FCPA Compliance and Ethics Blog

February 17, 2015

Gary Owens, Laugh-In and Accountability in Your Compliance Program

If you were alive at all during the 1960s, you will recall that one of the cultural phenomena was NBC’s television show Laugh-In. It was brought to you from the NBC studios in beautiful downtown Burbank and featured one very droll player, who always played himself, Gary Owens, as the show’s announcer – Gary Owens. Owens died last week and I was surprised but pleased to learn in reading his obituary in the New York Times (NYT) that he was also the voice for several cartoon characters in the Jay Ward stable (home of Rocky and Bullwinkle) and he was the voice of Space Ghost which had a renaissance during the early years of the Cartoon Network.

I thought about Owens’ role on Laugh-In not only as the straight man but also the character, who in many ways brought accountability to the manic show when I read this week’s article by Adam Bryant in his NYT Corner Office column, entitled “Making a Habit of Accountability”, which featured his interview of Natarajan Chandrasekaran, the Chief Executive Officer (CEO) of Tata Consulting Services. Chandrasekaran was raised on a farm and one of the things that he learned early on from his farmer father was “the value of money and the value of time. So he made us account for things. It wasn’t that there was a right or wrong way, but he wanted us to be accountable for what we did.”

I considered this concept of accountability in your best practices anti-corruption compliance program, whether based upon the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other program. With the Department of Justice’s (DOJ) recent pronouncements that it will more aggressively prosecute individuals for FCPA violations, perhaps companies should emphasize accountability more in their compliance programs. By doing so, perhaps employees might understand that there really is their personal liberty on the line when they engage in something which might even approach a FCPA violation. Further, by emphasizing personal accountability, companies could demonstrate more pro-active approaches to compliance that the DOJ wants to see going forward.

Chandrasekaran’s remarks went beyond simply emphasizing personal accountability. He also spoke about accountability in the context of a company’s overall culture. In particular I found his thoughts about accountability, learning and culture quite insightful. He said, “Learning cannot be achieved by mandate. It has to be achieved by culture.” He added, “In our executive team meetings, we share experiences and case studies about failures and successes.”

But beyond simply this insight there should also be accountability for helping others achieve the company’s overall goals. While he did not limit it to compliance, I still found it applicable to a best practice compliance regime when he said, “Everybody has to take some accountability for other people, and look for ways to make small contributions to help others. Looking after people has to become everybody’s responsibility. Innovation and caring for people are cultures; they are not departments.” He did admit that such a change would not happen overnight and indeed he has been emphasizing this message for five years at Tata because “It takes time to build that culture.”

Chandrasekaran also had an insight into compliance through his views on company structure. Tata is a flat organization, with multiple business units. He did this so the largest number of employees would feel empowered to make decisions and work collaboratively. While I recognize that such views might be antithetical to US based companies with a more ‘command and control’ approach, Chandrasekaran explained that the leaders of those units are expected “to work together. We said the power of our company will be driven by how well they work together. In some of our bigger monthly meetings, we will start with people presenting examples of their collaborations.”

I considered all of the above in the greater context of a best practices anti-corruption compliance program. One of the things that the FCPA Guidance emphasized was the inter-relatedness of each component of your compliance program. While you might have greater risk in the area of third parties or doing business in certain areas of the world where there are higher perceptions of corruption, you should not pick and choose what prongs of a compliance program you implement. Each step builds upon one another and should all point to accountability for your actions in decision-making calculus for business decisions and their implementations.

However the concept of accountability is not one that is spelled out in the FCPA Guidance or in any formulation of a best practices compliance regime. Yet it is clear that accountability is something that underlies what a compliance program is trying to achieve. Just as Chandrasekaran learned early on there is a value to things; there is a value to time and there is a value to money. So they should be accounted for in the way you do business.

This might best be described as oversight of your compliance program. The issue your company should focus on here is whether employees are accountable within the ambit of your compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are accountable to the compliance program.

Two mechanisms to do so are through the techniques of monitoring, which is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. A second tool is auditing, which is generally viewed as a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to hold employees accountable to doing business under your compliance regime and Code of Conduct. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. While it may seem that accountability means looking over every employee’s shoulder, it should not simply be seen as the workplace equivalent of parental oversight. Chandrasekaran explained that how you conduct yourself at work can have a huge impact on other employees. He said, “it’s sometimes very hard to imagine, early in your career, how much impact you can have. If you’re in a job and in an organization, the impact you can make is huge, because it’s all about being part of a group that’s driving impact. So look for those opportunities.” If you look for ways to demonstrate accountability you can influence a wide variety of others going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

July 11, 2014

Friday Comings and Goings

I wish I could be there.

Next week, the FCPA Professor is leading his first FCPA Institute this summer over two days, July 16 and 17. The event will be held in Milwaukee and hosted by the law firm of Foley and Lardner.

The Professor’s stated goal in leading this first Institute is “to develop and enhance fundamental skills relevant to the FCPA and FCPA compliance in a stimulating and professional environment with a focus on learning. Information at the FCPA Institute is presented in an integrated and cohesive way by an expert instructor with FCPA practice and teaching experience.” Some of the topics, which will be covered, include the following:

  • An informed understanding of why the FCPA became a law and what it seeks to accomplish;
  • A comprehensive understanding of the FCPA’s anti-bribery and books and records and internal controls provisions and related enforcement theories;
  • Various realities of the global marketplace which often give rise to FCPA scrutiny;
  • The typical origins of FCPA enforcement actions including the prominence of corporate voluntary disclosures;
  • The “three buckets” of FCPA financial exposure and how settlement amounts in an actual FCPA enforcement action are typically not the most expensive aspect of FCPA scrutiny and enforcement;
  • Facts and figures relevant to corporate and individual FCPA enforcement actions including how corporate settlement amounts are calculated;
  • How FCPA scrutiny and enforcement can result in related foreign law enforcement investigations as well as other negative business effects from market capitalization issues, to merger and acquisition activity, to FCPA related civil suits; and
  • Practical and provocative reasons for the general increase in FCPA enforcement.

In other words, it is what you have come to expect from the FCPA Professor; well-thought out reasoned analysis, practical knowledge and learning, and provocative thinking and assessment. But more than all of the above I believe you will receive some great insight into and why the FCPA Professor continually challenges the status quo in many areas about the FCPA. He and I often look at the same thing and see different views but by seeing more than one view, I believe you will come away with a deeper overall understanding of the entire FCPA picture.

For complete information on the FCPA Institute, click here.

As Monty Python might say And Now For Something Completely Different. If you would like a much shorter view of some FCPA and anti-corruption related topics, check out some of my most recent podcasts, the FCPA Compliance and Ethics Report. 

In Episode 74, I visit with Paul McNulty about his upcoming move to become the President of his alma mater, Grove City College.

In Episode 72, I visit with the GRC Pundit, Michael Rasmussen about why companies have such a disconnect when it comes to the theory and practice of their GRC practices.

In Episode 69, I visit with Joe Oringel about his company’s exciting new approach to transaction monitoring in the anti-corruption space.

In Episode 68, I interview Neil Swidey, author of Trapped Under the Sea about his experiences in researching and writing his book.

In Episode 66, the FCPA Professor shares his thoughts on the Esquenazi decision.

In Episode 63 and 64, I have a two-part discussion of the management of third parties under the FCPA.

For those few of you on the planet not aware of it, the World Cup final will be held this coming Sunday. Mike Brown and I have been discussing the World Cup, FIFA and anti-corruption in our World Cup Report series. You can check out Part I, Part II, Part III, Part IV, or Part V.

All of the episodes of the FCPA Compliance and Ethics Report are available for download on iTunes at no cost so if you want to catch up on all things FCPA and compliance related on the drive to work, you can do so. A happy Friday and enjoyable weekend to all.

© Thomas R. Fox, 2014

May 28, 2014

What Does an Effective Compliance Program Look Like? – The Regulators Perspective

What does an effective compliance program look like? Is it one that follows the Ten Hallmarks of an Effective Compliance Program as set out in the 2012 FCPA Guidance? How about one that uses the Six Principles of Adequate Procedures relating to the UK Bribery Act as its guideposts? Or should a company follow the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance? More importantly, for anti-corruption enforcement under the Foreign Corrupt Practices Act (FCPA), what does the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) look for when assessing a compliance program?

Over the years, we have heard various formulations of inquiries that regulators might use when reviewing a compliance program. While not exactly a review of a compliance protocol, one of my favorites is what I call McNulty’s Maxims or the three questions that former United States Deputy Attorney General, and Baker & McKenzie LLP partner, Paul McNulty said were three general areas of inquiry that he would assess regarding an enforcement action when he was at the DOJ. They are: first: “What did you do to stay out of trouble?” second: “What did you do when you found out?” and third: “What remedial action did you take?”

Paul’s former partner at Baker & McKenzie, Stephen Martin, who still runs Baker & McKenzie Compliance Consulting LLC, said that an inquiry he might make was along the lines of the following. First he would ask someone who came in before the DOJ what the company’s annual compliance budget was for the past year. If the answer started with something like, “We did all we could with what we had ($100K, $200K, name the figure),” he would then ask, “How much was the corporate budget for Post-It Notes last year?” The answer was always in the 7-figure range. His next question would then be, “Which is more business critical for your company; complying with the FCPA or Post-It Notes?” Unfortunately, it has been Martin’s experience that most companies spent far more on the Post-It Notes than they were willing to invest into their compliance program.

Last week at Compliance Week 2014, Andrew Ceresney, Director of the Division of Enforcement of the SEC, gave one of the Keynote Addresses. In his remarks he talked about the importance that the SEC is putting into compliance. He said “I start from the premise that the companies that have done well in avoiding significant regulatory issues typically have prioritized legal and compliance issues, and developed a strong culture of compliance across their business lines and throughout the management chain. This is something I observed firsthand while in private practice and have come to fully appreciate from my perch at the SEC.”

But, more importantly, he said that he has “found that you can predict a lot about the likelihood of an enforcement action by asking a few simple questions about the role of the company’s legal and compliance departments in the firm.” He then went on to detail some rather straightforward questions that he believes can show just how much a company is committed to having a robust compliance regime.

  • Are legal and compliance personnel included in critical meetings?
  • Are their views typically sought and followed?
  • Do legal and compliance officers report to the CEO and have significant visibility with the board?
  • Are the legal and compliance departments viewed as an important partner in the business and not simply as support functions or a cost center?

Beyond simply going into the DOJ or SEC and claiming that your company is very ethical and does business in compliance with the FCPA, how can a company demonstrate the above? This is where the Tom Fox Mantra of Document, Document and Document comes into play. No matter how much input the compliance function has into the above suggested inquiries, if the inputs are not documented, it is as if they did not exist. So for meetings, you should keep attendance sheets or notations. A compliance representative can put a short, three to four sentence memo into the file about the recommendations and the response thereto. If the compliance department advice was not followed, there should be a business reason documented for the decision. Moreover, if there is a rejection of the compliance function advice and the course of action leads to some type of FCPA issue, it may well be assumed the company knew or should have known that the course of action taken could reasonably lead to a FCPA issue if not full blown violation. As to the issues of compliance visibility at the Board level, once again the documentation of any presentation and their substance can provide evidence to answer the query in the affirmative. But the key to all of these questions is if there is documentation to prove the assertions that they actually occurred.

Near the end of his presentation, Ceresney said that “Far too often, the answer to these questions is no, and the absence of real legal and compliance involvement in company deliberations can lead to compliance lapses, which, in turn, result in enforcement issues. When I was in private practice, I always could detect a significant difference between companies that prioritized legal and compliance and those that did not. When legal and compliance were not equal partners in the business, and were not consulted as a matter of course, problems were inevitable.”

McNulty’s Maxims, Martin’s question on budget and now Ceresney’s questions all provide significant guideposts to how regulators think about FCPA compliance programs. For me, I think the point is that companies which actually Do Compliance are easy to spot. For all the gnashing of teeth about how hard it is to comply with what the DOJ and SEC want to see in FCPA compliance, when the true focus can be distilled into whether a company actually does compliance as opposed to saying how ethical they are, I think it simplifies the inquiry and the issues senior management and a Board of Directors really needs to pay attention to.

For a copy of the full text of Director Ceresney’s remarks, click here.

© Thomas R. Fox, 2014

December 11, 2013

Keep Your Hand on the Control

Yesterday Nelson Mandela’s casket was driven to the state capital where he will lie in state until his funeral on Sunday 15th December. Dignitaries from all over the world will attend. Mandela was praised for his non-violent approach to ending apartheid in South Africa and his leadership in the peaceful transition of power. But he was also recognized as incorruptible. So today we honor that aspect of his career.

I am continually amazed at the seemingly disparate current events which provide tangible lessons for the compliance practitioner. In an article in the New York Times (NYT), entitled “Hearings on San Francisco Crash Set to Explore Broader Problems”, reporter Matthew L. Wald wrote about the upcoming National Transportation Safety Board (NTSB) hearings on the deadly plane crash last July at San Francisco International Airport. Investigators quickly were able to determine the immediate cause of the crash; that being the pilots’ failure to monitor their airspeed. However these hearings will go further and try to determine more basic reasons which led the pilots to make the decisions which caused or contributed to the disaster.

The first was an over-reliance on technology. Crews for the airline involved, Asiana, are “accustomed to programming the autopilot to land their planes” rather than manually taking over during the landing procedure. The first problem was compounded and became disaster when a second problem apparently arose which was that the pilots had “evidently limited ability to manage the ubiquitous automated systems in the cockpit.” So they flew expecting the auto-pilot to land the plane but did not realize or appreciate that the auto-throttle portion of the system was in the off position. The article was clear that, even with these reasons, the problems which led to the crash were “more broad than bad pilots.”

The reliance on technology or big data has become an issue in the Foreign Corrupt Practices Act (FCPA) or other anti-corruption laws such as the UK Bribery Act. The Department of Justice (DOJ) has brought up the tool of transaction monitoring as a best practice at least since the Morgan Stanley Declination. But, just as these tools are important to the compliance practitioner, it is important to keep in mind that one of the remedies certain US based airlines have come up with will make it harder for crews to overlook problems like low airspeed, even when a plane’s auto-pilot is turned on during a descent. The solution is elegant for its simplicity: certain airlines mandated that “a pilot keep a hand on the throttle, to sense its position, during descent.” Simple, elegant and cost effective I would add.

For the compliance professional this also means a compliance program is more than simply about numbers and systems. As Paul McNulty and Stephen Martin say in their five essential elements of an effective compliance program, it is important to not only understand but ascertain if your employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. Two of the seven compliance elements in the Federal Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

The next area that the NTSB hearings will look at is training and procedures. One thing that US pilots are trained on and given a wide berth to do is to “speak up if they sense a problem, even if the pilot at the controls has seniority, and to listen to subordinates.” Recognizing that part of the issue here is cultural, because South Korean crews “have had trouble with those procedures”, the clear message here is training. For the compliance practitioner, the message is also clear, again it is training, training and training. Whether you call it a ‘Speak Up, Speak Out’ or ‘Raise Your Hand’ culture, such a system must be put in place to allow an employee who senses a problem to get that information to people who can take a more focused look at the problem.

But, more than training, the company has to commit to more than having a system. The company must commit to listening. One of the biggest changes in airline cockpits is that more senior pilots are instructed to listen to junior pilots. The same must be true in a company. The company has to listen to employee concerns. This requirement to listen has been made even stronger with the Dodd-Frank Whistleblower provisions. But the clear message for the compliance practitioner is that speaking up and listening are a two-way exercise.

Just as in every catastrophic accident, in almost every circumstance regarding a compliance issue which becomes a FCPA violation, there is at some point a situation where an employee did not report a situation or event up to an appropriate level for additional review. This failure to escalate led to the issue not reaching the right people in the company for review/action/resolution and the issue later became more difficult and more expensive to deal with in the company. This means that a company needs to have a culture in place to not only allow elevation but to actively encourage elevation. Additionally, both a structure and process for that structure must exist. Lastly, while a whistleblower process or hotlines are necessary these should not be viewed as the only systems which allow an employee to escalate a concern. In the cockpit it means a junior pilot can speak directly to a more senior pilot.

One of the things that I have learned practicing compliance is that process is very important. But the investigation into the Asiana crash shows that keeping your hand on the throttle to understand the pulse of things is a very good technique to maintain.

—————————————————————————————————————————————————————–

Please join myself and Eddie Cogan, CEO of Catelas as we discuss Risk-Based 3rd Party Vetting, Screening and Monitoring Strategies for High Risk Jurisdictions Thursday, December 12. For information and registration click here.

© Thomas R. Fox, 2013

December 6, 2013

The Rogue Employee Myth: Prevention and Detection in a FCPA Compliance Program

I cannot think of any criminal enforcement actions against a corporation involving the Foreign Corrupt Practices Act (FCPA) where there was a lone wolf employee engaging in bribery and corruption on his or her own. There might well be some internal investigations and even self-disclosures to the Department of Justice (DOJ) of such conduct but the public usually does not know about them since the DOJ would issue a Declination under such circumstances. The only publicly announced Declination where the company was identified was the Morgan Stanley Declination. In that matter, a Managing Director, Garth Peterson was prosecuted for his individual action in violating the FCPA. But from the information made available, it appears that the company uncovered Peterson’s conduct, investigated and self-reported it to the DOJ.

One of the things that Donna Boehme and Jim McGrath regularly rail against is the claim that violations of the FCPA, UK Bribery Act and other anti-corruption laws are the result of some ‘rogue employee’ out there, dreaming up ways to engage in bribery and corruption to obtain or retain business. Organizations such as the US Chamber of Commerce want to limit corporate liability for the criminal actions of their employees saying it is not fair for a company to pay for the sins of these alleged rogue employees.

While I recognize the US Supreme Court may soon make all of the above moot by deciding that corporations have the same rights, obligations and duties of real persons, those individuals making the claim of rogue-ness do not seem to contemplate how much work and effort must go into any ongoing bribery scandal which would result in a FCPA violation and how much is attributable to the company. First if the company, explicitly or implicitly, communicates that the bottom line, quarterly numbers or anything like that is the most important action an employee will be evaluated on, guess what, their numbers, and employees will always find a way to make their numbers. Further, if employees can either manipulate or over-ride a company’s internal controls to help fund or hide the payment of bribes, it is the fault of the company not having robust controls in the first place.

Remember Paul McNulty’s Three Maxims? (1) What did you do to prevent it? (2) What did you do to detect it? (3) What did you do when you found out about it? If a company’s internal controls are so porous that employees can slide the payment of bribes through the system, I would say that you have failed to answer Maxim 1 in the affirmative. If your auditing or monitoring is so poor that you cannot find any evidence of bribery and corruption because you didn’t want to (See: Wal-Mart’s initial investigation into its Mexican subsidiary) or because the auditing and monitoring is so poor (See: GSK in China where they somehow missed $500MM in payments to ‘travel agents’); you have also failed to answer McNulty Maxim 2 in the affirmative.

Yesterday I wrote about psychopaths in the guise of Chief Executive Officers (CEOs). I do not think there could be a better example of this than Bernie Madoff. His grandiosity extended to attempting to claim to federal investigators that his multi-decade, multi-billion dollar fraud and Ponzi scheme was all his work alone, that no one else in his company was involved or even knew about it. That outsized claim is being put to the test over the next couple of months in a courtroom in New York where five former employees are currently on trial for participating in this massive fraud.

In fascinating testimony, reported in a Wall Street Journal (WSJ) article entitled “Madoff’s Cold Play Outwitted Auditor” by James Sterngold, Frank DiPascali, a former top lieutenant to Madoff, described the schemes used to defraud customers and fool auditors and regulators. Initially, he noted that NONE of the trades recorded in the company’s books and records ever took place and that “a number of staff members spent most of their time producing large volumes of fake documents to convince customers they were earning attractive returns.” To put an exclamation point on his testimony, when asked if Madoff’s staff created trades out of thin air, he responded, “Literally, yes.” To confuse and misdirect an auditor from KPMG, when the accounting firm demanded to see “detailed daily trading logs to confirm that the firm was actually engaged in trading”, Madoff’s staff not only created the fake logs but put them in the refrigerator to “cool them down”. Another time, the staff tossed them around “like a medicine ball to make them look used and crinkled.” All of this was presented as evidence in the trial which indicates that more people had to be involved in the fraud.

The clear lesson for the compliance practitioner from the Madoff employees’ trial testimony to-date is that there cannot be one person or the ubiquitous ‘rogue employee’ who decides to engage in bribery and corruption. There has to be more than one person. To circumvent a company’s internal controls takes work. In any criminal FCPA enforcement matter, it is because the company involved had such weak internal controls that such circumvention could occur in the first place. But more than this circumvention, it means that the company did not employ sufficient systems to detect such bribery and corruption. And if the documentation you are reviewing is cold to the touch, that may now constitute a red flag.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

May 22, 2013

What Are The Essential Elements of a Corporate Compliance Program?

Can you synthesize and reconcile the world’s leading laws, regulations and commentaries on the best practices for an anti-bribery and anti-corruption compliance program? I recently saw one such approach by Paul McNulty and Stephen Martin of the law firm Baker and McKenzie. They have developed what they term the five essential elements of a corporate compliance program. These five elements are based upon the best practices as set out in the seven elements of a corporate compliance program under the US Sentencing Guidelines; the 13 Good Practices by the OECD on Internal Controls, Ethics, and Compliance; the FCPA Guidance’s Ten Hallmarks of Effective Compliance Program and the UK Bribery Act’s Six Principles of an Adequate Procedures compliance program. The five elements are:

  • Leadership
  • Risk Assessment
  • Standards and Controls
  • Training and Communication
  • Oversight

I. Leadership

The point means more than simply “Tone-at-the-top”; a successful compliance program must be built on a solid foundation of ethics that are fully and openly endorsed by senior management. There should be an unambiguous, visible and active commitment to compliance. But even more than support or the right tone, compliance standards require that companies must have high-ranking compliance officers with the authority and resources to manage the program on a day-to-day basis. And compliance officers must have the ear of those ultimately responsible for corporate conduct, including the board of directors.

Some of the questions you might think about in connection with the leadership of your compliance program are the following: How is board oversight implemented? Is there an ethics or audit committee reporting to the full board? What is the role of the Chief Compliance Officer? What is the role of the General Counsel? How do the legal and compliance departments interact? Does the CCO have “real power”? Is she or he treated as a second-class citizen?

Equally the Board of Directors has a key role to fulfill. The Board must ensure compliance policies, systems and procedures are in place and it should monitor implementation and effectiveness of the compliance program:

  • Be actively involved
  • Attend Board meetings
  • Review, consider and evaluate information provided
  • Inquire further when presented with questionable circumstances or potential issues
  • Once the Board knows of a potential compliance issue, it must act.
  • Regularly receive compliance briefings and training.

II. Risk Assessment

The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high risk areas first.

What are some of the areas where you need to assess your risks?

  1. Country Risk – What is the correlation between growth markets and corruption risk and what is the perceived level of corruption? In other words, the Transparency International Corruption Perceptions Index or similar list.
  2. Sector Risk – Has the government publicly stated that the industry is under scrutiny, or has it already conducted investigations in the sector? Are there corruption risks particular to the industry?
  3. Business Opportunity Risk – Is the business opportunity a high value project for your company? Are there multiple contractors or intermediaries involved in the bidding or contract execution phase?
  4. Business Partnership Risk – Does this business opportunity require a foreign government relationship? Does a foreign government require you to rely upon any third parties?
  5. Transaction Risk – Will your company be required to make any “compelled giving” through any requirements for political or charitable contributions? Are you required to use any intermediaries to obtain licenses and permits?

In addition to an initial risk assessment to either (1) inform your compliance program or (2) help you to identify high risks and prioritize their remediation, risk assessments should be a regular, systemic part of compliance efforts rather than an occasional, ad hoc exercise cobbled together when convenient or after a crisis. They should be conducted at the same time every year and performed by a consistent group, such as your internal audit department or enterprise risk management team. Such annual risk assessments act as a strong preventive measure if they are performed before something goes wrong as it avoids a “wait and see” approach.

III. Standards and Controls

Generally, every company has three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

IV. Training

Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice’s (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.

There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company’s high-risk markets, then expand geographically and through the ranks of employees.

Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.

It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.

V. Oversight – including monitoring, auditing and responses

The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. These ongoing efforts demonstrate your company is serious about compliance.

Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem.

Finally, what are your remediation efforts? Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if a company is policing itself on compliance-related issues, the government will not have to do it for them. Remediation, then, is an important component of oversight. It is not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

I have found that the Baker ‘Five Essentials’ approach is an excellent way to think through your obligations under a wide variety of anti-corruption and anti-bribery requirements. It allows you to put in place a program which should meet virtually any legal requirements you may come up against by doing business anywhere in the world. Lastly, the five-step approach is an excellent way for you to benchmark your current compliance program.

© Thomas R. Fox, 2013

April 26, 2013

Remedies of FCPA Violations – Lessons Learned from the Boeing 787 Lithium-ion Battery Issue

Over the past three months, the aircraft manufacturer Boeing has gone through a public relations nightmare and financial disaster over the failure of lithium-ion batteries in its new flagship aircraft, the 787. This Boeing case study can provide some interesting lessons for the compliance professional who is working under a Foreign Corrupt Practices Act (FCPA) or Bribery Act compliance program.

One of the issues raised over this matter was the use of third-party suppliers, and subcontractors to third-party suppliers, for the design and manufacturing of the batteries. As reported in a New York Times (NYT) article by James B. Stewart, entitled “Japan’s Role in Making Batteries for Boeing”, the construction of the batteries at issue was outsourced by Boeing to a Japanese company called GS Yuasa. Stewart’s article points out the need for close review of suppliers and what can happen if the quality does not meet the standards required for the project. In an article entitled “Boeing and the Conduct of Due Diligence on Sub-Suppliers”, I considered the use of sub-suppliers from the anti-corruption/anti-bribery compliance program perspective. In this post, I will consider Boeing’s response to the problem of the failure of the lithium-ion batteries.

In a Wall Street Journal (WSJ) article, entitled “How Boeing Rescued the 787”, reporter Andy Pasztor discussed the background to Boeing’s problems and the company’s response. The planes have been grounded since mid-January, and “The images of the burned batteries—one of which prompted an emergency landing and passenger evacuation of a Dreamliner in Japan—tarnished a plane that Boeing executives have said is key to its future.” The company has not “disclosed the cost of the 787’s grounding, but analysts say the company could have to pay penalties to customers. The grounding also halted new Dreamliner deliveries, delaying hundreds of millions of dollars in revenue.” Further, the public relations disaster was palpable.

Somewhat naively, after the initial grounding, Boeing executives “told FAA officials that a few easy changes in cockpit checklists, some enhanced battery inspections, and stepped-up surveillance of battery health during flights would be enough to solve the problem.” But that was not good enough for Transportation Secretary Ray LaHood who said at “a news conference the planes wouldn’t resume flying until regulators were “1,000% sure” they were safe.” Based on this statement, it became clear to Boeing that “the FAA would insist on more extensive and time-consuming changes.”

Yet, even in the face of Secretary LaHood’s pronouncement, Boeing’s engineers were frustrated in all their attempts to determine the cause of the batteries’ failures. As reported by Pasztor, “By the end of the first week on the ground, Boeing “had 500 engineers dedicated to understanding” the complex technical issues, Mike Sinnett, the 787’s chief engineer, said last month. Their next focus was to try to pinpoint the specific cause of internal battery short circuits, and develop a targeted engineering solution. Boeing teamed up with government investigators from the U.S. and Japan, but the goal remained elusive.”

From these initial frustrations, Boeing engineers turned to the concept of a “containment box.” The containment “box serves several purposes: withstanding higher temperatures than the old design, and keeping dangerous chemicals from leaking. It also vents smoke outside the plane, and in the event of overheating automatically sucks oxygen from the battery. That is intended to snuff out any fire in a fraction of a second.”

I think that Secretary LaHood was on to something when he said that the 787 would not fly again until “regulators were “1000% sure” they were safe.” It is not simply a fix on a specific issue, although that is a part of any solution. But the solution must be reviewed with a holistic approach in mind. There must be additional protections in place so that if there is another failure, that failure will be contained. For Boeing this would prevent a replay of the scene on the Japan Airlines 787 where a fire in the lithium-ion batteries spread outside the battery itself.

From the anti-corruption/anti-bribery compliance program perspective, what I found interesting was the final solution which Boeing hit upon, even if forced to by Secretary LaHood. Since Boeing was not able to determine the specific cause of the lithium-ion batteries’ failures, it took a more systemic approach to the remedy. The company “shifted to wide-ranging internal battery fixes aimed at combating a variety of potential causes.” This is the type of response which we saw highlighted in the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance released last year. In the section on ‘Declinations’ the Guidance had information on six declinations to prosecute companies who self-disclosed FCPA violations. Two of the common factors to each declination were that (1) each company remedied the specific matter which gave rise to the FCPA violation but, equally importantly, (2) each company made its overall compliance program more robust.

In other words, do not simply remedy the conduct at issue; make sure you catch it quickly before it spreads. This would also equate to McNulty’s Maxims One and Two: (1) What did you do to prevent it? and (2) What did you do to detect it? Or as my process oriented wife might say, ‘you need a second set of eyes on it’ to validate the process and prevent failure in the process.

Perhaps the most interesting thing about this entire Boeing 787 episode is to show the intersection of anti-corruption/anti-bribery compliance and safety. I have often pondered how closely these disciplines seem to interact and overlap. I think that this Boeing situation shows that we in compliance can learn quite a bit from our colleagues in safety.

© Thomas R. Fox, 2013

March 26, 2013

McNulty’s Maxim No. 3 and Response to Allegations of Bribery

In a Wall Street Journal (WSJ) article by Chris Matthews, Joe Palazzolo and Shira Ovide, entitled “U.S. Probes Microsoft Bribery Allegations”, they reported that the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) were investigating “kickback allegations made by a former Microsoft representative in China, as well as the company’s relationship with certain resellers and consultants in Romania and Italy”. A whistleblower alleged that an executive of Microsoft’s China subsidiary had told the whistleblower “to offer kickbacks to Chinese officials in return for signing off on software contracts”. Additionally, they reported that “investigators are also reviewing whether Microsoft had a role in allegations that resellers offered bribes to secure software deals with Romania’s Ministry of Communications”.

Interestingly, as reported by Chris Matthews in a WSJ post in Corruption Currents, entitled “Microsoft Responds to FCPA Allegations”, Microsoft publicly responded to the reports. Matthews reported that Deputy General Counsel (GC) John Frank wrote in a blog post “As our company has grown and expanded around the world, one of the things that has been constant has been our commitment to the highest legal and ethical standards wherever we do business”. Frank also said that “The matters raised in the Wall Street Journal are important, and it is appropriate that both Microsoft and the government review them.”

Commenting on this situation with Microsoft, Alexandra Wrage, President of Trace International, wrote an article on Forbes.com, entitled “Microsoft And The Rising Federal Scrutiny Of Bribery”, where she said, “All of this should not be discouraging to companies worried about complying with anti-bribery laws. Strong compliance programs, even those that fail to prevent all forms of bribery, do provide protection from liability. “[A] company’s failure to prevent every single violation does not necessarily mean that a particular company’s compliance program was not generally effective,” write the DOJ and SEC in their recently published Resource Guide to the FCPA. “[The] DOJ and SEC…do not hold companies to a standard of perfection,” the Guide continues. This may not be enough to guarantee corporate compliance officers a full night’s rest, but it should provide some comfort.”

Wrage also noted that the Microsoft investigation underscores the fact that with any company that does business internationally you cannot watch all the people, or indeed all the third parties, all the time and that violations of anti-corruption laws such as the FCPA or anti-bribery laws, such as the UK Bribery Act, are a constant risk in worldwide business operations. She believes that Microsoft, by all accounts, would appear to have a robust anti-bribery compliance program. She understands that Microsoft’s Standards of Business Conduct intones a strict policy against bribes, quoting it for the following:

“Microsoft prohibits corruption of government officials and the payments of bribes or kickbacks of any kind, whether in dealings with public officials or individuals in the private sector. Microsoft is committed to observing the standards of conduct set forth in the United States Foreign Corrupt Practices Act and the applicable anti-corruption and anti-money laundering laws of the countries in which we operate.”

The company also requires all outside vendors to read and comply with the Microsoft Vendor Code of Conduct, which also prohibits incentives such as kickbacks or bribes.

But, as she says, for a large multinational like Microsoft, which has offices in more than 100 countries, it does not always mean that thousands of business partners all across the globe will be compliant all of the time. Indeed, as admitted by Microsoft Deputy GC Frank in his blog post, “In a company of our size, allegations of this nature will be made from time to time. It is also possible there will sometimes be individual employees or business partners who violate our policies and break the law. In a community of 98,000 people and 640,000 partners, it isn’t possible to say there will never be wrongdoing.”

I think the final quote from Frank above points to the specific usefulness of the Guidance, which states, “In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.” These three clauses point to Paul McNulty’s three maxims but the Microsoft response points to McNulty Maxim No. 3, “What did you do about it?”

I have asked Paul what he meant by this, which he broke down into two parts. The first part is did you investigate it thoroughly and did you remediate those factors which led to the underlying issue? As reported by Matthews, Palazzolo and Ovide, “The allegations in China were also the subject of a 10-month internal investigation that Microsoft concluded in 2010, according to people briefed on the internal investigation. The probe, conducted by an outside law firm, found no evidence of wrongdoing, these people said.” As noted above, DOJ and SEC lawyers are now looking at these allegations, as well as those issues in Romania and Italy.

The second part is what remediation did you do? At this point it is not clear what remediation, if any, will be appropriate so we may have to leave that prong open at this time. However, there is one other matter brought up by the Guidance that is certainly raised in the context of this Microsoft matter that should be looked at. It is government involvement. One of the nine factors listed in the US Sentencing Guidelines states, “the corporation’s timely and voluntary disclosure of wrongdoing and its willingness to cooperate in the investigation of its agents”. Further, the Guidance makes clear throughout that a company benefits from self-disclosing and cooperating with the government. While it is not clear if Microsoft self-disclosed anything back in 2010 when it conducted its internal investigation, it does appear that it is cooperating with the DOJ and SEC at this time.

While several commentators have pointed to this Microsoft matter as an example of how difficult it might be to do business in full compliance with the US Foreign Corrupt Practices Act (FCPA) all the time, I draw a different lesson from this matter. I believe that an aggressive approach to McNulty Maxim No. 3 shows that it is not about how hard it is to do business internationally, or that the FCPA is too difficult to follow; but it is the strength of your compliance program and your response to allegations which should be the determinative factor for compliance. I think McNulty’s advice was good when I initially heard it and I think it is good now. Moreover, it is a part of the FCPA Guidance, which shows it is not just how McNulty might think through these issues but how the DOJ and SEC do so as well.

© Thomas R. Fox, 2013

August 22, 2012

The Face of Battle: Sir John Keegan and the Individual in Compliance

On August 2, Sir John Keegan died. He was one of the most influential military historians I have ever read or had the chance to hear speak in person. Keegan was knighted for massive output. In his August 3, 2012 obituary in the New York Times (NYT), David Binder noted that “Sir John’s body of work ranged across the centuries and continents and, as a whole, traced the evolution of warfare and its destructive technology while acknowledging its constraints: the terrors of combat and the psychological toll that soldiers have endured.” For Tip O’Neill, all politics was local, for Sir John Keegan, all military history was individual.

I, probably like most Americans, was introduced to Keegan through his seminal work “The Face of Battle” which launched his publishing career. The Historian J.H. Plumb called it “so creative, so original” and “a huge achievement.” Binder commented that “He examined three battles in the book: Agincourt in 1415, Waterloo in 1815 and the Somme in 1916…all involving the English. His tale was somber and compelling about what happens in the heat of battle, including the execution of prisoners.” Further, “the military historian, on whom, as he recounts the extinction of this brave effort or that, falls an awful lethargy, his typewriter keys tapping leadenly on the paper to drive the lines of print, like the waves of a Kitchener battalion failing to take its objective, more and more slowly toward the foot of the page.”

But for me, he drove home what battle was like for the ordinary soldier. I can still recall his descriptions of the English long bowmen and the French knights they decimated. In another book, entitled “The American Civil War”, he looked at the role of geography in conflict. Once again he approached the subject of military history in a new and fresh way that brought the subject alive to me while challenging me to reconsider the traditional great man view of military history.

I thought about Keegan’s focus on the everyman of battle today while participating in a webinar entitled “A Real-Time Solution to Managing Fraud and Corruption Risk” hosted by the company Oversight, which has a software product that allows continuous monitoring of data. One of the topics covered in the webinar was fraud and employees who commit fraud. Fellow presenter Jeff Harfenist, who is a CPA, MBA and a Director with the Berkeley Research Group, emphasized that fraud almost always starts small, with the participant or participants typically starting out small, then increasing in complexity and aggressiveness. The perpetrators will then often grow the fraud in magnitude, while sometimes increasing the number of participants. Unfortunately they will rarely cease of their own accord. In other words, the concepts Jeff talked about seemed to me to fit into Sir John’s analysis of the everyman of battle: what they did and how they did it.

Jeff further explained that data mining software, such as that by the event sponsor Oversight, coupled with advanced analytics and exception management capabilities and added together with established forensic protocols and recognized investigative methods, could provide real-time (or near real-time) detection in a variety of areas. Some of these could include inefficiencies in purchasing, potentially anomalous transactions, high-risk relationships, compliance failures and circumvention of internal controls.

I often talk about McNulty’s Three Maxims of Compliance: (1) What did you do to prevent it? (2) What did you do to detect it? And (3) When you discovered it, what did you do to remedy it? Control monitoring moves an internal audit function from the second step, “detection”, to the first step, “prevention”, through an active, ongoing process that evaluates 100% of the transactions or associated target functions in real-time (or near real-time), is highly automated and can be repeated as frequently as required. The continuous monitoring approach allows you to experience what the individuals in your company are doing on a real-time (or near real-time) basis down to the single transactional level on a repeated basis.

Listening to Jeff Harfenist speak, I thought about Sir John and his work. Just as you can learn and experience history by studying the individuals who participated in great events, your compliance program should be aimed at individuals to guide their ethical behavior based upon your company’s compliance regime. So think of Sir John Keegan’s work on the individual in battle in conjunction with what your compliance program is doing to prevent and detect fraud of individuals in your company.


If you were not able to attend the webinar, you can listen to it, while viewing the slides by clicking here.


This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

April 4, 2012

Compliance Self-Assessment: The Good, The Bad and The Ugly

Today we channel Sergio Leone and Clint Eastwood in the context of the compliance assessment, which has evolved into a key component of a minimum best practices Foreign Corrupt Practices Act (FCPA) compliance program over the past few years. Item No. 13 on the Department of Justice’s (DOJ’s) 13 steps for a minimum best practice compliance program reads:

13. Ongoing Assessment. A Company should conduct periodic review and testing of its anti-corruption compliance code, standards, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, standards and procedures, taking into account relevant developments in the field and evolving international and industry standards.

While many commentators have argued that this item requires a professional, independent third party to perform this Ongoing Assessment, I recently came across an article which gave me pause to think that another avenue may be open to the compliance professional to follow this guidance.

In the article, published in the Sunday, April 1, New York Times Business Section, Corner Office Column, and entitled “The Best Scorecard Is the One That You Keep for Yourself”, writer Adam Bryant interviewed Charlotte Beers, the former Chief Executive Officer (CEO) of Ogilvy & Mather Worldwide. Her thesis was that “it’s vital to make self-assessments, and to include the good, the bad and the ugly.”

Beers talked about her use of self-assessment in her rise up the corporate ladder until she became a CEO. She believes that continual self-assessment can provide self-knowledge which is the key for an employee to transcend up to become a superior employee and then a corporate leader. It will also improve your team relationships and enhance your ability to handle complex relationships. She says that you must reach for the “intangible and the invisible… but find out if they have confidence about the things that matter, their own ability to think and to get to the true center of things.”

I thought that the concepts discussed by Beers would be very useful in the compliance context. Many compliance practitioners have struggled with the assessment theory. When, how often, and who should perform it are questions I am often asked. While having an outside third party perform an assessment on a one- or two-year basis may certainly be a good start, a compliance self-assessment should be integrated into your compliance program. It provides the benefits of a continual model which would allow you to test and assess various portions of your compliance program on an ongoing basis. Also, the cost would not be great as you would not be required to bring in an outside consultant.

You could begin by trying to determine your company employees’ real attitudes towards compliance. If they observed something amiss, would they have the “interior tensile strength” to report the matter? Has your company made reporting as easy and straightforward as possible? One former compliance officer told me that in auditing the company’s hotline in a Far East country it was determined that the toll-free line did not ring through and the only way to call the home office in the US was by using a special cell phone provided only to senior managers of the company. How many calls do you think came through that hotline?

The more I have listened to ex-DOJ lawyers, like my former speaking partner Stephen Martin and his current law firm partner, Paul McNulty, the more I hear things like “move the ball forward” and “how did you use the resources you did have” to enhance your compliance program. Charlotte Beers’ observation that the “best scorecard is the one that you keep for yourself” clearly is a mechanism suggested by Martin and McNulty’s words of wisdom.

So how about Leone and Eastwood? For my money, the best movie of the first phase of the Spaghetti Western genre was their classic “The Good, The Bad and The Ugly.” That is the final word from Beers. In your self-assessment you must be prepared to look at all aspects, the good, the bad and the ugly. Learn and grow from each and all.
