FCPA Compliance and Ethics Blog

November 2, 2011

The TI Six Step Approach to Implementing or Enhancing a Compliance Program

I often write about what I call the McNulty Maxims of Compliance. I heard them in a presentation by Paul McNulty to the Houston Chapter of the Texas General Counsel Association in my most recent corporate position. They were (1) What did you do to prevent it?; (2) What did you do to detect it?; and (3) What did you do when you found out about it? These three maxims generally translate into (1) Your compliance program, made up of policies and procedures; (2) Your internal controls to serve as both a front-line detection and back-up against corruption; and (3) What remedial steps did your company take when they discovered the issue of concern?

So how does a compliance practitioner create the compliance program, or in McNulty Maxim terms create a “What did you do to prevent it?” compliance program? Many companies are still in the infancy of creating their compliance programs with their General Counsel or perhaps hiring an initial Compliance Officer. This person or persons may be somewhat overwhelmed about how to even get started. Transparency International, in its “Business Principles for Countering Bribery: TI Guidance Document” (“Guidance Document”), has provided a specific road map for the implementation of a compliance program. Although the Chapter in the Guidance Document is designed for Transparency International’s “Business Principles for Countering Bribery: TI Six Step Process”, this process can be used as a guide for any compliance practitioner who must create a compliance program or who needs a guide to assess whether a compliance program should be enhanced.

Step 1

Action: Decide to develop an anti-bribery and anti-corruption policy.

Primary Responsibility: Owner of Company/Board of Directors/Chief Executive Officer (CEO).

Process: Commitment to anti-bribery and anti-corruption policy from the top of the company. Appoint a senior manager to head the compliance function and cross functional Project Team.

Time Span: One Month.

Step 2

Action: Plan the compliance program implementation.

Primary Responsibility: Appoint a senior manager of the Project Team, preferably the new Chief Compliance Officer (CCO).

Process: Define specific company risks and review current practices through a risk assessment, review all anti-bribery and anti-corruption, develop an initial draft of the compliance program and obtain buy-in from senior management and key stakeholders through the risk assessment process.

Time Span: 3 to 6 months

Step 3

Action: Plan the project implementation: Appoint a senior manager to head risk assessment or bring in an outside expert.

Primary Responsibility: CCO or outside expert.

Process: Integrate the compliance program into your company’s organizational structure and assign appropriate responsibilities, develop detailed implementation plan including human resources policies, a communications program and training programs.

Time Span: 3 to 6 months.

Step 4

Action: Implementation: Getting the compliance program working.

Primary Responsibility: CCO in conjunction with persons brought into the compliance function.

Process: Communicating the compliance program both internally and externally as appropriate through training courses for employees and appropriate third parties, establish anonymous reporting hotlines and advisory function channels to provide employees guidance on day-to-day compliance issues, introduce a sanctions process for violation of the compliance program and a rewards process for conducting business in an ethical manner.

Time Span: One year.

Step 5

Action: Monitoring of the compliance program.

Primary Responsibility: CCO, Compliance Department, Internal and External Auditors.

Process: Regular reviews of the compliance program through basic testing, detailing of and reporting of all hotline calls, statistical reporting of any events or other significant issues which may arise.

Time Span: Continuous.

Step 6

Action: Evaluation of the compliance program.

Primary Responsibility: CCO, in conjunction with specialized outside counsel or external auditors, reporting to Audit/Compliance Committee or Board of Directors.

Process: Annual compliance assessment; quarterly reports to Audit/Compliance Committee of Board of Directors; no less than annual reporting to full Board of Directors.

Time Span: No less than annually. Full compliance audit bi-annually.

The TI six step guide provides the compliance practitioner with a manner to think through how to approach and implement a full compliance program. It can also be used to internally market to management how the program should be created and implemented. In short, it is yet another example of tools that TI has created and made available at no charge to the compliance practitioner to assist in moving forward to create or enhance a compliance program.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

September 23, 2011

Social Media Power-How it Impacts Your Compliance Program

In a September 26, 2011 article in Forbes magazine, entitled “Social Power and the Coming Corporate Revolution”, author David Kirkpatrick argues that the social media revolution has so empowered employees and customers that these groups will soon be calling the shots in companies and not management. He bases this on the use by these groups of social media to obtain and convey information. In the past, management traditionally controlled information and, in a top down hierarchy, would usually dole it out on a need-to-know basis and those who hoarded the information were more powerful within an organization. However, the power and speed of social media have taken this most powerful leverage out of the hands of management and relocated it. Kirkpatrick believes that business leaders now need to demonstrate “authenticity, fairness, transparency and good faith.” If the leaders do not do so, then employees may well come to distrust them, which can lead to disastrous results.

All of this is true of your compliance program but even more so for your compliance program. There has been much gnashing of teeth over the Whistleblower provisions of Dodd-Frank. Corporate America fought tooth and nail to prevent employees from whistleblowing to the Securities and Exchange Commission (SEC) without first going through the company internal whistleblower or reporting systems. Here companies missed the point entirely. If they have a reporting system which is perceived as fair, employees who have a valid complaint or compliance issue to report will do so through the system. The reason is that employees are not employed to discover and report to the US government compliance violations. They work at companies because they desire to be employees. Put more simply – people do not go to work to report compliance violations under Dodd-Frank and wait years to see if they get any money out of it.

In compliance conferences this year a new round of anecdotal stories is making the rounds regarding just how nefarious the Dodd-Frank whistleblower program has become. It goes something like this: an unnamed foreign employee, when faced with termination, is alleged to have threatened to go to the SEC to report a compliance violation unless he (or she) is paid off. I say, let them go to the SEC. If you have a real compliance problem, your company had better have a detection system in place which rings some bells somewhere in your company.

The key is to develop trust in your overall compliance program. For a US company with a large overseas workforce, trust does not simply happen by ramming a Foreign Corrupt Practices Act (FCPA) compliance program down the throats of its non-US workforce. Kirkpatrick notes that “Trust is developed by sharing vulnerabilities.” He quotes Don Hagel that trust comes not from “the top executive dictating about what needs to be done and when, it’s about providing individuals with the power to connect.” I would add that it also comes from listening to your employees. If employees think that they have a vested interest in the outcome, they will work much harder to make sure the company has success.

Part of this idea of trust falls under the concept of the Fair Process Doctrine; that is, if employees think that the process is fair, they will be more willing to accept results which they do not necessarily like. Another part of trust is not treating employees like second class step-children. I can remember when a friend from my home town, who worked for a major oil company, told me that it was like being in the third grade. They wanted you at your desk at 8am in your uniform (i.e. coat and tie for men) and to stay there until the closing bell rang. The same mentality is now true for companies which ban the use of social media tools at work. Kirkpatrick quotes Clara Shih that “at least in America our job is such an important part of our identity that most people want to talk about it.” And they do on Facebook, LinkedIn and Twitter. In other words, employees will talk about your company anyway, whether you tell them they cannot do so at work or not.

All of this means that your compliance program should embrace the underlying thesis of Kirkpatrick’s article. A company needs to develop trust under this new dynamic. By developing this new dynamic, having employees who want the company to succeed, they are more likely not to engage in bribery and corruption but also to detect and report it. I think that McNulty’s maxims would apply here: (1) What did you do to prevent it?; (2) What did you do to detect it?; and (3) What did you do to fix it? Just imagine the power of your compliance program if you had employees driving the answers to these three questions in conjunction with your policies and procedures.


June 29, 2011

Four Steps to Resolving Your FCPA Compliance Issues

As regular readers of this blog know, I often cite the three maxims of Paul McNulty as the basis for a good compliance program. They are the questions that the government will ask when they come knocking: (1) What did you do to prevent it?; (2) What did you find when you looked into it?; and (3) What did you do when you found out about it? One of the keys of these ideas is that if you look for something, through investigation or audit, you cannot be afraid to find something, recognize that it is a problem, then move forward to remedy the problem and use it as a lesson learned going forward. I recently saw an advertisement in the Harvard Business Review for the Columbia Business School which was entitled “How to realize leadership potential”. It occurred to me that it was a way to think through and act upon McNulty’s point 3. So with some modification I present a practical method to implement McNulty.

1.     Recognize Compliance Problem

The key here is to provide the tools to company employees through training that allow them to recognize when a compliance problem has arisen. Your compliance program must have a written Code of Conduct or other formation document which clearly articulates what is expected from the compliance perspective. However, because compliance programs also have a requisite financial controls component, as required by the books and records portion of the Foreign Corrupt Practices Act (FCPA), there also needs to be a clear policy statement which employees can read and understand. This does not mean a compliance policy written by lawyers for lawyers, with lengthy citations to the FCPA, direct cut-out quotes from the US Sentencing Guidelines and other terminology only a lawyer can read and understand. The compliance policy needs to be written in plain English or at least in language that a business person can understand. There should also be a detailed statement of the compliance procedures which explain the financial process by which your company will manage the compliance risk.

All of this should be encapsulated in a training program. There are various and numerous approaches to training. It can be live, via video, through a Webex, via audio, computer based or any combination thereof. The key is to provide sufficient training to allow employees to recognize compliance problems. I tell employees that they do not have to understand all the nuances of FCPA law or make a decision on whether the FCPA has been violated. I ask them that if something strikes them as wrong; their gut tells them it’s an issue; or the hair on the back of their neck stands up, recognize this as a problem and move to Step 2…

2.     Call for Help

So what should you do if you recognize a compliance problem? I train employees to raise there and escalate the problem. Tell your boss, call the compliance or legal department, use the hotline or do something to escalate the problem so that it can be investigated. Here the actions of the company are critical. A company must provide the training for an employee on what they are to do; where they can go. This message must be reinforced by emails, posters, reminders by management and any other form of media to communicate and keep communicating this message.

But this next part is absolutely critical. Your company must be absolutely, positively committed to accepting the employee’s concern and there must be NO RETALIATION. I know that every company in America will swear up and down that they embrace this basic of compliance; just as they do for all other areas where employees can bring claims, such as harassment, discrimination, SOX concerns or a myriad of others. But if there is one hint or even a whiff of retaliation, it will end, for all time, employees bringing compliance concerns up the line. All of which leads to Step 3, which is…

3.     Address the Issue

There must be a thorough and competent investigation. Do not wait one or two months to perform the investigation. In addition to the mundane concern of evidence becoming stale or disappearing, the reporting employee or other witnesses being harassed; you will lose credibility the longer you wait. Employees who make such reports expect, and I believe reasonably so, for their concerns to be taken seriously. Here I do not mean have the President of your company go in front of the national press to announce the termination of the alleged wrong-doers, well before your President has the correct facts in hand, such as was the case with the recent Renault matter.

My colleague Jim McGrath, author of the Internal Investigations Blog, writes about the use and need for specialized investigative counsel to assist a company at this juncture. Even if you do not follow Jim’s advice, you must get a lawyer on the ground as soon as is possible. This lawyer should be trained in how to investigate; he/she must have an investigation protocol and a good understanding of the facts through a comprehensive review of all documents, before the interviews begin. So perhaps you do need specialized investigative counsel as Jim suggested so as not to have any conflict of interest in pursuing any leads in the compliance investigation. With that we move on to Step 4, which is…

4.     Apply Resolution

Here your company must be fearless. It must not be afraid of what may be found in the investigation, and it must not be afraid to remedy the issue. Remember McNulty’s Maxims? The third question the government will ask is “What did you do when you found out about it?” You must follow your compliance policy. If discipline is warranted, you must administer it. The discipline must be administered fairly but equally across the globe. I once was at a company which fired Brazilian employees for making mis-statements on their expense accounts but gave a US employee a “Letter of Warning”. What kind of message do you think that action sent?

There may be other resolutions which may not require the administration of discipline. It may be that your internal controls need to be strengthened. Although not in the compliance world, how do you think Citigroup is feeling about its internal controls today, as it had an ex-employee charged with embezzling over $19MM for over a year before he was caught? But the key is to resolve the matter. Use it as a lesson learned and as a teaching tool. Do not hide the issue and if it is an FCPA violation, consult with counsel regarding a self-disclosure to the Department of Justice (DOJ) and Securities and Exchange Commission. If all this happened in your UK subsidiary and you complete your investigation after July 1st, self-disclose to the Serious Fraud Office.

I hope you can use these four steps to assist you in implementing McNulty’s Maxims. This is what the DOJ wants to see if they come knocking.

