FCPA Compliance and Ethics Blog

July 14, 2015

Great Structures Week II – Structures from Ancient Egypt and Greece


I continue my Great Structures Week with a focus on great structures from the earliest times, ancient Egypt and Greece. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. From Egypt there are of course the Pyramids, of which Ressler says, “They’re important, not just because they’re great structures, but also because they represent some of the earliest human achievements that can legitimately be called engineering. The Great Pyramid of Giza stands today as a testament to the strength and durability of Egyptian structural engineering skills.”

From Greece we derive what Vitruvius called the “Empirical Rules for Temple Design” which define a “single dimensional module equal to the radius of a column in the temple portico, then specify all other dimensions of the building in terms of that module.” These rules are best seen in Greek temples, largely consisting of columns, which are defined as “a structural element that carries load primarily in compression” and beams, which are “structural elements subject to transverse loading and carry load in bending.” My favorite example of the use of columns is seen in the Parthenon, the most famous of all Greek temples still standing.

In many ways these two very different structures stand as the basis of all structural engineering and Great Structures that come later throughout history. For any anti-corruption compliance regime based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery statutes, the same is true for a Code of Conduct and written policies and procedures. They are both the building blocks of everything that comes thereafter.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, now a partner at Foley & Lardner, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Borrowing from an article in the Houston Business Journal (HBJ) by John Allen, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

  • identify to whom the policy applies;
  • establish the objective of the policy;
  • explain why the policy is necessary;
  • outline examples of acceptable and unacceptable behavior under the policy; and
  • warn of the consequences if an employee fails to comply with the policy.

Allen notes that for policies to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Consider gathering small groups of employees, where detailed questions about policies can be raised and discussed, as a powerful teaching tool. Allen even suggests posting Frequently Asked Questions (FAQs) in common areas as another technique. And do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the Department of Justice (DOJ) was that it sent out bi-monthly compliance reminder emails to its employee Garth Peterson for the seven years he was employed by the company.

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts it a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

For a review of what goes into the base structures of a best practices compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 28, 2015

King Arthur Week – the Pentecostal Oath and Code of Conduct – Part II

One thing for which King Arthur is remembered is his chivalric knights. He helped create this legend, in large part, by establishing a Code of Conduct for the Knights of the Round Table. The King required each one of them to swear an oath, called the Pentecostal Oath, which was Arthur’s ideal for a chivalric knight. The Oath stated, “The king established all his knights, and gave them that were of lands not rich, he gave them lands, and charged them never to do outrageousity nor murder, and always to flee treason; also, by no mean to be cruel, but to give mercy unto him that asketh mercy, upon pain of forfeiture of their worship and lordship of King Arthur for evermore; and always to do ladies, damosels, and gentlewomen succor upon pain of death. Also, that no man take no battles in a wrongful quarrel for no law, ne for no world’s goods. Unto this were all the knights sworn of the Table Round, both old and young. And every year were they sworn at the high feast of Pentecost.” (Le Morte d’Arthur, pp 115-116)

Interestingly, the Oath first appeared in Sir Thomas Malory’s Le Morte d’Arthur and in none of the prior incarnations of the legend. In Malory’s telling, after the Knights swore the Oath, they were provided titles and lands by the King. The Oath specifies both positive and negative conduct; that is, what a Knight might do but also what conduct he should not engage in. The Pentecostal Oath formed the basis for the Knight’s conduct at Camelot and beyond. It was clearly a forerunner of today’s corporate Code of Conduct.

The foundational document of any Foreign Corrupt Practices Act (FCPA) compliance program is its Code of Conduct. This requirement has long been memorialized in the US Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The US Sentencing Guidelines assume that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”?

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program the DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.

In each DPA and NPA over the past 36 months the DOJ has stated the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed their Code of Conduct for five years, I would suggest that you do so in short order as much has changed in the compliance world.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Just as the Pentecostal Oath was required to be sworn out each year, you should have your employees recertify their adherence to your Code of Conduct. Moreover, just as King Arthur set his expectations for behavior, your company should do so as well.


July 25, 2014

Code of Conduct, Compliance Policies and Procedures-Part IV

This is the fourth and final installment of my series on the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. On Tuesday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I looked at how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures. Today, I will end the series on how to keep all of the above vibrant and dynamic through a discussion of how to assess, review and revise them and your Code of Conduct on a timely basis.

Simply having a Code of Conduct, together with policies and procedures is not enough. As articulated by former Assistant Attorney General, for the Criminal Division of the US Department of Justice, Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” In an article in the SCCE Magazine, entitled “Six steps for revising your company’s Code of Conduct”, authors Anne Marie Logarta and Ruth Ward suggest considering the following issues before you take on an update of your Code of Conduct.

  • When was the last time your Code of Conduct was released or revised?
  • Have there been changes to your company’s internal policies since the last revision?
  • Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
  • Are any of the guidelines outdated?
  • Is there a budget to create/revise a Code?

After considering these issues, the authors suggest that you should benchmark your current Code of Conduct against other companies in your industry. I would also add that your standards, policies and procedures should be reviewed and updated in the same manner. If you decide to move forward the authors have a six-point guide which they believe will assist you in making your revision process successful, which I have used as a basis to include revisions to your compliance policies and procedures.

  1. Get buy-in from decision makers at the highest level of the company

The authors believe that your company’s highest level must give the mandate for a revision to a Code of Conduct and compliance policies and procedures. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

  2. Establish a core revision committee

A cross-functional working group would be ideal to head up your effort to revise your Code of Conduct and compliance policies and procedures. This group should include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. The authors emphasize that creation of a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

  3. Conduct a thorough technology assessment

The cornerstone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” They believe that technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct and compliance policies and procedures revisions, you should determine if they will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code and compliance policies and procedures will only be available in hard copy.

  4. Determine translations and localizations

The authors emphasize, “If your company does business internationally, then this step is vital to ensure you have one Code, no matter the language.” They do note that if you decide to translate your Code of Conduct be sure and hire someone who is an “approved company translation subject matter expert.” Here I would simply say to contact Jay Rosen at Merrill Brink, as those guys are one of the top Language Service Providers and know what they are doing when it comes to translations. The key is that “your employees have the same understanding of the company’s Code-no matter the language.”

  5. Develop a plan to communicate the Code of Conduct

A rollout is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct and compliance policies and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct and compliance policies and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all things compliance, the three most important aspects are ‘Document, Document and Document’. However you deliver the new or revised Code of Conduct, you must document that each employee receives it.

  6. Stay on Target

The authors end by noting that if you set realistic expectations you should be able to stay on deadline and stay within your budget. They state that “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that you should keep a close watch on your budget so that you do not exceed it.

These points are a useful guide to not only thinking through how to determine if your Code of Conduct, and compliance policies and procedures need updating, but also practical steps on how to tackle the problem. If it has been more than five years since it was last updated, you should begin the process that the authors have laid out. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedures. They are certainly a first line of defense when the government comes knocking. The FCPA Guidance makes clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by considered, I think it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Moreover, as Allen emphasized, “having policies written out and signed by employees provides what some consider the most vital layer of communication.” Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.


© Thomas R. Fox, 2014

July 23, 2014

Code of Conduct, Compliance Policies and Procedures-Part II

This week, I am reviewing the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. Yesterday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. Today, I want to look at how to go about drafting your Code of Conduct. In subsequent posts, I will consider both anti-corruption compliance policies and procedures and how to assess, review and revise them and your Code of Conduct on a timely basis.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in an article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network, and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving.

A GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties. If you have a large number of non-English speaking personnel or employees without access to online training, these factors need to be considered when determining the delivery method.

Measure

Initially, you should prioritize both qualitative results with positive feedback by including such metrics as speed of completion, the reminders that must be sent to facilitate completion of Code of Conduct training, and the percentage of employees and third parties who attest to the review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and content fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but also truly reflective of your company’s culture. Lin points out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. He states, “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said, “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 22, 2014

Code of Conduct, Compliance Policies and Procedures-Part I

For the remainder of this week, I will have a four-part episode on your Code of Conduct and anti-corruption compliance policies and procedures. In today’s post I will review the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I will review how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures and how to assess, review and revise them on a timely basis.

The cornerstone of a US Foreign Corrupt Practices Act (FCPA) compliance program is its written protocols. This includes a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In each DPA and NPA over the past 36 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code. 

Stephen Martin and Paul McNulty, partners in the law firm of Baker and McKenzie, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally, express its ethical principles. But simply having a Code of Conduct is not enough. So a second step mandates that every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, and anyone else to whom your Code of Conduct applies, have received, read, and understand the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do so in short order, as much has changed in the compliance world.

January 27, 2014

The Abbey Grange, the Quality of Justice and Codes of Conduct

In honor of the return of Sherlock Holmes to PBS with Season 3, I begin a week of Sherlockian themed posts. Today we consider the quality of justice that Holmes discussed in The Abbey Grange, in which he allowed a man who murdered a wife-abusing husband to go free. Holmes’ concern with justice, as opposed to simply following the letter of the law, is an excellent introduction into the subject of Codes of Conduct.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Carol Switzer, President of the Open Compliance and Ethics Group (OCEG), explored some of these questions in a recent article in Compliance Week, entitled “The Code of Conduct Conundrum”. As a part of her article, Switzer interviewed Jimmy Lin, Vice President (VP) of Product Management and Corporate Development at The Network and Kendall Tieck, VP of Internal Audit at Workday, for their thoughts on what makes an effective Code of Conduct.

Tieck views a Code of Conduct as not simply a static piece of paper or document “but as a set of expected behaviors that are integral to the fabric of the business and an organization’s value system. A Code of Conduct is not a compliance activity, but how an entity demonstrates integrity and acquires trust from markets, shareholders, customers, partners, and governments. To achieve these outcomes, a careful plan, aligned with a policy lifecycle management framework, should articulate how the Code is integrated in the core of the company’s activities and culture.”

Switzer believes that one of the key components of a best practices Code of Conduct is to integrate the connection between a business’ objectives, its risk and compliance management. There are numerous factors, which can move a company towards having such an effective integration. Switzer wrote that some of these include, “external stakeholder expectations and pressures, internal culture and context, objectives for the code, process of development and implementation, content of the code, consequences for non-conforming conduct, strength of sub-codes (e.g. policies), and employee character.”

A GRC Illustrated series, provided with Switzer’s article, entitled “The Next Generation Code of Conduct”, lays out six steps for the compliance practitioner to think through and implement during a Code of Conduct upgrade or rewrite. These six steps are (1) design; (2) deliver; (3) interact; (4) measure; (5) maintain; and (6) improve.

Design

Under this step, a company needs to define the behavior that it desires to inspire and allow employees to collaborate at all levels. Lin said that a key aspect was relevancy, “But times change—business environments change, cultures change, risk appetites change. We all need to keep in mind that the Code, the ultimate policy, should not be a stale document on the shelf. It needs to inspire, engage, and change with the organization.” Tieck said that your Code of Conduct should be “considered a part of the entity’s overall policy landscape. Leveraging an effective policy lifecycle management framework will promote integration and alignment across the policy governance landscape.”

Deliver

Switzer also identified the delivery of a Code of Conduct as a key element of its effectiveness. She said, “modern communication methods that allow the user to engage, interact, and research further behind the Code into related policies, procedures, and helplines for additional guidance can be better monitored and measured. Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.” This should also include relevant third parties such as suppliers and sales agents. “And failure to comply with the Code can be better identified and tracked, indicating possible need for clarification, additional training, or better screening of employees.”

Interact

Lin pointed out that a Code of Conduct is both a corporate governance document and a marketing document. As such you will need to create a marketing campaign to get the message of your Code of Conduct out to not only your employee base but also relevant third parties, such as suppliers and agents. If you have a large number of non-English speaking personnel or employees without access to online training, these factors need to be considered when determining the delivery method.

Measure

Initially, you should prioritize both qualitative results with positive feedback by including such metrics as speed of completion, the reminders that must be sent to facilitate completion of Code of Conduct training, and the percentage of employees and third parties who attest to the review of your Code of Conduct. You should also measure the effectiveness of your communication campaign. Tieck suggests drilling down further because each component of your Code of Conduct sets “an expected behavior. Selecting a few critical behaviors to measure and monitor may be adequate for most organizations. These selected measures might represent an aggregate measure of the overall conformance to the code. Large organizations may be able to mine HR data to capture statistics associated with the identified behaviors. For instance, termination reason codes may be one source.”

Maintain

All commentators note that it is important to keep your Code of Conduct design and content fresh. One of the ways to do so is by employee feedback, which can assist you in identifying if your Code of Conduct is not only effective, but truly reflective of your company’s culture. Lin pointed out that to gain these insights you need to incorporate both formal and informal techniques for gauging the relevant employee and third party populations. He states, “Questionnaires, surveys, forms and hotlines can be good anonymous sources, but engaging employees in conversation is just as, if not more, important. Make sure executives and managers alike spend time in small-group and one-on-one conversations. Have these conversations throughout the year and across your employee base to get the “real” story. This helps engage the employees and ensure they know you value their input.”

Improve

OCEG advocates that your Code of Conduct should be evaluated for revision at least every two years. This should be done to keep abreast of the changes in laws and regulations and your own business operations and risk tolerances. Switzer said that “Code content that is integrated with efforts to monitor changes in the external and internal environment can be updated as needed rather than on a static schedule.”

Switzer ends her piece by relating that there is a huge benefit to a company for a well thought out Code of Conduct, as a tool to drive both corporate values and sinew the expectations of conduct into the fabric of the company. By designing a Code of Conduct, which can be measured for effectiveness, you can continuously keep the goals moving forward and as Holmes did in the Abbey Grange, further your cause beyond the simple letter of the law.

November 20, 2013

Plato, Aristotle and Codes of Conduct

It was once observed that all western philosophy is but a mere footnote to the works of Plato. However, others believe that his student Aristotle merits equal standing. I recently read a review of the new book by Arthur Herman “The Cave and the Light” in the Wall Street Journal (WSJ) by reviewer Roger Kimball. In his review, Kimball said that the book seeks to “explain the metabolism of history with a single master idea: the perpetual struggle or ‘creative tension’ between the ideas of Plato – which he says emphasize the idea at the expense of the actual – and those of Aristotle, whose philosophy remains rooted in experience and everyday life.”

I thought about this dichotomy when I recently came across the Words of Wisdom (WOWLW) blog, which is penned by the Capital Markets Group of the law firm of Latham & Watkins. As stated in the FCPA Guidance, “A company’s code of conduct is often the foundation upon which an effective compliance program is built.” As the Department of Justice (DOJ) has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf. The WOWLW blog took a different tack and reviewed the requirements of the Securities and Exchange Commission (SEC) regulations for a Code of Conduct.

Under SEC regulations, it is a requirement under Form 10-K, Reg S-K Item 406, that a company must disclose whether it has adopted a Code of Ethics that applies to the company’s principal executive officer, principal financial officer, principal accounting officer, controller or persons performing similar functions. If the company has not adopted such a Code of Ethics, it must explain why not in writing. As WOWLW noted, “Unsurprisingly, almost all public companies have adopted a code of ethics within the meaning of the SEC regulations.”

The article details the required content to be found in a Code of Conduct. It said that “Item 406(b) defines a ‘code of ethics’ to mean written standards reasonably designed to deter wrongdoing and promote:

  • honest and ethical conduct (including matters regarding “actual or apparent conflicts of interest between personal and professional relationships”);
  • full, fair, accurate, timely and understandable public disclosure;
  • compliance with applicable laws and regulations;
  • prompt internal reporting of violations; and
  • accountability for adherence to the code.”

This requirement also “specifically contemplates that companies may bifurcate their codes of ethics for this purpose:

  • a company “may have separate codes of ethics for different types of officers”; and
  • a code of ethics “may be a portion of a broader document that addresses additional topics or that applies to more persons” other than the officers required to be covered.”

The article noted that a compliant company is able to disclose its codes of conduct in one of three ways, which they stated are as follows:

  • file the code as an exhibit to the Form 10-K;
  • post the code on the company’s website (disclosing that fact and the web address in the Form 10-K);
  • or expressly undertake in the Form 10-K to provide a free copy upon request and explain how to make a request.

Moreover, businesses which have bifurcated their codes of ethics as described above are only required to “file, post or provide the portions of a broader document that constitutes a code of ethics” and made applicable to covered officers.

The SEC also requires certain disclosures of amendments and waivers to codes of conduct. Specifically, “Item 5.05 of Form 8-K requires companies to disclose within 4 business days any amendment or waiver of the Item 406 code of ethics, either:

  • via Form 8-K filing; or
  • on the company’s website, so long as the company previously stated in its most recently filed Form 10-K both the company’s intention to disclose any amendment on its website and the website address (in this scenario, the information must remain posted to the website for at least 12 months, and the company must retain the information for another 5 years).”

This requirement for disclosure does not reach to “technical, administrative or other non-substantive amendments. In addition, companies must disclose amendments to or waivers of their codes of ethics only if specifically required by Item 406(b) (i.e., as one of the five subjects listed above) and applicable to the covered officers” in the company.

Interestingly, if there is an implicit waiver of a company’s Code of Conduct, it must also be reported. A waiver regarding a Code of Conduct is defined “as the approval by the company of a material departure from a provision of the code of ethics. This also includes “implicit waivers,” defined under Instruction 2(ii) of Item 5.05 as a failure to act within a reasonable time after an executive officer knows of a material departure from the code of ethics. Implicit waivers, as with express waivers and amendments, require disclosure only if related to the covered officers and the provisions specifically referenced in Item 406(b). Companies may also disclose implicit waivers via website if they satisfy the requirements described above. Of course, codes of ethics sometimes describe situations where board approval is specifically contemplated, and an approval process in accordance with the provisions of the code would not constitute a “departure” that would implicate a waiver.”

In addition to the SEC disclosure requirements, both NASDAQ and NYSE listing rules require listed companies to have a code of conduct whose scope is broader than the code of ethics for the purposes of SEC reporting.

Kimball’s review of The Cave and the Light points out the ongoing tension between Plato’s spirituality and Aristotle’s pragmatism. I think the dichotomy from the FCPA Guidance and the SEC regulations, as set out by WOWLW, points to a more unified thesis. Kimball ends his piece by noting that Aristotle’s sentiments are around the future and not the past. But he adds that in Plato’s allegory of the cave he noted that those who leave the cave must return. The same may be said for the Code of Conduct which the Latham & Watkins Capital Markets Group has


Interestingly, if there is an implicit waiver of a company’s Code of Conduct, it must also be reported: A waiver regarding a Code of Conduct is required “as the approval by the company of a material departure from a provision of the code of ethics. This also includes “implicit waivers,” defined under Instruction 2(ii) of Item 5.05 as a failure to act within a reasonable time after an executive officer knows of a material departure from the code of ethics. Implicit waivers, as with express waivers and amendments, require disclosure only if related to the covered officers and the provisions specifically referenced in Item 406(b). Companies may also disclose implicit waivers via website if they satisfy the requirements described above. Of course, codes of ethics sometimes describe situations where board approval is specifically contemplated, and an approval process in accordance with the provisions of the code would not constitute a “departure” that would implicate a waiver.”

In addition to the SEC disclosure requirements, both NASDAQ and NYSE listing rules require listed companies to have a code of conduct whose scope is broader than the code of ethics for the purposes of SEC reporting.

Kimball’s review of The Cave and the Light points out the ongoing tension between Plato’s spirituality and Aristotle’s pragmatism. I think the dichotomy from the FCPA Guidance and the SEC regulations, as set out by WOWLW, points to a more unified thesis. Kimball ends his piece by noting that Aristotle’s sentiments are around the future and not the past. But he adds that in Plato’s allegory of the caves he noted that those who leave the cave must return. The same may be said for the Code of Conduct which the Latham & Watkins Capital Markets Group has discussed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013


September 25, 2013

Getting Your Employees to Internally Market Your Compliance Program

It has often struck me that one of the things the compliance function must do is to internally market its role in a company. By this I do not mean the internal competition for funding that occurs annually, although that is certainly something which the compliance function must also go through. The internal marketing function of compliance is to get employees not only to understand the message of compliance but, even more so, to think about and use compliance in their day-to-day operations. I recently heard a podcast on social media marketing which had some concepts I thought applicable to the compliance function and its internal marketing role within a company.

The podcast is on the Social Media Examiner site, which brands itself as “Your Guide to the Social Media Jungle.” The podcast, entitled “Social Sharing: How to Inspire Fans to Share Your Stories” is hosted by Michael Stelzner, Chief Executive Officer (CEO) and Founder of the site. Stelzner interviews Simon Mainwaring, author of We First: How Brands and Consumers Use Social Media to Build a Better World. Mainwaring is a consultant who has worked with brands like Nike and Motorola and is hosting the upcoming “We First Social Branding Seminar” in West Hollywood in a few days.

The focus of the podcast was on the use of social media by your employees and customer base to increase market share. However, Mainwaring said something that struck me as key to building a successful compliance program. He was discussing your employee base as one of your most important marketing resources because they are your first and best line of advertising. He said that to allow them to market successfully there are three key components: (1) Let your employees know what you stand for; (2) Celebrate their efforts; and (3) Give them a tool kit of different ways to participate. I think each of these concepts can play a key role for the compliance practitioner in internally marketing their compliance program.

I. Let Your Employees Know What You Stand For

In the FCPA Guidance, the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) said that the basis of any anti-corruption compliance program is the Code of Conduct as it is “often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” That well known @CodeMavencc, Catherine Choe, has said that she believes “Two of the primary goals of any Code are first, to document and clarify minimum expectations of acceptable behavior at a company, and second, to encourage employees to speak up when they have questions or witness misconduct.”

But more than the Code of Conduct, does your company really communicate that it stands for compliance? Obviously formal anti-corruption training under the Foreign Corrupt Practices Act (FCPA) is important but I think that more is required to reinforce that your company has a culture of compliance throughout the organization. In other words, are you communicating what you stand for and not simply the rules and regulations of a compliance program?

II. Celebrate Their Efforts

Once again the FCPA Guidance speaks to the need to incentivize employees in the company realm. The Guidance states, “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern.” But more than simply incentives, it is important to “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well.”

Mainwaring’s concept means going beyond incentivizing. To me his word ‘celebration’ means a more public display of success. Financial rewards may be given in private, such as a portion of an employee’s discretionary bonus credited to doing business ethically and in compliance with the FCPA. It is certainly true that those employees who are promoted for doing business ethically and in compliance are very visible and are public displays of an effective compliance program. But I think that a company can take this concept even further through a celebration to help create, foster and acknowledge the culture of compliance for its day-to-day operations. Bobby Butler, Chief Compliance Officer (CCO) at Universal Weather and Aviation, Inc. has spoken about how his company celebrated compliance through the event of Compliance Week. He said that he and his team attended this event and used it as a springboard to internally publicize their compliance program. Their efforts included three separate prongs: hosting inter-company events to highlight the company’s compliance program; providing employees with a Brochure highlighting the company’s compliance philosophy; and circulating a Booklet which provided information on the company’s compliance hotline and Compliance Department personnel.

III. Give Your Employees a Tool Kit For Compliance

Obviously a key component of any effective compliance program is an internal reporting mechanism. The FCPA Guidance states that “An effective compliance program should include a mechanism for an organization’s employees and others to report suspected or actual misconduct or violations of the company’s policies on a confidential basis and without fear of retaliation.” The Guidance goes on to also discuss the use of an ombudsman to address employee concerns about compliance and ethics. I do not think that many companies have fully explored the use of an ombudsman but it is certainly one way to help employees with their compliance concerns. Interestingly, in an interview in the Wall Street Journal (WSJ) today, Sean McKessy, Chief of the SEC’s Office of the Whistleblower, stated that “What I hear is that companies are generally investing more in internal compliance as a result of our whistleblower program so that if they have an employee who sees something, they’ll feel incentivized to report it internally and not necessarily come to us.”

But, more than a reporting tool for compliance, there are other ways a company can help employees do business in a compliant manner. One commercial tool which immediately comes to mind is Navigator, developed by the firm of Stroz Friedberg LLC, which the firm calls “a groundbreaking mobile and desktop application that makes your compliance program come alive! It automates clear answers and approval processes, and even offers data analysis for enhanced decision-making. The Navigator “app” is custom-tailored to each client and offers an array of benefits to any organization seeking easier ways to drive a positive corporate compliance culture.” I have seen this tool and it is way cool.

Yet there are other tools which are available, at no cost, and can be downloaded onto a mobile device such as a smartphone or iPad. These include the O’Melveny & Myers LLP Foreign Corrupt Practices Act Resource Guide, which concentrates solely on the FCPA and is primarily a new vehicle to distribute content it already makes available upon request. This content includes O’Melveny’s FCPA Handbook and O’Melveny’s In-House Counsel’s Guide to Conducting Internal Investigations. In addition, the app features five resource sections that serve as an interactive, illustrative directory with titles ranging from ‘O’Melveny Authored Client Alerts’ to ‘DOJ Opinion Releases.’

Another approach is found in the Latham & Watkins LLP’s AB&C Laws app, which takes an international approach to anti-corruption and anti-bribery laws, with the content focused on organizing and easing access to statutes and regulatory guidance according to specific fields of interest, from legislative frameworks to extra-territorial application to enforcement and potential penalties. It also includes official guidance such as steps (where available) that can be taken to reduce the risk of liability for bribery and corruption.

There is much to be learned by the compliance practitioner from the disciplines of marketing and social media. These three concepts are useful in helping companies get their sales pitches out and can be of great help to you, the compliance practitioner, in communicating marketing throughout your company as well.


© Thomas R. Fox, 2013

August 21, 2013

Loyalty v. Fairness?

Ed. Note-today we have a guest post by that well known Code of Conduct maven, Catherine Choe.

It’s been years since I had a subscription for paper delivery of the news.  I read the news either on my computer or on my phone, and I tend to skim the headlines until I see one that interests me (usually an article on the most recent compliance & ethics failure).  A few weekends ago, I visited friends who still have the Sunday New York Times delivered to their home, and as I sipped coffee, leafing through their paper, I stumbled across an item I would have missed electronically:  “The Whistle-Blower’s Quandary.”

The authors of this piece, found in the Opinion section, are a trio of professors who did a series of studies on why and when people blow the whistle.  The article starts with an obligatory mention of Edward Snowden, and I almost moved onto the next item in the paper, but their definition of whistleblower caught my attention:  “research participants… [who] witnessed unethical behavior and reported it.”  This is the behavior we in C&E try to encourage among our employees, and so, intrigued, I kept reading.

In one of the studies, the participants were asked to describe a time that they witnessed an ethical failure, reported it, and why; they were also asked to describe a time that they witnessed an ethical failure, did not report it, and why.  In analyzing these responses, the authors found something interesting.  When the participants who reported ethical failures described their actions, they “use[d] ten times as many terms related to fairness and justice, whereas non-whistle-blowers [sic] use[d] twice as many terms related to loyalty.”  The short piece concludes that if we want our employees to come forward and report the ethical failures that they witness, we need to be emphasizing fairness and justice in our Codes of Conduct, communications, and training, as those are the concepts that encourage speaking up, where emphasizing loyalty will encourage silence.

This reminded me of one of Matt Kelly’s blog posts at Compliance Week, when Kelly reported the conversations that he facilitated with a group of CCEOs on the topic of cultivating C&E leadership. One of the CCEOs at the roundtable said, “The reward for good conduct is keeping your job.”  But as Kelly correctly notes, “That approach can convince an individual employee not to violate your Code of Conduct, to be sure. But it does not necessarily inspire him to call out other misconduct, when that is exactly what compliance officers desperately need.”  Kelly framed his post with the concept of allegiance, that what CCEOs need are employees who are allegiant, or loyal, to our companies, “people who will act as advocates for the company’s best interests.”

In his blog post, Kelly noted that expecting this level of loyalty from our employees may be a hard sell.  Modern companies exist to make money for their shareholders.  This has caused a situation where we’re all focused on hitting quarterly goals so that we don’t spook Wall Street.  It creates situations where companies don’t, or maybe can’t, exhibit any behaviors that would inspire the kind of loyalty we’re looking for in our employees.  We operate in a business culture where companies that prioritize the satisfaction of their employees are studied and celebrated like the rarities they are, but then we don’t emulate them.

Does the piece in the Times mean that we can stop worrying about loyalty and that we should instead focus on fairness and justice?  Nothing in life is ever that simple.

A few years ago, the Compliance and Ethics Leadership Council did research into what the leading indicators of misconduct are, i.e., the signs that tell us in advance that we’re more likely to find misconduct at our companies.  CELC found that one of the top leading indicators of misconduct is when employees identify more closely with their individual work groups or departments than they do with the company as a whole.  (You can see versions of this at play in many Sales departments and in one of the justifications for violating the Foreign Corrupt Practices Act:  “this is how WE do business [insert relevant region here.]”)  In follow up research, CELC also found that one of the primary reasons employees don’t report the misconduct that they witness is because they don’t think that the company will do anything about it.  Employees don’t believe that there will be what CELC calls “organizational justice,” where wrongdoers get punished.

What all of this boils down to for me is that fairness and loyalty don’t oppose each other, as the professors posited.  Loyalty reflects fairness, is an accurate measure of how fair we are.  If we consistently enforce our own rules and standards of business conduct, employees will exhibit loyalty by speaking up when they see misconduct.  If they see evidence that the company takes its own rules seriously, employees will exhibit loyalty by following the company’s lead and also take the rules seriously.  If, however, we make exceptions in how we enforce our rules and standards of business conduct (e.g., we can’t fire John because he’s our top performer even though we know he’s unethical; we’re not going to dig deeper into why we were able to penetrate a new market so quickly because we only care about being successful and not how we were successful), employees will exhibit loyalty by keeping silent and enabling the misconduct.

If we can’t back them up with visible action, sprinkling the words “fairness” and “justice” instead of “loyalty” into our Codes and communications and training won’t inspire the kind of loyalty Kelly and his roundtable of CCEOs want.  “Actions speak louder than words” is a cliché for a reason.  It may be overused, but ignoring it or discounting it won’t make the underlying wisdom go away.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at cchoe@tflcompass.com

August 14, 2013

Bad Things Come In Threes for CCOs

It is often said that bad things come in threes. I have often wondered where this phrase came from. So I checked out Wikipedia, no luck there. How about trying Google as the harbinger of all knowledge? Again no such luck there. Not even About.com could help. Of course there is the good old saying ‘3 strikes and you’re out’ but I suspect that was based on something which preceded it. Whatever the origin of this folkloric belief, all I can say is that over the past couple of weeks, Chief Compliance Officers (CCOs) have taken it on the chin three times and, once again, the job of the CCO just got quite a bit harder and more challenging.

I. Banned for Life

Submitted for your consideration is the first item of bad news for the CCOs out there. It is the decision released on August 2nd by the Securities and Exchange Commission (SEC) Administrative Law Judge Carol Fox Foelak (no relation) In the Matter of Daniel Bogar, Bernerd Young and Jason Green. Young was the CCO for disgraced financier Allen Stanford’s companies. For those who may not remember, Allen Stanford sold “so-called certificates of deposits” through his offshore bank in Antigua, Stanford International Bank Ltd. Unfortunately for all, it turned out that Stanford was running a massive Ponzi-scheme by paying off old investors with monies invested by new ones, to the tune of over $7bn. Stanford was convicted for his crimes.

Young was not charged with or convicted of participating in the Ponzi-scheme. However, he was slapped with an administrative penalty for failing to note or follow up on red flags, which, had he investigated, may have uncovered the scheme earlier. These acts (or perhaps inactions) included providing materials to financial advisors, which had he inquired into would have led to a determination that they were false. There were instances where company whistleblowers and others brought information to Young, which if he had properly investigated, he would have determined that a Ponzi-scheme was in place. The Administrative Law Judge also cited the conduct of Allen Stanford himself as raising a red flag which the CCO should have investigated.

As to the penalties that Young received, how about the following: disgorgement of $591,992.46, a penalty of $260,000, and he is barred from “association with any broker, dealer, investment adviser, municipal securities dealer, municipal advisor, transfer agent, or nationally recognized statistical rating organization and IS PROHIBITED, permanently, from serving or acting as an employee, officer, director, member of an advisory board, investment adviser or depositor of, or principal underwriter for, a registered investment company or affiliated person of such investment adviser, depositor, or principal underwriter.” In other words, Young can never be a CCO again or work in this industry again.

Why is this decision so significant to CCOs? It is often said that bad facts make bad law. The facts surrounding Allen Stanford and his multi-billion Ponzi-scheme, short of Bernie Madoff, are about as bad as it gets. Maybe Young does deserve a severe spanking for his role in not asking questions. But the problem for CCOs is now there is a precedent for at least a civil proceeding to be filed by the SEC for failure to engage in sufficient due diligence, see red flags and perform proper investigations. This coupled with the size of the disgorgement, penalty and lifetime ban in working as a CCO or in the industry makes the CCO world quite a bit darker today.

II. Is Your Code of Conduct Mere Puffery?

The second example is the Dismissal granted by the US District Court for the Northern District of California, in the shareholder derivative action, entitled “Cement & Concrete Workers District Council Pension Fund, et al., v. Hewlett Packard Company, et al.” This lawsuit was some of the continued fallout from the Mark Hurd era at Hewlett Packard (HP). As reported in an AmLaw Litigation Daily article, entitled “Morgan Lewis Beats HP Securities Suit over Hurd Conduct”, “in the fall of 2007, the company hired a marketing consultant named Jodie Fisher.” Fisher later “accused Hurd of sexual harassment. He resigned later that year. The harassment claims were never substantiated, but an internal investigation performed by Covington & Burling turned up evidence that Hurd used company resources to wine and dine Fisher and then tried to hide the relationship from HP’s board.” Hurd later admitted that he had a “very close personal relationship” with Fisher.

A shareholder action was brought by the plaintiff who claimed in part that “HP and Hurd made false and misleading statements when they (1) issued and updated HP’s Standards of Business Conduct Brochure (SBC) in 2006, May 2008 and June 2010”. In the Plaintiff’s Complaint they said that “These statements were misleading because in light of Hurd’s endorsement of these tenets, there was an implication that Hurd was in fact in compliance with them. In truth, Hurd was knowingly violating each of these tenets in his dealings related to Fisher, by (a) inappropriately using his position as CEO to attempt to pursue a romantic relationship with Fisher, (b) submitting expense reports that did not accurately reflect their meetings, and (c) knowingly allowing Fisher to receive compensation and/or expense reimbursement where there was not a legitimate business purpose.”

However, the District Court made short shrift of the plaintiff’s claims. In its dismissal, the Court said, “Generally speaking, the 2008 and 2010 SBCs, as well as other statements relating to HP’s ethical code of conduct, do not constitute actionable misrepresentations or omissions because they are not material. “‘[V]ague, generalized, and unspecific assertions’ of corporate optimism or statements of ‘mere puffing’ cannot state actionable material misstatements of fact under federal securities laws. Such statements include those that are not “‘capable of objective verification’” or “‘lack[ ] a standard against which a reasonable investor could expect them to be pegged.’” “When valuing corporations, . . . investors do not rely on vague statements of optimism like ‘good,’ ‘well-regarded,’ or other feel good monikers.” “Instead, “professional investors, and most amateur investors as well, know how to devalue the optimism of corporate executives.””

How about that to warm the heart of every CCO out there? For that matter how about the Department of Justice (DOJ) or SEC who said in their jointly released FCPA Guidance that “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” So for all the talk that we preach about the importance of a Code of Conduct, at least one court has now said it is ‘mere puffing’. Do you think that the Chief Executive Officer (CEO) will want to spend a bunch of money for an aspirational, puffery statement? I hope so because the DOJ and SEC still say it is important. But if a corporation ever takes the DOJ to trial in a Foreign Corrupt Practices Act (FCPA) matter, there is at least one court that has said a Code of Conduct is not important.

III. Try Getting Your Records Out of Germany Now

Our third, and final item, comes courtesy of Nicholas Elliott from the Wall Street Journal (WSJ) Risk and Compliance Journal, in an article entitled “The Morning Risk Report: Germany’s Forceful Privacy”. Elliott reports that it is “going to be more complicated to do business in Germany, the fifth largest trading partner of the U.S. Angered by news that the U.S. National Security Agency’s electronic surveillance efforts included Germans, that country’s data-protection body declared last month that most data transfers to the U.S. breach its laws. This stance affects not only data transfers for which companies seek approval but also those covered under safe-harbor provisions of European law”.

This may well severely constrict the ability of US companies to investigate, audit or even monitor their German operations or German citizens who are employees or third parties to the company. Not that German companies and citizens have always been 100% clean when it comes to bribery and corruption (See: Siemens-corp division and Ecclestone, Bernie-ind. division). But clearly the US government has seriously infuriated some of its major trading partners for its spying to try and enforce the FCPA and this will come back to bite many US companies in the behind if they cannot get data and information out of Germany and are faulted by the DOJ and SEC for their failure to do so.

I wrote about the data privacy issue back in June in light of Edward Snowden’s revelations about National Security Agency (NSA) spying and the attendant fallout. This issue is now in the forefront of EU-US trade negotiations. In an article in the Financial Times (FT), entitled “Data scandal clouds trade talks”, Hannes Swoboda, leader of the socialist members of the European Parliament, was quoted as saying “With all the information that we’ve found out in the recent days about how easily the US spies on people’s private data I think it will be difficult for the Americans to oppose a strong data protection agreement.” The article notes that many of the rules proposed for EU data protection are opposed by US companies because “their business models would be damaged.”

Elliott ends his article with the following, “At the same time, European privacy rules will probably be tightened, with a proposal for fines levied on companies that share data without customers’ permission. The Wall Street Journal reported last week that such rules could create further legal uncertainty by conflicting with U.S. laws such as the Patriot Act and Foreign Intelligence Surveillance Act.” Amen.

These three strikes have the effect of the following: (1) denigrating an entire compliance regime of a company by declaring its foundational document ‘mere puffing’; (2) putting the CCO’s backside on the firing line for a civil or potentially criminal action if they do not uncover FCPA violations; and (3) making illegal the removal of certain data from Germany where not to do so may well be a FCPA violation. Be afraid, be very afraid…


© Thomas R. Fox, 2013
