FCPA Compliance and Ethics Blog

January 17, 2014

Naval Theorists and the Measurement of Compliance

If you are interested in naval history, strategy and tactics, I have a question for you: Are you a disciple of Alfred Mahan or Julian Corbett? If you are a Mahanian, you probably focus on large naval engagements or the great battle concept. If you are Corbettian, you probably think about a series of smaller engagements, with an offensive-defensive mentality. I pose this because I am currently studying great military strategic thinkers. One thing they both advocate is information collection and analysis as a tool not only to predict potential future outcomes but to remediate defects as they appear. In other words, measurement.

Why should an organization measure its compliance program? One quick answer is that it is one way to demonstrate that your compliance program is ‘effective’ under the US Sentencing Guidelines for Organizations. But more holistically, such measurements allow a company to know if it is operating within the parameters it has set and in compliance with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. Further, such metrics can provide more and better information for strategic decision making, help employee engagement with compliance and produce a clearer picture of compliance risks and requirements.

In an article in Compliance Week, entitled “Measuring the Integrity of an Organization”, author Michael Rasmussen explored this issue and then facilitated a roundtable discussion on the topic. Rasmussen’s article was paired with another in the series of Open Compliance and Ethics Group (OCEG) GRC Illustrated pieces entitled, “Integrated Compliance & Ethics Metrics”.

In the roundtable, Patrick Quinlan, Chief Executive Officer (CEO) of Convercent, said, “compliance should be looking at objectively measuring how a location, a department, or employee behavior stacks up against the organization’s values and policies. You should measure to compare, monitor, and pursue participation, engagement, and improvements where needed. Regulators may want to see checked boxes of compliance (percentage of policy attestations and training courses completed; controls in place; responses to incidents). Culture and engagement metrics can serve as valuable indicators of issues that may rise to the surface later. Employees respond to how they are evaluated; making ethical behavior a part of performance evaluations is an important part of instilling compliance at every level.”

Jose Tabuena, Global Compliance & Regulatory Counsel for Orion Health, believes that it is important for a compliance practitioner to “Develop a scorecard to give stakeholders information about the compliance program and where there is risk. Metrics should be gathered from both inside (e.g., investigations, compliance committee meetings, subject matter audits, etc.) and outside (e.g., government agency audits and observations, including fines and penalties). These metrics monitor the program over time and identify legal and other minefields that are ripe for corrective action.” Anita Helpert, Director of Internal Audit at Raytheon, specified four areas that organizations should compare. First, “awareness training completions that answer: Have we equipped attendees to understand expected conduct, to recognize issues, and to feel confident in reporting issues?” Second, you should look at tone-at-the-top: “What evidence supports leaders setting examples and nurturing an environment of ethical behavior?” The third is hotline reporting: “Do reports confirm or deny our ‘ethics checks’ and provide insight on how people ask for guidance or report potential issues?” Fourth, and finally, is ethics metrics: “When we respond to a report or question, what do we find? How does this trend over time, by organizational structure, by leader, by location?”

The GRC Illustrated compendium detailed success factors. These included:

  • Top level support – you can gain the endorsement of management and obtain a larger allocation of resources by “demonstrating how strategic decision making depends on analysis and timely delivery of information.”
  • Employee engagement – by engaging employees you not only make them more comfortable with compliance but also make compliance more meaningful and beneficial to them.
  • Knowing your needs – you need to determine what information is required to assist in “strategic decision making, support established values, improve compliance efforts and better manage resources.”
  • Single source of information – there should be one centralized system to consolidate metrics and ensure increased accuracy for better analysis and decisions.
  • Ease of use – the compliance practitioner needs to “enable quick, simple and meaningful management of data and dashboards for viewing and analysis of metrics.”

An interesting glossary in the GRC Illustrated compendium defined the types of metrics and examples that might be used. They were:

  • Number – you should count the number of incidents, policies, surveys, reports, automated controls, and employee conduct – whether good or bad.
  • Frequency – you should determine how often training and surveys take place, incidents occur, issues are reported and the workforce is surveyed.
  • Flagged – you should identify policies requiring review or individuals, locations, and operations with multiple problems, high-level risks or strength in desired conduct.
  • Ranking – here you should assess the severity of incidents, benchmarking outcomes, employee leadership qualities and the risk ranking of third parties.
  • Trends – you should evaluate metrics for specific areas such as training completion or level of employee engagement over time and relate them to program changes.
  • Relationships – you should consider the controls per risk, incident trends to training frequency or survey completion rates to the number of reminders.

Rasmussen ends his article by noting that these types of approaches to ethics and compliance allow not only the demonstrable proof that regulators such as the Department of Justice (DOJ) or Serious Fraud Office (SFO) are looking for but also “shifts the focus of efforts from being reactive and ‘checking the box’ to proactive and forward-looking. This shift enables compliance to monitor integrity by processing and managing metrics across the organization in the context of rapidly changing business, regulatory, legal, and reputational risks to ensure compliance is operationally effective.”

With this integrated compliance architecture a company can create “an optimized infrastructure to report on metrics, benchmark integrity, and understand compliance in the context of business strategy and execution. Measuring integrity requires that the organization have clear insight into metrics supporting the development and communication of clear policies, continual feedback from employees, effectiveness of training programs, incident reporting, and the engagement of employees with these systems. All of these lead to an efficient and effective compliance program responsible for being the champion of organizational integrity.”

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want to discuss the 10 points listed as the “Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has used in Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that, depending on a variety of factors such as size, type of business, industry and risk profile, a company should determine what is appropriate for its own needs regarding an FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words, you should pay attention to these and use this information to assess your own compliance regime.

  1. Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’, company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required; it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
  2. Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
  3. Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
  4. Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one overriding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
  5. Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
  6. Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
  7. Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
  8. Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
  9. Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
  10. Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what they expect not only in the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence as it can before it purchases a company. After the deal is closed, an acquiring entity needs to perform an FCPA audit, train all senior management and high risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime; assess your company’s risks and use these hallmarks as a basis to move forward.


© Thomas R. Fox, 2013

April 9, 2012

Bill James, the Baseball Abstract and the Use of Metrics in Compliance

As of today, the Houston Astros (at 2-1) are above .500 in wins and losses for the first time since July 2009. So we celebrate that most important of baseball metrics, the wins and losses.

One of the joys of baseball is the almost innumerable metrics available to the fan, fantasy league manager or just plain stat freak. Batting Average (BA), On-Base Percentage (ONP), Slugging Percentage (SP), On-Base Slugging Percentage (OBSP), and Earned Run Average (ERA) are but a few. Indeed there are now full glossaries to define the various statistical measurements used in baseball. The use of statistics in baseball was made most popular by Bill James and his work, “Baseball Abstract”, and more recently popularized in the book by Michael Lewis that was made into the Oscar-nominated movie “Moneyball” starring Brad Pitt.

However, in the world of Foreign Corrupt Practices Act (FCPA) and other anti-corruption compliance metrics, many compliance practitioners are still in the infancy of using statistics to help inform and measure a compliance program. A recent article in the April 2012 issue of the Harvard Business Review, entitled “Good Data Won’t Guarantee Good Decisions” by Shvetank Shah, Andrew Horne and Jaime Capella, explores this issue and comes to a conclusion which bedevils many compliance practitioners. It is that “most companies have too few analytic-savvy workers.” The article then goes on to provide guidance on how to develop them. The authors begin by identifying four main problems which they believe prevent companies from utilizing the data that they generate.

Four Problems

1. Analytics skills are concentrated in too few employees within the company. The authors note that “when a new form of analytics enters the workplace” companies will hire experts to manage and interpret it. They somehow believe that this expert knowledge will ‘trickle down’ throughout the ranks of the company. However, the experts who install the technology to generate the data may not even provide training before their consulting assignment is over. Even if they put on training, company employees may well not use the technology or data very often and the training may not be retained. If the experts are not kept onboard for ongoing mentoring or data interpretation, the company will not know how to use the data.

2. Company IT functions need to spend more time on the “information” quotient of IT and less time on the “technology” quotient. The authors believe that most IT functions were developed in conjunction with Finance, Human Resources (HR), Supply Chain or other departments within an organization “where the business needs are clearly defined, stable and relatively consistent over a wide group of users.” However, in other groups or departments such as compliance, there may be diverse data or a group of compliance practitioners which cannot fully articulate their specific needs. The authors believe that most IT departments cannot supply such “anthropological skills and behavioral understanding.”

3. The problem is not that there is too much information but that it is too hard to locate. Even if IT can collect the appropriate data, the authors believe that many within organizations do not have a “coherent, accessible structure for the data” which the company has collected. They liken the situation to a “library without a card catalogue” (how’s that for old school!). Even with the rise of mobile computing platforms such as tablets or smartphones, it is now harder to manage analytic content.

4. Senior management is not trained to manage information as well as it is trained to manage talent, capital and brand. Here the authors seem to be the most critical. They almost scream out when they say, “Management needs to wake up to the fact that their data investments are providing limited returns because their organization is under-invested in understanding the information.” They believe that too many senior managers treat data as something that the company’s IT department should handle and analyze. Conversely, senior management considers its time too valuable to make sure that the appropriate information is shared appropriately across the organization.

Three Prescriptions

Does any of the above sound like problems in your organization? The authors deliver three prescriptions which they believe can help to overcome the issues that they identify as impediments to the use of data analytics. First and foremost is training. The authors believe that companies should spend more time and money training employees on the use of statistics. Recognizing that almost anyone with any type of business degree from a college or university had some type of statistics course, the authors believe that companies should offer refreshers or build upon this base. But they point out that training should not end with classroom courses or refreshers. Ongoing coaching is equally important to provide follow up and answer the inevitable questions that arise in the day-to-day use of new analytics.

The second change that the authors urge companies to make is how to “more efficiently incorporate information into decision making.” They point out that some of the best data-driven companies “have formalized the decision-making process, setting up standard procedures so that employees can obtain and correctly use the most appropriate data.” This should be reinforced by a company through its rewards system in the form of employee reviews and specific job objectives, but a key is to make certain employees are not penalized for making “diverse contributions, challenges and second-guesses” to data.

The third prescription is for a company to provide its employees with the right tools to use the data. The authors believe that “half of all employees find that information from corporate sources is in an unusable format.” The authors believe that the best practice for a company is to employ improved data “filtering and better visualization.” However, the authors caution that whatever tools are used, the unfiltered data needs to be available if an employee wants or needs to drill down into the raw data.

The authors have presented a framework within which a Compliance Department can begin to think about what metrics it wants to evaluate and how to set up a program to train the department’s compliance practitioners to use the data. A Compliance Department needs to ensure that it closes any gaps it might have in the interpretation of data and keeps pace with the information which it imports into its compliance program. If you need more help, consider reading “Moneyball” to see how the Oakland Athletics used analytics to help build a record setting team.


© Thomas R. Fox, 2012
