FCPA Compliance and Ethics Blog

April 6, 2015

Tribute To Eddie LeBaron and CCO as Compliance Project Sponsor

Today we celebrate Eddie LeBaron, who died last week. LeBaron was a diminutive pro quarterback for 11 seasons in the National Football League (NFL) in the 1950s and 1960s. He was also a lawyer and decorated veteran, having been awarded the Bronze Star during the Korean Conflict. In his New York Times (NYT) obituary, Frank Litsky wrote “In a position where players are now routinely 6 feet 3 inches or taller, LeBaron was 5-foot-7, and his weight never reached 170 pounds. But he had no fear of scrambling.” LeBaron quarterbacked the Dallas Cowboys from 1960 to 1963, before handing the reins of Coach Tom Landry’s offense over to Don Meredith with his retirement. After his retirement he worked as a color analyst for CBS Sports, which covered the NFL in those days. One of the things that I remember from his commentary work was the need for planning in any game plan. It was one of the first things I recall learning about pro football.

One of the skills you may be called upon to exercise as a Chief Compliance Officer (CCO) or compliance practitioner is the initiation, integration or enhancement of a Foreign Corrupt Practices Act (FCPA) compliance solution into an organization. Most assuredly, one of the things that is not taught in law school or in any compliance course is project management. As CCO, you may either lead such a project on a day-to-day basis or you may take the role of project sponsor, while delegating the day-to-day running of the project to a compliance practitioner in your group.

I thought about this issue when reading a recent article in the MIT Sloan Management Review, entitled “How Executive Sponsors Influence Project Success”, by Timothy J. Kloppenborg and Debbie Tesch. In their article they note, “The role of a project sponsor is often overlooked. But for every stage of a project, there are key executive sponsor behaviors that can make the difference between success and failure.” I found their article has some excellent tips for the CCO or compliance practitioner who may be facing such a task. The authors break the project life cycle into four stages: (1) Initiating Stage; (2) Planning Stage; (3) Executing Stage; and (4) Closing Stage.

I.   Initiating Stage

In this stage there are three key activities that a sponsor should pursue. First, the sponsor needs to set the performance standards. This “can be accomplished in the project charter by stating goals about the project’s strategic value and how it will be measured.” But beyond the written details there must be a “clear understanding of expectations about performance” of which dialogue is critical. Second, the project sponsor must mentor the project manager, whose key responsibility is to explain, “how the project fits into the big picture, defining the performance standards and helping the project manager set priorities.” Finally, the project manager must establish the project priorities, with the “most compelling” questions being “what needs to happen first and how should conflicts be settled?”

II.  Planning Stage

In the Planning Stage the authors believe that there are two critical project sponsor behaviors. The first is to “ensure planning” activities are completed by providing “leadership so that the project manager and team can set goals that align with the vision and broader organizational goals.” The second is to “develop productive relationships with stakeholders”. This means frequent meetings and communications. Interestingly, the project sponsor should not only see that “needs are identified and understood” but also make “sure that stakeholders’ emotional concerns are given adequate consideration.” Admittedly this is not something lawyers do particularly well, but it is mandatory for the CCO or compliance professional.

III.  Executing Stage

In the Executing Stage the authors identify three elements. First, the project sponsor must “ensure adequate and effective communication.” This means that regular communications must occur as the project progresses “to make sure that expectations are met.” However, this may require the project sponsor to “stand ready to manage the organizational politics with internal and external stakeholders.” Second, a project sponsor must work to help “maintain relationships with stakeholders.” This element helps facilitate the project manager and project team communications noted in the first element. Here the project sponsor should be “open to direct feedback from team members” to ensure that expectations are met. Finally, the project sponsor should work to “ensure quality” by practicing “appropriate decision-making methods and work to resolve issues fairly.”

IV.  Closing Stage

Finally, in the Closing Stage the authors write that there are two elements that project sponsors should emphasize. The first is to “identify and capture lessons learned.” They should be properly “categorized, stored and distributed in such a manner that future project teams will be able to understand and capitalize on”. The second element is to “ensure that capabilities and benefits are realized.” Capabilities, the authors suggest, “could include employees becoming more committed and more capable” and processes becoming “more effective and efficient.” Benefits relate to “verifying that the deliverables that were specified at the beginning were actually provided, work correctly and satisfy customer needs.”

To the extent they know much about project management, most CCOs or compliance practitioners are aware of the “iron triangle” of factors that determine a project’s success. The authors define these as “cost, schedule and performance.” But the authors’ research has led them to conclude that for a project to be a success it must meet an organization’s expectations. The next evaluative point is whether the project came in on time, within budget and to the project’s specifications. Finally, did the project succeed in bringing its touted positive benefits to the organization?

By using the steps the authors have outlined, a CCO can think through the organization and ongoing performance of a project to set it up for success. Equally important for the CCO, if the project management has been delegated to compliance team members or to other disciplines inside your organization, such as legal, internal audit, IT or human resources, the continued involvement of a CCO as the project sponsor can be a key component. The authors posit, “for every project stage, there are success factors that project sponsors should consider” and that a CCO must engage in an ongoing and continual dialogue with the project manager. Finally, key lessons learned should be captured and used down the road to help facilitate other projects or issues as applicable.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

November 21, 2014

The Strategic Use of Compliance

What is your company’s compliance strategy? By this I do not mean what is your company doing to put in place a best practices anti-corruption compliance program that meets the requirement of the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. My inquiry goes both further and deeper. Has your company moved beyond the view that compliance with the FCPA is simply enough by incorporating compliance into your business strategy to secure a competitive advantage going forward? I thought about this issue when I read a recent article in the MIT Sloan Management Review, entitled “Finding the Right Corporate Legal Strategy”, by Robert C. Bird and David Orozco. While the authors posed the questions from the legal perspective, I found their insights equally valid from the compliance perspective.

While I am fairly certain that Chief Compliance Officers (CCOs) and compliance practitioners understand the need for the integration of compliance into the day-to-day business operations of a company, many business types still view compliance “as a constraint on managerial decisions, primarily perceiving” compliance as simply a cost. The authors believe that the more enlightened approach is for companies to use functions such as compliance “in order to secure long-term competitive advantage.” To do so the authors detailed five different legal strategies, which they call pathways, that companies might use that I will translate into compliance strategies. They are in ascending order of importance: (1) avoidance; (2) compliance; (3) prevention; (4) value and (5) transformation. The right strategy for your company will depend on a variety of factors such as maturity of your compliance function, commitment by senior management to compliance, your business model and the compliance function’s ability to collaborate with business managers.

Avoidance

This is the idiot response where a company either disregards anti-corruption laws such as the FCPA or UK Bribery Act or engages in willful blindness. Unfortunately, there are many major US and foreign corporations that have come to grief under the FCPA because they did not take some of the most basic steps to comply with these laws. It is largely because senior management believes that compliance provides “little concrete value, so they make no effort to” even acquire knowledge in the area. Worse yet are companies who gain a modicum of knowledge about such anti-corruption laws “only so that they can circumvent it to achieve a desired objective.” The authors note that while “An avoidance strategy can sometimes be effective…it can also lead to disaster.” This leads to the compliance function and the CCO only being called in an emergency, after the conduct has occurred, so that compliance is always in a reactionary mode.

Compliance

This pathway means complying with laws, not the compliance function itself. Under this pathway, “companies recognize that the law is an unwelcome but mandatory constraint on their activities.” So while following this strategy would allow a company to have subject matter expert (SME) practitioners in the field of compliance, it would exist only “so the business could operate within its legal bounds.” Under this pathway, companies still view compliance as a cost to be minimized. Moreover, anti-corruption laws such as the FCPA or UK Bribery Act are “viewed as primarily inflexible—externally imposed rules that cannot be changed or adapted to suit a particular corporate strategy.” This means that business managers will simply not understand that compliance can be used to further business goals. It also leads most business unit folks to believe that compliance is the Land of No and the CCO is in reality ‘Dr. No’ who is there “primarily as a watchdog that polices corporate conduct for illegal activity.”

Prevention 

Under the prevention pathway, senior management acknowledges that anti-corruption laws can be used as a competitive advantage “to further well-defined business roles.” This means that compliance is proactive rather than reactive. Senior managers understand how the law relates to their business areas “and they appreciate how it can be used to minimize particular business risks.” The compliance function “seeks partnerships with managers to help them achieve their risk-management goals.” This pathway has the added benefit of allowing compliance practitioners to recognize the importance of measuring and quantifying compliance issues and data “as a part of a broader effort to support a business oriented strategy.” It also means that the compliance function is available to the business unit when the competitive landscape is “strategically assessed” by the business unit. This is more than simply having a seat at the table; it is being a part of and contributing to the commercial strategy.

Value

Companies operating in this pathway use compliance to “create tangible and identifiable value.” But to do so requires a true corporate commitment because business unit managers will need to have a strong understanding of anti-corruption compliance and how it can be tailored to generate value for the company. The CCO, and indeed the entire compliance function, must see itself “as a key stakeholder in helping the company to increase its return on investment” and should see itself in helping to create value for the company. Usually this comes about in two ways. The first is by using compliance to lower costs of doing business, particularly through third parties. Here you can think of reducing the number of vendors who perform the same services or provide the same products to you by appropriate management of your third party compliance program. The second way is by using compliance to increase revenues.

Transformation

In this final pathway, a company will incorporate compliance directly into its business model. While the authors note that few companies have been able to move this far in the legal arena, those who have done so possess a rare and valuable “capability that can provide a competitive advantage that is difficult for a business rival to imitate.” One of the keys to making this transformation is that not only is compliance integrated within “the company’s various value-chain activities; it is also linked with the value chains of important external partners as part of the larger business ecosystem.” This pathway is only available to companies with the most mature compliance function and most usually when compliance is combined with “the business model and core competencies of the company.”

Clearly there is no ‘one size fits all’ approach to compliance strategies. However, if your compliance program has maturity and senior management can operate with their eyes open, they will see that while the first three strategies focus on managing risk, the final two are targeted towards generating business opportunities or at least have compliance as a part of the team doing so. As compliance practitioners move into the CCO 2.0 role that I have advocated, these pathways can provide you with a tangible starting point to educate senior management on what compliance can bring to the (business) table.


© Thomas R. Fox, 2014

July 3, 2014

Gettysburg Day 3 – Failure of QA/QC and the Evolution of Your Compliance Program

Today is the 151st anniversary of Day 3 of the Battle of Gettysburg. Last year I focused on Pickett’s Charge and lessons that a compliance practitioner might draw from it. This year I want to look at the Confederate artillery bombardment, which preceded Pickett’s doomed attack. It was the largest of the Civil War with up to 170 Confederate guns opening fire on the Union center and approximately 80 Federal guns opening up to return fire. If you have seen the movie Gettysburg, you will remember the awesome cannonades and the young Confederate Artillery General Porter Alexander reporting to General Lee. At the time, it was reported that the barrage was so loud it could be heard as far away as Philadelphia and Baltimore.

The artillery barrage lasted just over one hour. The Confederate guns inflicted some damage on the Union batteries, but they largely overshot their targets. It was believed at the time that the reason the Confederate bombardment was ineffective was that Confederate artillerymen tended to aim high and missed their marks due to poor visibility from all the smoke on the battlefield.

However, a commentator named Captain Thorton, posting online in the American Civil War message board, had the following comments, “A week after the battle, Lt James Dinwiddie working for the Ordnance Dept. conducted tests on the various fuses supplied from around the Confederacy at the Richmond Laboratories. His findings showed that while those fuses manufactured in Charleston and Selma were made of exceptional quality, the rate of burn for those fuses was markedly less. In his findings compared with those fuses as previously supplied to the ANV from the Richmond arsenals it was found the fuses from Charleston and Selma burned at a rate of one second longer for the same length of fuse. The result of course was that those fuses in shells intended to explode over the Federal position at Gettysburg ranged anywhere from 150 to 200 yrds further to the rear before exploding. A 4 inch fuse would burn at the rate as one cut to 5 inches”. In other words, it was the quality in the supply chain, aka QA/QC.

I thought about this problem of quality and how it might relate to the compliance practitioner when I read a recent article in the MIT Sloan Management Review, entitled “What to Expect from a Corporate Lean Program”, by Torbjørn Netland and Kasra Ferdows. The focus of their article was ‘lean’ programs in the manufacturing sector and how “misplaced expectations of how quickly these programs can improve performance can make their implementation more difficult.” The key findings the authors made were threefold: (1) Management should set appropriate targets to move the process along; (2) There is a positive relationship between company or plant maturity in system implementation and its performance; and (3) Plants need to engage in continual assessment of where they are in the process.

Using the article as a basis for a Chief Compliance Officer (CCO) or compliance practitioner, the effectiveness of a compliance system depends on two variables: (1) how widely the compliance system has been implemented in a company, and (2) how thoroughly the company follows its prescriptions. A typical production system has many modules. Typically, at the beginning of an implementation, only a few modules are launched throughout the company. However, as compliance implementation is expanded to other areas, the initial implementation continues to receive upgrades and enhancements. The combination of these two variables — how widely and how thoroughly the compliance system is implemented — reflects a company’s “maturity” in the implementation.

The authors believe this leads to competing arguments for how “maturity in an implementation should affect its performance. On the one hand, if a lean program is a journey of incremental but continuous improvement, we should expect to see a linear relationship between implementation and effect on performance. On the other hand, the “low-hanging fruits” argument suggests that as a plant becomes more mature in an implementation, there would be fewer simple and quick improvements. Therefore, the rate of performance improvement would slow down.”

From this the authors derive four stages of performance improvement, which I believe adapt directly for the CCO or compliance practitioner in demonstrating how roles evolve during the life-cycle of a compliance program implementation.

Stage I – Beginner Compliance Programs

Step One can always be the most difficult but can lead to the greatest results. The difficulty is in bringing in something that people consider new. If you are initially implementing a compliance program there may be some initial resistance to new programs or requirements. But it also provides the greatest opportunity for growth in your compliance regime. So you should expect a low but gradual rate of improvement in the implementation of your compliance regime. As CCO or compliance practitioner you should expect to hold extensive meetings with the key stakeholders in the business units, senior management and those employees deemed high risk under any anti-corruption regime such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. There should be a dedicated compliance team to drive and coach the program implementation going forward. The budget should set small, measurable targets for improvement and the metrics should be closely followed.

Stage II – In Transition Compliance Programs

When you start to look for ways to improve compliance you inevitably find many low-hanging fruits and simple projects with quick returns. They not only improve the performance of the unit but also convince those directly involved of the value of a production system. Here you can expect to see improvements in your compliance regime at a high and increasing growth rate. Your role as the compliance practitioner should be threefold. First, to set stretch targets and have an expected accelerated rate of improvement. Second, to publicize your compliance program successes throughout the organization. Finally, the authors suggest the need to be ever vigilant for complacency.

Stage III – Advanced Compliance Programs

Companies with advanced compliance programs generally have accumulated both knowledge of and experience with the compliance program. In such companies, the authors predict that there will still be a high rate of improvement but it will be a decreasing rate of growth. However, the low-hanging fruit of easy compliance implementation and successes will have been achieved, and as the CCO or compliance practitioner in charge you will need to continue to set stretch targets but you may well be faced with a decelerating rate of improvement throughout your organization. You may well need to move your budget to areas for continuous improvement projects such as transaction, third party or relationship monitoring. However, this may be tempered by the fact that you can move more of the ‘doing’ of compliance down into the business units as your program matures.

Stage IV – Gold Standard Compliance Programs

When your compliance program becomes one of the top in your industry it will be time to “move beyond the frontiers of your industry.” As the CCO or compliance practitioner, you can expect to see low rates of improvement and decreasing rates of growth in your overall compliance program improvement. However, this does not mean you can simply sit around on your hands, as staying at this level is not easy. One thing that will assist you is that there will be a larger pool of compliance talent for you to draw from throughout your organization to help you move to a continuous monitoring model of compliance. By this stage you should have good working relationships with most of the other support functions in your organization, which will allow you to leverage their specific disciplines for your compliance initiatives going forward.

The authors end their article with something that is often said but bears repeating, that senior management must be committed to the implementation and you must establish a reliable process for measuring the gains you make and the maturity you have achieved. Moreover, the assessment process can be an effective mechanism to transfer best compliance practices and expertise across your organization.

In the aftermath of the Confederate failure at Gettysburg, testing was done on the fuses for Southern artillery shells. This testing showed the reason why the Confederate caissons had been largely ineffective on Day 3 of the battle. However, as your compliance program evolves, your role may well need to change in reference to it. Certainly the roles of compliance teams and those in the company business units who assist in the compliance effort will need to be assessed and reviewed as your compliance program matures.


© Thomas R. Fox, 2014

June 27, 2014

The Berlin Airlift and Different Approaches to Compliance Issues

As the USA played Germany in the World Cup yesterday, it is perhaps appropriate that we look back at another June 26th event that involved the US as we celebrate one of the great relief efforts in post-war Europe and the Cold War, the Berlin Airlift. On June 26, 1948, US and British pilots begin delivering food and supplies by airplane to Berlin after the city is isolated by a Soviet Union blockade. Though some in President Truman’s administration called for a direct military response to this aggressive Soviet move, the President was concerned that such a response would trigger another world war. As an alternative, he coordinated a massive airlift operation under the control of General Lucius D. Clay, the American-appointed military governor of Germany. The first planes took off from England and western Germany on June 26, loaded with food, clothing, water, medicine and fuel. By July 15, an average of 2,500 tons of supplies was being flown into the city every day. The massive scale of the airlift made it a huge logistical challenge and at times a great risk, with planes landing at Tempelhof Airport every four minutes, round the clock for the next 15 months. This broke the Soviet blockade.

I thought about this alternative approach that Truman employed, a supply line rather than a military response, when I read an MIT Sloan Management Review article, entitled “What Businesses Can Learn From Sports Analytics”, by Thomas H. Davenport. In his article, Davenport explored how “the use of analytics in the sports world has much to teach managers about alignment, performance improvement and business ecosystems.”

For his article, Davenport “interviewed more than 30 representatives of teams, sports analytics vendors and consultants for a report on the state of the art in sports analytics,” in which he “focused on three different areas of activity, each of which is growing rapidly. In order of decreasing prevalence, they are: team and player performance analytics, sports business analytics, and health and injury prevention analytics.” From this research, he developed five key lessons that almost any business could adopt. However I thought about his points in the context of compliance ecosystems rather than business ecosystems so I will use his article as a starting point to consider what compliance can learn from sports analytics.

  1. Align leadership at multiple levels 

Davenport believes “In sports, key decisions — which players to acquire, how much to pay them, and which strategies to adopt for better athletic and business performance — must be made and overseen at multiple levels. As a result, alignment along different management levels is crucial.” Based on his research I believe the message for Chief Compliance Officers (CCOs), compliance practitioners and analytical practitioners is to work together closely and consult frequently.

  2. Focus on the human dimension

Davenport’s key finding about sports teams is that they realize that their players are both their most important and expensive resources and that sports teams focus on the human dimension of performance in a variety of ways. “First, they address individual-level game performance by monitoring points scored, rebounds gathered, batting averages and other increasingly sophisticated measures of both offensive and defensive performance… Second, teams are beginning to assess not just individual performance, but performance in context.” They will also assess a team’s performance “with and without a combination of players.”

However, while companies say they focus on their employees as their most valuable resource, they typically only focus their analytics on “operational or marketing issues and not on the human dimension of performance.” The key insight here is for compliance to focus on more of a team aspect: investigating a group’s compliance performance “with or without a particular person’s presence could be a valuable insight.” This could be expanded to reviewing wider sales teams in a region, country or product/service line.

  3. Exploit video and locational data

In Major League Soccer (MLS), players wear a GPS-based locational device that captures all movements around the field. In the NBA, six cameras in the ceiling of each arena capture all movements of the players and ball. All Major League Baseball (MLB) stadiums have cameras that track every pitch, and many teams also track every hit and fielding play with video cameras. This allows a more complete view of the raw numbers that metrics generates.

While it may not seem readily apparent, this type of approach can also benefit the compliance function. The key is that it looks at raw numbers in a different way. So transaction monitoring could be paired with relationship monitoring or other indicia. Also, travel and communications could be considered to show what might be happening in locations that are not readily apparent. The key takeaway is that there is more information available by obtaining more types of data.

  4. Work within a broader ecosystem

Davenport found that “Professional sports teams are relatively small businesses, with much of their revenue going toward player salaries, leaving just nominal funds for any data and analytics projects. As a result, teams often need to work within a broader ecosystem of data, software and services providers.” Based on this he believes that a “key in these partnerships is to draw as much as possible from the partner while maintaining key internal capabilities.”

For the compliance professional, you should try to develop relations with key vendors because there are just too many different techniques, types of data and other aspects of analytics to exploit, and even the largest corporation can’t excel on its own. The GRC Pundit, Michael Rasmussen, has observed that in GRC there is more than one technology. The same holds true in the compliance space. Jon Rydberg, founder of the Orchid Advisors, has called this the “Compliance Ecosystem Transformation” which he defines as “The coordinated development of compliance activities that transcend your entire supply chain, from suppliers – to manufacturers – to distributors – to retailers.”

  1. Support “analytical amateurs”

Finally, Davenport found that “Some professional athletes have begun to analyze their own performance in depth using public or team data and reports. Specifically, a number of soccer and football players have become assiduous reviewers of their video and GPS data, although the most frequent users have been professional baseball players, particularly pitchers.”

For the compliance professional, this means that they could also benefit from becoming such “analytical amateurs”. Moreover, they could work with business unit personnel to keep track of their own scores on compliance measures and use that information to improve their performance. Analytics-minded salespeople and managers could, for example, use the extensive data from compliance management systems to assess and improve their performance.

I found Davenport’s article to be quite thought provoking. For just as President Truman was able to come up with a different approach for a situation that could have led to World War III or at the very least a completely communist dominated unified Berlin, there are different ways to look at problems and find solutions. Using the analytical approach that has become so prevalent in the sports world may lead you to new and different thinking in the compliance arena.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

January 15, 2014

Compliance Networks as Knowledge Networks

As compliance programs mature, they become less top down driven and more inculcated into the DNA of a company. The more doing business ethically and in compliance becomes part of the way your company does business, the better off you will be down the road. One of the methods that you can use is to set up a compliance network within your organization. I recently read an article in the Fall issue of the MIT Sloan Management Review, entitled “Designing Effective Knowledge Networks”, by Katrina Pugh and Laurence Prusak, in which they discussed knowledge network design as a mechanism to facilitate desired behaviors and outcomes. I found their ideas very useful in the compliance context.

Generally speaking, knowledge networks are a “collection of individuals and teams who come together across organizational, spatial and disciplinary boundaries to invent and share a body of knowledge. The focus of such networks is usually on developing, distributing and applying knowledge.” This is what a compliance regime should strive for within a company’s organizational structure. The authors believe that with the design of an effective knowledge network, a company can not only affect dynamics but also drive behaviors. In designing such a knowledge network, the authors postulate that there are “8 dimensions of a knowledge network” which encompass strategic, structural and tactical issues which must be considered. They are as follows:

  1. What is your Leaders’ shared theory of change?
  2. What are the objectives/outcomes/purposes of the knowledge network?
  3. What is the role of expertise and experimental learning in the knowledge network?
  4. What is your inclusion and participation in the knowledge network?
  5. What is the operating model of your knowledge network?
  6. How do you convene structures and infrastructures for your knowledge network?
  7. What is your facilitation and social norm development?
  8. What are your measurements, how do you elicit feedback and provide incentives?

Leaders’ Shared Theory of Change

This dimension is “as much about being explicit about how to have an impact as about how to be a leadership team. We found that good leaders were role models, inspiring members to act, and they did not delegate work such as being online and responding to discussions.” You should be able to describe the mechanism through which compliance will have an impact on both the organization generally and employees individually. This dimension encompasses such issues as how will employees learn and adapt their compliance knowledge into action.

Objectives/Outcomes/Purposes

Here the authors suggest a formal charter to define the “purpose and target outcomes.” In the compliance arena, this may be the Code of Business Conduct or other foundational document for your compliance program. Components can also be drawn from your policy and procedures. But the key under this dimension is that there are community purpose, norms, values and outcomes which are documented for moving forward.

Role of Expert and Learner

For the compliance knowledge network, this dimension signifies communication both downward and up the command chain of the company. So not only should an organization be open to innovation on issues but upper management should also encourage participation and must listen. There are different ways in which compliance can be achieved and these lines of communication need to be fostered. But, equally importantly, this dimension speaks to internal company reporting and whistle-blowing.

Inclusion and Participation

A compliance network positions the network among other operations within the company’s organizational models. A compliance network should seek out cognitive, geographical and professional diversity, or an amalgamation of separate social networks within your organization. You may also need to balance technical or operational expertise with convening or networking skills. You could create profiles for the types of people you want within your compliance network to allow you to easily and early on identify candidates for the network.

Operating Model

Your compliance leadership should decide what roles, responsibilities and decision processes are needed for your compliance network. All stakeholders should be described in the operating model, and there should be clarity about how resources are allocated. This should be true for core team members as well as small project teams or working groups that assemble for just a few months to complete a task.

Convening Infrastructures

This dimension concerns the structures which are used to build cohesion, connectivity, collaboration and engagement. Core network teams may develop a matrix for the channels or vehicles that are used to identify both the purpose and the team members who will be involved. Even with the social media that is available in today’s business world, the authors point to “recent research that found that teams’ performance correlated directly to the frequency and variety of real-time interactions.” The degree of face-to-face and voice-to-voice interaction depends on the compliance objectives involved. Rapid idea development and innovation require live discussions (online or in meetings), while intellectual capital management requires document management and broadcast communication. However, if you have a wide compliance knowledge network in many countries, a text-based approach may be more appropriate, particularly if English is a second language to many of your team members.

Facilitation and Social Norm Development

The authors advocate that certain compliance network members be designated as “facilitators and change agents” whose role would include leading “members in meetings, discussions, games, events and other interactions to draw out their hidden insights or to provoke a common curiosity.” Added to this concept, the authors believe that “Social norms — such as inclusion, openness, transparency, accountability, curiosity and quality — are integrated explicitly into the facilitation processes. For example, respect for diversity could be conveyed in the tone and language of meeting agendas, discussions, blogs and quick polls.” This means not only prodding and pulling questions and answers from team participants but sometimes translating concepts for the group’s benefit.

Measurement, Feedback and Incentives

Some of the things that you need to consider under this dimension are what outcomes you are trying to achieve and how you will know when you meet them; in other words, what metrics will you employ? You will need to consider evidence of failure or success in the compliance network participation as well as mechanisms to incentivize employees to be involved. The authors recognize that performance metrics for compliance network performance can be “elusive” but they believe that having a map with ongoing checkpoints, which delineates the pathway between inputs and outcomes, can be a key technique to aid in measurement. The authors note that “Incentives include the extrinsic (community celebrations or letters of appreciation directed to managers or network members) as well as the intrinsic (learning something new or solving a problem quickly). High-performing network leaders manage to minimize bureaucratic review and tie performance to incentives quickly so that members feel pride, connection and even healthy competition.”

One of the goals of any compliance program is to become part of the fabric of a corporation. Ironically, some of the most innovative compliance initiatives are made by companies with a sole Chief Compliance Officer who, with a minuscule compliance budget, is forced to ‘do more with less’. Creating a compliance knowledge network can be one manner in which to leverage your employee talent base across your organization. However you go about it and whatever your reasons might be, in creating a compliance knowledge network, you will drive compliance into the DNA of your company.

Episode 33 of the FCPA Compliance and Ethics Report is up. In this episode I visit with Bruce Carton, Founder and Editor of Securities Docket.com on his top SEC issues from 2013. You can check out the interview by clicking here. It is also available for download on iTunes.

September 27, 2013

Compliance Programs as Knowledge Networks

The more I read articles about management and business systems, the more I am convinced that compliance with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act can be viewed as a formative business process. In this month’s issue of the MIT Sloan Management Review, in an article entitled “Designing Effective Knowledge Networks” authors Katrina Pugh and Laurence Prusak explore how companies can help to facilitate desired behaviors and outcomes by paying attention to the dimensions of knowledge network design.

The authors begin by noting that knowledge networks are as old as humanity itself. They define knowledge networks as “collections of individuals and teams who come together across organizational, spatial and disciplinary boundaries to invent and share a body of knowledge. The focus of such networks is usually on developing, distributing and applying knowledge. For-profit and nonprofit organizations of all sizes are seizing on this model to learn more quickly and collaborate productively. However, for every successful network, others have lost steam due to poor participation, goal ambiguity, mixed allegiances or technology mismatches.” What intrigued me about this concept was that if you think of a compliance regime as a knowledge network of how to do business ethically and in compliance, the authors have some key concepts to help you in your system design.

I. Framework for Knowledge Network Effectiveness

The authors begin by setting out a framework to capitalize on the “cohesion, conversation and connectedness” of a knowledge network. It all begins with an outcome, which is then calculated to meet your area of focus, which, for the compliance practitioner, is your compliance program. Next are the Behaviors, which the authors deem to be “conducive to outcomes: cohesion, demonstration of trust, connection sharing, using a common technology platform and making investments in collaboration”. Here the key is that network members are committed to “moving knowledge sharing to the platform so that everyone can benefit” from it. Next are the Dynamics, which are defined as “feedback loops, the systems and structures that sustain a given behavior. Dynamics can also be patterns of interaction with the outside world, such as reactions to market threats and incentives.” Finally, the authors detail the Design/Construction of the network. This final framework component “encompasses the set of conditions that network leaders explicitly put in place to trigger those dynamics and, in turn, set behaviors into motion.”

II. Eight Design Dimensions of Knowledge Networks

The authors identified eight performance information techniques and incentives to move behaviors forward. These eight design dimensions encompass three general concepts; those being Strategic, Structural and Tactical.

A. Strategic

  1. Leader’s Shared Theory of Change. Here the authors said that leaders can describe the mechanisms through which the “network activities will have an impact on” its members and the organization. It is important so that everyone is well aligned and acts consistently.
  2. Objectives/Outcomes/Purpose. The authors state “leaders help define the network’s purpose and target outcomes. Outcomes can be solving a specific problem or combining forces and knowledge. They can be classified as one or more of the network goals described earlier, such as support of individual members.” They further advocate that a “charter or similar document lays out the network’s objectives and purpose, which need to be sufficiently crisp that members can state them.”
  3. Role of Expertise and Experimental Learning. Interestingly the authors believe that safety and respect are critical so that members will feel like they can speak out and speak up. It is critical that those persons who have the most knowledge do not dominate all of the proceedings. Leaders who understand the disparity of knowledge in their team members can “set a tone of safety and humility.”
  4. Inclusion and Participation. This part is key for the compliance practitioner because a knowledge network does not exist in a vacuum. There are always operational or other competing organizational models. It is not necessarily convergence but rather to “balance technical or operational expertise with convening or networking skills.”

B. Structural

  1. Operating Model. Under this step “Knowledge network leaders decide what roles, responsibilities and decision processes are needed for optimal network operations. All stakeholders, including the public, should be described in the operating model, and there should be clarity about how resources are allocated.” However this step is dynamic and not static as operations can change over time and “the core leadership team may rotate to add fresh ideas and reduce burnout.”
  2. Convening Structures and Infrastructures. Under this piece, the authors proposed that leaders should use all the business’ communications tools available, stating “online and real-time or live convenings serve to build cohesion, connectivity, collaboration and engagement.” The amount of “face-to-face and voice-to-voice interaction depends on the network objectives. Rapid idea development and innovation require live discussions (online or in meetings), while intellectual capital management requires document management and broadcast communication.”
  3. Facilitation and Social Norm Development. Here the authors suggest that knowledge network leaders should “take on the roles of facilitators and change agents, not just project managers.” To do so, they “could agree about how to model and develop positive interactions within the network.” Many prevailing social norms, “such as inclusion, openness, transparency, accountability, curiosity and quality” should therefore be integrated explicitly into the facilitation processes.

C. Tactical

  1. Measurement, Feedback and Incentives. Network leaders should look for evidence of the success or failure of participation in the network. Once again this is key for the compliance practitioner. The metrics must be both “credible and appropriate in terms of effort and relevance.” This database can be viewed monthly, quarterly or on different time frames but the key is to use the data to assess where you might be going and what improvements you might need to make. The authors end this point by stating that “High-performing network leaders manage to minimize bureaucratic review and tie performance to incentives quickly so that members feel pride, connection and even healthy competition.”

III. Conclusion

I found this article very useful because it presented many of the concepts that a compliance practitioner must work through in the implementation or enhancement of a compliance program. While the authors’ presentation was focused on knowledge networks, if you accept that a compliance program is really a network of knowledge which helps guide employees on how to conduct business in compliance with anti-corruption laws such as the FCPA, I believe it can help to do business within the guidelines of a best practices compliance program.

© Thomas R. Fox, 2013

August 29, 2013

How to Build a Culture of Ethics and Compliance: the Greatest Article Ever – Part III

Today I conclude my exploration of the article in the summer 2013 issue of the MIT Sloan Management Review, entitled “Designing Trustworthy Organizations”, by the quartet of authors: Robert F. Hurley, Nicole Gillespie, Donald L. Ferrin and Graham Dietz. In case you missed the previous articles, or are reading Part III before Parts I or II, let me start by reiterating – IF THERE IS ONLY ONE ARTICLE THAT YOU READ ON ETHICS AND COMPLIANCE IN 2013 THIS IS THE ONE TO READ. This is the single best article I have ever read on how to build or maintain a culture of compliance, as it gives a specific road map to the compliance practitioner, in-house counsel or any other business executive on how to instill a culture of ethics and compliance in your company. In Part I, I looked at why such ethics and compliance failures occur from an organizational perspective. In Part II, I considered how to build ethical organizations which do business in a compliant manner. For Part III, I will conclude with the steps a company can take to rebuild trust in an organization after a catastrophic failure in ethics and compliance.

The authors correctly note that much can be learned from an organization in how it responds to crisis. Paul McNulty often says that the key analysis to make in any assessment of a potential penalty under the Foreign Corrupt Practices Act (FCPA) is “What did you do about it?” I label this as “McNulty’s Maxim No. 3”. However, after every storm there is an opportunity for a company to rebuild a culture of ethical behavior and doing business in compliance. The authors identified what they believe to be three critical stages in any such comeback. They are (1) investigation; (2) organizational reform; and (3) evaluation.

I. Investigation

In order to begin the process of repairing a corrupt corporation, the authors believe that there must be “credibility, rigor, independence and accuracy of the investigation.” A clear example where this was not done was the situation where the Wal-Mart corporate office sent the investigation of allegations of bribery and corruption in its Mexican subsidiary back to the people alleged by the company’s internal whistleblower to have headed up the bribery and corruption, with predictable results. The authors believe situations like this occur when a company is “so concerned with appearance and damage control that they are unwilling to engage in the degree of examination required to root out entrenched” ethics and corruption violations.

The FCPA Guidance anticipates this prong when it states, “Moreover, once an allegation is made, companies should have in place an efficient, reliable, and properly funded process for investigating the allegation and documenting the company’s response, including any disciplinary or remediation measures taken”. Jim McGrath, among others, regularly writes about the need for companies to employ outside counsel who specialize in such investigations. McGrath’s suggestion would certainly fit with the authors’ recommendation on this point.

The authors also note that the investigation must drill down and determine “how each element of the organizational system directly or indirectly contributed” to the ethical and compliance failures. Only by such a thorough investigation can a company begin the road to recovery. So not only will an independent investigation bring a jaundiced eye to discover the facts but such a granular view will lead to the necessary “recommendations for systemic reform.”

II. Organizational Reform

The authors begin with a single line that all compliance practitioners need to paste in front of senior management and company executives, “Since all trust [i.e. compliance] failures are systemic, the organizational reforms need to be systemic as well.” ‘Rogue’ employees exist or are created by a company culture and internal control system that either encourages such behavior or actively rewards it. Due to this, the authors recommend that “Structures, systems and processes should be the first point of intervention”. But the authors caution that this is only the start and if these are the only items addressed, they are “unlikely to produce sustainable change.” This is because the more difficult, yet more important, changes in ethics and doing business in compliance involve an organization’s “culture, strategy and leadership and management practice.” In other words, if management does not make the start at changing the culture, violations will likely continue.

To make such a universal change, the authors believe that “systemic reforms need to be reinforcing and congruent so that trustworthiness becomes embedded in the organization’s culture over time.” So not only do leaders have to change the way that they lead, but the way employees do their work must also change. A true change in company DNA may be required to move to doing business ethically and in compliance with the burgeoning world-wide regime of anti-bribery and anti-corruption legislation.

III. Evaluation

The authors caution that even if systemic changes are made by an organization, they still “must be evaluated to ensure that they are working as intended and pitfalls must be addressed.” Because a true systemic change can be so difficult the most important prong in repairing a culture which has fallen short of doing business ethically and in compliance is through “ongoing assessment, learning and course correction”. The first step is “to take a systems perspective to accurately diagnose and reform the true faults in the organizational system, and then to evaluate the effectiveness of the reforms.” This aids to not only help repair a culture of ethics and compliance but to embed such values in an organization. Lastly, by embedding such values within an entity it becomes more resilient to future ethics and compliance failures by (hopefully) detecting them early and remediating the issue(s) quickly.

IV. Three Examples

The authors concluded with examples of three well-known companies which were able to repair themselves and do business more ethically and in compliance.

A. Siemens

Siemens AG is well-known for having paid the highest fine in the history of the world to date for its FCPA violations, $800MM, to the US government. It also paid the equivalent amount to the German government for a total fine in the neighborhood of $1.6 bn. Such costs do not include the investigative costs. The authors detailed the following steps that Siemens took:

  • Appointment of an externally led, comprehensive and independent investigation, including some staff amnesty provisions during the investigation.
  • Appointment of a respected independent expert to advise on ethics and compliance reforms.
  • Revisions to the company’s Code of Conduct, reformation to policies and procedures on doing business ethically and in compliance, creation of an internal company ombudsman and compliance help desk.
  • The training of more than 200,000 employees on anti-corruption practices to shift beliefs and values.
  • Streamlined structures to provide clear lines of responsibility.
  • There was a five-fold increase in the number of employees dedicated to doing business ethically and in compliance.
  • There were high-profile departures from the company and more than 900 disciplinary actions related to anti-corruption.

B. BAE Systems

It is well-known that former British Prime Minister Tony Blair is famous for shutting down his country’s Serious Fraud Office’s investigation into bribery and corruption allegations against the UK aircraft manufacturer under UK anti-bribery and anti-corruption law. However such help from friends on high did not help the company stay out of bribery and corruption hot water as it was hit with a $400MM fine for its FCPA transgressions. The authors reported that it took the following steps in its repair of its ethics and compliance culture:

  • The formation of the Woolf Committee to investigate the company and eventually make 23 recommendations regarding doing business ethically and in compliance.
  • New responsible trading practices were put in place to help employees in commercial decision making going forward.
  • The Code of Conduct was revised and new policies and procedures were put in place on bribes, donations, hospitality and political lobbying.
  • A new corporate governance structure was put in place which allowed oversight by an independent ethical leadership group and the creation of an ethics helpline.
  • A training program for all senior management in ethics and compliance was instituted.

C. Mattel Toys

The company was not faced with anti-corruption allegations as were the first two companies above. However, its sins may have been even worse because of the safety issues involved. A Chinese manufacturer for the company outsourced the production of certain toys. This allowed the use of lead-based paint by the sub in the production of millions of toys. The use of lead paints in toys has been banned for many years in the US due to safety concerns. The authors reported that Mattel took the following steps:

  • Production in the facilities alleged to have used lead-based paint was ceased and all products were recalled.
  • There was full and proactive cooperation with regulators across the globe.
  • There was an independent and thorough investigation.
  • There was a second product recall, linked to faults in Mattel’s own design of a toy.
  • There were coordinated sector level discussions in the company on mandatory safety regulation.
  • There was a revision and strengthening of supply chain audit procedures.
  • The company established a new corporate responsibility division which reports directly to the Chief Executive Officer (CEO).
  • The company agreed to an audit by an independent Non-Governmental Organization (NGO) of its supply chain practices.

I have labeled the GlaxoSmithKline PLC (GSK) corruption and bribery scandal as the most significant event for compliance practitioners in 2013. This is because of the entry of the Chinese government into the investigation and possible prosecution of western companies for conduct that the Chinese government heretofore turned a blind eye towards. I do not believe it will be long before other countries begin to look at the corruption of their officials under the rubric of their own domestic anti-bribery legislation. Subsequently, companies need to have a system in place to do the three things that the FCPA Guidance suggests, that being “A well-constructed, thoughtfully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.”

But more than simply having such a system in place to comply with anti-corruption laws, “An effective compliance program promotes ‘an organizational culture that encourages ethical conduct and a commitment to compliance with the law.’” The authors have taken their concepts and wrapped them into an entire corporate culture. They believe that organizations with such commitment to doing business ethically and in compliance “tend to be high-performing, with lower employee and customer turnover, lower monitoring costs and even better financial returns.” That final sentence is the bottom line for all of this; companies committed to such conduct do better financially. It does not get much starker or clearer than that.

© Thomas R. Fox, 2013

August 28, 2013

How to Build a Culture of Ethics and Compliance: the Greatest Article Ever – Part II

Today I continue my exploration of the article in the summer 2013 issue of the MIT Sloan Management Review, entitled “Designing Trustworthy Organizations”, by the quartet of authors: Robert F. Hurley, Nicole Gillespie, Donald L. Ferrin and Graham Dietz. In case you missed Part I or are reading Part II first, let me start by reiterating – IF THERE IS ONLY ONE ARTICLE THAT YOU READ ON ETHICS AND COMPLIANCE IN 2013 THIS IS THE ONE TO READ. This is the single best article I have ever read on how to build or maintain a culture of compliance, as it gives a specific road map to the compliance practitioner, in-house counsel or any other business executive on how to instill a culture of ethics and compliance in your company. Today I will discuss how to build ethical organizations which do business in a compliant manner. In Part III, I will conclude with the steps a company can take to rebuild trust in an organization after a catastrophic failure.

Building an Ethical Organization

To do this the compliance practitioner needs to instill ethics and compliance into the organization. This can include “setting formal and informal constraints, incentives, expectations, values and norms”, all of which influence the behaviors of employees and even third parties with whom the company does business. The authors note that employees are influenced by both formal and informal controls, which can promote either “diligence and honesty—or recklessness and malfeasance.” Lastly, positive signals, through various mechanisms, all help, but if you have mixed or “deviant messages” this can lead to cynicism or unethical behavior by your company’s employees.

Near and dear to my heart is the role of such anti-corruption legislation as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act, which the authors acknowledge play an integral role in supporting a company’s ethics and compliance program. But they note the warning, as voiced in the FCPA Guidance, that such laws are only the starting point to create an effective ethics and compliance regime. Moreover, and this next statement speaks directly to those who believe that a compliance defense will lead to more companies following the prescripts of the FCPA, the authors note “Sadly, external regulation may give organizations a false sense of security that can lull them and their stakeholders into complacency” about their ethics and compliance regime. Once again, witness GlaxoSmithKline PLC (GSK) which had about the strongest paper program that a company can provide.

The authors have devised a six-step approach which they call a “Model of Organizational Trust” (Model) and which I believe are six steps you can use to build up a culture of ethics and compliance. This Model is based upon their collective research and study, systems theory and strategic organizational design. The Model, which allows you to embed such a culture of ethics and compliance into your organization, weaves the six signals that employees draw upon when making decisions of trust into “their infrastructure and core processes”, which the authors believe over time earns the trust of the various company stakeholders. Their Model of Organizational Trust and some key questions pertaining to each step are as follows:

  • Leadership and Management. This requires leaders who embody the company values and expect the same from its employees.
    • Does management at all levels model company values?
    • Does management serve stakeholder interests before self, act with integrity and competently and predictably deliver on commitments?
    • Does management communicate openly, listen and demonstrate concern for employees?
    • Do managers hold their teams accountable for competent execution of strategy while upholding company values?
  • Culture. This requires strong shared norms and beliefs that encourage all stakeholders to uphold companywide values and deter deviation from those values.
    • Are there strong cultural values and beliefs that bond people and unify subcultures to serve stakeholders?
    • Are the values of respect and fairness for stakeholders, acting with integrity, doing business with competence and predictability on delivering on expectations held deeply enough within the company that acting against them is perceived to be wrong?
    • Are company values articulated and activated such that employees support the company’s mission beyond the interests of self or subgroups?
  • Systems. There must be systems in place for planning, reporting, budgeting to reinforce ethical and compliant behaviors, all linked to culture and strategy.
    • Do selection, induction, training, compensation, promotion, evaluation and succession systems reinforce the company espoused values?
    • Do communication, planning and information systems enable effective coordination, alignment of interests and meaningful mutual dialogue?
    • Are there robust mechanisms to surface and facilitate reporting of ethical violations?
  • Product and Service Development, Production and Delivery. There must be processes in place which ensure that stakeholder needs and expectations are met, that company values are upheld and that relevant anti-bribery and anti-corruption laws are met.
    • Are development and production processes focused on serving both company and stakeholder interests, including those of the customers and suppliers?
    • Is there testing to ensure that production competently and predictably meets standards?
    • Is the company’s supply chain monitored to ensure that it meets the goals of respect, fairness, predictability and competence to reach stakeholder expectations?
    • Does the company listen and respond to non-company stakeholders such as the supply chain and customers?
    • Is there a robust product service recovery process?
  • Structure. There must be formal organization and governance that set clear roles and accountability and provide discretion within prudent internal oversight.
    • Does the company structure provide clear roles, responsibilities, accountabilities and alignment of interests across groups?
    • Does the company structure provide adequate governance and monitoring at all levels to ensure competent execution of strategy in a manner that upholds the company’s values?
    • Does the company structure engage and facilitate open communication with stakeholders?
  • Strategy. The organization must have a clear mission that it will do business ethically and in compliance and that these values accommodate stakeholder values as well.
    • Is the company clear about its mission and strategy to serve all stakeholders?
    • Is the execution of this strategy evaluated from all stakeholders’ perspectives?
    • Does the company strategy align with its values?
    • Are decisions made and resources allocated in a way that shows respect, fairness, integrity and alignment with stakeholder interests?
    • Do the stakeholders perceive that strategic trade-offs are made in a transparent and fair manner?

The authors write that all six of these concepts must be fully integrated. So an “effective organizational infrastructure (strategy; leadership and management; culture; structure and systems)” should work to generate and sustain the “effective core processes (development, production and delivery of products and services).” For the compliance practitioner, this means that elements of doing business ethically and in compliance must be woven into all elements of infrastructure and core company processes over time. If not, ethics and compliance failures are likely to occur, “when important elements are allowed to become misaligned.”

But, at the end of the day, the authors report that the “key differentiator between companies that violate trust and those that sustain it is integrity and consistency within and across the organization.” While every company says it does business with integrity, this review shows how the message from the top of an organization can be driven down through the DNA of the entity. Not to be overlooked is the second part of the phrase; that being ‘consistency’. If leadership sends out mixed signals about the values that it deems paramount, then all the talk about doing business ethically and in compliance may well be for naught.

In the final review of this article I will look at three companies which the authors believe have restored their business’ commitment to doing business ethically and in compliance. Until then…

© Thomas R. Fox, 2013

August 26, 2013

How to Build a Culture of Ethics and Compliance: The Greatest Article Ever – Part I

Donna Boehme and Jim McGrath continually rail against the notion that a ‘rogue employee’ causes the majority of bribery and corruption charges under such laws as the Foreign Corrupt Practices Act (FCPA) and UK Bribery Act. Companies continually claim that they do business ethically and in compliance with such anti-bribery and anti-corruption legislation and that it is only one or a few of ‘them-those pesky rogue employees’ who have brought the company to grief. Even GlaxoSmithKline PLC (GSK) is now beginning to distance itself from its Chinese business unit and executives who confessed to engaging in bribery and corruption to sell GSK products in China.

The first problem with this ‘rogue employee’ claim is that it is wrong. The second problem is that by making this bogus claim and denying that it was a company failure, a company may well never correct the underlying problem which led to the compliance failure. However, if a company does not recognize its role in any such compliance catastrophe, it will probably have a repeat of a similar event in the not too distant future. Once again witness GSK, which agreed, in 2012, to a $3bn fine for fraud in marketing of its products and within one year is caught up in allegations of corruption in China.

I recently read an article in the summer 2013 issue of the MIT Sloan Management Review, entitled “Designing Trustworthy Organizations”, by the quartet of authors: Robert F. Hurley, Nicole Gillespie, Donald L. Ferrin and Graham Dietz. In this article, the authors address the question of “How can companies recover from trust failures and create reputations for trustworthiness?” Let me put this as succinctly as possible – IF THERE IS ONLY ONE ARTICLE THAT YOU READ ON ETHICS AND COMPLIANCE IN 2013 THIS IS THE ONE TO READ. This is the single best article I have ever read as it gives a specific road map to the compliance practitioner, in-house counsel or any other business executive on how to instill a culture of ethics and compliance in your company. I will be discussing the article over my next three posts. Today I will look at why such ethics and compliance failures occur from an organizational perspective; in Part II I will talk about how to build ethical organizations which do business in a compliant manner, and in Part III I will conclude with the steps a company can take to rebuild trust in an organization after a catastrophic failure.

Signals of an Ethical Business

In the FCPA Guidance, both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) make clear that paper compliance programs, which companies employ only to “check-the-box” on compliance with the FCPA, are doomed to fail. The FCPA Guidance states, “A well-designed compliance program that is not enforced in good faith, such as when corporate management explicitly or implicitly encourages employees to engage in misconduct to achieve business objectives, will be ineffective. DOJ and SEC have often encountered companies with compliance programs that are strong on paper but that nevertheless have significant FCPA violations because management has failed to effectively implement the program even in the face of obvious signs of corruption.” This is a clear recognition that more than simply having a compliance program in place is required to make it effective. Unfortunately, many companies seem to believe that simply having an ethics and compliance program in place is sufficient.

While the authors write about ‘trust’ I believe that their research, findings and framework all translate to ethics and compliance; so I will make that substitution throughout my discussion of their article. To begin their discussion, the authors believe that there are “six identifying signals” that employees consider when deciding to follow a company. They are:

  1. Common values: does the company share our beliefs and values?
  2. Aligned interests: do the company interests coincide, rather than conflict with ours?
  3. Benevolence: does the company care about our welfare?
  4. Competence: is the company capable of delivering on its commitments?
  5. Predictability and integrity: does the company abide by commonly accepted ethical standards and is the company predictable in how it behaves?
  6. Communication: does the company listen and engage in a dialogue or not?

Why Do Ethical and Compliance Violations Occur?

Here the authors begin with a definition. They define trust as “a judgment of confident reliance on another (a person, group, organization or system) based upon positive expectations of future behavior.” For the compliance practitioner, a violation of that trust occurs, and there is unethical behavior which is not in compliance with the norm, when, for example, “a party significantly deviates from positive expectations” by engaging in such conduct as bribery and corruption. The authors believe that when employees see such conduct condoned, explicitly or tacitly, by management, they also lower their own personal expectations of the type of conduct they will personally engage in.

Such a failure leads to individual employees engaging in bribery and corruption. However, the authors make clear that this is not down simply to the individual or ‘rogue’ employee but that such unethical conduct is “predictable in organizations which allow dysfunctional, conflicting or incongruent elements of their organizational system to take hold.” The authors cited three examples where this played out with devastating results for companies. The first was the Mattel Corporation, which had a strong reputation for quality but whose weak oversight of its supply chain led to the production of contaminated toys and a massive toy recall. The second was BP and the Deepwater Horizon disaster, where the company’s strategy and culture of minimizing costs to enhance profitability conflicted with its stated emphasis on safety, all leading to a multi-billion dollar claim. Finally, there was Goldman Sachs and its role in the Abacus fund, where “investigators found that Goldman’s stated values of client focus and integrity were at time overshadowed by a less formal culture that emphasized getting deals done with less than full disclosure.”

The authors noted that in all three examples they cited, each company had extensive systems, processes and procedures in place to produce “trustworthy behavior”. However, “other elements undermined the companies’ ability to deliver on their core responsibilities.” Recall that as part of its $3 billion settlement GSK agreed to a Corporate Integrity Agreement (CIA). The company had a Compliance Committee, whose job was to oversee full implementation of the CIA and all compliance functions at the company. The company had Integrity Champions within each business unit and management accountability and certifications from each business unit. Training of GSK employees was specified.

GSK’s Code of Conduct stated, “The GSK attitude towards corruption in all its forms is simple: it is one of zero tolerance, whether committed by GSK employees, officers, complementary workforce or third parties acting for or on behalf of the company.” The company had a Third Party Code of Conduct, which required that third parties shall conduct their business in an ethical manner and act with integrity.

All of this was backed up by “a Global Ethics & Compliance team which is responsible for providing oversight and guidance to ensure compliance with applicable laws, regulations, and company policies, as well as fostering a positive, ethical work environment for all employees.” The Code of Conduct also stated that “GSK has an active system of internal management controls to identify company risks, issues and incidents with appropriate corrective actions taken. Our Risk Management and Compliance Policy provides the framework for these internal controls, to ensure significant risks are escalated to the proper levels of senior management.”

The authors’ research led them to several different areas of organizational weakness which allow for ethics and compliance violations to occur. Company leaders “focused on fundamental aspects of how the organization functioned: organizational restructuring and instability; poor support and follow-through; poor talent management; lack of communication and information; and leadership and strategies.” Interestingly, when employees were interviewed they had the following thoughts on how to improve ethics and compliance: “improve communication, enhance senior management capability, provide more accountability for performance, empower employees and enhance collaboration groups.”

Yet in their examinations, the authors found “one type of incongruence that frequently led” to breakdowns in doing business ethically and in compliance. That breakdown came when the interests of one stakeholder group were favored over another stakeholder group. The authors identified various stakeholders as shareholders, employees, customers, suppliers and communities. The authors said that this incongruence has “been defined as letting shareholder profits take precedence over core responsibilities to other stakeholders.” But it is more than simply serving one stakeholder better than the others. It is favoring one stakeholder to the extent of “the expense of and even causing harm to” other stakeholders.

In other words, if profits are put ahead of all other measurements for an employee, that employee will get the message and make sure that he or she makes their numbers. The authors conclude this section by noting that with the current 24 hour news cycle and social media, what may have been yesterday’s event can rapidly spiral across the globe and out of control more quickly than ever. Once again witness just how quickly GSK seemed to be on notice of allegations of corruption and bribery in China to the time its Chinese employees admitted to such conduct on state TV. It was mere days.

In tomorrow’s post I will look at building high trust in organizations and how that relates to ethics and compliance.

© Thomas R. Fox, 2013

April 1, 2013

How to Introduce Innovation in Your Compliance Program

News Flash: Houston Astros Lead AL in Wins!

 In case you were too worn out from this weekend’s college basketball tournament bonanza, both the men’s and women’s, to stay up on Sunday night and watch ESPN; the Houston Astros won their 4000th game and had their first American League (AL) win so that they now lead the AL in overall wins. I guess Astros owner Jim Crane, he of “I-made-a-$100-million-dollars-so-I-must-know-what-I-am-doing”, thinks he knows a thing or two about innovation. Or perhaps not?

While Brother Crane is no doubt reveling in his first win as the Astros owner, I thought about the question of how a compliance professional can use innovation to improve a company’s overall compliance program. This topic of innovation was recently explored in an article in the MIT Sloan Management Review, Spring 2013 issue, entitled “How Innovative is Your Company’s Culture?” by Jay Rao and Joseph Weintraub. In this article, the authors tried to determine how companies could develop a more innovative culture. While the article did not focus on compliance, I found the ideas that they put forward a useful way for compliance practitioners to think through and implement innovation into their Foreign Corrupt Practices Act (FCPA) or UK Bribery Act compliance programs.

The authors believe that when it comes to innovation, most companies focus on resources, processes and measurement because they are tool-oriented and more easily measured. Conversely, companies tend to focus less on people-oriented components of innovation success, for example values, behaviors and climates, because they are harder to measure. The authors quote one Chief Executive Officer (CEO) who had said, “The soft stuff is the hard stuff.” Yet the authors believe that it is in the soft stuff, the people issues, where the greatest opportunity for innovation can occur. I believe that this holds true for innovation in a company’s compliance program as well.

The authors posit that there are six building blocks to an innovative culture. These six building blocks are not static conditions but are inter-related and to an extent, interdependent on each other. The six building blocks are:

  1. Values. The authors believe that it is a company’s values which drive both its priorities and its decisions. It is also reflected in where a company spends its money. If a company is innovative, it tends to emphasize creativity and encourage continuous learning. Values are more than what leaders say or what they write but are driven by what they do and what they invest in.
  2. Behaviors. This describes how company employees act in the cause of innovation. This is demonstrated when leaders work to energize employees and to make sure that things happen within the company. For employees it means working to overcome obstacles around innovation and making things happen when “resources and budgets are thin.”
  3. Climate. The authors believe that climate is “the tenor of workplace life.” This means that innovation is encouraged and employees take it on “with enthusiasm.” People are allowed to take risks within a safe environment and the company encourages “independent thinking.”
  4. Resources. Within the framework of their six building blocks, the authors believe that resources have “three main factors”: people, systems and projects. Of these three factors, people are the most important because they have the most “powerful impact on the organization’s values and climate.”
  5. Processes. The authors state that processes are the route that innovations follow as they are developed within an organization. These processes include not only the track they follow but also the criteria for capturing and sifting through new ideas for “reviewing and prioritizing projects and prototyping.”
  6. Successes. The authors believe that successes in a company are “captured at three levels: external, enterprise and personal.” These can help to demonstrate if an innovation is paying off. But more than simply financial success, this building block “reinforces the enterprise’s values, behaviors and processes, which in turn drive many subsequent actions and decisions”.

There are several lessons that the compliance practitioner can derive from these six building blocks to help put innovation into your company’s compliance program. I think the first is that you must create an environment where innovation is not only accepted but encouraged in your company. A simple top-down structure will not accomplish this goal. Not only do you have to go out into the field but you must listen to what people in the field are telling you. Simply because you get push-back from the business folks does not mean that their suggestions are always wrong. There might be some nugget in such push-back which allows you to do something faster, quicker or with more compliance efficiency. Even if the suggestion or push-back does not warrant inclusion into your compliance program, you should at least acknowledge employees for their suggestion.

Another technique that you might use based on these building blocks is the compliance champion. Such a person can be used not only as an initial point-of-contact for your compliance program but you can use non-compliance department compliance champions as innovation leaders in your compliance program. You could have them meet (in person or virtually) on quarterly intervals to discuss compliance program innovations that they might come up with based upon their more focused training and work as a compliance champion in your company. As the authors might say, you can develop your own internal community of compliance innovation experts that you could call upon as an internal resource. Further, in their role as your initial point-of-contact for your compliance program, these compliance champions could also act as a filter to bring you other innovative ideas from your company’s workforce.

This article by Rao and Weintraub had some very interesting ideas about how a company can ingrain innovation into its compliance program. Many companies have worked very diligently on resources, processes and measurement of their compliance program. However, as compliance programs mature and become a part of every well-run company, compliance practitioners can move towards other themes of innovation: those of values, behaviors and climates. So while I am not yet convinced that the Astros’ $20MM payroll really was a positive innovation, I do believe that the authors have set out some very thoughtful ideas that you can incorporate into your compliance efforts going forward.

© Thomas R. Fox, 2013
