The FCPA Compliance and Ethics Report

If you have not done so, I hope that you might go over to my podcast site, the FCPA Compliance and Ethics Report,  to check out some of my recent podcasts. The episodes are between 20-30 minutes long and they are available for download on iTunes so you can listen to them on your commute to work or when working out at the gym.

Internal Controls

I have begun a series on internal controls in a best practices FCPA compliance program with noted internal controls expert Henry Mixon. In Parts I & II, Mixon and I discuss the basics of what are internal controls. These podcasts supplement some of my recent blogs on internal controls.

Episode 85-What Are Internal Controls, Part I

Episode 87-What Are Internal Controls, Part II

HR and Compliance

One of the best allies for the compliance function in any company is the Human Resources department. I explore how HR can assist compliance in a myriad of components of any best practices compliance program.

Episode 86-Use of HR in a Compliance Program

Continuous Improvement of a Compliance Program

In the FCPA Guidance and in almost every speech I have heard by a Department of Justice official, they talk about how your compliance program should evolve to meet new compliance risks, changes in best practices, geographic markets where your company does business and new product/service offerings. You can do this by continuous improvement of your compliance program.

Episode 84-Continuous Improvement of Your Compliance Program

The Compliance EcoSystem

Jon Rydberg is the Founder and CEO of Orchid Advisors. He is also the former CCO of Smith & Wesson and was at the company when it navigated it way through a FCPA investigation and enforcement proceeding. From these experiences, Rydberg has developed a holistic approach to compliance which he has trademarked as the “Compliance EcoSystem”. I explore his ideas on an fully integrated approach to compliance

Episode 83-Interview with Jon Rydberg

Use of Interviews in Your Compliance Program

Brian Ching is the most famous player in the history of the Houston Dynamos soccer club. Ching recently retired and moved into the front office as the General Manager of the Houston Dash, the Houston professional women’s soccer club. I interviewed Ching on his transition to management and how the Dash use the face-to-face interview process to not only assess the non-soccer skills that the team requires of its players but also to communicate the team’s expectations. There are some very significant insights about how a company can communicate its expectations regarding ethical business practices.

Episode 79-Interview with Brian Ching

The FCPA Professor

Finally and last but certainly not least, I bring back the FCPA Professor for a two-part podcast on his new book The Foreign Corrupt Practices Act In a New Era.

Episode 80, Interview with the FCPA Professor, Part I

Episode 81-Interview with the FCPA Professor, Part II

A good weekend to all.

Continuous Improvement Of Your Compliance Program, Part II

Yesterday, I began a two-part series on continuous monitoring of your anti-corruption compliance program. In Monday’s post, I looked at the regulatory framework for such a requirement. In today’s conclude with some thoughts on how to continually improve and update your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance regime and take a look again at how the regulators might view your program, in some quick, easy and pithy ways.

Anti-corruption, anti-bribery, anti-money laundering (AML) programs policies and procedures and even export control systems are seemingly in a constant state of evolution. Many companies are struggling with the challenge of implementing effective controls and monitoring risks across a spectrum that could include the three above listed compliance areas as well as others. One area that has evolved into a minimum best practices requirement for compliance is that of continuous monitoring.

While many companies will look at continuous monitoring as a software solution that can assist in managing risk, provide reporting metrics and, thereby, insights across an organization, it should be viewed more holistically. You will need to take many disparate systems, usually across a wide international geographic area, which may seem like an overwhelming process. Justin Offen, explained this in his article, entitled “Mission Impossible? Six steps to continuous monitoring”, where he detailed a six-point program to ensure that your “CM solution doesn’t become part of the problem” rather than a solution.

1. Know your global IT footprint. It is important to understand how continuous monitoring will be incorporated into your company’s overall IT strategy as well as your compliance strategy. This advocates that this inquiry begins with understanding what your current IT structure is and what it is anticipated to be in 3 and 5 years. Once you identify your global IT footprint you can determine which system will be the best fit.
2. Define scope and necessary resources. You should determine what your goal is, begin by identifying your needs and then prioritize them. You should perform a risk analysis and then rank the risks. Next, you need to understand the amount of talent you have in your organization, identify who can implement and work with the system and determine your budget, which may need to be increased based upon your need for outside experts and unknown contingencies.
3. Conduct a pilot or proof of concept. A phased rollout can be used as a proof of concept, which can yield greater functioning efficiency throughout your entire program implementation. It should also allow you to chalk up an early success to present to the inevitable nay-sayers in your organization.
4. Decrease false positives. This is important because improper or incomplete testing may well lead to a larger amount of false positives which you are required to evaluate and clear. From each test, you can further refine your continuous monitoring solution to the specific needs of your organization and increase time and efficiency in your overall continuous monitoring program.
5. Establish your escalation protocol. You should establish a response protocol when an exception or Red Flag arises. This protocol should include an escalation protocol if the Red Flag suggests that it is warranted or additional investigation determines a wider problem exists. This protocol should include specific individuals and departments that need to be notified, the makeup of your initial and secondary triage team and the accountability for each person in the process, all the way up to the Board.
6. Demonstrate control through case management. This demonstrates once again the maxim of Document, Document and Document. You need to be ready to “respond with appropriate documentation of any transaction that’s been reviewed, showing the level of review and any additional steps taken.”

The benefits of such a continuous monitoring program are significant; the creation of documentation that can lead to a ‘ready response’ by a company to an issue before it becomes a larger problem, coupled with the ability to recall all steps and information when a regulator comes knocking. Internally, using the pilots or proofs of concepts, the compliance department can bring in other stakeholders to see the value of continuous monitoring within the organization.

You Have a Strategic Plan – Now What Do You Do?

Have you thought about your anti-corruption through the lens of a strategic plan? If not, you might want to use the formulation proffered by Bruce Rector, in an article entitled “Strategic planning needs constant follow-up to be successful”. Recognizing that a strategic plan can serve as guide for your company going forward, it must actually be utilized to garner any use out of it. I believe that the steps he lays out translate, without difficulty, into steps a compliance officer can take to meet the suggestion laid out by Offen above.

• Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan. To the extent possible this should be done in person. The CCO should lead a discussion of the Strategic Plan and determine how this goal in the Plan measures up to its implementation in your company.
• Design an Execution Plan. The “Keep it Simple Sir” or KISS method is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straightforward plan to ensure that the goal in question is being addressed. Any such plan must be specific with clear goals for all involved, with tasks handed out, deliverables defined and a definite timeline for delivery.
• Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. Simply having a time line is not enough. This means that the persons tasked with the responsibility of performing the tasks be clearly identified, by both the individual so tasked and the actual task they are assigned to complete. Accountability requires that there be follow-up to confirm that these targets are met. This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
• Schedule the Next Review of the Plan. There should be a regular review of the process. While noting that this may seem time consuming, this means the group responsibility gets into a regularity, which will assist the process moving forward more smoothly. It also allows any problems which may arise to be detected and corrected more quickly than if meetings are held at a less frequent basis.

It is a function of the CCO to reinforce the vision and goals of the compliance function, where assessment and updating are critical to an ongoing best practices compliance program. If you follow this protocol, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan.

The Regulators Perspective

What does an effective compliance program look like? Over the years, we have heard various formulations of inquiries that regulators might use when reviewing a compliance program. While not exactly a review of a compliance protocol, one of my favorites is what I call McNulty’s Maxims or the three questions that former United States Deputy Attorney General, and Baker & McKenzie LLP partner, Paul McNulty said were three general areas of inquiry the he would assess regarding an enforcement action when he was at the DOJ. They are: first: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”

Stephen Martin said that an inquiry he might make was along the lines of the following. First he would ask someone who came in before the DOJ what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure), he would then ask, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. His next question would then be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, it has been Martin’s experience that most companies spent far more on the Post-It Notes than they were willing to invest in compliance.

Andrew Ceresney, Director of the Division of Enforcement of the SEC, speaking at Compliance Week 2014, said that he has “found that you can predict a lot about the likelihood of an enforcement action by asking a few simple questions about the role of the company’s legal and compliance departments in the firm.” He then went on to detail some rather straightforward questions that he believes could show just how much a company is committed to having a robust compliance regime.

• Are legal and compliance personnel included in critical meetings?
• Are their views typically sought and followed?
• Do legal and compliance officers report to the Chief Executive Officer (CEO) and have significant visibility with the board?
• Are the legal and compliance departments viewed as an important partner in the business and not simply as support functions or a cost center?

Near the end of his presentation, Cerensey said that “Far too often, the answer to these questions is no, and the absence of real legal and compliance involvement in company deliberations can lead to compliance lapses, which, in turn, result in enforcement issues. When I was in private practice, I always could detect a significant difference between companies that prioritized legal and compliance and those that did not. When legal and compliance were not equal partners in the business, and were not consulted as a matter of course, problems were inevitable.”

McNulty’s Maxims, Martin’s question on budget and now Cerensey’s questions all provide significant guideposts to how regulators think about FCPA compliance programs. For me, I think the point is that companies which actually Do Compliance are easy to spot. For all the gnashing of teeth about how hard it is to comply with what the DOJ and SEC want to see in FCPA compliance, when the true focus can be distilled into whether a company actually does compliance as opposed to saying how ethical they are, I think it simplifies the inquiry and the issues senior management and a Board of Directors really needs to pay attention to.

Continuous improvement through continuous monitoring or other techniques will help key your compliance program abreast of any changes in your business model’s compliance risks and allow growth based upon new and updated best practices specified by regulators. A compliance program is in many ways a continuously evolving organism, just as your company is. You need to build in a way to keep pace with both market and regulatory changes to have a truly effective anti-corruption compliance program. The Guidance makes clear that the “DOJ and SEC will give meaningful credit to thoughtful efforts to create a sustainable compliance program if a problem is later discovered. Similarly, undertaking proactive evaluations before a problem strikes can lower the applicable penalty range under the U.S. Sentencing Guidelines. Although the nature and the frequency of proactive evaluations may vary depending on the size and complexity of an organization, the idea behind such efforts is the same: continuous improve­ment and sustainability.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Theme from Shaft and Continuous Improvement of Your Compliance Program, Part I

The composer of what I believe to be the absolute coolest movie theme ever was born on this date in 1942, Isaac Hayes. Hayes continually succeeded in many areas. In the 1960s it was with soul music on the great label Stax. In the 90s it was as the voice of Chef on the animated TV series South Park. But for my generation it was for the theme song, and indeed entire soundtrack, to the movie Shaft that I will always remember Hayes for. The success of that soundtrack led not only to nearly four more decades in the public eye, but as I will never forget sight of Isaac Hayes, playing shirtless in heavy chains and sunglasses as he performed the #1 pop single “Theme from ‘Shaft'” on national television the night he was awarded the Academy Award for Best Score.

How Hayes continued to reinvent of himself as a performer informs my blog posts over the next two days as I look at continuous improvement in your Foreign Corrupt Practices Act (FCPA) compliance program. Today, I will review the regulators view on continuous improvement and tomorrow I will provide some specific techniques that you can engage in to help satisfy this prong of the Ten Hallmarks of an Effective Compliance Program.

You should keep track of external and internal events that may cause change to business process, policies and procedures. Some examples are new laws applicable to your business organization and internal events driving changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. The FCPA Guidance (Guidance) specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Continuous improvement requires that you not only audit but also monitor whether employees are staying with the compliance program. In addition to the language set out in the FCPA Guidance, two of the seven compliance elements in the Federal Sentencing Guidelines (FSG) call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

A review plan is an excellent tool for the compliance practitioner because it provides a method for the ongoing evaluation of policies and sets forth a manner to communicate and train on any changes that are implemented. More than simply staying current, this approach will help provide the dynamics that the DOJ continually talks about in keeping your program fresh. Lastly, such a review plan can also guide the compliance practitioner in creating an ongoing game plan for compliance program upgrades and updates that Stephen Martin advocates.

The Guidance makes clear that each company should assess and manage its risks and specifically notes that small and medium-size enterprises likely will have different risk profiles and therefore different attendant compliance programs than large multi-national corporations. Moreover, this is something that the DOJ and Securities and Exchange Commission (SEC) take into account when evaluating a company’s compliance program in any FCPA investigation. This is why a “Check-the-Box” approach is not only disfavored by the DOJ, but, at the end of the day, it is also ineffectual. It is because each compliance program should be tailored to the enterprise’s own specific needs, risks, and challenges.

One tool that is extremely useful in the continuous improvement cycle, yet is often misused or misunderstood, is ongoing monitoring. This can come from the confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information.

Auditing is a more limited review that targets a specific business component, region, or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. Although unique in protocol, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from AsiaPac, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks, and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local Finance departments in your foreign offices to ask if they’ve noticed any accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries in which they manage. These ongoing efforts demonstrate that your company is serious about compliance.

The DOJ emphasized again with the 2011 Pfizer Deferred Prosecution Agreement (DPA), the need for a company to establish protocols for auditing. It included the following detail on auditing protocols:

• On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training.
• Review of a representative sample (appropriately adjusted for the risks of the market) of contracts with and payments to individual foreign government officials as well as other high-risk transactions in the market.
• Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations.
• A review of the books and records of a sample of third party representatives that, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures in place to make sure every investigation is thorough and authentic, including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently.

Tomorrow, I will review some specific steps you can take to meet these goals.

For your listening pleasure, close your eyes and listen to the Theme From Shaft, by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014