding money for years in a Swiss bank account through a shell corporation for ‘his privacy’ (IE., Hiding money from the Lilliputians of this world). Unfortunately for the real Stuart Gulliver, the CEO at the banking giant HSBC, these facts are true. While his company is in yet another scandal involving its illegal conduct, while under a DPA for its past sins, it turns out the CEO was hiding approximately $7.7MM in a Swiss bank account. To compound this effort to conceal his monies, he did so through a shell Panamanian company.

Yet, just like the fictional Gulliver, the real Gulliver has a very simply explanation for this practice. According to Jenny Anderson, in an article in the New York Times (NYT) entitled “HSBC Chief Defends Swiss Bank Account Worth $7.7 Million”, Gulliver said “This has an everyday explanation to it” and said the explanation was that he was trying to hide the money so his co-workers would not know he much money he made. Or as Anderson wrote, “In an effort to protect his privacy — he was the bank’s top earner — he put the money in Switzerland to hide it from the prying eyes of his Hong Kong colleagues. But he then had to hide it from his curious Swiss colleagues, so he created an anonymous Panamanian company.”

So it turns out that Gulliver was not only trying to hide his money from his co-workers but also from the Swiss by creating a shell corporation to launder the money into before depositing it in Switzerland. Similar to those pesky Lilliputians, who might want to find out something about him that he did not want them to know, as when the fictional Gulliver agreed to not violate the law or engage in otherwise unethical conduct. Of course the real Gulliver has protested that such arrangements were not illegal at the time he engaged in them, side-stepping the question of whether his conduct was unethical (Ethical bankers, does that topic belong in the fiction section?).

Gulliver also went on a charm offensive essentially claiming that not only him but the entire banking industry in general was being picked on. Channeling his inner Mother Theresa, Gulliver was quoted in an article in the Financial Times (FT), entitled “Standards for bankers higher than for bishops, claims HSBC chief Gulliver” by Martin Arnold and George Parker, as saying “It seems to me that we are holding large corporations to higher standards than the military, the church or civil service.” While I am not quite certain as to the pay scale of UK church leaders, I am relatively certain that those in the civil service and military do not have an extra $7.7MM laying around that they need to launder through a Panamanian corporation to hide in a Swiss bank account.

The real Gulliver should have just channeled his fictional Gulliver and said that when in the land of Lilliput, you do not have to tell the Lilliputians the truth, even if you have sworn in a pesky DPA to do so. From the real Gulliver’s statement about bankers being held to higher standards, he obviously thinks that the church, military and civil service (and probably the rest of us mere mortals) have Lilliputian ethical obligations compared to him.

What does all this mean for prosecuting HSBC in the newly erupted money laundering through its Swiss subsidiary scandal? Well it is great to know your CEO has first hand knowledge of the mechanics of such activities. The appropriate UK authorities or even the US Department of Justice (DOJ) could interview the real Gulliver as a subject matter expert (SME) on not only how to hide money from your fellow employees, but also from the Swiss and even gain insight into such machinations to hide money from your own national tax authorities. The real Gulliver may be a real find for the DOJ as an expert witness, at the trial of his company for breach its DPA.

Further, just think of the credibility the real Gulliver would have in negotiations with the DOJ on whether HSBC broke its promises to do business in compliance with US anti-money laundering (AML) laws when it signed its DPA back in 2012. He could go right into the meeting and say, “Lads, let me dispel any misconceptions you might have about Swiss bank accounts. They exist to hide money. At least that is how I use them personally.” He could then walk the lowly civil servants who work in the DOJ Fraud Section and who have lower standards than the whiter-than-white bankers through how the real world of money laundering works, or at least the real world of multi-millionaires who, for some reason, want to protect their own privacy.

The real Gulliver could answer yet another rhetorical question that he posed, and was reported in the FT article, when he asked, “Can I know what every one of 257,000 people is doing? Clearly, I can’t. If you want to ask the question could it ever happen again – that is not reasonable.” The real Gulliver could then go on to respond to this rhetorical flourish along the lines of the following, But I can tell you what is reasonable, to ask me if I know what I am doing and how I am doing it. I am hiding money in my Swiss bank account through a shell Panamanian company. He might even add, How brilliant is that?

Since the fictional Gulliver lived and traveled over 300 years ago, he may be distantly related to the real Gulliver of HSBC today. Nevertheless for a bank CEO to have laundered his own money through a shell corporation into a Swiss bank account ‘for privacy’ is one of those convergences where truth surely is stranger than fiction.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 25, 2015

Doing Less with Less and the Unification of Germany

Sqeezed Piggy BankI am attending the SCCE Utilities and Energy Conference in Houston this week. As usual, the SCCE has put on a great event for the compliance practitioner. This year there is live blogging by Kortney Nordum so there should be much about the conference up on the SCCE blogsite, this week and into the future. Lizza Catalano has put together a first rate program for compliance practitioners of many stripes. As an added benefit, SCCE Chief Executive Officer (CEO) Roy Snell has brought some cold weather down to Houston for the event for our late February enjoyment. While it was 80 on Saturday, today is was a balmy 36 courtesy of our Minnesotan guests.

As you might guess the current economic downturn is on everyone’s mind and a subject of much conversation. Last week I wrote a post about the depression of oil and gas prices in the energy space and some of the increased Foreign Corrupt Practices Act (FCPA) or other anti-corruption risks that might well arise from this economic downturn. Over the next couple of days, I want to explore how a Chief Compliance Officer (CCO) or compliance practitioner might think through responses to this increased compliance risk. Today I will focus on doing less with less. Tomorrow I will suggest some technological solutions.

I have been around long enough to see more than one of these economic events in the energy space. While not suggesting that we Texans never learn not to repeat our mistakes, they do seem to have a pattern. Prices drop precipitously, companies who are overstocked, over-leverage or generally over-panic; over-react and cut head count and spending dramatically to some level that is not based on rational economic analysis. Then they get some handle on where the numbers might be heading and the cuts start to flatten out and some type of equilibrium is reached.

Right now, in the energy space, we are in the cutting phase. That means loss of personnel (head count) and loss of resources even if it was calculated last year based on a summer or fall 2014 economic projection in your annual budgeting process. This means one thing you will need get for a quarter or two will be financial resources to place the personnel your compliance function may have lost. This means that you will have to figure out a way to accomplish more with fewer resources. While I often advocate that the compliance function can and should draw on other disciplines such as Human Resources (HR), IT, Internal Audit and Marketing for support; those functions have most probably been ‘right-sized’ as well so they may not be able to assist the compliance function as much they could have previously.

Now would be a very good time to put into practice what Dresser-Rand CCO Jan Farley often says, “Don’t sweat the small (compliance) stuff.” Farley often speaks about the need not to waste your scarce compliance resources on areas or matters that are low compliance risks. But to do this, you need to understand what are your highest compliance risks. Since you will not have additional resources to perform such an analysis, I would suggest now would be a very good time for you to assess your compliance program and your business model to see what are your highest risks. If you believe there are several, you can fprioritize them. This exercise will give you the basis to deliver your ever-scarcer compliance resources to your highest risk areas.

While I do not believe the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will be sympathetic to some unsubstantiated claim along the lines of ‘I did my best with what I had’; they also made clear in the FCPA Guidance that “An effective compliance program promotes “an orga­nizational culture that encourages ethical conduct and a commitment to compliance with the law.” Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” (emphasis supplied)

So while the DOJ and SEC will not accept you bald-faced claims that our company simply did not have the money to spend on compliance, they will most-probably consider a compliance program where you have looked at your risks, in the context of this economic downturn, and delivered the compliance resources you do have to those risks. But the key is Document, Document, and Document your decision-making calculus and your implementation. (Stephen Martin would probably add here that if your annual spend on Yellow Post-It Notes is a factor of 10X your compliance spend, this approach would not be deemed credible.)

In her On work column in the Financial Times (FT), Lucy Kellaway wrote about this the concept of doing less with less for the corporate executive personally, in an article entitled, “No need to ‘lean in’ when laziness can be just as effective”. She cited to the Prussian General Helmuth von Moltke for “devising one of the world’s fist management matrices” when he assessed his officers on two scales: “clever v. dim and lazy v. energetic.” From this he came up with four permutations:

  • Dim and lazy – Good at executing orders.
  • Dim and energetic – Very dangerous, as they take the wrong decisions.
  • Clever and energetic – Excellent staff officers.
  • Clever and lazy – Top field commanders as they get results.

The point of Kellaway’s article has direct implications for the CCO or compliance practitioner currently facing an economic downturn, “It is only by being lazy that we become truly efficient, and come to see what is important and what is not.” Kellaway cautioned “the sort of laziness to encourage is not the slobbish variety that means you do bad work. That is not laziness: it is stupidity. Instead, we need the clever version that comes from knowing there is an opportunity cost to every minute we spend working, so we must use our time wisely.”

From the compliance perspective, this translates directly into using your compliance resources wisely. So whether you want to cite the Prussian general who unified Germany, columnist Kellaway, Dresser-Rand CCO Farley or this article’s theme of doing less with less, I would suggest to you there is a manner to maintain “A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations” even in an economic downturn.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

February 24, 2015

Victory or Death: William Barret Travis and the Obligations of a CCO

William Barret TravisToday in 1836, Alamo commander William Barret Travis issued his famous ‘Victory or Death’ plea for reinforcements. It was short so I quote it in full:

To the People of Texas & All Americans in the World:

Fellow citizens & compatriots—I am besieged, by a thousand or more of the Mexicans under Santa Anna—I have sustained a continual Bombardment & cannonade for 24 hours & have not lost a man. The enemy has demanded a surrender at discretion, otherwise, the garrison are to be put to the sword, if the fort is taken—I have answered the demand with a cannon shot, & our flag still waves proudly from the walls. I shall never surrender or retreat. Then, I call on you in the name of Liberty, of patriotism & everything dear to the American character, to come to our aid, with all dispatch—The enemy is receiving reinforcements daily & will no doubt increase to three or four thousand in four or five days. If this call is neglected, I am determined to sustain myself as long as possible & die like a soldier who never forgets what is due to his own honor & that of his country—Victory or Death.

William Barret Travis

Lt. Col. Comdt

While Thermopylae will always go down as the greatest ‘Last Stand’ battle in history, the Alamo is right up there in contention for Number 2. Like all such battles sometimes the myth becomes the legend and the legend becomes the reality. In Thermopylae, the myth is that 300 Spartans stood against the entire 10,000 man Persian Army. However there was also a force of 700 Thespians (not actors; but citizens from the City-State of Thespi) and a contingent of 400 Thebans who fought and died alongside the 300 Spartans. Somehow, their sacrifice has been lost to history.

Likewise, the legend that lifts the battle of the Alamo to the land of myth is the line in the sand. The story goes that William Barret Travis, on the day before the final attack, when it was clear that no reinforcements would arrive in time and everyone who stayed would perish; called all his men into the plaza of the compound. He then pulled out his saber and drew a line in the ground. He said that they were surrounded and would all likely die if they stayed. Any man who wanted to stay and die for Texas should cross the line and stand with him. Only one man, Moses Rose, declined to cross the line. The immediate survivors of the battle did not relate this story after they were rescued and this line in the sand tale did not appear until the 1880s.

But the thing about ‘last stand’ battles is they generally turn out badly for the losers.  Very badly. I thought about this when the former head of the Foreign Corrupt Practices Act (FCPA) unit at the Department of Justice (DOJ), Chuck Duross, said at Compliance Week a couple of years ago that he viewed anti-corruption compliance officials as “The Alamo” in terms of the last line of defense in the context of preventing violations of the FCPA. I gingerly raised my hand and acknowledged his tribute to the great state of Texas but pointed out that all the defenders were slaughtered, so perhaps another analogy was appropriate. Everyone had a good laugh back then at the conference. But in reflecting on the history of my state and what the Alamo means to us all; I have wondered if my initial response too facile?

What happens to a Chief Compliance Officer (CCO) or compliance practitioner when they have to make a stand? Do they make the ultimate corporate sacrifice? Will they receive the equivalent of a corporate execution as the defenders of the Alamo received? This worrisome issue has certainly occurred even if the person ‘resigned to pursue other opportunities.’ My fellow FCPA Blog Contributing Editor Michael Scher has been a leading voice for the protection of compliance officers, as have Donna Boehme and Michael Volkov. In a post entitled “Michael Scher Talks to the Feds” he said, “a compliance officer (CO) working in Asia asked for recognition and protection: “A CO will not stand up against the huge pressure to maintain compliance standards if he does not get sufficient protection under law. Most COs working in overseas operations of U.S. companies are not U.S. citizens, but they usually are first to find the violations. Since the FCPA deals with foreign corruption, how could the DOJ and SEC not protect these COs?”” In the same post, he asked the following of the DOJ and SEC “Wal-Mart’s compliance officers and professionals allegedly were intentionally obstructed by senior executives from conducting a compliance review and subjected to career-ending retaliation. If confirmed, will the DOJ and SEC’s settlement demonstrate that such harassment of compliance professionals is not condoned? Will the DOJ and SEC also make it clear that compliance officers working for multi-national companies like Wal-Mart in countries outside of America will receive the same protections as those working in America?”

Writing about the MF Global scandal in the New York Times (NYT) in an article entitled “Another View: MF Global’s Corporate Governance Lesson” Michael Peregrine stated that the “compliance officer is the equivalent of a “protected class” for governance purposes, and the sooner leadership gets that, the better.” Particularly in the post Sarbanes Oxley (SOX) world, a company’s CCO is a “linchpin in organizational efforts to comply with applicable law.” When a company fires, or asks him/her to resign, it is a significant decision for all involved in corporate governance and should not be solely done at the discretion of the Chief Executive Officer (CEO). Jonathan Marks has long advocated that the departure of a CCO from a company is such a material event that it should be disclosed by public companies.

In the area of anti-money laundering (AML) compliance professionals, Reuters, in an article entitled “Bankers anxious over anti-money-laundering push to go after individuals”, reported that at the Securities Industry Financial Markets Association conference, John Davidson, E*Trade Financial’s global head of AML, said that the “new push by regulators and lawmakers to hold individuals, rather than just institutions, accountable for regulatory violations involving money laundering is spooking members of the U.S. financial industry.” He further said that this aggressive trend and a new vigorous AML bill, introduced in Congress by Representative Maxine Waters entitled “Holding Individuals Accountable and Deterring Money Laundering Act”, were all “a little scary.” He found the movement towards more AML enforcement against individuals “an incredibly disturbing trend.” The reason it is so scary, an un-named top level compliance officer said, is “that compliance officers at the largest Wall Street institutions were feeling especially nervous because the power structures in those institutions sometimes did not give compliance officers enough authority to act.”

Upon further reflection I now believe the Alamo reference appropriate for compliance officers. It is because sometimes we have to draw a line in the sand to management. And when we do, we have to cross that line to get on the right side of the issue, the consequences be damned. This means that while you not only have to make hard decisions you may have accept employment separation if your company disregards your advice and engages in illegal activity. I do not pretend that to be a easy decision or one lightly made but CCOs have a different role in a corporation from that of a General Counsel (GC) and no amount of pining about attorney ethical obligations will change that dynamic.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 20, 2015

Assessing Internal Compliance Controls – Part II

Assessing Internal Controls IIn this blog post I continue my exploration of how you should assess your compliance internal controls using the Committee of Sponsoring Organization of the Treadway Organization (COSO), publication “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), as a starting point and basis for discussion. You will recall from my series on compliance internal controls under the COSO 2013 Framework there are five objectives: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Today I will review issues around compliance internal control assessments on Control Environment and Risk Assessments.

First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.” A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

I. Control Environment

Under the objective of Control Environment there are five principles which you will need to assess. The five principles are:

  1. The organization demonstrates a commitment to integrity and ethical values. Here you can look to see if there is a training program to help make employees cognizant of the importance of doing business ethically and in compliance with the standard’s of your company’s Code of Conduct. Also is there specific training on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other relevant anti-corruption/anti-bribery legislation which may govern your organization? Next does your company have in place any process to evaluate “individuals against published integrity and ethics policy”? Finally, do you have in place any process to “identify and address deviations in the organization”?
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Under this Principle you must DOCUMENT the active involvement of your company’s Board of Directors. So not only must risk assessments be performed and evaluated by senior management, they must also be evaluated by the Board, separate and apart from senior management. A Board must also document its review of any remediation plans and monitoring activities.
  3. Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibility in pursuit of the objectives. This Principle deals primarily with reporting lines and structures so you will need to consider not only the structure of your business but also whether or not both clear and sufficient reporting lines have been established throughout the company. The next analysis is to move down the chain to see if there definitions and assignments for your compliance function. Lastly you need to assess whether there are sufficient parameters around the responsibilities of the compliance function and if there are limitations which should be addressed.
  4. The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives. Under this Principle you will need to review the policies and procedures to make sure you have the minimum required under a best practices compliance program and then evaluate and address any shortcomings. This Principle also has a more personnel focus by requiring you to consider whether your organization attracts, develops and retains sufficient compliance personnel and is there an appropriate succession plan in place if someone ‘wins the lottery’ on the way to work.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective. Under this Principle review is required to determine whether the Board established and communicated the mechanisms to hold employees accountable for your compliance internal controls. As suggested in the FCPA Guidance, there should be both a carrot and stick approach, so for the carrot is there some type of Board, senior management or employee compensation based on whether they did their assignments in compliance with your Code of Conduct or are bonuses based strictly on a sales formulation? For the stick, have any employees ever been disciplined under your compliance regimes?

II. Risk Assessment

This objective has four Principles that require assessment. They are (numbers follow the COSO Framework):

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives which include Operations Objectives, External Financial Reporting Objectives, External Non-Financial Reporting Objectives, Internal Reporting Objectives and Compliance Objectives. Here I think the key is the documentation of several different topics and issues relating to your company and how it operations. This means you will need to assess such diverse concepts as what are your senior management’s choices for business and compliance? You will need to consider and assess tolerances for risk as demonstrated by such issues as operations and financial performance goals. Finally, it can be used as a basis for committing of compliance resources going forward.
  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. This Principle requires you to take a look at not only your compliance organization but also your business structure including entity, subsidiary, division, operating unit, and functional levels. You should assess the involvement of your compliance function at each point identified and the appropriate levels of management therein. Finally, from the compliance perspective, you should attempt to estimate not only the significance of compliance risks identified in the risk assessment but also determine how to respond to such identified compliance risks.
  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives. Bribery and corruption can be categorized as forms of fraud. Rather than being fraud against the company to obtain personal benefits it can be fraud in the form of bribery and corruption of foreign government officials. For the compliance internal control assessment around this Principle I would urge you to ‘follow the money’ in your organization and consider the mechanisms by which employees can generate the funds sufficient to pay bribes. Many of these are simply fraud schemes so you should consider this within the compliance context and assess incentive and pressures on employees to make their numbers or be fired. You should also assess your employees’ attitudes and rationalizations regarding same.
  4. The organization identifies and assesses changes that could significantly impact the system of internal control. This Principle speaks to the need of your organization to maintain personnel competent to use the risk assessment going forward. But it also requires you to assesses changes in the external environment, assess changes in the business model or other significant business changes and, finally, to consider any changes in compliance leadership and how that would impact this Principle.

I often say that good compliance is simply good business. These COSO objectives are not only important from the compliance perspective but they also speak to the issue of overall process in your organization. The more you can burn these activities into the DNA of your company, the better run your organization will be going forward. Auditing against the COSO standards will provide your management with greater information on the health of your organization and satisfy your legal requirements under the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 19, 2015

Assessing Compliance Internal Controls – Part I

Assessing Internal Controls II have recently detailed the COSO 2013 Framework in the context of a best practices compliance regime. However there is one additional step you will need to take after you design and implement your internal controls. That step is that you will need to assess against your internal controls to determine if they are working.

In its Illustrative Guide, the Committee of Sponsoring Organization of the Treadway Organization (COSO), entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements which can only be met through such a structured post. First, each of the five components are present and function. Second, are the five components “operating together in an integrated approach”? Over the next couple of posts I will lay out what COSO itself says about assessing the effectiveness of your internal controls and tie it to your compliance related internal controls.

As the COSO Framework is designed to apply to a wider variety of corporate entities, your audit should be designed to test your internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies which you may turn up and whether or not there are any compensating internal controls. (3) Assess whether each principle is present and functioning. As the COSO Framework does not prescribe “specific controls that must be selected, developed and deployed” your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis.

Another way to think through the approach could be along the following lines. A Principle Evaluation should consider “the controls to effect the principle” and would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principle evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall Effectiveness Assessment which would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went onto define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA Guidance Ten Hallmarks of an Effective Compliance Program, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”, also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.”

However, if there are no objective criteria, as laid out in the FCPA Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program whether based upon the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other regulation. With the Illustrative Guide of these Illustrative Tools, COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the Securities and Exchange Commission (SEC) comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions. In subsequent blog posts I will take a look at how you might audit your compliance internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 17, 2015

Gary Owens, Laugh-In and Accountability in Your Compliance Program

Gary OwensIf you were alive at all during the 1960s, you will recall that one of the cultural phenomenon’s was NBC’s television show Laugh-In. It was brought to you from the NBC studios in beautiful downtown Burbank and featured one very droll player, who always played himself, Gary Owens, as the show’s announcer – Gary Owens. Owens died last week and I was surprised but pleased to learn in reading his obituary in the New York Times (NYT) that he was also the voice for several cartoon characters in the Jay Ward stable (home of Rocky and Bullwinkle) and he was the voice of Space Ghost which had a renaissance during the early years of the Cartoon Network.

I thought about Owens’ role on Laugh-In not only as the straight man but also the character, who in many ways brought accountability to the manic show when I read this week’s article by Adam Bryant in his NYT Corner Office column, entitled “Making a Habit of Accountability”, which featured his interview of Natarajan Chandrasekaran, the Chief Executive Officer (CEO) of Tata Consulting Services. Chandrasekaran was raised on a farm and one of the things that he learned early on from his farmer father was “the value of money and the value of time. So he made us account for things. It wasn’t that there was a right or wrong way, but he wanted us to be accountable for what we did.”

I considered this concept of accountability in your best practices anti-corruption compliance program, whether based upon the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other program. With the Department of Justice’s (DOJ) recent pronouncements that it will more aggressively prosecute individuals for FCPA violations, perhaps companies should emphasize accountability more in their compliance programs. By doing so, perhaps employees might understand that there really is their personal liberty on the line when they engage in something which might even approach a FCPA violation. Further, by emphasizing personal accountability, companies could demonstrate more pro-active approaches to compliance that the DOJ wants to see going forward.

Chandrasekaran’s remarks went beyond simply emphasizing personal accountability. He also spoke about accountability in the context of a company’s overall culture. In particular I found his thoughts about accountability, learning and culture quite insightful. He said, “Learning cannot be achieved by mandate. It has to be achieved by culture.” He added, “In our executive team meetings, we share experiences and case studies about failures and successes.”

But beyond simply this insight there should also be accountability for helping others achieve the company’s overall goals. While he did not limit it to compliance, I still found it applicable to a best practice compliance regime when he said, “Everybody has to take some accountability for other people, and look for ways to make small contributions to help others. Looking after people has to become everybody’s responsibility. Innovation and caring for people are cultures; they are not departments.” He did admit that such a change would not happen overnight and indeed he has been emphasizing this message for five years at Tata because “It takes time to build that culture.”

Chandrasekaran also had an insight into compliance through his views on company structure. Tata is a flat organization, with multiple business units. He did this so the largest number of employees would feel empowered to make decisions and work collaboratively. While I recognize that such views might be antithetical to US based companies with a more ‘command and control’ approach, Chandrasekaran explained that the leaders of those units are expected “to work together. We said the power of our company will be driven by how well they work together. In some of our bigger monthly meetings, we will start with people presenting examples of their collaborations.”

I considered all of the above in the greater context of a best practices anti-corruption compliance program. One of the things that the FCPA Guidance emphasized was the inter-relatedness of each component of your compliance program. While you might have greater risk in the area of third parties or doing business in certain areas of the world where there are higher perceptions of corruption, you should not pick and choose what prongs of a compliance program you implement. Each step builds upon one another and should all point to accountability for your actions in decision-making calculus for business decisions and their implementations.

However the concept of accountability is not one that is spelled out in the FCPA Guidance or in any formulation of a best practices compliance regime. Yet it is clear that accountability is something that underlies what a compliance program is trying to achieve. Just as Chandrasekaran learned early on there is a value to things; there is a value to time and there is a value to money. So they should be accounted for in the way you do business.

This might best be described as oversight of your compliance program. The issue your company should focus on here is whether employees are accountable within the ambit of your compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are accountable to the compliance program.

Two mechanisms to do so are through the techniques of monitoring, which is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. A second tool is auditing, which is generally viewed as a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to hold employees accountable to doing business under your compliance regime and Code of Conduct. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. While it may seem that accountability means looking over every employees shoulder, it should not simply be seen as the workplace equivalent of parental oversight. Chandrasekaran explained that how you conduct yourself at work can have a huge impact on other employees. He said, “it’s sometimes very hard to imagine, early in your career, how much impact you can have. If you’re in a job and in an organization, the impact you can make is huge, because it’s all about being part of a group that’s driving impact. So look for those opportunities.” If you look for ways to demonstrate accountability you can influence a wide variety of others going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 16, 2015

Economic Downturns and Increased Compliance Risk

Oil PricesOil is hovering around $50 per barrel. For most of the US economy this drop in oil price has provided a much-needed economic boost. One piece on the NPR website, entitled “Oil Price Dip, Global Slowdown Create Crosscurrents For U.S.”, said “economists have suggested the big drop in oil prices is a gift to consumers that will propel the economy.” Liz Ann Sonders, who is the chief investment strategist at Charles Schwab, was quoted as saying “The U.S. economy is 68 percent consumer spending, so right there you know that falling oil prices is a benefit.” Another economist said the positive effects could be “worth $400 billion” for the US economy as a whole.

But in the energy space, particularly in the city of Houston, Texas, this plunge has been devastating. It is so bad that in this past week’s issue of the Houston Business Journal (HBJ), it provided a ‘Box Score’ for energy company lay-offs. And that was before Halliburton announced a 10%-15% reduction and Hercules Offshore announced that it had laid off some 30% of its work force since last October. Nationally, for the energy industry, it will be just as bad. In the NPR piece, David R. Kotok, of Cumberland Advisors, said, “cuts in production and energy company payrolls will cost the U.S. economy up to $150 billion.” The Houston Chronicle headlined it was a “Bloodbath”.

I thought about what this plunge in the price of oil could mean for the compliance function in energy and energy related companies going forward. Many Chief Compliance Officers (CCOs) and compliance practitioners struggle with metrics to demonstrate revenue generation. Most of the time, such functions are simply viewed as non-revenue generating cost drags on business. This may lead to compliance functions being severely reduced in this downturn. However I believe such cuts would be far from short-sighted; they would actually cost energy companies far more in the short and long term.

Almost any energy company of any size has gone through a Foreign Corrupt Practices Act (FCPA) investigation, whether internal or formal by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC). Many had gone through enforcement actions. The risk profiles of these companies did not change because of the drop in oil prices. Extractive resources are still located largely in countries with a high perception of corruption. In others, the inherent compliance risks that currently exist for energy companies will certainly not lessen. Unfortunately they may well increase.

At this point I see two increasing compliance risks for energy companies. The first is that companies will attempt to reduce their costs by cutting their compliance personnel. A tangent but equally important component of this will be that companies that do not invest the monies needed to beef up their oversight through monitoring or other mechanisms are setting themselves up for serious compliance failures.

Moreover, what will be the pressure on the business folks of such companies to ‘get the deal done’ with this slashing of oil prices? Further, if there is a 10% to 30% overall employee reduction, what additional pressures will be on those employees remaining to make their numbers or face the same consequences as their former co-workers?

I think both of these scenarios are fraught with increased compliance risks. For companies to engage in behaviors as I have outlined above would certainly bring them into conflict with the Ten Hallmarks of an effective compliance program as set out in the FCPA Guidance. For instance on resources, the FCPA Guidance does not say in a time of less income, when your compliance risk remains the same or increases, you should cut your compliance function or the resources to support it. Indeed it intones the opposite, when stating, “Those individuals must have appropriate authority within the organization, adequate autonomy from management, and sufficient resources to ensure that the company’s compliance program is implemented effectively.” Moreover, the FCPA Guidance adds, “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complex­ity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk pro­file of the business.” So the resource issues is stated in reference to the risk profile of the business and not the current or fleeting economic issues of the day.

Also note that the FCPA Guidance speaks to an analysis from the DOJ side, which would presumably be a criminal side review. For instance, if a company cuts its compliance staff while its risk profile has not decreased, does this provide the required intent to commit a criminal act under the FCPA? Moreover, who would be the guilty party under such an analysis? Would it be the Chief Executive Officer (CEO) who ultimately decides we need a fixed percentage cut of employees or simply a raw number to be laid off? How about the department head (as in the CCO) who is told to cut your staff 10% or we will make the cuts for you? Or is it a company’s Human Resources (HR) department who delivers the dreaded knock on a compliance practitioner’s door (I’m from HR and could you come with me). What if a company’s decision-making authority is so decentralized that there is no one person who can be held accountable?

You should also note the SEC role in FCPA enforcement, as alluded to in the quote from the FCPA Guidance. There will be an assessment of internal controls. Now that the COSO 2013 Framework has become effective, will companies delay plans to implement the new Framework and to begin to audit against it? If so, would that be a per se FCPA violation?

But there is a second reason that I believe that energy companies risk profiles will increase in this industry-specific downturn. Unfortunately it will come from those employees who survive the lay offs. They will be under increased pressure to do the jobs of the laid-off folks so there will be a greater chance that something could slip through the cracks. If you are already working full time at one job and one, two or three other employees in your department are laid-off, which job is going to get priority? Will you only be able to put out fires or will you be able to accomplish what most business folks think is an administrative task?

But more than the extra work the survivors will have laid upon them will be the implicit message that some companies senior management may well lay down, that being Get the Deal Done. If economic times are tough, senior management will be looking even more closely at the sales numbers of employees. The sales incentives could very well move from a question of what will my bonus be if I close this transaction to one of will I be fired if I do not close this transaction. If senior management makes clear that it is bring in more business or the highway, employees will get that message.

Once again, where would the DOJ look for to find intent? Would it be the person out in the field who believed he was told that he or she either brought in twice as much work since there were half as many employees left after lay-offs? Would it be the middle manager who is more closely reviewing the sales numbers and sending out email reminders that if sales do not increase, there may well have to be more cuts? What about the CEO who simply raises one eyebrow and says we need to hunker down and get the job done?

What might be the DOJ or SEC reaction to the downsizing of compliance in the face of such increased compliance risk? The energy industry has not gone through this type of economic downsizing in the new age of FCPA prosecutions, largely since 2004, so there is no relevant time frame of FCPA enforcement to reflect from. However, the financial industry did go through such a contraction in the 2007-2010 time frame. We have seen the DOJ and other financial industry regulators draw huge penalties for a series of anti-money laundering (AML) and LIBOR scandals. My guess is that the DOJ and SEC will not allow companies to use economic arguments in the face of known and recognized increase in compliance risks. Indeed they may focus on some of these points as reasons for increased compliance vigilance in an energy company’s compliance function going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 12, 2015

Maurice Gilbert, CCI and Ten Questions A Board Should Consider About Compliance

Maurice GilbertFor those of you in the compliance world who do not know Maurice Gilbert, you should. I could probably write an entire post on the number of hats that he wears. For the Chief Compliance Officer (CCO) or compliance practitioner, two of the most significant are as Managing Director at Consileum Inc., which I consider to be one of the premier compliance related search firms in America and as Founder and Managing Editor of Corporate Compliance Insights, known as CCI in the compliance world (full disclosure – I blog and write for CCI). If you are looking for some of the country’s top compliance talent for a corporate compliance position Maurice should be about the first person you call when even thinking about such a task. He can help you to define the scope of the position and then craft the position to attract some great talent for you to consider. Of course, you should always know one of the country’s top compliance talent recruiters because you never know when the right opportunity might be presented by a client to Maurice and you could perfectly fill the bill.

However it is his other hat that I want to highlight today. As Founder and Managing Editor of one of the top online compliance resources, Maurice leads a team that continually generates and posts some of the most insightful and useful pieces of information around the entire panoply of issues related to compliance. From my world of anti-corruption compliance, to trade-compliance, corporate boards and governance, auditing and much more, CCI is a resource you should have on your favorites toolbar. It was through Maurice and CCI that I was introduced to the writings and assorted wisdom of Jim DeLoach, who is one of my favorite contributors to read on CCI.

DeLoach is a Managing Director with global consulting firm Protiviti. He regularly writes and blogs on issues relating to Enterprise Risk Management (ERM). He put out such great material and a plethora of it that Maurice persuaded him to put it together for us in an eBook, entitled “Making Risk Management Work for You. In the section entitled “10 Questions You Should Ask About Risk Management”, DeLoach lists 10 questions he says that a board and senior management should think about when considering ERM. I have used this section as a basis to reformulate the questions from a compliance perspective.

  • What are the company’s top compliance risks, how severe is their impact and how likely are they to occur? – Just as managing enterprise risk at a strategic level requires focus, the same is true for compliance. This requires you limiting your top risks to a handful so they can accurately be assessed and managed. DeLoach suggests that you should be emphasizing no more than five to 10 risks. Furthermore, “Day-to-day risks are an ongoing operating responsibility.”
  • How often does the company refresh its assessment of the top [compliance] risks? – As the Department of Justice (DOJ) continually reminds us, your compliance risk assessment process should be responsive to change in the business environment. It is now mandatory that teams have in place “a robust process for identifying and prioritizing the critical [compliance] risks, including emerging [compliance] risks, is vital to an evergreen view of the top risks.”
  • Who owns the top compliance risks and is accountable for results, and to whom do they report? – While this might seem self-evident in any best practices compliance program it is not always opaque within an organization. Clearly your CCO should own the top compliance risks and manage them but there should also be proper board oversight and reporting. DeLoach warns, “Gaps and overlaps in risk ownership should be minimized, if not eliminated.”
  • How effective is the company in managing its top [compliance] risks? – Just how effective is your compliance regime is a key question that any CCO or compliance practitioner needs to be thinking about on a regular basis. However, for the board and senior management level, there should be “a robust process for managing and monitoring each of the critical [compliance] risks.” Moreover, your “risk management capabilities must be improved continuously as the speed and complexity of business change.”
  • Are there any organizational “blind spots” around [compliance] warranting attention? – Some practitioners believe that the entire Foreign Corrupt Practices Act (FCPA) enforcement regime is a failure because companies are still engaging in bribery and corruption. But the simple fact is that since corporations are made up with people there will always likely be wrongdoers. DeLoach notes that “Cultural issues and dysfunctional behavior can undermine the effectiveness of [compliance] risk management and lead to inappropriate risk taking or the undermining of established policies and processes.” He cites several examples including “lack of transparency, conflicts of interest, a shoot-the-messenger environment and/or unbalanced compensation structures may encourage undesirable behavior and compromise the effectiveness of risk management.”
  • Does the company understand the key assumptions underlying its [compliance] strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions? – You might not think it could happen in a compliance regime but if a company fails to recognize that its business paradigm is changing, it could be too late to affect an appropriate compliance strategy for a new product line/service offering or breaking into a new geographic territory. Here DeLoach believes that while “no one knows for sure what will happen that could invalidate the company’s strategic assumptions in the future, monitoring the validity of key assumptions over time as the business environment changes is a smart thing to do.”
  • Does the company articulate its risk appetite and define risk tolerances for use in managing the business? – This is one area that always bears discussion. For some companies there is enough business in the middle of the road that they feel like they do not have to go up to the line of a FCPA violation to garner sales, while other companies have done deals that may have been lawful but, at the end of the day, had awful consequences for the business. Just because you can do something does not mean you should do it and a large part of such a calculus is round your risk appetite dialogue. DeLoach believes such ongoing conversations can assist to “bring balance to the conversation around which risks the enterprise should take, which risks it should avoid and the parameters within which it should operate going forward. The risk appetite statement is decomposed into risk tolerances to address the question, “How much variability are we willing to accept as we pursue a given business objective?” For example, separate risk toler­ances may be expressed differently for objec­tives relating to earnings variability, interest rate exposure, and the acquisition, develop­ment and retention of people.”
  • Does the company’s [compliance] risk reporting provide management and the board information they need about the top risks and how they are managed? – Compliance reporting should begin with relevant information about the critical compliance risks and how those compliance risks are managed. DeLoach believes that some of the questions you should be asking under this prong are along the lines of the following: “Are there opportunities to enhance the [compliance] risk reporting process to make it more effective and efficient? Is there a process for moni­toring and reporting critical [compliance] risks and emerging [compliance] risks to executive management and the board?”
  • Is the company prepared to respond to extreme [compliance] events? – DeLoach calls it an extreme event but I would ask, what will you do if your company is on the front page of the New York Times (NYT), Wall Street Journal (WSJ), Financial Times (FT) or any other similar media outlet for a compliance related violation or issue? Do you have a response plan in place? More so “Has it prioritized its high-impact, low-likeli­hood risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise’s response readiness?”
  • Does the board have the requisite skill sets to provide effective [compliance] risk oversight? – This goes to the heart of frustrations from both the compliance function side and the board side of the equation. Does your board and senior management have specific FCPA or other relevant anti-corruption training and understand your business model well enough to provide input regarding critical compliance risk issues on a timely basis? From the board’s perspective they may feel the information they receive is asymmetrical and that they do not receive enough material information to render good decision-making. From the CCO or compliance practitioner’s perspective, they may feel that they cannot get enough time in front of the board, audit committee or senior management to properly educate them on the issues.

I have only scratched the surface of DeLoach’s thoughts on ERM. I urge you to go to the CCI site and download the entire work. Did I mention the best thing about CCI and DeLoach’s book? It is free on the CCI site. So after you download DeLoach’s book, stick on the site and noodle around to find something that interests you or could be of assistance in your compliance practice. Don’t forget to check out CCI’s job listing because Maurice has that other hat that he wears as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 6, 2015

Arsenale and Incentivizing Compliance

ArsenaleI continue with a Venice themed blog post today by focusing on the Arsenale. No this is no a precursor to that famous north London football club, the Arsenal Gunners, but the district in Venice where one of the main commercial enterprises of the city took place, that being ship building and ship repair. At one point, the Arsenale employed almost 10% of the city’s workforce or 12,000 people. This was in the mid 1200s to the 1400s when Venice was at or near the height of its trading and financial power. The Arsenale developed the first production line for the building of ships, when, of course, it was all done by hand. The equipment developed to drag ships up on shore and repair was simply amazing. Appropriately, the Arsenale is now an Italian naval facility.

But I also picked up some interesting compliance insights in learning more about the Arsenale. The ship building techniques were of such a high level and importance to the city that they were viewed as state secrets. To protect against the loss of such valuable intellectual property, the Venetian city fathers put in a series of incentives and punishments that can help inform your best practices compliance program up to this day. First, and foremost, Venice forbade any skilled worker from leaving the city to go to work at a neighboring or rival city; the first non-compete and still widely used by corporate America today. Second was the punishment that if you were caught passing secret, you were summarily executed only after excruciating torture; while these techniques are not as widely used by corporate America today I am sure there are some non-enlightened corporate leaders who might like to re-institute one or both practices.

However over on the incentive side there were several mechanisms the City of Venice used to help make the Arsenale work force more loyal and desirous to stay in their jobs, all for the betterment of themselves and their city. The first was job security. The Arsenale was so busy for so many years that lay-offs were unheard of. Even if someone lost their job, through injury, mishap or worse; they received enough of compensation that they could live in the city. Finally, when a worker died, the company provided not only funeral expenses but would assist in taking care of the family through stipends or finding other work for family members.

This dual focus on keeping the state secrets of ship building and repair within the City of Venice reminded me of one of the points that representatives of the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) continually remind compliance practitioners about when discussing any best practices compliance program; whether based on the Ten Hallmarks of an Effective Compliance Program, as articulated in their jointly released FCPA Guidance, or some other articulation such as in a Deferred Prosecution Agreement (DPA) Attachment C. They continually remind Chief Compliance Officers (CCOs) and compliance practitioners that any best practices compliance program should have both incentives and discipline as a part of the program.

Regarding disincentives for violating the Foreign Corruption Practices Act (FCPA), the Guidance is clear in stating, “DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropri­ate and clear disciplinary procedures, whether those proce­dures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.”

However, the Guidance is equally clear that there should be incentives for not only following your own company’s internal Code of Conduct but also doing business the right way, i.e. not engaging in bribery and corruption. On incentives, the Guidance says, “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance pro­gram, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern.” But the Guidance also recognizes that incentives need not only be limited to financial rewards as sometime simply acknowledging employees for doing the right thing can be a powerful tool as well.

All of this was neatly summed up in the Guidance with a quote from a speech given in 2004 by Stephen M. Cutler, the then Director, Division of Enforcement, SEC, entitled, “Tone at the Top: Getting It Right”, to the Second Annual General Counsel Roundtable, where Director Cutler said the following:

[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an ac­ceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his win-loss record.

All of this demonstrates that incentives can take a wide range of avenues. At the recently held ACI FCPA Bootcamp in Houston, TX, one of the speakers said that the Houston based company Weatherford, annually awards cash bonuses of $10,000 for employees who go above and beyond in the area of ethics and compliance for the company. While some might intone that is to be expected from a company that only recently concluded a multi-year and multi-million dollar enforcement action; as the speaker said if you want emphasize a change on culture, not much says so more loudly than awarding that kind of money to an employee.

While I am sure that being handed a check for $10,000 is quite a nice prize, you can also consider much more mundane methods to incentivize compliance. You can make a compliance evaluation a part of any employee’s overall evaluation for some type of year end discretionary bonus payment. It can be 5%, 10% or even up to 20%. But once you put it in writing, you need to actually follow it.

But incentives can be burned into the DNA of a company through the hiring and promotion processes. There should be a compliance component to all senior management hires and promotions up to those august ranks within a company. Your Human Resources (HR) function can be a great aid to your cause in driving the right type of behavior through the design and implementation of such structures. Employees know who gets promoted and why. If someone who is only known for hitting their numbers continually is promoted, however they accomplished this feat will certainly be observed by his or her co-workers.

Just as the fathers of Venice viewed the workers of the Arsenale as critical to the well-being of their city, senior managers need to understand the same about their work force. In places like Texas, employees typically are incentivized with some enlightened remark along the lines of “You should just be happy you even have a job.” Fortunately there are real world examples of how corporate incentives can work into a compliance regime. The City of Venice long ago showed how such incentives could help it maintain a commercial advantage. Fortunately the DOJ and SEC still understand those valuable lessons and continue to talk about them as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 5, 2015

Selfie-Sticks and Risk Assessments

Selfie-StickGreetings from Venice and a big thanks to Joe Oringel at Visual Risk IQ for allowing my to post his five tips on working with data analytics while I was on holiday in this most beautiful, haunting and romantic of cities. While my wife and I have come here several times, we somehow managed to arrive on the first weekend of Carnivale, without knowing when it began. On this first weekend, the crowds were not too bad and it was more of a local’s scene than the full all out tourist scene.

As usual, Venice provides several insights for the anti-corruption compliance practitioner, whether you harbor under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, both, or some other such law. One of the first things I noticed in Venice was the large number of selfie-sticks and their use by (obviously) tourists. But the thing that struck me was the street vendors who previously sold all manner of knock-off and counterfeit purses, wallets and otherwise fake leather goods had now moved exclusively to market these selfie-sticks. Clearly these street vendors were responding to a market need and have moved quickly to fill this niche.

While the economics, inventory, bureaucracy, market-responsiveness of such businesses may be a bit more nimble than the more traditional US entity doing business overseas it does bring up a very good lesson for the compliance practitioner. A risk assessment is a tool for a variety of purposes. Certainly moving into a new geographic area is an important reason to perform a risk assessment. However, it can also be used for a new product offering, such as a selfie-stick. As stated in the FCPA Guidance, “As a company’s risk for FCPA violations increases, that business should consider increasing its compliance procedures, including due diligence and periodic internal audits. The degree of appropriate due diligence is fact-specific and should vary based on industry, country, size, and nature of the transaction, and the method and amount of third-party compensation. Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs. When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

So what if your company comes to market with a new product or, in the case of the Venetian street merchants, move to sell a product for the first time even if the product is not exactly ‘new’. Obviously you will need to consider all government touch points that could bring you into potential violation under the FCPA. You should determine not only what licenses you will need but also how you will obtain them. Avon has come to over $500MM in FCPA grief by paying bribes to obtain licenses (and then doubling down by going full Watergate in its cover-up). Wal-Mart is alleged to have gotten into hot water in Mexico for paying bribes to obtain permits to do business in that country. So will your company obtain these licenses directly or use a third party to obtain them?

What about continued quality control of your new product? If you are in the food product industry this will mean continued inspections of your products to assure they meet government standards. Make sure that you have a hiring process in place to weed out the wives, sons or daughters of any food service inspectors. Of course, do not hire such inspectors for jobs directly either, especially if they do not have to show up or perform any duties to get paid by your company.

If you are not going to manufacture your selfie-stick equivalent in the country where these new products will be sold, how will you import them? Who will be interfacing with the foreign government on tax issues for importing of products? Will they be there permanently or on a temporary basis? All questions that have gotten US companies into FCPA trouble when they paid bribes to answer, assuage or grease some or all of the answers.

It turns out the compliance practitioner can learn quite a bit from the selfie-stick; not all of it is simple self-indulgence. Your compliance program must respond to your business initiatives. To do so, you also need to have a seat that the big boy table where such initiatives are discussed. But that is another lesson from Venice for a different day. Until then, ciao.TexasBarToday_TopTen_Badge_Large

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 5,079 other followers