FCPA Compliance and Ethics Blog

July 24, 2015

The Kitchen Debate Presages the FCPA Compliance and Ethics Report

Filed under: FCPA,FCPA Compliance and Ethics Report — tfoxlaw @ 7:31 am

Kitchen DebateOn this day in 1959, occurred one of the more iconic events of the Cold War, that being the Kitchen Debate between US Vice President Richard Nixon and Soviet leader Nikita Khrushchev. It was called ‘The Kitchen Debate’ because it occurred in a US exhibition in Moscow, showing casing American domestic scullery esthetics, in the form in the kitchen of a model home built in the exhibition, where the two men went at each other. Nixon suggested that Khrushchev’s constant threats of using nuclear missiles could lead to war, and he chided the Soviet for constantly interrupting him while he was speaking. Taking these words as a threat, Khrushchev warned of Nixon and America of “very bad consequences.” Perhaps feeling that the exchange had gone too far, the Soviet leader then noted that he simply wanted “peace with all other nations, especially America.” Nixon rather sheepishly stated that he had not “been a very good host.” Whether the world pulled back from the brink of war in this model home’s kitchen or not will never be known.

One thing that is known, however is that the recent podcasts, up on the FCPA Compliance and Ethics Report, continue to bring some of the most relevant and unique voices and issues to the Foreign Corrupt Practices Act (FCPA) and anti-corruption discussion. If you have never listened to any of my podcasts I would urge you to check them out on the website highlighted above or by going to iTunes and searching for the podcast name and subscribing. The price is certainly right, as all of the podcasts are available at no cost.

Some of my recent highlights are:

Episode 180-I discuss the recently announced FCPA Master Class training I will begin in September, detailing the highlights and the great course material you have come to expect from my blogsite, books, white papers, eBooks and other publications I put out.

Episode 179-Tim Peterson, a partner at Murphy and McGonigle, discusses the ever-growing FIFA bribery scandal and what it may mean for US companies. As a former SEC lawyer and current white collar practitioner, Tim brings a unique perspective to the ongoing discussion around the burgeoning affair. He explains its importance to both the US and international fight against corruption

Episode 178-Dr. Ben Locwin joined me to provide some of his unique insight into risk assessments. Ben is a true thought leader around business process and practices. He writes, speaks and consults extensively in this area, in the pharmaceutical industry. He has thought about and written extensively on risk assessments and he brings an interesting perspective to this discussion, outside of the traditional anti-corruption compliance practitioner approach.

Episode 177-tone in an organization. I explore how a compliance function can help to create and move an appropriate culture of compliance throughout a company. By creating a tone from the top, into the middle and down to the shop floor you can burn compliance into the very DNA of your organization. Learn how in this podcast.

Episode 176-Tim Treanor was the lead counsel for PetroTiger in its FCPA investigation and held the company to sustaining a Declination from the Department of Justice to prosecute the company. This Declination was recieved in the face of the company’s three top executives pleading guilty to FCPA violations. Tim has called this case one of the most significant corporate enforcement stories of the past several years. Tune in to this podcast to hear Tim explain how he achieved this result and why he deems it so important. Every CCO and compliance practitioner needs to listen to Tim’s recap of this matter.

Episode 175-well known lawyer and law firm consultant Debra Bruce visits with me about the dynamics of law firm funding outside the US and how she believes it will change not only the practice of law in the US but how it could well change the delivery of legal and compliance services going forward. Any lawyer in private practice or in-house needs to understand the dramatic changes that are occurring in the financing of law firms outside the US and how those changes will come to this country.

Episode 174-Compliance Week Managing Editor Matt Kelly returns to talk about the 5th anniversary of the Dodd-Frank Act, what it got right and where there is room for improvement. He also discusses Uber and compliance in an interesting analysis of Uber’s conundrum with the California Labor Board over an employee.

Episode 173-Adam Turteltaub joins me to preview some of the upcoming SCCE Institutes and discusses the 2015 Compliance and Ethics Institute to be held October 4-7 in Las Vegas. Adam highlights some of the keynote speakers and unique opportunities for compliance practitioner to work, learn and commiserate together.

Episode 172-in a ‘must listen’ for any Chief Compliance Officer or compliance practitioner, Scott Killingsworth visits the podcast to discuss the recent SEC enforcement efforts against CCOs individually and what it may mean for compliance practitioners going forward. He reviews the underlying facts and how the enforcement actions appear to be different from the SEC’s stated position how and when CCO’s will be prosecuted.

The above list is but a short summary of some of my recent podcasts. The FCPA Compliance and Ethics Report is the only podcast dedicated to the FCPA, anti-corruption, compliance and ethics. The episodes are all under 30 minutes so they are easy listening on the commute to work, at the gym or even walking around the neighborhood. If you have not done so, you should go over and take a listen.

Finally a huge shout out to my friend and colleague the FCPA Professor on turning 6 today. He brings a unique and distinctive voice to the FCPA discussions.

 

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 23, 2015

Selecting Compliance Counsel

Filed under: FCPA,Legal Fees,Outside Counsel — tfoxlaw @ 12:01 am

Dollar Signs in EyesI have often wondered who is FCPA Inc. and perhaps even how I might join this seemingly august fraternity if they do allegedly make so much money, as some commentators regularly deride FCPA Inc. for the seemingly outlandish fees they charge for doing Foreign Corrupt Practices Act (FCPA) investigations, remediation, negotiations with the government and the provision of other FCPA or compliance services. Yet there is another way to consider how companies could obtain their compliance services. I recently read a couple of blog post by James J. Stapleton, the Chief Business Development and Marketing Officer at Dickinson Wright PLLC, where he laid out his thoughts on how an in-house counsel can think through obtaining legal services. I have adapted Stapleton’s articles for the compliance practitioner.

In a blog post, entitled “Selecting law firms to propose on your work”, Stapleton reviewed how you might think about law firms you might want to bid on your legal work. He initially looks at the law firm perspective when he says, “I have known some very successful law firm partners who feel that the most important question during the proposal process is not “what does the client want?” but “who else is being considered for the work?” Why? Because everything law firms do is affected by their competition; their fees, their service mix, their client care and all other elements that make up the competitive profile of a specific law firm. Even if an attorney has just a rudimentary understanding of the competition, he should have a strong idea as to their respective strengths and weaknesses.”

Stapleton believes that as an in-house counsel and purchaser of compliance services, it benefits you to do two things to improve your chances of landing the best relationship. First, if you only have two or three firms proposing, you should not share the names of all bidding firms, particularly if they have similar profiles. If you have four or more firms (assuming from different categories of legal service providers), then he suggests going ahead and sharing the names of all competing firms. He then lays out some ranking criteria for you to consider when you are getting ready to request bids for your compliance work.

  • Leader in the field. The firm should be considered the natural leader for your compliance work. He does note however, that this “may be among the priciest of alternatives.”
  • First Challenger. The second firm you consider, option #1a to #1. It should be almost as good as the leader for your work, and even superior in some important ways, but perhaps not quite as impressive a brand name in FCPA Inc.
  • Smaller firm with a more optimal cost/service mix. If the first two firms are in the AmLaw 100, this is your AmLaw 200 choice. It should still be an exceptional firm with a solid if not great reputation. However Stapleton notes, “it has some holes, but will have a more appealing fee structure in comparison to services needed.”
  • Maverick Massive. Given the fact that AmLaw 100 firms have taken a beating on fees over the past few years, some of them may bend over backwards to attract clients. The local office of a large national or international firm may not match up as well as the other competing firms based upon local resources, but they are hard to beat if they decide that they really want a client. Use this economic reality to negotiate a more palatable fee structure.
  • Non-traditional firms. Some firms, such as Baker & McKenzie, offer a compliance consulting practice that you can engage. There are other firms who have created similar consulting arms. While they are usually run by lawyers, as entities they may not be able to provide the attorney/client privilege, yet you may have compliance related work where this is an acceptable trade-off.
  • Boutique. Just as my law firm, TomFoxLaw, is a boutique law firm, there are others in the compliance space. Many of these types of firms can work with you on creative billing arrangements or fee structures yet can bring to bear some of the top compliance talent in the country. (Think the Volkov Law Group.)
  • Incumbent. Most interestingly, Stapleton says that even if “you may be privately thinking of them as “the-firm-that-I-am-about-to-fire,” but I would include them in the mix for two reasons; first, because the incumbent is often willing to bend over backwards to retain work, particularly if they are just starting to realize that there are service problems in the relationship. And second, you’ll want the other firms to know that the incumbent is being considered. That will help keep them honest.”

He ends by noting that you should let each of the firms or consulting entities know other firms or consulting entities you are inviting to bid. As the law firms should know their competition well, it serves for you as an indicator to the law firms as to what you consider to be important criteria for your decision. Stapleton believes that “each of these steps are designed to help you find a mix of law firms that is optimal for your needs. The legal profession is competitive, and as a consumer of legal services you can leverage that competition to achieve the best possible output. Your company’s leadership will generally support this approach, given the attention you are paying to being cautious with corporate resources.”

In a second blog post, entitled “The RFP for Outside Counsel”, Stapleton laid out his thoughts around some items an in-house counsel should require from a prospective outside compliance counsel in the form of a Response to Request for Proposal (RFP). He suggests that every RFP for outside compliance counsel you send out should contain some basic elements, as follows:

  1. Description of compliance services (what your company needs).
  2. Desired pricing format (fixed, time & expense, contingent, hybrid, etc. and whether you want a variety of options or a single fee).
  3. Team biographies and expertise specific to your key needs.
  4. Representative experience base.
  5. Conflict check procedures and timeline.
  6. Describe their access to your compliance team in order to address questions requesting clarification of your needs specific to their RFP response.
  7. Timeline of the compliance selection process. The timeline should include Q&A, accessibility to compliance counsel, response times for each stage of the proposal, etc.

Once he got past the basics, Stapleton added some further requirements for a RFP:

  1. Description of their desired client service, client satisfaction and formal feedback processes.
  2. Questions surrounding how a new law firm will learn your company, industry, competitors and markets and who pays for the time involved in that process.
  3. Preventative measures that the firm commonly employs with clients; e.g.: What training does the firm offer clients?
    • How do they handle planning sessions?
    • What training does the firm offer clients?
    • What is their approach to reviews of your internal processes?
    • Who do they handle risk assessments?
  4. How do they communicate with you about fees, in terms of fee raises, billings above the proposed fee, collections and so forth?
  5. Description of their quality assurance processes.
  6. Description of their team management process; e.g.,
    • What will be the level of attorneys assigned to your work?
    • What is their criteria for selecting the attorneys?
    • What degree of control do you have over attorney selection?
  7. Describe their specific experience in your industry, including an understanding of your business drivers.
  8. Some clients map out the decision process for law firms. They may give the firm a formal list titled “Here’s what it will take to win our work.”
  9. Separate from bios, a client may require Subject Matter Experts with specific qualifications.

Finally, for companies more mature in the RFP for compliance services process, Stapleton added some “more far-ranging sections on their RFPs, including”:

  1. A more tightly defined description of compliance services (what you need, more refined)
  2. A formal service expectations agreement. If the client drafts their service expectations, they will have greater controls over their actual service levels.
  3. Along those same lines, some clients request bilateral client feedback. In other words, they request not just client feedback forms for themselves, but they request external counsel to rate themselves, then compare the two responses. Makes for very fruitful discussions.
  4. “Describe how (name of firm) would approach…” (describe three situations; one past that didn’t work out, one present, one likely to occur in future). In other words, treat the RFP as a learning experience. Get some insights as to how the new firm is likely to approach your legal issues.
  5. What is your proposed team composition, how was it determined and who determines it in the future?
  6. Give examples of business acumen; e.g., business advice you have rendered with respect to legal issues. The best service providers are additive to the business, they will have a broader understanding of the business problems surrounding your legal issues.

I particularly agreed with Stapleton’s final touch in which he says you should always “ask the question: “What will we lose if we don’t select your firm?””

I found Stapleton’s ideas very intriguing for the Chief Compliance Officer (CCO) or compliance practitioner. He certainly lays out some strategies you might be able to employ to help ameliorate the cost of your compliance services, even if they are obtained from the amorphous FCPA Inc. Finally, if FCPA Inc. is accepting new members, please let me know as I would love to join y’all.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 22, 2015

Introducing FCPA Master Class Training

TrainingI am pleased to announce the initiation of my FCPA Master Class training sessions. I will put on a two-day Foreign Corrupt Practices Act (FCPA) training class, which will be unlike any other class currently being offered. The focus of the FCPA Master Class will be on the doing of compliance. For it is only in the doing of compliance that companies have a real chance of avoiding FCPA liability.

The FCPA Master Class will provide a unique opportunity for any level of FCPA compliance practitioner, from the seasoned Chief Compliance Officer (CCO) to the practitioner who is new to the compliance profession. If you are looking for a training class to turbocharge your knowledge on the nuts and bolts of a FCPA compliance program going forward, this is the class for you to attend.

As one of the leading commentators in the FCPA compliance space for several years, I will bring a unique insight of what many companies have done right and many have done not so well over the years. This professional experience has enabled me to put together a unique educational opportunity for any person interested in FCPA compliance. Simply stated, there is no other FCPA training on the market quite like it. Armed with this information, at the conclusion of the FCPA Master Class, you will be able to implement or enhance your compliance program, with many ideas at little or no cost.

The FCPA Master Class will move from the theory of the FCPA into the doing of compliance and how you must document this work to create a best practices compliance program. Using the Ten Hallmarks of an Effective Compliance as a guide, you will learn the intricacies of risk assessments; what should be included in your policies and procedures; the five-step life cycle of third party risk evaluation and management; tone throughout your organization; training and using other corporate functions to facilitate cost-effective compliance programs.

Highlights of the will include:

  • Understanding the underlying legal basis for the law, what is required for a violation and how that information should be baked into your compliance program;
  • What are the best practices of an effective compliance program;
  • Why internal controls are the compliance practitioners best friend;
  • How you can use transaction monitoring to not only make your compliance program more robust but as a self-funding mechanism;
  • Your ethical requirements as a compliance practitioner;
  • How to document what you have accomplished;
  • Risk assessments – what they are and how you can perform one each year.

You will be able to walk away from the FCPA Master Class with a clear understanding of what the FCPA is and what it requires; an overview of international corruption initiatives and how they all relate to FCPA compliance; how to deal with third parties, from initial introduction through contracting and managing the relationship, what should be included in your gifts, travel, entertainment and hospitality policies; the conundrum of facilitation payments; charitable donations and political contributions, and trends in compliance. You will also learn about the importance of internal controls and how to meet the strict liability burden present around this requirement of FCPA compliance.

The FCPA Master Class will be based around my book, Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which focuses on the creation, implementation and enhancement of a best practices compliance program. Each participant will receive a copy of my book, as well as all training materials to keep and use for reference purposes going forward.

The first FCPA Master Class will be held in Houston, TX on September 10 and 11 at the offices of Merrill Brink International, 315 Capitol St #210, Houston, TX 77002. A Certificate of Completion will be provided to all who attend in addition to the continuing education credits that each state approves. The cost to attend is $1,195 per person. Group pricing is available. Breakfast, lunch and refreshments will be provided both days. For more information or a copy of the agenda, contact Tom Fox via email at tfox@tfoxlaw.com or telephone at 1-832-744-0264. Additional information and registration details are available on my website, Advanced Compliance Solutions.

There will be additional FCPA Master Class training sessions at other locations across the US later this year. I hope that you can join me for one of them.

 

 

 

 

 

 

To find out what type of student you are, please take this Quiz by clicking here.

July 20, 2015

Farewell to Moe Green and the Promise to Pay a Bribe Under the FCPA

Filed under: FCPA,New York Times,Promise to Pay — tfoxlaw @ 12:01 am
Tags: , , ,

Moe GreeneMoe Green died again yesterday but this time he was not shot through the glasses, it was from cancer and the fictional Las Vegas mobster lived to the ripe old age of 79. Of course I am referring to “Alex Rocco, the veteran tough-guy character actor with the gravelly voice best known for playing mobster and Las Vegas casino owner Moe Greene in The Godfather”. As reported in the Hollywood Reporter, Jeffrey Dean Morgan was quoted as saying, “For those of us lucky enough to get to know Rocco, we were blessed”; “He gave the best advice, told the best and dirtiest jokes and was the first to give you a hug and kiss when it was needed. To know Roc was to love Roc. He will be missed greatly.” But it was his scream of the line, “I buy you out, you don’t buy me out!” in response to a buyout offer from Michael Corleone for which Rocco may well best be remembered in an almost 60 year acting career.

Rocco’s death and Green’s line about offers and counter-offers, with attendant promises to pay, with your life or otherwise, inform today’s blog post. Compliance practitioners will recognize that payments of bribes to foreign government officials, officials of state-owned enterprises, and certain others are illegal under the Foreign Corrupt Practices Act (FCPA), which reads, in relevant part, that: “It shall be unlawful for any issuer which has a class of securities registered pursuant to section 78l of this title or which is required to file reports under section 78o(d) of this title, or for any officer, director, employee, or agent of such issuer or any stockholder thereof acting on behalf of such issuer, to make use of the mails or any means or instrumentality of interstate commerce corruptly in furtherance of an offer, payment, promise to pay, or authorization of the payment of any money, or offer, gift, promise to give, or authorization of the giving of anything of value to…”

The above is the operative prohibition from the FCPA and its violation can lead up criminal sanctions. However, most Chief Compliance Officers (CCOs), compliance practitioners and those practicing in the FCPA space have focused on all of the language except the words promise to pay. The reason would seem straightforward; not until a bribe has been paid would there be evidence sufficient to uphold sanctions under the FCPA. Yet, just as the Rosetta Stone revealed a new source of information long lost to the world, a promise to pay under the FCPA can have just as serious consequences for companies or individuals.

I thought of these issues when I read a recent article in the New York Times (NYT), entitled Scandal Casts Shadow on Private Equity Firm’s Quest for a Bargain, by frequent contributor Steven Davidoff Solomon. In his article, Solomon detailed a transaction by “Cerberus Capital Management, the private equity firm headed by Stephen A. Feinberg, acquired the agency’s Northern Ireland loan portfolio, which had a face value of 4.5 billion pounds (currently about $7 billion), for £1.3 billion in April 2014.”

The FCPA angle came into play because a law firm engaged by Cerberus, Northern Ireland’s Tughans, disclosed “that it had discovered that Mr. Coulter [the now former Managing Partner of Tughans] had diverted the £7 million in professional fees owed to the firm to an account in his name without the knowledge of his partners.” Further, a member of the Republic of Ireland’s parliament, Mick Wallace, “contended that £7 million was put in an offshore bank account on the Isle of Man to pay off an unidentified Irish politician or political party in connection with the Cerberus deal.” Before the money could disappear from the Isle of Man bank account Tughans retrieved it and the firm “parted ways with Mr. Coulter.” Solomon noted that at this time, “no politician has been identified as the potential beneficiary of the £7 million, though speculation is rampant. Police in Northern Ireland have opened a criminal investigation.”

According to Solomon, “Cerberus pointed out in a statement that it has not been accused of any wrongdoing and that it has “zero tolerance for inappropriate or unethical activities. We insist on the same high standards of conduct from our advisers,” it added. “In this matter, as is our standard business practice, we codified these expectations in our engagement letters with our outside advisers so that there was no room for interpretation.” It said it had received assurances from both law firms that they were in compliance with all laws and regulations.”

Henry McDonald, reporting in a The Guardian entitled “Lawyer denies bribery claim over £1bn Irish property sale”, wrote that former Tughans Managing Partner Coulter said, “denied that he or any politician had benefited financially. “The fees payable were paid into a Tughans company account supervised by the firm’s finance team,” he said. “In September 2014, a portion of the fees was retained by Tughans and I instructed Tughans’ finance director to transfer the remaining portion into an external account which was controlled only by me. Not a penny of this money was touched.” Coulter added this rather amazing statement, released through his PR firm, “he had directed the transfer of money for “a complex, commercially and legally sensitive” reason.”

If someone wanted to give a FCPA exam question, where the students had to spot the FCPA issues, this one would probably be about as good as you could dream up. But to think that a law firm’s fee would be put into a bank account in a well-known location which raises as many Red Flags as the Isle of Man, seems stretching things a bit too far. McDonald also reported that the Tughans firm “had passed all documentation relating to this to the Law Society of Northern Ireland. “The firm voluntarily brought the matter to the attention of the Law Society and will continue to cooperate with any inquiry,” it said.” He also noted that Northern Ireland officials had “called in the UK’s National Crime Agency to investigate allegations of bribery and corruption relating to the property deal.”

So what if there had been a promise to pay a bribe, but one was never paid because the money was no longer available in a separate bank account? Under the FCPA, a promise to pay is viewed with equal suspicion as the payment of a bribe. Cerberus is clearly a US entity, so the FCPA would apply. The firm’s expectations of law firms compliance with the FCPA, written into their engagement letter, coupled with the “assurances” the company received from its law firms that it was in compliance with all laws and regulations could protect the firm in a FCPA investigation. But we do have at least one person, Irish Parliament member Mick Wallace, saying the money was put into the Isle of Man bank account to pay off an Irish politician or political party. If there was a promise to pay, the result under the FCPA could be the same as if there was an illegal payment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 17, 2015

Great Structures Week V – The Tacoma Narrow Bridge Failure and Preventing Failure in Your Compliance Program

Tacoma Narrows BridgeI conclude my Great Structures Week with a focus on structural engineering failures: suspension bridges and the challenges of wind in their construction and maintenance. I am drawing these posts from The Great Courses offering, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. In his chapter on suspension bridges he notes that the “Tacoma Narrows Bridge was the third longest span in the world when it opened to the world, this month of July in 1940.” Yet it collapsed only four months later, in one of the most famous visual images of a bridge’s collapsing. This is due to the “inherent flexibility of cable as a structural form”. A bridge can move in longitudinal vibration, that is up and down and in torsion, where it twists from side-to-side.

Most people recognize unstiffened suspension bridges as old as man and engineering itself. It was not until the 1820s that serious study was brought to bear on the issue of wind-related collapse of suspension bridges. The initial solution was to simply use more weight to reinforce the span. However, while that solution did bring some stability, it reinforced damage as the structure became a textbook example of Newton’s Second Law of Motion, which states that the acceleration of an object is dependent upon two variables – the net force acting upon the object and the mass of the object; meaning that once a heavy weight is in motion, it is more resistant to deceleration.

Yet it was scientific methodology that led to the disaster with the Tacoma Narrows Bridge. An engineer named Leon Moisseiff had developed a theory that long spanned suspension bridges were heavy enough that they did not require stiffening trusses because “their mass stabilized them against wind-induced vibrations.” However this theory failed to take into account how air flows around a bridge and the “dynamic response of the structural system.” Ressler concludes this section by stating, “this case has become a classic symbol of the dangers of arrogance born of overconfidence in science-based design methods, and belt-and-suspenders engineering has made a bit of a comeback.”

I thought about the catastrophic failure of the Tacoma Narrows Bridge in the context of one of the greatest risks in Foreign Corrupt Practices Act (FCPA) compliance; that being third parties. Many non-compliance corporate employees assume that if a third party passes due diligence muster; they are in the clear. After all, you cannot stop a third party from making a bribe or other corrupt payment. Fortunately the Department of Justice (DOJ) does not take such a myopic view as many business types. Under the FCPA, a company is responsible for the actions of its third party representatives.

The real work around your third party compliance program begins after the contract is signed and it is in the management of the third party relationship. While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

Carol Switzer, writing in the Compliance Week magazine, set out a five-step process for managing corruption risks, which I have adapted for third parties.

  1. Screen – Monitor third party records against trusted data sources for red flags.
  2. Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
  3. Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
  4. Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
  5. Audit – Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Additionally there several different functions in a company that play a role in the ongoing monitoring of the third party. While there is overlap, I believe that each role fulfills a critical function in any best practices compliance program. 

Relationship Manager

There should be a Relationship Manager for every third party which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. This role can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party. 

Oversight Committee

A company can have an Oversight Committee review documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.

Audit

A key tool in managing the relationship with a third party post-contract is auditing the relationship. I hope that you will have secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed.

Perhaps now you will understand why I say that managing the relationship of your third party’s is where the real work of your FCPA compliance program comes to the fore. It also demonstrates a key difference in having a paper compliance program and doing compliance. Having a paper compliance program is simple but doing compliance is not always easy; you have to work at it to maintain an effective program.

I hope that you have enjoyed this week’s offering based around some of the world’s greatest structures, their engineering concepts and innovations and how they all related to a best practices compliance program. I am a huge fan of The Great Courses offerings and if you are interested in learning in a great many areas it is one of the best resources available to you. For a more detailed discussion of how you can develop and implement a best practices anti-corruption compliance program, I hope you will check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

For a dramatic video of the collapse of the Tacoma Narrows Bridge on YouTube, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 16, 2015

Great Structures Week IV – The Gothic Cathedral and Compliance Incentives

Our Lady at ChartresI continue my Great Structures Week with focus on great structural engineering and its innovations in the medieval world – that being the Gothic Cathedral. I am drawing these posts from The Great Courses offering, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. When it comes to Gothic Cathedrals, Ressler notes that they are a rich case study in the development of “architecture and the limits of empirical design, literally written into the walls of the buildings.”

The innovation of the Gothic Cathedral was to use elements of the Roman basilica but to add “height and light, featuring ever taller naves, pierced by ever-larger clerestory windows, and delineated by ever-more-slender engaged columns”. The first innovation came with the pointed arch followed by ribbing on the columns to help stiffen and strength them more effectively. However the truly dynamic innovation was the creation of flying buttresses, which were huge additional columns outside the structure yet were designed to become load-bearing members so the highest point inside the cathedrals could be filled by light through ornately stained glass windows. Two of the finest examples of these Gothic Cathedrals are both found in France. They are the Cathedral of Our Lady at Chartres and Cathedral of St. Stephens at Bourges.

Just as the medieval world built up the structural engineering techniques from their forebears, as your compliance regime matures you can implement more sophisticated strategies to make your Foreign Corrupt Practices Acct (FCPA) compliance program a part of the way your company does business. Using an article in the Spring 2014 issue of the MIT Sloan Management Review, entitled “Combining Purpose with Profits”, as a basis, I have developed six core principles for incentives, for the compliance function in a best practices compliance program.St. Stephens at Bourges

1. Compliance incentives don’t have to be elaborate or novel. The first point is that there are only a limited number of compliance incentives that a company can meaningfully target. Evidence suggests the successful companies are the ones that were able to translate pedestrian-sounding compliance incentive goals into consistent and committed action.
2. Compliance incentives need supporting systems if they are to stick. People take cues from those around them, but people are fickle and easily confused, and gain and hedonic goals can quickly drive out compliance incentives. This means that you will need to construct a compliance function that provides a support system to help them operationalize their pro-incentives at different levels, and thereby make them stick. The specific systems which support incentives can be created specifically to your company but the key point is that they are delivered consistently because it signals that management is sincere.
3. Support systems are needed to reinforce compliance incentives. One important form of a supporting system for compliance incentives “Is to incorporate tangible manifestations of the company’s pro-social goals into the day-to-day work of employees.” Make the rewards visible. As stated in the FCPA Guidance, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
4. Compliance incentives need a “counterweight” to endure. Goal-framing theory shows how easy it is for compliance incentives to be driven out by gain or hedonic goals, so even with the types of supporting systems it is quite common to see executives bowing to short-term financial pressures. Thus, a key factor in creating enduring compliance incentives is a “counterweight”; that is, any institutional mechanism that exists to enforce a continued focus on a nonfinancial goal. This means that in any financial downturn compliance incentives are not the first thing that gets thrown out the window and if my oft-cited hypothetical foreign Regional Manager misses his number for two quarters, he does not get fired. So the key is that the counterweight has real influence; it must hold the leader to account.
5. Compliance incentive alignment works in an oblique, not linear, way. The authors state, “In most companies, there is an implicit belief that all activities should be aligned in a linear and logical way, from a clear end point back to the starting point. The language used — from cascading goals to key performance indicators — is designed to reinforce this notion of alignment. But goal-framing theory suggests that the most successful companies are balancing multiple objectives (pro-social goals, gain goals, hedonic goals) that are not entirely compatible with one another, which makes a simple linear approach very hard to sustain.” What does this mean in practical terms for your compliance program? If you want your employees to align around compliance incentives, your company will have to “eschew narrow, linear thinking, and instead provide more scope for them to choose their own oblique pathway.” This means emphasizing compliance as part of your company’s DNA on a consistent basis — “the intention being that by encouraging individuals to do “good,” their collective effort leads, seemingly as a side-effect, to better financial results. The logic of “[compliance first], profitability second” needs to find its way deeply into the collective psyche of the company.”
6. Compliance incentive initiatives can be implemented at all levels. Who at your company is responsible for pursuing compliance incentives? If you head up a division or business unit, it is clearly your job to define what your pro-social goals are and to put in place the supporting structures and systems described here. But what if you are lower in the corporate hierarchy? It is tempting to think this is “someone else’s problem,” but actually there is no reason why you cannot follow your own version of the same process.

Looking for some specific compliance obligations to measure against? You could start with the following examples of compliance obligations that are measured and evaluated.

For Senior Management

• Lead by example in your own conduct and in the decisions you take, to the resources and time you commit to compliance.
• Facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally.
• Support specific initiatives from the Chief Executive Officer (CEO), legal and compliance functions.

For Middle Management

• Demonstrate, facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally.
• Support specific initiatives from the legal and compliance functions.
• Ensure that all employees, agents and contractors directly or indirectly reporting to you fully complete all required training and communications in a timely manner.
• Provide full cooperation with investigations conducted by the compliance or legal functions of any alleged violation of compliance policies.
• Include the Chief Compliance Officer (CCO) or another legal or compliance function representative in your management meetings at least twice per year, per geography.
• Identify instances of non-compliance and support compliance monitoring and reporting systems.
• Partner with compliance in resolving compliance issues.

For Business Development or Company Sales Representatives

• Certify that all employees, agents and contractors directly or indirectly reporting to you have fully reported all sales and marketing interactions with all government officials in a timely manner.
• Certify that all employees, agents and contractors directly or indirectly reporting to you have fully, promptly and accurately reported all expenses with third party sales representatives have occurred.

The Gothic Cathedral is one of the greatest structural engineering feats mankind has ever created. It combined a dimension of height not surpassed for nearly 1000 years with an ingress of light not previous seen in structures. This use of light facilitated the development of the artistry of stained-glass windows.

For a review of what goes into the incentive structures of a best practices compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2015

July 15, 2015

Great Structures Week III – The Roman Arch and Resourcing Your Compliance Program

Pont du Gard aqueductI continue my Great Structures Week with focus on structural engineering innovations from ancient Rome. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler who said “When I think of Rome, the first image that comes to mind is an arch.” It is present in aqueducts, in the triumphal arches that adorn the city of Rome, in the city gates and even in the Coliseum.

The arch was a major engineering advancement because the prior method for traversing horizontal distance was the beam, which was limited in its use. Ressler notes “because the arch carries its load entirely in compression, its span isn’t limited by the tensile strength of the material, the size of its stones, and it can span greater distances which might be conceived of with stone beams”. The arch itself has two essential characteristics. First it carries an entire load in compression, that is it counter-balances against itself, which allows for construction using the most basic building materials known in the ancient world: stone, brick and concrete.Arch of Titus

Yet the second characteristic of the arch is equally significant. An arch requires “both vertical and horizontal reactions to carry a load. The downward load of the arch is balanced by an upward reaction from the base”. Both the Arch of Titus and Pont du Gard aqueduct are still standing and can be seen today as magnificent examples of this Roman innovation.

I wanted to use the dual load system whereby an arch supports not only great weight but also esthetic engineering designs to discuss how a Chief Compliance Officer (CCO) or compliance practitioner might develop resources to implement a best practice anti-corruption compliance program under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery law. Funding of a compliance program is always one of the biggest challenges. Short of being in the middle of a worldwide FCPA, UK Bribery Act or other anti-corruption investigation, you are never going to receive all the funding you want or even think that you are going to need.

However, this corporate reality is not going to save you if the government comes knocking. The FCPA Guidance provides the following, “Moreover, the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

Stephen Martin often says that an inquiry a prosecutor might make is along the lines of the following. First what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure), the next inquiry would be, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. Then the KO punch question would be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, most companies spent far more on Post-It Notes than they were willing to invest into their compliance program.

However this corporate reality will allow you to look to other areas to assist the compliance function. An obvious starting place is Human Resources (HR). There are several areas in which HR can bring expertise and, in my experience, enthusiasm to the compliance function. Some of the reasons include the fact that HR is physically located at or touches every site in the company, globally. HR is generally seen as more approachable than many other departments in a company, unfortunately including compliance. A person’s first touch point with a company is often HR in the interview process. If not in the interview process, it is certainly true after a hire is made. Use this approachability.

HR has several key areas of expertise, such as in discrimination and harassment. But beyond this expertise, HR also has direct accountability for these areas. It does not take a very long or large step to expand this expertise into assistance for compliance. HR often is on the front line for hotline intake and responses. These initial responses may include triage of the compliant and investigations. With some additional training, you can create a supplemental investigation team for the compliance department.

Clearly HR puts on training. By ‘training the trainers’ on compliance you may well create an additional training force for your compliance department. HR can also give compliance advice on the style and tone of training. This is where the things that might work and even be legally mandated in Texas may not work in other areas of the globe; advice can be of great assistance. But more than just putting on the training, HR often maintains employee records of training certifications, certifications to your company’s Code of Conduct and compliance requirements. This can be the document repository for the Document, Document, and Document portion of your compliance program.

Internal Audit is another function that you may want to look at for assistance. Obviously, Internal Audit should have access to your company’s accounting systems. This can enable them to pull data for ongoing monitoring. This may allow you to move towards continuous controls monitoring, on an internal basis. Similarly, one of the areas of core competency of Internal Audit should also be internal controls. You can have Internal Audit assist in a gap analysis to understand what internal controls your company might be missing.

Just as this corporate function’s name implies, Internal Audit routinely performs internal audits of a company. You can use this routine job duty to assist compliance. There will be an existing audit schedule and you can provide some standard compliance issues to be on each audit. Further, compliance risks can also be evaluated in this process. Similar to the audit function are investigations. With some additional training, Internal Audit should be able to assist the compliance function to carry out or participate in internal compliance investigations. Lastly, Internal Audit should be able to assist the compliance function to improve controls following investigations.

A corporate IT department has several functions that can assist compliance. First and foremost, IT controls IT equipment and access to data. This can help you to facilitate investigations by giving you (1) access to email and (2) access to databases within the company. Similar to the above functions, IT will be a policy owner as the subject matter expert (SME) so you can turn to them for any of your compliance program requirements, which may need a policy that touches on these areas. The final consideration for IT assistance is in the area of internal corporate communication. IT enables communications within a company. You can use IT to aid in your internal company intranet, online training, newsletters or the often mentioned ‘compliance reminders’ discussed in the Morgan Stanley Declination.

Finally, do not forget your business teams. You can embed a compliance champion in all divisions and functions around the company. You can take this a step further by placing a Facility Compliance Officer at every site or location where you might have a large facility or corporate presence. Such local assets can provide feedback for new policies to let you know if they do not they make sense. In some new environments, a policy may not work. If your company uses SAP and you make an acquisition of an entity which does not use this ERP system, your internal policy may need to be modified or amended. A business unit asset can also help to provide a push for training and communications to others similarly situated. One thing that local compliance champions can assist with is helping to set up and coordinate personnel for interviews of employees. This is an often over-looked function but it facilitates local coordination, which is always easier than from the corporate office.

All of these other corporate functions can greatly assist you in the actual doing of compliance. Moreover, in a resource-constrained environment, these other corporate disciplines can be used to strengthen your compliance program, in a manner similar to vertical and transverse integration of structural integrity presented in an arch. Finally, just as the arch utilized some of the most basic construction elements in existence, by using the other corporate disciplines, engaging in precisely their corporate functions, you can create a strong foundation in your compliance program going forward.

For a more detailed discussion of how you can internally resource your FCPA compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 14, 2015

Great Structures Week II – Structures from Ancient Egypt and Greece

great pyramid of giza

I continue my Great Structures Week with a focus on great structures from the earliest times, ancient Egypt and Greece. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. From Egypt there are of course the Pyramids, of which Ressler says, “They’re important, not just because they’re great structures, but also because they represent some of the earliest human achievements that can legitimately be called engineering. The Great Pyramid of Giza stands today as a testament to the strength and durability of Egyptian structural engineering skills.”

From Greece we derive what Vitruvius called the “Empirical Rules for Temple Design” which define a “single dimensional module equal to the radius of a column in the temple portico, then specify all other dimensions of the building in terms of that module.” These rules are best seen in Greek temples, largely consisting of columns, which are defined as “a structural element that carries load primarily in compression” and beams, which are “structural elements subject to transverse loading and carry load in bending.” My favorite example of the use of columns is seen in the Parthenon; the most famous of all Greek temples still standing.

In many ways these two very different structures stand as the basis of all structural engineering and Great Structures that come later throughout history. For any anti-corruption compliance regime based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery statutes, the same is true for a Code of Conduct and written policies and procedures. They are both the building blocks of everything that comes thereafter.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”Parethnon

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, now a partner at Foley & Lardner, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Borrowing from an article in the Houston Business Journal (HBJ) by John Allen, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

  • identify to whom the policy applies;
  • establish the objective of the policy;
  • explain why the policy is necessary;
  • outline examples of acceptable and unacceptable behavior under the policy; and
  • warn of the consequences if an employee fails to comply with the policy.

Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Consider gathering small groups of employees, where detailed questions about policies can be raised and discussed, as a powerful teaching tool. Allen even suggests posting Frequently Asked Questions (FAQ’s) in common areas as another technique. And do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the Department of Justice (DOJ) was that it sent out bi-monthly compliance reminder emails to its employee Garth Peterson for the seven years he was employed by the company.

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

For a review of what goes into the base structures of a best practices compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 13, 2015

Great Structures Week I: Vitruvius, the Brooklyn Bridge and Compliance

Brooklyn BridgeI recently completed a course from The Teaching Company, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. It was a wonderful learning experience about some of the world’s greatest structures and the development of structural engineering throughout history. As I worked my way through the course, it occurred to me that many structural engineering concepts are apt descriptors for an anti-corruption compliance program. So today, I will begin the ‘Great Structures Week’ as an entrée into an appropriate topic for your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption/anti-bribery compliance program. Each day I will discuss a structural engineering concept together with one my favorite examples from Professor Ressler’s course.

To open the series I will consider what makes a structure great. Marcus Vitruvius Pollio (Vitruvius) was a Roman author, architect, and civil engineer during the 1st century BC, known for his work entitled De Architectura. Vitruvius is famous for proclaiming that a structure must exhibit the three qualities of firmitas, utilitas and venustas, meaning that it must be solid, useful and beautiful. These are sometimes termed the Vitruvian Triad and today these are loosely translated that great constructions must have form, function or structure. Form is the arrangement of space and harmony. Function is the measure of usefulness. Structure contains innovative techniques in its creation.

My favorite example of a structure that incorporates all three of these concepts is the Brooklyn Bridge. The beauty of the form follows the functions of the scientific principles that underlie the bridge’s structure. As Ressler noted “Each element of the form of the Brooklyn Bridge serves a structural purpose based on mathematical principles.” First the form itself is one of great beauty. The function remains the same, even if the modes of transport have evolved; the Bridge was designed to carry people from Brooklyn to Manhattan. Yet as Ressler notes, “beyond the aesthetic, these features are a direct reflection of the scientific principles underlying the bridge’s design. They are, in a word, structure – a system of load carrying elements that cause the bridge to stand up.” We have a graceful and elegant design, which operates to safely conduct people over the Hudson River, through an engineering design that allows the structure to act as intended.

This convergence of Vitruvius’ tripartite view of what makes a great structure is an appropriate analogy for a best practices anti-corruption compliance program to facilitate compliance with the FCPA, UK Bribery Act or similar regime. Over the years both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear that each company should have a compliance program that fits its needs. Indeed, in the FCPA Guidance, it could not have been made clearer when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program.” The Guidance goes on to state the obvious when it notes, “companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations”.

The Guidance goes on to note, “Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

Yet when viewed through Vitruvius’ prism, it is clear that an anti-corruption compliance program is much more holistic, with form, function and structure. A good compliance program is really about good financial controls. I think this is one outlook of FCPA compliance which is not discussed enough. Stanley Sporkin, in many ways the progenitor of the law, recognized that if a company was going to engage in corruption it would have to hide such activity through falsified books and records. Hence, he articulated the basis for having the accounting provisions included when Act was originally written and enacted into law. These provisions include both the books and records provision and the internal controls provision. The Guidance says, “the accounting provisions ensure that all public companies account for all of their assets and liabilities accurately and in reasonable detail”. So the form of a compliance program should be largely in financial controls that are baked into a company.

The formula of a compliance program can follow several forms. It can be based on the Ten Hallmarks of an Effective Compliance Program from the FCPA Guidance, the Six Principles of Adequate Procedures as contemplated by the UK Bribery Act; the OECD 13 Good Practices or other formulations such as the Five Elements of an Effective Compliance Program developed by Stephen Martin and Paul McNulty from the law firm of Baker & McKenzie. The form of any of these articulations meets the Vitruvius definition.

Next is the function. Here I think it is appropriate to consider what the FCPA Guidance says regarding internal controls, that being “Internal controls over financial reporting are the processes used by compa­nies to provide reasonable assurances regarding the reliabil­ity of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organi­zation regarding integrity and ethics; risk assessments; con­trol activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitor­ing.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” This language points to function of any best practices compliance program, to make the company a better-run company.

Finally, in the area of structure it is incumbent to recall that any best practices anti-corruption compliance program continues to evolve. It evolves with technological innovations such as transaction or continuous controls monitoring. But a compliance program must evolve as your company evolves. Changing commercial realities and conditions can create new or increased FCPA compliance risks. Your compliance program needs to be able to detect, assess and manage new risk as your business creates new products; moves into new territories or develops new sales channels. The FCPA Guidance states, “They are dynamic and evolve as the business and the markets change.” To do so, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its custom­ers, the laws that govern its actions, and the standards of its industry.”

For a review of what goes into a best practices compliance program, I would suggest you check out my book, entitled “Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 7, 2015

The Sioux at Little Bighorn and Using Risk Going Forward

Scaling the WallI recently wrote about the stupidity of General Custer and the defeat of his Calvary at Little Bighorn as a lead in for the failure to adequately assess and then manage risks in a Foreign Corrupt Practices Act (FCPA) compliance program. I received the following comment from a reader:

As a military history buff, I note that your comments on risk assessment reflect a very limited view of the battle. The Sioux made superb use of reconnaissance, fire and maneuver. The cavalry’s underestimation of the military skills of their Indian enemies were immediately assessed and dealt with aplomb and considerable skill. The great lesson to be learned from the Battle of the Little Big Horn is that there is great opportunity in exploiting the tactical stupidity of the overconfident. Reminds me of Napoleon and Prince Alexander at the Platzen Heights of Austerlitz. 

This comment made an excellent point that risk assessment and risk management are not simply to be viewed as negatives or a drag on business. These concepts are also valid in aiding companies to do business by exploitation of strategic risk. This point was driven home most clearly in the recent book by well-known risk management guru Norman Marks, entitled World-Class Risk Management. 

Marks’ thesis on this issue is that “It is essential that management take enough risk! If they take no risk, the organization will fail. So risk management is about taking the right risks for the organization at the desired levels, balancing the opportunities on the upside and the potential for harm on the downside” [emphasis in original]. I once heard former Chairman of Citigroup, John Reed say the reason a car has brakes is not to make it safer but so that you can drive faster. It is the same concept. FCPA compliance programs are often viewed as brakes on doing business. At best they slow things down and at worst the Chief Compliance Officer (CCO) is Dr. No from the Land of No.

However, as Marks points out in his chapter entitled “What is Risk and Why is Risk Management Important?”, it is a serious flaw to only see risk as a negative and indeed to limit risk management to the negative. He wrote, “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and thereby, creating and preserving value.” He goes on to explain that a company should “understand the uncertainty between where we are and where we want to go so that we can take the right risks and optimize outcomes”.

These outcomes should be determined through an organization determining its risk appetite. Here Marks commented on the definition found in the COSO 2013 Framework for risk appetite by saying it is “the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.” As pointed out by the comment to my blog post on risk assessment and risk management, I focused on risks that were not properly assessed and not properly managed, leading to catastrophic results. But the comment pointed out that when properly used a risk assessment can lead to better management of risk and allow a company to take greater risk because it can manage the scenario more effectively. Marks stated this concept as “think of risk as a range: the low end is the minimum level of risk you are willing to take because you have the ability to accept risk, and recognize that taking the risk is essential to achieving your objective. The high end is the maximum level of risk you can afford to take.”

In the FCPA context, I think this is most clearly seen in the area of third party risk management. There are five steps to the lifecycle of third party management: (1) business justification; (2) questionnaire; (3) due diligence and its evaluation; (4) contract with compliance terms and conditions; and (5) post-contract management. If circumstances are such that you cannot fully perform all five steps to your satisfaction, this puts pressure on the remaining steps. In other words, while your risk may go up if one cannot be fully performed, it may well be that the additional risk can be mediated in another step.

The robustness of your third party risk management program can give you the ability to move forward and use third parties for a business advantage. Say you want to hire a royal family member from a certain foreign country as a third party representative. While at first blush this might seem to be prohibited under the FCPA, there are two Opinion Releases that hold that the mere hiring of a royal family member does not violate the FCPA. In Opinion Release 10-03 the Department of Justice (DOJ) reviewed the following factors of whether a Royal Family Member is a foreign governmental official, the factors were: “(i) how much control or influence the individual has over the levers of governmental power, execution, administration, finances, and the like; (ii) whether a foreign government characterizes an individual or entity as having governmental power; and (iii) whether and under what circumstances an individual (or entity) may act on behalf of, or bind, a government.”

Then in Opinion Release 12-01, the DOJ went further and added a duties test to what was believe to be a status test only. After initially noting that “A person’s mere membership in the royal family of the Foreign Country, by itself, does not automatically qualify that person as a “foreign official”” the DOJ goes on to reiterate its long held position that each question must turn on a “fact-intensive, case-by-case analysis” for resolution. The DOJ follows with a list of factors that should be considered. They include:

  1. The structure and distribution of power within a country’s government;
  2. A royal family’s current and historical legal status and powers;
  3. The individual’s position within the royal family; an individual’s present and past positions within the government;
  4. The mechanisms by which an individual could come to hold a position with governmental authority or responsibilities (such as, for example, royal succession);
  5. The likelihood that an individual would come to hold such a position;
  6. An individual’s ability, directly or indirectly, to affect governmental decision-making; and the (ubiquitous)
  7. Numerous other factors.

Additionally the DOJ recognized some of the risk management techniques that had been put into place by the company requesting the Opinion. These risk management techniques were having a robust anti-corruption compliance program and requiring one from the third party that had employed the royal family member. There was full transparency by the US Company in hiring the royal family member. The compensation was disclosed, was within a reasonable range and was appropriate for the services delivered to the company and the contract between the parties had appropriate FCPA compliance terms and conditions.

I had initially thought that the import of Opinion Release 12-01 was creative lawyering to create a new test around the hiring of royal family member and foreign government officials. However re-reading it in light of the comment to my earlier blog post and of Marks’ book, it can also be seen as an example of how using risk management can be a positive for a business going forward. I would posit to CCOs or compliance practitioners there may be ways to do business in compliance with the FCPA if you think of using your FCPA compliance program as a way to better manage risk to do business rather than simply saying something will violate your compliance program without thinking through how such a compliance risk could be managed effectively.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 5,408 other followers