FCPA Compliance and Ethics Blog

August 26, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part I

Yesterday, I blogged about the Desktop Risk Assessment. I received so many comments and views about the post, I was inspired to put together a longer post on the topic of risk assessments more generally. Of course I got carried away so today, I will begin a three-part series on risk assessments. In today’s post I will review the legal and conceptual underpinnings of a risk assessment. Over the next couple of days, I will review the techniques you can use to perform a risk assessment and end with a discussion of what to do with the information that you have gleaned in a risk assessment for your compliance program going forward.

One cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the US Department of Justice (DOJ) has said that risk assessments that measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations identify how you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The UK Bribery Act has a similar view. In Principle I of the Six Principles of an Adequate Compliance Program, it states, “The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” In other words, risk assessments have been around and even mandated for a long time and their use has not lessened in importance. The British have a way with words, even when discussing compliance, and Principle I of the Six Principles of an Adequate Compliance Program says that your risk assessment should inform your compliance program.

Jonathan Marks, a partner in the firm of Crowe Horwath LLP, said the following about risk assessments in his 13-step FCPA Compliance Action Plan, “A comprehensive assessment of the potential bribery and corruption risks – both existing and emerging risks – associated with a company’s products and services, customers, third-party business partners, and geographic locations can serve as the basis for the compliance program. The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company.”

The reason is straightforward: one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless one can measure the risks one faces. Both the US Sentencing Guidelines and the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program.

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent SA, Maxwell Technologies Inc. and Tyson Foods Inc. all had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. Both the Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed.

  1. Geography-where does your Company do business.
  2. Interaction with types and levels of Governments.
  3. Industrial Sector of Operations.
  4. Involvement with Joint Ventures.
  5. Licenses and Permits in Operations.
  6. Degree of Government Oversight.
  7. Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. These factors supplement those listed in the UK Bribery Consultative Guidance, which states, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:

  1. Internal Risk – this could include deficiencies in:
     • employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
     • employee training or skill sets; and
     • the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.
  2. Country risk – this type of risk could include:
     (a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;
     (b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and
     (c) a culture which does not punish those who seek bribes or make other extortion attempts.
  3. Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value projects or projects with many contractors, or involvement of intermediaries or agents.
  4. Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.

Another approach was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk. He further detailed these categories as follows:

  1. Company Risk – Lawler believes this is “only to be likely to be relevant when assessing a number of different companies – either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve some of the following characteristics:
     • Private companies with a close shareholder group;
     • Large, diverse and complex groups with a decentralized management structure;
     • An autocratic top management;
     • A previous history of compliance issues; and/or
     • Poor marketplace perception.
  2. Country Risk – this area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, annual Transparency International Corruption Perceptions Index can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
  3. Sector Risk – these involve areas which require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:
     • Extractive industries;
     • Oil and gas services;
     • Large scale infrastructure areas;
     • Telecoms;
     • Pharmaceutical, medical device and health care;
     • Financial services.
  4. Transaction Risk – Lawler says that this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up”. Indicia of transaction risk include projects that:
     • Are high reward;
     • Involve many contractors or other third party intermediaries; and/or
     • Do not appear to have a clear legitimate object.
  5. Business Partnership Risk – this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:
     • Use of third party representatives in transactions with foreign government officials;
     • A number of consortium partners or joint venture partners; and/or
     • Relationships with politically exposed persons (PEPs).

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

May 31, 2012

Houston – The Epicenter of FCPA Conferences in June

Next month the 7th Annual Compliance Week Conference will be held in Washington DC. In my opinion, it is the very best all-around compliance conference in the country and I would urge you to attend if you can do so. However, in the month of June, the city of Houston is playing host to three of the best conferences focusing on the Foreign Corrupt Practices Act (FCPA) compliance that I have recently seen. If you are a compliance practitioner and want to hear about the most cutting edge best practices regarding FCPA compliance and meet some of the top compliance practitioners in the US, you should plan to attend one or all of these upcoming events. So for one month Houston will be the epicenter of FCPA conferences, rather than its prior moniker as the epicenter of FCPA enforcement actions.

University of Houston

The University of Houston, Law Center – Center for Consumer Law, is hosting the “First Annual Ethics and Compliance Symposium” on Thursday June 7. The event is billed as one “to provide practical advice about real-world challenges that face ethics and compliance officers.  From training, to monitoring and auditing, to specific emerging risks like export controls, the Symposium is meant to be an interactive and useful event for the practicing E&C professional.”

The panelists include practitioners from the sponsoring law firm of Baker and McKenzie, notably Paul McNulty (he of the ‘McNulty’s maxims’) and White Collar specialist Ryan McConnell. There are also several Chief Compliance Officers (CCOs) from well-known local energy companies such as Doug Walter from Phillips 66, Jay Martin from Baker Hughes and Dan Chapman from Parker Drilling. Rounding out the presenters are those from forensic and consulting firms such as Michael Schwartz from KPMG, Ramsey Pace from FTI and Mike McConnell from Grant Thornton LLP.

Bottom Line: Anytime you can hear Paul McNulty talk about “What Enforcement Authorities Expect in a Company’s Compliance Program” drop what you are doing and go listen.

World Check

World Check continues its program of top FCPA speakers with an event in Houston on June 26. The panel includes two of the best compliance practitioners I know; my “This Week in FCPA” cohort Howard Sklar and Jonathan Marks, he of the Marks’ “13 Step FCPA Action Plan”. I have heard them both speak and they are good.

Howard will examine ‘Schedule C’, which is the Department of Justice’s (DOJ) minimum 13-point best practices list of elements which should be included in your compliance program. It is found in recent Deferred Prosecution Agreements (DPA) entered into by the DOJ. Howard provides a color-by-number guide to compliance in his usually cool, calm and collected manner.

Jonathan Marks, a Partner & Leader in the Fraud, Ethics & Anti-corruption Practice at Crowe Horwath LLP, will give an overview of how organizations can deter problems before they arise and how to work toward building or enhancing a culture of compliance that addresses both the FCPA and the UK Bribery Act. I have used Jonathan’s 13 Step FCPA Action Plan in my practice. It is an excellent guide by which you can evaluate or assess your current compliance program and it is flexible enough to act as a guidepost for compliance program implementation or enhancement.

Bottom Line: Are you kidding – would you miss the opportunity to see Howard Sklar rant in person? But seriously, I know both of these guys and they both know their stuff as well as anyone in the field. This is the Tuesday event that I will attend. And the price is right – as in the event is complimentary.

Hanson Wade – Oil and Gas Supply Chain Compliance

Hanson Wade has put together one of the absolute best aggregations of FCPA compliance talent that has ever come to Houston for a conference; over three days, June 26-28. I realize the first day overlaps with the World Check event but that’s the way the cookie crumbles. The first day of the conference is Workshop Day with two great workshops. One on Supplier Due Diligence presented by Paul Liebman and the second on Managing the Risk of Third Parties by Rich Battaglia.

I have previously written about Dan Chapman and his interview presaging the event. In addition to Dan and several other top CCOs from the Houston area, the conference will be the only Texas appearance of the FCPA Professor, Mike Koehler, who will moderate a panel on “Does the Current FCPA Enforcement Environment Adequately Recognize Good Faith Compliance?” In addition to Dan Chapman, the FCPA Professor and other CCOs who will speak, there are some of the very top compliance practitioners, from both in-house and private practice, who will speak about doing the business of compliance on a day-to-day basis. It all starts with Jeff Spalding, Assistant General Counsel of Halliburton who is the event’s Chairman. Also included are such compliance industry leaders as Julia Symon from KBR; Julian Ranzato from DHL; Sam Tate from BP; Steven Gyeszly from Weatherford; Arvind Sharma from Flowserve and Ronald Sponberg from Baker Hughes.

The topics will be among the most relevant and most informative that you could ever ask for. They include FCPA prosecutions and enforcement actions, risk assessments and risk intelligence, dealing with facilitation payments, FCPA compliance training, and FCPA risk assessment in merger and acquisition work and in dealing with joint ventures, auditing and compliance convergence. Simply put, the scope of the Hanson Wade event is as broad and far-ranging as you might ask for; nevertheless, the focus is on the compliance practitioner and the business of doing compliance inside a corporation.

Bottom Line: This is one of the very best FCPA conferences that has ever been staged in Houston. It will offer some of the most cutting edge best practices on a wide variety of issues that bedevil compliance practitioners on a day-to-day basis. This list of speakers is the most ‘A-List’ that has ever been seen at such an event in Houston. You owe it to yourself to attend.

For information on the Hanson Wade Conference, click here. For readers of this blog, a discount is offered by Hanson Wade. You can receive the discount by entering the online discount code: FOXLAW. You can also use this discount code if you register directly with Hanson Wade.

For information on the World Check event, click here. The event is free so no discount is needed.

For information on the University of Houston event, click here. Sorry but I haven’t been authorized to offer any discounts.


© Thomas R. Fox, 2012

May 20, 2011

Jonathan Marks Tweets and Why You Should Be On Twitter

Yesterday my Fraud Examiner colleague Tracy Coenen posted a blog entitled, “Why I’m quitting Twitter (and you should too)”. My blog today will set forth the reasons why the compliance practitioner should refrain from quitting Twitter, actively participate and why the greater compliance world benefits from participation from experts like Tracy Coenen. So Tracy, do not quit!

Twitter is an excellent resource for anyone in the compliance community. It provides real time reporting and more importantly excellent resources for the compliance practitioner. AND BEST OF ALL IT IS FREE!

Why should you participate on Twitter? My experience is that it is one of the most efficient ways to get your name out in the field you practice. Whether it is law, forensic accounting, finance or selling flowers, it does not matter. The key is to stay focused on your area of specialty. If you tweet about where you are or that you are the Mayor of some such place it will not assist you professionally.

What did I do? I began my social media journey focusing on Twitter. Beginning in January, 2010, I reposted every tweet I could find on the Foreign Corrupt Practices Act (FCPA). I did not post original content because I was learning the Twitter ropes and was not sure what to do. I stayed focused on the area of the FCPA which led to me being named in February as one of the Top 15 “Must Follows” in the area of Securities Law (FCPA) by Bruce Carton, author of the Securities Docket Blog and his list was posted in Compliance Week.

I then decided to see if I could begin to send articles to different blogs and websites for posting. I always send an email introducing myself and they all come back with something along the lines of the following, “We know who you are and thanks for re-tweeting our tweets.” To date they have all said yes to me sending in a contribution for consideration. So I was able to make a name for myself through Twitter. Of course I had to follow up with substantive content and perhaps I could have sent blind submissions but Twitter was the tool which introduced me to the wider compliance world.

How else can one use Twitter to meet and develop substantive business? In December 2010, I noticed a tweet by Jonathan Marks where he mentioned that he had developed a 13-step action plan for FCPA compliance programs. I thought that this was an interesting item but there was no link to the document or information, so I took the direct approach and Direct Messaged Jonathan, on Twitter, to ask if he would be willing to share with us the 13-step action plan, which he was willing to do.

I met Jonathan (virtually) through LinkedIn and his hosting of the LinkedIn group ‘Fraud Pentagon.’ Through his profile I was able to discover Jonathan’s interesting professional journey: he is the Partner In-Charge of the Fraud, Ethics and Anti-Corruption practice at Crowe Horwath and has worked with the US Attorney’s office, the FBI, the IRS Criminal Investigation Division and US Customs officials during his career. Jonathan has also served as the Chief Audit Executive at several public companies and is a Certified Public Accountant, Certified Fraud Examiner and is certified in financial forensics.

I spoke to Jonathan to find out how he developed this plan and he told me that from his meetings with clients, on the issue of compliance over the years, he wanted to develop a non-legalistic approach that he could easily convey to clients. After the interview and his sharing of his 13-step program I wrote a blog about the program by which a company could review its FCPA compliance program, assess where the program is in terms of best practices, and then use the same action plan as a guide for implementing some or all of the best practices.

The response to the blog posting was so great that Jonathan wrote a White Paper on his 13-step program, and I assisted him with some of the drafting. All of this happened because he tweeted about his 13-step program. In other words, one little tweet led to all of the above.

How does all of this relate to Ms. Coenen and her pronouncement? I say to Tracy, do not stop tweeting – WE NEED YOU. One other reason to continue to participate in Twitter is the absolute wealth of information that is available to any chosen profession. However, I can speak only to the compliance world and in that world there is significant information available to all AT NO COST. If you are in a company on a budget, and who is not, you can obtain the best practices of FCPA compliance, Bribery Act compliance, fraud and forensic accounting compliance by participating on Twitter. Tracy’s tweets are substantive and if she retweets someone else’s tweets, I am confident that it is substantive as well.

Twitter is but one tool in any professional’s quiver of tools, and it is a significant and useful tool (did I mention that it is FREE?) for both marketing and research. I do agree with Tracy that I cannot point to one client I have obtained exclusively from Twitter. It is always some combination of Twitter/LinkedIn/Blogging/Speaking/White Papers and word of mouth. But it is a significant tool and, in my opinion, a tool that you should not forsake.


© Thomas R. Fox, 2011

January 19, 2011

Jonathan Marks 13-Step FCPA Compliance Action Plan-the details

Ed. Note-we recently blogged about Jonathan Marks 13 Step FCPA Compliance Action Plan. Jonathan received numerous requests for more information on the plan and so he fleshed it out in a blog posting yesterday on his blog site, the FCPAExpert. He graciously allowed us to repost the details of his plan today. Jonathan Marks can be reached via email at jonathantmarks@verizon.net and phone at 267-261-4947.

On January 11, 2011, Tom Fox (see the Blog post below) was kind enough to post the “13 Step FCPA Compliance Action Plan” that I cobbled together.  Since that time I have received many calls and e-mails for more information, so I decided to post it for others to consider using in practice.  My goal is to continuously tweak the plan.  Your suggestions and comments are always welcome.

13 Step FCPA Compliance Action Plan

Note:  The draft guidance is not prescriptive and does not detail specific anti-bribery measures, but instead adopts a principles-based approach, which is intended to be used as a guide by a company when implementing their own anti-bribery compliance programs.

Governance

The audit committee is responsible for overseeing the financial reporting process and controls, the internal audit function, and the external auditors, including the appointment of the company’s external auditor. It oversees management’s implementation of policies that are intended to foster an ethical environment and mitigate financial reporting risks. In this process, the audit committee has the responsibility to see that management designs, documents, and operates effective controls to reduce the risk of financial reporting fraud to an acceptable level. The Sarbanes-Oxley Act also makes the audit committee responsible for establishing mechanisms for the receipt, retention, and treatment of complaints received by the company regarding accounting, internal accounting controls, or audit matters, and confidential, anonymous submissions by employees of concerns regarding questionable accounting and auditing matters (generally referred to as the ethics or whistleblower program).

In addition, it is increasingly common for the audit committee to have a link with the compensation committee through overlapping members, joint meetings, or attendance of the audit committee chair at certain compensation committee meetings. The objective of this process is to satisfy both committees that the executive compensation structure provides sound incentives for achieving corporate strategies without unintentionally providing motivations for fraud or other unethical behavior. The focus on compensation structures will likely increase as a result of legislation and regulatory rules regarding corporate compensation policies and practices.

Source: Center for Audit Quality Anti-Fraud Report: Deterring and Detecting Financial Reporting Fraud: A Platform for Action

1. Top level commitment – “Tone from The Top”

  • Top-level management (usually the board of directors and senior executives) must establish a culture within their company in which bribery is unacceptable.  They also should ensure that the company’s policy to operate without bribery is effectively communicated throughout the company.  The draft guidance provides examples of what top-level commitment should include:
     • a “zero tolerance policy” toward bribery in all parts of the company’s operation;
     • clear explanation of the consequences that employees and business partners will suffer if they violate the corporate policy;
     • personal involvement in the development of a code of conduct, or ensuring the publication and communication of anti-bribery measures to all employees, subsidiaries and business partners; and,
     • appointing a senior manager to oversee the development of an effective anti-bribery program.
  • “Top level commitment” is another commonly identified element of an effective compliance program.  This principle, as articulated in the draft guidance, appears to combine the requirement of a strong “tone at the top,” noted by almost every respected guide on compliance programs from the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) to the US Department of Justice, and the need for a clear, firm anti-bribery policy, a principle also widely endorsed in the compliance literature and by governmental organizations.

2. Corruption and Bribery Risk Assessment

The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment.

Conduct a comprehensive review of the company and assess the potential bribery and corruption risks associated with its products and services, customers, third-party business partners and geographic locations where it operates.

The risk assessment can serve as the documented rationale for the compliance program.

Businesses must be aware of the current bribery risks they face in the sectors and markets in which they operate.  The proper nature of any risk assessment procedures will depend on the size of the company, as well as its activities, customers and markets.  But companies are generally advised to consider the following:

  • Whether those performing the risk assessment are “adequately skilled”; and,
  • What data sources should inform the risk assessment.  The draft guidance suggests the use of internal data (annual audit reports, internal investigation reports, focus groups and staff, client or customer complaints) and external data (analyzing publicly available information on bribery issues in particular sectors or jurisdictions).

For multinational corporations already subject to the US Foreign Corrupt Practices Act (“FCPA”) and other anti-bribery enforcement regimes, this requirement should be no surprise.  Section 8B2.1 of the US Sentencing Guidelines for Organizations already lists periodic risk assessments as a component of an effective compliance program.  And the OECD’s Working Group on Bribery in International Business Transactions issued guidance in November 2009 that similarly advised risk assessments as a good practice for companies.  Regardless of official guidance, no company can properly design a compliance program without identifying and understanding the risks it wishes to guard against.

3. Internal Controls

  • Most companies struggle with implementing mitigating controls to support their internal anti-bribery and anti-corruption policies.
  • Develop, document and maintain a system of internal financial controls to ensure that all payments are accurately recorded in the company’s books and records in accordance with applicable regulatory requirements.
  • Special attention should be paid to those areas that may directly affect the anti-bribery and corruption compliance program such as procurement, on-boarding of vendors, agents, consultants, and other third-party business payees.
  • Gifts and entertainment controls.  Managing the offering and receiving of corporate gifts, entertainment and travel has become increasingly important in today’s environment of increasing regulatory oversight. Gifts given with the best of intention can be incorrectly perceived and lead to millions of dollars in government fines, as well as loss of potential business.

4. Structuring and Defining Roles & Responsibilities

  • Anti-corruption director (See Daimler)
  • Chief Compliance Officer or Other Senior Corporate Official
  • The assignment of responsibility to one or more senior corporate officials for the implementation (see discussion within) and oversight of compliance with policies, standards and procedures regarding the FCPA and other applicable anti-corruption laws, with the official having the authority to report matters directly to the Board.
  • Understanding the US Sentencing Guidelines changes that became effective on November 1, 2010, and included a change related to the Direct Report. The amendment changed the reporting structure in companies where the Chief Compliance Officer (CCO) reports to the General Counsel (GC) rather than a committee on the Board of Directors.  The change reads “the individual…with operational responsibility for the compliance and ethics program…have direct reporting obligations to the governing authority or any appropriate subgroup… (e.g. an audit committee or the board of directors)”. If a company has the CCO reporting to the GC, who then reports to the Board, such structure may not qualify as an effective compliance and ethics program under the amended Sentencing Guidelines. The better practice would now appear to be that the CCO should be a direct report to the Board or appropriate subcommittee of the Board such as compliance or audit.

5. Risk-based Third Party Due Diligence

  • Develop and document an investigative due diligence protocol that will assess the potential bribery and corruption risks associated with third parties such as vendors, consultants, suppliers, agents and joint venture partners.
  • The nature and extent of the investigative due diligence should be based on the third party’s risk profile.
  • The protocol should set forth the remedial steps that may be taken for those parties that represent an elevated risk of bribery and corruption, including, but not limited to escalated due diligence or the termination of the relationship.
  • Types or levels of due diligence:
      • Basic: simple database checks
      • Medium: more in-depth review
      • High: reputation checks, site visits, forensic review of financial statements, and investigative procedures outside the US

6. Clear, Practical, Current, And Accessible Policies And Procedures

  • There should be a clearly articulated policy against bribery and corruption that enforces a tone of compliance from the board and management.
  • Procedures and processes that clearly set forth permitted and prohibited conduct, supervisory and compliance approvals for certain conduct and documentation of such approvals.

7. Documenting a Detailed Multi-year Compliance Plan

Companies must embed anti-bribery policies and procedures throughout the business.  “Paper compliance” is insufficient.  Companies should consider establishing an implementation strategy detailing the rollout of these policies and procedures:

  • Who bears responsibility for program implementation;
  • How to communicate the policies and procedures internally and externally;
  • The content and nature of anti-bribery training and how to roll it out effectively;
  • How senior management will monitor the program’s implementation;
  • Whether and how the company will use external assurance processes;
  • The processes for monitoring compliance;
  • The implementation timetable;
  • An explicit statement of penalties for violating relevant anti-bribery policies and procedures;
  • The date of the program’s next review; and
  • A decision on whether to require or suggest that business partners take part in anti-corruption training courses.

Warning! The statement that “paper compliance” is insufficient echoes warnings issued numerous times by US enforcement officials. Indeed, US Deputy Attorney General Mark Filip’s famous 2008 memorandum on prosecuting business organizations explicitly cautions that a mere “paper program,” lacking the necessary design, implementation, and review, will not protect a company from prosecution.

8. Appropriate Disciplinary Procedures To Address Violations

Appropriate disciplinary procedures to address, among other things, violations of FCPA, UK Bribery Act, and other applicable anti-corruption laws or compliance code by directors, agents and business partners.

9. Ensuring Robust Monitoring and Review (Utilizing Internal Audit)

  • Develop and document processes and/or controls to periodically assess the effectiveness of the compliance program and potential vulnerabilities and monitor for employee compliance.
  • Such processes may include periodic testing and validation, review of available metrics and design of self-assessment forms and exercises.

10. Training

Develop training materials that clearly and concisely interpret applicable legal, regulatory, policy and procedural requirements as well as the possible ramifications associated with non-compliance. The training materials should be reviewed periodically to ensure their continued adequacy.

Training should be provided regularly to senior management and key compliance and business personnel.

11. An Effective System for Reporting Suspected Criminal Conduct and/or Violations of the Applicable Anticorruption Laws for Directors, Employees, Agents and Business Partners.

Develop and maintain a system for receiving complaints containing allegations of bribery and corruption as well as a system to investigate such allegations and document the actions taken with respect to such complaints and investigations.

12. Other Risk Mitigation Procedures

  • Standard provisions in contracts and agreements that include at a minimum:
      • Anti-corruption representations and undertakings relating to compliance with FCPA, UK Bribery Act and other applicable anti-corruption laws;
      • Rights to conduct audits of the books and records; and
      • Rights to terminate as a result of any violation of anti-corruption laws, and regulations or representations and undertakings related to such matters.

13. Annual Testing of The Compliance Program

The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants. (emphasis added)

The OECD Good Practice states that a compliance program should be developed on the basis of a risk assessment addressing the individual circumstances of a company, in particular the foreign bribery risks facing the company (such as its geographical and industrial sector of operation). Such circumstances and risks should be regularly monitored, re-assessed, and adapted as necessary to ensure the continued effectiveness of the company’s internal controls, ethics, and compliance program or measures.

The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, requires ongoing risk review, monitoring, and review by noting that a compliance program and procedures should be reviewed regularly and encourages senior management of higher risk and larger companies to consider external verification or assurance of the effectiveness of anti-bribery policies.

In a recent speech, Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such an external verification or assurance of the effectiveness of a compliance program is a key component to assist a company in maintaining a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company could continue to evaluate its own compliance program with reference to compliance standards, which are evolving. Breuer has advocated an annual compliance program assessment by each company and I do as well.

Higher risk and larger companies should consider external verification or assurance of the effectiveness of anti-bribery policies.

January 11, 2011

Jonathan Marks’ 13 Step FCPA Compliance Action Plan

Back in December 2010, we noticed a tweet by Jonathan Marks where he mentioned that he had developed a 13-step action plan for Foreign Corrupt Practices Act (FCPA) compliance programs. We were certainly intrigued by this information but, alas, there was no link to the document or information, so we took the direct approach and DM’d Jonathan to ask if he would be willing to share with us the 13-step action plan, which he was willing to do. So today’s blog will begin with a reminder of the incredible tools that are available to the FCPA compliance practitioner through today’s internet.

I met Jonathan (virtually) through LinkedIn and his hosting of the LinkedIn group ‘Fraud Pentagon.’ Through his profile I was able to discover Jonathan’s interesting professional journey: he is the Partner In-Charge of the Fraud, Ethics and Anti-Corruption practice at Crowe Horwath and has worked with the US Attorney’s office, the FBI, the IRS Criminal Investigation Division and US Customs officials during his career. Jonathan has also served as the Chief Audit Executive at several public companies and is a Certified Public Accountant and Certified Fraud Examiner, and is certified in financial forensics.

I spoke to Jonathan to find out how he developed this plan and he told us that from his meetings with clients on the issue of compliance over the years, he wanted to develop a non-legalistic approach that he could easily convey to clients. So he studied the available literature, talked to others in the compliance arena and sought counsel from US government agencies tasked with enforcing the FCPA to come up with a framework by which a company could review its FCPA compliance program, assess where the program is in terms of best practices, and then use the same action plan as a guide for implementing some or all of the best practices.

Jonathan’s 13-step action plan includes the following:

1.    Assisting in obtaining top-level commitment from boards and senior executives, setting the “tone from the top”

2.    Executing a Corruption and Bribery Risk assessment that drives the compliance program and modifies it accordingly

3.    Improving/Strengthening Internal Controls

4.    Structuring and Defining Roles & Responsibilities

5.    Performing Risk-based Third Party Due Diligence

6.    Developing Clear, Practical, Current and Accessible Policies and Procedures

7.    Documenting a Detailed Multi-year Compliance Plan

8.    Defining Appropriate Disciplinary Procedures

9.    Ensuring Robust Monitoring and Review (Utilizing Internal Audit)

10. On-going Training

11. Violation Reporting System is in Place and Multi-lingual

12. Reviewing Ancillary Risk Mitigation Procedures

13. Performing Independent Compliance Program Testing Annually

During our phone conversation, Jonathan indicated that while his 13-step action plan was designed with the FCPA in mind, it is also a solid basis for any company to use when reviewing, creating or implementing an “adequate procedures” program under the UK Bribery Act. Jonathan also shared with us some of the literature and references he had used to put his 13-step action plan together. These included the US Sentencing Guidelines, the OECD Good Practices, blog postings and articles discussing best practices and information he had gleaned from attending seminars and conferences. We applaud Jonathan for developing his action plan and making it available for discussion in our blog. We hope that it can be of assistance to the FCPA compliance practitioner.

We also want to take this opportunity to emphasize the wealth of material which is available, at no charge, to the FCPA compliance practitioner. The genesis of this posting came through Twitter, which has an active group of FCPA compliance and ethics professionals tweeting throughout the day. We have also been able to obtain a large amount of helpful material through joining only a portion of the LinkedIn groups which discuss issues related to the FCPA compliance practitioner. These include: FCPA – Foreign Corrupt Practices Act – Anti-Corruption Compliance Group; Society of Corporate Compliance and Ethics (SCCE); Dow Jones Risk & Compliance; Anti-Corruption Professionals; AML, FCPA, and Investigative Due Diligence Thought Leadership; The Forum for Chief Compliance Officers and Chief Risk Officers; and Anti-Corruption Compliance Asia. This list is by no means complete but is a small sample of what is available to you, and sometimes you are able to meet like-minded professionals such as Jonathan Marks.

Jonathan Marks can be reached via email at jonathantmarks@verizon.net and phone at 267-261-4947.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011


 
