FCPA Compliance and Ethics Blog

June 7, 2013

Codes of Conduct: what are they good for?

Ed. Note: Today we have a guest post from Catherine Choe, a well-known Code of Conduct maven.

I had an interesting and frustrating conversation with a relative about the work that I do, which includes working with companies on refreshing their Codes of Business Conduct.  Despite working at a large, publicly traded, multinational corporation, I had to describe the Code twice before he recalled having certified reading the one at his company.  It got me thinking about why we have Codes and whether they’re doing an adequate job serving their purposes.

Two of the primary goals of any Code are first, to document and clarify minimum expectations of acceptable behavior at a company, and second, to encourage employees to speak up when they have questions or witness misconduct.  There have been some very compelling articles discussing how important it is to teach employees that even actions that seem like minor misconduct should be reported.  I agree with this, of course, but I think that those of us in compliance & ethics should not lose sight of how difficult the decision to report major misconduct can be for many employees.

I recently heard a story about this that drove home how much anxiety the decision to report can cause.  I was having drinks with Sara, a friend I hadn’t seen in over a year.  Sara and I used to work together, and as we were catching up (i.e., gossiping) about former colleagues and mutual friends, she told me about something that happened to her a couple of weeks earlier.

Sara was attending a happy hour and chatting with Tracy.  Sara and Tracy started at the company on the same day and were in the same orientation group, where they bonded over their shared love of celebrity tabloids and became fast friends.  Over the years, Tracy worked her way up in the sales department to become a senior manager.  At the happy hour, Tracy shared details from the latest bonus trip that she had been selected to attend along with other top sales employees as a reward for outstanding performance.

It seems that in addition to her reputation for exceeding nearly every sales goal put in front of her, Tracy had also developed a habit of dating her colleagues.  In some instances, her partners were at her level, but most of the time, they were junior to her, although not in her reporting line.  All of her relationships were consensual, and she never exerted influence, positive or negative, over their careers.  Tracy simply found that it was more convenient, given the number of hours she worked and the days that she traveled, to find romance at work.  Management turned a blind eye to these activities, despite them being in contravention of company policy.  This was in part because of her performance and in part because nobody ever complained.

Tracy became involved with a junior colleague on the bonus trip and, as friends often do, was starting to share juicy details.  Tracy, wanting to show Sara what the junior colleague looked like, pulled out her phone to show Sara a picture.  Sara expected to see a head shot.  What she saw instead was a picture of the gentleman in question in the shower, with no idea that Tracy was snapping a photograph.

Sara shared the story with her boyfriend as an example of Tracy’s continuing refusal to grow up and a reason for the growing distance between the two friends.  Sara expressed discomfort at having been shown the picture and some sympathy for the gentleman who’d had his picture taken in an intimate moment without his consent.  Her plan for the future was to minimize contact and avoid spending time with Tracy.

Sara’s boyfriend, a lawyer, told her she had a responsibility to report Tracy’s behavior.  Sara disagreed, saying that the relationship was a consensual one between two adults.  In addition, Sara was concerned that Tracy might lose her job at a time when jobs were hard to find; Sara didn’t think it was right to interfere with Tracy’s livelihood.

Sara’s boyfriend insisted that Sara report the incident, going so far as to say that if she didn’t tell someone in authority at the company, he would call the company’s General Counsel to report the behavior himself.  He also noted that she might not have been as reluctant to raise her hand if the genders of the parties involved had been reversed.

Sara felt trapped.  Despite the egregious nature of Tracy’s behavior, Sara was torn between loyalty to her friend and doing what she knew in her heart was the right thing.  After several sleepless nights, she asked her boyfriend to consider calling the helpline rather than calling the GC, which she hoped would make it harder to trace the report back to her.  Out of sympathy for her distress, he agreed but told her she should check to see what her responsibilities were in the company’s Code of Conduct.

Sara downloaded the Code of Business Conduct from the company’s website and checked the Table of Contents and the index.  Both places directed her to the first section of the Code, which stated that employees, officers, and directors had a duty to report misconduct.  Defeated, Sara called the HR business partner for her department the next day.

Two things stood out to me when Sara told me this story:  (1) Sara’s reluctance to report the misconduct despite its egregiousness and (2) the role of the Code of Business Conduct in the resolution.  It’s true that if someone had reported Tracy when she first started dating her colleagues, she might not have reached the point of nonconsensual pictures in the shower, and then Sara would not have faced the dilemma she did.  Despite the existence of HR policies either forbidding romantic relationships at work or requiring their disclosure, workplace romances continue to occur.  As adults, we spend most of our time at the office with our coworkers.  Personal relationships are inevitable.

In addition, we often feel more loyalty to our coworkers than we do to the companies that employ us.  Our colleagues are people.  We work on projects together, we celebrate successes with each other, and we console each other when there are failures.  The collegiality that we build can improve productivity for the company.

Companies employ us.  They provide us with the money we need to shelter and feed ourselves and our families, but companies are not people.  The relationships we have with them are not personal.  What this means for C&E practitioners is that when we tell employees to report misconduct, no matter how small, the choice we are presenting is to be loyal to our coworkers or be loyal to the company.  Respect the teamwork and collegiality we’ve built, or “tattle” on our teammates for minor infractions of a Code that most employees skim once a year.  The decision to report, even in the face of serious misconduct, is gut-wrenching, especially if the bad actor is a friend or simply likeable.

Luckily for Sara’s company, the Code specifically cited a duty to report.  Companies often struggle with the decision as to whether to make reporting a duty or something more voluntary.  Making reporting a duty puts a burden on the company to ensure there are consequences for those who do not report misconduct.  Some decide that the administrative burden is too great or that they are uncomfortable with the potential impact it will have on the company culture.  After the conversation I had with Sara, I believe that the benefits outweigh those potential drawbacks.

We all know that our companies need Codes, so that our expectations around appropriate behavior are written down for employees.  We all know the general topics that should be covered in our Codes.  The level of sophistication in interactivity often depends on the level of technology sophistication of the employee base.  Many of us have gotten savvier about adding specific examples in our Codes to provide additional guidance.  We seem to take it for granted that employees will read the Code with the same attention and focus that we do.

The reality is that employees read the Code when forced to, either because of an annual certification campaign or because they face a dilemma.  In the former situation, employees skim, then sign; in the latter situation, employees look for an answer to a specific question.  Everyone in C&E has a checklist in mind of things that the Code should have and do.  At the top of my checklist is how quickly people like Sara can find the topic of her question and how clearly the Code answers it.  If employees are unable to find clear answers to their dilemmas quickly, the Code is not serving its purpose.

———————————————————————————————————————————————————————-

Catherine Choe is Managing Member at TFL Compass (www.tflcompass.com), a compliance and ethics consultancy. She is an authority on the business impact of C&E programs and has lectured widely on harmonizing C&E practices with business processes. Catherine is also an experienced and talented speaker with exceptional communication and presentation skills. She tweets regularly as the Code Maven (@CodeMavencc). She can be reached by phone at 408-337-2463 or email at cchoe@tflcompass.com.

———————————————————————————————————————————————————————-

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. 

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want to discuss the 10 points listed as the “Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has included in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that, depending on a variety of factors such as size, type of business, industry and risk profile, a company should determine what is appropriate for its own needs regarding an FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words, you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’, company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required; it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what they expect not only in the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform an FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime, so assess your company’s risks and use these hallmarks as a basis to move forward.

The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

September 4, 2012

Revising Your Code of Conduct – Don’t Wait for Another Great Fire of London

In 1666 the dates of September 4 and 5 are generally recognized as the worst days of the Great Fire of London. The Great Fire started at the bakery of Thomas Farriner on Pudding Lane, shortly after midnight on Sunday, 2 September, and spread rapidly west across the City of London. The fire gutted the medieval City of London inside the old Roman City Walls. It is estimated to have destroyed the homes of 70,000 of the City’s 80,000 inhabitants. The City was rebuilt, with much of the old street plan being recreated in the new City, with improvements in hygiene and fire safety: wider streets, open and accessible wharves along the length of the Thames, with no houses obstructing access to the river, and, most importantly, buildings constructed of brick and stone, not wood. New public buildings were created on their predecessors’ sites; the most famous is St. Paul’s Cathedral and its smaller cousins, Christopher Wren’s 50 new churches.

Not all rebuilding requires such drastic destruction however. In a recent article in the Society for Corporate Compliance and Ethics (SCCE) Magazine, entitled, “Six steps for revising your company’s Code of Conduct” authors Anne Marie Logarta and Ruth Ward suggest considering the following issues before you take on an update of your Code of Conduct.

When was the last time your Code of Conduct was released or revised?

Have there been changes to your company’s internal policies since the last revision?

Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?

Are any of the guidelines outdated?

Is there a budget to create/revise a Code?

After considering these issues, the authors suggest that you should benchmark your current Code of Conduct against other companies in your industry. If you decide to move forward, the authors have a six-point guide which they believe will assist you in making your revision process successful.

1. Get buy-in from decision makers at the highest level of the company

The authors believe that your company’s highest level must give the mandate for a revision to a Code of Conduct. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

2. Establish a core revision committee

The authors believe that a cross-functional working group should head up your effort to revise your Code of Conduct. They suggest that this group include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the authors believe that Code of Conduct topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. The authors emphasize that creation of a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

3. Conduct a thorough technology assessment

The authors argue that the backbone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” They believe that technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct revision, you should determine if your Code of Conduct will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code will only be available in hard copy.

4. Determine translations and localizations

The authors emphasize that “If your company does business internationally, then this step is vital to ensure you have one Code, no matter the language.” They do note that if you decide to translate your Code of Conduct be sure and hire someone who is an “approved company translation subject matter expert.” Here I would simply say to contact Jay Rosen at Merrill Brink, as those guys are the SMEs and know what they are doing when it comes to translations. The key is that “your employees have the same understanding of the company’s Code-no matter the language.”

5. Develop a plan to communicate the Code of Conduct

A roll-out is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” The authors believe that your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct meeting where the new or revised Code is rolled out across the company all in one day. But remember, with all things compliance, the three most important aspects are Document, Document and Document. However you deliver the new or revised Code of Conduct, you must document that each employee receives it.

6. Stay on Target

The authors end by noting that if you set realistic expectations you should be able to stay on deadline and stay within your budget. They state that “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that you should keep a close watch on your budget so that you do not exceed it.

Logarta and Ward’s article provides a useful guide to not only thinking through how to determine if your Code of Conduct needs updating, but also practical steps on how to tackle the problem. If you are a compliance practitioner, I would urge you to take a look at your company’s Code of Conduct. If it has been more than five years since it was last updated, you should begin the process that the authors have laid out. Do not wait for a catastrophe like the City of London did with the Great Fire of London to rebuild. It is far better to review and update if appropriate than wait for a massive Foreign Corrupt Practices Act (FCPA) investigation to go through the process.


© Thomas R. Fox, 2012

August 14, 2012

Pfizer DPA Part III – What Does It All Mean?

Last week I began an exploration of the Pfizer Deferred Prosecution Agreement (DPA) which was announced last week by the Department of Justice (DOJ) in connection with its settlement of Foreign Corrupt Practices Act (FCPA) violations. In Part I, I reviewed the Corporate Compliance Obligations, Attachment C.1. In Part II, I reviewed the Enhanced Compliance Obligations, Attachment C.2 and Corporate Reporting Obligation, Attachment C.3, which Pfizer agreed to implement and operate under. In Part III, I will discuss some of the implications raised by the Pfizer DPA for the compliance practitioner.

Below is a comparison chart of the minimum best practices compliance program as set out in the Panalpina DPA and all DPAs coming forward with the minimum best practices compliance program as set out in the Pfizer DPA. While the number of compliance obligations is somewhat different, when read in conjunction with the Enhanced Compliance Obligations of Attachment C.2, there is no significant difference. Therefore, and initially, the compliance practitioner must read both the Corporate Compliance Obligations and Enhanced Compliance Obligations in conjunction with each other.

CORPORATE COMPLIANCE COMPARISON CHART

| Panalpina Minimum Best Practices | Pfizer 9 Point Corporate Compliance Program |
| --- | --- |
| 1. Code of Conduct. To ensure against FCPA violations. | 1. Clearly articulated corporate policy against FCPA violations. |
| 2. Tone at the Top. A company will ensure that its senior management provides visible support and commitment to its corporate anti-corruption policy. | 2. Promulgation of compliance standards and procedures designed to reduce the prospect of violations of the anti-corruption laws and Pfizer’s compliance code. |
| 3. Written policies and procedures. Should be created in the following areas: (a) gifts; (b) hospitality, entertainment, and expenses; (c) customer travel; (d) political contributions; (e) charitable donations and sponsorships; (f) facilitation payments; and (g) solicitation and extortion. | 3. Assignment of one or more senior corporate execs for implementation and oversight of compliance program. They shall report to the Board. |
| 4. Risk Assessment. Perform risk assessment and use it to inform your compliance program. 9(b)-internal and confidential reporting system. | 4. Effective communication of the compliance policies including training and certification of training. |
| 5. Annual Reviews. No less than annually, a company should review and update as appropriate to ensure continued compliance program effectiveness. | 5. An effective system for reporting illegal conduct or violations of the company anti-corruption program. |
| 6. Senior Management Oversight and Reporting. Assignment of one or more senior corporate executives for implementation & oversight of compliance program, and they shall report to the Board of Directors. | 6. Appropriate disciplinary procedures. |
| 7. Internal controls. These should include financial and accounting procedures which should ensure that the company has accurate and fair books and records, which cannot be used for or conceal bribery. | 7. Appropriate due diligence for retention and oversight of agents and business partners. |
| 8. Training. A company shall effectively communicate its compliance program through training and annual certifications. | 8. Standard compliance terms and conditions in contracts including (1) reps and undertakings re: anti-corruption compliance; (2) right to audit; and (3) right to terminate for breach thereof. |
| 9. Advice and Guidance. The Company should establish or maintain an effective system for: (a) Providing guidance; (b) Internal and confidential reporting; and (c) Responding to such requests and undertaking appropriate action in response to such reports. | 9. Periodic testing of Pfizer compliance code and anti-corruption procedures. |
| 10. Discipline. A company shall institute appropriate disciplinary procedures to address violations of compliance policy or anti-corruption laws. | |
| 11. Third Party Reps. (a) Properly documented risk-based due diligence and regular oversight of agents and business partners; (b) Informing agents and business partners of the compliance standards; and (c) Seeking a reciprocal commitment from agents and business partners. | |
| 12. Compliance terms and conditions. Should be included in every agent agreement. | |
| 13. Ongoing Assessment. Periodic review and testing of compliance program to evaluate it and improve the program’s effectiveness. | |

In addition to a Chief Compliance Officer (CCO) and Risk Officer (RO) who will report directly to the Chief Executive Officer (CEO), there were further specified requirements for compliance leads to be appointed with responsibility for each of its business units, who would in turn report to the CCO and RO or General Counsel (GC). Finally, similar to the situation we observed in the Halliburton settlement of its shareholder derivative action, Pfizer will have an Executive Compliance Committee, which will sit below the Board of Directors to oversee Pfizer’s compliance program.

The Enhanced Compliance Obligations require that Pfizer maintain policies and procedures regarding gifts, hospitality, and travel in each jurisdiction that are appropriately designed to prevent violations of the anti-corruption laws and regulations, presumably tailored to each jurisdiction. This statement would seem to focus on reasonableness not only in terms of monetary value but also in factoring in the jurisdiction where the gift or hospitality is to be provided. Finally, and as always, travel and training must have a business purpose.

There was a very detailed plan laid out for a risk-based program of annual proactive anti-corruption reviews of high-risk markets. It consists of five markets which are at high risk for corruption because of the business and location. The specifics for each visit will be a useful guide for the compliance practitioner to compare with similar work done by his compliance group. It includes (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training; (b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk.

Interestingly, the DPA specifies that Pfizer will maintain “significant” resources for the compliance function. These significant resources will be dedicated to several different types of compliance tools, including (a) an international investigations group charged with responding to and investigating anti-corruption compliance issues and ensuring that appropriate remedial measures are undertaken after the completion of an investigation; (b) an anti-corruption program office providing centralized assistance and guidance regarding the implementation, updating and revising of the FCPA Procedure, the establishment of systems to enhance compliance with the FCPA Procedure, and the administration of corporate-level training and annual anti-corruption certifications; and (c) a mergers and acquisitions (M&A) compliance team designed to support early identification of compliance risks associated with complex business transactions and to ensure the integration of Pfizer’s compliance procedures into newly acquired entities. There was a slightly different time schedule listed for Pfizer to complete post-acquisition auditing, training and implementation of the Pfizer compliance program into the acquired company. I have added it to my recent FCPA M&A Box Score Summary.

| Time Frames | Halliburton 08-02 | J&J | DS&S | Pfizer |
| --- | --- | --- | --- | --- |
| FCPA Audit | (1) High Risk Agents – 90 days; (2) Medium Risk Agents – 120 days; (3) Low Risk Agents – 180 days | 18 months to conduct full FCPA audit | As soon “as practicable” | One year |
| Implement FCPA Compliance Program | Immediately upon closing | 12 months | As soon “as practicable” | One year |
| Training on FCPA Compliance Program | 60 days to complete training for high risk employees, 90 days for all others | 12 months to complete training | As soon “as practicable” | One year |

While there was no new language regarding risk evaluation, due diligence on, or other management of third party business parties, the DPA did specify that when it is appropriate on the basis of a FCPA risk assessment, the company will provide FCPA and anti-corruption training to relevant agents and business partners, at least once every three years.

The company is also to use annual certifications from senior managers in each of Pfizer’s Business Units, Divisions, and operational functions confirming that their standard operating procedures adequately implement Pfizer’s anti-corruption policies, procedures and controls, including training requirements; that they have reviewed and followed up on any issues identified in FCPA trend analyses; and that they are not aware of any FCPA or other corruption issues that have not already been reported to the Compliance Division or the Legal Division.

There is a wealth of information in the Pfizer DPA and other documents relating to its resolution of these FCPA issues. I would commend all the documents to you to read and see what areas your company may need to look at more closely and how these Compliance and Enhanced Compliance Obligation Attachments may provide insight into areas where you might be lacking or need to enhance your compliance program and coverage.  These enhanced obligations could well become the new minimum best practices in the FCPA compliance arena.


March 20, 2012

Mendelsohn and Denniston: A Compliance Dialogue

Last week I attended the 2012 Global Ethics Summit hosted by Ethisphere. The first event was a conversation between Mark Mendelsohn and Brackett Denniston, Senior Vice President and General Counsel of General Electric (GE). They both had some interesting observations on the current state of Foreign Corrupt Practices Act (FCPA) compliance. Denniston believes that the conversation on FCPA compliance has evolved to “What can organizations do to create a culture of compliance on a world-wide basis?” To answer this question he gave three overarching themes.

First, it all starts with the ubiquitous “tone-at-the-top”, but it means more than simply saying the right things on a regular basis. Denniston believes that senior management must “speak often and be sincere” in communicating this tone. If they are not sincere, he believes that employees will pick up on this immediately and any efforts to instill such a culture of compliance will be doomed to fail. Second, senior management must “walk the talk” through both discipline and a system of rewards. The discipline must be clear and delivered decisively. The rewards must be not only direct financial remuneration but also the internal promotion of persons who do business in an ethical manner, under the Company’s Code of Conduct. Lastly, a company as a whole must have the willingness to listen. He directed these remarks to helplines and other mechanisms where employees can report compliance violations or even raise concerns. He was clear that it must be directly stated, and enforced, that there is a no-retaliation policy for all reports made in good faith. This also requires a company to keep accurate measurements of such reports and to design and refine its processes around these metrics.

Mendelsohn asked Denniston what were his three biggest challenges at GE regarding compliance and ethics. Denniston responded that the biggest challenge was in integrating acquisitions into the GE compliance culture. This is challenging in remote sites around the globe particularly in locations which do not have a senior management presence nor are visited by senior management on a regular basis. The second area is improper payments on a global basis. While noting that GE bans facilitation payments, these are still a challenge as are payments made through gifts, entertainment and travel. Lastly, he expanded his answer on the top three challenges to add regulatory compliance in general.

Denniston believes that the key for any company is how it will respond when a compliance issue arises. Within the GE world he said that the thing he worries about is that an issue will arise and the local business team will try to clean up the matter and will not disclose it to the home office. From afar, such a response would appear as a cover-up of a reportable FCPA violation, even if no one in the US was involved. It could lead to a conclusion by the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) of an entire failure of a company’s compliance program. Recognizing that the cover-up is always worse than the original event, this would seem to echo Number 3 of Paul McNulty’s Maxims of “What did you do when you found out about it [a compliance violation]?”

Picking up on his point about one of the things a company must do is listen to its employees, Denniston re-emphasized that communication is important but that a company must also measure the effect that these communications have. Metrics are an important aspect to creating and maintaining a culture of compliance at GE because it allows the company to base its compliance program enhancements on quantifiable data. He added that this helps dissipate the confusion between quality in the overall company compliance regime and simple regulatory compliance.

In a very interesting response to a Mendelsohn question along the lines of “is there too much FCPA enforcement?” Denniston responded that he did not think so as he believes that the DOJ has “got it right.” However, he does not believe this is the case with the SEC. He said that the problem, in his opinion, is around how much “fuzziness” there is from the SEC on the credit a company will receive for a self-disclosure. This is true even if the SEC has a principle which is consistent; Denniston believes that it does not always play out so clearly in practice.

Denniston ended his remarks in responding to a Mendelsohn question on “the single best compliance innovation at GE, during his tenure?” Being a good lawyer, Denniston had three single best compliance innovations. They were (1) every year GE tried to introduce a substantive improvement to its compliance program. These improvements are generated from a variety of sources, from local business unit employees to his aforementioned metrics to lead to an enhancement. (2) The continued efforts in the company to increase reporting of any compliance issues so that they might be evaluated by an appropriate compliance professional. He gave an example of a geographic region which had an inordinately low number of reports of compliance issues, which Denniston viewed as a negative. He sought to have this number increased by a minimum of 20% annually, which was achieved. In other words, if there are no reports, GE wants to know why there are no reports. (3) He said that there is now the creation of an unanticipated risk list. This has turned into an early warning system of issues that might pop up on the compliance radar; however, it also forces all employees engaged in the exercise to come up with compliance issues the company is not currently thinking about in any detail.


March 1, 2012

Banning Beer in the Clubhouse? How to Sustain a Culture of Trust and Integrity

Continuing our sports theme this week, I was interested in the move by my friend Jay Rosen’s former hometown team, the Boston Red Sox, to ban alcohol from the clubhouse. I found the commentary on this move fascinating, and it seemed to me to break down into two categories: (1) Pro: supporting new manager Bobby Valentine, it was a good move, needed to instill some discipline in the clubhouse that had been lost under prior manager Terry Francona; and (2) Anti: a dumb and useless PR move, supporting the prior manager Terry Francona, who broke the Curse of the Bambino by leading Boston to its first two World Series wins in 86 years. We should note that Valentine did not ban Buffalo wings from the clubhouse, which were also listed by the Red Sox front office as evidence of a lack of clubhouse discipline.

I thought about those questions in the context of a presentation made at the SCCE Utilities and Energy Conference here in Houston this week. In a presentation by Duane Woods, Senior Vice President of Waste Management, entitled “Sustaining a Culture of Trust and Integrity in Challenging Times”, he talked about the efforts of Waste Management to build and sustain a culture of trust and integrity throughout the organization.

Policies and Procedures

He began with Policies and Procedures, which he described as follows: Policies are used to set the rules of conduct and the desired behavior for employees; Procedures serve to provide a detailed set of uniform processes for employees to follow and they support compliance with the policies. He said that Waste Management tries to use these tools through four disciplines:

  1. Regulatory – Those required by law, such as Sarbanes-Oxley;
  2. Performance – The financial performance of the company;
  3. Customer – They can provide guidance to the organization about customer relations particularly in the area of credit; and
  4. Brand and Reputation – Letting employees know what the company brand stands for. Woods stated that this is usually set forth in a company’s Code of Conduct.

These are things that drive loyalty. Woods acknowledged that all companies make mistakes. However, his point was that the key was to rectify the error and then recover the relationship with the customer.

Metrics

Woods next turned to metrics as he believes that if you don’t measure it, you can’t manage it. Metrics are present to help measure and track the successful implementation of policies, procedures and performance. They can also be used to help govern and reward behavior and to help support a culture of compliance. Metrics are critical to defining required and desired behavior. However, even policies, procedures, systems and metrics will not sustain Compliance or Ethics if there is not the right culture of compliance within the organization. If metrics and incentives are poorly designed and implemented they will cause undesired behavior and help to make a confused culture. He also noted that even the “best compliance programs may not ensure right decisions in tough situations.” He emphasized the following points:

  • Alignment – Metrics should align with Vital Business Functions and Values.
  • Simplicity – Keep it simple. A common problem faced by managers is overloading of metrics.
  • Good enough is perfect – Select metrics that are easy to track and easy to understand.
  • Indicators – Use metrics as indicators. Key Performance Indicators (KPIs) are metrics. A KPI does not troubleshoot anything, but rather indicates something is amiss.
  • Less is more – Use only a few good metrics as too many metrics, even if they are effective, can overwhelm a team.
  • Metrics drive both good and bad behavior.  People do what you pay them to do, so choose carefully.

Character

Woods started off this section of his presentation by noting that Warren Buffett, when hiring people, looks for three things. “The first is personal integrity, the second is intelligence, and the third is a high energy level. But, if you don’t have the first, the other two will kill you.” Woods stated that he believes you should hire leaders with demonstrated character, who are capable of inspiring trust and confidence in others. It is more important that leaders be authentic; they must be sincere. Honesty and congruent behavior must be maintained, in that you have consistent behavior. Of course, respect for others and holding yourself accountable for your direct employees is paramount. Lastly, Woods noted that you should be constantly assessing character talent: are your employees living the values you want?

With these, Woods believes that you can build a culture of character in your organization, and to do so starts with trust, which he believes comes from living the values and delivering the results. Trust works on several levels; these include: (1) Individual; (2) Relationship; (3) Market-customer base; (4) Community; and (5) Regulatory. With trust as the base, Woods next turned to building a culture of character within your organization. He emphasized these steps as:

  • Set clear expectations.
  • Train with focus on integrity, mission and values.
  • Coaching – The importance of role play circumstances for people.
  • Mentor to reinforce behavior.
  • Accountability for all employees.
  • Engage your workforce – Survey to find out who the key influencers in the company are. Not necessarily the designated leaders.
  • Communication – Here Woods emphasized that you should over communicate. The importance of using stories as teaching tools and lessons learned.

Woods concluded by listing the primary benefits that he sees from having the right culture at your company. They include that your organization will become more self-governing, with less need for management intervention in this area. There will be less employee misconduct and greater employee innovation. There will not only be more customer loyalty but greater employee satisfaction, and when a real crisis arises, the employee base should work together to resolve it.

So now on to question time: How about those Red Sox and their banning of beer in the clubhouse? Do you think that is evidence of a culture of compliance or should people, who are old enough to legally drink, be allowed to make that choice on their own? Does the move strengthen the Red Sox in any of their communities: themselves, their fans, the American League East Division or in the eyes of Major League Baseball? What about some of the benefits that Woods listed: will the Red Sox players be more productive or indeed even have greater employee satisfaction? Will the employees become more self-governing and impose discipline among themselves? What about those pesky Buffalo wings that were NOT banned; what role do they play in all of this? Alas, I do not have answers for the above, only questions, questions, and more questions…


February 24, 2012

Innovation and Compliance

Can compliance be innovative? Or can innovation inform your compliance program? Can some of the techniques and strategies of the world’s most innovative companies be brought to bear in the field of anti-corruption and anti-bribery?

I thought about those questions, and perhaps some others, while reading the March issue of Fast Company, with a cover title of “The World’s 50 Most Innovative Companies”. In his column, “From the Editor”, Robert Safian wrote about “The Lessons of Innovation.” He said that in reviewing the Top 50 most innovative companies, he drew eight key themes. As I read these I thought about them and their relationship to compliance. So with a tip of the hat to Mr. Safian, here is my compliance spin on his eight key themes of corporate innovation.

1. Compliance should be a strategy, not a tactic. Starbucks recognized that profit alone is a “fairly shallow aspiration, and it’s not enduring.” Most people want to do business with companies which do not engage in bribery and corruption. Indeed the UK Bribery Act enshrines this in its Six Principles of Adequate Procedures by stating that a company should only conduct business with other ethical companies.

2. Big companies need to be as nimble as small companies. Safian notes that the top four companies: Apple, Google, Facebook and Amazon.com all continue to “drive the agenda across the global economy.” This should also be true of your compliance program. You need to use the tools available to you to update your risk assessment if you move into new business lines, products or geographical areas. Similarly if one of your competitors comes under anti-corruption scrutiny, you should review any similar practices that your company might have, such as its sales model or vendors in the Supply Chain.

3. Technology is disruptive in unexpected places. Here Safian gives the example of LegalZoom, which is “challenging the definition of a law practice” by providing useful legal forms and documents to consumers. In the compliance arena, the number of technological innovations is as broad as it is deep. Companies like Catelas and VisualRisk IQ have developed software products which can allow review and assessment of a large number of data points or other quantitative data. You can even get apps for smartphones which allow submission of expense requests directly to your compliance department.

4. Compliance is a competitive advantage. Apple has never been publicly reported as going through a Foreign Corrupt Practices Act (FCPA) investigation. What is their stock price today and is it still undervalued? Even when it recently received negative publicity regarding its manufacturing facilities in China, it responded quickly and brought in an outside monitor to assess and report. Apple also annually assesses its third party vendors and makes that report public. Do you think that keeps vendors on their collective toes? You bet it does.

5. Use of social media makes compliance better. My former speaking cohort, Stephen Martin, then General Counsel for Corpedia, often spoke about Code of Conduct 3.0, which is a web-based interactive tool which helps guide employees through a Code in an interesting and stimulating manner. The same is true of training. You no longer need to simply have a video conference to deliver compliance training around the world. Companies like Click4Compliance have interactive, web-based solutions that you can utilize. I noted above the smartphone app which allows employees from around the world to submit expense requests to the compliance department and receive an instant response back from an assigned compliance team member.

6. Data is power. If you don’t document it, you can’t measure it. If you don’t measure it, you can’t assess it. If you don’t assess it, you can’t improve it. That is how an engineer tends to look at things. In the compliance world, if you don’t document it, it never existed (Cue drum roll for: document, document and document). Both are true. You have to document things to prove that you actually did them. But if you do not have data, you cannot determine if your compliance program is successful or improve it.

7. Money is flowing. Here, Safian does not necessarily mean that more funding is available. However, in the compliance world, what I believe this means is that forces other than legal compliance (for example, enforcement by the US Department of Justice (DOJ) or the UK Serious Fraud Office (SFO)) are beginning to drive compliance. Insurance companies have developed insurance coverage for FCPA investigations; D&O insurers are requiring companies to have a compliance program to cover directors and officers sued in shareholder derivative actions based upon admitted FCPA violations; and perhaps most interestingly, banks and other financial institutions are reviewing anti-corruption compliance programs to determine if they meet minimum best practices and then writing maintenance of these programs into their loan covenants.

8. Copycats are history. Safian notes that emerging market entrepreneurs aren’t just following the successes of others, they are creating new, distinct models. In the compliance arena I believe that ‘out-of-the-box’ solutions are no longer best practices. Companies need to assess their specific compliance risks and then design programs to specifically manage those compliance risks. If your company uses a sales model of agents, one type of compliance management strategy may need to be employed. However, if your company is a manufacturing company, which sells through distributors, another compliance management strategy may be required. Do not simply purchase a compliance program off the shelf. Either design it to fit the needs (and realities) of your business model or work with an expert who can do so.

The innovation angle is not one that is usually in the front of the line at compliance conferences or in thinking through compliance programs. But if you listen to Lanny Breuer, Chuck DuRoss or any other DOJ speaker, they continually talk about evolving best practices in anti-corruption compliance. Any reader of Deferred Prosecution Agreements (DPAs) over the past 18 months is well aware of the changes in focus that the DOJ has in these documents. Certainly, many of the compliance techniques are driven by the compliance challenges in the individual companies. But if your company has engaged in mergers and acquisitions, why would it not follow the ‘enhanced’ compliance guidance found in the Johnson & Johnson DPA and train all high risk employees within 12 months of acquisition and perform a full compliance audit, within 18 months of acquisition? So my conclusion is that innovation in the compliance arena is key. As compliance programs mature and as companies mature in their approach to compliance, innovation will continue to lead best practices.


February 23, 2012

Code of Conduct – The Cornerstone of Your FCPA Compliance Program

The cornerstone of a Foreign Corrupt Practices Act (FCPA) compliance program is the US Federal Sentencing Guidelines (FSG). They contain seven (7) basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In each DPA and NPA over the past 18 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

In an article in the SCCE Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this in a Code by communicating what is required of them, providing a process for proper decision-making and then requiring that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, it is suggested that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of discipline, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize that it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are document, document and then document. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, and anyone else to whom your Code of Conduct applies, have received, read, and understood the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct, and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do so in short order, as much has changed in the compliance world.


© Thomas R. Fox, 2012

December 13, 2011

The Worst Conflict of Interest Move of All-Time (at least since Enron)

Last week, I observed one of the worst actions by a major league sports commissioner in my lifetime. Not the worst, as I will give that “worst award for a decision made by a sports commissioner in my lifetime” to either of two Baseball Commissioners: Ford Frick, for the * next to Roger Maris’s 61 homer season, or Bowie Kuhn, for his entire stewardship of major league baseball. This “one-of-the-worst” award goes to National Basketball Association (NBA) Commissioner David Stern for his voiding last week of the three-way trade, also involving the Houston Rockets, which would have shipped Chris Paul from the woeful New Orleans Hornets to the LA Lakers.

My hometown Houston Rockets would have received Pau Gasol and the Hornets would have received 4 players from the Rockets, plus a first round pick in the NBA draft, plus Lamar Odom from the Lakers. All of this for one player, Chris Paul, who is leaving New Orleans at the end of the season via free agency, for which the Hornets will receive a big fat nothing. For the best basketball analysis of this debacle, check out the post by Bill Simmons (a/k/a “The Sports Guy”), entitled “The Sixth Day of NBA Christmas”, on his site, Grantland.com.

This blog post is not a substitute for a Howard-Sklar inspired rant on behalf of my hometown Rockets, so hang on as there really is a compliance angle here. (But clearly I am somewhat biased so be advised.) This conflict of interest is set up by the anomalous fact that the NBA itself owns the New Orleans Hornets. Commissioner Stern stated that he vetoed the trade because it “wasn’t in the interest of the league owned Hornets.” So what interest was Commissioner Stern referring to here: the interest of the Hornets, the interest of the three teams involved in the trade, the interest of the LA Clippers who have to share the LA market with the Lakers (apparently not, as even the Clippers backed out of a trade for Paul on Monday), the interest of the ever-vindictive owner of the Cleveland Cavaliers, Dan Gilbert, still smarting over LeBron James leaving his team via free agency for Miami, or the interest of just the omnipotent ‘they’? After calming down and listening to and reading the sports commentariat, the one who struck me the most was Mike Wilbon on Pardon the Interruption, a talking heads sports show on ESPN. Wilbon said that the NBA has a financial interest in the Hornets plus an NBA-wide competitive interest, which equals a conflict of interest.

Often overlooked as the point number 1 on the Department of Justice’s (DOJ) suggested 13 points for a minimum best practices anti-corruption compliance program is:

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy should be memorialized in a written compliance code.

In every Code of Conduct that I have seen there is a Conflict of Interest (COI) provision. Many people, including myself, have wondered why something so self-obvious as a written company Code of Conduct would be listed as the point number 1 in a best practices compliance program. I believe that a written Code of Conduct should be the first because, as stated by Jeffrey Kaplan in introducing his Conflict of Interest Blog, conflicts of interest, “as a general matter, present the most common sort of C&E issues in business organizations. They can also be the most difficult to resolve, both because there is no overarching set of COI-related laws (unlike, for instance, competition law) and also because COI issues are frequently raised in an intensely personal circumstances.” If you work for a large publicly owned entity, the COI provision probably prevents ownership in another entity, other than some level of stock, without notice to and consent by your employer. The reason this notice and consent requirement exists is so that you will not be in the same position as Commissioner Stern; that is, conflicted, leading you to make bad decisions.

So how does this relate to anti-corruption compliance you ask? (And I am glad you asked that question.) Anytime someone engages in bribery, they put the recipient in a conflicted position. The recipient agrees, overtly or tacitly, to favor the interests of the bribe-maker over those of his employer. Recognizing that the Foreign Corrupt Practices Act (FCPA) is a supply side focused law, it does have the benefit, if the law is followed or not watered down, of reducing such conflicts of interest in foreign lands. A clear benefit for US companies is that they will not be sued as well, as evidenced by the ongoing Alba v. Alcoa matter in federal district court.

How does Enron work into all this? Recently, the tenth anniversary of the Enron self-implosion passed. One of the things I was reminded about in some of the articles discussing this anniversary is that the Enron Board of Directors actually voted on and approved a waiver of the Enron Code of Conduct to allow the Chief Financial Officer (CFO), Andy Fastow, to not only own entities which competed with Enron but to negotiate with others in the company, who worked under him, on behalf of the entities in competition with Enron. Sound like a conflict of interest to you? More to the point, what does such an action by a company’s Board of Directors say about the culture of a company? Perhaps it says that compliance is not too high on the agenda, ya think?

So have some respect for a Code of Conduct; it really is an important document. As strongly as I feel about Commissioner Stern’s clear conflict of interest in voiding the Chris Paul trade, it is, nonetheless, a great teaching moment that you can use in your compliance training. You should also sign up to receive Jeff Kaplan’s blog on conflicts of interest. Lastly, if you are on the Board of Directors of a company, step up and have some backbone.


© Thomas R. Fox, 2011

October 31, 2011

The Seven Deadly Sins for a Compliance Program

In an article in the October/November issue of Society of Corporate and Compliance Ethics Magazine (SCCE), entitled “The seven biggest mistakes companies make that erode ethical culture and destroy reputation”, author Eric Feldman reviews his version of the Seven Deadly Sins for a company’s compliance and ethics program. He notes that the “most severe consequences of corporate ethical lapses can be mitigated, even avoided, by proactive care and feeding of a corporate culture”, but that when a compliance crisis arises it may well be “too late to put the genie back in the bottle.” However, following his seven prescriptions may well be the difference between a “bump in the road or falling into quicksand” when the government comes knocking.

1. Putting the Code of Conduct on your Shelf

A Code of Conduct is not solely a reference tool, like a dictionary. An effective Code of Conduct is a “manifestation of a company’s core values.” In the words of Lanny Breuer, it is a living document and should be regularly updated, not sitting on the shelf for many years without any updates. Recommendation – Demonstrate leadership and tone at the top.

2. Ignoring your Company’s Culture

Feldman defines compliance as adherence to “laws, rules and regulations” and ethics as a guiding set of “core principles that ‘guide a company’s behavior’.” Put another way, does your company only “talk the talk” of ethics or more importantly does it “walk the walk” as well? Recommendation – Corporate focus on regular assessment and improvement of ethical culture.

3. Worshiping at the Altar of Highest Grade Point Average

Interestingly, Feldman believes that companies which proudly proclaim that they hire only the “best and the brightest” may be setting themselves up for a big compliance problem. His root cause analysis: Gen X’ers and Gen Y’ers have more problems with “résumé credibility” than older workers. He notes that integrity needs to be a high priority in employee recruitment. Recommendation – Incorporate an ethics component into your hiring and interview process.

4. Letting the Money Talk

There needs to be a clear compensation system based on reference to how an employee conducts business. This is true both for monetary compensation and promotion in the organization. Recommendation – System of sanctions for ethical violations and rewarding those who do business in an ethical manner.

5. The Parent Trap – Do as I say, not as I do

This relates to Point 2. Your company needs to have in place a compensation and promotion system which rewards good ethics and compliance. I often use the example of the following: some Regional VP (outside the US – you pick the foreign region) is alleged to have said the following, “If I violate the Code of Conduct, I may or may not get caught; If I violate the Code of Conduct and get caught, I may or may not be disciplined; If I miss my numbers for two months, I will be fired.” If that is the reality, guess what, the Regional Vice President (VP) will make his or her numbers. Recommendation – Values based ethics training.

6. Ethics in the Corner

Feldman writes that nothing speaks volumes louder than creating a company Chief Compliance Officer (CCO) and not giving that person sufficient clout within an organization to get the job done. This will certainly be true if the government comes knocking. If the CCO is not high enough up in the organization or does not have the budget to accomplish the compliance mission, employees will clearly see this and react accordingly. Recommendation – A CCO who has both the authority and the budget to get the job done.

7. Shooting or Ignoring the Messenger

Here Feldman is referring to the employee who reports ethical misconduct and suffers retaliation. Although every company says it never retaliates, the sad truth is very different in corporate America. This leads to too many employees staying silent about “fraud and misconduct striving in their organizations.” Worse yet is when the government comes knocking and they tell the investigator that they were afraid to report the misconduct. Recommendation – An anonymous hotline that earns employee credibility.

Feldman’s seven deadly mistakes provide an excellent framework for any company to assess its overall compliance program from a high level. While perhaps not rising to the level of “sins”, the answers will allow the compliance practitioner to be ready to respond if the Department of Justice comes a calling.

=======================================================

My This Week in FCPA colleague Howard Sklar begins a 4 part webinar series on “A Brave New World FCPA and UKBA: Take Steps to protect your organization now” next week. Registration and information is available at http://ht.ly/7ewKI. 


© Thomas R. Fox, 2011
