FCPA Compliance and Ethics Blog

September 9, 2014

Management of Corruption Risks – Business Lessons from GSK

The Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made it abundantly clear over the past several years that companies should assess their risks and then manage them. In the anti-corruption space, simply putting in a check-the-box paper compliance program does not help to prevent, detect or remediate violations under laws such as the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. In their joint FCPA Guidance, the DOJ and SEC make clear there are a variety of steps a company can take to manage anti-corruption risks.

One of the tired excuses for cutting back on FCPA enforcement is that it costs US companies business overseas because they cannot engage in bribery and corruption, while the commercial enterprises of countries which do not have robust anti-corruption laws essentially bribe at will. However, there are many business solutions available in the management of risk, which companies can profitably use to help ameliorate bribery and corruption risk.

I was interested to read recently about some of the responses that one of the world’s current poster children for bribery and corruption is considering. In an article in the Financial Times (FT), entitled “Witty comes out fighting for GSK”, Andrew Ward reviewed some of the business responses that GlaxoSmithKline PLC (GSK) has contemplated over the past year since the revelations about allegations of bribery in China. Ward reported that, in addition to the uncertainty of the ongoing corruption investigations by Chinese authorities, by the UK Serious Fraud Office (SFO) for violations of the UK Bribery Act and by the DOJ for violations of the FCPA, the company “issued a profits warning that exposed weakness in the company’s core respiratory medicines business.” These warnings turned on “the decline in the company’s best selling drug. Revenues from Advair, an asthma treatment that accounts for a fifth of sales, fell 12 per cent in the second quarter, on top of the 15 per cent drop in the three months before that.” Moreover, the company’s stock is down some 14% in the past year.

I was intrigued by the response of GSK’s chief executive, Sir Andrew Witty. Witty did not bemoan the corruption investigations that his company is going through or somehow try to claim that the company simply could not compete because of the scrutiny it is under. On the business front, Ward reported that “GSK’s innovation engine is working”, as Witty noted that the company had “six new drugs approved across all therapeutic areas last year and a further 40 in advanced development”.

In addition to the specific response regarding the development of new pharmaceutical products, Witty is looking at other sales products and models that will lessen the company’s corruption risk while providing a strong business base. Ward reported that Witty is “strengthening GSK’s two other businesses: vaccines and healthcare.” This move “was reinforced by a $20bn asset swap with Novartis in April under which GSK traded its subscale oncology business for the Swiss group’s vaccines division, while the pair agreed to set up a joint-venture in consumer products.” This means that when this structuring is completed, “half of GSK’s revenues will come from outside [the sale of] pharmaceuticals.”

Witty has also worked to change internal GSK compensation incentives to help manage corruption risks. Late last year, the company announced that it would “sever the link between sales and pay for drug reps and from 2016, stop payments to doctors for promoting its products.” Ward noted that others in the industry have not followed GSK’s lead in changing the way it compensates its sales team, but Witty said, “in the long-run, the company will benefit from being the first-mover towards a new marketing model.”

Finally, and perhaps most interestingly, Witty has attempted to become an industry-wide “standard-bearer for [pharmaceutical] industry ethics.” Ward reported that the ongoing scandal has helped Witty “drive home to employees the need for greater transparency.” Ward even quoted Witty for the following, “It gives me the ammunition to say we are in the public eye and our behaviour counts. It’s not just about generating prescriptions, it’s how you do it.”

In another article on the GSK corruption scandal by Ward, entitled “GSK chief floats break-up option”, Ward reported that Witty has “zero tolerance for any form of corruption” and that “he was pleased if wrongdoing had been brought to light so that it could be stamped out.” Witty went on to say that “Any company that doesn’t get whistleblower letters isn’t looking hard enough. If you are not getting any don’t dream. It can’t be perfect 100 per cent of the time.”

Another perspective on business solutions to the management of corruption risks came from Tom Mitchell, also writing in the FT in an article entitled “Expats in China should read GSK potboiler carefully”. Mitchell focused on a book by Joe Studwell called The China Dream, which detailed some of the business failures that had befallen western companies in China. Mitchell drew the lesson from Studwell’s book that “When foreign investors’ interests are aligned with those of their domestic partners – as they generally are today in the auto sector – those investors do very well indeed… However, when interests are not aligned – or when outside operators in sectors where they are not required to have joint ventures – foreigners are vulnerable to sudden reversals of fortune instigated by either a bitter partner or by unsympathetic officials.”

How closely does that resemble what happened to GSK? Mitchell noted that GSK “made money from selling goods in China at prices that – Chinese police allege – were high by the standards of many markets. At the same time, GSK was not sharing revenue streams with a local partner that could help with damage limitation when local authorities appeared on its doorstep.”

The management of risk is essentially a business exercise. That is because risk is what can cause a company to lose money. Some risk is embodied in statutes such as the FCPA or UK Bribery Act. Sometimes risk is a change in market circumstances. For all that I and others have written about the negative side of GSK, the company may well come out the other side of the Chinese corruption scandal stronger, because it seems to understand that there is a market-based solution to corruption risks. GSK has changed the way it will compensate its sales force and will end its payments to doctors. This may take away incentives to cut corners or engage in bribery and corruption. But think about Witty’s steps to diversify the GSK product base. If you are in an industry that is corrupt and you cannot find a way to do business profitably, your company may have other business lines it can move forward to a more prominent role in your business. Lastly, as with most responses to legal issues by lawyers, business executives are limited only by their imaginations in their response to business issues.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 21, 2014

What Can You Do When Risk Changes in a Third Party Relationship?

The GlaxoSmithKline PLC (GSK) corruption matter in China continues to reverberate throughout the international business community, inside and outside China. The more I think about the related trial of Peter Humphrey and his wife, Yu Yingzeng, for violating China’s privacy laws in their investigation of who filmed the head of GSK’s China unit in flagrante delicto with his Chinese girlfriend, the more I ponder the issue of risk in the management of third parties under the Foreign Corrupt Practices Act (FCPA). In an article in the Wall Street Journal (WSJ), entitled “Chinese Case Lays Business Tripwires”, reporters James T. Areddy and Laurie Burkitt explored some of the problems brought about by the investigators’ convictions.

They quoted Manuel Maisog, chief China representative for the law firm Hunton & Williams LLP, who summed up the problem regarding background due diligence investigations as “How can I do that in China?” Maisog went on to say, “The verdict created new uncertainties for doing business in China since the case hinged on the couple’s admissions that they purchased personal information about Chinese citizens on behalf of clients. Companies in China may need to adjust how they assess future merger partners, supplier proposals or whether employees are involved in bribery.”

I had pondered what that meant for a company that wanted to do business in China through some type of third party relationship, from a sales representative to a distributor to a joint venture (JV). What if you cannot get such information? How can you still have a best practices compliance program around third-party representatives if you cannot get information such as ultimate beneficial ownership? At a recent SCCE event, I put that question to a Department of Justice (DOJ) representative. Paraphrasing his response, he said that companies still need to ask the question in a due diligence questionnaire or other format. What if a third party refuses to answer, citing some national law against disclosure? His response was that a company needs to weigh very closely the risk of doing business with a party that refuses to identify its ownership.

The more that I thought about that answer the more I became convinced that it was not only the right answer under any type of FCPA compliance program but also the right response from a business perspective. A company must know who it is doing business with, for a wide variety of reasons. The current situation in China and even the convictions of Humphrey and Yu do not change this basic premise. You can ask the question. If a party does not want to disclose its ownership, you should consider this in any business relationship going forward.

The Humphrey and Yu convictions do not prevent you from asking the question about ownership. Their convictions mean that you may not be able to verify that information through what many people thought was publicly available information, at least publicly available in the west. I was struck by one line in the Areddy and Burkitt article, again quoting Maisog: “It’s not just that the tactical business practices need to change; it’s the mind set.”

I break down the management of third parties under the FCPA into five steps, which are:

  1. Business Justification and Business Sponsor;
  2. Questionnaire to Third Party;
  3. Due Diligence on Third Party;
  4. Compliance Terms and Conditions, including payment terms; and
  5. Management and Oversight of Third Parties After Contract Signing.

The due diligence step is but one of these five. Further, due diligence is performed in large part to verify the information that you receive back from a proposed third party. So what if you can no longer use avenues previously open to you in markets such as China? Perhaps there are other ways to manage this issue. Areddy and Burkitt also interviewed Jerry Ling, a partner at Jones Day, who said that “companies will need to analyze Chinese accounting documents themselves and conduct more in-person interviews with anyone they want to know more about in China.”

Ling’s point dovetails directly into what I heard from the DOJ representative. There is nothing about the Chinese law, or any other country’s law, which prevents you from asking some basic questions that are found in the Step 2 Questionnaire cited above. You can always ask who the owners of a company are, whether they are direct or beneficial. You can always ask if a company, its owners or its senior management have been involved in any incidents involving bribery and corruption and you can always ask if the company has a Code of Conduct and/or compliance program and whether its owners or senior management are aware of the FCPA and have had training on it.

Assuming the company will answer your questionnaire, the difficulty you may find yourself in now is verifying the information that you receive. In Ronald Reagan parlance, you may trust but you may not be able to verify it. Ling said in the WSJ article that “The challenge now for clients is that it’s hard to get good information.”

However, due diligence is but one step in the management of any third party in an FCPA compliance program. Just as you increase your management around a risk when that risk goes up, the situation is similar here. Putting it another way, if you cannot obtain private information such as personal identification numbers during the due diligence process, you can put greater management around the other steps that you can take. Further, there has been nothing reported which would suggest that publicly filed corporate licenses or other information that might show ownership can no longer be accessed. Court records and public media searches also seem to still be available.

But what if you simply cannot determine whether the information you are provided regarding ownership is accurate or even truthful? You can still work to manage the relationship through your commercial terms by setting your commission or other pay rates at a reasonable scale. If you are dealing with a commissioned sales representative, you can probably manage this area of the relationship by setting the commission in the range of 5%. You can also manage the relationship by reviewing invoices to make sure there is an adequate description of the services provided, so that they justify whatever compensation the third party is entitled to receive under the contract. You may also want to schedule such a third party for an audit ahead of other parties to help ensure adherence to your compliance terms and conditions.

There may be times when you cannot verify the true or ultimate beneficial owner of a third party. That does not have to be the end of the analysis. If that situation arises, you may want to see if there are other risk mitigation tools at your disposal. Put another way, if such a red flag arises, can it be cleared? Can it be managed? If your company is looking at a major deal worth many millions and your agent will receive a six or seven figure commission, the risk of not knowing with certainty may be too great, because in such a case an unknown owner could be a government official who has awarded the contract. But if your agent receives a considerably smaller commission, and hence there is a considerably smaller amount of money available to constitute a bribe, you may be able to manage that risk through a close and effective relationship management process.


© Thomas R. Fox, 2014

February 11, 2014

More Lessons From Workplace Safety for the Compliance Practitioner

I have long believed that the compliance discipline has quite a bit to learn from the area of safety in the workplace. This is not only because I believe that the changes in corporate attitudes about safety presage many of the current debates about how to ‘do compliance’ but also because many of the processes and procedures that a safety professional utilizes can be translated into a process for the compliance professional. In a recent Compliance Week article, entitled “Risk-Management Lessons From The Depths”, Richard M. Steinberg reviewed the newly released book Trapped Under the Sea, by Neil Swidey, which is about a catastrophic accident that occurred during the construction of a waste treatment plant in Boston Harbor.

Steinberg’s article focused on the risk management issues which led to the deaths of men working on a tunnel, dug far beneath Boston Harbor, that transported waste out to sea before its release. Steinberg began by looking at the pre-operation factors which laid the “seeds of disaster” leading to the tragedy: (1) there were tight deadlines to be met, “with a federal judge ready to impose huge fines and penalties if they were not”; (2) the executive director of the governmental water resources authority overseeing the project was inexperienced, was suffering from a stress condition his doctor said was off the charts, and, most critically, was “clearly intimidated by the prime contractor’s chief executive”; and (3) the prime contractor was already in the red on the project, behind schedule and incurring millions of dollars in penalties, rising every day.

With the project, and many jobs, on the line, the stress level on the management team grew. Swidey noted that organizational behavior research shows that, “As trust levels go down within a group, group members’ creativity and willingness to seek new options also decreases. When intense time pressures are added to the mix, opposing sides tend to become even more fixed in their positions, relying more on cognitive shortcuts. They’re unable to work collaboratively to solve a problem because they have become locked in an adversarial contest: if you win, I lose.” The actual planning of the key event which led to the catastrophic failure “fell to sub-contractors, with two men calling the shots: Roger Rouleau, who relied on the technical capability of the other man he was to oversee, Harald Grob. The subs needed to please the prime contractor, or risk ruin. Ultimately, those overseeing the project ended up relying on these two men to make some critical final decisions.” As Steinberg noted, “although there was a major general contractor, several sub-contractors, the governmental water resources authority, and the Occupational Safety and Health Administration involved, with a number of smart and seasoned people, the key decisions were left to one sub-contractor, who wasn’t even properly supervised by his boss.”

Steinberg said that the post accident analysis discovered the following:

  • There were a series of small, bad decisions, none of which on its own would have been enough to produce a disaster, but together elevated risk to new heights.
  • There was a dangerous cocktail of time, money, stubbornness, and frustration near the end of an over-budget, long-delayed project. The major players desperately needed the project to be concluded. They closed their eyes and hoped the plan made sense.
  • Serious failings tend to happen late in projects, when confidence runs high and tolerance for delay dips especially low.
  • Another factor at play here is EQ, or emotional quotient, which is differentiated from IQ. EQ is the ability to read, process, and manage the emotions of people around you, as well as your own.
  • Executives with real authority put a higher value on Grob’s “fresh eyes and can-do attitude” than on their own intimate knowledge of the project and common sense. And doing so afforded them distance from the risks associated with the project.
  • It turns out there was a much safer and better approach that wasn’t even considered until much later. Why? The battling parties became so fixed in their positions they could no longer trust the other side’s intentions. They fell prey to the “availability bias” where decisions are based on what was most available to them—in this case, Grob’s plan.

For the anti-corruption practitioner, the lessons from this disaster and Swidey’s book are myriad. Beyond the simple ‘just get it done’ prescription that a Chief Compliance Officer (CCO) often hears about business deals are some clear and direct markers. The first and foremost is that when something is high reward, there is generally a high risk involved. In the case of the Boston Harbor disaster, the high risk was the technology used to supply air to the men working in the tunnel that collapsed; that technology had never been adequately tested. In fact, the technology was not even understood.

From this the next lesson is to always understand the complete parameters of the transaction. If a party’s role is not set out or well explained, you must make the appropriate inquiries to determine the role. If you have a third party, you should know its role and that role should be specified in its contractual duties so that any compensation payable to the third party can be assessed against some type of standard.

If someone will not answer the direct questions that you pose, you need to have the authority to get those answers. The sub-contractor involved, Grob, refused to brook any criticism of his clearly outlandish plan by refusing to even answer questions about it. Steinberg wrote, “Grob’s bristling when the men raised concerns about his plan, and stressing his rank in the organization chart, made matters much worse.” This means, as a compliance professional, if you cannot get the necessary answers, you have to be able to say No.

As a project moves towards its end, it sometimes takes on a life of its own, which seems to have happened here. This is the time that a compliance professional must remain ever vigilant, dotting every ‘i’ and crossing every ‘t’, to make certain that the company’s internal compliance protocols are followed. As Steinberg noted, “The more people do something without suffering a bad outcome, the harder it becomes for them to remain aware of the risks associated with that behavior.”

I have previously written that there are many lessons to be learned by the compliance discipline from the field of workplace safety. While I still believe that the biggest lesson is that an entire corporate culture can change, just as I have seen safety now become priority Number 1 in the energy industry, there are significant process lessons to be garnered from the study of catastrophic safety system failures. Steinberg’s article and Swidey’s book make an excellent starting point.


© Thomas R. Fox, 2014

May 15, 2013

Scam Artists from Texas and Compliance Risk Management

Billie Sol Estes died yesterday, and when it comes to scam artists from the great state of Texas, before there was Allen Stanford and his magical Certificates of Deposit located in his private bank in Antigua, there was Billie Sol Estes. Before Sir Allen came along, Billie Sol had a 50 year run as the King of Texas Swindlers. He was most well-known for his scam involving phony financial statements and non-existent fertilizer tanks to loot a federal crop subsidy program. He went to jail for mail fraud over this scheme, although his conviction was later overturned. But his lasting legacy may be the following quote by former Associated Press (AP) correspondent Mike Cochran, who recalled writing how Estes made millions of dollars in the phony fertilizer tank scam and noted “how many city slickers from New York or Chicago can make a fortune selling phantom cow manure?”

Billie Sol’s risk tolerance was quite high, and his implementation of a risk management plan may have seemed, well, rather 1950s. Hopefully your company is a tad more mature in this process. But after you have identified a compliance risk, what should the next steps be for a company’s Chief Compliance Officer (CCO)? This question was explored by C. J. Rathbun, in the May/June issue of Compliance and Ethics Professional Magazine, in an article entitled “You’ve identified a corporate risk—what next?”. Rathbun believes that any consideration of such an identified risk will be in the context of three key questions:

  1. The severity of the risk weighed against the company’s appetite for risk.
  2. How the company has performed in the past in managing similar risks, and what the impact on the company might be if the risk actually occurred.
  3. The probability or likelihood of the risk event occurring.

I. The Compliance Report

Rathbun explained that a CCO needs to consider several questions when shaping the report which will go to the management group or Chief Executive Officer (CEO) to make any decision on whether a new risk should be accepted. These questions include:

  • Who is the audience for the report? Will it be the CEO, Board of Directors or some other senior management group or council? Further, what is the level of trust between the CCO and those constituent groups? Has the CCO been elevated to a C-Suite level position within the company? Could the audience be a regulatory body or perhaps even a Judge?
  • What is your company’s organizational structure? In this question you need to consider how decisions of this dimension are usually made in your company.
  • What reputational risk for the company should be anticipated? This is the Wall Street Journal (or New York Times) question. How would your CEO feel if he woke up to read about your company and its decision on the front page of the Wall Street Journal?
  • What should be incorporated into the report? Should other business concerns be incorporated into the report, such as financial or other legal issues?
  • How should the report be presented? In what format or with what technology should the report be presented? Will the group or person tasked with making the decision accept a written report or will it simply be a high-level PowerPoint presented to a Board of Directors?

II. Weighing the Options

Once the report is considered and the options weighed, what are some of the possible outcomes that a company may utilize? Rathbun breaks the options down to four. The first is risk avoidance, where a company decides that the risk is simply too great. The second option is risk management, where the company implements procedures to manage the risk and then monitors the risk closely. The third is risk shifting, where some portion of the risk is transferred through insurance or another mechanism. Fourth, and finally, the company can simply accept the risk: risk acceptance.

III. Implementation

Rathbun believes that the risk management choice is the one which may well take the most work, particularly for a CCO. You may be required to create new policies and procedures to assist in the risk management process. Any new policies and procedures will need to be implemented with attendant training for the affected employees. There will need to be follow-up monitoring to ensure engagement and accountability.

IV. Confirming Changes in Behavior

Rathbun articulates that there are two mechanisms by which a “checkback” can be performed on policies, procedures, actions and employee accountability. These two mechanisms are monitoring and auditing. Monitoring is a commitment to reviewing compliance programs in real time, detecting gaps and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, more aggressive approaches may be required, such as the addition of follow-up assessments to confirm effective management of the new risk.

Rathbun cautions that more standard “checkback” tools should also be utilized. These include compliance by third parties, testing or otherwise gauging employee knowledge regarding the risk management program, and even hotline complaints. Rathbun also suggests that relatively new tools such as transaction monitoring, relationship monitoring and real-time monitoring of third parties should be considered.

V. End Goal

Rathbun believes that the end goal should be “to allow the company to identify a growing concern before it becomes an issue—before consumers are harmed or regulators become concerned.” While a well-structured program does require vigilance it also allows the opportunity for continuous improvement for your company. Rathbun concludes by stating that your goal should be to “help ensure that you and your company ‘will get the first crack’ at addressing a problem, if one occurs.”

I found the Rathbun article to provide a good method for the compliance practitioner to think through, then design and implement, a risk management plan within the context of your overall compliance program. Although she never states it, a key component that she outlined is the Document, Document, Document component of any compliance program. The Department of Justice and Securities and Exchange Commission said in their FCPA Guidance, “In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.” I believe that you can achieve such a carefully designed and earnestly implemented risk management program by using Rathbun’s suggestions.

Finally, if a long, tall Texan comes to you wanting to borrow money against some fertilizer tanks, do not just turn and walk; run in the other direction.


© Thomas R. Fox, 2013

March 13, 2013

Lessons from Bill Belichick for the Compliance Practitioner

I recently read “War Room: The Legacy of Bill Belichick and the Art of Building the Perfect Team” by Michael Holley which is about Bill Belichick, the rise of the New England Patriots and the sophisticated player evaluation system that Belichick and others installed in New England. The book also talked about Belichick disciples Scott Pioli and Thomas Dimitroff who took this player evaluation system to new General Manager positions at Kansas City and Atlanta respectively. Neither disciple has had the sustained success that Belichick has maintained for a full decade now. In fact Pioli was fired this year from his position after three straight losing seasons in Kansas City. Dimitroff has achieved a bit more success, with Atlanta winning its first playoff game under his regime this year.

One of the things that struck me about the Belichick player evaluation system, and how it was used by all three men for their respective teams, is that it is a building block system. It takes a system and builds that system, building block by building block, until the overall system is completed. This is then fine-tuned and updated through continuous monitoring, assessment and review. For the compliance practitioner, I found this approach to have several valuable lessons.

The value of a risk assessment is well known. It is something that should be a part of every compliance program. I recently wrote in praise of the mock audit, where an in-house team performs a preliminary assessment of a utility plant to get that facility ready for a more formal, federal or state regulatory mandated audit. The concepts of monitoring and auditing are also well known, though they are often confused. Monitoring is a commitment to reviewing and detecting compliance issues in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records.

However, using the Belichick model as a guide, I think it also points to less formal, but equally useful, reviews of the process and system of compliance. Of course you can take a look and self-assess your overall program, particularly if you benchmark it against the US Sentencing Guidelines’ Seven Elements of an Effective Compliance Program or the FCPA Guidance’s Ten Hallmarks of an Effective Compliance Program. So I think you should take the opportunity to perform informal testing throughout the year. My colleague Mary Jones told me that she would occasionally pull third party representative invoices and review them to determine if they were billing as per their contract with Global Industries and whether the descriptions for services raised any red flags. This allowed her to catch any problems early in the cycle, but it also gave her the chance to informally determine if the training she was putting on was effective or if it needed to be modified in any manner.

Sitting on the flip side of continued updating is how this building block system can help a compliance practitioner when they are faced with what may appear to be an insurmountable compliance related task. I have often heard stories where an Associate General Counsel (AGC) is tasked with putting together a vendor compliance program or other task that simply seems so large it is difficult to even get one’s arms around it before the task is due to be completed. It may be a full policy and procedure update, writing a new set of internal controls or any other task that simply seems monumental.

The Belichick player evaluation system provides a guide, which is to construct your overall system building block by building block. You can think about constructing your compliance program in the same manner. The added benefit to this approach is that it comports with what I believe to be one of the key takeaways from the Department of Justice (DOJ)/Securities and Exchange Commission (SEC) FCPA Guidance, that being that a company should assess its risk and then manage those risks, starting with the highest risks and moving on from there. Another way to put it might be: construct your compliance program building block by building block, beginning with the high risk, and use that as the foundation to construct your overall program.

Getting back to the AGC tasked with the Supply Chain task, one approach might be to risk rank the vendors based on the following approach:

  1. Government Services Providers – Any vendor who represents your company before a foreign government, such as a freight forwarder, logistics company, import/export services provider or customs broker.
  2. High Risk Supplier – Any supplier who meets one of the following criteria: (A) Is based in or supplies goods/services from a high risk country; (B) Is more of a business partner, similar to a joint venture partner; (C) It has been convicted of, or is alleged to have been involved in, illegal conduct and has failed to undertake effective remedial actions.
  3. Low Risk Supplier – Any supplier who meets the following criteria: (A) Is based in a low risk country where the goods or services are delivered, it has no involvement with any foreign government, government entity or Government Official; or (B) Is subject to the US Foreign Corrupt Practices Act (FCPA) and/or Sarbanes-Oxley (SOX) compliance.
  4. Nominal Risk Supplier – Is a supplier who meets the following criteria: (A) Supplies goods or services which are non-specific; (B) For any particular job or assignment; and (C) The value of each transaction is less than $10,000.
  5. Supplier of General Goods and Services – Is a supplier who: (A) Supplies goods or services which are widely available to the public; and (B) Does not fall under the definition of Minimal Risk Supplier.

Based upon this risk ranking, you can set your compliance process, building block by building block. You start with the highest risk ranking and move down from there. Indeed this is what I believe the FCPA Guidance suggests when it says the following, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program. Thus, the discussion below is meant to provide insight into the aspects of compliance programs that DOJ and SEC assess, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations”. That means you can use a system like the one I laid out above or come up with your own system but make it one that works for your company and your risk profile.

If you focus on the risks to your company, I think that you can use the model of Bill Belichick and the New England Patriots as a guide. Build from the ground up by assessing your risk and then managing that risk. When you have completed the part of your compliance program which deals with the highest risk that you have assessed move on to the next risk or level of risk and begin the process of constructing a compliance system to assess that level of risk. But do not forget the second part of the Belichick formula. You do not have to wait until an annual assessment to revamp your system. You can take more informal input from a variety of sources to tweak your program and move it forward. Constant evaluation and improvement are the hallmarks of any successful system and you should incorporate these concepts into your compliance program.


© Thomas R. Fox, 2013

February 28, 2013

Distributors under the FCPA – Post Game Wrap Up

This week we have focused on distributors and how a company might think through ranking the risk, performing due diligence on and, finally, how to manage distributors going forward. This was spurred on by a discussion that David Simon and I had engaged in previously on LinkedIn. In today’s post I will try and wrap up and wrap together our approaches so that you might decide which works best for you and your organization.

But first I must note the passing of one of the most famous Texans of the 20th Century, Van Cliburn, the pianist who won the first-place award at the 1958 Tchaikovsky International Competition in Moscow. His gold medal in the inaugural year of the Tchaikovsky competition, won in Moscow, was viewed at the time as an American triumph over the Soviet Union at the height of the cold war. He became a cultural celebrity of pop-star dimensions and brought overdue attention to the musical assets of his native land. But he gave back as well, starting his own piano competition which also became world famous.

While I had been initially skeptical of David’s approach, as I read his White Paper on the subject and his guest post this week, I became convinced that his approach has merit because it follows what is set out in the recently released Department of Justice (DOJ)/Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) Guidance, which I quote from the introductory section of the Ten Hallmarks of an Effective Compliance Program:

Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately. [emphasis supplied]

Based upon this language, I believe that if a company takes a carefully designed and reasoned approach to assessing the risk of its distributors and then manages that risk, it meets the above prescription from the FCPA Guidance. While I believe that distributors should be considered the same as agents under the FCPA, I am persuaded that David’s approach meets the cited recommendation from the FCPA Guidance.

I. Fox Approach – The Full Monty Approach

While I wish I had thought of that name, I have to credit it to Simon. In 2012, there were three enforcement actions which I believe made clear that there were no distinctions between agents and distributors. They were the Smith & Nephew, Inc. (S&N) Deferred Prosecution Agreement (DPA) for criminal FCPA violations, the Oracle SEC Complaint for books and records violations and the Eli Lilly and Company (Lilly) SEC Complaint for books and records violations. I reviewed the enforcement actions and concluded, based upon the deficiencies noted by both the DOJ and SEC, that these enforcement agencies were classing distributors the same as agents or other similar entities in the sales chain.

In the S&N enforcement action, it was clear that S&N had not performed sufficient due diligence on these distributors, nor did they document any due diligence that they may have engaged in. In the Lilly case, the policies and procedures in place to flag unusual distributor discounts were deficient, as the enforcement action “noted that the company relied on representations of the sales and marketing manager without adequate verification and analysis of the surrounding circumstances of the transactions.” The Oracle enforcement action demonstrated that Oracle needed to institute the proper controls to prevent its employees at Oracle India from creating and misusing the parked funds in the distributor’s account, and that Oracle needed to audit and compare the distributor’s margin against the end user price to ensure excess margins were not being built into the pricing structure. What I gleaned from these enforcement actions was that the full five steps suggested for agents and other third parties in the sales chain were needed for distributors. They are (1) Business Justification; (2) Due diligence, the level being based on your risk assessment; (3) Evaluation of due diligence; (4) Written contract with compliance terms and conditions; and (5) Management of the relationship going forward.

II. Simon Approach – The Agency Approach

Simon advocated that a risk analysis should more appropriately be based on the nature of a company’s relationships with its distributors. The goal should be to determine which distributors are the most likely to qualify as agents, for whose acts the company would likely be held responsible. He argues that it is a continuum of risk; that is, on the low-risk end are distributors that are really nothing more than re-sellers with little actual affiliation with the supplier company. On the high-risk end are distributors who are very closely tied to the supplier company, who effectively represent the company in the market and end up looking more like a quasi-subsidiary than a customer.

Simon looks at agency principles to guide his analysis of whether a distributor qualifies as an agent for FCPA purposes. He argues that factors to consider include:

  • The volume of sales made to the distributor;
  • The percentage of total sales of the distributor’s total business the principal’s product represents;
  • Whether the distributor represents the principal in the market, including whether it can (and does) use the company trademarks and logos in its business; and
  • Whether the principal company is involved in the running of the distributor’s business (such as by training the distributor’s sales agents, imposing performance goals and objectives, or providing reimbursement for sales activity).

Once a company segregates out the high-risk distributors that likely qualify as agents and potentially subject the company to FCPA liability from those that are mere resellers and pose less FCPA risk, FCPA compliance procedures can be tailored appropriately. For those distributors that qualify as “agents” and also pose FCPA risk, full FCPA due diligence, certifications, training and contract language are imperative. For those that do not, more limited compliance measures that reflect the risk-adjusted potential liability are perfectly appropriate.

III. Athanas Approach – Management of the Relationship

I often say that once you have a business justification, perform and evaluate due diligence on an agent and then ink a contract, your real work now begins, as you have to manage that relationship going forward. Athanas set out a plan to assist in that management component, under which he provides a framework to help provide a business justification, assess/manage and document any discount offered to a distributor; all of which he calls the ‘Discount Authorization Request’ (DAR) and states as follows:

1. Capturing and Memorializing Discount Authorization Requests

Athanas says that it all begins with a DAR. This is so important that he argues a DAR template should be prepared, which is designed to capture the particulars of a given request and allow for an informed decision about whether it should be granted. Because the specifics of a particular DAR are critical to evaluating its legitimacy, it is expected that the employee submitting the DAR will provide details about how the request originated as well as an explanation in the business justification for the elevated discount. In addition, the DAR template should be designed so as to identify gaps in compliance that may otherwise go undetected.

2. Evaluation and Authorization of DARs

The next step is that channels should be created to evaluate DARs. The precise structure of that system will depend on several factors, but ideally the goal should be to allow for tiered levels of approval. Athanas believes that three levels of approval are sufficient, but can be expanded or contracted as necessary. The key is the greater the discount contemplated, the more scrutiny the DAR should receive. The goal is to ensure that all DARs are vetted in an appropriately thorough fashion without negatively impacting the company’s ability to function efficiently.

3. Tracking of DARs

Lastly comes the Document, Document, Document component. Once the information gathering, review and approval processes are formulated, there must be a system in place to track, record and evaluate information relating to DARs, both approved and denied. The documentation of the total number of DARs allows companies to more accurately determine where and why discounts are increasing, whether the standard discount range should be raised or lowered, and gauge the level of commitment to FCPA compliance within the company. This information, in turn, leaves these companies better equipped to respond to government inquiries down the road.

IV. Bringing It All Home

You do not have to dream like Van Cliburn did but you can try other or new approaches. Whether you use the Fox ‘Full Monty’ approach or the Simon ‘Agency’ approach will depend on many different factors unique to your organization. You are only limited by your imagination. There may well be other approaches you can take if they are carefully thought out and well-reasoned.

But whatever approach you take on risk ranking and performing due diligence on your distributors, I would urge you to use Athanas’ DAR system or something similar to it. While it is of the utmost importance that you do so from the compliance perspective, the business reason is even more compelling. A company really does need to know what discounts it is giving to distributors and why they are receiving said discounts.

I hope that you have enjoyed our discussion and dialogue on distributors this week. I wanted to thank, once again, David Simon and Bill Athanas for their most excellent and timely posts. I certainly have learned quite a bit.


© Thomas R. Fox, 2013

February 25, 2013

Distributors Should Be Analyzed As Any Other Third Party Representative in the Sales Chain

Ed. Note – David Simon is a partner at Foley and Lardner and Bill Athanas is a partner at Waller Lansden Dortch & Davis, LLP. Both have practices which include FCPA compliance. After my recent post on distributors under the FCPA, David and I had a dialogue on how distributors should be reviewed and analyzed under the FCPA. Bill also had some thoughts on the subject. I asked them if they would contribute guest posts with their ideas.

As this is the first time that I have had a dialogue with two other FCPA practitioners based on a post, this week we will have three days of discussion and dialogue on distributors. Today, I provide my suggestions on how to risk rank and then manage distributors. Tomorrow, David will contribute his thoughts on a different approach. On Wednesday, Bill will lay out his ideas on the topic. Finally, on Thursday I will try to wrap up and weave together our three articles. I hope that you will find this series instructive and useful. I know I certainly have in my dialogues with these two other excellent FCPA compliance practitioners.

In today’s post, I advocate that distributors should be treated as any other third party representative in the sales chain, i.e., agents and resellers.

============================================================================================

In 2012, there were three enforcement actions which I believe made clear that there were no distinctions between agents and distributors. They were the Smith & Nephew, Inc. (S&N) Deferred Prosecution Agreement (DPA) for criminal FCPA violations, the Oracle SEC Complaint for books and records violations and the Eli Lilly and Company (Lilly) SEC Complaint for books and records violations.

These enforcement actions involved three separate bribery schemes which I believe call for three different but overlapping responses. In the case with Lilly, the SEC Complaint noted the following “Lilly-Brazil’s pricing committee approved the discounts without further inquiry. The policies and procedures in place to flag unusual distributor discounts were deficient.” Lastly, as stated by Matt Ellis, the enforcement action “noted that the company relied on representations of the sales and marketing manager without adequate verification and analysis of the surrounding circumstances of the transactions.”

The Lilly enforcement action also makes clear the need for internal audit to follow up with ongoing monitoring and auditing. Internal audit can be used to help determine the reasonableness of a commission rate outside the accepted corporate norm. As stated by Jon Rydberg, of Orchid Advisors, in an article entitled “Eli Lilly’s Remedial Efforts for FCPA Compliance – After the Fact”, the company should be “implementing compliance monitoring and corporate auditing specifically tailored to anti-corruption” for the distributor sales model.

The Oracle enforcement action demonstrates that Oracle needed to institute the proper controls to prevent its employees at Oracle India from creating and misusing the parked funds in the distributor’s account. The Company needed to audit and compare the distributor’s margin against the end user price to ensure excess margins were not being built into the pricing structure. Oracle should have sought to either (1) seek transparency in its dealing with the distributor or (2) audit third party payments made by the distributors on Oracle’s behalf, both of which would have enabled the Company to check that payments were made to appropriate recipients.

What are some of the factors that demonstrate the distributors used by S&N were fraudulent and did not have a legitimate business purpose? It was clear that S&N did not perform sufficient due diligence on these distributors, nor did they document any. I would note that the distributor was domiciled in a location, the UK, separate and apart from the sole location it was designed to deliver products or services into, Greece. This clearly demonstrated that the entities were used for a purpose that the company wished to hide from Greek authorities. While it is true that a distributor might sell products into a country different from its domicile, if the products are going into a single country, this should have raised several Red Flags.

However, the biggest indicium of corruption was the amount of the commission paid. The traditional sales model for a distributor has been to purchase a product, take title, and therefore the risk, and then sell it to an end user. Based upon this sales model, there has been a commission structure more generous than those usually accorded a reseller or sales agent, who is usually only a negotiator between the Original Equipment Manufacturer (OEM) and the end user. This difference in taking title, and risk of loss, has led to a cost structure which has provided a deeper discount of pricing for distributors than commission rates paid to resellers or sales agents. The sales structure used by S&N had pricing discounts of between 26% and 40% off the list price. Further, this money was used precisely to pay bribes to Greek doctors to use S&N products.

These three enforcement actions make clear that distributors will be treated like any other representative in the sales chain. This means that distributors need to go through the same rigorous due diligence and review, contracts and management going forward as agents or resellers.


© Thomas R. Fox, 2013

July 31, 2012

How Do You Change to a Culture of Compliance? Go See The Twilight Zone Movie

As a compliance practitioner, how often have you heard something along the lines of “But we’ve always done it that way” or [my favorite] “That’s the way those people do business”? As a recovering trial lawyer, I spent the first 18 years of my career largely defending companies which were sued for catastrophic injury claims. From this vantage point, I saw the cost to corporations in the form of jury awards and the insurance premiums that they paid for commercial general insurance coverage. A large part of it was due to the fact that safety was not mission critical to most of the companies that I represented.

However, this began to change in the late 1980s/early 1990s. Companies began to make clear, in a very public manner that safety was the No. 1 priority for them. One of the most public changes was at Exxon after the Exxon Valdez oil spill, where senior management made it clear that as closely as Exxon’s management watched costs, it also made clear to every worker that the one cardinal sin was skimping on safety. I recently saw an article, from a completely unrelated industry which made the same type of change, published in the online journal Slate, entitled “How tragedy on the set of the 1983 feature-length adaptation of The Twilight Zone changed the way movies are made”, where author Robert Weintraub reviewed the changes in movie-making safety after a horrific accident, on the set of the movie The Twilight Zone, led to the death of three actors.

The deaths occurred in a scene where the actor Vic Morrow was carrying two child actors to safety from a bombing raid. With cameras rolling, the helicopter which was bombing the children’s village was engulfed in fireballs forcing it down into a river where the actors waded. As a hundred or so people looked on, the right skid of the aircraft crushed 6-year-old actor Renee Chen. The helicopter then toppled over, and its main blade sliced through Morrow and 7-year-old actor Myca Dinh.

There were civil suits against the studio and the film’s director John Landis, which were all settled. However, Landis and three others were criminally charged with involuntary manslaughter, and they were all found not guilty by a Los Angeles jury in 1985. As horrible as all of this was, Weintraub found that “some good did come of it.” The movie making culture was changed in three significant ways in the industry’s approach to safety.

Movie Industry Response

The first change noted by Weintraub was in the industry’s attitude and approach to safety. At Warner Bros., Vice President John Silvia “convened a committee that created standards for every aspect of filmmaking, from gunfire to fixed-wing aircraft to smoke and pyrotechnics.” All the unions and guilds in the business were represented. The committee’s codicils were collected into a group of standards called Safety Bulletins. The studios then issued a manual to their employees based on the bulletins, known as the Injury and Illness Prevention Program. Every time there was a serious accident on a movie site, a New Safety Bulletin was issued.

Insurance Industry Response

The insurance industry made sure that safety provisions stuck, though the reason the insurance industry did so was market based. Weintraub noted that before the disaster on The Twilight Zone movie set, insurance companies did not view the movie business as a source of profit. Because of the low level of safety on film sets, the likelihood of an accident and payout was just too high for carriers to make money. However, after the incident, the movie industry’s commitment to improving safety, along with increasing budgets, made Hollywood a better risk and therefore allowed greater profits to be made by insurers. With more affordable insurance rates to underwrite movie shoots, such liability insurance became a basic part of the movie-making business. But this meant that, in large part, the movie industry had to dance “to the insurance industry’s tune. The insurance companies want to know everything. They want your resume, the resumes of everyone participating. They want to see your licensing, a list of materials, the number of people working on each shot, the distance they will each be from the explosive, the number of fire extinguishers available on set. Then the fire department comes out to look at what you’re doing, and they have a long list of safety criteria to meet, too. It’s a pain in the butt, sure, but that’s the way it is.”

Risk Management

The Twilight Zone disaster also led to the creation of a Risk Management position for movie making. Weintraub quoted Chris Palmer, a risk management consultant who was a part of the original committee which created the safety standards, who said “The Twilight Zone accident created my job. It was a sea change in the movie industry. No one in risk management was ever on set before then.” Unlike the insurance industry, which helps companies manage risks through financial instruments, risk management attempts to avoid or at least control risk.

Risk managers like Palmer become involved in a film long before principal photography begins, scanning scripts for issues, starting with the location. Weintraub quoted Palmer again for the following, “If you want to shoot in the Caribbean during hurricane season,” Palmer says, “you’ve got a problem, unless you have a specific plan in place to protect the production.” Additionally, a risk manager such as Palmer can act as a safety valve, similar to an anonymous reporting line in a compliance program. One of Palmer’s jobs on a movie set is to step in when crew members want to play it safe but feel their careers would be in jeopardy if they spoke up. Palmer was quoted as saying “I can’t be terminated by the director or producer. … That takes the pressure off the crew because it can be intimidating to be the one to stand up and say ‘hold on.’”

I found the major point of the article to be that a company can change the way it does business. I personally observed the energy industry become more conscious about safety and build it into every level of a company’s DNA. Weintraub’s article made it clear that the movie industry also went through a sea change of culture when it came to safety. So the next time you hear the mindless prattle of “But we’ve always done it that way,” point them to the changes in safety over the past 20 years. And the next thing you should consider is going to the head of your company’s Safety Group, sitting down with them, and getting some ideas on how to change your company’s compliance culture.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

June 12, 2012

Napoleon’s Invasion of Russia and Risk Management

Poster: Napoleon’s March

Today, June 12, is the traditional date given for Napoleon’s invasion of Russia. I cannot think of a better anniversary to use to introduce the discussion of risk management. Do you think he made a risk assessment so that he could manage his risks? If he did, what were his risks and how would he go about managing them? While more of a post-mortem than a risk assessment, the chart at the right is probably the best statistical graphic ever drawn. It is a data map drawn by Charles Joseph Minard showing the losses suffered by Napoleon’s army in the Russian campaign of 1812. Beginning at the Polish-Russian border, the thick band shows the size of the army at each position. The path of Napoleon’s retreat from Moscow in the bitterly cold winter is depicted by the dark lower band, which is tied to temperature and time scales. Certainly an excellent visual representation.

It struck me, thinking about risk assessments and risk management, that as companies become more mature in their compliance programs, they can use the information generated in a risk assessment in a variety of ways to build an overall risk management program. In an article in the June issue of the Harvard Business Review, entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes posit that the initial step a company must take to create an effective risk management system is to understand “the qualitative distinctions among the types of risk that an organization faces.” The authors separate business risk into three categories: (1) Preventable Risks; (2) Strategy Risks; and (3) External Risks. They state that companies should design a risk management strategy for each category, because what may be an adequate risk management strategy for preventable risks is “wholly inadequate” for the management of strategy or external risks.

Category I: Preventable Risks. These are internal risks, arising from within an organization. The authors believe that “companies should seek to eliminate these risks since they get no strategic benefits for taking them on.” The authors specifically mention anti-corruption and anti-bribery risks as falling in this category. This risk category is best managed through active prevention, both through operational processes and by training employees’ behaviors and decisions towards a stated goal. The control model for preventable risks is an integrated culture and compliance model. Such a system would typically consist of a Code of Conduct or Business Ethics, standard operating procedures, internal controls that spell out the requirements, and internal audit to test whether those controls are working. The role of the Compliance Department in managing Category I risks is to coordinate and oversee the compliance program and then revise the program’s controls as needed on an ongoing basis, all the while acting as independent overseer of the risk management function for the business units.

Category II: Strategy Risks. These are risks which a company may accept in some form because they are “not inherently undesirable.” In other words, a company may be willing to accept some risks in this category in order to increase profits. This category of risk cannot be managed through the rules-based system used for preventable risks; instead, the authors believe that “you need a risk management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.”

The authors list several specific techniques to use as the control model for strategic risks. These include “interactive discussions about risks to strategic objectives drawing on tools” such as heat maps and key risk indicator scorecards. The Compliance Department’s role here is to run risk management workshops and risk review meetings, usually acting as the “devil’s advocate” to the business units involved. Another key role of the Compliance Department is the marshaling and the delivery of resources allocated to mitigate the strategic risk events identified in this process. Finally, the authors believe that the relationship of the Compliance Department to the business units in managing a Category II strategic risk is to act as “independent facilitators, independent experts or embedded experts.”

Category III: External Risks. These are risks which arise outside the company’s control and may even be beyond its influence, such as a natural disaster or an economic system shutdown like a recession or depression. The authors note that because companies cannot prevent such risks, their risk management strategy must focus on identifying the risk beforehand so that the company can mitigate it as much as possible. Recognizing the maxim that ‘you don’t know what you don’t know’, the authors see the control model for Category III risks as “envisioning risks through: tail-risk assessments and stress testing; scenario planning; and war-gaming” with the management team. For Category III risks, the authors believe the relationship of the Compliance Department to the business units is either to complement the strategy team or to “serve as independent facilitators of envisioning exercises.”

The authors conclude with a discussion of the leadership challenge in managing risks, which they believe is quite different from managing strategy. The reason is that managers “find it antithetical to their culture to champion processes that identify the risks to strategies they helped to formulate.” Nevertheless, without such preparation, the authors believe that companies will not be able to weather risks which turn into serious storms under the right conditions. They believe the key element is that the risk management team must have a direct reporting line to senior management, because “a company’s ability to weather [risk] storms depends very much on how seriously executives take their risk-management function when the sun is shining and there are no clouds on the horizon.” I could not have said it better myself.

© Thomas R. Fox, 2012