FCPA Compliance and Ethics Blog

August 23, 2012

What is Your Integrity Capital?

Compliance practitioners often hear that bribes must be paid in emerging markets to get anything done. Indeed, a recent survey by CEB (formerly Corporate Executive Board) of more than 700,000 employees of multinationals around the world, discussed in a Harvard Business Review article entitled “Greased Palms, Giant Headaches” by Dan Currell and Tracy Davis Bradley, reported that there was a large jump in the payment of bribes, the providing or receiving of improper gifts and failures to report conflicts of interest in the BRIC (Brazil, Russia, India and China) countries over developed countries. Is bribery really pervasive in those countries or is it simply the perception? On the other hand, as Andre Agassi was found to say, “Perception is reality.” Certainly the story by the New York Times (NYT) about Wal-Mart in Mexico paying over $24 million to be the first big box retailer into the Mexican market may lend some credence to that perception. While the authors did not specifically address the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act, they did report that “bribery and corruption is the second leading category of unlawful activity by Western companies in emerging markets”.

However, Currell and Bradley focus their collective attention on the US corporate headquarters in their article. They note that “Our research suggests that one driver originates at headquarters-multinationals’ increasing growth imperative in emerging markets.” While it certainly is a recognized and valid long-term growth strategy to identify and develop new markets, the authors believe that companies are now thinking that they can “meet our targets by increasing revenues quickly in markets” like the BRIC countries. In other words, long-term strategic plans suddenly become “short-term necessities” and this change can increase “the pressure on local employees to make their numbers, tempting some to break the law.”

What is a company to do when short term goals cause pressure, pressure and more pressure for increased revenues? The authors acknowledge that a robust compliance program is a key component for protection against bribery and corruption by employees, but they believe that more is needed. They identify “Integrity Capital” as a key component to “lower levels of misconduct along with higher levels of reporting when employees do witness wrongdoing. Integrity capital is embedded in the culture, not instituted through controls, and it helps shape employee behavior, which could include offering a bribe or defrauding the company.” The authors identify the following as five factors of Integrity Capital:

  1. Management takes action when it becomes aware of misconduct. This means that companies “must insist on a swift response to complaints, unbiased investigations” and even “public hangings” of offenders.
  2. Employees are comfortable speaking up about misconduct and don’t fear retaliation. While this would seem to be self-evident, it is a sad fact that in many companies, whistleblowers are ostracized or even blamed for the conduct in question. Witness the initial response by Wal-Mart management in the 2005 time frame to allegations of corruption made by an employee with knowledge of the conduct. He was blamed for the conduct at issue. Even in the recent allegations brought to light with EADS, the whistleblowers were marginalized or worse by the company.
  3. Senior leaders and managers treat employees with respect. The authors believe that in addition to not mistreating whistleblowers, companies should “praise employees who have the courage to call out wrongdoing.”
  4. Managers hold employees accountable. Simply put, if an employee engages in bribery or corruption, they need to be disciplined or discharged. Allowing high revenue generators or high income generating territories or business units to avoid scrutiny and/or sanctions is a clear recipe to destroy the integrity of a compliance program.
  5. High levels of trust exist among colleagues. Your employees must believe that the company will take allegations seriously and will act on the information that they provide.

The authors conclude their article with three different concepts which they believe will minimize the occurrences of bribery and corruption within an organization. First, a company should use commonsense observation. If an emerging market shows success in “speeding things along”, such as regulatory approvals for the construction of bricks-and-mortar facilities, this may need to be looked at more closely. Since regulatory approvals do not happen quickly in BRIC countries, it may be that the skids were greased with cash to pay bribes. The second is that a company must be proactive in seeking out and obtaining information from employees about allegations of bribery and corruption. The authors “advise companies to also proactively solicit information from frontline employees and to use surveys or online tools to guarantee anonymity” in reporting allegations of bribery and corruption. Lastly, the authors insist that companies have organizational justice so that if there are credible reports of misconduct they are not swept under the rug.

Currell and Bradley provide interesting observations which can be used by a compliance professional to evaluate the sufficiency of their compliance program. Their thoughts on things to look for from an emerging market provide solid guidance on searching for potential red flags which might warrant further investigation from internal audit or an FCPA-based compliance audit team. There are a number of practitioners and ethicists who talk about the need for ethics in any company culture to complement a compliance program. The article by Currell and Bradley provides some of their guidance on what that may look like.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

August 21, 2012

What Are Some of the Benefits of a Compliance Hotline?

Is your hotline working for you? The Securities and Exchange Commission (SEC) Whistleblower line certainly appears to be working according to an article in the August issue of Compliance Week Magazine, entitled “Promoting Effective Use of the Compliance Hotline” by Columnist José Tabuena. In the article, Tabuena quotes SEC Deputy Director of Enforcement George Canellos, who related at a recent conference that “What’s really clear is quality of those tips has greatly improved and that market manipulation, dishonest accounting and potential violations of the Foreign Corrupt Practices Act (FCPA) are the most popular topics of whistleblower reports.”

In his article Tabuena gave an excellent example of the power of a hotline. He wrote about the case study of a company which had not integrated its IT function into its regular compliance and ethics training programs. As such there were zero calls into the hotline by employees from the IT department. This dynamic was changed and IT was integrated into the company’s regular compliance and ethics training. Thereafter, the hotline received several calls from IT department employees where there were two major areas of complaints. The first general area was that there were conflicts of interests between IT department managers, family members who were hired and perceptions of favoritism. The second generally revolved around allegations that certain company managers were manipulating data to maximize their bonuses.

The Favoritism Problem

The Human Resources (HR) department led an investigation that included questioning all IT managers about their direct reports and employees of their unit. The company determined that there was only one instance of a manager hiring a family member (a brother-in-law), but that person did not report to the manager and was in a different section of the IT organization. This finding made clear that there were misperceptions in the IT department, which affected the department morale. To remedy this, all IT managers received training on appropriate employment practices, and communications were also delivered to all IT employees explaining policies and practices regarding the hiring of family members. Most satisfyingly, Tabuena noted that during follow-up with callers to the helpline, the callers stated that the work environment in the IT department had noticeably improved. They also expressed gratitude that their questions were answered and that their issues were addressed. The callers felt their concerns were taken seriously when they saw the communications on hiring practices and upon having discussions with managers during staff meetings. Staff retention started improving in the department.

Manipulation of Data for Bonuses

The company used the hotline to obtain more information from the callers on “isolating the metrics and the managers in question.” It was determined that the bonuses of a select few IT managers were indeed influenced by a questionable data source, which was controlled by a non-manager with minimal oversight and controls. Following interviews with the key individual and review of the data file (including forensic analysis), it was determined that one IT manager had misrepresented information provided to the staff person maintaining the data. Notably, this staff person also reported to this manager. As a result, the IT manager’s bonus compensation was inflated. He was subsequently terminated.

Basic Tenets of an Effective Hotline

Tabuena provided three lessons which he felt were demonstrated in his article.

  • First, a helpline is of no value if the workforce is not aware of it. Although a helpline was in place, it became apparent that a segment of the company had not been informed. It was hotline data that revealed this gap. By reviewing data segmented by region, department, incident classification, and other criteria, it became obvious in comparison to the rest of the organization that the IT department had not used the helpline.
  • Second, the ethics and compliance office obtained support from the Chief Information Officer (CIO) for making IT part of the helpline community and for designating a liaison within the IT function. The support of department leadership likely influenced the success of the training and communications delivered by the ethics and compliance staff.
  • Third, the awareness of the helpline is not sufficient to ensure success. The company made sure that issues and allegations were addressed and investigated, as needed. Employees who choose not to report wrongdoing indicate a belief that nothing will be done anyway, so why take the risk? Employees also cite fear of retaliation as a reason for not reporting.

Tabuena’s article showed the power of a hotline. The company’s Compliance Department “established the credibility of the helpline as a resource to raise issues and report misconduct. The concerns regarding nepotism and conflicts of interest were taken seriously, and although the violations were not as widespread as the calls indicated, the review went a long way to clear the air.” Equally important, the helpline proved to be a successful management tool as well. The company was able to manage potential compliance issues and improve employee morale.


August 2, 2012

Compliance Lessons from Macbeth: Listen to Your Gut

I have always found Macbeth to be one of Shakespeare’s most terrifying plays. Every time I see the production and hear Lady Macbeth say that she would “have plucked from my nipple his boneless gums and dashed his brains out” of her baby or see her ghost after her suicide, it sends chills up my spine. But there are other lessons which can be drawn from the play that could be applicable to the compliance practitioner and a Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program. In an article in the July 16 edition of the Texas Lawyer, entitled “Shakespeare’s ‘Macbeth’ Teaches Lawyers Life Lessons”, author Michael Maslanka said that one of the play’s lessons for him was to “listen to your gut” when faced with a dubious proposition.

Maslanka cites the dialogue between two characters, Macduff and Malcolm, when Malcolm is deciding whether Macduff is a friend or an enemy. Malcolm falsely tells Macduff that he is unfit to succeed his father because of his unbridled sexual appetites. “The cistern of my lust, and my desire all continent impediments would o’erbear that did oppose my will,” Malcolm says. After more back and forth, Macduff concludes Malcolm is not fit to be king. Malcolm has found an honest man who will stand up for what is right, not what is expedient. Maslanka goes on to cite these two characters for the suggestion that “When in doubt on a dubious proposition, go with your gut-level reaction.” At first, Macduff tries to negotiate his conscience, because he so desperately wants an honest leader for Scotland. He acknowledges Malcolm’s weaknesses, telling him, “All these are [bearable] with other graces weighed.” But, when Malcolm says there are no other graces, Macduff declares, “Fare thee well, lord.” The lesson: ethics are not negotiable.

This type of choice can also play out in the compliance world. The starkest example of which I am aware is the HP matter involving its German subsidiary and allegations of bribery to receive a contract for the sale of hardware into Russia. At least one witness has said that the transactions in question were internally approved by HP through its then-existing contract approval process. This employee, Mr. Dieter Brunner, a contract employee who was working as an accountant on the group that approved the transaction, said in an interview in the Wall Street Journal (WSJ) that he was surprised when, as a temporary employee of HP, he first saw an invoice from an agent in 2004. “It didn’t make sense,” because there was no apparent reason for HP to pay such big sums to accounts controlled by small-businesses, Mr. Brunner said. He then proceeded to say he processed the transactions anyway because he was the most junior employee handling the file, “I assumed the deal was OK, because senior officials also signed off on the paperwork”.

In almost every circumstance where a significant compliance matter has arisen, if the issue had been reported, or at least sent up the chain for consideration, there is a good chance that the incident would not have exploded into a full FCPA compliance violation. This is the concept of escalation and it is a key feature of any successful compliance program; to escalate compliance concerns up the chain for consideration and/or resolution.

This failure to escalate leads to the issue not reaching the right people in the company for review/action/resolution and the issue later becomes more difficult and more expensive to deal with. A company needs to have a culture in place to not only allow elevation but to actively encourage elevation and this requires that both a structure and process exist. The company must then train, train and train, all of its employees. Lastly, while a whistleblower process or hotlines are necessary these should not be viewed as the only systems which allow an employee to escalate a concern.

As Shakespeare might opine, Mr. Brunner did not “listen to his gut” when it told him that the transaction in question did not make sense. Think what position HP might be in today if this temporary employee had been trained by HP that he could escalate his concern if something “didn’t make sense” to a higher level within the company for review. The key is to have the systems in place to allow such escalation and to train all employees, including contract employees, on how to escalate an issue. In FCPA training sessions, one of the things that I try to emphasize is that employees do not have to know the ins and outs of the FCPA, but if something does not feel right, smell right or look right, please raise your hand and say “it doesn’t make sense” to me.

Maslanka then draws out what he believes is the play’s over-arching eternal lesson: “Bet on concrete values like ethics, not ephemeral desires. The witches who predicted that Macbeth would become Cawdor (King) disappear as Macbeth and Banquo are speaking with them. Banquo remarks they are like “bubbles” in the water and wonders where they have gone. Macbeth’s penetrating insight: “Into the air, and what seemed corporal melted, as breath into the wind.” This insight should compel him to embrace the concrete: the ethical behavior in honor, loyalty, friendship. But his insight fades and instead Macbeth embraces the ephemeral: title, power, castles.”

So as July has now passed into August and the summer moves towards a close, think about how you might use Shakespeare to illustrate some of the key concepts of your compliance program. It might be time to talk about your hotline or reporting lines with employees to “listen to your gut” or “just raise your hand” if something does not seem right in a transaction. You can also use Shakespeare to show the timeliness and universality of the ethical values that you wish to inculcate into your company’s DNA. For as the author of this most interesting article also observes, “Once an ethical boundary is crossed there is no going back to ethical behavior.” Maslanka again quotes Macbeth who says, “I am in blood stepped in so far that, should I wade no more, returning were as tedious as go o’er.” There always is a window of opportunity to step back from the ethical precipice. Fail to take it and, like Macbeth, the downward spiral is triggered with no incentive to return to an ethical state.”


July 26, 2012

FCPA and Bribery Act Hotlines: Staying Out of Hot Water with Other Jurisdictions

It is finally here. Today is the Opening Ceremony of the Games of the XXX Olympiad in London. The first Olympics I can remember watching were the 1964 Games in Tokyo. I was enthralled with watching the world’s greatest athletes compete and the boyhood joy about the Games still exists for me. And, for my money, the best sporting event will be held in the world’s greatest city. It should be a great show for the next two weeks. They are a must watch for me and I hope that you will enjoy them as much as I intend to.

Today’s compliance thoughts relate to the Olympics in another way. I recently came across not only a must read article for the compliance practitioner but also a must save article. In the International Lawyer, Winter 2011, Volume 45, Number 4, I came across an excellent article, entitled “How to Launch and Operate a Legally-Compliant International Workplace Report Channel” or in Foreign Corrupt Practices Act (FCPA) parlance, a hotline. It was authored by Donald Dowling of the law firm of White and Case. Dowling provides a very useful guide to help navigate the challenges of setting up a multi-national whistleblower’s hotline, such as is required under the FCPA and UK Bribery Act. The majority of his article “analyzes the six categories of laws that can restrict whistleblower hotlines abroad, focusing on compliance.” You should obtain a copy of this article and keep it for reference in regards to your company’s hotlines. It is available on the White and Case website.

1. Laws Mandating Whistleblower Procedures

This group of laws “comprises mandates that require setting up whistleblower hotlines in the first place.” This includes the US Sarbanes-Oxley (SOX) as well as other jurisdiction laws which generally protect whistleblowers from retaliation but do specifically require any hotlines be set up on a company wide basis. Dowling also found a couple of countries, Norway and Liberia, which require general receiving and processing of “public interest disclosures.”

2. Laws Promoting Denunciations to Government Authorities

This category of laws generally relates to legal requirements for the reporting of illegal acts to government authorities in two ways. First, these laws encourage whistleblowing to government which then compete with employer hotlines by enticing internal whistleblowers to divert denunciations from company compliance experts and over to outside law enforcers who indict white collar criminals. This first approach is found in Dodd-Frank, which offers bounties. Second, these “laws that require (as opposed merely to encourage) government denunciations rarely except corporate hotline sponsors. These laws therefore force hotline sponsors to divulge hotline allegations over to law enforcement.” This second approach is found in SOX which “requires an employer to offer internal hotline procedures”.

3. Laws Restricting Hotlines Specifically

This category is exemplified by European data protection laws which act to restrict companies’ freedom to launch and operate reporting programs. Dowling believes that these laws are based upon the fact that Europeans “see hotlines as threatening privacy rights of denounced targets and witness”. Also this would seem to be in response to the totalitarian past from the World War II era. The author identifies what he termed “the four biggest hurdles” set up to frustrate hotlines in EU jurisdiction. They are “(1) restrictions against hotlines accepting anonymous denunciations; (2) limits on the universe of proportionate infractions on which a hotline accepts denunciations; (3) limits on who can use a hotline and be denounced by hotline; and (4) hotline registration requirements.”

4. Laws Prohibiting Whistleblower Retaliation

This category will be familiar to US compliance practitioners through the applications of US laws such as SOX, Dodd-Frank and numerous state whistleblower statutes. Additionally, the author lists numerous foreign jurisdictions which have such laws. But here he believes that the key is communication because in many countries and foreign jurisdictions, there is no tradition of protection of persons who make reports against superiors so that an “employer needs to overcome worker fear of reprisal for whistleblowing.”

5. Laws Regulating Internal Investigations

Typically laws on internal investigation do not impact hotlines because a hotline is a “pre-investigation tool.” However, the author believes that, as with No. 4 above, communication by the employer is critical to complying with laws that enact procedural safeguards for persons under investigation. Heavy-handed communications about a hotline could blow back against employers in claims by employees that “an employer rigged the investigation process.” So companies should ensure that communications about hotlines do not convey an “overzealous approach to complaint processing and investigations.”

6. Laws Silent on, but Possibly Triggered By, Whistleblower Hotlines

Here the author recognizes that the title of this category “is necessarily vague and determining which laws fall into it is difficult.” Nevertheless, he writes that the most “likely candidates are data protection laws silent on hotlines and labor laws imposing negotiation duties and work rules.” Regarding the former, the author argues that hotlines are not databases but conduits for the transmittal of information. He acknowledges that EU data privacy laws reject this distinction and treat hotlines as if they were databases where information is stored. He does not identify other jurisdictions which yet take this aggressive approach but he believes this may become a trend. The labor law issue is also tricky and may turn on the interpretation of whether the institution of a hotline is viewed as a substantive change in working conditions under a union-management labor agreement and therefore subject to collective bargaining.

In addition to all of this information, and I have only skimmed what is in the body of the text, the author also provides a handy chart which has the following headings:

Jurisdiction | Is the authority binding law? | Must confine hotline to certain topics only? | Are anonymous whistleblower calls ever OK? | Is outsourced (vs. in-house) hotline favored? | Must disclose hotline to data agency?

So just as the London Olympics is a must watch for me, this article is a must read and a must download for compliance practitioners.


July 15, 2012

Penn State, the Freeh Report and Implications for the FCPA Compliance Practitioner

The Freeh Report was released last week. It detailed a series of actions and inactions taken by officials at Penn State University (Penn State) which allowed Jerry Sandusky to continue his abuse of young boys from at least 1998 up until the time he was arrested. This incident is the worst scandal involving the American higher education system that I have witnessed in my lifetime. As noted in a New York Times (NYT) article published on July 13, entitled “In Report, Failures at Every Level of Hierarchy”, the Freeh Report found a series of failures all the way up the Penn State chain of command. The article stated, “shortcomings that were the result of an insular and complacent culture in which football was revered, rules were not applied and the balance of power was dangerously out of whack.” As bad a situation as the Freeh Report portrays, I believe that there are significant lessons for the Foreign Corrupt Practices Act (FCPA) compliance practitioner and this post will try to draw out some of these lessons learned.

I. Insular and Complacent Culture

A. Failure of Top Officials and Role of a Board of Directors

The Freeh Report portrayed the Penn State Board of Trustees, the University equivalent to a corporate Board of Directors, “as passive overseers, so in thrall to the president and the coach that they failed to demand even the barest displays of accountability.” Even if the University President actively withheld information from the Board, a Board has the responsibility to ask tough questions. The NYT article quoted Anne Neal, president of the American Council of Trustees and Alumni for the following, “For too long, the boards have been viewed more as boosters than as legal fiduciaries.”

In the aftermath of the Wal-Mart scandal, the FCPA Professor opined that the problems Wal-Mart encountered were largely a failure of corporate governance. While I disagree with the FCPA Professor on the quanta of the role of the Wal-Mart Board, I do agree that the Wal-Mart Board did not ask tough questions of its senior management regarding its FCPA compliance. If senior management deceives its own Board, that is certainly a big problem, but it is also a problem if the Board never makes the inquiries. In both the Wal-Mart case and the Penn State scandal, it appears the respective Boards abrogated their duties.

B. Reporting of Violations – Anonymous Reporting Hotline

One thing that the Department of Justice (DOJ) has insisted on for several years as a minimum best practice in FCPA compliance is anonymous reporting. It can be found in the DOJ’s current formulation of minimum best practices, which reads:

9. Ongoing Advice and Guidance. The Company should establish or maintain an effective system for:

a. Providing guidance to directors, officers, employees, and its agents and business partners, on complying with the Company’s anti-corruption compliance policies, including when they need advice on an urgent basis or in any country in which the Company operates;

b. Internal and confidential reporting and protection of those reporting breaches of the law or professional standards or ethics concerning anticorruption occurring within the company, suspected criminal conduct, and/or violations of the compliance policies directors, officers, employees; and

c. Responding to such requests and undertaking appropriate action in response to such reports.

There were at least two separate instances where low level employees witnessed Jerry Sandusky abusing children. One incident was witnessed by Graduate Assistant Mike McQueary, who did report the incident to his supervisor, Head Coach Joe Paterno. While Paterno did report this incident to the University President, the Freeh Report found that the University President did not report this incident to any police or other authorities. As troubling as this incident is, perhaps more troubling is the incident involving Penn State employee Jim Calhoun, a school janitor who witnessed Sandusky abusing a child earlier, in 2000. Although Calhoun told another employee and his supervisor of the incident, not one of these three men reported the incident to the police or other authorities because they were all afraid of losing their jobs. This was after Jerry Sandusky had ‘retired’ from Penn State in 1999. So they should not have been afraid that Sandusky would threaten them. These men were so afraid of implicating the power of the Penn State football program that they were afraid to report the conduct. Apparently there was no anonymous mechanism for them to do so.

This description makes crystal clear why a company must have an anonymous reporting system. While I firmly believe that most employees will report misconduct if they see it or become aware of it if they care at all about their company, the Penn State situation makes clear that if there is fear and trepidation for such reporting, a system must be put in place to facilitate it. But a company cannot stop there. A company must have both the commitment to non-retaliation and train people on this key company component.

II.     Rules Were Not Applied and Compliance with Legal Requirements

One of the laws that has become more widely known in the general populace since the Sandusky scandal broke is the Clery Act. This federal law requires colleges (and universities) “to pull together on crime from a variety of sources and warn the university community about potential threats. The law holds a wide range of college employees – including football coaches – responsible for contributing to the report.” While this law has been on the books since 1990, the NYT article said that, according to the Freeh Report, Penn State officials “did not know until recently that anyone but the campus police had that obligation, and the police paid little attention to the law until 2007.” More damningly, Penn State did not even adopt a plan for complying with this law until 2009 and, when the Sandusky scandal was revealed last fall, the 2009 plan had still not even been adopted by Penn State.

The FCPA has been the law of the land since 1977. However, there are a large number of US companies which have never adopted any compliance program or have one that is so old that it bears little to no resemblance to current minimum best practices. The Clery Act was well known within the academic community just as the FCPA is well known within the US international business community. Simply put, you must comply with the law. The legal liability for such failure can be astronomical. It could well lead to personal criminal liability for senior management of a corporation.

III.   Where the Balance of Power is Dangerously Out of Whack – When a Football Program Runs a University

I grew up in a small town in Texas. Friday Night Lights was true then and it’s true now. My hometown is appended to a major university where football is king on Saturday afternoon. I attended a university in Texas where football is just as big as it was at Penn State during Joe Paterno’s tenure. In short, I have lived in a state where the culture of football is a religion and the Head Coach is viewed with near godlike status (that’s god with a little ‘g’; not the God). Even though I can understand how it might happen, it does not mean that it is right. At a major university, just as in a small town school district, even the head coach is an employee who reports to someone; the University President, the Athletic Director or the School District Administrator. And even in Texas, the primary mission of a University and school district is education, not football.

A football program must be subject to the same rules and regulations as other departments. The Freeh Report noted that the Penn State football program chose not to participate in the “university’s efforts to train people in recognizing and reporting violence and sexual abuse.” Get that – the football program chose not to even participate in such training, let alone recognize that the same rules applied to it. The NYT article quoted Alison Kiss, Executive Director of the Clery Center for Security on Campus, who said that “In our experience, when an athlete or coach is involved, many times it does get treated differently. We have to change that culture.”

In the corporate world, remember Enron, where the traders ran the company. Look at Enron today, oops it doesn’t exist anymore and most of its top management went to prison, hmmm what does that tell you? Or for a more contemporary example, how about Barclays, where the traders told the bankers what information to report to set the LIBOR rate. For the compliance practitioner, I think all of this means that your corporate culture must not only be dedicated to doing business legally and ethically but that dedication must be translated through constant communication, including training, to your employees. I recognize that compliance and ethics training fatigue can set in at some point. But think back to Morgan Stanley and its declination in the Garth Peterson enforcement action. Morgan Stanley had very novel and creative ways to communicate compliance to its employees on a worldwide basis. Even something as simple as an email reminder was cited by the DOJ as evidence of the robustness of Morgan Stanley’s compliance program.

The Sandusky scandal and the Freeh Report will reverberate for a long time to come. For the compliance practitioner, there are several lessons learned that you should take away from this terrible and preventable tragedy. If you work in a university environment, I think that Monday morning you need to sit down and read the entire Freeh Report and then hire an outside third party to come in and within the next 30 days assess the university’s culture, governance, compliance policies and procedures for protecting our children. Please, for the sake of our children.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

October 31, 2011

The Seven Deadly Sins for a Compliance Program

In an article in the October/November issue of Society of Corporate and Compliance Ethics Magazine (SCCE), entitled “The seven biggest mistakes companies make that erode ethical culture and destroy reputation”, author Eric Feldman reviews his version of the Seven Deadly Sins for a company’s compliance and ethics program. While noting that the “most severe consequences of corporate ethical lapses can be mitigated, even avoided, by proactive care and feeding of a corporate culture” when a compliance crisis arises it may well be “too late to put the genie back in the bottle.” However, by following his seven prescriptions, it may well be the difference between a “bump in the road or falling into quicksand” when the government comes knocking.

1.      Putting the Code of Conduct on your Shelf

A Code of Conduct is not solely a reference tool, like a dictionary. An effective Code of Conduct is a “manifestation of a company’s core values.” In the words of Lanny Breuer, it is a living document and should be regularly updated, not sitting on the shelf for many years, without any updates. Recommendation – Demonstrate leadership and tone at the top.

2.      Ignoring your Company’s Culture

Feldman defines compliance as adherence to “laws, rules and regulations” and ethics as a guiding set of “core principles that ‘guide a company’s behavior’.” Put another way, does your company only “talk the talk” of ethics or more importantly does it “walk the walk” as well? Recommendation – Corporate focus on regular assessment and improvement of ethical culture.

3.      Worshiping at the Altar of Highest Grade Point Average

Interestingly, Feldman believes that companies which proudly proclaim that they hire only the “best and the brightest” may be setting themselves up for a big compliance problem. His root cause analysis: Gen X’ers and Gen Y’ers have more problems with “résumé credibility” than older workers. He notes that integrity needs to be a high basis in employee recruitment. Recommendation – Incorporate an ethics component into your hiring and interview process.

4.      Letting the Money Talk

There needs to be a clear compensation system based on reference to how an employee conducts business. This is true both for monetary compensation and promotion in the organization. Recommendation – System of sanctions for ethical violations and rewarding those who do business in an ethical manner.

5.      The Parent Trap – Do as I say, not as I do

This relates to Point 2. Your company needs to have in place a compensation and promotion system which rewards good ethics and compliance. I often use the example of the following: some Regional VP (outside the US – you pick the foreign region) is alleged to have said the following, “If I violate the Code of Conduct, I may or may not get caught; If I violate the Code of Conduct and get caught, I may or may not be disciplined; If I miss my numbers for two months, I will be fired.” If that is the reality, guess what, the Regional Vice President (VP) will make his or her numbers. Recommendation – Values based ethics training.

6.      Ethics in the Corner

Feldman writes that nothing speaks volumes louder than creating a company Chief Compliance Officer (CCO) and not giving that officer sufficient clout within an organization to get the job done. This will certainly be true if the government comes knocking. If the CCO is not high enough up in the organization or does not have the budget to accomplish the compliance mission, employees will clearly see this and react accordingly. Recommendation – A CCO who has both the authority and the budget to get the job done.

7.      Shooting or Ignoring the Messenger

Here Feldman is referring to the employee who reports ethical misconduct and suffers retaliation. Although every company says they never retaliate, the sad truth is very different in corporate America. This leads to too many employees staying silent about “fraud and misconduct striving in their organizations.” Worse yet is when the government comes knocking and they tell the investigator that they were afraid to report the misconduct. Recommendation – An anonymous hotline that earns employee credibility.

Feldman’s seven deadly mistakes provide an excellent framework for any company to assess their overall compliance program from a high level. While perhaps not rising to the level of “sins”, the answers will allow the compliance practitioner to be ready to respond if the Department of Justice comes a calling.

=======================================================

My This Week in FCPA colleague Howard Sklar begins a 4 part webinar series on “A Brave New World FCPA and UKBA: Take Steps to protect your organization now” next week. Registration and information is available at http://ht.ly/7ewKI. 

© Thomas R. Fox, 2011

August 8, 2011

United Breaks Guitars: Lesson Learned for Companies and Whistleblowers

Filed under: compliance programs,FCPA,Hotline — tfoxlaw @ 1:46 am

One of the ongoing debates in the compliance world has been over the Whistleblower Provision of Dodd-Frank and whether this provision will aid or diminish a company’s overall compliance program. One of the points in this debate is whether or not a whistleblower should be required to go through an internal hotline, or other reporting mechanism, before going to the Securities and Exchange Commission (SEC) and reporting alleged violations of the Foreign Corrupt Practices Act (FCPA) or other US Securities laws which may apply to the company in question.

Many compliance professionals argue that the entire purpose of an internal reporting structure will be destroyed if a whistleblower can report to the SEC, receive anti-discriminatory employment protections and a potential monetary bonus for any fines and penalties collected by the SEC. Whistleblower proponents point to examples of employees who reported violations or made complaints and were terminated or in other ways discriminated against in their continued employment with the company.

Even without the above debate, one of the ongoing discussions in any compliance department is how much of any compliance investigation to share within the company and the attendant question of whom to share the results of any investigation with inside the company. I can attest to this debate from personal experience. In my last corporate position, I was sent to investigate an alleged compliance violation in a South American country. After completing the investigation, the Compliance Department determined that the remedy was that the employee be reprimanded, receive additional training and have a Letter of Reprimand placed in their file. However, there was no indication to the business unit where the hotline complaint was initiated that any action had been taken and the person who made the complaint was never told of the resolution. Needless to say this led to some very hard feelings by the employees who had jointly reported the compliance allegation and loss of credibility for the Compliance Department.

All of the above came to mind when I was reading an article entitled “When Unhappy Customers Strike Back on the Internet” in the MIT Sloan Management Review, Spring 2011 Issue. In the article authors Thomas Tripp and Yany Grégoire explored the topic of “How should companies respond to, or prevent, irate customers’ online public complaints?” The authors began their article with the very omnipresent example of musician Dave Carroll and his experiences with United Airlines. After traveling on a United flight, Carroll found that his $3,500 guitar had been damaged during baggage handling. He initially attempted to resolve the issue with United personnel at the arrival airport who could not or would not provide any assistance to Carroll. He then spent “nine months of running the company’s customer service gauntlet” to eventually be told “that he was ineligible for compensation.”

Perhaps treating a professional musician in such a manner in the YouTube age is not the best PR move as Carroll wrote a song and created a music video, entitled “United Breaks Guitars”, about his experiences; as of the writing of the article the video has had over 9 million viewings. Eventually United conceded that perhaps compensation was appropriate by “offering to compensate Carroll for the damage” and promised to re-evaluate its policies.

Tripp and Grégoire provide suggestions for the understanding and managing of online public complaints. However, their points have application for the compliance practitioner in the context of the Dodd-Frank Whistleblower issues identified above. So the question becomes, what can a company do to manage its internal whistleblower process so that an employee does not become so dissatisfied that he or she subsequently runs to the SEC?

The authors break their analysis down into two components, which I believe relate to the compliance context. The first is to understand what would drive an employee to go outside the internal reporting process. It is usually due to what the employee feels is a sense of betrayal. That is, the employee has made a complaint in good faith but either nothing happens or nothing seems to happen. After the internal complaint has been initiated it must be triaged based on its severity. Just as in battlefield or hospital triage, the more serious a complaint, the quicker it should be investigated and resolved.

In my experience the initial complaint was made in October and I was not sent to investigate until early in the following year. So just as customer complaints should be dealt with expeditiously and efficiently, internal employee hotline complaints must also be dealt with in such a manner and the issue should not be allowed to fester.

The second component is that the employee must understand the internal reporting system and expectations should be set. This can begin through overall compliance training but it must also be specifically tailored to the report. At a recent conference I attended, a member of the audience asked a Department of Justice (DOJ) representative why 6 years after making a complaint regarding an export control violation at his company, there was no DOJ resolution. The audience member asking the question had recognized the DOJ representative as the person who had initially interviewed him after he made his complaint. The DOJ representative replied that the investigation was ongoing so he could not make any formal comments, but he then proceeded to explain the time and difficulty it took to develop evidence across many different US and foreign jurisdictions and coordinate an investigation with several US agencies. Perhaps if all of that had been explained at the beginning, or at some point throughout the process, it would have set a more realistic expectation for the whistleblower. The key is that the company must strive for fairness in the entire process.

The authors end their article with what I believe to be the key component to resolve the issue and that is “that process matters more than outcomes.” They point to the “fair process effect” from the labor-management context in which employees are willing to tolerate disappointing outcomes as long as they believe the “decision making processes surrounding the outcomes to be fair.” This drives home the point that a best practices compliance program is about process; having the right process in place is an important starting point for any compliance program. Moreover, the process should be communicated throughout the company and administered in a fair and equitable manner.

While I do not believe that most Compliance Departments will face the PR disaster that United has had to endure over “United Breaks Guitars”, the failure to have a fair and equitable process for managing employee compliance complaints, which are reported internally, can lead to very serious financial consequences. One need only look at the recent example of GlaxoSmithKline, which agreed to pay a $750 million fine to the US Food and Drug Administration based on a whistleblowing employee who had tried to internally alert the company to the issues which led to the fine. Now whistleblowing employees can go directly to the SEC and if there is a monetary fine, they get a piece of the action.

© Thomas R. Fox, 2011

February 3, 2011

The ERC on Whistle Blowing Workplace Misconduct: Attitude Matters

In December 2010, the Ethics Resource Center (ERC) released a White Paper entitled, “Blowing the Whistle on Workplace Misconduct.” This White Paper report detailed several findings that the ERC had determined through surveys, interviews and dialogues. Although the article reviewed types of misconduct broader than the compliance and ethics sphere, we believe that the ERC’s findings can be of particular use to the Foreign Corrupt Practices Act (FCPA) compliance practitioner in designing, assessing and revising a company’s whistle-blower program.

Need to Report Misconduct?
The ERC began by discussing some of the results of its own 2009 survey entitled, “Reporting: Who’s Telling You What You Need to Know, Who Isn’t and What Can You Do About It”. This report determined that over 60% had observed and reported misconduct within their respective companies, most usually to an internal authority. This led the ERC to conclude that almost 40% of employees who had observed misconduct did not step forward to report it and noted that convincing employees to step forward when they do observe misconduct is a challenge for any compliance practitioner. The ERC opined that to remedy this situation, some companies have linked ethical conduct to performance reviews to make clear that good behavior is a job expectation. Other companies, believing that some workers do not report violations because they fear retaliation, have set up hotlines that assure reporting can be done in private with less risk of being seen by a co-worker. Even Congress has gotten into the whistleblower action, with the inclusion of legal protections for whistleblowers and the establishment of monetary rewards for tipsters to encourage insiders to come forward with information that could send wrongdoers to jail for US securities violations in the 2010 Dodd-Frank Act.

Retaliation and Methods of Reporting
The ERC 2009 Survey also found that up to 15% of employees who had reported misconduct felt that they had been retaliated against. The retaliation had ranged from receiving the cold shoulder from fellow employees to job loss or even feeling threatened with physical retaliation. This finding was contrasted with the discovery that almost all who reported misconduct did not use an anonymous reporting hotline but reported directly to another person in the company. The reason for this was that most employees felt that their reports would be taken more seriously if they were shared face-to-face with someone else in the company. This reporting was to both immediate supervisors and upper management.

The ERC believes that understanding the method by which employees choose to report misconduct can assist a company to understand the motivation involved in reporting and how to encourage that motivation. The ERC confidently informs the compliance practitioner that the decision by an employee to report to one’s direct supervisor versus higher management is related to the ethical culture and climate of the workplace. In strong ethical cultures, with a tone at the top that makes it clear that ethics do matter, where supervisors aggressively reinforce the ethics message, and where both employees and managers alike are held to high ethical standards, more employees report to their direct supervisor. Conversely, reporting to higher management increases in weaker cultures and among employees who feel pressure not to report such misconduct or for those employees who are not confident that their direct managers are fully committed to strong ethics. These concerns may also include the fear of retaliation for reporting misconduct. However, it may be that employees simply lack confidence that their direct supervisor will pursue their reports. In those instances, turning to senior management can provide the safety of the organizational structure and a belief that higher management has the resources to address the issue effectively.

A Culture of Ethics Matters
The ERC notes in its White Paper report that the key take-away from all of the data is that a culture of ethics within a company does matter. Such a culture should start with a strong commitment to ethics at the top; however, it is also clear that this message must be reinforced throughout all levels of management, and that employees must understand that their company has the expectation that ethical standards are vital in the business’ day-to-day operations. If employees have this understanding, they are more likely to conduct themselves with integrity and report misconduct by others when they believe senior management has a genuine and long-term commitment to ethical behavior. Additionally those employees who report misconduct are often motivated by the belief that their reports will be properly investigated. Conversely, most employees are less concerned with the particular outcome than in knowing that their report was seriously considered.

For the FCPA compliance practitioner the message would seem clear. It is not just “Tone at the Top” but also in the middle and below. If all employees have a reasonable belief in an ethical culture, these same employees can be your best resource to prevent, deter and detect any compliance violations going forward. The ERC ends its White Paper by noting that when a company succeeds at building an ethical culture, with strong training programs and committed management, reporting of misconduct goes up and wrongdoing goes down. Attitude matters. If you wish to boost the odds of ethical conduct in your company, attitude and culture are places for focus.

© Thomas R. Fox, 2011


August 5, 2010

HOTLINES AS A FCPA COMPLIANCE TOOL

Employees are a company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. This concept is one key component of a Foreign Corrupt Practices Act (FCPA) compliance and ethics ‘best practices’ program. Both the Principles of Federal Prosecution of Business Organization (US Sentencing Guidelines) and the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance (“OECD Good Practices”) list, as one of their components, an anonymous reporting mechanism by which employees can report compliance and ethics violations. This concept, in the FCPA world, is usually referred to as a “Hotline”. This article will discuss how the use of a Hotline can assist a company with its overall FCPA compliance and ethics efforts.

The US Sentencing Guidelines state:

(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

The OECD Good Practices states:

v) companies to provide channels for communication by, and protection of, persons not willing to violate professional standards or ethics under instructions or pressure from hierarchical superiors, as well as for persons willing to report breaches of the law or professional standards or ethics occurring within the company in good faith and on reasonable grounds, and should encourage companies to take appropriate action based on such reporting;

Confidential reporting is critical to any organization, not only because of the legal requirements which specify that such a mechanism be available for employees, but also to allow escalation of compliance and ethics issues in a manner which is safe for employees and can lead to the discovery of significant FCPA compliance issues. Two recent examples of employees reporting issues include the Daimler and the ongoing Avon matters. A company’s commitment to a hotline provides a means by which employees can elevate compliance and ethics concerns before they become full blown FCPA enforcement actions.

While there is no generally accepted industry standard regarding the implementation and employment of a Hotline, Ethicspoint, in a White Paper entitled “It’s Not Your Father’s Hotline”, suggested the following as the ‘best practices’ for internal Hotlines:

1. Availability – a Hotline should be available 24 hours a day/7 days a week and toll-free. It should be available in the native tongue of the person utilizing it, so if your work force uses more than one language for inter-company communications, your Hotline should reflect this as well.
2. Escalation – after a report is received through the Hotline it should be distributed to the appropriate person or department for action and oversight. This would also include resolution of the information presented, if warranted, and consistent application of the investigation process throughout the pendency of the matter.
3. Follow-Up – there should be a mechanism for follow-up with the Hotline reporter, even if the report is made anonymously. This allows the appropriate person within your organization to substantiate the report or obtain additional information at an early stage, if appropriate.
4. Oversight – the information communicated through the Hotline should be available to the appropriate Board Committee or Management Committee in the form of statistical summaries, and an audit trail should be available to the appropriate oversight group of actions taken and resolution of any information reported through the Hotline.

The Hotline can be a key company tool in an effective FCPA compliance program. Properly advertised and then utilized, it can assist a company to learn about issues and take appropriate actions before these issues erupt into more serious problems. Lastly the proper maintenance of a Hotline can not only allow a company to track compliance issues as they come into the system and document its response but also use this information as an ongoing audit of its FCPA compliance system.

© Thomas R. Fox, 2010
