FCPA Compliance and Ethics Blog

January 18, 2013

How to Reach Your Audience in Compliance Training – The Use of Charisma

One often hears or reads about complaints that compliance training is dull, nay even boring. I mean, how many times can you expect someone to be lectured to on the riveting subject of the Foreign Corrupt Practices Act (FCPA) or even the UK Bribery Act? Coupled with the legally spellbinding subject, the sessions are often led by lawyers who are training non-lawyers. What can I say; the audience does not always have the appreciation of the subject that I do. I thought about this ongoing conundrum when I came across a recent article in the Financial Times (FT), entitled “The subtle secrets of charisma”, by author Alicia Clegg. The focus of her article was that learning techniques of rhetoric, vocal cadence and gesture can help make senior managers more like leaders. However, I thought that her tips could also help the compliance practitioner in the more mundane area of compliance training.

In her article, Clegg cited to the example of an Infosys executive who was introducing a “controversial HR policy to his company.” During the talk, he felt that his audience was quite restless and “sensed that he was failing to take his listeners with him.” The Infosys executive was quoted as saying “After the talk, people asked me, privately ‘Do you really think this is the right thing to do?’” “I thought: ‘Well, yes, actually, I do. Isn’t that what I said?’” He had failed to convince. Today, however, the executive would deliver a far different talk. Clegg said that “he would acknowledge his colleagues’ concerns, share his own feelings and perhaps tell a personal story. He might modulate his voice; organise his key points into pithy three-part lists; use metaphors; smile or frown occasionally, while gradually building to a statement of personal conviction or a vision of a better future.” In other words, he would work these concepts of ‘charisma’ into his chat.

Clegg discussed the work of John Antonakis, a professor of organizational behavior at Lausanne University. In a June Harvard Business Review article he published, along with colleagues Marika Fenley and Sue Liechti, entitled “Learning Charisma”, Antonakis argues, however, that having charismatic qualities can turn a competent manager into someone that others notice and want to follow. Antonakis and his team claim to have identified twelve communication habits, rooted in the principles of “classic rhetoric, that make a speaker appear more authoritative, trustworthy and persuasive – in short, more like a leader. Nine of the techniques are verbal: using metaphors and easy-to-remember three-part lists; telling stories; drawing vivid contrasts; asking rhetorical questions; expressing moral conviction; reflecting an audience’s sentiments; and setting high but achievable goals. The rest are non-verbal: raising and lowering your voice, letting your feelings show in face and hand gestures to reinforce what you say.” Their case for their charisma training runs counter to a recent theme in management ideas that plays down corporate stars in favor of teams.

Clegg writes about old ways of making new points. She says that the modern-day science of persuasion is rooted in three “rhetorical appeals” described long ago by Aristotle. The three are: ethos, logos and pathos.

  • Ethos – establishing your credentials and building rapport. Here you should use “useful ethos techniques include speaking your audience’s language and reflecting their concerns in what you say.” You should recognize that staff are likely to be more interested in what’s changing for them – how will their job be different?
  • Logos – persuading through logic. Under this you should consider “using useful logos techniques include contrasts and rhetorical questions, which can clarify choices by juxtaposing good and bad outcomes and combine reason with emotion; three-point lists are easy to recall and suggest completeness.” As a lawyer, I found comfort that, as stated in the article, using trios of points can add a purposeful edge to your presenting technique.
  • Pathos – persuasion with emotion. Under this technique you should endeavor to use “useful pathos techniques include stories, metaphors, lowering or raising your voice; while gestures and facial expressions can heighten emotional force.” But here one must be careful to respect cultural differences, as “What Asians consider over-the-top, southern Europeans may consider emotionally repressed.”

Clegg cites to other examples of effective rhetoric. She quotes Sam Leith, author of “You Talkin’ to Me?” who says “Effective rhetoric need not be fancy rhetoric.” Rather than cultivating a high-flown style, he advises novices to tune into how their audience thinks, and to listen to how they speak. He identifies General George Patton as a master of the art of persuasive plain-speaking. In the final weeks of World War II, the general exhorted his troops to redouble their efforts with the words “The quicker they are whipped, the quicker we can go home”. This got the audience of his troops on his side because getting home was what mattered to them the most.

Clegg also discussed the well-known technique of repetition. She included Martin Luther King’s ‘I Have a Dream’ speech where King used the device of repeated phrases at the start of successive clauses so that there develops “an appreciation of what is easy on the ear is important.” Clegg also discussed the technique of chiasmus, “in which the second half of a statement reverses the order of words in the first − as in “ask not what your country can do for you – ask what you can do for your country”. The words were simple and direct – and their impact all the greater.”

Antonakis argues that these techniques can be taught and, more importantly, learned and that “everyone can improve with practice.” But Clegg cautioned that there is more than simply having commanding rhetoric. A good leader must be a good listener as well. She cites to the work of Harvard academician Rosabeth Moss Kanter who argues in her blog that “it is how well you listen, rather than how well you talk, that persuades people to do things.”

Clegg appropriately ends by noting that no matter how good your rhetorical techniques are, “It is not just what you say, or how you say it, that convinces people you are not phony. You can dress things up with all the anaphora and epistrophe in the world, but if you don’t have a deep sense that something is important you’re not going to persuade anyone.”

So for the compliance practitioner who puts on training there is plenty of good advice on rhetorical techniques that you can use. But, most importantly, don’t be phony.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

October 16, 2012

The Battle of Hastings and Diversity – How to Integrate It Into Your Compliance Culture

Sunday, October 14th was the anniversary of the Battle of Hastings, in 1066. In addition to being the last time there was a successful invasion of Britain, several other positive things came from this most historic event for English-speaking people. In an article in the Telegraph, entitled “In everything we say, there is an echo of 1066”, writer Alan Massie said that “the most enduring legacy is also the richest: our wonderful hybrid language and the golden treasury that is English literature.” He went on to state that “Without the Norman Conquest, Shakespeare would not have been Shakespeare, because his language would have resembled 16th-century German or Dutch. He would never have written a phrase like “the multitudinous seas incarnadine”. Our language often loses vitality if it moves too far from the Anglo-Saxon and is overweighed by Latinate words, but much of its richness and scope derives from its dual inheritance. “Shall I compare thee to a summer’s day?  / Thou art more lovely and more temperate.”

I thought about Massie’s article when reading this past Sunday’s New York Times (NYT) Corner Office section in which reporter Adam Bryant interviewed Hilton Worldwide President and Chief Executive Officer (CEO) Christopher Nassetta, in an article entitled “On a Busy Road, a Company Needs Guardrails”. For all you compliance practitioners who work at large multi-national companies with employee numbers between 50,000 and 100,000, you should think about the compliance challenge at Hilton, which has over 300,000 employees worldwide. Nassetta said that one of the things he found when he initially took the position was that “I discovered when I joined the company five years ago is that we had a lot of segments of the company that operated very independently, and we had massive amounts of duplication and fragmentation. We needed alignment. We needed people to understand who we were, what we stood for and the key priorities of the company. And we needed them, once they understood that, to get their oars in the water and head in a common direction.” Nassetta traveled all over the world and met with employees. He believed that Hilton employees had good values but that as many times as he asked what the company values were, he got as many different answers. There were so many different value formulations that he “stopped counting when I got to 30 different value statements at our offices.” Nassetta viewed his job, as the CEO, as being “to create the right culture, set the tone, the high-level strategy.” To accomplish this in the company Nassetta set up teams around the world to look at their value statements and “boil them down.” They then took all of the formulations and derived 6, which they stated as follows:

  • H for hospitality
  • I for integrity
  • L for leadership
  • T for teamwork
  • O for ownership
  • N for now.

He felt by using the Hilton name as the acronym for the company’s values, it could be reinforced every time the name was used. In other words, it drove these values down into the company’s DNA by continual reinforcement. While acknowledging that repeating can lead to value fatigue, Nassetta felt like he and the company could not say it enough. He stated, “in my case, there are 300,000 people who need to hear it, and I can’t say it enough. So what might sound mundane and like old news to me isn’t for a lot of other people. That is an important lesson I learned as I worked in bigger organizations.”

Nassetta’s message drove home to me that a company can not only integrate a wide variety of compliance values into its culture but, more so, that the message needs to be repeated. I thought about the Morgan Stanley declination which was released in May. As a part of the Department of Justice (DOJ) release they noted that Morgan Stanley had done the following for the employee Garth Peterson, who pled guilty to violations of the Foreign Corrupt Practices Act (FCPA): The Securities and Exchange Commission (SEC) Complaint detailed the compliance program Morgan Stanley had in place and how it directly related to Peterson. The Complaint specified:

(1) Morgan Stanley trained Peterson on anti-corruption policies and the FCPA at least seven times between 2002 and 2008. In addition to other live and web based training, Peterson participated in a teleconference training conducted by Morgan Stanley’s Global Head of Litigation and Global Head of Morgan Stanley’s Anti-Corruption Group in June 2006.

(2) Morgan Stanley distributed to Peterson written training materials specifically addressing the FCPA, which Peterson maintained in his office.

(3) A Morgan Stanley compliance officer specifically informed Peterson in 2004 that employees of Yongye, a Chinese state-owned entity, were government officials for purposes of the FCPA.

(4) Peterson received from Morgan Stanley at least thirty five FCPA-compliance reminders. These reminders included FCPA-specific distributions; circulations and reminders of Morgan Stanley’s Code of Conduct, which included policies that directly addressed the FCPA; various reminders concerning Morgan Stanley’s policies on gift-giving and entertainment; the circulation of Morgan Stanley’s Global Anti-Bribery Policy; guidance on the engagement of consultants; and policies addressing specific high-risk events, including the Beijing Olympics.

(5) Morgan Stanley required Peterson on multiple occasions to certify his compliance with the FCPA. These written certifications were maintained in Peterson’s permanent employment record.

(6) Morgan Stanley required each of its employees, including Peterson, annually to certify adherence to Morgan Stanley’s Code of Conduct, which included a portion specifically addressing corruption risks and activities that would violate the FCPA.

(7) Morgan Stanley required its employees, including Peterson, annually to disclose their outside business interests.

In other words, Morgan Stanley continued to drive home the message of compliance during the tenure of Peterson’s employment with the company.

Further, when the DOJ came calling, Morgan Stanley was able to prove to the DOJ’s satisfaction that the company had indeed done what it had claimed because the documentation was available to present to the DOJ. So just as Nassetta continues to preach the HILTON values of the company, Morgan Stanley was providing direct information to Peterson on his responsibilities under the FCPA. Nassetta said one other thing that struck me as important in his interview. He said, “One simple philosophy I have as a leader of a big organization is to have really steady hands on the wheel. In a tumultuous world, with so many things going on around you, you have to know who you are, what you stand for and where you are going, and keep everyone pointed in the same direction and have the discipline to stick with it.”

From this I understand that if you know your values and have the discipline to stick with them during turbulent times, these values will protect you. I think that Morgan Stanley shows that training on the FCPA, certification by its employees to abide by it, training on their Code of Conduct or Business Ethics, including conflicts of interest and annual certifications, can go a long way towards protecting a company in the event of an FCPA investigation. And please do not forget those email compliance reminders; the DOJ specifically pointed out that Morgan Stanley sent Peterson 35 email reminders about the FCPA over 7 years. Even with my trial lawyer math, that is only 5 per year.

Massie in his article about what the Battle of Hastings meant for Britain wrote, “So, if you were to begin by asking, in Monty Python style, “what have the Normans ever done for us?” you might first reply that the most enduring consequence of the Conquest is the richness of the English language, with its Anglo-Saxon base and Franco-Latin superstructure. This mixture gives us a huge vocabulary, and many words with essentially the same meaning, yet a different shade of emphasis: fatherly and paternal, for example.” This richness came from diversity. The values of the Hilton Corporation came from the values of its 300,000 employees. The richness is out there and one of your jobs as a compliance practitioner is to use that diversity to create a compliance program that works for your entire company.

© Thomas R. Fox, 2012

October 3, 2012

NFL Replacement Referees-the Lessons of Training Temporary Employees

The short autumn of our discontent is over as the United States has ended one of its greatest national convolutions of recent memory. Am I speaking of the attack on the US Consulate in Libya; the current stalemate of US politics and the Presidential race or the upcoming financial cliff on which the US may dive over on December 31?

No, I am talking about the debacle of replacement referees by the National Football League (NFL). After an eight week lockout by management, including three regular season games, the results were so catastrophic for America that the NFL finally came to its senses and settled the labor dispute.

How bad was the fallout? So bad that the controversy not only made the front page of the Financial Times (FT) last week but it also made the FT’s Op-Ed page on September 29, in a piece written by FT Senior Editor Christopher Caldwell, in an article entitled “NFL falls foul of the ‘drunken Santa’ problem”. Caldwell used the (unfortunately) well known fact of US department stores hiring alcoholics to pose as Santa Claus during the Christmas holidays as the lead in for a discussion of “O-Ring Theory of Economic Development” as articulated by Michael Kremer. Kremer’s thesis is that in “high-value added fields, where one malfunction in a complex chain can destroy all value, special rules apply.” This leads to the concept, found in the employment relations context, where there is a “positive correlation between the wages of workers in different occupations within enterprises.”

I would add one additional corollary to the above. That is training. The replacement referees obviously did not know the rules and when they did know the rules, they had great trouble applying them in game situations. In other words, they had not been properly trained.

Why is training of temporary employees important in the context of an anti-corruption/anti-bribery compliance program? I would point to the ongoing Foreign Corrupt Practices Act (FCPA) investigation into the activities of Hewlett-Packard (HP) as the Poster Child for training of temporary (or contract) employees on your company’s anti-corruption, anti-bribery program. As reported by Karin Matussek of Bloomberg News on September 13, 2012 three former HP managers were charged in Germany in a corruption investigation over improper payments made to win a €35 million ($45 million) sale of computers to Russia about nine years ago. One of the ex-managers charged is a Finnish woman; the other two are men, one American and one German. The German authorities started their probe back in 2009, after provincial tax authorities found, in a routine audit of an unrelated company, evidence of payments for which “real use could be established for some payments found in the accounts. The owner of that company was charged.” German Prosecutors also requested and received permission from the Court to make HP an associated party to the case. Prior to the Court ruling on this request, Matussek quoted Wolfgang Klein, spokesman for Saxony’s Chief Prosecutor’s Office, who told her that “If the court grants that request and the allegations are proved, Hewlett-Packard’s profits from the transaction may be seized”.

The HP story was broken in the US by the Wall Street Journal (WSJ) in April, 2010. In the article it was reported that one witness said that the transactions in question were internally approved by HP through its then existing, contract approval process. Mr. Dieter Brunner, a bookkeeper who is a witness in the probe, said in an interview that he was surprised when, as a temporary employee of HP, he first saw an invoice from an agent in 2004. “It didn’t make sense” because there was no apparent reason for HP to pay such big sums to accounts controlled by small-businesses. He then proceeded to say he processed the transactions anyway because he was the most junior employee handling the file, “I assumed the deal was OK, because senior officials also signed off on the paperwork”.

Think what position HP might be in today if this temporary employee had been trained on the company’s system for internally reporting compliance issues? If Brunner had escalated his concern that the payment to the agent “didn’t make sense” perhaps HP would not have been under investigation by governmental authorities in Germany and Russia. In the United States, both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have announced they will also investigate the transaction, which it can only be supposed are for potential FCPA violations. While HP has not made any public announcements regarding the costs of the investigation to date, it can only be speculated that the costs are in the millions because HP is the subject of investigations in at least three separate jurisdictions, the US, Germany and Russia, regarding the transaction at issue. Further, HP is now investigating other international operations to ascertain if other commissions paid involved similar allegations of bribery and corruption as those in this German subsidiary’s transaction.

Training is recognized as one of the points in the 13 point minimum best practices compliance program as delineated by the DOJ and as one of the elements under the US Sentencing Guideline’s Seven Elements of an Effective Compliance Program. It is also recognized in Principle 5 of the Six Principles of an Adequate Procedures compliance program as set out by the UK Ministry of Justice (MOJ). Lastly, it is recognized by the OECD in its 13 Good Practices for Internal Controls, Ethics and Compliance.

When refereeing a sporting event, one has to know the rules and how to apply them. What were the real referees doing while the NFL had locked them out? They were training. Each week, they took a written test on the rules of football. Each week they studied the games which were played for issues that arose. In other words, during the NFL lock-out of its referees, the referees were still training. This ongoing training for the real referees was nothing new or different than they have traditionally done as they did so when a contract existed and they were working NFL games.

I understand that compliance training fatigue can set in if such training is given too often. However, companies need to realize that when professionals handle job duties which are high risk within the context of an FCPA or UK Bribery Act compliance regime, there must be training on not only the specifics of a company system but also on how to escalate a concern. Think about where HP might be right now if the contract accountant had been trained on how to use the company hotline.

So the autumn of our discontent has turned into glorious fall colors with the return of the real referees. But for the compliance professional, the real lesson is training. Coupled with the ongoing HP FCPA investigation matter as a teaching moment, I would suggest that you review how many contract employees your company has in high risk compliance positions. Do not simply look at persons in the sales chain but also those in positions who may be reviewing high risk transactions. Do you have any contract accountants, such as HP had in its German subsidiary? How about contract attorneys or even outside counsel reviewing such transactions? What about contract personnel in internal audit? If so, have they been trained on your company’s compliance program and how to escalate a concern?

I hope that you will consider these questions before you end up as a national laughingstock or on the front page of the FT.

© Thomas R. Fox, 2012

June 20, 2012

DS&S DPA: Lessons Learned for the Compliance Practitioner

On Monday, June 18, the Department of Justice (DOJ) announced the resolution of a matter involving violations of the Foreign Corrupt Practices Act (FCPA) by Data Systems & Solutions LLC (DS&S), a US entity based in Virginia. The settlement resulted in the company agreeing to a two year and 7 day Deferred Prosecution Agreement (DPA). The case was interesting for a number of reasons and it has some significant lessons which the compliance practitioner can put into place in a corporate compliance program. The charges related to DS&S’s business included the design, installation and maintenance of instrumentation and controls systems at nuclear power plants, fossil fuel power plants and other critical infrastructure facilities. In reading the Criminal Information, I can only say that this was no one-off or rogue employee situation but this was a clear, sustained and well known bribery scheme that went on within the company.

I. The Criminal Information

The bribery scheme involved payments made to officials at a state-owned nuclear power facility in Lithuania, named Ignalina Nuclear Power Plant (INPP). The payments were made to allow DS&S to obtain and retain business with INPP. The Information listed contracts awarded to DS&S in the amount of over $30MM from 1999 to 2004. Significantly, DS&S did not self-disclose this matter to the DOJ but only began an investigation after receiving a DOJ Subpoena for records.

The Players Box Score

DS&S Officials:

  • Exec A – VP of Marketing and Business Development (BD)

INPP Officials:

  • Official 1 – Deputy Head of Instrumentation and Controls Department
  • Official 2 – Head of Instrumentation and Controls Department
  • Official 3 – Director General at INPP
  • Official 4 – Head of International Projects at INPP
  • Official 5 – Lead SW Engineer at INPP

Subcontractors:

  • Subcontractor A – Simulation Technology Products and Services
  • Subcontractor B – Beneficially owned by Official 1 and which employed INPP Officials
  • Subcontractor C – Shell company used as a funneling entity to pay bribes

The bribery scheme used by DS&S recycled about every known technique there is to pay bribes. The Information listed 51 instances of bribes paid or communications via email about the need to continue to pay bribes. The bribery scheme laid out in the Information reflected the following techniques:

  • Payment of bribes by Subcontractors to Officials on behalf of DS&S;
  • Direct payment of bribes by DS&S into US bank accounts controlled by INPP Officials;
  • Creation of fictional invoices from the Subcontractors to fund the bribes;
  • Payment of above-market rates for services allegedly delivered by the Subcontractors so the excess monies could be used to fund bribes;
  • Payment of salaries to INPP Officials while they were ‘employed’ by Subcontractor B;
  • Providing travel and entertainment to Officials to Florida, where DS&S has no facilities and which travel and entertainment had no reasonable business purpose; and last but not least…
  • Purchase of a Cartier watch as a gift.

II. The Deferred Prosecution Agreement

I set out these details with some specificity for two reasons. The first is that the Information is a must read for anyone in Internal Audit who reviews books and records. It gives you the precise types of Red Flags to look for. The second is the fact that DS&S received a discount of 30% off the low end of the penalty range as calculated under the US Sentencing Guidelines. The calculation as listed in the DPA is as follows:

Calculation of Fine Range:

  • Base Fine: $10,500,000
  • Multipliers: 1.20 (min) / 2.40 (max)
  • Fine Range: $12,600,000 / $25,200,000

The ultimate fine paid by DS&S was only $8.82MM, which the DPA states is “an approximately thirty-percent reduction off the bottom of the fine range…” So for the compliance practitioner the question is what did DS&S do to get such a dramatic reduction? We know that one thing they did NOT do was self-report as the DPA notes that this case began as a DOJ investigation and DS&S received Subpoenas “in connection with the government’s investigation.” However, after this initial delivery of Subpoenas DS&S engaged in a clear pattern of conduct which led directly to this 30% discount of the low end of the fine range. The DPA reports that DS&S took the following steps:

  • Internal Investigation. DS&S initiated an internal investigation and provided real-time reports and updates of its investigation into the conduct described in the Information and Statement of Facts.
  • Extraordinary Cooperation. DS&S’s cooperation has been extraordinary, including conducting an extensive, thorough, and swift internal investigation; providing to the Department searchable databases of documents downloaded from servers, computers, laptops, and other electronic devices; collecting, analyzing, and organizing voluminous evidence and information to provide to the DOJ in a comprehensive report; and responding promptly and fully to the DOJ’s requests.
  • Extensive Remediation. The number of steps DS&S took in regard to remediation included the following:
    • Termination of company officials and employees who were engaged in the bribery scheme;
    • Dissolving the joint venture and then reorganizing and integrating the dissolved entity as a subsidiary of DS&S;
    • Instituting a rigorous compliance program in this newly constituted subsidiary;
    • Enhancing the company’s due diligence protocols for third-party agents and subcontractors;
    • Chief Executive Officer (CEO) review and approval of the selection and retention of any third-party agent or subcontractor;
    • Strengthening of company ethics and compliance policies;
    • Appointment of a company Ethics Representative who reports directly to the CEO;
    • The Ethics Representative provides regular reports to the Members Committee (the equivalent of a Board of Directors in a LLC); and
    • A heightened review of most foreign transactions.
  • Enhanced Compliance Program. More on this in the next section.
  • Continued Cooperation with DOJ. The company agreed to continue to cooperate with the Department in any ongoing investigation of the conduct of DS&S and its officers, directors, employees, agents, and subcontractors relating to violations of the FCPA and to fully cooperate with any other domestic or foreign law enforcement authority and investigations by Multilateral Development Banks.

III. Enhanced Compliance Obligations

One of the interesting aspects of the DS&S DPA is that there are 15 points listed in the Corporate Compliance Program, attached as Schedule C to the DPA, rather than the standard 13 items we have seen in every DPA since at least November 2010. The new additions are found on items 13 & 14 on page C-6 of Schedule C and deal with mergers and acquisitions. They read in full:

13. DS&S will develop and implement policies and procedures for mergers and acquisitions requiring that DS&S conduct appropriate risk-based due diligence on potential new business entities, including appropriate FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. If DS&S discovers any corrupt payments or inadequate internal controls as part of its due diligence of newly acquired entities or entities merged with DS&S, it shall report such conduct to the Department as required in Appendix B of this Agreement.

14. DS&S will ensure that DS&S’s policies and procedures regarding the anticorruption laws apply as quickly as is practicable to newly acquired businesses or entities merged with DS&S and will promptly:

a. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to DS&S, on the anti-corruption laws and DS&S’s policies and procedures regarding anticorruption laws.

b. Conduct an FCPA-specific audit of all newly acquired or merged businesses as quickly as practicable.

This language draws from and builds upon the prior Opinion Release 08-02 regarding Halliburton’s request for guidance during an attempted acquisition and the Johnson and Johnson (J&J) Enhanced Compliance Obligations which were incorporated into its DPA. While the DS&S DPA does note that it is specifically tailored as a solution to DS&S’s FCPA compliance issues, I believe that this is the type of guidance that a compliance practitioner can rely upon when advising his or her clients on what the DOJ expects during Mergers and Acquisitions (M&A). The five keys under these new items, 13 & 14 highlighted above, are: (1) develop policies and procedures for M&A work prior to engaging in such transactions; (2) full FCPA audit of any acquired entities “as quickly as practicable”; (3) report any corrupt payments or inadequate internal controls it discovers in this process to the DOJ; (4) apply DS&S anti-corruption policies and procedures to the newly acquired entities; and (5) train any persons who might “present a corruption risk to DS&S” on the company’s policies and procedures and the law.

IV. Summary

The DS&S DPA provides some key points for the compliance practitioner. First and foremost, I believe that it demonstrates the reasonableness of the DOJ. The bribery scheme here was about as bad as it can get, short of suitcases of money carried by the CEO to pay bribes. The company did not self-report, yet received a significant reduction on the minimum level of fine. The specificity in the DPA allows a compliance practitioner to understand what type of conduct is required to avoid not only a much more significant monetary penalty but also a corporate monitor. Lastly, there is the specific guidance on FCPA compliance in relation to M&A activities: if anyone in the compliance arena did not understand what was required in the M&A context, this question would seem to be answered in the DS&S DPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

May 21, 2012

The Homestead Act and Doing Compliance

What was the single greatest transfer of property from the US government to its citizens? It was public lands that were given to persons willing to farm the land. Today we celebrate the 150th anniversary of the Homestead Act, passed on May 20, 1862, which facilitated this donation. Under this law, any person over 21 could stake a claim of up to 160 (later increased to 640) acres if they were a citizen or declared the intention to become a US citizen and agreed to farm the land for five years. In an article in the Saturday Wall Street Journal (WSJ), entitled “How the West Was Really Won”, author Fergus Bordewich quoted President John F. Kennedy, who stated in celebrating the Centenary of the Homestead Act, “more than 1.1 billion acres of the original public [domain] have been transferred to private and non-federal public ownership.”

Bordewich goes on to write that it was farming that tamed and then settled the West. But more than simply planting, it led to technical innovations in agriculture, animal-feeding and water management. Land-grant colleges followed to provide educations to children of these homesteaders, which led to further growth and innovation. Bordewich quotes Bonnie-Lynn Sherow, “If you measure the achievement of homesteading by the value of today’s GDP alone, it was an enormous success.” From the article I gleaned that it was the day-to-day work of farmers, innovators, educators and a host of others that created the great breadbasket that is the United States.

This drove home to me that what a company really needs to accomplish regarding compliance is to do the day-to-day work in its company to help create and foster a culture of compliance. Recently, May 7-11 was designated as “Compliance and Ethics Week”. One of the panelists I saw last week at the IQPC Upstream Contract Risk Management conference spoke about how his company celebrated this event and used it as a springboard to internally publicize its compliance program. Their efforts included three separate prongs: hosting inter-company events to highlight the company’s compliance program; providing employees with a Brochure highlighting the company’s compliance philosophy; and circulating a Booklet which provided information on the company’s compliance hotline and Compliance Department personnel.

Inter-Company Events

These were ‘Lunch-N-Learn’ events hosted throughout the week. Topics included:

  • Monday: Navigate and Learn the Corporate Compliance Website;
  • Tuesday: How to Determine if You Have a Conflict of Interest;
  • Wednesday: Review of the company’s pre-approval procedures for gifts, travel and entertainment of non-US officials and employees of State Owned Enterprises;
  • Thursday: Understanding the purpose and importance of the Company’s Alertline; and
  • Friday: Ethical Behavior that Wins Business and Attracts Top Talent.

Participation in these events allowed the Compliance Department to meet informally with the business unit folks. Even in a corporate headquarters, most conferences are more formalized training but the ‘Lunch-N-Learn’ concept provides a more casual atmosphere and, therefore, better opportunities for interaction.

Cost: Sandwiches for lunch

Brochure

The Company regularly distributes a short Compliance Brochure. The Brochure, which announced the company’s celebration of Compliance Week, included the following phraseology, which I quote in its entirety as I thought it was so eye-catching. The Brochure had spelled out ‘Compliance’ vertically and assigned phrases to each letter so that it reads as follows:

Commit to ‘Doing the Right Thing’

Observe the policies that apply to your job

Make compliance awareness a part of your job

Put Code of Conduct in assessable place

Lead by example

If in doubt, check it out

Attend educational and mandatory training sessions

Notify your supervisor of possible wrongdoings

Communicate openly and honestly

Ethics is a part of all activities

In addition to the above phrasing the Brochure included information on the Company hotline; contact information for the Compliance Department and a listing of some of the information available on the Company’s internal intranet site.

Cost: Regular printer paper

Compliance Booklet

The final piece of information provided during the company’s Compliance Week celebration was a four-page Booklet provided to each employee, specifically tailored to the Compliance Week celebration. It listed out several elements from the company’s compliance program and the company’s Vision and Core Values. It also provided the contact information on the company hotline and contact information on the Compliance Department personnel. One of the most interesting things it listed was the company’s Compliance Department philosophy about what it believed it owed the company’s employees. This included the following:

  • Guidance on the policies and procedures that apply to your duties
  • Training to enable your compliance with all applicable policies and procedures
  • Monitoring to ensure compliance with policies, procedures and laws
  • An environment that will not tolerate retaliation against those who report compliance concerns in good faith

Cost: Thick printer paper

I have set out all of the above in some detail to demonstrate some of the lessons learned from the Morgan Stanley declination/Garth Peterson enforcement action. You can take steps right now, as in this minute, to help foster a culture of compliance in your organization. The Department of Justice (DOJ), in its Press Release regarding the declination, listed persuasive events such as training and something as simple as email notices sent to Peterson. What is the cost of sending out an email notice? Not too high.

The Compliance Week celebration demonstrates, once again, that it is doing compliance which not only drives home the message of compliance within a company but also demonstrates to any regulatory body reviewing a company that compliance is a living part of the organization. So just as the Homestead Act created the opportunity for the taming and settling of the American West, it was the homesteaders, doing the work of farming which the Homestead Act was designed to foster, who made it a reality.

============================================================================================

We send out a big congratulations to Chelsea and all their fans for winning the UEFA Cup on Saturday evening.

============================================================================================


May 15, 2012

Letter to Cicero – Lesson for the Compliance Practitioner from the Roman Republic

Most people will recognize the name Cicero as that of one of the greatest orators of the Roman Republic. In 64 BC he ran for Consul and was elected, beginning his term in March, 63 BC. In this month’s issue of Foreign Affairs, the political strategist James Carville writes a commentary based upon a letter that Quintus Tullius Cicero (the younger brother) wrote to Marcus Tullius Cicero (the older brother and the one we remember as ‘Cicero’) about how to run a political campaign. Although James Carville uses the letter to discuss political campaigns, I found some interesting prescriptions for the (modern day) compliance practitioner.

Use Your Supporters

Cicero the Younger advised his older brother that “Few outsiders have the number and variety of supporters that you do.” I believe that the vast majority of employees want to do business in an ethical manner, compliant with whatever anti-corruption or anti-bribery law they might operate under, whether it is the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. This translates not only into employees who will follow the requirements of your company’s Code of Conduct and compliance program, but also into people who can help to not only sustain but grow your compliance program.

Work to Maintain the Goodwill of Your Supporters

Cicero the Younger also advised that his older brother provide helpful advice to his supporters and to also reach out to them by asking for their counsel in return. In the US Department of Justice’s (DOJ) 13 points of a minimum best practices compliance program, providing day-to-day compliance advice is a key component. Item No. 9 Ongoing Advice and Guidance reads in part:

The Company should establish or maintain an effective system for: a. Providing guidance and advice to directors, officers, employees, and, where necessary and appropriate, agents and business partners, on complying with the Company’s anti-corruption compliance policies, standards, and procedures, including when they need advice on an urgent basis or in any foreign jurisdiction in which the Company operates;

The DOJ clearly wants a designated person or persons available to provide compliance advice to company employees on a regular, as needed basis. But Cicero the Younger goes further by saying that providing such advice can cultivate and maintain goodwill. This is certainly true for the compliance practitioner.

Cultivate Relationships

The third point that Cicero the Younger advised his brother to engage upon was to “cultivate relationships” with key decision makers. These relationships will not only assist in winning the election but when the time comes for you to govern, these same relationships will assist you in educating people on your programs.

These three steps, as advised by Cicero the Younger, reminded me of a technique used by Leonard Shen, the Chief Compliance Officer (CCO) at PayPal. Shen said that in a company which is initiating its compliance program, it can be perceived as a change of culture. To alleviate some employee fears, he used an approach which worked to alleviate those types of concerns but had the additional benefit of providing enough information to perform a robust assessment which could be used to form the basis of an effective compliance program. He termed this type of approach as one to “engage and educate.” While the approach had a two-word name, it actually had three purposes: (1) to engage the employees in what would form the basis for an enhanced compliance program; (2) to educate the employees generally in compliance and ethical behavior; and (3) through the engagement of employees, to gather information which could be used to form the basis of a risk assessment.

A. Engagement

Shen and his compliance team traveled to multiple company locations, across the globe, to meet with as many employees as possible. A large number of these meetings were town hall settings, and key employee leaders, key stakeholders and employees identified as high risk, due to interaction with foreign governmental official touch-points, were met with individually or in smaller groups. Shen and his team listened to their compliance concerns and, more importantly, took their compliance ideas back to the home office.

From this engagement, the team received several thousand employee suggestions regarding enhancements to the company’s compliance program. After returning to the US, Shen and his team winnowed down this large number to a more manageable number, somewhere in the range of a couple of hundred. These formed the basis of a large core of the enhancements to the existing company compliance program.

After the enhanced compliance program was rolled out, formal training began. During the training, the team was able to give specific examples of how employee input led to the changes in the enhanced program. This engaged the employees and made them feel like they were a part of, and had a vested interest in, the company’s compliance program. This employee engagement led to employee buy-in.

B. Education

During the town hall meetings, and the smaller more informal group meetings, Shen and his team were doing more than simply listening, they were also training. However, the training was not on specific compliance provisions; it was more generally on overall ethics and how the employees could use compliance as a business tool.

As pointed out by another speaker at Compliance Week 2011, most ethical standards of a company are not found in an existing compliance program; they are found in the general anti-discrimination guidelines and ethical business practices, such as anti-competitiveness and use of customer confidential information prohibitions. Often these general concepts can be found in a company’s overall Code of Conduct or similar statement of business ethics; workplace anti-discrimination and anti-harassment guidelines can be found in Human Resource policies and procedures. Concepts such as anti-competitiveness and use of customer and competitor’s illegally obtained confidential information may be found in anti-trust or other business practice focused guidelines.

Shen and his team’s aim for the education component of “Engage and Educate” was to have the company’s employees start thinking about doing business the ethical way. It was ethical concept based training designed to be in contrast to a rules based approach, where employees believe they are taught the rules, and then try to see how close they can get to the line of violating the compliance rule without actually stepping over the line. Moreover, this general ethical business training laid the groundwork for the enhancement of the company’s compliance program and the training that would occur when the enhancement was rolled out.

It is often said in the legal profession that there are no new ideas. This may also be true in the compliance profession. However, there are innumerable resources from which the compliance practitioner can draw inspiration and the Letter to Cicero is certainly one.


May 2, 2012

Morgan Stanley Goes One for One with a Best Practices Compliance Program

On Monday night, Houston Astros manager Brad Mills went to the mound five times to change pitchers against five straight New York Mets batters. This set the Astros Twitter community literally ‘a-twitter’ as it was noted that, according to the Elias Sports Bureau, the “Astros became the 1st team in MLB history to use 5 different pitchers against 5 consecutive hitters.” Why did he do so? Mills has not made public his reasons, yet it seemed to work out, as only one of the five hitters was able to get a hit against the normally abysmal Astro relief corps. And the Astros actually won the game, which is an increasingly rare occurrence this season since having a winning record of 2-1 after three games.

I thought about the Mills treks to the mound last night when reading the recent Foreign Corrupt Practices Act (FCPA) enforcement action against former Morgan Stanley Managing Director Garth Peterson. According to the US Department of Justice (DOJ) Press Release, Peterson pled guilty to one count of criminal information charging him with “conspiring to evade internal accounting controls that Morgan Stanley was required to maintain under the FCPA.” Assistant Attorney General Lanny Breuer was quoted as saying, “Mr. Peterson admitted today that he actively sought to evade Morgan Stanley’s internal controls in an effort to enrich himself and a Chinese government official. As a Managing Director for Morgan Stanley, he had an obligation to adhere to the company’s internal controls; instead, he lied and cheated his way to personal profit. Because of his corrupt conduct, he now faces the prospect of prison time.” Peterson will be sentenced in June.

The Allegations

According to the DOJ Press Release, Peterson conspired with others to circumvent Morgan Stanley’s internal controls in order to transfer a multi-million dollar ownership interest in a Shanghai building to himself and a Chinese public official with whom he had a personal friendship. Peterson encouraged Morgan Stanley to sell an interest in a Chinese real-estate deal to Shanghai Yongye Enterprise (Yongye), a state-owned and state-controlled entity through which Shanghai’s Luwan District managed its own property and facilitated outside investment. Peterson falsely represented to others within Morgan Stanley that Yongye was purchasing the real-estate interest, when in fact Peterson knew the interest would be conveyed to a shell company controlled by him, a Chinese public official associated with Yongye and an un-named Canadian attorney. After Peterson and his co-conspirators falsely represented to Morgan Stanley that Yongye owned the shell company, Morgan Stanley sold the real-estate interest in 2006 to the shell company at a discount to the interest’s actual 2006 market value. As a result, the conspirators realized an immediate paper profit of more than $2.5 million. Even after the sale, Peterson and his co-conspirators continued to claim falsely that Yongye owned the shell company. In the years since Peterson and his co-conspirators gained control of the real-estate interest, they have periodically accepted equity distributions and the real-estate interest has appreciated in value.

Declination to Prosecute

However, the greater import of this enforcement action for my money was what did NOT happen to Morgan Stanley. They were not indicted. In fact both the DOJ, in its Press Release, and the Securities and Exchange Commission (SEC), in its civil Complaint, went out of their way to praise the Morgan Stanley compliance program. This written praise not only demonstrated that companies receive credit from the DOJ for having a compliance program in place but also gave solid information as to why the DOJ declined to prosecute Morgan Stanley. In other words, it was a very public pronouncement of a declination to prosecute.

The SEC Complaint detailed the compliance program Morgan Stanley had in place and how it directly related to Peterson. The Complaint specified:

(1) Morgan Stanley trained Peterson on anti-corruption policies and the FCPA at least seven times between 2002 and 2008. In addition to other live and web based training, Peterson participated in a teleconference training conducted by Morgan Stanley’s Global Head of Litigation and Global Head of Morgan Stanley’s Anti-Corruption Group in June 2006.

(2) Morgan Stanley distributed to Peterson written training materials specifically addressing the FCPA, which Peterson maintained in his office.

(3) A Morgan Stanley compliance officer specifically informed Peterson in 2004 that employees of Yongye, a Chinese state-owned entity, were government officials for purposes of the FCPA.

(4) Peterson received from Morgan Stanley at least thirty five FCPA-compliance reminders. These reminders included FCPA-specific distributions; circulations and reminders of Morgan Stanley’s Code of Conduct, which included policies that directly addressed the FCPA; various reminders concerning Morgan Stanley’s policies on gift-giving and entertainment; the circulation of Morgan Stanley’s Global Anti-Bribery Policy; guidance on the engagement of consultants; and policies addressing specific high-risk events, including the Beijing Olympics.

(5) Morgan Stanley required Peterson on multiple occasions to certify his compliance with the FCPA. These written certifications were maintained in Peterson’s permanent employment record.

(6) Morgan Stanley required each of its employees, including Peterson, annually to certify adherence to Morgan Stanley’s Code of Conduct, which included a portion specifically addressing corruption risks and activities that would violate the FCPA.

(7) Morgan Stanley required its employees, including Peterson, annually to disclose their outside business interests.

(8) Morgan Stanley had policies to conduct due diligence on its foreign business partners, conducted due diligence on the Chinese Official and Yongye before initially conducting business with them, and generally imposed an approval process for payments made in the course of its real estate investments. Both were meant to ensure, among other things, that transactions were conducted in accordance with management’s authorization and to prevent improper payments, including the transfer of things of value to officials of foreign governments.

Based on the foregoing, the DOJ declined to prosecute Morgan Stanley and noted in its Press Release, “After considering all the available facts and circumstances, including that Morgan Stanley constructed and maintained a system of internal controls, which provided reasonable assurances that its employees were not bribing government officials, the Department of Justice declined to bring any enforcement action against Morgan Stanley related to Peterson’s conduct. The company voluntarily disclosed this matter and has cooperated throughout the department’s investigation.”

Compliance Program as Compliance Defense

The second point of note in this enforcement action is that if it was not clear that a company receives credit for having a best practices compliance program it is now. Recognizing that a compliance program is not available as a formal affirmative defense, it is clear that Morgan Stanley was able to use not only their written compliance program, but its ongoing maintenance, communication and due diligence aspects to shield the employer from liability. Remember that Peterson was a Managing Director for Morgan Stanley. This is not a low level functionary but a person far up the food chain. Neither the DOJ nor the SEC invoked the doctrine of Respondeat Superior in any enforcement action against Morgan Stanley. The bottom line is what the DOJ and SEC representatives have been saying all along and that is that companies with best practices compliance programs receive credit in negotiating with the government. Here the DOJ spelled it out in their Press Release so kudos to the DOJ and SEC for doing so in such a public manner.

What Can You Do?

So what can you as a compliance officer do with the lessons learned from this enforcement action? Borrowing from my This Week in FCPA colleague Howard Sklar’s recent blog post, entitled “The Most Marketable Compliance Officer In The World”, I suggest the following:

(1) Regularly update your policies and procedures. The DOJ has said over and over, and has included in Schedule C – its description of an effective anti-corruption compliance program – that companies must update programs, and have several areas of compliance mentioned. Morgan Stanley took that lesson and did exactly what the DOJ expected.

(2) Increase the frequency of your training. Peterson was trained on the FCPA seven times and over a 7-year period Morgan Stanley trained its Asia-based employees 54 times on anti-corruption. This clearly shows that training is important and the documentation of training is critical. How else was Morgan Stanley able to demonstrate to the DOJ just how many training sessions Peterson had sat through?

(3) Send out compliance reminders. Peterson received reminders about FCPA compliance 35 times. This is an easy and quick action that you can take often. You can send them out by email, use your internal messaging system or a myriad of other media. Better yet, you could write an email for your company President pointing out that Morgan Stanley was NOT indicted because it had such a robust compliance program.

(4) Engage in ongoing Due Diligence, including transaction monitoring. As Howard noted, “Morgan Stanley had a robust due diligence program. The program included transaction monitoring – a sure sign that a company really cares about diligence is the extent it realizes diligence is ongoing – and included random audits of people and partners.” Ongoing due diligence and monitoring is becoming the new normal so I suggest that you get ahead of the curve, as in now.

I believe that the Peterson enforcement action is one of the most significant in 2012 to date. It provides solid guidance to the compliance practitioner on what the DOJ and SEC think is important and gives you actions that you can engage in now to increase the visibility of your compliance program within your company. Kudos to Morgan Stanley for their compliance victory. You do not have to parade in five pitchers to pitch to five different batters as Brad Mills did, but I think the import should be to take action now.


March 6, 2012

The President and Lin-sanity: Lesson Learned III For Your Compliance Program

Lin-sanity still reigns and it may well now have reached its penultimate level. What evidence do I have of this cultural phenomenon? It is that both US President Barack Obama AND Sarah Palin are now on the Lin-sanity bandwagon. Palin, who played basketball in high school, is pictured at the left with the highly coveted Lin gear outside her Manhattan hotel. Not to be outdone, last week on the B.S. Report, a weekly podcast hosted by the Sports Guy Bill Simmons, held at the White House, President Barrack Obama talked about Lin-sanity and his fellow Harvard alum Jeremy Lin.

The President made an interesting comment, which I thought spoke to an ongoing issue in the compliance world. His observation was that Lin’s in-game success did not happen overnight, so the question for you is: where were all of the ubiquitous NBA coaches through his practices during the 15 months he has been in the NBA? The President thought that some coach should have seen something which indicated Lin had some talent. While we can ponder the wisdom of the 30+ coaches, between the Warriors and Rockets, who all blew that one, one of the things that the President’s comment brought up for me is the role of training in any best practices compliance program. Why, you might ask? The answer is because one of the focuses within an organization is to not only develop talent, but to evaluate talent in everyday work situations, similar to evaluating a basketball player in practice. So the Lin-sanity Lesson III is that one of the areas of training is to teach business unit employees to coach and evaluate compliance talent in an organization.

This is an area that Human Resources (HR) can be of great assistance to the Compliance Department. Compliance can take the lead in training on the substance of compliance. However, HR can assist in training managers to evaluate and audit employees on whether they conduct themselves within a culture of compliance and ethics. This is the traditional role of HR. While there is a training requirement for any minimum best practices compliance program, based upon the requirements in the US Sentencing Guidelines, I would submit that there is an opportunity to bring additional and more focused HR based training to bear which would enable a company to develop leaders who are thoroughly grounded in compliance and ethics.

Under the US Sentencing Guidelines, companies are mandated to “take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.” This requirement would also suggest that training results should also be evaluated and once again HR can fill this role. As part of this evaluation, a candidate for promotion can be assessed in not only their interest in the area but their retention of the materials going forward. Lastly, HR can evaluate how a candidate for promotion incorporates compliance and ethics not only into his or her work but how the candidate might help to foster a culture of compliance in the company.

President Obama’s remark about Jeremy Lin and what he may have shown in practice brought up the day-to-day work that any NBA player must go through which is watched by numerous NBA coaches. This concept is the same in a business organization. The day-to-day practices equate to how employees comport themselves whilst doing the routine and daily business of their companies. It’s a good bet that if an employee acts in an ethical manner in his or her routine dealings, they will do so in a situation which requires conducting business through a culture of compliance. HR is a part of the corporate organization that can evaluate these day-to-day scenarios. HR can also train business unit employees to evaluate personnel on compliance and ethics issues. You should not miss this opportunity to watch and evaluate your employees!


February 8, 2012

Haas School Training for Compliance and Ethics Leadership

There are a myriad of compliance and ethics conferences across the country each year. I regularly attend and speak at some of these. There are also more regular webinar and local events which may focus on specific topics or themes. However, there are relatively few educational programs, put on by universities or business schools which focus on the ‘how to’ of compliance leadership. This situation will soon change.

In a recent article in the European Business Review, entitled “Leading with Ethics and Compliance”, author Mark Meaney discussed the Occupy Wall Street movement and similar protests in the context of the requirement for “business schools to address the need for greater accountability and transparency in business decision-making.” He pointed towards Dean Rich Lyons of the Haas School of Business at the University of California, Berkeley, who has argued for the “importance of creating a culture within the business school that encourages students to go beyond themselves as future business leaders in learning to accept responsibility for the impact on society of their actions.” In addition to its traditional business school curriculum the Haas School also has “training and education for individuals who will have as their function to change the ethical climate of corporations from the inside in their role as Chief Ethics and Compliance Officers (CECOs).”

This outreach program is based upon research done at the Haas School which concluded that compliance programs usually adopt one of two approaches to corporate ethics and compliance training: a rules-based approach or a values-based approach. The Haas School has taken the belief that neither approach is entirely effective at corporate compliance and ethics. In a rules-based approach, compliance programs use “deterrence as a means of enforcing employee compliance with corporate policies, ethical standards, and government rules and regulations.” This emphasis on the rules and the investigation and punishment of employees creates a ‘culture of fear’ that stifles open communication. In a values-based approach, compliance programs will “emphasize creating a corporate culture that encourages employees to speak up about potential issues without the fear of retaliation. While a vast improvement over the rules-based approach, the values-based approach to corporate compliance and ethics still does not go far enough.”

The Haas School’s approach is that an ethics and compliance program only becomes truly effective when an organization fully integrates compliance into the company’s overall strategic planning process. Once senior executives make the connection between brand reputation and success in an “idea economy” they will realize the return on investment (ROI) of an ethics and compliance program. Companies can then learn how best to leverage their ethics and compliance programs in strategic planning to maximize innovation and performance with integrity in gaining a competitive edge.

The focus has led to the creation of an executive learning program, entitled “Leading with Ethics and Compliance”, which is designed to provide compliance practitioners with the necessary tools that will empower them to achieve strategic relevance by partnering with key decision makers to cultivate influence, earning a reputation as a creative thinker intent on progress and not obstruction, and by measuring how ethics and compliance improves the organization’s ability to meet its corporate objectives.

This intensive three-day course will be taught at the UC Berkeley Center for Executive Education from February 13 to 15. I had the opportunity to review the agenda and its faculty and speakers recently and it appears to have an impressive array of notables in the compliance and ethics field. The faculty includes the aforementioned Mark Meaney and others from the Haas School, melded with speakers from a wide range of compliance practices, both in-house and third party service providers.

The curriculum includes the following broad categories: (1) Ethics and Compliance 3.0, which includes topics such as From Check Box to Culture to Strategy; Ethics, Compliance, and Organizational Strategy; and Leading Change, Leveraging Culture. (2) The E&C Officer as Strategic Partner, including topics such as Power and Influence with Integrity; Transformational Leadership and Building Your Base. (3) Tools of the Successful E&C Officer; including such topics as Data Privacy and Security in Information Management; Managing Hotlines and Conducting Internal Investigations; Global Compliance Risk Mitigation; and Sector Regulatory Update.

If you hold a leadership position in compliance, or aspire to, this Haas School program would appear to be an excellent place for you to hear about some of the most current best practices in compliance leadership. For more information on the program, click here.


February 1, 2012

Third Party Checkup

In a January 29, 2012 editorial in the New York Times (NYT), entitled “Made in the World”, columnist Thomas Friedman wrote about the end of ‘outsourcing’; his thesis being the “world is now so integrated that there is no “out” and no “in” anymore. In their businesses, every product and many services now are imagined, designed, marketed and built through global supply chains that seek to access the best quality talent at the lowest cost, wherever it exists.” However, the ‘cheapest’ does not necessarily mean the best for your company.

What are your company’s risks for not knowing such information? Clearly anti-corruption legislation has remedies for civil and criminal liability. However, equally great may be reputational damage, “even from public investigations into a third party.” Put another way, how do you think the folks at Apple felt when they woke up on the morning of January 25, 2012 to find the following headline on the front page of the NYT “In China, Human Costs are Built into an iPad”?

In a recent White Paper, entitled “Third Party Essentials: A Reputation/Liability Checkup When Using Third Parties Globally”, authors Marjorie Doyle and Diana Lutz posit that in most foreign business partner relationships, your company will be held responsible for the actions of third parties which work for and with your company. The new global expectation is that “you know who they are, you have vetted them and you are in control of the activities for which you hired them.” They further believe that such is even more important when anti-corruption and anti-bribery laws, such as the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other OECD based legislation, are applicable. They note, “Gone are the days when organizations could wash their hands of liability or damage to reputation from outsourced work due to ethics and compliance failure.”

To help companies navigate through the issues, the authors have prepared a checklist to test an “organizations health status concerning your relationship to your third parties.” It is as follows:

  1. Do you have a list or database of all your third parties and their information? Does your company have a full list of all third parties including such basic information as name, location, type of services provided, contract files and dates, principals of the third party and primary contact, due diligence files and any other information you might need to manage the third party relationship going forward?
  2. Have you done a risk assessment of your third parties and prioritized them by level of risk? You need to know which third party services present the greatest risk to your company by asking some of the following questions: (a) Is the third party’s service critical to your business?; (b) Is the third party’s service performed with little company supervision or oversight?; (c) Does the third party have access to any company funds, resources or assets?; (d) Can the third party fund the company contractually?; and (e) Does the third party obtain any foreign governmental licenses, certifications or other approvals for your company?
  3. Do you have a due diligence process for the selection of third parties, based on the risk assessment? You should use the information determined through the risk assessment to “tailor the level of diligence to the level of risk.” Assign a risk profile to categories, such as high, medium and low. The higher the risk, the more due diligence will be required to vet the third party.
  4. Once the risk categories have been determined, create a written due diligence process. Here you need to have a written policy and defined procedures to implement that policy. The policy should include the following: (a) who is responsible for implementation; (b) list of red flags and how such red flags are to be dealt with and cleared; (c) a procedure to pay for any due diligence performed; (d) reference checks on third parties; (e) procedures for in-person interviews for third parties in a high risk category; (f) conflicts of interest checks, and (g) process for documentation and storage of all of the above information.
  5. Once the third party has been selected based on the due diligence process, do you have a contract with the third party stating all the expectations? In addition to your standard commercial terms, your third party contract should also include compliance terms and conditions, which should include the following: (a) anti-corruption and anti-bribery certification; (b) a requirement that the third party maintain accurate books and records and that your company has audit rights; (c) indemnity rights; (d) anti-corruption and anti-bribery training for the third party’s employees; (e) an anonymous reporting mechanism for ethics complaints; (f) a requirement that the third party obtain pre-approval to subcontract out any of its work for your company; (g) a requirement that the third party report any ownership change back to your company; and lastly (h) clear termination rights.
  6. Is there someone in your organization who is responsible for the management of each of your third parties? Just as your company would never have an employee who is not supervised, your company should not have a third party which does not have company oversight. You should designate a manager to maintain the third party relationship with your company. Such relationship manager should maintain and update documentation on the third party, work with Internal Audit to schedule and perform audits, meet regularly with the third party and oversee adherence to the third party’s contract with your company.
  7. What are “red flags” regarding a third party? Red flags are generally recognized as signs or situations which should give rise to further investigation by your company. While there are innumerable questions which can be asked and answered, I believe that red flags are generally organized into one or more of the following categories: (a) something seems out of the ordinary; (b) reluctance of party to supply information/difficulty of verifying information; (c) the company/services/principals are not verifiable by data, only anecdotally; and (d) mismatch in business experience with the product or services offered. Whatever red flags you list, if they are undiscovered or left unresolved, it could certainly cost a reputational loss or worse for your company.

Many companies understand the maxim “Know Your Customer (KYC)”; nevertheless, in today’s global economy this maxim may well need to be expanded to “Know Your Third Party”. The authors conclude by agreeing with Thomas Friedman’s observation in his Op-Ed piece “that there is no “out” and no “in” anymore” and that “the rule is: Source everywhere, manufacture everywhere, sell everywhere.” However, this opportunity brings potential costs. Your company should “apply the same rigor in selecting, training and managing third parties” as it does for its own employees. A good place to start is with a third party checkup.

============================================================================================
Episode 29 of This Week in FCPA is up. Howard Sklar and I visit with the winning defense lawyers in the O’Shea case.

============================================================================================
