FCPA Compliance and Ethics Blog

January 27, 2014

The Abbey Grange, the Quality of Justice and Codes of Conduct

In honor of the return of Sherlock Holmes to PBS with Season 3, I begin a week of Sherlockian themed posts. Today we consider the quality of justice that Holmes discussed in The Abbey Grange, where he allowed a man who murdered a wife-abusing husband to go free. Holmes’ concern with justice, as opposed to simply following the letter of the law, is an excellent introduction to the subject of Codes of Conduct.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven, something to “wave in a defense situation” by claiming “see, we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in a recent article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct not simply as a static piece of paper or document but “as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is that it connects a business’ objectives with its risk and compliance management. There are numerous factors which can move a company towards such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

A GRC Illustrated series provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such, you will need to create a marketing campaign to get the message of your Code of Conduct out not only to your employee base but also to relevant third parties, such as suppliers and agents. If you have a large number of non-English speaking personnel or employees without access to online training, these factors need to be considered when determining the delivery method.

Measure

Initially, you should prioritize qualitative results and positive feedback by including such metrics as speed of completion, the number of reminders which must be sent to facilitate completion of Code of Conduct training, and the percentage of employees and third parties who attest to having reviewed your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further, because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep both the design and the content of your Code of Conduct fresh. One of the ways to do so is through employee feedback, which can help you identify whether your Code of Conduct is not only effective, but truly reflective of your company’s culture. Lin pointed out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. Some of these techniques he described as follows: “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the ‘real’ story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said that “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

Switzer ends her piece by relating that there is a huge benefit to a company from a well thought out Code of Conduct, as a tool to drive corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct that can be measured for effectiveness, you can continuously keep the goals moving forward and, as Holmes did in The Abbey Grange, further your cause beyond the simple letter of the law.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

November 20, 2013

Plato, Aristotle and Codes of Conduct

It was once observed that all western philosophy is but a mere footnote to the works of Plato. However, others believe that his student Aristotle merits equal standing. I recently read a review of the new book by Arthur Herman, “The Cave and the Light”, in the Wall Street Journal (WSJ) by reviewer Roger Kimball. In his review, Kimball said that the book seeks to “explain the metabolism of history with a single master idea: the perpetual struggle or ‘creative tension’ between the ideas of Plato – which he says emphasize the idea at the expense of the actual – and those of Aristotle, whose philosophy remains rooted in experience and everyday life.”

I thought about this dichotomy when I recently came across the Words of Wisdom (WOWLW) blog, which is penned by the Capital Markets Group of the law firm of Latham & Watkins. As stated in the FCPA Guidance, “A company’s code of conduct is often the foundation upon which an effective compliance program is built.” As the Department of Justice (DOJ) has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. The WOWLW blog took a different tack and reviewed the requirements of the Securities and Exchange Commission (SEC) regulations for a Code of Conduct.

Under SEC regulations, it is a requirement under Form 10-K, Reg S-K Item 406, that a company must disclose whether it has adopted a Code of Ethics that applies to the company’s principal executive officer, principal financial officer, principal accounting officer, controller or persons performing similar functions. If the company has not adopted such a Code of Ethics, it must explain why not in writing. As WOWLW noted, “Unsurprisingly, almost all public companies have adopted a code of ethics within the meaning of the SEC regulations.”

The article details the required content to be found in a Code of Conduct. It said that “Item 406(b) defines a ‘code of ethics’ to mean written standards reasonably designed to deter wrongdoing and promote:

  • honest and ethical conduct (including matters regarding “actual or apparent conflicts of interest between personal and professional relationships”);
  • full, fair, accurate, timely and understandable public disclosure;
  • compliance with applicable laws and regulations;
  • prompt internal reporting of violations; and
  • accountability for adherence to the code.”

This requirement also “specifically contemplates that companies may bifurcate their codes of ethics for this purpose:

  • a company “may have separate codes of ethics for different types of officers”; and
  • a code of ethics “may be a portion of a broader document that addresses additional topics or that applies to more persons” other than the officers required to be covered.”

The article noted that a compliant company is able to disclose its codes of conduct in one of three ways, which they stated are as follows:

  • file the code as an exhibit to the Form 10-K;
  • post the code on the company’s website (disclosing that fact and the web address in the Form 10-K); or
  • expressly undertake in the Form 10-K to provide a free copy upon request and explain how to make a request.

Moreover, businesses which have bifurcated their codes of ethics as described above are only required to “file, post or provide the portions of a broader document that constitutes a code of ethics” and that are made applicable to covered officers.

The SEC also requires certain disclosures of amendments and waivers to codes of conduct. Specifically, “Item 5.05 of Form 8-K requires companies to disclose within 4 business days any amendment or waiver of the Item 406 code of ethics, either:

  • via Form 8-K filing; or
  • on the company’s website, so long as the company previously stated in its most recently filed Form 10-K both the company’s intention to disclose any amendment on its website and the website address (in this scenario, the information must remain posted to the website for at least 12 months, and the company must retain the information for another 5 years).”

This requirement for disclosure does not reach “technical, administrative or other non-substantive amendments. In addition, companies must disclose amendments to or waivers of their codes of ethics only if specifically required by Item 406(b) (i.e., as one of the five subjects listed above) and applicable to the covered officers” in the company.

Interestingly, if there is an implicit waiver of a company’s Code of Conduct, it must also be reported. A waiver of a Code of Conduct is defined “as the approval by the company of a material departure from a provision of the code of ethics. This also includes “implicit waivers,” defined under Instruction 2(ii) of Item 5.05 as a failure to act within a reasonable time after an executive officer knows of a material departure from the code of ethics. Implicit waivers, as with express waivers and amendments, require disclosure only if related to the covered officers and the provisions specifically referenced in Item 406(b). Companies may also disclose implicit waivers via website if they satisfy the requirements described above. Of course, codes of ethics sometimes describe situations where board approval is specifically contemplated, and an approval process in accordance with the provisions of the code would not constitute a “departure” that would implicate a waiver.”

In addition to the SEC disclosure requirements, both NASDAQ and NYSE listing rules require listed companies to have a code of conduct whose scope is broader than the code of ethics required for the purposes of SEC reporting.

Kimball’s review of The Cave and the Light points out the ongoing tension between Plato’s spirituality and Aristotle’s pragmatism. I think the dichotomy between the FCPA Guidance and the SEC regulations, as set out by WOWLW, points to a more unified thesis. Kimball ends his piece by noting that Aristotle’s sentiments are around the future and not the past. But he adds that in Plato’s allegory of the cave, those who leave the cave must return. The same may be said for the Code of Conduct which the Latham & Watkins Capital Markets Group has discussed.


© Thomas R. Fox, 2013

September 25, 2013

Getting Your Employees to Internally Market Your Compliance Program

It has often struck me that one of the things the compliance function must do is to internally market its role in a company. By this I do not mean the internal competition for funding that occurs annually, although that is certainly something which the compliance function must also go through. The internal marketing function of compliance is to get employees not only to understand the message of compliance but, even more so, to think about and use compliance in their day-to-day operations. I recently heard a podcast on social media marketing which had some concepts I thought applicable to the compliance function and its internal marketing role within a company.

The podcast is on the Social Media Examiner site, which brands itself as “Your Guide to the Social Media Jungle.” The podcast, entitled “Social Sharing: How to Inspire Fans to Share Your Stories” is hosted by Michael Stelzner, Chief Executive Officer (CEO) and Founder of the site. Stelzner interviews Simon Mainwaring, author of We First: How Brands and Consumers Use Social Media to Build a Better World. Mainwaring is a consultant who has worked with brands like Nike and Motorola and is hosting the upcoming “We First Social Branding Seminar” in West Hollywood in a few days.

The focus of the podcast was on the use of social media by your employees and customer base to increase market share. However, Mainwaring said something that struck me as key to building a successful compliance program. He was discussing your employee base as one of your key marketing resources, because they are your first and best line of advertising. He said that to allow them to market successfully there are three key components: (1) let your employees know what you stand for; (2) celebrate their efforts; and (3) give them a tool kit of different ways to participate. I think each of these concepts can play a key role for the compliance practitioner in internally marketing their compliance program.

I. Let Your Employees Know What You Stand For

In the FCPA Guidance, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) said that the basis of any anti-corruption compliance program is the Code of Conduct, as it is “often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” That well known @CodeMavencc, Catherine Choe, has said that she believes “Two of the primary goals of any Code are first, to document and clarify minimum expectations of acceptable behavior at a company, and second, to encourage employees to speak up when they have questions or witness misconduct.”

But beyond the Code of Conduct, does your company really communicate that it stands for compliance? Obviously formal anti-corruption training under the Foreign Corrupt Practices Act (FCPA) is important, but I think that more is required to reinforce that your company has a culture of compliance throughout the organization. In other words, are you communicating what you stand for, and not simply the rules and regulations of a compliance program?

II. Celebrate Their Efforts

Once again the FCPA Guidance speaks to the need to incentivize employees in the compliance realm. The Guidance states, “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern.” But more than simply offering incentives, it is important to “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well.”

Mainwaring’s concept means going beyond incentivizing. To me his word ‘celebration’ means a more public display of success. Financial rewards may be given in private, such as a portion of an employee’s discretionary bonus credited to doing business ethically and in compliance with the FCPA. It is certainly true that those employees who are promoted for doing business ethically and in compliance are very visible, public displays of an effective compliance program. I think that a company can take this concept even further through a celebration to help create, foster and acknowledge the culture of compliance in its day-to-day operations. Bobby Butler, Chief Compliance Officer (CCO) at Universal Weather and Aviation, Inc., has spoken about how his company celebrated compliance through the event of Compliance Week. He said that he and his team attended this event and used it as a springboard to internally publicize their compliance program. Their efforts included three separate prongs: hosting inter-company events to highlight the company’s compliance program; providing employees with a brochure highlighting the company’s compliance philosophy; and circulating a booklet which provided information on the company’s compliance hotline and Compliance Department personnel.

III. Give Your Employees a Tool Kit For Compliance

Obviously a key component of any effective compliance program is an internal reporting mechanism. The FCPA Guidance states that “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” The Guidance goes on to also discuss the use of an ombudsman to address employee concerns about compliance and ethics. I do not think that many companies have fully explored the use of an ombudsman, but it is certainly one way to help employees with their compliance concerns. Interestingly, in an interview in the Wall Street Journal (WSJ) today, Sean McKessy, Chief of the SEC’s Office of the Whistleblower, stated that “What I hear is that companies are generally investing more in internal compliance as a result of our whistleblower program so that if they have an employee who sees something, they’ll feel incentivized to report it internally and not necessarily come to us.”

But, more than a reporting tool for compliance, there are other ways a company can help employees do business in a compliant manner. One commercial tool which immediately comes to mind is Navigator, developed by the firm of Stroz Friedberg LLC, which the firm calls “a groundbreaking mobile and desktop application that makes your compliance program come alive! It automates clear answers and approval processes, and even offers data analysis for enhanced decision-making. The Navigator “app” is custom-tailored to each client and offers an array of benefits to any organization seeking easier ways to drive a positive corporate compliance culture.” I have seen this tool and it is way cool.

Yet there are other tools which are available at no cost and can be downloaded onto a mobile device such as a smartphone or iPad. These include the O’Melveny & Myers LLP Foreign Corrupt Practices Act Resource Guide, which concentrates solely on the FCPA and is primarily a new vehicle to distribute content the firm already makes available upon request. This content includes O’Melveny’s FCPA Handbook and O’Melveny’s In-House Counsel’s Guide to Conducting Internal Investigations. In addition, the app features five resource sections that serve as an interactive, illustrative directory with titles ranging from ‘O’Melveny Authored Client Alerts’ to ‘DOJ Opinion Releases.’

Another approach is found in Latham & Watkins LLP’s AB&C Laws app, which takes an international approach to anti-corruption and anti-bribery laws. Its content is focused on organizing and easing access to statutes and regulatory guidance according to specific fields of interest, from legislative frameworks to extra-territorial application to enforcement and potential penalties. It also includes official guidance such as steps (where available) that can be taken to reduce the risk of liability for bribery and corruption.

There is much to be learned by the compliance practitioner from the disciplines of marketing and social media. These three concepts are useful in aiding companies to get their sales pitches out, and can be of great help to you, the compliance practitioner, in marketing your compliance program throughout your company as well.


© Thomas R. Fox, 2013

August 21, 2013

Loyalty v. Fairness?

Ed. Note: today we have a guest post by that well-known Code of Conduct maven, Catherine Choe.

It’s been years since I had a subscription for paper delivery of the news.  I read the news either on my computer or on my phone, and I tend to skim the headlines until I see one that interests me (usually an article on the most recent compliance & ethics failure).  A few weekends ago, I visited friends who still have the Sunday New York Times delivered to their home, and as I sipped coffee, leafing through their paper, I stumbled across an item I would have missed electronically:  “The Whistle-Blower’s Quandary.”

The authors of this piece, found in the Opinion section, are a trio of professors who did a series of studies on why and when people blow the whistle.  The article starts with an obligatory mention of Edward Snowden, and I almost moved onto the next item in the paper, but their definition of whistleblower caught my attention:  “research participants… [who] witnessed unethical behavior and reported it.”  This is the behavior we in C&E try to encourage among our employees, and so, intrigued, I kept reading.

In one of the studies, the participants were asked to describe a time that they witnessed an ethical failure, reported it, and why; they were also asked to describe a time that they witnessed an ethical failure, did not report it, and why.  In analyzing these responses, the authors found something interesting.  When the participants who reported ethical failures described their actions, they “use[d] ten times as many terms related to fairness and justice, whereas non-whistle-blowers [sic] use[d] twice as many terms related to loyalty.”  The short piece concludes that if we want our employees to come forward and report the ethical failures that they witness, we need to be emphasizing fairness and justice in our Codes of Conduct, communications, and training, as those are the concepts that encourage speaking up, whereas emphasizing loyalty will encourage silence.

This reminded me of one of Matt Kelly’s blog posts at Compliance Week, when Kelly reported the conversations that he facilitated with a group of CCEOs on the topic of cultivating C&E leadership. One of the CCEOs at the roundtable said, “The reward for good conduct is keeping your job.”  But as Kelly correctly notes, “That approach can convince an individual employee not to violate your Code of Conduct, to be sure. But it does not necessarily inspire him to call out other misconduct, when that is exactly what compliance officers desperately need.”  Kelly framed his post with the concept of allegiance, that what CCEOs need are employees who are allegiant, or loyal, to our companies, “people who will act as advocates for the company’s best interests.”

In his blog post, Kelly noted that expecting this level of loyalty from our employees may be a hard sell.  Modern companies exist to make money for their shareholders.  This has caused a situation where we’re all focused on hitting quarterly goals so that we don’t spook Wall Street.  It creates situations where companies don’t, or maybe can’t, exhibit any behaviors that would inspire the kind of loyalty we’re looking for in our employees.  We operate in a business culture where companies that prioritize the satisfaction of their employees are studied and celebrated like the rarities they are, but then we don’t emulate them.

Does the piece in the Times mean that we can stop worrying about loyalty and that we should instead focus on fairness and justice?  Nothing in life is ever that simple.

A few years ago, the Compliance and Ethics Leadership Council (CELC) did research into what the leading indicators of misconduct are, i.e., the signs that tell us in advance that we’re more likely to find misconduct at our companies.  CELC found that one of the top leading indicators of misconduct is when employees identify more closely with their individual work groups or departments than they do with the company as a whole.  (You can see versions of this at play in many Sales departments and in one of the justifications for violating the Foreign Corrupt Practices Act:  “this is how WE do business [insert relevant region here.]”)  In follow-up research, CELC also found that one of the primary reasons employees don’t report the misconduct that they witness is that they don’t think the company will do anything about it.  Employees don’t believe that there will be what CELC calls “organizational justice,” where wrongdoers get punished.

What all of this boils down to for me is that fairness and loyalty don’t oppose each other, as the professors posited.  Loyalty reflects fairness; it is an accurate measure of how fair we are.  If we consistently enforce our own rules and standards of business conduct, employees will exhibit loyalty by speaking up when they see misconduct.  If they see evidence that the company takes its own rules seriously, employees will exhibit loyalty by following the company’s lead and also taking the rules seriously.  If, however, we make exceptions in how we enforce our rules and standards of business conduct (e.g., we can’t fire John because he’s our top performer even though we know he’s unethical; we’re not going to dig deeper into why we were able to penetrate a new market so quickly because we only care about being successful and not how we were successful), employees will exhibit loyalty by keeping silent and enabling the misconduct.

If we can’t back them up with visible action, sprinkling the words “fairness” and “justice” instead of “loyalty” into our Codes and communications and training won’t inspire the kind of loyalty Kelly and his roundtable of CCEOs want.  “Actions speak louder than words” is a cliché for a reason.  It may be overused, but ignoring it or discounting it won’t make the underlying wisdom go away.

————————————————————————————————————————————————————————————————————

My eBook on the GSK bribery and corruption affair in China is out. You can purchase it for reading on your Kindle by clicking here.

————————————————————————————————————————————————————————————————————

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at cchoe@tflcompass.com

August 14, 2013

Bad Things Come In Threes for CCOs

It is often said that bad things come in threes. I have often wondered where this phrase came from. So I checked out Wikipedia, no luck there. How about trying Google as the harbinger of all knowledge? Again no such luck there. Not even About.com could help. Of course there is the good old saying ‘3 strikes and you’re out’ but I suspect that was based on something which preceded it. Whatever the origin of this folkloric belief, all I can say is that over the past couple of weeks, Chief Compliance Officers (CCOs) have taken it on the chin three times and, once again, the job of the CCO just got quite a bit harder and more challenging.

I. Banned for Life

Submitted for your consideration is the first item of bad news for the CCOs out there. It is the decision released on August 2nd by Securities and Exchange Commission (SEC) Administrative Law Judge Carol Fox Foelak (no relation) In the Matter of Daniel Bogar, Bernerd Young and Jason Green. Young was the CCO for disgraced financier Allen Stanford’s companies. For those who may not remember, Allen Stanford sold “so-called certificates of deposits” through his offshore bank in Antigua, Stanford International Bank Ltd. Unfortunately for all, it turned out that Stanford was running a massive Ponzi scheme, paying off old investors with monies invested by new ones, to the tune of over $7bn. Stanford was convicted for his crimes.

Young was not charged with or convicted of participating in the Ponzi scheme. However, he was slapped with an administrative penalty for failing to note or follow up on red flags which, had he investigated, may have uncovered the scheme earlier. These acts (or perhaps inactions) included providing materials to financial advisors which, had he inquired into them, he would have determined to be false. There were instances where company whistleblowers and others brought information to Young which, if he had properly investigated, would have led him to determine that a Ponzi scheme was in place. The Administrative Law Judge also cited the conduct of Allen Stanford himself as raising a red flag which the CCO should have investigated.

As to the penalties that Young received, how about the following: disgorgement of $591,992.46, a penalty of $260,000, and a bar from “association with any broker, dealer, investment adviser, municipal securities dealer, municipal advisor, transfer agent, or nationally recognized statistical rating organization and IS PROHIBITED, permanently, from serving or acting as an employee, officer, director, member of an advisory board, investment adviser or depositor of, or principal underwriter for, a registered investment company or affiliated person of such investment adviser, depositor, or principal underwriter.” In other words, Young can never be a CCO again or work in this industry again.

Why is this decision so significant to CCOs? It is often said that bad facts make bad law. The facts surrounding Allen Stanford and his multi-billion dollar Ponzi scheme, short of Bernie Madoff, are about as bad as it gets. Maybe Young does deserve a severe spanking for his role in not asking questions. But the problem for CCOs is that there is now a precedent for at least a civil proceeding to be filed by the SEC for failure to engage in sufficient due diligence, see red flags and perform proper investigations. This, coupled with the size of the disgorgement, the penalty and the lifetime ban on working as a CCO or in the industry, makes the CCO world quite a bit darker today.

II. Is Your Code of Conduct Mere Puffery?

The second example is the Dismissal granted by the US District Court for the Northern District of California, in the shareholder derivative action, entitled “Cement & Concrete Workers District Council Pension Fund, et al., v. Hewlett Packard Company, et al.” This lawsuit was some of the continued fallout from the Mark Hurd era at Hewlett Packard (HP). As reported in an AmLaw Litigation Daily article, entitled “Morgan Lewis Beats HP Securities Suit over Hurd Conduct”, “in the fall of 2007, the company hired a marketing consultant named Jodie Fisher.” Fisher later “accused Hurd of sexual harassment. He resigned later that year. The harassment claims were never substantiated, but an internal investigation performed by Covington & Burling turned up evidence that Hurd used company resources to wine and dine Fisher and then tried to hide the relationship from HP’s board.” Hurd later admitted that he had a “very close personal relationship” with Fisher.

A shareholder action was brought by the plaintiff who claimed in part that “HP and Hurd made false and misleading statements when they (1) issued and updated HP’s Standards of Business Conduct Brochure (SBC) in 2006, May 2008 and June 2010”. In the Plaintiff’s Complaint they said that “These statements were misleading because in light of Hurd’s endorsement of these tenets, there was an implication that Hurd was in fact in compliance with them. In truth, Hurd was knowingly violating each of these tenets in his dealings related to Fisher, by (a) inappropriately using his position as CEO to attempt to pursue a romantic relationship with Fisher, (b) submitting expense reports that did not accurately reflect their meetings, and (c) knowingly allowing Fischer to receive compensation and/or expense reimbursement where there was not a legitimate business purpose.”

However, the District Court made short shrift of the plaintiff’s claims. In its dismissal, the Court said: “Generally speaking, the 2008 and 2010 SBCs, as well as other statements relating to HP’s ethical code of conduct, do not constitute actionable misrepresentations or omissions because they are not material. ‘[V]ague, generalized, and unspecific assertions’ of corporate optimism or statements of ‘mere puffing’ cannot state actionable material misstatements of fact under federal securities laws. Such statements include those that are not ‘capable of objective verification’ or ‘lack[ ] a standard against which a reasonable investor could expect them to be pegged.’ When valuing corporations, . . . investors do not rely on vague statements of optimism like ‘good,’ ‘well-regarded,’ or other feel good monikers. Instead, professional investors, and most amateur investors as well, know how to devalue the optimism of corporate executives.”

How about that to warm the heart of every CCO out there? For that matter, how about the Department of Justice (DOJ) and SEC, who said in their jointly released FCPA Guidance that “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” For all the talk that we preach about the importance of a Code of Conduct, at least one court has now said it is ‘mere puffing’. Do you think that the Chief Executive Officer (CEO) will want to spend a bunch of money for an aspirational, puffery statement? I hope so, because the DOJ and SEC still say it is important. But if a corporation ever takes the DOJ to trial in a Foreign Corrupt Practices Act (FCPA) matter, there is at least one court that has said a Code of Conduct is not important.

III. Try Getting Your Records Out of Germany Now

Our third, and final item, comes courtesy of Nicholas Elliott from the Wall Street Journal (WSJ) Risk and Compliance Journal, in an article entitled “The Morning Risk Report: Germany’s Forceful Privacy”. Elliott reports that it is “going to be more complicated to do business in Germany, the fifth largest trading partner of the U.S. Angered by news that the U.S. National Security Agency’s electronic surveillance efforts included Germans, that country’s data-protection body declared last month that most data transfers to the U.S. breach its laws. This stance affects not only data transfers for which companies seek approval but also those covered under safe-harbor provisions of European law”.

This may well severely constrict the ability of US companies to investigate, audit or even monitor their German operations or the German citizens who are employees or third parties to the company. Not that German companies and citizens have always been 100% clean when it comes to bribery and corruption (See: Siemens-corp division and Ecclestone, Bernie-ind. division). But clearly the US government has seriously infuriated some of its major trading partners with its spying, and this will come back to bite many US companies in the behind if they cannot get data and information out of Germany to comply with the FCPA and are then faulted by the DOJ and SEC for their failure to do so.

I wrote about the data privacy issue back in June in light of Edward Snowden’s revelations about National Security Agency (NSA) spying and the attendant fallout. This issue is now in the forefront of EU-US trade negotiations. In an article in the Financial Times (FT), entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament, was quoted as saying “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”

Elliott ends his article with the following, “At the same time, European privacy rules will probably be tightened, with a proposal for fines levied on companies that share data without customers’ permission. The Wall Street Journal reported last week that such rules could create further legal uncertainty by conflicting with U.S. laws such as the Patriot Act and Foreign Intelligence Surveillance Act.” Amen.

These three strikes have the following effects: (1) denigrating an entire compliance regime of a company by declaring its foundational document ‘mere puffing’; (2) putting the CCO’s backside on the firing line for a civil or potentially criminal action if they do not uncover FCPA violations; and (3) making it illegal to remove certain data from Germany, where failing to do so may well be an FCPA violation. Be afraid, be very afraid…


June 7, 2013

Codes of Conduct: what are they good for?

Ed. Note: today we have a guest post from Catherine Choe, a well-known Code of Conduct maven.

I had an interesting and frustrating conversation with a relative about the work that I do, which includes working with companies on refreshing their Codes of Business Conduct.  Although he works at a large, publicly traded, multinational corporation, I had to describe the Code twice before he recalled having certified reading the one at his company.  It got me thinking about why we have Codes and whether they’re doing an adequate job serving their purposes.

Two of the primary goals of any Code are first, to document and clarify minimum expectations of acceptable behavior at a company, and second, to encourage employees to speak up when they have questions or witness misconduct.  There have been some very compelling articles discussing how important it is to teach employees that even actions that seem like minor misconduct should be reported.  I agree with this, of course, but I think that those of us in compliance & ethics should not lose sight of how difficult the decision to report major misconduct can be for many employees.

I recently heard a story about this that drove home how much anxiety the decision to report can cause.  I was having drinks with Sara, a friend I hadn’t seen in over a year.  Sara and I used to work together, and as we were catching up (i.e., gossiping) about former colleagues and mutual friends, she told me about something that happened to her a couple of weeks earlier.

Sara was attending a happy hour and chatting with Tracy.  Sara and Tracy started at the company on the same day and were in the same orientation group, where they bonded over their shared love of celebrity tabloids and became fast friends.  Over the years, Tracy worked her way up in the sales department to become a senior manager.  At the happy hour, Tracy shared details from the latest bonus trip that she had been selected to attend along with other top sales employees as a reward for outstanding performance.

It seems that in addition to her reputation for exceeding nearly every sales goal put in front of her, Tracy had also developed a habit of dating her colleagues.  In some instances, her partners were at her level, but most of the time, they were junior to her, although not in her reporting line.  All of her relationships were consensual, and she never exerted influence, positive or negative, over their careers.  Tracy simply found that it was more convenient, given the number of hours she worked and the days that she traveled, to find romance at work.  Management turned a blind eye to these activities, despite them being in contravention of company policy.  This was in part because of her performance and in part because nobody ever complained.

Tracy became involved with a junior colleague on the bonus trip and, as friends often do, was starting to share juicy details.  Tracy, wanting to show Sara what the junior colleague looked like, pulled out her phone to show Sara a picture.  Sara expected to see a head shot.  What she saw instead was a picture of the gentleman in question in the shower, with no idea that Tracy was snapping a photograph.

Sara shared the story with her boyfriend as an example of Tracy’s continuing refusal to grow up and a reason for the growing distance between the two friends.  Sara expressed discomfort at having been shown the picture and some sympathy for the gentleman who’d had his picture taken in an intimate moment without his consent.  Her plan for the future was to minimize contact and avoid spending time with Tracy.

Sara’s boyfriend, a lawyer, told her she had a responsibility to report Tracy’s behavior.  Sara disagreed, saying that the relationship was a consensual one between two adults.  In addition, Sara was concerned that Tracy might lose her job at a time when jobs were hard to find; Sara didn’t think it was right to interfere with Tracy’s livelihood.

Sara’s boyfriend insisted that Sara report the incident, going so far as to say that if she didn’t tell someone in authority at the company, he would call the company’s General Counsel to report the behavior himself.  He also noted that she might not have been as reluctant to raise her hand if the genders of the parties involved had been reversed.

Sara felt trapped.  Despite the egregious nature of Tracy’s behavior, Sara was torn between loyalty to her friend and doing what she knew in her heart was the right thing.  After several sleepless nights, she asked her boyfriend to consider calling the helpline rather than calling the GC, which she hoped would make it harder to trace the report back to her.  Out of sympathy for her distress, he agreed but told her she should check to see what her responsibilities were in the company’s Code of Conduct.

Sara downloaded the Code of Business Conduct from the company’s website and checked the Table of Contents and the index.  Both places directed her to the first section of the Code, which stated that employees, officers, and directors had a duty to report misconduct.  Defeated, Sara called the HR business partner for her department the next day.

Two things stood out to me when Sara told me this story:  (1) Sara’s reluctance to report the misconduct despite its egregiousness and (2) the role of the Code of Business Conduct in the resolution.  It’s true that if someone had reported Tracy when she first started dating her colleagues, she might not have reached the point of nonconsensual pictures in the shower, and then Sara would not have faced the dilemma she did.  Despite the existence of HR policies either forbidding romantic relationships at work or requiring their disclosure, workplace romances continue to occur.  As adults, we spend most of our time at the office with our coworkers.  Personal relationships are inevitable.

In addition, we often feel more loyalty to our coworkers than we do to the companies that employ us.  Our colleagues are people.  We work on projects together, we celebrate successes with each other, and we console each other when there are failures.  The collegiality that we build can improve productivity for the company.

Companies employ us.  They provide us with the money we need to shelter and feed ourselves and our families, but companies are not people.  The relationships we have with them are not personal.  What this means for C&E practitioners is that when we tell employees to report misconduct, no matter how small, the choice we are presenting is to be loyal to our coworkers or be loyal to the company.  Respect the teamwork and collegiality we’ve built, or “tattle” on our teammates for minor infractions of a Code that most employees skim once a year.  The decision to report, even in the face of serious misconduct, is gut-wrenching, especially if the bad actor is a friend or simply likeable.

Luckily for Sara’s company, the Code specifically cited a duty to report.  Companies often struggle with the decision as to whether to make reporting a duty or something more voluntary.  Making reporting a duty puts a burden on the company to ensure there are consequences for those who do not report misconduct.  Some decide that the administrative burden is too great or that they are uncomfortable with the potential impact it will have on the company culture.  After the conversation I had with Sara, I believe that the benefits outweigh those potential drawbacks.

We all know that our companies need Codes, so that our expectations around appropriate behavior are written down for employees.  We all know the general topics that should be covered in our Codes.  The level of interactivity in a Code often depends on how technologically sophisticated the employee base is.  Many of us have gotten savvier about adding specific examples in our Codes to provide additional guidance.  We seem to take it for granted that employees will read the Code with the same attention and focus that we do.

The reality is that employees read the Code when forced to, either because of an annual certification campaign or because they face a dilemma.  In the former situation, employees skim, then sign; in the latter situation, employees look for an answer to a specific question.  Everyone in C&E has a checklist in mind of things that the Code should have and do.  At the top of my checklist is how quickly people like Sara can find the topic of her question and how clearly the Code answers it.  If employees are unable to find clear answers to their dilemmas quickly, the Code is not serving its purpose.

———————————————————————————————————————————————————————-

Catherine Choe is Managing Member at TFL Compass (www.tflcompass.com), a compliance and ethics consultancy.  She is an authority on the business impact of C&E programs and has lectured widely on harmonizing C&E practices with business processes. Catherine is also an experienced and talented speaker with exceptional communication and presentation skills. She tweets regularly as the Code Maven (@CodeMavencc). She can be reached by phone at 408-337-2463 or email at cchoe@tflcompass.com.

———————————————————————————————————————————————————————-


January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want to discuss the 10 points listed as the ‘Hallmarks of Effective Compliance Programs’. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has included in its Deferred Prosecution Agreements (DPAs) since at least November 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points; there the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. Two of the entities being acquired, ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, it stated that it did not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In that enforcement action the DOJ listed 15 points in its minimum best practices FCPA anti-corruption compliance program. Then, later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that, depending on a variety of factors such as size, type of business, industry and risk profile, a company should determine what is appropriate for its own needs regarding an FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words, you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talking the talk’, company leadership must ‘walk the walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required; it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English, such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that it has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one overriding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk-based so that high-risk employees and third-party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk-based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next, a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what they expect not only in the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition work is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform an FCPA audit, train all senior management and risk employees in the purchased company, and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk-based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10, and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime, so assess your company’s risks and use these hallmarks as a basis to move forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

September 4, 2012

Revising Your Code of Conduct – Don’t Wait for Another Great Fire of London

In 1666 the dates of September 4 and 5 are generally recognized as the worst days of the Great Fire of London. The Great Fire started at the bakery of Thomas Farriner on Pudding Lane, shortly after midnight on Sunday, 2 September, and spread rapidly west across the City of London. The fire gutted the medieval City of London inside the old Roman City Walls. It is estimated to have destroyed the homes of 70,000 of the City’s 80,000 inhabitants. The City was rebuilt, with much of the old street plan being recreated in the new City, with improvements in hygiene and fire safety: wider streets, open and accessible wharves along the length of the Thames, with no houses obstructing access to the river, and, most importantly, buildings constructed of brick and stone, not wood. New public buildings were created on their predecessors’ sites; the most famous is St. Paul’s Cathedral and its smaller cousins, Christopher Wren’s 50 new churches.

Not all rebuilding requires such drastic destruction, however. In a recent article in the Society for Corporate Compliance and Ethics (SCCE) Magazine, entitled “Six steps for revising your company’s Code of Conduct”, authors Anne Marie Logarta and Ruth Ward suggest considering the following issues before you take on an update of your Code of Conduct.

When was the last time your Code of Conduct was released or revised?

Have there been changes to your company’s internal policies since the last revision?

Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?

Are any of the guidelines outdated?

Is there a budget to create/revise a Code?

After considering these issues, the authors suggest that you should benchmark your current Code of Conduct against those of other companies in your industry. If you decide to move forward, the authors have a six-point guide which they believe will assist you in making your revision process successful.

1. Get buy-in from decision makers at the highest level of the company

The authors believe that your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or, better yet, all three who mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

2. Establish a core revision committee

The authors believe that a cross-functional working group should head up your effort to revise your Code of Conduct. They suggest that this group include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the authors believe that Code of Conduct topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. The authors emphasize that creation of a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

3. Conduct a thorough technology assessment

The authors argue that the backbone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” They believe that technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct revision, you should determine if your Code of Conduct will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code will only be available in hard copy.

4. Determine translations and localizations

The authors emphasize that “If your company does business internationally, then this step is vital to ensure you have one Code, no matter the language.” They do note that if you decide to translate your Code of Conduct, be sure to hire someone who is an “approved company translation subject matter expert.” Here I would simply say to contact Jay Rosen at Merrill Brink, as those guys are the SMEs and know what they are doing when it comes to translations. The key is that “your employees have the same understanding of the company’s Code, no matter the language.”

5. Develop a plan to communicate the Code of Conduct

A roll-out is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” The authors believe that your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct meeting where the new or revised Code is rolled out across the company all in one day. But remember, as with all things compliance, the three most important aspects are Document, Document and Document. However you deliver the new or revised Code of Conduct, you must document that each employee receives it.

6. Stay on Target

The authors end by noting that if you set realistic expectations you should be able to stay on deadline and stay within your budget. They state that “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that you should keep a close watch on your budget so that you do not exceed it.

Logarta and Ward’s article provides a useful guide not only to thinking through how to determine if your Code of Conduct needs updating, but also to the practical steps for tackling the problem. If you are a compliance practitioner, I would urge you to take a look at your company’s Code of Conduct. If it has been more than five years since it was last updated, you should begin the process that the authors have laid out. Do not wait for a catastrophe, as the City of London did with the Great Fire, to rebuild. It is far better to review and update if appropriate than to wait for a massive Foreign Corrupt Practices Act (FCPA) investigation to force you through the process.


© Thomas R. Fox, 2012

August 14, 2012

Pfizer DPA Part III – What Does It All Mean?

Last week I began an exploration of the Pfizer Deferred Prosecution Agreement (DPA), announced last week by the Department of Justice (DOJ) in connection with its settlement of Foreign Corrupt Practices Act (FCPA) violations. In Part I, I reviewed the Corporate Compliance Obligations, Attachment C.1. In Part II, I reviewed the Enhanced Compliance Obligations, Attachment C.2, and the Corporate Reporting Obligation, Attachment C.3, which Pfizer agreed to implement and operate under. In Part III, I will discuss some of the implications raised by the Pfizer DPA for the compliance practitioner.

Below is a comparison chart of the minimum best practices compliance program as set out in the Panalpina DPA (and the DPAs that followed it) against the minimum best practices compliance program as set out in the Pfizer DPA. While the number of compliance obligations is somewhat different, when read in conjunction with the Enhanced Compliance Obligations of Attachment C.2, there is no significant difference. Therefore, and initially, the compliance practitioner must read the Corporate Compliance Obligations and the Enhanced Compliance Obligations in conjunction with each other.

CORPORATE COMPLIANCE COMPARISON CHART

| Panalpina Minimum Best Practices | Pfizer 9 Point Corporate Compliance Program |
|---|---|
| 1. Code of Conduct. To ensure against FCPA violations. | 1. Clearly articulated corporate policy against FCPA violations. |
| 2. Tone at the Top. A company will ensure that its senior management provides visible support and commitment to its corporate anti-corruption policy. | 2. Promulgation of compliance standards and procedures designed to reduce the prospect of violations of the anti-corruption laws and Pfizer’s compliance code. |
| 3. Written policies and procedures. Should be created in the following areas: (a) gifts; (b) hospitality, entertainment, and expenses; (c) customer travel; (d) political contributions; (e) charitable donations and sponsorships; (f) facilitation payments; and (g) solicitation and extortion. | 3. Assignment of one or more senior corporate executives for implementation and oversight of the compliance program. They shall report to the Board. |
| 4. Risk Assessment. Perform a risk assessment and use it to inform your compliance program. 9(b): internal and confidential reporting system. | 4. Effective communication of the compliance policies, including training and certification of training. |
| 5. Annual Reviews. No less than annually, a company should review and update as appropriate to ensure continued compliance program effectiveness. | 5. An effective system for reporting illegal conduct or violations of the company anti-corruption program. |
| 6. Senior Management Oversight and Reporting. Assignment of one or more senior corporate executives for implementation and oversight of the compliance program; they shall report to the Board of Directors. | 6. Appropriate disciplinary procedures. |
| 7. Internal controls. These should include financial and accounting procedures which should ensure that the company has accurate and fair books and records, which cannot be used for or conceal bribery. | 7. Appropriate due diligence for retention and oversight of agents and business partners. |
| 8. Training. A company shall effectively communicate its compliance program through training and annual certifications. | 8. Standard compliance terms and conditions in contracts, including (1) representations and undertakings regarding anti-corruption compliance; (2) right to audit; and (3) right to terminate for breach thereof. |
| 9. Advice and Guidance. The company should establish or maintain an effective system for: (a) providing guidance; (b) internal and confidential reporting; and (c) responding to such requests and undertaking appropriate action in response to such reports. | 9. Periodic testing of the Pfizer compliance code and anti-corruption procedures. |
| 10. Discipline. A company shall institute appropriate disciplinary procedures to address violations of the compliance policy or anti-corruption laws. | |
| 11. Third Party Reps. (a) Properly documented risk-based due diligence and regular oversight of agents and business partners; (b) informing agents and business partners of the compliance standards; and (c) seeking a reciprocal commitment from agents and business partners. | |
| 12. Compliance terms and conditions. Should be included in every agent agreement. | |
| 13. Ongoing Assessment. Periodic review and testing of the compliance program to evaluate and improve the program’s effectiveness. | |

In addition to a Chief Compliance Officer (CCO) and Risk Officer (RO) who will report directly to the Chief Executive Officer (CEO), there were further requirements specified for compliance leads to be appointed with responsibility for each of its business units, who would in turn report to the CCO and RO or General Counsel (GC). Finally, similar to the situation we observed in the Halliburton settlement of its shareholder derivative action, Pfizer will have an Executive Compliance Committee, which will sit below the Board of Directors to oversee Pfizer’s compliance program.

The Enhanced Compliance Obligations require that Pfizer maintain policies and procedures regarding gifts, hospitality, and travel in each jurisdiction that are appropriately designed to prevent violations of the anti-corruption laws and regulations, presumably tailored to each jurisdiction. This statement would seem to focus on reasonableness not only in terms of monetary value but also in factoring in the jurisdiction where the gift or hospitality is to be provided. Finally, and as always, travel and training must have a business purpose.

There was a very detailed plan laid out for a risk-based program of annual proactive anti-corruption reviews of high-risk markets. It consists of five markets which are at high risk for corruption because of the business and location. The specifics for each visit will be a useful guide for the compliance practitioner to compare with similar work done by his compliance group. It includes:

  (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training;
  (b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market;
  (c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and
  (d) A review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.

Interestingly, the DPA specifies that Pfizer will maintain “significant” resources for the compliance function. These significant resources will be dedicated to several different types of compliance tools, including:

  (a) An international investigations group charged with responding to and investigating anti-corruption compliance issues and ensuring that appropriate remedial measures are undertaken after the completion of an investigation;
  (b) An anti-corruption program office providing centralized assistance and guidance regarding the implementation, updating and revising of the FCPA Procedure, the establishment of systems to enhance compliance with the FCPA Procedure, and the administration of corporate-level training and annual anti-corruption certifications; and
  (c) A mergers and acquisitions (M&A) compliance team designed to support early identification of compliance risks associated with complex business transactions and to ensure the integration of Pfizer’s compliance procedures into newly acquired entities.

There was a slightly different time schedule listed for Pfizer to complete post-acquisition auditing, training and implementation of the Pfizer compliance program into the acquired company. I have added it to my recent FCPA M&A Box Score Summary.

Time Frames

| | Halliburton 08-02 | J&J | DS&S | Pfizer |
|---|---|---|---|---|
| FCPA Audit | 1. High Risk Agents: 90 days; 2. Medium Risk Agents: 120 days; 3. Low Risk Agents: 180 days | 18 months to conduct full FCPA audit | As soon “as practicable” | One year |
| Implement FCPA Compliance Program | Immediately upon closing | 12 months | As soon “as practicable” | One year |
| Training on FCPA Compliance Program | 60 days to complete training for high-risk employees, 90 days for all others | 12 months to complete training | As soon “as practicable” | One year |

While there was no new language regarding risk evaluation, due diligence on, or other management of third-party business partners, the DPA did specify that when it is appropriate on the basis of an FCPA risk assessment, the company will provide FCPA and anti-corruption training to relevant agents and business partners, at least once every three years.

The company is also to use annual certifications from senior managers in each of Pfizer’s Business Units, Divisions, and operational functions confirming that their standard operating procedures adequately implement Pfizer’s anti-corruption policies, procedures and controls, including training requirements; that they have reviewed and followed up on any issues identified in FCPA trend analyses; and that they are not aware of any FCPA or other corruption issues that have not already been reported to the Compliance Division or the Legal Division.

There is a wealth of information in the Pfizer DPA and the other documents relating to its resolution of these FCPA issues. I commend all the documents to you: read them and see what areas your company may need to look at more closely, and how these Compliance and Enhanced Compliance Obligation Attachments may provide insight into areas where you might be lacking or need to enhance your compliance program and coverage. These enhanced obligations could well become the new minimum best practices in the FCPA compliance arena.


March 20, 2012

Mendelsohn and Denniston: A Compliance Dialogue

Last week I attended the 2012 Global Ethics Summit hosted by Ethisphere. The first event was a conversation between Mark Mendelsohn and Brackett Denniston, Senior Vice President and General Counsel of General Electric (GE). They both had some interesting observations on the current state of Foreign Corrupt Practices Act (FCPA) compliance. Denniston believes that the conversation on FCPA compliance has evolved to “What can organizations do to create a culture of compliance on a world-wide basis?” To answer this question he gave three overarching themes.

First, it all starts with the ubiquitous “tone-at-the-top”, but it means more than simply saying the right things on a regular basis. Denniston believes that senior management must “speak often and be sincere” in communicating this tone. If they are not sincere, he believes that employees will pick up on this immediately and any efforts to instill such a culture of compliance will be doomed to fail. Second, senior management must “walk the talk” through both discipline and a system of rewards. The discipline must be clear and delivered decisively. The rewards must be not only direct financial remuneration but also the internal promotion of persons who do business in an ethical manner, under the Company’s Code of Conduct. Lastly, a company as a whole must have the willingness to listen. He directed these remarks to helplines and other mechanisms where employees can report compliance violations or even raise concerns. He was clear that it must be directly stated and enforced that there is a no-retaliation policy for all reports made in good faith. This also requires a company to keep accurate measurements of such reports and to design and refine its processes around these metrics.

Mendelsohn asked Denniston what were his three biggest challenges at GE regarding compliance and ethics. Denniston responded that the biggest challenge was in integrating acquisitions into the GE compliance culture. This is challenging in remote sites around the globe particularly in locations which do not have a senior management presence nor are visited by senior management on a regular basis. The second area is improper payments on a global basis. While noting that GE bans facilitation payments, these are still a challenge as are payments made through gifts, entertainment and travel. Lastly, he expanded his answer on the top three challenges to add regulatory compliance in general.

Denniston believes that the key for any company is how it will respond when a compliance issue arises. Within the GE world, he said that the thing he worries about is that an issue will arise and the local business team will try to clean up the matter and will not disclose it to the home office. From afar, such a response would appear as a cover-up of a reportable FCPA violation, even if no one in the US was involved. It could lead to a conclusion by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) of an entire failure of a company’s compliance program. Recognizing that the cover-up is always worse than the original event, this would seem to echo Number 3 of Paul McNulty’s Maxims: “What did you do when you found out about it [a compliance violation]?”

Picking up on his point about one of the things a company must do is listen to its employees, Denniston re-emphasized that communication is important but that a company must also measure the effect that these communications have. Metrics are an important aspect to creating and maintaining a culture of compliance at GE because it allows the company to base its compliance program enhancements on quantifiable data. He added that this helps dissipate the confusion between quality in the overall company compliance regime and simple regulatory compliance.

In a very interesting response to a Mendelsohn question along the lines of “is there too much FCPA enforcement?” Denniston responded that he did not think so as he believes that the DOJ has “got it right.” However, he does not believe this is the case with the SEC. He said that the problem, in his opinion, is around how much “fuzziness” there is from the SEC on the credit a company will receive for a self-disclosure. This is true even if the SEC has a principle which is consistent; Denniston believes that it does not always play out so clearly in practice.

Denniston ended his remarks in responding to a Mendelsohn question on “the single best compliance innovation at GE, during his tenure?” Being a good lawyer, Denniston had three single best compliance innovations. They were: (1) every year GE tries to introduce a substantive improvement to its compliance program. These improvements are generated from a variety of sources, from local business unit employees to his aforementioned metrics, to lead to an enhancement. (2) The continued efforts in the company to increase reporting of any compliance issues so that they might be evaluated by an appropriate compliance professional. He gave an example of a geographic region which had an inordinately low number of reports of compliance issues, which Denniston viewed as a negative. He sought to have this number increased by a minimum of 20% annually, which was achieved. In other words, if there are no reports, GE wants to know why there are no reports. (3) He said that there is now the creation of an unanticipated risk list. This has turned into an early warning system of issues that might pop up on the compliance radar; it also forces all employees engaged in the exercise to come up with compliance issues the company is not currently thinking about in any detail.


© Thomas R. Fox, 2012
