FCPA Compliance and Ethics Blog

July 24, 2014

Code of Conduct, Compliance Policies and Procedures-Part III

Today, I continue with Part III of my four-part series on the best practices surrounding your Code of Conduct and anti-corruption policies and procedures. In this post, I take a look at drafting policies and procedures. I conclude with some thoughts by well-known policy pundit Michael Rasmussen on management of policies going forward.

One of the key components of any best practices compliance regime under any anti-bribery and anti-corruption program is policies and procedures. Policies and procedures tie together a company, its business environment, the risks it faces and the compliance requirements. Policies and procedures are a specific requirement for any anti-corruption/anti-bribery compliance regime. The FCPA Guidance states, “Whether a company has policies and procedures that outline responsibilities for compliance within the company, detail proper internal controls, auditing practices, and documentation policies, and set forth disciplinary procedures will also be considered by DOJ and SEC.” Under the UK Bribery Act, policies are discussed in the Six Principles of an Adequate Procedures compliance program under Principle V – Communication, where it states “The business seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the company through internal and external communication, including training, that is proportionate to the risks it faces.”

As further stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Borrowing from an article in the Houston Business Journal (HBJ) by John Allen, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

  • identify to whom the policy applies;
  • establish the objective of the policy;
  • explain why the policy is necessary;
  • outline examples of acceptable and unacceptable behavior under the policy; and
  • warn of the consequences if an employee fails to comply with the policy.

Allen notes that for policies to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, simply the logistics of training can appear daunting. Small groups, where detailed questions about policies can be raised and discussed, can be a powerful teaching tool. Allen even suggests posting FAQs in common areas as another technique. And please do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the DOJ was that it sent out bi-monthly compliance reminder emails to its employee Garth Peterson for the seven years he was employed by the company.

Interestingly, Allen emphasizes, “having policies written out and signed by employees provides what some consider the most vital layer of communication. A signed acknowledgement can serve as evidentiary support if a future issue arises.” I also like it when others recognize my ‘Document, Document and Document’ mantra for FCPA compliance.

While I think that most compliance practitioners understand this need for policies and procedures, one of the things that is not usually emphasized at a company is effective policy management. Michael Rasmussen, writing in Compliance Week in an article entitled “Improving Policies Through Metrics”, discussed the need for effective policy management. He believes that it requires a company to periodically review its policies to ensure that they are relevant and aligned with both current laws and corporate objectives. This is because today’s business environment is dynamic and involves both internal and external factors; consequently, as a company evolves and changes, its policies need to be updated to reflect these changes.

Rasmussen believes that at a minimum, policies must be reviewed annually. He recommends that each policy should go through a yearly review process to determine if it is still appropriate. There should be a “system of accountability and workflow that facilitates” any policy review process. The end product should be a decision to “retire the process, keep the policy as it is, or revise the policy.” Rasmussen lists five items that a policy owner should evaluate as a part of the policy review process.

  • Violations. Here Rasmussen believes that information from reporting systems such as hotlines or other anonymous lines as well as internal or external investigations must be reviewed. Not only would such information indicate if a company policy was violated but the follow-up investigation would help to determine how the policy might have failed, whether it was through “lack of awareness, unauthorized exceptions [or] outright violations.”
  • Understanding. Here Rasmussen writes that there should be an analysis of “training and awareness programs, policy attestations” and attendant metrics to determine an appropriate level of policy understanding. He believes that questions to a helpdesk or compliance department could help to discover any ambiguities in a policy that might need to be corrected.
  • Exceptions. If you have a policy it should be followed. If an exception to a policy was granted the reason for the exception should have been documented. If there are too many exceptions granted for a policy, it might indicate that “the policy is inappropriate and unenforceable” and therefore should be revised.
  • Compliance. A policy should govern and authorize internal controls. These internal controls should be reviewed in conjunction with the policy review to determine overall policy effectiveness. This is because “At the end of the day the policy needs to be complied with.”
  • Environment. All the factors around a policy are in flux. This includes a company’s risk profile, its business strategy, laws and regulations. Since a business’ climate is dynamic, a policy should be reviewed in the context of a company’s overall situation and revised accordingly.

If there is a change in a policy it is important that not only the correct change be made but that any change is documented. An audit trail is a key component for a company to internally understand when a change is made and the reason for that change but also to demonstrate to a regulator effective policy management and to present “a defensible history of policy interactions on communications, training, acknowledgements, assessments and related details needed to show the was enforced and operational.” This audit trail should include “key data points such as the owner, who read it, who was trained, acceptance acknowledgements and dates for specific policy versions”. In addition to an audit trail, policy revisions should be archived for referral back at a later time. So, once again, the key message is document, document and document.

Just as best practices in the FCPA compliance arena evolve, so do business practices, markets and risks. If you throw in the complexities from an inter-connected global business milieu, the task becomes even tougher. Business policies are one of the keystones of a company’s communications to its employees on what it expects and what is required of its employees. To keep policies up-to-date and properly take advantage of this valuable tool, policies need to be evaluated and updated as appropriate. If your company fails to do so, this takes away from the value of having policies in the first place. I hope that you will use the techniques which Rasmussen has described to help you effectively manage your policies going forward.

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts it a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 11, 2014

Friday Comings and Goings

I wish I could be there.

Next week, the FCPA Professor is leading his first FCPA Institute this summer over two days, July 16 and 17. The event will be held in Milwaukee and hosted by the law firm of Foley and Lardner.

The Professor’s stated goal in leading this first Institute is “to develop and enhance fundamental skills relevant to the FCPA and FCPA compliance in a stimulating and professional environment with a focus on learning. Information at the FCPA Institute is presented in an integrated and cohesive way by an expert instructor with FCPA practice and teaching experience.” Some of the topics that will be covered include the following:

  • An informed understanding of why the FCPA became a law and what it seeks to accomplish;
  • A comprehensive understanding of the FCPA’s anti-bribery and books and records and internal controls provisions and related enforcement theories;
  • Various realities of the global marketplace which often give rise to FCPA scrutiny;
  • The typical origins of FCPA enforcement actions including the prominence of corporate voluntary disclosures;
  • The “three buckets” of FCPA financial exposure and how settlement amounts in an actual FCPA enforcement action are typically not the most expensive aspect of FCPA scrutiny and enforcement;
  • Facts and figures relevant to corporate and individual FCPA enforcement actions including how corporate settlement amounts are calculated;
  • How FCPA scrutiny and enforcement can result in related foreign law enforcement investigations as well as other negative business effects from market capitalization issues, to merger and acquisition activity, to FCPA related civil suits; and
  • Practical and provocative reasons for the general increase in FCPA enforcement.

In other words, it is what you have come to expect from the FCPA Professor: well-thought-out, reasoned analysis, practical knowledge and learning, and provocative thinking and assessment. But more than all of the above, I believe you will receive some great insight into why the FCPA Professor continually challenges the status quo in many areas about the FCPA. He and I often look at the same thing and see different views, but by seeing more than one view, I believe you will come away with a deeper overall understanding of the entire FCPA picture.

For complete information on the FCPA Institute, click here.

As Monty Python might say, “And Now For Something Completely Different.” If you would like a much shorter view of some FCPA and anti-corruption related topics, check out some of my most recent podcasts, the FCPA Compliance and Ethics Report.

In Episode 74, I visit with Paul McNulty about his upcoming move to become the President of his alma mater, Grove City College.

In Episode 72, I visit with the GRC Pundit, Michael Rasmussen about why companies have such a disconnect when it comes to the theory and practice of their GRC practices.

In Episode 69, I visit with Joe Oringel about his company’s exciting new approach to transaction monitoring in the anti-corruption space.

In Episode 68, I interview Neil Swidey, author of Trapped Under the Sea about his experiences in researching and writing his book.

In Episode 66, the FCPA Professor shares his thoughts on the Esquenazi decision.

In Episode 63 and 64, I have a two-part discussion of the management of third parties under the FCPA.

For those few of you on the planet not aware of it, the World Cup final will be held this coming Sunday. Mike Brown and I have been discussing the World Cup, FIFA and anti-corruption in our World Cup Report series. You can check out Part I, Part II, Part III, Part IV, or Part V.

All of the episodes of the FCPA Compliance and Ethics Report are available for download on iTunes at no cost so if you want to catch up on all things FCPA and compliance related on the drive to work, you can do so. A happy Friday and enjoyable weekend to all.


June 27, 2014

The Berlin Airlift and Different Approaches to Compliance Issues

As the USA played Germany in the World Cup yesterday, it is perhaps appropriate that we look back at another June 26th event that involved the US as we celebrate one of the great relief efforts in post-war Europe and the Cold War, the Berlin Airlift. On June 26, 1948, US and British pilots began delivering food and supplies by airplane to Berlin after the city was isolated by a Soviet Union blockade. Though some in President Truman’s administration called for a direct military response to this aggressive Soviet move, the President was concerned that such a response would trigger another world war. As an alternative, he coordinated a massive airlift operation under the control of General Lucius D. Clay, the American-appointed military governor of Germany. The first planes took off from England and western Germany on June 26, loaded with food, clothing, water, medicine and fuel. By July 15, an average of 2,500 tons of supplies was being flown into the city every day. The massive scale of the airlift made it a huge logistical challenge and at times a great risk, with planes landing at Tempelhof Airport every four minutes, round the clock for the next 15 months. This broke the Soviet blockade.

I thought about this alternative approach that Truman employed, a supply line rather than a military response, when I read an MIT Sloan Management Review article, entitled “What Businesses Can Learn From Sports Analytics”, by Thomas H. Davenport. In his article, Davenport explored how “the use of analytics in the sports world has much to teach managers about alignment, performance improvement and business ecosystems.”

For his article, Davenport “interviewed more than 30 representatives of teams, sports analytics vendors and consultants for a report on the state of the art in sports analytics,” in which he “focused on three different areas of activity, each of which is growing rapidly. In order of decreasing prevalence, they are: team and player performance analytics, sports business analytics, and health and injury prevention analytics.” From this research, he developed five key lessons that almost any business could adopt. However, I thought about his points in the context of compliance ecosystems rather than business ecosystems, so I will use his article as a starting point to consider what compliance can learn from sports analytics.

  1. Align leadership at multiple levels 

Davenport believes “In sports, key decisions — which players to acquire, how much to pay them, and which strategies to adopt for better athletic and business performance — must be made and overseen at multiple levels. As a result, alignment along different management levels is crucial.” Based on his research I believe the message for Chief Compliance Officers (CCOs), compliance practitioners and analytical practitioners is to work together closely and consult frequently.

  2. Focus on the human dimension

Davenport’s key finding about sports teams is that they realize that their players are both their most important and expensive resources and that sports teams focus on the human dimension of performance in a variety of ways. “First, they address individual-level game performance by monitoring points scored, rebounds gathered, batting averages and other increasingly sophisticated measures of both offensive and defensive performance… Second, teams are beginning to assess not just individual performance, but performance in context.” They will also assess a team’s performance “with and without a combination of players.”

However, even if companies say they focus on their employees as their most valuable resource, they typically only focus their analytics on “operational or marketing issues and not on the human dimension of performance.” The key insight here is for compliance to focus on more of a team aspect: investigating a group’s compliance performance “with or without a particular person’s presence could be a valuable insight.” This could be expanded to reviewing wider sales teams in a region, country or product/service line.

  3. Exploit video and locational data

In Major League Soccer (MLS), players wear a GPS-based locational device that captures all movements around the field. In the NBA, six cameras in the ceiling of each arena capture all movements of the players and ball. All Major League Baseball (MLB) stadiums have cameras that track every pitch, and many teams also track every hit and fielding play with video cameras. This allows a more complete view of the raw numbers that metrics generate.

While it may not seem readily apparent, this type of approach can also benefit the compliance function. The key is that it looks at raw numbers in a different way. So transaction monitoring could be paired with relationship monitoring or other indicia. Also, travel and communications could be considered to show what might be happening in locations that are not readily apparent. The key takeaway is that there is more information available by obtaining more types of data.

  4. Work within a broader ecosystem

Davenport found that “Professional sports teams are relatively small businesses, with much of their revenue going toward player salaries, leaving just nominal funds for any data and analytics projects. As a result, teams often need to work within a broader ecosystem of data, software and services providers.” Based on this he believes that a “key in these partnerships is to draw as much as possible from the partner while maintaining key internal capabilities.”

For the compliance professional, you should try to develop relations with key vendors because there are just too many different techniques, types of data and other aspects of analytics to exploit, and even the largest corporation can’t excel on its own. The GRC Pundit, Michael Rasmussen, has observed that in GRC there is more than one technology. The same holds true in the compliance space. Jon Rydberg, founder of the Orchid Advisors, has called this the “Compliance Ecosystem Transformation” which he defines as “The coordinated development of compliance activities that transcend your entire supply chain, from suppliers – to manufacturers – to distributors – to retailers.”

  5. Support “analytical amateurs”

Finally, Davenport found that “Some professional athletes have begun to analyze their own performance in depth using public or team data and reports. Specifically, a number of soccer and football players have become assiduous reviewers of their video and GPS data, although the most frequent users have been professional baseball players, particularly pitchers.”

For the compliance professional, this means that they could also benefit from becoming such “analytical amateurs”. Moreover, they could work with business unit personnel to keep track of their own scores on compliance measures and use that information to improve their performance. Analytics-minded salespeople and managers could, for example, use the extensive data from compliance management systems to assess and improve their performance.

I found Davenport’s article to be quite thought provoking. For just as President Truman was able to come up with a different approach for a situation that could have led to World War III or at the very least a completely communist dominated unified Berlin, there are different ways to look at problems and find solutions. Using the analytical approach that has become so prevalent in the sports world may lead you to new and different thinking in the compliance arena.

May 6, 2014

From the Bad Boy Pistons to GRC: The Building Blocks of Compliance

I recently watched the ESPN documentary series 30-for-30 on the Bad Boy Detroit Pistons from the late 1980s and early 1990s. It was a great review of a different era of the National Basketball Association (NBA) and the perfect way to get ready for the current playoffs, even if the Rockets did choke their way out of Round 1 as usual. But more than great entertainment, the show focused on the building blocks of a pro basketball team. The Pistons were built player by player, each a piece of the overall team structure. The team then had to become battle hardened by losing some tough playoff games, first in the Eastern Conference to Boston and then in the NBA Championship to the Lakers, before they eventually succeeded in becoming two-time NBA champs. In other words, it was a lengthy process, which started in 1982 when the Pistons drafted Isiah Thomas, and it took almost 10 years for them to win the title.

I thought about this process orientation when I read a GRC Illustrated series article in the March issue of Compliance Week, entitled “The Principled Performance Vision”, by Carole Switzer, co-founder and President of the Open Compliance and Ethics Group (OCEG), and Scott L. Mitchell, the co-founder and Chair of OCEG. In their article, and accompanying GRC Illustrated presentation entitled “Pathway to Principled Performance”, they discuss the need for companies to have a mechanism to address ever-changing business and legal risks in the context of the high performance required by internal and external stakeholders. They articulate “a point of view and approach to business that helps organizations reliably achieve objectives while addressing uncertainty and acting with integrity.”

The biggest problems that they identify are the loss of cohesion and the insular nature of management and reporting systems between business units within an organization. For instance, they point to a wide variety of disciplines within a company, such as “governance, finance, production, and sales to adjunct areas like performance management, risk management, internal control, compliance, and audit” which must use the same data but often never share the results with each other. The authors posit that a more holistic approach is required and this “can only be achieved by integrating and orchestrating information and functions that, in many organizations, are fragmented and siloed. Then, these integrated capabilities must be supported with strong communication, effective technology, and development of the desired ethical culture.”

Coupled with the article and illustrated framework is a roundtable discussion led by Switzer of several leading compliance practitioners and thought leaders. The participants included Brian Barnier, Principal at ValueBridge Advisors; Paul Liebman, Chief Compliance Officer (CCO) at the University of Texas; Tony Miller, Chief Operating Officer (COO) and Partner at The Vistria Group; and Michael Rasmussen, Principal and Chief GRC Pundit at GRC 20/20 Research LLC. Switzer asked them the basic question: how does one get started in such an initiative for a company? Barnier believes that, in large part, it is about messaging by “treating it as a business initiative to drive profitable revenue and risk-adjusted return” as opposed to “yet another compliance task to achieve while cutting cost.” Liebman focused on the ‘why’ of change when he noted, “true change depends upon three things: a profound sense of discomfort in the current condition, a vision that things could be better, and a plan to get there. I think the first step is therefore to assess and explain the current level of discomfort—i.e., what is wrong and why.” Moreover, he believes that it is important to “have a vision of the direction you want to go and plan accordingly.” Finally, he said, “Focus on structure and process so that you are constantly moving forward. Slow, incremental but sustainable change in the right direction is far more important than quick, substantial but unsustainable change. Slow, incremental and sustainable change happens by taking advantage of pre-existing organizational processes and mental models that are already working well. Don’t force new or redundant processes but, rather, seek to understand how others are thinking and acting and explain how your vision is really just a logical extension of what they are already trying to accomplish.”

Miller took a somewhat different approach when he said that “Principled performance needs to be part of the culture, reflected in the strategy, and embedded in an organization’s operating systems and processes.” To accomplish this he listed three steps, “(1) the chief executive officer and the senior executive team explicitly acknowledging that this is an important problem that must be addressed; (2) establishing clear metrics and goals for improvement; and (3) assigning point accountability at the executive team level for developing and “owning” the process that will enable the organization to meet the principled performance goals.”

Switzer asked the participants if they could point to situations where there has been a failure to interconnect the various functions of Governance, Risk and Compliance (GRC) which has led to catastrophic consequences. Miller pointed to the siloed nature of the financial services industry when he said, “That’s why we’ve seen significant breaches in the financial services industry with excessive risk taking by traders, the mortgage services industry in lax and exploitive underwriting practices, and the education services industry with overly aggressive student recruitment practices.” Liebman pointed to that well known risk area under the Foreign Corrupt Practices Act (FCPA) by noting, “Third-party relationships are an example where disparate processes and strategic goals can lead to significant non-compliance, waste, and surprise. For example, companies often create a business strategy at a high level and then ask others to implement the strategy with little or no oversight or structure… Accordingly, when a problem surfaces creating a bad reality, such as bribery in the supply chain, and expectations were set too high, the result is significant unhappiness for stakeholders.” Barnier focused on the management of risk without coordination due to the insular nature of management and reporting systems when he observed, “Much of this results from typical silo behavior—especially when reinforced by a control culture with its usual compartments that diminishes individual engagement and end-to-end views. Principled performance, with its focus on outcomes, brings together a range of decisions and activities to improve the likelihood of achieving those objectives.”

While some might find it interesting that the notorious “Bad Boys” of the NBA can teach the compliance practitioner a thing or two, it is clear that their General Manager (GM) Jack McCloskey had a plan in mind when putting the pieces of the team together. That team then had to be molded together and tested. This real world example would seem to be what Rasmussen said when he summed up his views by stating, “A mature GRC program will have an integrated strategy, process, information, and technology architecture that brings efficiency, effectiveness, and agility to GRC across the business and aligned with the business.”

If you have a team left in the NBA playoffs, good luck. Otherwise I hope that you will back me in supporting the Spurs yet again.
