FCPA Compliance and Ethics Blog

April 15, 2015

Five Step Process for Transaction and Continuous Controls Monitoring

Most Chief Compliance Officers (CCOs) and compliance practitioners understand the need for transaction monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, transaction monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to transaction monitoring, they may not be as aware of how to actually engage in the process. Put another way, how do you develop a methodology for building a transactional monitoring process that yields sustainable, repeatable results?

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained to me that their firm has dissected data analytics and transaction monitoring into a five-step process they call QuickStart, which facilitates applying the process iteratively across a two to four month time frame. These iterations allow for, and reinforce the methodology’s repeated and practical application and reapplication. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Brainstorm

Under this step, the transactional monitoring specialist, a subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the transaction monitoring queries and a prioritization thereof. This initial meeting should include company representatives from a variety of disciplines, including the compliance, audit, IT, legal and finance departments; sales and business development may also need to be considered for this initial brainstorming session.

While the rest of the steps may seem self-evident in any transaction monitoring process, it is the brainstorming step which sets the Visual Risk IQ approach apart. This is because business knowledge is critical to sustaining and improving the transaction monitoring process. And because the process is iterative, periodic meetings to further understand the business pulse allow the most useful data to be monitored through the system. 

Acquire and Map Data

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and how to ensure files are viewable only by team members with a “need to know”. Balancing consists of comparing the number of records, checksums, and control totals of the source file (as computed by the file export) with the re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example, if you are required to obtain year-end data, year-end close could be weeks after the closing entries have actually been recorded, depending on the departments engaged in the year-end processes.
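The balancing check described above, shown as an added example (it is not code from the original post or from Visual Risk IQ). The column names and sample rows are constructed, and the checksum is taken over a canonical form of each row, which is an assumption of this example rather than a stated requirement.

```python
import csv
import hashlib
import io
from decimal import Decimal

# Constructed sample data: a payments extract as written by the source system.
EXPORT = (
    "payment_id,vendor_id,amount\n"
    "P-1001,V-17,1200.00\n"
    "P-1002,V-08,350.50\n"
    "P-1003,V-17,4999.99\n"
    "P-1004,V-23,75.00\n"
)
# Constructed failure cases: one record lost in transfer, and two amounts
# changed by offsetting values so the control total still agrees.
IMPORT_DROPPED = EXPORT.replace("P-1004,V-23,75.00\n", "")
IMPORT_OFFSET = EXPORT.replace("1200.00", "1250.00").replace("4999.99", "4949.99")


def control_totals(csv_text, amount_field="amount"):
    """Compute record count, control total and checksum for one CSV extract."""
    reader = csv.DictReader(io.StringIO(csv_text))
    digest = hashlib.sha256()
    records = 0
    total = Decimal("0")  # Decimal avoids float rounding in money sums
    for row in reader:
        records += 1
        total += Decimal(row[amount_field])
        # Hash a canonical form of the row so that harmless differences
        # (CRLF vs LF line endings, padding) do not cause a false mismatch.
        canonical = "\x1f".join((row[name] or "").strip() for name in reader.fieldnames)
        digest.update(canonical.encode("utf-8") + b"\x1e")
    return {"records": records, "control_total": total, "checksum": digest.hexdigest()}


def balance(source, imported):
    """Return the measures that disagree; an empty list means the file balances."""
    return [k for k in ("records", "control_total", "checksum") if source[k] != imported[k]]


if __name__ == "__main__":
    # In practice the source totals come from the manifest the export job wrote.
    source = control_totals(EXPORT)
    for label, text in [("clean", EXPORT), ("dropped", IMPORT_DROPPED), ("offset", IMPORT_OFFSET)]:
        print(label, balance(source, control_totals(text)) or "balanced")
```

The offsetting case is why all three measures are compared: the record count and control total both agree, and only the checksum shows that the file was altered.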

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple transaction processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Assets Control (OFAC), the Transparency International – Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlations between spending and sales may be significant. Finally, do not forget external data sources such as your third party transactional data. All data should initially be secured and then transmitted to the transaction monitoring tool. Of course, you need to take care that your transaction monitoring tool understands and properly maps this data in the form in which it is submitted.

Write Queries

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the transaction monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:

  • Business courtesies to foreign officials;
  • Payments to brokers or consultants;
  • Payments to service intermediaries;
  • Payments to vendors in high risk markets;
  • Round dollar disbursements;
  • Political contributions or charitable donations; and
  • Facilitation payments.

Analyze and Report

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions, and to report results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next, you should perform a root cause analysis of what you might have uncovered. Finally, at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor-to-employee conflicts. Through such an analysis you determine whether there were incomplete vendor records, whether duplicate payments were made and whether such payments were within your contract’s terms and conditions.

Refine and Sustain

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely if your selected amount was so low that it did not generate sufficient transactions, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.
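Three of the checks named in the Write Queries and Analyze and Report steps (round dollar disbursements, duplicate payments, vendor-to-employee conflicts), with the dollar threshold from this step exposed as a parameter. This is an added example, not code from the original post or from Visual Risk IQ; the schema, the table and column names, the "multiple of $1,000" definition of a round amount and all rows are constructed assumptions.

```python
import sqlite3

# Hypothetical minimal schema; amounts are stored as integer cents.
SCHEMA = """
CREATE TABLE vendors   (vendor_id TEXT PRIMARY KEY, name TEXT, bank_account TEXT);
CREATE TABLE employees (employee_id TEXT PRIMARY KEY, name TEXT, bank_account TEXT);
CREATE TABLE payments  (payment_id TEXT PRIMARY KEY, vendor_id TEXT,
                        invoice_no TEXT, amount_cents INTEGER, paid_on TEXT);
"""

# Constructed sample rows.
VENDORS = [("V1", "Acme Logistics", "ACCT-111"),
           ("V2", "Delta Consulting", "ACCT-222"),
           ("V3", "Harbor Agents", "ACCT-333")]
EMPLOYEES = [("E1", "J. Doe", "ACCT-333"),      # same account as vendor V3
             ("E2", "R. Roe", "ACCT-999")]
PAYMENTS = [("P1", "V1", "INV-100", 183427, "2015-01-12"),
            ("P2", "V2", "INV-200", 5000000, "2015-01-20"),
            ("P3", "V2", "INV-201", 200000, "2015-02-03"),
            ("P4", "V1", "INV-100", 183427, "2015-02-10"),   # repeats P1
            ("P5", "V3", "INV-300", 1000000, "2015-02-18"),
            ("P6", "V1", "INV-101", 41210, "2015-03-01")]


def build_sample_db():
    """Load the constructed rows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vendors VALUES (?, ?, ?)", VENDORS)
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)", EMPLOYEES)
    conn.executemany("INSERT INTO payments VALUES (?, ?, ?, ?, ?)", PAYMENTS)
    return conn


def round_dollar_payments(conn, min_dollars, multiple_dollars=1000):
    """Payments at or above the threshold that are an exact multiple of
    multiple_dollars, largest first so review can be prioritized by size."""
    rows = conn.execute(
        "SELECT payment_id FROM payments "
        "WHERE amount_cents >= ? AND amount_cents % ? = 0 "
        "ORDER BY amount_cents DESC, payment_id",
        (min_dollars * 100, multiple_dollars * 100))
    return [r[0] for r in rows]


def duplicate_payments(conn):
    """Groups of payments sharing vendor, invoice number and amount."""
    rows = conn.execute(
        "SELECT vendor_id, invoice_no, group_concat(payment_id) FROM payments "
        "GROUP BY vendor_id, invoice_no, amount_cents HAVING count(*) > 1 "
        "ORDER BY vendor_id, invoice_no")
    return [(v, inv, sorted(ids.split(","))) for v, inv, ids in rows]


def vendor_employee_conflicts(conn):
    """Vendors whose bank account is also an employee's bank account."""
    rows = conn.execute(
        "SELECT v.vendor_id, e.employee_id FROM vendors v "
        "JOIN employees e ON e.bank_account = v.bank_account "
        "ORDER BY v.vendor_id, e.employee_id")
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    # Raising the threshold from $1,000 to $5,000 shrinks the exception list.
    print(round_dollar_payments(db, 1000), round_dollar_payments(db, 5000))
    print(duplicate_payments(db))
    print(vendor_employee_conflicts(db))
```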

Oringel concluded by emphasizing the iterative nature of this process. If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of transaction monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.

For further information on this process, contact Joe Oringel at Joe.Oringel@VisualRiskIQ.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 13, 2015

Brazilian Corruption Scandal Expands Past Petrobras – Is a FCPA Country Sweep Next?

The Brazilian corruption scandal took a new turn last week, when the Brazilian government announced that it was investigating the country’s health ministry and the state-owned bank Caixa Econômica Federal (Caixa). As reported by Rogerio Jelmayer and Luciana Magalhaes in the Wall Street Journal (WSJ), in an article entitled “Corruption Scandal in Brazil Gets Bigger”, the schemes were similar to those used in the Petrobras scandal, where inflated contracts were awarded to contractors who kicked back the overcharges to those in position to award the business.

This expansion of the Brazilian government investigation is also the first reported instance of companies outside the energy sector or those doing business with the Brazilian state-owned enterprise Petrobras being investigated by the Brazilian government. Over the years there have been several Foreign Corrupt Practices Act (FCPA) enforcement actions regarding US companies doing business in Brazil. With this expansion of the Petrobras corruption scandal to other government departments and state-owned entities, a new chapter may be opening. This new chapter may bring not only Brazilian domestic bribery and corruption scrutiny but also draw the attention of US or UK regulators, such as the Department of Justice (DOJ), Securities and Exchange Commission (SEC) or the UK Serious Fraud Office (SFO).

In the health ministry the area of contracts under investigation were those for advertising. The WSJ article said, “the cost of advertising contracts was inflated by as much as 10%, prosecutors said, with the surplus also passed along to politicians. The health ministry said all its advertising contracts meet the legal requirements, and it will investigate the allegations and cooperate with police and prosecutors.” It certainly is comforting when the government says it will cooperate with investigators.

But perhaps more interesting was the timing of the allegations against the country’s third largest state-owned bank Caixa. While the allegations around the scope and extent of the bribery were similar to those made against the Brazilian health ministry, the declarations of these new investigations coincided with the announcement last week by the government Finance Minister Joaquim Levy and Caixa Chief Executive Officer (CEO) Miriam Belchior for “an initial public offering [IPO] in the insurance joint venture it has with French insurer CNP Assurances.”

What do you think the comfort level will be for institutional investors about now in this IPO? I wonder if under IPO rules and regulations in Brazil, whether the CEO must certify either the financial statement as accurate or that there is no evidence of corruption in the organization? Even those in Brazil recognize the gravity of these allegations against Caixa. Luis Santacreu, a banking analyst at the Brazilian rating agency Austin Ratings, said that he thought this announcement would make the IPO more difficult and “the allegations against Caixa show it needs to improve its governance.”

These two developments demonstrate the difficulties that international companies may have in doing business in Brazil going forward. It is not difficult to believe that a country sweep on those doing business in Brazil, with the Brazilian government or with Brazilian state-owned enterprises, may well be coming. Given the recent 2014 World Cup and the upcoming 2016 Olympics, it would not seem too great a stretch for the DOJ or SEC to begin to look at US companies with significant amounts of commerce with and in Brazil.

While we have not seen evidence of country sweeps to-date, there has been evidence of industry sweeps in FCPA enforcement. The FCPA Professor, in a blog post entitled “Industry Sweeps”, posted an article from FCPA Dean Homer Moyer, entitled “The Big Broom of FCPA Industry Sweeps”. In his article, Moyer said that an industry sweep is the situation where the DOJ and/or SEC will focus “on particular industries – pharmaceuticals and medical devices come to mind — industry sweeps are investigations that grow out of perceived FCPA violations by one company that enforcement agencies believe may reflect an industry-wide pattern of wrongdoing.” Moyer further wrote, “Industry sweeps are often led by the Securities and Exchange Commission (“SEC”), which has broad subpoena power as a regulatory agency, arguably broader oversight authority than prosecutors. They are different from internal investigations or traditional government investigations, and present different challenges to companies. Because the catalyst may be wrongdoing in a single company, agencies may have no evidence or suspicion of specific violations in the companies subject to an industry sweep. A sweep may thus begin with possible cause, not probable cause. In sweeps, agencies broadly solicit information from companies about their past FCPA issues or present practices. And they may explicitly encourage companies to volunteer incriminating information about competitors.”

As a compliance professional, one of the key takeaways from the Brazilian corruption scandal is that you should take a very hard and detailed look at your company. With the spread of Brazilian investigations around corruption, we can see that these scandals are not limited to only the energy or energy-related service industry. One of the first things you can begin to do is to review the list of third parties who might work with the Brazilian government or with Brazilian state-owned enterprises. You should begin by asking such questions as:

  • What is the ownership of the third party? Is there a business justification for the relationship?
  • Is there anyone in the company who is responsible for maintaining the relationship? Is there ongoing accountability?
  • How is the relationship being managed?
  • Are you engaging in any transaction monitoring?
  • Are you engaging in any relationship monitoring?
  • What is the estimated or budgeted size of the spend with the third party?

While the GlaxoSmithKline PLC (GSK) investigation has reverberated throughout China, I think that the Brazilian corruption scandals will be with us for some time. As bad as it seems about now, and it certainly appears bad, there are many lessons that the compliance practitioner can not only draw from but use for teaching moments within your company. For if you are doing business with the Brazilian government or with Brazilian state-owned enterprises it may not be “if you are subject to a FCPA sweep” but only “when”.


April 10, 2015

International Anti-Corruption Enforcement Efforts

While the US Foreign Corrupt Practices Act (FCPA) is still the most widely recognized and enforced anti-bribery and anti-corruption law across the globe, there have been a number of initiatives which will lead directly to greater anti-bribery and anti-corruption enforcement. This increased enforcement will lead to increased risks for companies that do not have anti-bribery and anti-corruption compliance programs in place. This post discusses the efforts of other countries to enact and enforce legislation to curb bribery and corruption across the globe.

China 

Over the past 18 months, GlaxoSmithKline PLC (GSK) was embroiled in a very public, very nasty bribery and corruption investigation. It culminated in the conviction of GSK and the assessment of a $491 million fine, criminal conviction of four senior GSK China subsidiary managers and the criminal convictions of two ancillary GSK-hired investigators. The entry of the Chinese government into the international fight against corruption and bribery is truly a game-changer. While there may be many reasons for this very public move by the Chinese government, it is clear that foreign companies are now on notice. Doing business the old fashioned way will no longer be tolerated. This means that international (read: western) companies operating in China have a fresh and important risk to consider; that being that they could well be subject to prosecution under domestic Chinese law.

The international component of this investigation may well increase anti-corruption enforcement across the globe. First of all, when other countries notorious for their endemic corruption, for example India, see that they can attack their domestic corruption by blaming it on international businesses operating in their country, what lesson do you think they will draw? Most probably that all politics are local and when the localities can blame the outsiders for their own problems they will do so. But when that blame is coupled with violations of local law, whether that is anti-bribery or anti-price fixing, there is a potent opportunity for prosecutions.

One of the audit failures of GSK was around well known compliance risks in China, including (1) event abuse planning; (2) mixture of legitimate and illegitimate travel; (3) other collusion with travel agencies; and (4) parallel itineraries. So those risks are well known and have been documented. While the cost of monitoring is high and would involve the tedious work of verifying millions of receipts by calling hotels, airlines and office supply stores and scrutinizing countless transactions for signs of fraud; if your compliance risks are known for a certain profile, then you should devote the necessary resources to making sure you are in compliance in that area.

Brazil 

While GSK was a harbinger of international anti-corruption investigations and enforcement actions based on domestic anti-bribery laws; Brazil and its state-owned energy company Petrobras may become the world’s largest corruption investigation. In a New York Times (NYT) article, entitled “Scandal Over Brazilian Oil Company Adds Turmoil to the Presidential Race”, the scandal was detailed by a former Petrobras official, Paulo Roberto Costa. Mr. Costa was the person who oversaw the company’s refining operations. He has admitted to having engaged in the receipt of bribes for at least a 10 year period “equivalent to 3 percent of the value of the deals from the Brazilian construction companies that obtained the contracts” to build refineries. This amounted to literally millions being “stashed in bank accounts in Switzerland and the Cayman Islands.” He “inflated budgets for new projects” by 3% and then had that amount kicked back to him as bribes. The allegations were verified “through an associate, Alberto Youssef, a black-market money dealer who testified that he helped launder funds in the scheme. Mr. Youssef, who has also accepted a plea deal, testified that more than a dozen of Brazil’s largest construction companies had paid hefty bribes to obtain lucrative Petrobras contracts.” Interestingly, Brazilian President Rousseff “has also effectively acknowledged the prevalence of corruption inside the executive suites of Petrobras, while denying that she had known about the kickbacks when they were taking place.”

The scandal has not only engulfed suppliers to Petrobras in Brazil. It has now moved to the international stage. From shipyards in Singapore, which have been alleged to have paid bribes to Petrobras, to Rolls Royce in Great Britain which has been alleged to have paid bribes for the sale of turbine engines; this scandal truly is international in scope and may engulf more companies going forward. In addition to violations of Brazilian law, the US government has reportedly opened an investigation, as Petrobras USA is a US stock-exchange issuing entity and subject to the FCPA. Indeed, in the US there are already multiple shareholder derivative lawsuits against the US entity for mis-representing its true value because of the corruption allegations against the company in Brazil.

The Petrobras scandal continues to make news almost daily and its repercussions continue to reverberate across the globe. The FCPA Blog, in an article entitled “Swiss AG freezes $400 million in Petrobras bribe probe”, stated that in Switzerland alone there are nine open investigations into alleged money laundering tied to Petrobras. In mid-March the Office of the Attorney General of Switzerland (OAG) announced that they had issued an order to freeze $400 million of assets allegedly tied to a Petrobras corruption scheme. The FCPA Blog further stated the OAG announced “The release of over $120 million reflects Switzerland’s clear intention to take a stand against the misuse of its financial center for criminal purposes and to return funds of criminal origin to their rightful owners.”

The domestic Brazilian Anti-Bribery Law, the Clean Company Act, enacted into law in 2014, is uniquely designed for oversight by internal audit. Compliance programs will be evaluated on three prongs: the structure of the program; specifics about the legal entity; and an evaluation of the program’s efficiency. The first prong will include consideration of the existence of mechanisms for reporting suspected or actual misconduct, training, code of conduct, policies and procedures, periodic risk assessments, and application of disciplinary measures against employees (including senior management too) involved in wrongdoing. Under the second prong, the compliance risks associated will be considered. Compliance programs should be tailored to the company’s risks; “one-size-fits-all” programs will not be accepted. The third prong will consist of a case-by-case verification, that it is not simply a paper program.

Finally, and no doubt spurred by the Petrobras corruption scandal, the FCPA Blog also reported, in another article entitled “After protests, Brazil president issues anti-graft regulations”, that Brazilian President Dilma Rousseff issued a presidential decree with regulations under the Clean Company Act. The new regulations address some of the crucial questions concerning the administrative procedure for imposing corporate liability and assessing fines. The decree also sets out the criteria for determining fines, evaluating compliance programs, and entering into leniency agreements. Finally, the decree also provides that books and records accuracy and completeness will be a key criterion for evaluating compliance programs, no doubt inspired by the FCPA accounting provisions. As the FCPA Blog said, “The regulations under the Clean Company Act are a critical milestone in the effort to restore credibility to Brazil’s federal government, in light of its past commitments to fighting corruption in the corporate world.”

Conclusion 

What does all of the above mean for a global company? It means that some law that prohibits bribery and corruption will cover your business. It will not and does not matter if you are a US, UK or Brazilian company doing business outside of your home country, somewhere a law prohibiting bribery and corruption will cover your actions. Even if you are not covered by the FCPA, the UK Bribery Act or the Clean Company Act, if you are doing business in a local country you can still be subject to prosecution under its domestic anti-bribery laws. This means that there will be greater enforcement going forward and greater cooperation between enforcement agencies.

For businesses the only response to this plethora of new laws is to implement and enhance a best practices anti-bribery/anti-corruption compliance program and there are several examples that companies can follow to do so. In the US, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) provided their suggestions with their Ten Hallmarks of an Effective Compliance Program; the UK Ministry of Justice (MOJ) has provided commentary on the Six Principles of an Adequate Procedures compliance program and the Organization of Economic Cooperation and Development (OECD) has put forth its Good Practice Guidance on Internal Controls, Ethics, and Compliance.

All of these anti-bribery/anti-corruption regimes set forth easily digested concepts that a company could implement. However, there must be more than simply a paper program in place. A company must actually do compliance for it to be effective. By making compliance a part of normal business practices, it will be possible to prevent, detect and then remediate any bribery or corruption issues that may arise.


April 9, 2015

Lee Surrenders and Hanson Wade’s Oil & Gas Supply Chain Compliance Conference

Today we celebrate one of the most momentous anniversaries in the history of the United States, for it was on this day in 1865, 150 years ago, that Confederate General Robert E. Lee surrendered his Army of Northern Virginia to Union Commanding General Ulysses S. Grant at Appomattox Courthouse, effectively ending the American Civil War. Fighting continued for several more weeks; however, with Lee’s surrender the Civil War had, for all intents and purposes, ended.

Lee and his troops were forced to abandon the Confederate capital of Richmond, they were blocked from joining the surviving Confederate force in North Carolina, and were harassed and outrun by Union cavalry, who took 6,000 prisoners at Sayler’s Creek. With desertions mounting daily the Confederates were surrounded with no possibility of escape. On April 9, Lee sent a message to Grant announcing his willingness to surrender and in the afternoon they met at the home of Wilmer McLean and agreed to the terms of surrender.

Although politicians would later change these terms quite dramatically, Grant is said to have told his officers, “The war is over. The Rebels are our countrymen again.”

Later this month, from April 28-30, Hanson Wade is putting on its annual conference in Houston. It is the “Oil and Gas Supply Chain Compliance” conference, now in its 5th year, and once again the list of speakers is simply stunning. It includes the following Chief Compliance Officers (CCOs) and senior compliance folks: Dan Chapman, Cameron; Brian Moffatt, Ethos Energy, Jay Martin, Baker Hughes; Marcel De Chermont, Acteon Group, Jan Farley, Dresser-Rand; John Sardar, Noble Energy and a host of other luminaries in the field of Foreign Corrupt Practices Act (FCPA) compliance. Even if you live outside of Houston, the FCPA compliance talent at this event will rival any other event in the US and for such an event not held in Washington DC or New York City, it is simply outstanding.

Some of the panels and topics for discussion include: Applying Culturally Sensitive Approaches To Deliver A Core Compliance Methodology For A Variety Of Countries And Risks; How to Meaningfully Engage Your Business Operations in Taking Greater Compliance Ownership; Avoid The Risk Of Cavalier Behaviour Across The Supply Chain In The Face Of A Challenging Economic Climate; How To Deliver Cost-Effective, Risk Based, Function Specific Compliance Training; several in-depth presentations on Supply Chain and Third Party due diligence. These are but some of the sessions and there are many other excellent panels, sessions and speakers which I have not mentioned.

Recently the Event’s Chairperson, Dan Chapman, Vice President, Chief Ethics and Compliance Officer for Cameron, talked about some of the issues that will be discussed in this year’s conference. Chapman said, “Supply chain is, in my mind, a critical part of compliance and creating awareness throughout the business as to when and where you should apply compliance principles is a key focus. For me the industry has evolved in recent years, and our organizations tend to now have strong legal teams who understand anti-bribery and corruption legislation. Not only this, they now have the ‘tone from the top’. Where I feel that work needs to be done is practically embedding compliance into operational processes, and becoming a true and valuable partner to the business. With the current state of the oil price, we’re likely set for reduced budgets and increased risk, which makes it more important now than ever to share stories, materials and solutions to effectively mitigate compliance risk while enabling business delivery.”

I will be speaking at the conference on internal controls but I am extremely pleased to be co-leading an in-depth workshop on the third day of the event, with Joe Oringel, guest blogger and Managing Director at VisualRisk IQ. In our workshop, you will learn how to implement a system of data-driven monitoring controls and documents to measure the effectiveness of your compliance program and get you through a Securities and Exchange Commission (SEC) investigation. During our 3 hour session we will go into the weeds on the following:

  • Understanding what internal controls are required under a best practices compliance program;
  • Recognizing what FCPA enforcement actions tell us about internal controls in an anti-corruption compliance program;
  • Getting to grips with what the SEC expects you to have in place;
  • Competently documenting the effectiveness of your internal controls;
  • Understanding best practices and a methodology for the use of data analytics in compliance and ethics organization;
  • Prioritizing business and compliance questions that can be answered with analysis of digital data; and
  • Identifying a learning plan and resources to enhance your team’s data analytics expertise

I hope that you can attend this most excellent FCPA conference with the two-day sessions on April 28 and 29 and the workshop day on April 30. Very few FCPA conferences focus on Supply Chain and the information that you will receive at this one will be first rate. Finally, Hanson Wade has allowed me to offer a 20% discount to readers of my blog. You can obtain it by entering the code TFLaw20 when you register online. For the conference brochure and full details regarding the agenda and registration, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 7, 2015

Rolling Stone’s Rape Story Retraction: Lessons for the Compliance Practitioner

There are only a very few magazine articles that have radically affected me when I read them. Nick Hornby’s account of a group of soccer hooligans, where he chronicled when they traveled to and briefly took over the Italian city of Turin in 1982; Jack McCallum who profiled Jerry Sandusky after he retired from Penn State University and began his full-time work at the Second Mile organization in 1999; and Sabrina Rubin Erdely’s piece in Rolling Stone last fall about an alleged gang rape and its aftermath on the University of Virginia (UVA) campus. But as much as the first two articles moved me, it was Erdely’s article that sickened me. As a father of a teenaged daughter about to head off to college, I certainly did not want her in any such place.

This weekend, Rolling Stone magazine retracted its story about the rape at UVA and released a full copy of the internal investigation of the story by the Columbia School of Journalism Dean Steve Coll that detailed Rolling Stone magazine’s reporting missteps and its failures to engage in the most basic of journalistic techniques before it published the story. The New York Times (NYT) had two articles on the story. An article by Jonathan Mahler, entitled “In Report on Rolling Stone, a Case Study in Failed Journalism”, noted that journalism scandals fall into three broad categories. The first “is pure fabrication, for which high-profile culprits include Jayson Blair (The New York Times), Stephen Glass (The New Republic) and, going back a little further, Janet Cooke (The Washington Post).” Next “is the act of plagiarism (culprits too numerous to list).” But the UVA piece fell into a third category, “lack of skepticism.”

In the second NYT article, entitled “Rolling Stone Article on Rape Failed All Basics, Report says”, reporter Ravi Somaiya wrote, “The Columbia report catalogued a series of errors at Rolling Stone, finding that the magazine could have avoided trouble with the article if certain basic ‘reporting pathways’ had been followed.” What was the central flaw in the way Rolling Stone handled the story? First, and foremost, it did not interview any of the three persons the victim named as those she told about the rape. Rolling Stone printed the victim’s tale without bothering to check with them. While it is not clear, apparently Rolling Stone did not even try to substantiate the underlying charge of rape by the victim in any manner other than interviewing her seven times.

Mahler noted, “On the most basic level, the writer of the Rolling Stone article, Sabrina Rubin Erdely, was seduced by an untrustworthy source. More specifically, as the report details, she was swept up by the preconceptions that she brought to the article. As much casting director as journalist, she was looking for a single character with an emblematic story that would speak to — in her words — the “pervasive culture of sexual harassment/rape culture” on college campuses.”

Coll, in an interview on NPR, said that there was a failure at Rolling Stone magazine up and down the line. There was a failure by the reporter’s editor and the Managing Editor for not insisting on the basic questioning of the holes in Erdely’s stories and failures to follow basic reporting protocols. Also, the Fact Checking group at the magazine did not insist strongly enough that its concerns be addressed or those concerns were rejected by the magazine’s management.

What I see is a failure of process. This failure led to repercussions immediately for the fraternity involved, which was falsely accused of having its members gang raping a co-ed and to the tarnishing of UVA. But there are also long-term repercussions for Rolling Stone magazine and the reporter involved, and even for the reporting and conversation around sexual assaults on college campuses. In his article Mahler cited Nicholas Lemann, professor at Columbia and the journalism school’s former dean, who “distributes a document called “The Journalistic Method” in his classes”. This process is similar to “investigating a scientific phenomenon. “It’s all about very rigorous hypothesis testing: What is my hypothesis and how would I disprove it? That’s what the journalist didn’t do in this case.””

For the compliance practitioner there are several clear lessons to be drawn from this horrific scandal. Most people have somewhere heard the journalistic technique of a second source to confirm information. It was enshrined in a scene from the movie version of All The President’s Men. In any process there must be validation of said process. You can easily remember this as ‘a second set of eyes’ on any process, compliance or other. It acts like a second source in that it validates the original information.

In the more formal world of internal controls, it is called ‘segregation of duties’. This technique requires a double check of any action by having a second set of eyes take a look at an issue. In business, the separation of a single task by sharing it among more than one individual is an internal control intended to prevent fraud and errors. In the IT world this is called redundancy. It is generally recognized there are several techniques that can help to enforce the segregation of duties. They include:

  • Audit trails recreate the actual transaction flow from the point of origination to its existence on an updated file.
  • Reconciliation of accounts and an independent verification process is ultimately the responsibility of users, which can be used to increase the level of confidence that an application ran successfully.
  • Exceptions are handled at supervisory level, backed up by evidence noting that exceptions are handled properly and in timely fashion.
  • Continuous controls monitoring should be maintained, which records all processed system commands or application transactions.
  • Supervisory review should be performed through observation and inquiry.
  • Independent reviews, which follow a prescribed procedure to detect errors and irregularities.

In addition to these segregation of duty lessons for the compliance practitioner, the Rolling Stone scandal provides one additional clear, concrete lesson. As Paul McNulty would say in No. 3 of his McNulty’s Maxims: “What did you do about it?” Unfortunately for Rolling Stone the answer to that query appears to be not much. Not only were none of those directly involved in the article even so much as disciplined, Rolling Stone sees no need to change anything in its reporting or editorial process based on the lessons laid out in the Coll Report.

In an article in the online publication Slate, entitled “Despite Damning Report, Rolling Stone Will Continue ‘To Do What We’ve Always Done.’ Are They Serious?”, reporter Hanna Rosin wrote, “Rolling Stone’s editors are “unanimous in the belief that the story’s failure does not require them to change their editorial systems.” Are they serious? Did they read the report?” She also reported that Rolling Stone, “ended by saying they don’t need new ways of doing things; they “just have to do what we’ve always done and just make sure we don’t make this mistake again.” And Coco McPherson, head of fact-checking, said, “I one hundred percent do not think that the policies that we have in place failed. I think decisions were made around those because of the subject matter.””

All I can hope is that companies subject to the Foreign Corrupt Practices Act (FCPA) do a better job of learning from the Rolling Stone fiasco than Rolling Stone appears to have done.


April 6, 2015

Tribute To Eddie LeBaron and CCO as Compliance Project Sponsor

Today we celebrate Eddie LeBaron, who died last week. LeBaron was a diminutive pro quarterback for 11 seasons in the National Football League (NFL) in the 1950s and 1960s. He was also a lawyer and decorated veteran, having been awarded the Bronze Star during the Korean Conflict. In his New York Times (NYT) obituary, Frank Litsky wrote “In a position where players are now routinely 6 feet 3 inches or taller, LeBaron was 5-foot-7, and his weight never reached 170 pounds. But he had no fear of scrambling.” LeBaron quarterbacked the Dallas Cowboys from 1960 to 1963, before handing the reins of Coach Tom Landry’s offense over to Don Meredith with his retirement. After his retirement he worked as a color analyst for CBS Sports, who covered the NFL in those days. One of the things that I remember from his commentary work was the need for planning in any game plan. It was one of the first things I recall learning about pro football.

One of the skills you may be called upon to use as a Chief Compliance Officer (CCO) or compliance practitioner is the initiation, integration or enhancement of a Foreign Corrupt Practices Act (FCPA) compliance solution into an organization. Most assuredly, one of the things that is not taught in law school or in any compliance course is project management. As CCO, you may either lead such a project on a day-to-day basis or you may take the role of project sponsor, while delegating the day-to-day running of the project to a compliance practitioner in your group.

I thought about this issue when reading a recent article in the MIT Sloan Management Review, entitled “How Executive Sponsors Influence Project Success”, by Timothy J. Kloppenborg and Debbie Tesch. In their article they note, “The role of a project sponsor is often overlooked. But for every stage of a project, there are key executive sponsor behaviors that can make the difference between success and failure.” I found their article has some excellent tips for the CCO or compliance practitioner who may be facing such a task. The authors break the project life cycle stage into four stages: (1) Initiating Stage; (2) Planning Stage; (3) Executing Stage; and (4) Closing Stage.

I.   Initiating Stage

In this stage there are three key activities that a sponsor should pursue. First, the sponsor needs to set the performance standards. This “can be accomplished in the project charter by stating goals about the project’s strategic value and how it will be measured.” But beyond the written details there must be a “clear understanding of expectations about performance” of which dialogue is critical. Second, the project sponsor must mentor the project manager, whose key responsibility is to explain, “how the project fits into the big picture, defining the performance standards and helping the project manager set priorities.” Finally, the project manager must establish the project priorities, with the “most compelling” questions being “what needs to happen first and how should conflicts be settled?”

II.  Planning Stage

In the Planning Stage the authors believe that there are two critical project sponsor behaviors. The first is to “ensure planning” activities are completed by providing “leadership so that the project manager and team can set goals that align with the vision and broader organizational goals.” The second is to “develop productive relationships with stakeholders”. This means frequent meetings and communications. Interestingly, the project sponsor should not only see that “needs are identified and understood” but also make “sure that stakeholders’ emotional concerns are given adequate consideration.” Admittedly this is not something lawyers do particularly well but it is mandatory for the CCO or compliance professional.

III.  Executing Stage

In the Executing Stage the authors identify three elements. First, the project sponsor must “ensure adequate and effective communication.” This means that regular communications must occur as the project progresses “to make sure that expectations are met.” However, this may require the project sponsor to “stand ready to manage the organizational politics with internal and external stakeholders.” Second, a project sponsor must work to help “maintain relationships with stakeholders.” This element helps facilitate the project manager and project team communications noted in the first element. Here the project sponsor should be “open to direct feedback from team members” to ensure that expectations are met. Finally, the project sponsor should work to “ensure quality” by practicing “appropriate decision-making methods and work to resolve issues fairly.”

IV.  Closing Stage

Finally, in the Closing Stage the authors write that there are two elements that project sponsors should emphasize. The first is to “identify and capture lessons learned.” They should be properly “categorized, stored and distributed in such a manner that future project teams will be able to understand and capitalize on”. The second element is to “ensure that capabilities and benefits are realized.” Capabilities, the authors suggest, “could include employees becoming more committed and more capable” and, further, processes that are “more effective and efficient.” Benefits relate to “verifying that the deliverables that were specified at the beginning were actually provided, work correctly and satisfy customer needs.”

To the extent they know much about project management, most CCOs or compliance practitioners are aware of the “iron triangle” of factors to determine a project’s success. The authors define these as “cost, schedule and performance.” But the authors’ research has led them to conclude that for a project to be a success it must meet an organization’s expectations. The next evaluative point is did the project come in on time, within budget and to the project’s specifications? Finally, did the project succeed in bringing its touted positive benefits to the organization?

By using the steps the authors have outlined, a CCO can think through the organization and ongoing performance of a project to set it up for success. Equally importantly for the CCO, if the project management has been delegated to compliance team members or to other disciplines inside your organization, such as legal, internal audit, IT or human resources, the continued involvement of a CCO as the project sponsor can be a key component. The authors posit, “for every project stage, there are success factors that project sponsors should consider” and that a CCO must engage in an ongoing and continual dialogue with the project manager. Finally, key lessons learned should be captured and used down the road to help facilitate other projects or issues as applicable.


April 3, 2015

Why Tone at the Top Matters and Join the FCPA Professor in Houston

Over this week I have looked at some issues related to compensation and methods from other disciplines that a compliance practitioner might use to test and then improve a company’s third party management regime. Today, I want to go back to the starting point for any compliance program; that is the Tone at the Top. I was reminded of the absolute necessity of having a management committed not only to following the law but also to the actual doing of compliance when I read about the guilty verdicts in the Atlanta schools cheating scandal.

In an article in the New York Times (NYT), entitled “Atlanta Educators Are Convicted of Racketeering”, reporter Alan Blinder detailed the guilty verdicts handed down in an Atlanta state Superior Court this week where 11 of 12 defendants were convicted in a lengthy trial. Blinder wrote, “On their eighth day of deliberations, the jurors convicted 11 of the 12 defendants of racketeering, a felony that carries up to 20 years in prison. Many of the defendants — a mixture of Atlanta public school teachers, testing coordinators and administrators — were also convicted of other charges, such as making false statements, that could add years to their sentences.” Most stunningly, the trial judge “ordered most of the educators jailed immediately, and they were led from the courtroom in handcuffs.”

The school district’s top administrator Dr. Beverly Hall, channeling her inner Ken Lay, had the temerity to pass away during the trial so there was no finding as to her conduct. Unrepentant to the end, she said “she had done nothing wrong and that her approach to education, which emphasized data, was not to blame.” When interviewed back in 2011, Dr. Hall had said, “I can’t accept that there’s a culture of cheating. What these 178 are accused of is horrific, but we have over 3,000 teachers.”

Think about those two statements for a moment. They mimic the same tired excuses used by apologizers in the anti-corruption world. First, it was only a small subset of those involved who actually broke the law. In other words, the oldie but goodie rogue employee(s) defense. It did have the notable exception that there were 178 roguies out there lying and cheating. But more than the rogue employee defense, she emphasized that she obtained results: the scores on the State of Georgia’s standardized tests for public schools improved dramatically under her watch. In the Foreign Corrupt Practices Act (FCPA) anti-corruption world that is the same as the “we had to do it to compete” argument. It is equally as inane as the rogue employee defense.

Moreover, a State of Georgia investigation “completed in 2011, led to findings that were startling and unsparing: Investigators concluded that cheating had occurred in at least 44 schools and that the district had been troubled by “organized and systemic misconduct.” Nearly 180 employees, including 38 principals, were accused of wrongdoing as part of an effort to inflate test scores and misrepresent the achievement of Atlanta’s students and schools. Investigators wrote in the report that Dr. Hall and her aides had “created a culture of fear, intimidation and retaliation” that had permitted “cheating — at all levels — to go unchecked for years.” How is that for tone from the very top?

I bring you another example from a company I once worked at whose management locked themselves behind bolted doors on a floor in the building not accessible by any employees. And just in case someone did make it onto this executive floor, there was an armed police presence as a last ditch security measure. The locked-down top floor came after the following security measures were already in place: (1) you had to badge in to get into the parking garage, (2) building access was by card entry, (3) elevator access was by card entry, and (4) floor access was by card entry.

Why would senior executives barricade themselves behind such massive physical protection? Did they do this because crazed competitors were sending in assassins, because the company was so profitable and hence unassailable as a competitor? How about something more nefarious such as international hit squads roaming through international businesses in Houston, picking off key executives? Alas the explanation was not anything so exotic. With all of these security measures in place the reason was to keep mere mortal employees away from senior management. What type of message does that send to employees? Much like the one I had growing up, speak only when spoken to.

The point of all this is that tone does matter. Senior management must be committed and communicate its commitment to not only obeying laws but also complying with laws. In the FCPA world, that means you must have a compliance program in place that meets the Ten Hallmarks of an Effective Compliance Program as set out in the FCPA Guidance.

On a completely different note as a compliance practitioner, if you want to have a shot at some serious professional growth and you are in the Houston area, somewhere else in Texas or anywhere else in the South, I suggest you consider attending the FCPA Professor’s FCPA Institute, which will be held in Houston on Monday, May 4 and Tuesday, May 5. The Professor’s goal in leading this first Texas FCPA Institute is “to develop and enhance fundamental skills relevant to the FCPA and FCPA compliance in a stimulating and professional environment with a focus on learning. Information at the FCPA Institute is presented in an integrated and cohesive way by an expert instructor with FCPA practice and teaching experience.” Some of the topics, which will be covered, include the following:

  • An informed understanding of why the FCPA became a law and what it seeks to accomplish;
  • A comprehensive understanding of the FCPA’s anti-bribery and books and records and internal controls provisions and related enforcement theories;
  • Various realities of the global marketplace which often give rise to FCPA scrutiny;
  • The typical origins of FCPA enforcement actions including the prominence of corporate voluntary disclosures;
  • The “three buckets” of FCPA financial exposure and how settlement amounts in an actual FCPA enforcement action are typically not the most expensive aspect of FCPA scrutiny and enforcement;
  • Facts and figures relevant to corporate and individual FCPA enforcement actions including how corporate settlement amounts are calculated;
  • How FCPA scrutiny and enforcement can result in related foreign law enforcement investigations as well as other negative business effects from market capitalization issues, to merger and acquisition activity, to FCPA related civil suits; and
  • Practical and provocative reasons for the general increase in FCPA enforcement.

In other words, it is what you have come to expect from the FCPA Professor: well-thought-out, reasoned analysis, practical knowledge and learning, and provocative thinking and assessment. But this is also your chance to attend a two-day Institute with one of the most original thinkers in the FCPA space. The FCPA Institute will provide insights into the topics more near and dear to my heart as a ‘nuts and bolts guy’. In addition to the above substantive knowledge, FCPA Institute participants will gain in-demand, practical skills to best manage and minimize FCPA risk by:

  • Practicing FCPA issue-spotting through video exercises;
  • Conducting a FCPA risk assessment;
  • Learning FCPA compliance best practices, including as to third parties;
  • Learning how to effectively communicate FCPA compliance expectations; and
  • Grading a FCPA code of conduct.

In addition, attorneys who complete the FCPA Institute may be eligible to receive those all-important Continuing Legal Education (CLE) credits. The sponsors, King & Spalding, will be seeking CLE credit in CA, GA, NY, TX and if needed in NC and VA. Actual CLE credit will be determined at the end of the program based on actual program time. Attorneys may be eligible to receive CLE credit through reciprocity or attorney self-submission in other states as well.

I hope that you can join the FCPA Professor for this FCPA Institute. I have previously said, “if the FCPA Professor writes about it you need to read it. While you may disagree with him, your FCPA perspective and experience will be enriched by the exercise.” I would now add to this statement that if the FCPA Professor puts on his FCPA Institute you should attend. Not only will you garner a better understanding of the theoretical underpinnings of the law and the plain words of its text; you will also be able to articulate many of the issues which befall companies caught up in a FCPA investigation to your senior management in a way that will help them understand the need for a robust compliance program.

To register for the FCPA Institute, or for more information, click here.


April 2, 2015

Managing Your Third Parties in a FCPA Compliance Program

The building blocks of any Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program lay the foundations for a best practices compliance program. For instance in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of actually doing compliance.

In the March/April issue of Supply Chain Management Review is an article by Mark Trowbridge, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, that provides some useful insights into the management of the third party relationship. While the focus of the article was about having a “strategic approach to contracts management” I found the author’s “five ways to start professionalizing your approach to outsourcing contracts” as steps a compliance practitioner can use in the management of third party relationships, both on the sales side and those which come into your company through the Supply Chain.

By taking his analysis into the compliance realm, I believe there are concrete steps you can take going forward. The key is to have a strategic approach to how you structure and manage your third party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to “control risk while optimizing the performance” of your third parties. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties.

I. Consolidate Third Parties but Retain Redundancy

Consolidation of your third party relationships on the Supply Chain side to a smaller number of suppliers will “yield better cost leverage.” From the compliance perspective it also should make the entire third party lifecycle easier to manage, particularly steps 1-4. However, a company must not “over-consolidate” by going down to a single source supplier. Trowbridge advocates a diversified supplier base, with a technique he calls “dual-sourcing”. From the compliance perspective, you may want to have a primary and secondary third party that you work with in a service line or geographic area to retain this redundancy.

II. Keep Tabs on Subcontracted Work

This is one area that requires an appropriate level of management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

III. When Disaster Strikes, Make Sure Your Company is Legally Protected Too

This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws but if you do not have the clause, you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) during the pendency of a FCPA investigation. Finally, you need a clause that requires your third party to cooperate in any FCPA investigation. This means cooperation with you and your designated investigation team but it may also mean cooperation with US governmental authorities as well.

You also need the ability to move between third parties if the need arises. This is the redundancy issue raised above. You do not want to be stuck with no approved freight forwarders or other transporters in a certain geographic area. If a compliance related matter occurs, you may well need certain contractual rights to move your work and to require your prime third party to cooperate with the transition to your secondary third party.

IV. Keep Track of Your Third Parties’ Financial Stability

This is one area that is not usually discussed in the compliance arena around third parties but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward Red Flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can do this by a simple requirement that your third party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished.

Trowbridge says, “Automated financial tracking tools can also be used to keep track of material changes in a supplier’s financial stability.” You should also use your in-house relationship manager to regularly visit key third party relationships so an on-the-ground assessment can be a part of an ongoing conversation between your company and your third parties.

V. Formalize Incentives for Third Party Performance

One of the key elements for any third party contract under the FCPA or UK Bribery Act is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance with the FCPA or other anti-corruption compliance regime.

Additionally, as Trowbridge notes, “The fact is, linking contractual compensation to performance does make a significant difference in supplier performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked.” This would seem to be low-hanging fruit for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs.

While Trowbridge’s article focused on the suppliers, I found his ideas easily transferable to the compliance field. Near the end of the article Trowbridge suggested ranking suppliers based upon a variety of factors including performance, length of relationship, benchmarking metrics and KPIs. This is a way for the compliance practitioner to have an ongoing risk ranking for third parties that can work as a preventative and even proscription prong of a compliance program and allow the delivery of compliance resources to those third parties that might need or even warrant them.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 1, 2015

Supply Chain as a Source of Compliance Innovation

On this day we celebrate the greatest upset in the history of the NCAA Basketball Tournament, when Villanova beat Georgetown for the 1985 national championship. Georgetown was the defending national champion and had beaten Villanova at each of their regular season meetings. In the final the Wildcats shot an amazing 79% from the field, hitting 22 of 28 shots plus 22 of 27 free throws. Wildcats forward Dwayne McClain, the leading scorer, had 17 points and 3 assists. The Wildcats’ 6’ 9” center Ed Pinckney outscored 7’ Hoyas’ center, Patrick Ewing, 16 points to 14 and 6 rebounds to 5 and was named MVP of the Final Four. It was one of the greatest basketball games I have ever seen and certainly one for the ages.

I thought about this game when I read an article in the most recent issue of Supply Chain Management Review by Jennifer Blackhurst, Pam Manhart and Emily Kohnke, entitled “The Five Key Components for SUPPLY CHAIN”. In their article the authors asked “what does it take to create meaningful innovation across supply chain partners?” Their findings were “Our researchers identify five components that are common to the most successful supply chain innovation partnerships.” The reason innovation in the Supply Chain is so important is that it is an area where companies can not only affect costs but can move to gain a competitive advantage. To do so companies need to see their Supply Chain third parties as partners and not simply as entities to be squeezed for cost savings. By doing so, companies can use the Supply Chain in “not only new product development but also [in] process improvements”.

I found their article resonated for the compliance professional as well. It is almost universally recognized that third parties are your highest Foreign Corrupt Practices Act (FCPA) risk. What if you could turn your Supply Chain from being considered a liability under the FCPA to an area that brings innovation to your compliance program? This is an area that not many compliance professionals have mined so I think the article is a useful starting point. The authors set out five keys to successful innovation spanning Supply Chain partners. They are: “(1) Don’t Settle for the Status Quo; (2) Hit the Road in Order to Hit Your Metrics; (3) Send Prospectors Not Auditors; (4) Show Me Yours and I’ll Show You Mine; and (5) Who’s Running the Show?”

Don’t Settle for the Status Quo

This means that you should not settle for simply the status quo. Innovation does not always come from a customer or even an in-house compliance practitioner. Here the key characteristics were noted to be “cooperative, proactive and incremental”. The authors emphasize that “you need to be leading the innovation change rather than catching up from behind.” If a company in your Supply Chain can suggest a better method to do compliance, particularly through a technological solution, it may be something you should well consider.

Hit the Road in Order to Hit Your Metrics

To truly understand your compliance risk from all third parties, including those in the Supply Chain, you have to get out of the ivory tower and on the road. This is even truer when exploring innovation. You do not have to hit the road with the “primary goal to be the inception point for innovation” but through such interactions, innovation can come about “organically”. There is little downside for a compliance practitioner to go and visit a Supply Chain partner and have a “face-to-face meeting simply to get to know the partner better and more precisely identify that partner’s needs.”

Send Prospectors Not Auditors

While an audit clause is critical in any Supply Chain contract, both from a commercial and FCPA perspective, the authors believe that “Too often firms use supply chain managers as auditors when they are dealing with supply chain partners.” The authors call these types of managers “innovation partners.” Every third party should have a relationship manager, whether that third party is on the sales side or the Supply Chain side of the business. Moreover, the innovation partners are “able to see synergies where [business] partners can work together for the benefit of everyone involved.”

Show Me Yours and I’ll Show You Mine

Here the authors note, “Trust plays an extremely important role in supply chain innovation. Firms in successful innovations discussed a willingness to share resources and rewards and to develop their partners’ capabilities.” The authors believe that “Through the process of developing trust, firms understand their partner’s strategic goals.” I cannot think of a more applicable statement about FCPA compliance. Another way to consider this issue is that if your Supply Chain partner has trust in you and your compliance program, they could be more willing to work with you on the prevent and detect prongs of compliance regimes. Top down command structures may well be counter-productive.

Who’s Running the Show?

I found this point particularly interesting as for the authors, this prong means “who is doing what, but also what each firm is bringing to the relationship in terms of resources and capabilities.” In the compliance regime it could well lead to your Supply Chain partner taking a greater role in managing compliance in a specific arena or down a certain set of vendors. Your local Supply Chain partner might be stronger in the local culture, which could allow it to lead to collaborations by other vendors in localized anti-corruption networks or roundtables to help move the ball forward for doing business in compliance with the FCPA or other anti-corruption laws such as the UK Bribery Act.

The authors ended by remarking, “we noticed that leveraging lean and process improvement was mentioned by virtually every firm.” This is true in the area of process improvement, which is the essential nature of FCPA compliance. Another interesting insight from the authors was that utilization can increase through such innovation in the Supply Chain. Now imagine if you could increase your compliance process performance by considering innovations from your Supply Chain third parties? The authors conclude by stating that such innovation could lead to three “interesting outcomes 1) The trust and culture alignment is strengthened through the partnership innovation process leading to future innovations and improvement; 2) firms see what is needed in terms of characteristics in a partner firm so that they can propagate the success of prior innovations to additional partners; 3) by engaging supply chain partners as innovation partners, both sides reap rewards in a low cost, low risk, highly achievable manner.” With some innovation Villanova coach Rollie Massimino led his team over the prohibitive favorite Georgetown, and you may be able to tap into a resource immediately available at your fingertips, your Supply Chain.


March 31, 2015

Do Your Executives Have (Compensation) Skin in the Game?

This year marks the 150th anniversary of the ascent of the most famous mountain in Europe, the Matterhorn. On Bastille Day, in 1865, four British climbers and three guides were the first climbers to reach the summit. In an article in the Financial Times (FT), entitled “In Whymper’s steps”, Edward Douglas wrote, “It was a defining moment in the history of mountaineering, arguably as pivotal as the first ascent of Everest. Before this calamity climbing was a quirky minority pastime and Zermatt an indigent and obscure village. All that changed on July 14, 1865. As locals cheerfully acknowledge, the Matterhorn disaster enthralled the public around the world and sparked an unprecedented tourist boom.”

The disaster had befallen the climbing team on its descent after having scaled the summit. The team was led by Edward Whymper. As they were coming back down, they were all tied together with rope. When one of the team slipped, he knocked over his guide and “their weight on the rope pulled off the next man…and a fourth climber as well.” Only expedition leader Whymper and two Swiss guides, a father and son duo from Zermatt, survived the disaster when “they dug in and the rope tightened – then snapped – leaving them to watch in horror as the bodies of their companions cartwheeled thousands of feet down the mountain.” The depiction of the disaster by the French artist Gustave Doré captures for me the full horror of the tragedy.

Yesterday I wrote about the role of compensation in your best practices compliance program. Today I want to focus on the same issue but looking at senior management and compensation. I thought about this inter-connectedness of compensation in a compliance program, focusing up the corporate ladder, when I read a recent article in the New York Times (NYT) by Gretchen Morgenson, in her Fair Game column, entitled “Ways to Put the Boss’s Skin In the Game”. Her piece dealt with a long-standing question: how to make senior executives more responsible for corporate malfeasance. Her article had some direct application to anti-corruption compliance programs such as those based on the US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Morgenson said the issue was “Whenever a big corporation settles an enforcement matter with prosecutors, penalties levied in the case – and they can be enormous – are usually paid by the company’s shareholders. Yet the people who actually did the deeds or oversaw the operations rarely so much as open their wallets.”

She went on to explain that it is an economic phenomenon called “perverse incentive” which is one where “corporate executives are encouraged to take outsized risks because they can earn princely amounts from their actions. At the same time, they know that they rarely have to pay any fines or face other costly consequences from their actions.” To help remedy this situation, the idea has come to the fore about senior managers putting some ‘skin in the game’. Her article discussed three different sources for this initiative.

The first is a current proxy proposal in front of Citigroup shareholders which “would require that top executives at the company contribute a substantial portion of their compensation each year to a pool of money that would be available to pay penalties if legal violations were uncovered at the bank.” Further, “To ensure that the money would be available for a long enough period – investigations into wrongdoing take years to develop – the proposal would require that the executives keep their pay in the pool for 10 years.”

The second came from William Dudley, the President of the Federal Reserve Bank of New York, who made a similar suggestion in a speech last fall. His prescription involved a performance bond for the actions of bank executives. Morgenson quoted Dudley from his speech, “In the case of a large fine, the senior management and material risk takers would forfeit their performance bond. Not only would this deferred debt compensation discipline individual behavior and decision-making, but it would provide strong incentives for individuals to flag issues when problems develop.”

Morgenson reported on a third approach which was delineated in an article in the Michigan State Journal of Business and Securities Law by Greg Zipes, “a trial lawyer for the Office of the United States Trustee, the nation’s watchdog over the bankruptcy system, who also teaches at the New York University School for Professional Studies.” The article is entitled, “Ties that Bind: Codes of Conduct That Require Automatic Reductions to the Pay of Directors, Officers and Their Advisors for Failures of Corporate Governance”. Zipes’ proposal is to create a “contract to be signed by a company’s top executives that could be enforced after a significant corporate governance failure. Executives would agree to pay back 25 percent of their gross compensation for the three years before the beginning of improprieties. The agreement would be in effect whether or not the executives knew about the misdeeds inside their company.”

As you might guess, corporate leaders are somewhat less than thrilled at the prospect of being held accountable. Zipes was cited for the following, “Corporate executives are unlikely to sign such codes of conduct of their own volition.” Indeed Citibank went so far as to petition the Securities and Exchange Commission (SEC) “for permission to exclude the policy from its 2015 shareholder proxy.” But the SEC declined to do so, and at least Citibank shareholders will have the chance to vote on the proposal.

In the FCPA compliance context, these types of proposals seem to me to be exactly the type of response that a company or its Board of Directors should want to put in place. Moreover, they all have the benefit of a business solution to a legal problem. In an interview for her piece, Morgenson quoted Zipes as noting, “This idea doesn’t require regulation and it doesn’t require new laws. Executives can sign the binding code of conduct or not, but the idea is that the marketplace would reward those who do.” For those who might argue that senior executives cannot or should not be responsible for the nefarious actions of others, they readily take credit for “positive corporate activities in which they had little role or knew nothing about.” Moreover, under Sarbanes-Oxley (SOX), corporate executives must make certain certifications about financial statements and reporting, so there are currently some obligations along these lines.

Finally, perhaps shareholders will simply become tired of senior executives claiming they could not know what was happening in their businesses; have their fill of hearing about some rogue employee(s) who went off the rails by engaging in bribery and corruption to obtain or retain business; and not accept that leaders should not be held responsible.
