FCPA Compliance and Ethics Blog

February 24, 2012

Innovation and Compliance

Can compliance be innovative? Or can innovation inform your compliance program? Can some of the techniques and strategies of the world’s most innovative companies be brought to bear in the field of anti-corruption and anti-bribery?

I thought about those questions, and perhaps some others, while reading the March issue of Fast Company, with a cover title of “The World’s 50 Most Innovative Companies”. In his column, “From the Editor”, Robert Safian wrote about “The Lessons of Innovation.” He said that in reviewing the Top 50 most innovative companies, he drew eight key themes. As I read these I thought about them and their relationship to compliance. So with a tip of the hat to Mr. Safian, here is my compliance spin on his eight key themes of corporate innovation.

1. Compliance should be a strategy, not a tactic. Starbucks recognized that profit alone is a “fairly shallow aspiration, and it’s not enduring.” Most people want to do business with companies which do not engage in bribery and corruption. Indeed, the UK Bribery Act enshrines this in its Six Principles of Adequate Procedures by stating that a company should only conduct business with other ethical companies.

2. Big companies need to be as nimble as small companies. Safian notes that the top four companies: Apple, Google, Facebook and Amazon.com all continue to “drive the agenda across the global economy.” This should also be true of your compliance program. You need to use the tools available to you to update your risk assessment if you move into new business lines, products or geographical areas. Similarly if one of your competitors comes under anti-corruption scrutiny, you should review any similar practices that your company might have, such as its sales model or vendors in the Supply Chain.

3. Technology is disruptive in unexpected places. Here Safian gives the example of LegalZoom, which is “challenging the definition of a law practice” by providing useful legal forms and documents to consumers. In the compliance arena, the number of technological innovations is as broad as it is deep. Companies like Catelas and VisualRisk IQ have developed software products which can allow review and assessment of a large number of data points or other quantitative data. You can even get apps for smartphones which allow submission of expense requests directly to your compliance department.

4. Compliance is a competitive advantage. Apple has never been publicly reported as going through a Foreign Corrupt Practices Act (FCPA) investigation. What is their stock price today and is it still undervalued? Even when it recently received negative publicity regarding its manufacturing facilities in China, it responded quickly and brought in an outside monitor to assess and report. Apple also annually assesses its third party vendors and makes that report public. Do you think that keeps vendors on their collective toes? You bet it does.

5. Use of social media makes compliance better. My former speaking cohort, Stephen Martin, then General Counsel for Corpedia, often spoke about Code of Conduct 3.0, which is a web-based interactive tool which helps guide employees through a Code in an interesting and stimulating manner. The same is true of training. You no longer need to simply have a video conference to deliver compliance training around the world. Companies like Click4Compliance have interactive, web-based solutions that you can utilize. I noted above the smartphone app which allows employees from around the world to submit expense requests to the compliance department and receive an instant response back from an assigned compliance team member.

6. Data is power. If you don’t document it, you can’t measure it. If you don’t measure it, you can’t assess it. If you don’t assess it, you can’t improve it. That is how an engineer tends to look at things. In the compliance world, if you don’t document it, it never existed (Cue drum roll for: document, document and document). Both are true. You have to document things to prove that you actually did them. But if you do not have data, you cannot determine if your compliance program is successful or improve it.

7. Money is flowing. Here, Safian does not necessarily mean that more funding is available. However, in the compliance world, what I believe this means is that forces other than legal compliance, such as US Department of Justice (DOJ) or UK Serious Fraud Office (SFO) enforcement, are beginning to drive compliance. Insurance companies have developed insurance coverage for FCPA investigations; D&O insurers are requiring companies to have a compliance program to cover directors and officers sued in shareholder derivative actions based upon admitted FCPA violations; and perhaps most interestingly, banks and other financial institutions are reviewing anti-corruption compliance programs to determine if they meet minimum best practices and then writing maintenance of these programs into their loan covenants.

8. Copycats are history. Safian notes that “emerging market entrepreneurs aren’t just following the successes of others, they are creating new, distinct models”. In the compliance arena I believe that ‘out-of-the-box’ solutions are no longer best practices. Companies need to assess their specific compliance risks and then design programs to specifically manage those compliance risks. If your company uses a sales model of agents, one type of compliance management strategy may need to be employed. However, if your company is a manufacturing company, which sells through distributors, another compliance management strategy may be required. Do not simply purchase a compliance program off the shelf. Either design it to fit the needs (and realities) of your business model or work with an expert who can do so.

The innovation angle is not one that is usually in the front of the line at compliance conferences or in thinking through compliance programs. But if you listen to Lanny Breuer, Chuck DuRoss or any other DOJ speaker, they continually talk about evolving best practices in anti-corruption compliance. Any reader of Deferred Prosecution Agreements (DPAs) over the past 18 months is well aware of the changes in focus that the DOJ has in these documents. Certainly, many of the compliance techniques are driven by the compliance challenges in the individual companies. But if your company has engaged in mergers and acquisitions, why would it not follow the ‘enhanced’ compliance guidance found in the Johnson & Johnson DPA and train all high risk employees within 12 months of acquisition and perform a full compliance audit within 18 months of acquisition? So my conclusion is that innovation in the compliance arena is key. As compliance programs mature and as companies mature in their approach to compliance, innovation will continue to lead best practices.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

June 24, 2011

Regulatory Compliance Risk Assessment: Identifying Key Legal/Regulatory Risks

Ed. Note: I recently posted an article by Mary Shaddock Jones entitled “Suggestions for Starting a Regulatory Compliance Risk Assessment”. Based on the response to the posting, I asked Mary to drill down a little more in subsequent articles on a few of the steps she outlined in that article. This is the first posting in this follow-up series.

Remember that the hypothetical in the original article was that you had just been asked to perform a regulatory compliance risk assessment in all of the countries in which your company currently operates.

We believe that you can use the Enterprise-wide Risk Management (ERM) Framework to identify, analyze, respond to and monitor critical regulatory compliance risks on a country by country basis. The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) ERM Framework defines ERM as follows:

Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The key is that ERM is a process. It is not a “one time” exercise. The same holds true for Legal/Regulatory/Compliance risks facing your company. Laws and regulations can change on a regular basis. Keeping up with the myriad of changes can be a difficult task for compliance and legal departments, especially at smaller firms or companies. This is why we suggest that you need to “divide” the company into various “Risk Centers” and identify the “Risk Owners” within each Risk Center. Responsibility for monitoring and notifying the Legal/Compliance departments of any change in the legal/regulatory requirements should remain with the “Risk Owner”.

So who are some of the key “Risk Owners” in any organization? Clearly the Human Resources department is one key “Risk Center”. There are a myriad of U.S. Federal and State employment laws including, but not limited to: (a) Title VII of the Civil Rights Act of 1964; (b) Age Discrimination in Employment Act; (c) Americans with Disabilities Act; (d) Equal Pay Act; (e) Immigration Reform and Control Act of 1986. In addition, if you are a company operating internationally, you must have a “risk owner” who has responsibilities for the local Human Resources laws. For instance, did you know that the Mexican Constitution (at least at one point in time) contained a “Declaration of Social Rights” that deals with minimum working conditions, salaries, equality of treatment, job security, the right to strike, and mandatory profit sharing? The Brazilian Labor Code has adopted many of the same principles and has created a system of Labor Courts that are quite favorable to all Brazilian workers, both blue and white collar. But there are small differences in the employment laws between Mexico and Brazil that require someone with specialized knowledge within your company to “own” the risk.

Another “Risk Center” could be the Logistics or Supply Chain Management Department. If this Department is responsible for interfacing with Freight Forwarder companies (i.e. companies hired to move shipments between foreign and domestic locations, or a portion of the way, and which handle many of the formalities involved in exporting and importing such shipments), then it should “own” the legal/regulatory compliance risks associated with exporting and importing. Again, there are a myriad of U.S. Federal and State laws and regulations touching upon Import and Export activities including (a) The Export Administration Act; (b) The Export Administration Regulations (EAR); (c) The International Traffic in Arms Regulations (ITAR); (d) Trading with the Enemy Act; (e) Antiboycott Regulations; (f) Foreign Corrupt Practices Act, to name a few. In addition to the U.S. laws, there are significant local laws in foreign countries that regulate the importation and exportation of goods into the countries. Did you know that there are different laws for the importation of vessels into Brazil depending upon whether or not the vessel is being used in the oil and gas industry? Or that there are laws regarding the importation of automobiles into China? The point is that there are so many laws and regulations in every aspect of doing business that the most practical way of ensuring compliance is by having identifiable “Risk Centers” which designate a “Risk Owner” who has the compliance responsibility. The compliance department can then act as the repository of the information, but the Risk Owner (i.e. that person closest to the risk).

What about Financial Record Keeping and Reporting? Tom Fox has written numerous blogs regarding the Books and Records requirements contained within the Foreign Corrupt Practices Act. The FCPA requires “issuers” (any company including foreign companies) with securities traded on a U.S. exchange or otherwise required to file periodic reports with the Securities and Exchange Commission (“SEC”) to keep books and records that accurately reflect business transactions and to maintain effective internal controls. Another U.S. law which has significant internal control requirements is the Sarbanes-Oxley Act of 2002. Clearly, the Accounting/Financial Department(s) are another “Risk Center”.

What are the laws/regulations under each area? What is the appropriate “Risk Center” for each law/regulation for your company? Who is the designated “Risk Owner”?  Mapping out the answers to these questions will clearly be a step in the right direction in performing your Legal/Regulatory Risk Assessment.   Here are a few legal risk areas for your consideration: (a) Antitrust; (b) Bribery, Gifts and Entertainment; Conflicts of Interest; (c) Consumer Protection; (d) Customs, Import and Export Controls; (e) Environmental, Health and Safety; (f) Labor and Employment Law; (g) Financial Record Keeping and Reporting; (h) Government Contracting; (i) Intellectual Property; (j) HIPAA/ Security and Privacy; (k) Records Management; (l) Securities and Insider Trading;  and (m) Anti-Money Laundering.   This doesn’t even touch applicable international laws!  But it should help you get started with your Risk Assessment.  Good Luck!

Mary Shaddock Jones, Attorney at Law, can be reached via email at msjones@msjllc.com or via phone at 337-515-8527 (c); 337-513-0335 (o).

June 1, 2011

We’re No. 1: What Level of Due Diligence Should You Perform?

New Zealand is generally recognized as having some of the lowest instances of corruption across the globe; at least that is the perception. Over the past 3 years it has either been Number 1 or led outright the Transparency International Corruption Perceptions Index with scores of

  • 2010: 9.3
  • 2009: 9.4
  • 2008: 9.3

It was, therefore, with some surprise that I came across a story referred to in yesterday’s Corruption Currents blog by the Wall Street Journal (WSJ), on a website in New Zealand, Stuff.co.nz, entitled “NZ firms linked to money laundering” authored by Michael Field.

The article reported that companies created in New Zealand had been linked to “Russian crime, a Mexican drug cartel and Romanian extortion.” Additionally it reported that certain companies created in New Zealand had been tied to a company alleged to have smuggled arms into North Korea. These were accomplished by the creation of New Zealand shell companies which were used to move monies through to avoid detection.

The article reported certain international criticisms of New Zealand corporate registration protocols. The Canadian Financial Transactions and Reports Analysis Centre identified the “exploitation of New Zealand’s weak company registration laws” as a problem. International expert Martin Woods was quoted in the article as saying that shell companies were “ideal vehicles for money launderers, tax evaders and arms traffickers”. But the topper is the following line: “The government admits there is a problem but says it has had other priorities”. We do note that this final quote is not attributed.

The problem all of this raises for a compliance practitioner here in the US is how to evaluate a company for due diligence purposes. The Transparency International Corruption Perceptions Index is a generally recognized index that many companies rely on to set the appropriate level of due diligence. New Zealand, with a sterling score of 9.3 or 9.4 and a ranking of Number 1 over the past three years, is a country that may be perceived to have one of the lowest levels of corruption in the world. However, the article in Stuff.co.nz demonstrates the need for active and strong due diligence in all places across the globe.

The article reports that one individual was, at one point, listed as a Director of over 300 New Zealand formed companies. Another person, listed as the Director of the New Zealand company alleged to have been involved with the shipment of arms to North Korea was “convicted of 75 breaches of the Companies Act for giving false addresses on registration forms”. Both of these examples cited in the article should give pause to companies when they set their due diligence levels. A traditional Level One US/UK database search may not be enough to protect your company.

You may need to move to a more sophisticated search, such as one which makes a database search for in-country records. It is certainly important to know if and when a person holds multiple Directorships in various and not obviously related companies. This should raise a very big Red Flag.

The moral of this story is that due diligence is not a rote exercise. Care must be given in all phases. Simply because you are doing compliance due diligence for Foreign Corrupt Practices Act (FCPA) issues does not mean you can ignore money laundering and export control issues. I have written on compliance convergence and heard my colleague Howard Sklar talk on this several times. Your compliance program needs to be cognizant and integrated to evaluate and manage these risks for your company.

© Thomas R. Fox, 2011
