Policies and Procedures | FCPA Compliance and Ethics Blog

July 14, 2015

Great Structures Week II – Structures from Ancient Egypt and Greece

I continue my Great Structures Week with a focus on great structures from the earliest times, ancient Egypt and Greece. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. From Egypt there are of course the Pyramids, of which Ressler says, “They’re important, not just because they’re great structures, but also because they represent some of the earliest human achievements that can legitimately be called engineering. The Great Pyramid of Giza stands today as a testament to the strength and durability of Egyptian structural engineering skills.”

From Greece we derive what Vitruvius called the “Empirical Rules for Temple Design” which define a “single dimensional module equal to the radius of a column in the temple portico, then specify all other dimensions of the building in terms of that module.” These rules are best seen in Greek temples, largely consisting of columns, which are defined as “a structural element that carries load primarily in compression” and beams, which are “structural elements subject to transverse loading and carry load in bending.” My favorite example of the use of columns is seen in the Parthenon; the most famous of all Greek temples still standing.

In many ways these two very different structures stand as the basis of all structural engineering and Great Structures that come later throughout history. For any anti-corruption compliance regime based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery statutes, the same is true for a Code of Conduct and written policies and procedures. They are both the building blocks of everything that comes thereafter.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2^nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” Parethnon

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, now a partner at Foley & Lardner, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Borrowing from an article in the Houston Business Journal (HBJ) by John Allen, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

identify to whom the policy applies;
establish the objective of the policy;
explain why the policy is necessary;
outline examples of acceptable and unacceptable behavior under the policy; and
warn of the consequences if an employee fails to comply with the policy.

Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Consider gathering small groups of employees, where detailed questions about policies can be raised and discussed, as a powerful teaching tool. Allen even suggests posting Frequently Asked Questions (FAQ’s) in common areas as another technique. And do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the Department of Justice (DOJ) was that it sent out bi-monthly compliance reminder emails to its employee Garth Peterson for the seven years he was employed by the company.

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

For a review of what goes into the base structures of a best practices compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Leave a Comment

July 28, 2014

Bringing It All Home, the Two Tough Cookies Wrap It Up For You, Part I

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs,Culture,Ethical Leadership,Ethics,FCPA,Policies and Procedures — tfoxlaw @ 6:41 am
Tags: best practices, compliance, compliance programs, ethical leadership, ethics, ethics and compliance, FCPA

Note-I asked the Two Tough Cookies if they could put together a series of blog posts wrapping up the lessons they have seen and learned and written about in their series of Tales from the Crypt. They graciously put together a series of posts on the seven elements of an effective compliance program from their 10 tales of Business Conduct. Today, Part I of a Three Part Series…

We’ve talked a lot in our Tales from the Crypt about the signs to watch for that indicate something’s gone wrong, from minor cultural twists to lapses of integrity that are tantamount to criminal activity. We all wish we had a crystal ball we could peer into to predict how various maneuvers will translate into the larger universe of corporate culture. One of the best tools to use to gauge the cultural baseline is an organizational ethics audit, reminding yourself that “what gets reported gets measured.”

Your first hurdle, of course, is getting executive leadership to support the initiative. If they don’t support it, then you have your first cultural indicator. After all, if you have nothing to hide, you have nothing to lose by peering under the covers, now do you? So let’s assume your leadership is supportive of developing, and/or sustaining, a “high integrity” organization. So what do you want to measure? The ‘seven elements of an effective compliance program’ is a good start, but by no means exhaustive. After all, many organizations fulfill “ethics oversight” by having a CCO in title (usually, the GC or CFO), but the day-to-day oversight and management of the program is led by staff members who are not empowered to work towards positive change. You know who you are, you know the daily frustration of knowing what should be done, and what leadership will allow. So while “oversight” is met, is it really “effective?”

So let’s remind ourselves of the seven elements once again:

1. Establish Policies, Procedures and Controls

2. Exercise Effective Compliance and Ethics Oversight

3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals

4. Communicate and Educate Employees on Compliance and Ethics Programs

5. Monitor and Audit Compliance and Ethics Programs for Effectiveness

6. Ensure Consistent Enforcement and Discipline of Violations

7. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents

How do these elements translate into an organizational ethics audit? And how do our 10 rules of business conduct in the workplace (from our “Tales from the Crypt” series) fit in? Let’s break it down into manageable chunks.

1. Establish Policies, Procedures and Controls

Under this “bucket” include your Code of Conduct, your Vision and Values statements for your organization, and the various policies and procedures you rely upon to get business done. What you want to know, when conducting your audit, is not just do you have these, but

Does your Vision statement create an actionable description of the future? If so, what is it, and more importantly, do your people know it, and understand what role they play in achieving that future?
Is “Integrity” one of your Values?
What’s the purpose and Focus of your Code of Conduct? What kind of tone does it set, is it widely distributed, prominently displayed, easy to read? Does it have learning aids, and examples of not only wrong doing, but “right” doing behaviors? What expectation does it set? Is it universal or have you caved to various constituencies and created multiple versions (not translations, but actual versions) to “meet the needs” of various cultures. If you have, then you are net setting a single standard that all can live by, and you will have people applying their own standard to their behaviors, not yours. Ethics should not be subject to interpretation, nor external pressures such as Worker’s Councils, unions, or special interest groups.
Are your policies relevant to your business, or did someone just borrow something from an HR toolkit to get you started? Do you have a formal non-retaliation policy (and not just a nod towards the concept in your Code of Conduct), and formal procedures to deter retaliation. The rules in this area need to be cut and dry to make people know you “have their back” when the you know what hits the fan. You want to encourage people to step up, and the only way you can do that is a rock solid approach to non-retaliation.
Last, but not least, are your policies “uniformly enforced?” Much like the sentencing guidelines, organizations, large and small alike, should be dealing with transgressions with an even hand to truly have an ethical culture. People like boundaries, like to know where the line in the sand is drawn. Trust me on this. So do you know exactly where your organization’s boundaries are? Or does the line move from incident to incident?

2. Exercise Effective Compliance and Ethics Oversight

As I mentioned before, many organizations have day-to-day oversight managed by staff, with a titular CECO residing with one of the executive leaders, like the GC or the CFO. Larger organizations have dedicated compliance officers who aren’t forced to wear multiple hats, who truly have teams of dedicated compliance officials reporting up to their organization. This is particularly true in highly regulated industries, such as finance, insurance, healthcare, food and drug manufacturing, where government oversight plays a large role in day to day business. It is fair to say that smaller organizations don’t need to have a dedicated compliance officer per se, but when you have a staff attorney, for instance, managing the day to day operations of your ethics and compliance program, you have put that person in a Catch 22. Period. You may want an attorney in that spot for attorney client privilege, but if you do that recognize that you’ve also handcuffed the person from being able to independently report wrong doing if something goes drastically wrong, as they are duty bound to keep matters confidential, even within the business.

So you want to measure whether or not the person with day-to-day oversight has the freedom (or mechanisms) to raise concerns.

If it’s a staff attorney, is the job description written so that when wearing the compliance hat, the attorney hat comes off? Tough to do, but possible.
Are there layers of management between the day-to-day person who is managing the ethics and compliance program, and the person with the “title” CECO?
Are there many people with “compliance” in their title, and do they work together, or independently? I have worked in organizations where “compliance” was part of several functions, but the right hand, and the left hand, weren’t speaking to each other. Trade Compliance reported to one division, Environmental Compliance reported to another division, product compliance reported to yet a third division, HIPAA compliance to yet a fourth, and so on. None of these units worked together, some were staffed heavily, some staffed thinly, and the actual “head” of Integrity & Compliance was ineffective at convincing senior leadership that all compliance functions should be at least working towards the same goals in the organization. It all depended on the business leader at the top of the silo and whether or not they were effective in getting the support they needed to run their business. It also depended on whether or not the business unit was a profit center or a cost center, and if a cost center, where it reported up into the business – as a G&A expense, or an administrative cost aligned with operations. Those that were part of operations were well-funded, those reporting in on the administrative side as a pure cost center (including the “head”) were poorly resourced.
Do you have an ethics steering committee or working group that represents all functions and business units, and is staffed by executive or senior leaders who are in a position to make decisions for the larger organization? This serves as a checks and balance that is critical if the day-to-day oversight is led by a staffer. The staffer can build consensus with a larger group that has a vested interest in the outcome by holding those critical meetings before the meeting to test run proposals, and receive important feedback on how to effectively present a proposal to the team to ensure acceptance and success. The staffer can also go to a trusted member of the committee if he or she feels that the CECO is not receptive to hearing concerns and serve as a sounding board. Hopefully, that is.

Tomorrow, elements 3-7.

Who are the Two Tough Cookies?

Tough Cookie 1 has spent the more than half of her 20+ legal career working in the Integrity and Compliance field, and has been the architect of award-winning and effective ethics and compliance programs at both publicly traded and privately held companies. Tough Cookie 2 is a Certified Internal Auditor and CPA who has faced ethical and compliance challenges in a variety of industries and geographies and recently led a global internal audit team. Their series “Tales from the Crypt: Tough Choices for Tough Cookies” are drawn largely from real life experiences on the front line of working in Integrity & Compliance, and personal details have been scrubbed to protect, well, you know, just about everyone…

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors, their affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Authors give their permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors.

Comments (2)

July 25, 2014

Code of Conduct, Compliance Policies and Procedures-Part IV

Filed under: Best Practices,Bribery Act,Code of Conduct,Compliance,Compliance and Ethics,compliance programs,Department of Justice,FCPA,FCPA Guidance,Policies and Procedures — tfoxlaw @ 12:01 am
Tags: best practices, Code of Conduct, compliance, compliance programs, DOJ, FCPA, Policies and Procedures

This is the fourth and final installment of my series on the the importance of a Code of Conduct and anti-corruption compliance policies and procedures in your compliance program and how you should go about drafting or updating Code of Conduct and anti-corruption compliance policies and procedures. On Tuesday, I reviewed the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I looked at how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures. Today, I will end the series on how to keep all of the above vibrant and dynamic through a discussion of how to assess, review and revise them and your Code of Conduct on a timely basis.

Simply having a Code of Conduct, together with policies and procedures is not enough. As articulated by former Assistant Attorney General, for the Criminal Division of the US Department of Justice, Lanny Breuer, “Your compliance program is a living entity; it should be constantly evolving.” In an article in the SCCE Magazine, entitled “Six steps for revising your company’s Code of Conduct”, authors Anne Marie Logarta and Ruth Ward suggest considering the following issues before you take on an update of your Code of Conduct.

When was the last time your Code of Conduct was released or revised?
Have there been changes to your company’s internal policies since the last revision?
Have there been changes to relevant laws relating to a topic covered in your company’s Code of Conduct?
Are any of the guidelines outdated?
Is there a budget to create/revise a Code?

After considering these issues, the authors suggest that you should benchmark your current Code of Conduct against others companies in your industry. I would also add that your standards, policies and procedures should be reviewed and updated in the same manner. If you decide to move forward the authors have a six-point guide which they believe will assist you in making your revision process successful, which I have used as a basis to include revisions to your compliance policies and procedures.

Get buy-in from decision makers at the highest level of the company

The authors believe that your company’s highest level must give the mandate for a revision to a Code of Conduct and compliance polices and procedures. It should be the Chief Executive Officer (CEO), General Counsel (GC) or Chief Compliance Officer (CCO), or better yet all three to mandate this effort. Whoever gives the mandate, this person should be “consulted at every major step of the Code review process if it involves a change in the direction of key policies.”

Establish a core revision committee

You should have a cross-functional working group would be ideal to head up your effort to revise your Code of Conduct and compliance polices and procedures. This group should include representatives from the following departments: legal, compliance, communications, HR; there should also be other functions which represent the company’s domestic and international business units; finally there should be functions within the company represented such as finance and accounting, IT, marketing and sales.

From this large group, the topics can be assigned for initial drafting to functions based on “relevancy or necessity”. These different functions would also solicit feedback from their functional peers and deliver a final, proposed draft to the Drafting Committee. The authors emphasize that creation of a “timeline at the outset of the revision is critical and hold the function representatives accountable for meeting their deliverables.”

Conduct a thorough technology assessment

The cornerstone of the revision process is how your company captures, collaborates and preserves “all of the comments, notes, edits and decisions during the entire project.” They believe that technology such as SharePoint or Google Cloud can be of great assistance to accomplish this process even if you are required to train team members on their use.

In addition to this use of technology in drafting your Code of Conduct and compliance polices and procedures revisions, you should determine if they will be available in hard copy, online or both. If it will be available online, you should assess “the best application to launch your Code and whether it includes a certification process”. Lastly, there must be a distribution plan, particularly if the Code and compliance polices and procedures will only be available in hard copy.

Determine translations and localizations

The authors emphasize, “If your company does business internationally, then this step is vital to ensure you have one Code, no matter the language.” They do note that if you decide to translate your Code of Conduct be sure and hire someone who is an “approved company translation subject matter expert.” Here I would simply say to contact Jay Rosen at Merrill Brink, as those guys are the one of the top Language Service Providers and know what they are doing when it comes to translations. The key is that “your employees have the same understanding of the company’s Code-no matter the language.”

Develop a plan to communicate the Code of Conduct

A rollout is always critical because it “is important that the new or revised Code is communicated in a manner that encourages employees to review and use the Code on an ongoing basis.” Your company should use the full panoply of tools available to it to publicize your new or revised Code of Conduct and compliance polices and procedures. This can include a multi-media approach or physically handing out a copy to all employees at a designated time. You might consider having a company-wide Code of Conduct and compliance polices and procedures meeting where the new or revised documents are rolled out across the company all in one day. But remember, with all thing compliance; the three most important aspects are ‘Document, Document and Document’. However you deliver the new or revised Code of Conduct, you must document that each employee receives it.

6. Stay on Target

The authors end by noting that if you set realistic expectations you should be able to stay on deadline and stay within your budget. They state that “You want to set aside enough time so that you won’t feel rushed or in a hurry to get it done.” They also reiterate that to keep a close watch on your budget so that you do not exceed it.

These points are a useful guide to not only thinking through how to determine if your Code of Conduct, and compliance policies and procedure needs updating, but also practical steps on how to tackle the problem. If it has been more than five years since it was last updated, you should begin the process that the authors have laid out. It is far better to review and update if appropriate than wait for a massive FCPA investigation to go through the process.

There are numerous reasons to put some serious work into your Code of Conduct, policies and procedure. They are certainly a first line of defense when the government comes knocking. The FCPA Guidance makes clear that “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” And by considered, I think it is clear that this means the regulators will take a strong view against a company that does not have well thought out and articulated policies, procedures or Code of Conduct; all of which are systematically reviewed and updated. Moreover, as Allen emphasized, “having policies written out and signed by employees provides what some consider the most vital layer of communication.” Together with a signed acknowledgement, these documents can serve as evidentiary support if a future issue arises. In other words, the ‘Document, Document and Document’ mantra applies just as strongly to this area of anti-corruption compliance.

© Thomas R. Fox, 2014

Leave a Comment

July 24, 2014

Code of Conduct, Compliance Policies and Procedures-Part III

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs,Culture,Department of Justice,Document Document Document,Ethical Leadership,Ethics,FCPA,FCPA Guidance,Michael Rasmussen,Policies and Procedures — tfoxlaw @ 6:13 am
Tags: best practices, compliance, compliance programs, ethics and compliance, FCPA

Today, I continue with Part III of my four-part series on the best practices surrounding your Code of Conduct and anti-corruption policies and procedures. In this post, I take a look at drafting policies and procedures. I conclude with some thoughts by well-known policy pundit Michael Rasmussen on management of policies going forward.

One of the key components of any best practices compliance regime under any anti-bribery and anti-corruption program is policies and procedures. Policies and procedures tie together a company, its business environment, the risks it faces and the compliance requirements. Policies procedures are a specific requirement for any anti-corruption/anti-bribery compliance regime. In the FCPA Guidance it stated, “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” Under the UK Bribery Act, policies are discussed in the Six Principles of an Adequate Procedures compliance program under Principle V – Communication, where it states “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.”

As further stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

identify to whom the policy applies;
establish the objective of the policy;
explain why the policy is necessary;
outline examples of acceptable and unacceptable behavior under the policy; and
warn of the consequences if an employee fails to comply with the policy.

Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Allen even suggests posting FAQ’s in common areas as another technique. And please do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the DOJ was that it sent out bi-monthly compliance reminder emails to its employee Garth Peterson for the seven years he was employed by the company.

Interesting, Allen emphasizes, “having policies written out and signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises.” I also like it when others recognize my ‘Document, Document and Document’ mantra for FCPA compliance.

While I think that most compliance practitioners understand this need for policies and procedures, one of the things that is not usually emphasized at a company is effective policy management. Michael Rasmussen writing in Compliance Week in an article entitled “Improving Policies Through Metrics” discussed the need for effective policy management. He believes that it requires that a company must periodically review their policies to ensure that they are relevant and aligned with both current laws and corporate objectives. This is because today’s business environment is dynamic and involves both internal and external factors, so, consequently, as a company evolves and changes its policies need to be updated to reflect these changes.

Rasmussen believes that at a minimum, policies must be reviewed annually. He recommends that each policy should go through a yearly review process to determine if it is still appropriate. There should be a “system of accountability and workflow that facilitates” any policy review process. The end product should be a decision to “retire the process, keep the policy as it is, or revise the policy.” Rasmussen lists five items that a policy owner should evaluate as a part of the policy review process.

Violations. Here Rasmussen believes that information from reporting systems such as hotlines or other anonymous lines as well as internal or external investigations must be reviewed. Not only would such information indicate if a company policy was violated but the follow-up investigation would help to determine how the policy might have failed, whether it was through “lack of awareness, unauthorized exceptions [or] outright violations.”
Understanding. Here Rasmussen writes that there should be an analysis of “training and awareness programs, policy attestations” and attendant metrics to determine an appropriate level of policy understanding. He believes that questions to a helpdesk or compliance department could help to discover any ambiguities in a policy that might need to be corrected.
Exceptions. If you have a policy it should be followed. If an exception to a policy was granted the reason for the exception should have been documented. If there are too many exceptions granted for a policy, it might indicate that “the policy is inappropriate and unenforceable” and therefore should be revised.
Compliance. A policy should govern and authorize internal controls. These internal controls should be reviewed in conjunction with the policy review to determine overall policy effectiveness. This is because “At the end of the day the policy needs to be complied with.”
Environment. All the factors around a policy are in flux. This includes a company’s risk profile, its business strategy, laws and regulations. Since a business’ climate is dynamic, a policy should be reviewed in the context of a company’s overall situation and revised accordingly.

If there is a change in a policy it is important that not only the correct change be made but that any change is documented. An audit trail is a key component for a company to internally understand when a change is made and the reason for that change but also to demonstrate to a regulator effective policy management and to present “a defensible history of policy interactions on communications, training, acknowledgements, assessments and related details needed to show the was enforced and operational.” This audit trail should include “key data points such as the owner, who read it, who was trained, acceptance acknowledgements and dates for specific policy versions”. In addition to an audit trail, policy revisions should be archived for referral back at a later time. So, once again, the key message is document, document and document.

Just as best practices in the FCPA compliance arena evolve, so do business practices, markets and risks. If you throw in the complexities from an inter-connected global business milieu, the task becomes even tougher. Business policies are one of the keystones of a company’s communications to its employees on what it expects and what is required of its employees. To keep policies up-to-date and properly take advantage of this valuable tool, policies need to be evaluated and updated as appropriate. If your company fails to do so this takes away from the value of having policies in the first place. I hope that you will use the techniques which Rasmussen has described to help you effectively manage your policies going forward.

© Thomas R. Fox, 2014

Leave a Comment

July 22, 2014

Code of Conduct, Compliance Policies and Procedures-Part I

For the remainder of this week, I will have a four-part episode on your Code of Conduct and anti-corruption compliance policies and procedures. In today’s post I will review the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I will review how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures and how to assess, review and revise them on a timely basis.

The cornerstone of a US Foreign Corrupt Practice Act (FCPA) compliance program is its written protocols. This includes a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In each DPA and NPA over the past 36 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

Stephen Martin and Paul McNulty, partners in the law firm of Baker and McKenzie, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally express its ethical principles. But simply having a Code of Conduct is not enough. So a second step mandates that very company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

© Thomas R. Fox, 2014

Leave a Comment

July 24, 2013

Honoring Helen Thomas and Praising FCPA Compliance Policies

Filed under: Best Practices,compliance programs,Department of Justice,FCPA,FCPA Guidance,Policies and Procedures — tfoxlaw @ 1:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, NYT, SEC

This past weekend Helen Thomas passed away. She truly was a one-of-a-kind. The Dean of the White House Press Corp when she died, having covered every president from John F. Kennedy to Barack Obama for United Press International (UPI) and later for Hearst Newspapers. According to her obituary in the New York Times (NYT), entitled “50 Years of Tough Questions and ‘Thank You, Mr. President’”, by David Stout “She covered John F. Kennedy’s presidential campaign in 1960, and when he won she became the first woman assigned to the White House full time by a news service.” I remember her for the Hearst syndicated bi-weekly column she wrote on national issues, she would mix in tales of her long reporting career with current events for some great pieces.

I thought about Helen Thomas, her reporting and her columns when I read a recent piece in the Houston Business Journal (HBJ) by John Allen, entitled “Company policies are source and structure of stability”. This article has some interesting and important insights into the role of policies in any Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Indeed in the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, compliance policies are one of the ten hallmarks of an effective compliance program. The FCPA Guidance states that the DOJ and SEC will consider “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures” in making any assessment of whether to prosecute a company.”

Allen believes that there are five key elements to any “well-constructed policy”. They are:

identify to whom the policy applies;
establish the objective of the policy;
explain why the policy is necessary;
outline examples of acceptable and unacceptable behavior under the policy; and
warn of the consequences if an employee fails to comply with the policy.

The FCPA Guidance list several components of what should be considered in compliance policies and states “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”

Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ world-wide work force, simply the logistics of training can appear daunting. Small groups where questions about compliance policies can be discussed and detailed questions raised can be a powerful teaching tool. Allen even suggests posting FAQ’s in common areas as another technique. And please do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the DOJ was that it sent out bi-monthly compliance reminder emails to its employee Garth Peterson for the seven years he was employed by the company.

Interesting, Allen emphasizes “having policies written out and signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises.” I also like it when others recognize my ‘Document, Document and Document’ mantra for FCPA compliance.

The FCPA Guidance ends its section on compliance policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

One of the things that I think made Helen Thomas great as a reporter was that she did her homework, she researched the issues, sought out knowledgeable sources and then asked direct questions when she was in front of the most powerful person in the world, the President of the United States. In her NYT obit, it stated, “In an interview with The New York Times in May 2006, Ms. Thomas was characteristically uncompromising and unapologetic. “How would you define the difference between a probing question and a rude one?” she was asked. “I don’t think there are any rude questions,” she said.”

I think that the same concept can be brought across to compliance policies. The work may not seem glamorous but it is essential to creating a viable component to any effective compliance program. Allen ended his article with the following “When policies take into account the interests of employees, partners and external stakeholders, and not merely the company’s self-preservation, they can be an excellent source of stability and strength.” This closely mirrors the FCPA Guidance which says that anti-corruption compliance policies, “can be a good way to conserve corporate resources while, if properly implemented, preventing and detecting potential FCPA violations.”

So thank you Helen Thomas and I can’t wait for your first Press Conference in the great hereafter.

© Thomas R. Fox, 2013

Leave a Comment

May 23, 2013

Getting Employees to Care About a Compliance Policy

Filed under: Best Practices,Bribery Act,compliance programs,Compliance Week,FCPA,Policies and Procedures — tfoxlaw @ 5:58 am
Tags: best practices, compliance, compliance programs, Compliance Week, FCPA

Putting a compliance policy into practice is not something that most companies do very well. How do you get buy-in for a new or amended compliance policy? How do you determine if a new compliance policy contradicts anything that you currently have in your compliance policy portfolio?

When thinking about such questions regarding compliance policies I am reminded of four questions posed by Stephen Page, in his book “Achieving 100% Compliance Of Policies and Procedures”, wherein he poses the following questions: (1) What is the nature of the policies owner’s function? As these are compliance policies, they are critical to a company doing business in compliance with relevant anti-corruption/anti-bribery laws such as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. (2) What is your organization’s overall vision and mission? This question speaks to management’s commitment to doing business ethically and in compliance with legal requirements. (3) What is the content of the policies? This speaks to the connection of the policy goals with other incentives, such as compensation and promotion. (4) What is your company’s receptivity to the policy? This question speaks to training and communication so that employees will understand not only the underlying reason for the policy but drive adherence to the policy.

These and other questions were explored at the recently concluded Compliance Week 2013 event in a session entitled “Case Study: Putting Policies into Practice at Dell”. Kristi Kevern, Director of Operational Compliance and Page Motes, Director, Strategic Programs Office – Global Ethics & Compliance from Dell Corporation, were the two panelists for the event. Kristi discussed how Dell overhauled its entire compliance policy management program and I will discuss her remarks in a later blog. Motes does not come from a compliance background but came from business development. I found her perspective quite different from the usual compliance perspective. From where she sits, she recognizes the need to internally market a new compliance policy; however this marketing plan must begin at the inception of a compliance policy and not after it has been drafted.

Motes said that it is incumbent to obtain buy-in from the business units before a compliance policy is drafted because, after all, it is the business units which will implement a compliance policy. This begins with a business unit sponsor who should have ownership of any new compliance policy. After the initial draft is made, it should be circulated to make sure that the compliance policy is workable and that it is translated from legalese (or accounting-ese) or other technical jargon into plain English. She said that is one of her key roles.

The next step is the internal market. Here Motes believes that a key is to move away from words such as ‘ethics’ to words that denote behaviors. She said that her group would talk about trust, honesty, respect, judgment and responsibility. After rollout the compliance group must train on the new policy and then monitor to ensure that it is followed. Finally, there must be some consequences to an employee if they are trained but fail after multiple warnings to follow a policy.

I thought about Motes’ ideas when I read a recent article in the June issue of Fast Company magazine, entitled “Starbucks’s Leap of Faith” which discussed the company’s rollout and approach to innovation. One of the examples in the article was when Starbucks rolled out its mobile application to allow customers to pay through their smart phones. The company worked with staff on proto-types, then trained and followed up with interviews to determine how the new system was working. Recognizing that there were technical glitches to overcome, the company persevered. Ryan Records, Vice President of Payments, was quoted as saying “it became seamless and flawless and an elegant way to pay” and that payment method now accounts for roughly 10% of the company’s total pay each day.

The Starbucks story drove home to me the key message from Motes. You must work with the business units to operationalize any policy. While it is true that a compliance professional will be the subject matter expert on the requirements of what should go into a compliance policy, but it is equally important on how that information is imparted and getting employees to care about the policy. Page puts it in a slightly different light. He said “From a systems viewpoint, it is often the organization’s infrastructure, and not its people, which is rigid and inflexible, often leading to angry and frustrated employees. If people cannot approach problems, talk openly, or give opinions, then this prevailing attitude can cause withdrawal and people who do not care. The clearer the tie between what an organization is doing and the results, the more energy, commitment, and excitement they will generate during a change process.” I think the latter sentence is what you need to strive for in the realm of compliance policies.

Leave a Comment

May 16, 2013

Four Keys to Compliance Leadership

Filed under: Adam Bryant,Best Practices,compliance programs,Culture,Ethical Leadership,Ethics,New York Times,Policies and Procedures,Tone at the Top,Training — tfoxlaw @ 1:01 am
Tags: best practices, compliance programs, ethical leadership, ethics, ethics and compliance, Hiring, New York Times, promotion, training

One of the most divisive moments in American history occurred on this date in 1868. On this day the US Senate voted against impeaching President Andrew Johnson thereby acquitting him of having committed “high crimes and misdemeanors” as required under the US Constitution. After all the arguments had been presented for and against him, Johnson waited for his fate, which hung on one swing vote, as there is a Constitutional requirement that requires a vote of 2/3rds of the Senate for impeachment. The vote was one short, at 35-19. Johnson was acquitted and finished out his term. If Johnson had been impeached, it surely would have led to a very different political development in the US, where not liking the sitting President could have become a constitutional basis for impeachment.

The Radical Republicans who ran the Congress immediately after the conclusion of the Civil War certainly did not think much of President Johnson’s leadership style. So what about you as a compliance officer? Certainly part of your leadership is implementing and enhancing policies and procedures? In many ways it is the human element, which President Johnson sorely lacked, that you may well need to devote most of your time focusing on. I recently read an excellent article it the Corner Office section of the New York Times (NYT), entitled “We’re Family Yes, but We’re Still Accountable”, in which Adam Bryant reported on his interview with Brooke Denihan Barrett, the co-Chief Executive Officer (co-CEO) of the Denihan Hospitality Group (Denihan), a 50-year old family business which focuses on the hospitality business.

Training

One of the things that Barrett has learned is how to train people. She explained that “I thought the way you got things done was by telling people what to do. That’s where I learned what not to do. I spent a good portion of my time telling people what they did wrong instead of really encouraging them about what they did right.” She came to realize that was perhaps not the best way to manage people and “learned to cut people some slack.” She said that she found “that you get a lot more with the carrot routine than the stick routine. I also realized that you really needed to explain the “why” of things. You need to give people a little bit of space to come around, and say, “Yeah, that makes sense,” before you really engage them in what needed to be done.”

I found that her final point may be critical for compliance training. By explaining the why of compliance, employees can better understand what the company is trying to accomplish. So if your goal is to do business in an ethical manner, then explain this and how the company’s compliance program will help to accomplish this goal through its policies and procedures.

Accountability

One of the things that Barrett emphasized was the erroneous perception that because her company was a family business there was no accountability. She made clear that “You have to set certain standards that you want people to live up to. And if people need help, then we want to help them along the way.” However, accountability is a two-way street. Just as the employee must be held accountable, so must the company in terms of providing support to allow employees who want to do the right thing and to do their job well. Barrett said, “Sometimes organizations can fall down if they don’t also ask: How do you give people the tools they need to be successful? How do you get that person to understand what change needs to happen, and how do you help them along the way? Because people can’t always figure it out on their own, and nor should you expect them to.”

Listening

Many of the CEOs that Bryant interviews for his Corner Office section speak about the need for listening skills. Barrett was no exception. But as CEO she found that employees were sometimes reluctant to speak openly and candidly with her. So she began to meet with employees in small groups of 10 to 12 people. At Denihan they call them ‘Roundtables’. Barrett said that she will say to them ““Tell me something I don’t know.” And I’ll get comments like: “Oh, but you know everything. You’re the C.E.O.” It’s just a reminder of the perceptions that people have of the head of the company. But every time I ask that question, I learn something new.” Imagine as a compliance officer if you were to ask that question in a roundtable, what do you think you might hear back from your company’s employees?

Barrett also spoke about how to have a ‘difficult conversation’. She said that if there is a mistake made she views it as an opportunity for learning and professional growth. At Denihan, they call them ‘lessons learned conversations’ and they may occur with a group where a problem has arisen. Barrett related, “we might bring people together in a room who were involved in a project and ask: What were the things that worked? What were the things that didn’t? What could we have done differently? And we’ve had some very spirited and cathartic conversations. You have to be able to let people put something on the table without actually pointing the finger. It allows things to come out in more of a non-accusatory manner.”

Hiring and Promotion

These are two key areas in compliance that are finally beginning to receive the attention that they deserve. Barrett’s thoughts on how she views these in the context of her interviewing are instructive. She acknowledged that by the “time somebody meets me, you can assume that the skills are there. So what I interview for is fit. And I’m always very curious to know, what is it about our company that appeals to that person?” She asks specifically about culture, requesting the candidate define it and how do you think that culture is special. She also asks candidates to talk about a failure and what lessons that they learned from the experience and how they dealt with the experience. I would suggest that both of those lines of inquiries should be used when evaluating a candidate for hire or promotion.

Barrett’s interview provided some interesting insights on leadership. Moreover, her experience in professional growth has shown there are different styles and techniques that you can successfully use in your company’s compliance program. Train people on the reasons why your company is doing compliance so that they will understand how to do it. Make them accountable but also provide them with the compliance tools and support to do business the right way. If there is a problem or issue, use it as a lesson learned so that employees can profit from the experience. Lastly, make a discussion of culture a cornerstone in your hiring interview or promotion interview process.

Leave a Comment

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

Many commentators are still mining the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) publication, A Resource Guide to the U.S. Foreign Corrupt Practices Act, (the “Guidance”), which was released last November. I continue to find nuggets to provide to the compliance practitioner, as do others. But as we are a Base 10 culture, today I want discuss the 10 points listed as the ‘Hallmarks of Effective Compliance Programs”. They are a change in style, but not content, from the prior 13 point minimum best practices that the DOJ has in the Deferred Prosecution Agreements (DPAs) since at least November, 2010 and, indeed, from prior information made available by the DOJ.

I. Where Have We Been

Beginning with at least the Metcalfe & Eddy Consent and Undertaking, filed in December, 1999, the DOJ has laid out its thoughts on what should go into a Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program. In the Metcalfe & Eddy Consent and Undertaking, the DOJ laid out ten points of an effective FCPA anti-corruption compliance program. This was modified somewhat in Opinion Release 04-02, which laid out a best practices compliance program in 12 points, where the DOJ reviewed the proposal by an investment group who were acquiring certain companies and assets from ABB Ltd. ABB Vetco Gray Inc. and ABB Vetco Gray (UK) Ltd., two of the entities being acquired, had previously pled guilty to FCPA violations. The investment group desired to protect itself from further liability, to the extent possible, by proposing to the DOJ a comprehensive best practices compliance program. While the DOJ noted that this compliance program was not a shield against future violations, the DOJ would not “intend to take an enforcement action [against the investors] for violations of the FCPA prior to their acquisition from ABB.”

In the Panalpina DPA, issued in November, 2010, the DOJ laid out a 13 point minimum best practices compliance program. This number was changed this past summer when the Data Systems & Solutions LLC (DS&S) DPA was announced. In this enforcement action the DOJ listed 15 points on its minimum best practices FCPA anti-corruption compliance program. Then later in the summer, the DOJ moved to a 9 point compliance program in the Pfizer DPA. Even with all these changes in the number, the substance of each compliance program has remained the same.

II. Where Are We Now? Hallmarks of Effective Compliance Programs

The Guidance cautions that there is no “one-size-fits-all” compliance program. It recognizes that depending on a variety of factors such as size, type of business, industry and risk profile that a company should determine what is appropriate for its own needs regarding a FCPA compliance program. But the Guidance makes clear that these ten points are “meant to provide insight into the aspects of compliance programs that DOJ and SEC assess”. In other words you should pay attention to these and use this information to assess your own compliance regime.

Commitment from Senior Management and a Clearly Articulated Policy Against Corruption. It all starts with tone at the top. But more than simply ‘talk-the-talk’ company leadership must ‘walk-the-walk’ and lead by example. Both the DOJ and SEC look to see if a company has a “culture of compliance”. More than a paper program is required, it must have real teeth and it must be put into action, all of which is led by senior management. The Guidance states that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards.” This prong ends by stating that the DOJ and SEC will “evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”
Code of Conduct and Compliance Policies and Procedures. The Code of Conduct has long been seen as the foundation of a company’s overall compliance program and the Guidance acknowledges this fact. But a Code of Conduct and a company’s compliance policies need to be clear and concise. The Guidance makes clear that if a company has a large employee base that is not fluent in English such documents need to be translated into the native language of those employees. A company also needs to have appropriate internal controls based upon the risks that a company has assessed for its business model. Some of the risks a company should assess include “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.”
Oversight, Autonomy, and Resources. This section starts with a discussion on whether a company has assigned a senior level executive to oversee and implement a company’s compliance program. Not only must a company assign such a person with appropriate authority but that person, and the overall compliance function, must have “sufficient resources to ensure that the company’s compliance program is implemented effectively.” Additionally, the compliance function should report to the company’s Board of Directors or an appropriate committee of the Board such as the Audit Committee. Overall the DOJ and SEC will “consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
Risk Assessment. The Guidance states that “assessment of risk is fundamental to developing a strong compliance program”. Indeed, if there is one over-riding theme in the Guidance it is that a company should assess its risks in all areas of its business. The Guidance lists factors that a company should consider in any risk assessment. They are “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.” The Guidance is also quite clear that when the DOJ and SEC look at a company’s overall compliance program, they “take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”
Training and Continuing Advice. Communication of a compliance program is a cornerstone of any anti-corruption compliance program. The Guidance specifies that both the “DOJ and SEC will evaluate whether a company has taken steps to ensure that relevant policies and procedures have been communicated throughout the organization, including through periodic training and certification for all directors, officers, relevant employees, and, where appropriate, agents and business partners.” The training should be risk based so that those high risk employees and third party business partners receive an appropriate level of training. A company should also devote appropriate resources to providing its employees with guidance and advice on how to comply with their own compliance program on an ongoing basis.
Incentives and Disciplinary Measures. This involves both the carrot and the stick. Initially the Guidance notes that a company’s compliance program should apply from “the board room to the supply room – no one should be beyond its reach.” There should be appropriate discipline in place and administered for any violation of the FCPA or a company’s compliance program. Additionally, the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance program, and rewards for ethics and compliance leadership.” These incentives can take the form of a part of senior management’s bonuses or simply recognition on the shop floor.
Third-Party Due Diligence and Payments. Here the Guidance focuses on the ongoing problem area of third parties. The Guidance says that companies must engage in risk based due diligence to understand the “qualifications and associations of its third-party partners, including its business reputation, and relationship, if any, with foreign officials.” Next a company should articulate a business rationale for the use of the third party. This would include an evaluation of the payment arrangement to ascertain that the compensation is reasonable and will not be used as a basis for corrupt payments. Lastly, there should be ongoing monitoring of third parties.
Confidential Reporting and Internal Investigation. This means more than simply a hotline. The Guidance suggests that anonymous reporting, and perhaps even a company ombudsman, might be appropriate to have in place for employees to report allegations of corruption or violations of the FCPA. Furthermore, it is just as important what a company does after an allegation is made. The Guidance states, “once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken.” The final message is what did you learn from the allegation and investigation and did you apply it in your company?
Continuous Improvement: Periodic Testing and Review. As noted in the Guidance, “compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.” The DOJ/SEC expects that a company will review and test its compliance controls and “think critically” about its own weaknesses and risk areas. Internal controls should also be periodically tested through targeted audits.
Mergers and Acquisitions. Pre-Acquisition Due Diligence and Post-Acquisition Integration. Here the DOJ and SEC spell out what it expects in not only the post-acquisition integration phase but also in the pre-acquisition phase. This pre-acquisition information is not something that most companies had previously focused on. Basically, a company should attempt to perform as much substantive compliance due diligence that it can do before it purchases a company. After the deal is closed, an acquiring entity needs to perform a FCPA audit, train all senior management and risk employees in the purchased company and integrate the acquired entity into its compliance regime.

As I commented earlier in this article, the DOJ and SEC have communicated what they believe are the important parts of a risk based, anti-corruption compliance program for many years. I do not think that a compliance defense could be set out any more succinctly. However, I do like things set out in Base 10 and the “Hallmarks of Effective Compliance Programs” is an excellent compilation of where we are and what you need in place to go forward. I recommend this as a good a starting point for any compliance practitioner to implement a new compliance program or to evaluate the state of an ongoing compliance regime so assess your company’s risks and use these hallmarks as a basis to move forward.

Leave a Comment

January 21, 2013

The Tube and Updating Your Compliance Policies

Filed under: Best Practices,Bribery Act,Communication,compliance programs,Compliance Week,Department of Justice,FCPA,Policies and Procedures,SEC — tfoxlaw @ 8:35 pm
Tags: best practices, compliance programs, Compliance Week, Department of Justice, DOJ, ethics and compliance, FCPA, Michael Rasmussen, SEC

2013 is the 150^th anniversary of the London Underground, affectionately known as “The Tube.” It truly is one of the great urban architectural marvels of all-time. The oldest sections of the London Underground completed 150 years of operations on 10 January 2013. The Underground serves 270 separate stations and has 250 miles of track, 45% of which is underground. In 2011, it served over 1.2 billion riders but, like any transportation system, it has to be evaluated and upgraded. For my money, the most useful upgrade would be to air condition the cars as they can become unbearably hot in the summer but that may not be on the top of Prime Minister’s Cameron’s list about now.

I thought about this auspicious anniversary and maintenance of the London Underground when I read a recent article in the Compliance Week magazine by Michael Rasmussen, entitled “Improving Policies Through Metrics”. Rasmussen believes that effective policy management requires that a company must periodically review their policies to ensure that they are relevant and aligned with both current laws and corporate objectives. This is because today’s business environment is dynamic and involves both internal and external factors, so, consequently, as a company evolves and changes its policies need to be updated to reflect these changes.

One of the key components of any best practices compliance regime under any anti-bribery and anti-corruption program is policies. Policies tie together a company, its business environment, the risks it faces and the compliance requirements. Policies are a specific requirement for any anti-corruption/anti-bribery compliance regime. In the recently released Department of Justice (DOJ) Guidance on the Foreign Corrupt Practices Act (FCPA), it stated, “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” Under the UK Bribery Act, policies are discussed in the Six Principles of an Adequate Procedures compliance program under Principle V – Communication, where it states “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.”

While I think that most compliance practitioners understand this need for policies one of the things that is not usually emphasized at a company is effective policy management. One technique which can be used is to elevate the policy function to the senior management level. One of my former employers, Halliburton, did this when it created a Vice President for Policies back in 2006. So kudos to Halliburton for leading the industry by creating the position of Vice President for Policies.

Violations. Here Rasmussen believes that information from reporting systems such as hotlines or other anonymous lines as well as internal or external investigations must be reviewed. Not only would such information indicate if a company policy was violated but the follow-up investigation would help to determine how the policy might have failed, whether it was through “lack of awareness, unauthorized exceptions [or] outright violations.”
Understanding. Here Rasmussen writes that there should be an analysis of “training and awareness programs, policy attestations” and attendant metrics to determine an appropriate level of policy understanding. He believes that questions to a helpdesk or compliance department could help to discover any ambiguities in a policy that might need to be corrected.
Exceptions. If you have a policy it should be followed. If an exception to a policy was granted the reason for the exception should have been documented. If there are too many exceptions granted for a policy, it might indicate that “the policy is inappropriate and unenforceable” and therefore should be revised.
Compliance. A policy should govern and authorize internal controls. These internal controls should be reviewed in conjunction with the policy review to determine overall policy effectiveness. This is because “At the end of the day the policy needs to be complied with.”
Environment. All the factors around a policy are in flux. This includes a company’s risk profile, its business strategy, laws and regulations. Since a business’ climate is dynamic, a policy should be reviewed in the context of a company’s overall situation and revised accordingly.

Leave a Comment

FCPA Compliance and Ethics Blog

July 14, 2015

Great Structures Week II – Structures from Ancient Egypt and Greece

July 28, 2014

Bringing It All Home, the Two Tough Cookies Wrap It Up For You, Part I

July 25, 2014

Code of Conduct, Compliance Policies and Procedures-Part IV

July 24, 2014

Code of Conduct, Compliance Policies and Procedures-Part III

July 22, 2014

Code of Conduct, Compliance Policies and Procedures-Part I

July 24, 2013

Honoring Helen Thomas and Praising FCPA Compliance Policies

May 23, 2013

Getting Employees to Care About a Compliance Policy

May 16, 2013

Four Keys to Compliance Leadership

January 23, 2013

The FCPA Guidance on the Ten Hallmarks of an Effective Compliance Program

January 21, 2013

The Tube and Updating Your Compliance Policies

January

Blogroll

Pages

Admin

Read by Email

Recent Posts from FCPA Compliance and Ethics Report: FCPA Compliance and Ethics Report

Episode 240-Bill Coffin on Compliance Week 2016

Episode 239-Jonathan Armstong On EU Privacy Shield

Episode 238-John Allen on HR Touch Points in Compliance

Episode 237-Steve McCalmont on the Avior Risk Management Platform

Episode 236-Adam Turteltaub and SCCE CCO Survey