FCPA Compliance and Ethics Blog

October 6, 2014

Chief Compliance Officer as Chief Persuasion Officer

Shuba and RobinsonThe roles of a Chief Compliance Officer (CCO) can be many and varied but one role of any successful CCO is that of Chief Persuasion Officer (CPO). I say this because it is often the case that the most a CCO has in his or her arsenal is the ability to persuade. While there may be times that the CCO can veto something outright, it may not only be difficult but also risk long-developed corporate political capital that might be best used at another time or in another arena. I thought about this concept of persuasion and how even the smallest gesture can pay great dividends when I read the New York Times (NYT) obituary of George Shuba. Shuba was a little known outfielder from the old Brooklyn dodgers who had a decent seven-year professional career with the team. He played on the losing side in two World Series in 1952 and 1953 but was with the Dodgers for their only win over the Yankees in the World Series of 1955.

However, Shuba is remembered for one dramatic gesture. In 1946, both he and Jackie Robinson were playing for the Dodgers farm team, the Montreal Royals. In the first professional game that Robinson played when he was the first African-American to break the color line; Robinson hit a home run in the third inning. Shuba was on deck and went to the plate to shake Robinson’s hand. A photographer was on hand to snap a picture and when that photo went out over the wire services it was viewed as a gesture of racial tolerance. While there would be many opposite events for Robinson when he finally made it up to the major leagues, that one picture made a difference. Shuba’s comment on the 60th anniversary of the handshake, “I couldn’t care less if Jackie was Technicolor.”

Such small gestures can make a difference. I recently read a book review in the New York Review of Books, for a biography of Dale Carnegie by Steven Watts, entitled “Self-Help Messiah: Dale Carnegie and Success in Modern America, penned by Ian Frazier. Carnegie is of course well known for his seminal work “How to Win Friends and Influence People” first published in 1936. I was somewhat surprised to learn that the text was largely drawn up as transcripts to lectures Carnegie was giving in New York City in the mid-1903s. Carnegie’s main thesis was to provide concrete steps on how ordinary people could help master the art of persuasion. While it has been some time since I read this book, what I recall is that to influence people, one has to listen to them. So for me, the book was about how to become a better listener.

I cannot say enough about this skill for a CCO. If you hear any long-term CCO speak about their job, they will tell you it is largely about listening to people; whether those people are employees, senior management or the Chief Executive Officer (CEO) and Board members. By listening to others you not only hear, and hopefully will come to understand their concerns, but you allow them to come to decisions themselves and you are not in the position of telling them what to do. It is a skill that has served many CCOs very well for many years.

I recently wrote about a presentation at the SCCE 2014 Compliance and Ethics Institute about influence and was reminded of this when I read an unattributed article in the Financial Times (FT) entitled “Persuasion for the time pressed”. In this article it discussed Professor Robert Cialdini, the Regents’ Professor of Psychology and Marketing and Arizona State University. Professor Cialdini is one of the leading proponents of ‘persuasion science’, which draws upon various disciplines, including “psychology, neuroscience and behavioural economics”. The Professor has been in this field for over 30 years and has been dubbed “The Godfather of Influence” based upon his work. One of his insights was that corporations should have a “chief persuasion officer” because such a person can help to bring influence upon others and “often it is the smallest changes that can make the biggest differences.”

In his work, entitled “Influence: The Psychology of Persuasion”, Professor Cialdini laid out what he believed to be six “universal principals of persuasion” which I have adapted for the compliance practitioner.

  1. Reciprocity – Cialdini believes that people will feel obligated to return favors performed for them. But for the compliance practitioner, I think this means listening and using skills to help manage risk or even high-risk areas. One of the points of compliance is that unless a transaction involves bags of cash being paid to get a deal done, there usually a way to manage compliance risk. If you, as a CCO, can help an executive or your company to successfully manage a high compliance risk, this will be remembered.
  2. Authority – Cialdini believes that people look for experts to show them the way. The Department of Justice (DOJ) expects a company’s compliance experts to have subject matter experts (SMEs) on Foreign Corrupt Practices Act (FCPA) anti-corruption compliance programs. This is made clear in the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program. For the CCO, Cialdini’s insight is that you or someone on your staff must be able answer the day-to-day questions that come up on doing business not only in compliance with the FCPA but your company’s compliance regime.
  3. Scarcity – Here Cialdini takes a slightly different tack by noting that the less a resource is available, the more people want it. For the CCO, I think this translates to the scarcity of your time. A good chuck of your time must be spent at the corporate office but a large amount must be spent out in the field. Your employee base will respond to you more often and with a deeper symbiosis if you can get out into the field and meet people.
  4. Liking – Noting the self-obvious Cialdini says that the more people like you, the more they want to say yes to you. However, as noted in point 3 above, for the CCO I think this means getting out into the field, training employees who want to do business the right way on how to do so and simply meeting and talking with them. In my corporate life I put on contract and transaction law training across the world for the company’s business units and the universal response was along the line of ‘thank you for coming out here to talk to us.’
  5. Consistency – Here Cialdini intones that people want to act on concert with their values. I believe that most people do want to conduct their business ethically and in compliance with anti-corruption laws such as the FCPA. By providing them a way to do so, you can help them do something they were inclined to do anyway. I once had an employee in the Far East tell me that there was more then enough business for the company to garner in the middle of the road. He did not see the need to even get close to the line of bribery and corruption. With that type of attitude, a CCO can almost be a facilitator.
  6. Social Proof – This can be a tricky one for a CCO. Cialdini believes that people will look to others on what to do to guide their own behavior. This means that a compliance program must have sufficient incentives to get the message of compliance through middle management and down to the troops. Simply put if employees see a high revenue producer get bonuses and promotions for conduct which may violate your company’s Code of Conduct; they will come to believe in short that management is much more concerned about the bottom line than doing business ethically and in compliance.

From these articles and perspectives, I believe that several conclusions can be drawn. First, as in the case of George Shuba, a little can mean a lot. Second, from Dale Carnegie, one of the primary keys to influencing people is to listen to them. Thirdly, from Professor Cialdini, a CCO can be a CPO and by using the six principals of persuasion, can create a more effective compliance program. Finally, always seek to improve your soft skills.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 17, 2014

Use of Influence in the Compliance Function

IMG_1213One of the challenges for any Chief Compliance Officer (CCO) is how to influence the conduct and actions in a corporate environment, particularly as compliance is viewed as non-revenue generating and usually does not exist simply to protect the company, which is how the legal department is often viewed. Folks like myself who came into compliance from the legal function tend to think of a top-down approach where compliance is centralized at the corporate officer, usually in the United States. But because the role is very different than that of a General Counsel (GC), a CCO needs to bring another skill set to bear to do his or her job. In a session at the SCCE 2014 Compliance and Ethics Institute, SCCE Chief Executive Officer (CEO) Roy Snell and Jenny O’Brien, CCO at United Health Care, talked about the techniques that a CCO can use to influence decision making in a company in order to do business in compliance and ethically.

Snell began the session with some basic questions about why there are positions such as a CCO and why there is a compliance function within an organization. After all, departments like legal and internal audit have existed in business organizations for up to at least a few hundred years. He posed two questions that I found interesting “Why are we here?” and “What did those who came before us to fail to do?” He listed some of the scandals from the late 90s and early 00s such as Enron, WorldCom, HealthSouth, Adelphia and others where he believed that the problems, which led to the disintegration of these organizations, were well known within the companies themselves. So the situation was not that people did not find the problems, the issue was that the people inside these organizations did not fix the problems. Snell believed that the persons who could and would have stood up to raise questions or say this should stop lacked some skill or ability to influence others to make the right decision. He concluded that such business and ethical collapses were a failure of influence.

This led into his presentation with O’Brien about techniques for a CCO to employ to help influence decision-making within an organization. They labeled them as the “Seven Steps of Influence” and they are as follows:

  1. Collaboration. O’Brien emphasized that as a CCO you need to know your company’s business. If you are new to an organization she said you must take time to learn the business. You should sit in on sales meetings and, when appropriate, you should go out on sales call. Channeling her inner Atticus Finch, she characterized this as walking in the shoes of the business leaders you are assisting. By doing so, you will not only understand the products and services that your company offers but also the challenges that your business development team will face out in the world.
  2. Here O’Brien emphasized that she has to work constantly at active listening, which is listening, thinking and then speaking, and not just jump into the middle of a conversation, talk to people in a manner that will address their concerns. When you do speak you should be prepared to make the case for the compliance proposition that you are trying to get across. She noted that as a CCO or compliance practitioner, you should strive to be relevant in every interaction you have with your senior management peers. O’Brien said that sometimes it means speaking up at meetings or other forums but sometimes it means listening. You should try to develop a rapport with your business team and this rapport can lead to trust building.
  3. Relationships. Snell opened his remarks on this topic by intoning that by relationships he did not mean inter-personal relationships. He believes that it is mainly through relationships with other functions in an organization that a CCO or compliance practitioner can best bring influence to bear. It all begins with building trust with others within your organization. Invest time to find others in your organization that you want to work and with those with whom you desire to build relationships. Snell believes that some of the more key relationships that a CCO or compliance practitioner can develop are with the audit function, the legal department, Human Resources, IT and corporate communications. Snell said that when one of these groups offered to help him move the ball forward in compliance he always viewed it as a positive and wanted to work with these and other corporate groups. He did not view it as a turf war at all. The only thing that he said he requested were the terms of working together. Of those, he said the most important was that if another group in the company took on some project related to compliance, such an internal audit, that the group finish whatever they take on.
  4. Humility. O’Brien believes that humility is important because it empowers. Moreover, it can empower others to expand the circle of influence and get others in a corporation to influence an ever-expanding circle on behalf of compliance. The CCO does not need center stage. She reiterated her belief that business units should solve compliance issues, as compliance is really just another business process. Further, through such influence where you can get the business unit resources to solve a compliance problem, you will hold down the costs of the compliance function. She ended by noting that it is not about being right but about moving the compliance ball forward in the right direction.
  5. Negotiation. Here Snell said that negotiation should not be about the dichotomy of winning and losing an argument or debate. A CCO should strive to redefine what a win might look like or what a win might consist of for a business unit employee. He said that when faced with such a confrontation, he would try to determine what both sides wanted then give them something else in addition to what they thought they wanted. He provided the example of a CCO quietly listening and when the room is just right and all the participants are worn out, you, as the compliance practitioner, throw out an idea where the apparent loser in the argument receives even more than they thought they were asking for in the requesting. A CCO can be considered a mediator not just simply an enforcer or Dr. No from the Land of No. He ended by saying that as a compliance practitioner you need to learn the art of compromise.
  6. Triple ‘C’. What do the three C’s stand for? Calm, cool and collected. O’Brien believes that all company employees, up and down the chain, are watching the CCO. For this reason, she said that as a compliance practitioner you should be poker faced. To this end she keeps the sign “Keep Calm and Carry On” in her office. She believes that the Triple C’s are important because organizations look to the CCO to solve complex issues with simple solutions. When faced with a compliance issue or an obstacle you should endeavor to keep everything on an even keel and never let them see you sweat.
  7. Credibility. The final of the seven pillars was that the CCO role needs to be adequately scoped and that the accountabilities need to be clearly defined. Put another way, what is your job scope as the CCO and what is the function of the compliance department? What is your accountability to decide the resolution to an issue? Snell agreed with O’Brien that there should be business unit ownership for every issue that comes into the compliance department. Yet, as a CCO, you must demonstrate your value as a non-revenue function. This may require you to get out of your office and put on a PR campaign for compliance. Finally, Snell ended by saying that a CCO needs to guard their independence in job function and reporting. You must make clear that you will have independent reporting up to the Board or Audit Committee of the Board.

Snell concluded by reminding us all that influencing is not a one-time activity. It is ongoing. Tying back to his original question of why the compliance function exists in the quantum it does today, he said that he believes a CCO or compliance practitioner exists to help influence a company to build a better business environment by acting more ethically and responsibility. By moving the ball forward in this manner, it may well lead to a country’s economy to be trusted which could well lead to greater economic development.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

September 9, 2014

SCCE 2014 Compliance and Ethics Institute

SCCE LogoNext week, from September 14-17, the Society of Corporate Compliance and Ethics (SCCE) will hold its 13th annual Compliance and Ethics Institute in Chicago. For my money, it is the top event for compliance practitioners held each fall. This year is no different and Roy Snell and his team have put together a fabulous event for anyone even remotely interested in the field of compliance and ethics. I wanted to highlight some of the reasons why you should attend and some of the reasons why I am attending.

The individual sessions are arranged into learning tracks to help facilitate course selection. Each track is arranged around a specific area of interest, enabling the attendees to quickly find the sessions that match their educational needs. The learning tracks are designed so that someone can follow one learning track all the way through, or hop around between them. The learning tracks include the following:

 General Compliance/Hot Topics

Here you can cover everything from Compliance 101 to hot topics like detecting identity theft and privacy breaches. This track will keep you up to date on everything that is currently happening in the compliance and ethics environment as well as bring you back to the basics and keep you grounded. Learn what you need to know from compliance & ethics officers, regulators, outside and in-house counsel, auditors, providers and industry experts.

Risk

This learning track, developed by Risk Track Program Chai, Greg Triguba, is designed to provide insight into how to effectively manage the risks your company faces. In today’s business environment, risk and how to effectively manage it has become a top priority for most organizations. The specific sessions are focused on top compliance and ethics risks. There will be interactive sessions led by experts in the compliance, ethics, and risk management field. Participants in this track will take a deep dive into important risk areas and will learn strategies for effectively managing these risks.

Ethics

This track allows you to immerse yourself in ethics. The SCCE believes, and I hardily agree, that there are few things more challenging or rewarding to manage than ethics issues. Moreover it is a topic upon which everyone has an opinion. The subtleties are great and they can make all the difference in the world. The sessions will cover the considerations that compliance and ethics professionals need to understand and manage effectively.

Case Studies

The Case Studies learning track is designed to present the facts detailing just what companies have actually done to effectively manage ethical challenges and will take you inside companies to show you how they have handled specific issues in real world situations.

Multi-National/International

For companies facing new and fast changing complexities, SCCE will present the International/Multinational learning track, which is chaired by Marjorie Doyle. This learning track will take a deep dive into the needs of the global compliance program and the topics that are creating the biggest challenges for global companies today.

Advanced Discussion Groups

There will also be the ever-popular Advanced Discussion Group. This learning track is designed for the more ‘Been there, done that?’ Join an advanced discussion group and share what you know. If you are an experienced compliance and ethics professional or are looking for a more interactive program, this provides you with the opportunity to gain greater insight and knowledge, as well as share back with others in our profession. Each Advanced Discussion Group session is designed to involve everyone in the room. There are no formal presentations, just discussion facilitated by industry experts.

Compliance Lawyer

Here we have a new offering for in-house and outside counsel practicing in any compliance related field. This learning track is designed to meet the specific needs of the legal community on the hot compliance topics for legal counsel. If you attend this learning track you will be rewarded with insights of value to your compliance practice and your clients.

But the SCCE National Compliance and Ethics Institute is much more than even these fabulous learning track sessions. One of the things that has always impressed me with the SCCE and this event is the way they use and treat vendors. The vendors are clearly viewed as a part of the overall compliance and ethics solution that we are all working towards, not as some sponsor who is simply there to peddle some wares in the farthest of the back rooms. So the vendors will be located in a large exhibit hall where they will be lined up for easy viewing and access.

Moreover, the exhibit hall doubles as the breakfast/coffee/refreshments/cocktail hour room. Each time there is a break and the conference delegates get together, you not only have the opportunity to visit with other compliance professional but view some of the newest, coolest and most useful products and services in the compliance space. Are vendors in business to make sales? That answer would be yes. But at the conference, they take up the mantle of education as much as any speaker and use the form to help educate compliance professionals on their offerings and how they can assist your company to move the ball forward in ethics and compliance.

On Sunday, September 14, SCCE is hosting two events, SpeedNetworking and SpeedMentoring, which you should consider. If you are looking to build out your network with like-minded ethics and compliance professionals, I would recommend you sign up for the SpeedNetworking session. It can be an enjoyable manner in which to connect with peers who share your challenges in a wide-range of compliance arenas.

If you are looking for a mentor in the compliance and ethics space, then the SpeedMentoring session is the place for potential mentors and mentees to be connected ‘face-to-face’. I would suggest that if you are a seasoned compliance professional and are willing to give back to the compliance profession by sharing your expertise, you should sign up to be a mentor.

Whichever option you choose you are in control of the people you connect with and are provided with an excellent opportunity to learn from others and grow long-lasting professional relationships. I hope that you will join my in Chicago next week. It looks to be a great event.

Information on the SCCE Compliance and Ethics Institute can be found be clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

August 10, 2014

Where to Now St. Peter? – Due Diligence Going Forward in China

Tumbleweed ConnectionWhatever you might think of where his career went, Elton John had some great early stuff. I still rank Tumbleweed Connection right up there as one of my favorite albums of all-time. And while it was packed with some great tracks, one of my most favorite was Where to Now St. Peter? It was the opening track on Side 2 and dealt with whether a dying soldier would end up in heaven or hell. While perhaps having quite the spiritual overtones, I did think about this song when I read about the convictions on Saturday of Peter William Humphrey, a 58-year-old British national, and his wife, Yu Yingzeng, a 61-year-old naturalized American, on charges of illegally purchasing personal information about Chinese nationals.

In a one day trial the couple was convicted of illegally purchasing information on Chinese citizens. In an article in the Financial Times (FT), entitled “China court hands GSK investigator jail term and orders deportation”, Gabriel Wildau and Andrew Ward reported that husband Humphreys received a two and a half year jail term which was “just short of the three-year maximum”. In an article in the Wall Street Journal (WSJ), entitled “China Convicts Two Corporate Investigators”, James T. Areddy and Laurie Burkitt reported that he was also ordered to pay a fine of approximately $32,500 and will be deported from the country when his jail term is completed. Wife Yingzeng received a two year jail term and was ordered to pay a fine of approximately $23,000 but will be allowed to remain in the country after her sentence is completed.

In a New York Times (NYT) article, entitled “In China, British Investigator Hired by Glaxo, and Wife, Sentenced to Prison”, David Barboza reported that the couple “acknowledged that from 2009 to 2013, they obtained about 250 pieces of private information about individuals, including government-issued identity documents, entry and exit travel records and mobile phone records, all apparently in violation of China’s privacy laws.” According to the NYT article, wife Yu claimed that she did not know her actions where illegal and was quoted as saying, “We did not know obtaining these pieces of information was illegal in China. If I had known I would have destroyed the evidence.” According to the WSJ, the privacy law which was the basis of the conviction, was enacted in 2009 “to make it illegal to handle certain personal medical records and telephone records” but that the law itself “remains vague” on what precisely might constitute violation.

From the court statements, however, it did appear that the couple had trafficked in personal information. As reported by the WSJ, “In separate responses over more than 10 hours, My Humphreys and Ms. Yu denied that their firm trafficked in personal information, saying they had hired others to obtain personal data when clients requested it.” From the documents presented by the prosecution, it would seem clear that the couple had obtained my items which were more personal in nature. They were alleged by prosecutors to have “used hidden cameras to gather information as well as government records on identification numbers, family members, real-estate holdings, vehicle owner, telephone logs and travel records.”

Recognizing the verdicts under Chinese laws are usually predetermined and the entire trials are scripted affairs, there is, nonetheless, important information communicated to the outside world by this trial. First and foremost is, as reported in the NYT article is a “chilling effect on companies that engage in due diligence work for global companies, many of whom believe the couple may have been unfairly targeted.” The WSJ article went further quoting Geoffrey Sant for the following, “It impacts all attempts to do business between the U.S. and China because it will be very challenging to verify the accuracy of company or personal financial information.” In other words, things just got a lot tougher to perform, what most companies would expect to be a minimum level of due diligence.

Second is the time frame noted in the court statements as to the time of the violations, from 2009 to 2013. Many had assumed that Humphreys and Yingzeng’s arrests related to their investigation work on behalf of the British pharmaceutical giant GlaxoSmithKline PLC (GSK) which was trying to determine who had filmed a sex tape of the company’s head of Chinese operations, which was then provided to the company via an anonymous whistleblower. This would seem to beg the question of whether the couple would have been prosecuted if they not engaged in or accepted the GSK assignment.

But as Elton John asked, “Where to now St. Peter?” You should always remember that performing due diligence is but one of five steps in the management of the third party life cycle. If you cannot perform due diligence at a level that you do in other countries or that you could even have done in China before the Humphreys and Yu trial, you can beef up the other steps to help proactively manage your third parties. I often say that your real work with third parties begins when the contract is executed because then you have to manage the relationship going forward. So, if you cannot perform the level of due diligence you might like, you can put more resources into monitoring the relationship, particularly in the area of invoice review and payments going forward.

In a timely article found in this month’s issue of the SCCE magazine, Compliance and Ethics Professional, Dennis Haist and Caroline Lee published an article, entitled “China clamps down on bribery and corruption: Why third-party due diligence is a necessity” where they discussed a more robust response to the issue as well. They note that the retention of third party’s to do business in China is an established mechanism through which to conduct business. They advise “For multinationals with a Chinese presence, or plans to enter the market in the near future, now is the time to pay close attention to the changing nature of the business landscape as it relates to bribery and corruption.” Further, they suggest that “In order to ensure compliance with ABAC [anti-bribery/anti-corruption] regulatory scrutiny, multinationals must demonstrate a consistent, intentional and systematic approach to third-party compliance.” But in addition to the traditional background due diligence, they believe that companies should consider an approach that moves to proactively managing and monitoring third parties for compliance. Lastly, at the end of the day if a regulator comes knocking from the Department of Justice (DOJ) or Serious Fraud Office (SFO), you will need to demonstrate the steps you have put in place and your active management of the process.

In the FT, WSJ and NYT articles it was clearly pointed out that the invisible elephant in the room was GSK. Also it is not clear what the personal tragedy that Humphreys and Yu have endured will mean for GSK or the individuals caught up in that bribery scandal going forward. Humphreys had previously said that he would not have taken on the GSK sex tape assignment if it had been disclosed to him that the company had sustained allegations of corruption by an internal whistleblower. Perhaps one lesson may be that in the future companies will have to disclosure more to those they approach to perform such investigative services.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 22, 2014

Code of Conduct, Compliance Policies and Procedures-Part I

Policies and ProceduresFor the remainder of this week, I will have a four-part episode on your Code of Conduct and anti-corruption compliance policies and procedures. In today’s post I will review the underlying legal and statutory basis for the documents as a foundation of your overall anti-corruption regime. In subsequent posts, I will review how to go about drafting your Code of Conduct and anti-corruption compliance policies and procedures and how to assess, review and revise them on a timely basis.

The cornerstone of a US Foreign Corrupt Practice Act (FCPA) compliance program is its written protocols. This includes a Code of Conduct, policies and procedures. These requirements have long been memorialized in the US Federal Sentencing Guidelines (FSG), which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The FSG assumes that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct? The starting point, as per the FSG, reads as follows:

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws. 

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program, DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.”

In each DPA and NPA over the past 36 months the DOJ has said the following as item No. 1 for a minimum best practices compliance program.

  1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code. 

Stephen Martin and Paul McNulty, partners in the law firm of Baker and McKenzie, developed one of the best formulations that I have seen of these requirements in their Five Elements of an Effective Compliance Program. In this formulation, they posit that your Code of Conduct, policies and procedures should be grouped under the general classification of ‘Standards and Procedure’. They articulate that every company has three levels of standards and controls. First, every company should have a Code of Conduct, which should, most generally express its ethical principles. But simply having a Code of Conduct is not enough. So a second step mandates that very company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. From the base of a Code of Conduct and standards and policies, every company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors which should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed your Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

June 9, 2014

Why the Compliance Function is Different Than the Legal Function

Joseph WelchI have long been proud of my profession. I would often tell students that they ware about to join a profession which extended as far back as Demosthenes, who practiced his closing orations against crashing sea waves so that the full Greek demos might hear him when he closed a trial. Further, while thoughts of Atticus Finch are never far from a Southern lawyer’s mind, if not aspirations to emulate him, today we celebrate a real life lawyer who did the profession proud. It was on this day, 60 years ago in 1954 that Joseph Welch, then Special Counsel to the US Army, unmasked Senator Joseph McCarthy for what he and his hearings into communism were. In response to McCarthy’s charge, that Frederick G. Fisher a young associate in Welch’s law firm had been a long-time member of an organization that was a “legal arm of the Communist Party,” Welch responded, “Until this moment, Senator, I think I never really gauged your cruelty or your recklessness.” Welch then uttered these immortal lines, “Have you no sense of decency, sir, at long last?” The audience applauded Welch’s stinging comeback. The hearings closed one week later. The US Senate officially condemned McCarthy for contempt against his colleagues later that year.

Unfortunately the legal profession took one in the eye last week when General Motors (GM) released its internal investigation into the company’s failure to recall millions of defective small cars, and found no evidence of a cover-up. As reported by Bill Vlasic in a New York Times (NYT) article, entitled “G.M. Lawyers Hid Fatal Flaw, From Critics and One Another”, stated the GM law department did not come out of this matter looking too well. Vlasic said that “interviews with victims, their lawyers and current and former G.M. employees, as well as evidence in the report itself, paint a more complete picture: The automaker’s legal department took actions that obscured the deadly flaw, both inside and outside the company.”

While GM’s General Counsel (GC), Michael Millikin, survived dismissal in the aftermath of the internal investigation, he certainly did not come out as a GC who was particularly engaged with what was going on in his own department. Vlasic reported, “At least three senior lawyers are among the employees who lost their jobs as a result of the investigation conducted by the former United States attorney Anton R. Valukas… One of the lawyers dismissed this week was William Kemp, who had been orchestrating G.M.’s legal strategy and in-house investigations of the defective ignition switch for more than two years before the recall. Yet it was not until early February, days after a high-level committee finally ordered the switch recall, that Mr. Kemp informed Mr. Millikin of the deadly consequences of the flawed part. G.M. has linked 13 deaths and 54 crashes to the defect.” Two other lawyers reported to have been dismissed, as a result of the internal investigation, were Lawrence Buonomo, head of product litigation, and Jennifer Sevigny.

Equally damning were the internal investigations report that during safety meetings relating to the ignition switch failure, “Mr. Valukas said employees he interviewed told him they had refrained from taking notes in safety meetings “because they believed G.M. lawyers did not want notes taken.”” Beyond this ban on note taking, Vlasic said “The secrecy factor extended to how some employees kept or discarded old emails. According to two former G.M. officials, company lawyers conducted annual audits of some employees’ emails that could be used as evidence in lawsuits against the company.” While GM euphemistically called this email deleting program “information life-cycle management,” when the purpose is to remove evidence that could be used against the company in lawsuits, it once again shines a very bad light on my legal profession brethren.

This sordid tale of the complicity of the GM legal department is all part of what GM Chief Executive Officer (CEO) Mary Barra “denounced as a “pattern of incompetence and neglect” at the company that allowed a defective part to exist in its vehicles for more than 10 years.” But more than simply causing the corpse of Atticus Finch to spin over in his fictional grave, the GM legal department’s role in the company’s debacle points to something that Donna Boehme and Mike Volkov have been articulating and writing about for some time. It is not simply that the Chief Compliance Officer (CCO) needs to be out from under the roof of the GC’s office; it is that the compliance function is different than the legal function.

When I initially went in-house, it was made clear to me that the role of the in-house department in the company I worked for was to protect the company. When I became a GC, I took that role to heart and felt like I was the company’s lawyer (even if the CEO felt like I was his lawyer). But as Boehme points out in her article in the June 2014 issue of the SCCE Magazine, entitled “Toldya. (Reason #119 why Compliance is not a subset of Legal),” there are distinct differences in approaches to doing compliance from practicing law. She said, “one thing is clear – the two functions have very different mindsets, mandates and priorities.” She notes that the legal department mandate is to “advise and protect the company.” However, Boehme believes that the compliance mandate is much broader. She writes, “Compliance, on the other hand, is tasked with detecting and preventing misconduct.” The compliance mandate includes constant vigilance on the integrity of the compliance program, protecting internal whistleblowers (in part to demonstrate to others that it is safe to come forward), and supporting a culture of accountability, especially at levels of management.

I might say that a corporate legal department’s role has traditionally been seen to protect the company from problems, while the role of the compliance function is to remedy problems. Here you can think of McNulty’s Maxim No. 3 – What did you do to fix it when you found out about it? But Boehme takes it a step further by noting, “A well-run compliance program requires hundreds of judgments, big and small, to be made on a weekly basis. The company with the political will to elevate their chief compliance officer to a “separate but equal” status in the C-suite will benefit from those judgments being made with an independent compliance mindset, and not “Always Legal but Occasionally Compliance” prism.”

I often repeat the legal truism that bad facts make bad law. Make no mistake about it; the GM ignition switch imbroglio is very bad. But the GM legal department’s role in the company’s ongoing scandal, clearly points out the difference between the roles of legal and compliance. I am sure that the GM lawyers involved, and those who were terminated, thought their job was to defend the company at all costs. But I have never met a CCO who felt that way. They believe that their job is to prevent, detect and remedy any compliance issues that arise. You cannot do that if you are instructing others not to take notes in relevant meetings, deleting potentially incriminating emails and hiding from your boss that there is a real problem out that that must be dealt with.

For the rest of you out there who are lawyers and reading this, remember Joseph Welch today as a far better example of our historical brethren.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

April 24, 2014

Gifts, Travel and Entertainment under the FCPA – Part III

Travel and GiftsNow that we have reviewed all of the public record pronouncements from the Department of Justice (DOJ) and Securities and Exchange Commission (SEC), this post will try and suggest what you might need in your Foreign Corrupt Practices Act (FCPA) compliance policy and attendant procedures regarding gifts, travel and entertainment. Most generally, every company has three levels of written standards and controls around its compliance function. The first is its Code of Conduct, which every company should have to express its ethical principles. I assume your company has a Code of Conduct but if you are reading this blog post and you do not have a Code of Conduct, call me. The second is its standards and policies, which every company should use to build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. The third, and final component, is procedures, which every company should have to ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

Rebecca Walker, writing in the Society for Corporate Compliance and Ethics Complete Compliance Manual [Second Edition], in an article entitled “Gifts and Entertainment Compliance”,said written policies around gifts, travel and entertainment typically contain the following elements:

  • An introduction explaining why gifts and entertainment are acceptable and why it is important to place limits on them;
  • A discussion of the types of gifts and entertainment that are acceptable (e.g., commonly accepted business courtesies);
  • A discussion of the types of gifts and entertainment that are unacceptable (e.g., cash);
  • Dollar limits and approval requirements;
  • More stringent rules applicable to employees in particular functions, as appropriate;
  • A mention or discussion of different rules applicable to government officials; and
  • References to other policies.

Mike Volkov, in a blog post entitled “Safe Harbors and Gifts, Meals, Travel, and Entertainment Expenses”, gave these general guidelines about gifts:

  1. Given openly and transparently;
  2. Properly recorded in the company’s books and records;
  3. Motivated to express esteem or gratitude (and not corrupt intent); and
  4. Permitted under local law.

About travel he had the following insights:

  1. Do not select the foreign officials to participate in the event, or use a systematic evaluation to identify appropriate officials to attend;
  2. Pay all costs directly to vendors and do not put “cash” in the pockets of any foreign officials attending an event (as an advance or for reimbursement);
  3. Ensure that stipends are reasonable estimates of expected costs and do not provide any additional compensation or money to foreign officials;
  4. Ensure that payments are transparent and accurately reflected in company books and records;
  5. Do not condition payments on any specific action by foreign official; and
  6. Obtain written confirmation payments do not violate local law.

Below are some of my thoughts about what should go into your gifts, travel and entertainment policy.

A.     Gifts

  • The gift should be provided as a token of esteem, courtesy or in return for hospitality.
  • The gift should be of nominal value but in no case greater than $500.
  • No gifts in cash.
  • The gift shall be permitted under both local law and the guidelines of the employer/governmental agency.
  • The gift should be a value which is customary for the country involved and appropriate for the occasion.
  • The gift should be for official use rather than personal use.
  • The gift should showcase the company’s products or contain the company logo.
  • The gift should be presented openly with complete transparency.
  • The expense for the gift should be correctly recorded on the company’s books and records.

B.     Entertainment

There are no Opinion Releases on the threshold that a Company can establish as a value for entertainment. I am comfortable that such a value can go up to $500 in an appropriate circumstance. However this must be tempered with clear guidelines incorporated into the business expenditure component of a FCPA compliance policy, which should include the following:

  • A reasonable balance must exist for bona fide business entertainment during an official business trip.
  • All business entertainment expenses must be reasonable.
  • The business entertainment expenses must be permitted under (1) local law and (2) customer guidelines.
  • The business entertainment expense must be commensurate with local custom and practice.
  • The business entertainment expense must avoid the appearance of impropriety.
  • The business entertainment expense must be supported by appropriate documentation and properly recorded on the company’s book and records.

C.     Travel

  • Any reimbursement for air fare will be for economy class. However, you may be able to make exceptions for senior government officials, extremely long haul flights, or where you are contractually mandated to pay for business class travel.
  • Do not select the particular officials who will travel. That decision will be made solely by the foreign government.
  • Only host the designated officials and not their spouses or family members.
  • Pay all costs directly to the service providers; in the event that an expense requires reimbursement, you may do so, up to a modest daily minimum (e.g., $35), upon presentation of a written receipt.
  • Any souvenirs you provide the visiting officials should reflect the business and/or logo and would be of nominal value, e.g., shirts or tote bags.
  • Apart from the expenses identified above, do not compensate the foreign government or the officials for their visit, do not fund, organize, or host any other entertainment, side trips, or leisure activities for the officials, or provide the officials with any stipend or spending money.
  • The training costs and expenses will be only those necessary and reasonable to educate the visiting officials about the operation of your company.

The incorporation of these concepts into a FCPA compliance policy is a good first step towards preventing potential FCPA violations from arising, but it must be emphasized that they are only a first step. They must be coupled with active training of all personnel, not only on the policy and procedures, but also on the corporate and individual consequences that may arise if the FCPA is violated regarding gifts, travel and entertainment. Lastly, it is imperative that all such gifts, travel and entertainment be properly recorded, as required by the books and records component of the FCPA.

I view one of the key reasons for the attendant procedure of implanting the company policy around gifts, travel and entertainment is to allow oversight by a second set of eyes. Process validation requires oversight of compliance with gifts and entertainment policies is important to ensuring consistency in policy enforcement. This helps to ensure that there is the perception of fairness in this area, particularly if there must be discipline administered. Nothing is worse for an organization if, say, a salesman from the US is disciplined via a warning letter for cheating on his expense account whereas salesmen in Brazil are fired for the same offense.

Mike Volkov, in another blog post entitled “Creating a Framework for Reviewing Gifts, Meals, Travel and Entertainment Expenses”, said that he believes “There are three basic requirements for making the review process more efficient.” They include:

  1. Prospective standards – Companies need to adopt and enforce a prospective policy which carves out standards for the review and approval of such expenditures. The policy has to be clear on the standards and the procedures to be followed.
  2. Documentation – Companies have to document the process, maintain records, and audit the process. Without documentation, the policy is doomed to fail, and provides no protection when government prosecutors conduct an investigation.
  3. Advice of Counsel – Outside counsel should be used to review and approve any close calls. The run-of-the-mill situations can be handled by the policy. In close cases, outside counsel should review the matter, provide a short memo analyzing and approving the expenditure. The memo should be added to the file and available to auditors and the government if needed.

The final point from Walker, Volkov and myself is that whatever policy and procedures you set up and utilize, they should be designed for your company. The FCPA Guidance speaks to a well-thought out and designed system for any compliance risk and gifts, travel and entertainment is no different. Further, you must not only train but monitor and audit on your gifts, travel and entertainment. As this is one of the top areas that employees generate monies from their employers it is one of the top areas for fraud and hence corruption. And finally, Document, Document and Document.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 26, 2014

The Alchemist of Comedy and Utility Industry Compliance

Harold Ramis as Dr. SpenglerHarold Ramis died on Monday. For a generation of comedians and fans of comedy he was one of the driving lights of that genre. He was one of the screenwriters of Animal House and wrote the screenplays for both of the Ghostbuster movies, in addition to starring in them. His New York Times (NYT) obituary called him the “Alchemist of Comedy” and quoted from Paul Weingarten, who wrote, in The Chicago Tribune Magazine in 1983, “More than anyone else, “Harold Ramis has shaped this generation’s ideas of what is funny.”” So thanks Harold Ramis for Blutto, Otter, Founder, D-Day, Dr. Spengler and all the rest.

I am currently attending the Society of Corporate Compliance & Ethics (SCCE), 2014 Utilities & Energy Conference. As usual, it is an excellent event for the compliance practitioner. One of the things that I find not only intriguing but also extremely useful about this conference is the pairing of compliance practitioners from the fields of energy and utility. I did not attend the utility focused sessions for the first couple of years but now prefer those sessions because they focus so much on the process of compliance. While the actual compliance issues are not anti-bribery or anti-corruption, the process-oriented approach utilized in the utility energy can be a great set of lessons for the energy industry compliance practitioner to consider when looking at an energy company compliance regime.

On Monday there was a presentation by David Douglass, Federal Energy Regulatory Commission (FERC) Compliance at Kansas City Power & Light Company. Initially, Douglass presented several different compliance models, which the anti-corruption compliance practitioner can use to benchmark or evaluate your company’s compliance program. The first one Douglass termed the Compliance Maturity Model – Compliance at Every Level. It included:

  • Step 1 – Reacting only and engaging in panic. The elements of this level of maturity include the admonition to “Get it done”. Typically under this step compliance is operating in isolation and can only marshal resources as necessary and where ever they might be found.
  • Step 2 – Anticipating and acceptance of compliance. This increased maturity can help to bring about some efficiency, usually through the accepted use of automation. This allows a compliance practitioner to see connections between multiple programs and take steps to plan future approaches to ongoing and ad hoc compliance challenges as they might arise.
  • Step 3 – Collaborating. Under this step, compliance moves to being seen as a collaborative partner with the business units. This allows the identification of risks, the assessment of the company’s exposure to those risks and to prioritizing actions to meet those assessed risk. Finally, the collaboration step can allow for the re-use of technological components for multiple purposes, thus reinforcing great cost savings and value.
  • Step 4 – Orchestrating through and with the rest of the company. Under this ultimate step in the model, compliance works to help set enterprise wide objectives to help to coordinate enterprise wide risk analysis and response. The corporate wide visibility to risk analysis, management and remediation as well as compliance performance.

In addition to the above Compliance Maturity Model, Dougalss discussed two of the programs were set out by federal utility regulators. The first was the FERC’s Effective Compliance Program, which has the following seven standards:

  1.  Internal standards and procedures to prevent and detect violations;
  2. High-level management knowledge and oversight of internal compliance programs;
  3. Reasonable (due diligence) efforts to screen out “poor performers”;
  4. Reasonable internal communications and training efforts;
  5. Reasonable steps to evaluate program effectiveness, including confidential reporting options for employees;
  6. Creating and enforcing compliance incentives and noncompliance sanctions;
  7. After detection of a violation, companies shall take reasonable, responsive steps.

He then cited to the North American Electric Reliability Corporation’s (NERC’s) four hallmarks of effective compliance programs, which included the following:

1.    Senior management / leadership

  • Compliance Program is established in the company.
  • Compliance Program is formally documented and widely disseminated throughout the organization.
  • The Compliance Program is supervised by a high ranking company representative.
  • The head of the compliance function has access to President / CEO and Board.
  • The Compliance Program is designed and managed with independence.
  • There are sufficient resources dedicated to implement Compliance Program.
  • The Compliance Program has the full support of all company leadership

2.    Preventive measures are in place

  • A sufficient frequency of review of compliance program occurs.
  • There is sufficient frequency of training of employees on compliance program.
  • There is sufficiency of subject matter training of employees on compliance program.

3.    Prompt detection, cessation, and self-reporting

  • There is a sustainable process to internally assess compliance with regulations.
  • There is a sufficient response to identification of wrong-doing or misconduct.

4.    Effective remediation

  • There are effective internal controls and procedures present to prevent recurrence of misconduct.

Douglass also discussed the ‘3-lines of defense concept” for a best practices compliance program. Under this concept a properly constructed compliance program has three lines of defense to prevent a compliance incident. These three lines of defense are identified as (1) the Risk Content Owners line of defense; (2) the Risk Process Owners line of defense; and (3) the Risk Content and Content Monitoring Owners line of defense.

 I.                Risk Content Owners

This first line of defense is the business owner(s) who are on the front lines for any company. Their roles include management of day-to-day business risks and to recommend actions to manage and treat that risk. This group also is tasked with complying with the company’s risk management process. Where appropriate, this group will implement risk management processes where applicable and this group will execute risk assessments and identify emerging risk.

 II.             Risk Process Owners

This second line of defense is typically the company legal and compliance departments. Not only are these the standard setters in an organization but they may also be charged with certain monitoring tasks. This group should establish policy and process for risk management. This group is the strategic link for a company in terms of risk. It should provide guidance and coordination among constituencies. It should identify enterprise trends, synergies, and opportunities for change. This group should also initiate change, integration and operationalization of new compliance best practices. Typically this group is the liaison between the third and first lines of defense. Lastly, this group will oversee certain risk areas and in terms of certain enterprise objectives such as compliance with regulations such as Foreign Corrupt Practices Act (FCPA), Export Control, etc.

III.           Risk Content and Monitoring Owners

This third, and final, line of defense is generally thought of as the Assurance Providers and consists of senior management, Internal Audit and up to the Board of Directors. Its roles include either working with or through senior management and/or the Board of Directors. This line of defense is tasked to rationalize and systematize risk assessment and governance reporting so that it is not only transparent but useful and stored in a manner that can be retrieved if a regulator comes calling. It will provide oversight on risk management content/processes, followed by the second line of defense. Finally, it will provide assurance that risk management processes are adequate and appropriate.

This tripartite model is an excellent way for a company to not only think through how to design an overall structure but as an outline to assess how well it may be doing in any one specific compliance area such as anti-corruption compliance under the FCPA. The first line of defense should be driven down to the Business Unit level. This will allow, indeed require, the Business Unit to buy into the overall compliance program. The legal and compliance departments are the key bridge that writes and leads implementation of the overall compliance program through training but also assesses whether the compliance program is effective and remains robust. The role of senior management is to provide overall leadership and deployment of resources throughout this entire process.

I have found that the anti-corruption compliance, or indeed the anti-money laundering (AML) or export-control practitioner can learn quite a bit from their peers in the utility industry. While they may not rise to the level of “Alchemist of Comedy”, as did Harold Ramis, you might want to listen to what they have to say.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 24, 2014

Commitment to Compliance: the Compliance Committee

Iwo Jima Flag RaisingSunday was the 69th anniversary the most iconic photo of World War II, at least from the American perspective. Of course it was the raising of the American flag at Mt. Suribachi on Iwo Jima. To say that one photo cannot change the lives of those pictured is belied by this image. The photographer, Joe Rosenthal, won a Pulitzer Prize for the photograph. While three of the six flag-raisers died fighting on Iwo Jima, one survivor, Rene Gagnon appeared during half time at the 1969 Orange Bowl; Ira Hayes was immortalized songs both by Johnny Cash and Bob Dylan and the last remaining flag-raiser, John Bradley, died in 1994.

I once tried a lawsuit in Harlingen County, Texas, where the name of one of the flag-raisers, Harlon Block, is inscribed in the Memorial to the county’s deceased war veterans on the courthouse square. The Judge of the trial used it as an example of civic duty and, years later, when I read James Bradley’s book, “Flags of Our Fathers”, about his father John Bradley and the men who raised this flag, I learned that the Judge in my trial was one of 16 high school seniors from Harlingen High School who all volunteered for enlistment on the same day. Harlon Block was one of the Judge’s classmates and they volunteered together. I am still moved when I think of that story.

One of the commitments I believe can enhance a compliance program is the creation of a compliance committee. As far back as in the 2005 Monsanto Corporation Deferred Prosecution Agreement (DPA) the compliance committee concept appears to have found favor with the Department of Justice (DOJ). In Appendix B to the DPA, Monsanto agreed to, among other things, “the establishment and maintenance of a committee to supervise the review of (I) the retention of any agent, consultant, or other representative for purposes of business development or lobbying in a foreign jurisdiction”, or a Compliance Committee. Later, this concept was used in the settlement of Halliburton’s shareholder action around its Foreign Corrupt Practices Act (FPCA) enforcement action.

The Monsanto DPA provides guidance on this point by stating “The majority of the committee shall be comprised of persons who are not subordinate to the most senior officer of the department or unit responsible for the relevant transaction;” this would indicate that senior management should be involved in the Compliance Committee. It would also indicate that more than one department should be represented on the Compliance Committee. This would include senior representatives from the Accounting (or Finance) Department, Compliance & Legal Departments and Business Unit Operations.

The Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual suggests the following language in its proposed form of Compliance Committee Charter:

The compliance officer shall have ultimate responsibility for operating the compliance program, with the support and assistance of the compliance committee. The committee shall consist of ### members, representative of each major department or area. The committee may appoint ad hoc members, each to serve at the pleasure of the committee, to assist and advise the committee in carrying out this charter. While the ad hoc members of the committee are not entitled to vote on matters formally considered by the committee, the ad hoc members shall be entitled to call a meeting of the committee and, further, to have any matter included on the agenda of any meeting of the committee. The committee shall designate the proper manner for calling meetings and the setting of agendas thereto.

 The compliance officer and committee shall retain a direct line of communication with and a direct reporting responsibility to the board of directors, executive committee, and CEO.

In the November/December issue of the SCCE Compliance & Ethics Professional magazine, Donna Boehme wrote an article entitled “Building a horse and not a camel: The compliance committee”. Where she cautioned that “More often than not, a [compliance] committee that is conceived with all best intentions evolves into something less that ideal: (a) a team of micromanagers that routinely substitutes its judgment for that of the CCO; (b) a source of unnecessary red-tape and ‘make-work’ for the compliance function, (c) a filter between the CCO and the governing body.”

To remedy these potential pitfalls, Boehme recommends three rules for building an effective compliance committee.

  1. The compliance committee should have a clear, written charter that sets out the functionality, goals, and parameters of the group, along the lines discussed above.
  2. The CCO should chair a committee of her peers-senior level officers in a position to make decisions and marshal resources.
  3. The compliance committee should be periodically reviewed for effectiveness and adjusted as necessary to meet the stated goals of the charter.

One of the things  Boehme makes clear is that “every compliance structure should be fit-for-purpose.” In other words, if your company’s highest compliance risk is third party relationships, I think you should focus your compliance committee resources on that issue. The scope of this was not fleshed out in the Monsanto DPA. However, it suggested that a company should incorporate both a pre-execution function and a post-execution management function in overseeing the full relationship with any third party. While this would most necessarily focus on FCPA compliance, there should also be a commercial component to this function.

To this end, a compliance committee should review all documents relating the full panoply of a third party’s relationship with a US company. This would begin with a review of any initial requests to engage a new third party. The information presented to the compliance committee would include a Business Unit’s request to engage the third party, the costs and benefits. The next step would be to review the due diligence and all background investigative materials on the prospective third party.

The compliance committee should receive copies of, and approve, all due diligence and background investigative materials before a contract is executed with a third party. Particular attention should be paid to the form of the contract. If there are deviations from the company’s standard form of agreement, with regard to the FCPA compliance issues, there should be a full explanation by the third party or Business Unit. The compliance committee should determine if the company is taking on any unwarranted FCPA compliance risk if non-standard FCPA compliance terms and conditions are used.

After the commercial relationship has begun the compliance committee should monitor this relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations on the third party with at least a minimum of a Level One Due Diligence and higher levels of Due Diligence based upon an appropriate risk rating. There should be an evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third parties. All FCPA compliance training should be reviewed and certifications confirmed. The compliance committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. As with all things FCPA the three most important words here are Document, Document and Document. If you cannot produce documentary evidence to the DOJ of your annual review and its findings, it is of no use to your company.

In addition to the above remedial review, the compliance committee should review all payments requested by the third party to assure such payments are within the company guidelines and are warranted by the contractual relationship with the third party. Lastly, the compliance committee should review any request to provide the third party with any type of non-monetary compensation and, as appropriate, approve such requests.

The compliance of a third party is one of the key tools that a company can use to prevent and detect any violation of its own Code of Ethics and Compliance and the FCPA. The proper structure of the compliance committee and its full engagement with all aspects of a company’s relationship with a third party is one of the areas that the DOJ will look for in a successful FCPA compliance program.

A compliance committee is a key tool, which can be utilized by a company to manage its relationships with its third parties. Its use has been commented upon favorably by the DOJ through its citation in the Monsanto DPA. A Compliance Committee does not replace any of the other key components of an effective FCPA compliance program but it does provide an additional level of protection, back-up and transparency for all deals with a third party. It should be employed by US companies as an additional protection against any type of FCPA compliance and ethics violation “slipping through the cracks” to become a much larger problem down the road.

But take Boehme’s cautionary words to heart, that the guiding principles of a compliance committee should be that it helps and does not hurt your overall compliance efforts going forward. And then use the raising of the flag on Iwo Jima to think about commitment.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

October 24, 2013

How Do You Develop a Compliance Practitioner?

The Morrill Act was a seminal moment in American education. This law, passed in 1862, provided that land-grant institutions of higher learning should be created “without excluding other scientific and classical studies and including military tactic, to teach such branches of learning as are related to agriculture and the mechanic arts, in such manner as the legislatures of the States may respectively prescribe, in order to promote the liberal and practical education of the industrial classes in the several pursuits and professions in life.”

Under the Act, each eligible state received a total of 30,000 acres of federal land, either within or contiguous to its boundaries, for each member of congress the state had as of the census of 1860. This land, or the proceeds from its sale, was to be used toward establishing and funding the educational institutions described above. The law had been introduced in the 1850s but the Southern land aristocracy, who most assuredly did not want universal education for the masses, prevented it from being enacted into law. With the South in rebellion, the measure passed in the first Congress elected after the Civil War had begun.

I was at Michigan State University (MSU) this past weekend and one of the school’s biggest points of pride is that it was an original land-grant college, originally named Michigan Agricultural College. I met with the Director of my old graduate program, which is now Human Resources-Labor Relations (HR-LR), Bill Cooke. One of the things that the school does is to train HR professionals. I talked with Director Cooke about my beliefs on how HR ties into a company’s compliance program. That led to a discussion about the training HR professionals receive on anti-corruption compliance programs such as those designed to comply with the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

My visit to MSU, and the discussions about training in graduate programs, got me to thinking about the training of a compliance profession. How do you do it? What should go into it? Most compliance practitioners’ experience is somewhat similar to mine; I am a lawyer and worked in a corporate legal department. I was thrown into a compliance role with not little training, but no training. It was simply go to a seminar and learn about FCPA compliance. And, of course, good luck. I had the same happy experience when I was appointed as world-wide export control director. At least I could spell FCPA when I started that role.

What is available out there if you want to learn how to become a compliance practitioner? If you are a law student and attending Southern Illinois University (SIU) School of Law, you could take the FCPA Professor’s upper-level elective course entitled “Current Developments in American Law: Foreign Corrupt Practices Act”. The Professor was interviewed about his class in the Chicago Daily Law Bulletin, in an article entitled “Students take bribe(ry class).” The article noted that through this study of the FCPA itself, its history, judicial decisions involving it, enforcement of it and resolved FCPA enforcement actions, the FCPA Professor believes that “Understanding how the law is enforced and critically analyzing it and developing FCPA compliance skills is really a skill set for any future lawyer to have.” The FCPA Professor also uses this course to expose his students to other areas, “including corporate criminal liability, U.S. Department of Justice and SEC enforcement policies and “a working knowledge of resolution vehicles that are used to resolve FCPA enforcement actions.””

But this is a law school class for (most probably) prospective lawyers. There are many compliance practitioners out there who are not lawyers. In my discussions with Director Cooke there are so many areas where a HR professional can help inculcate compliance into a company’s DNA. Think about some or all of the following areas that are in the core function of HR.

Training – A key role for HR in any company is training. This has traditionally been in areas such as discrimination, harassment and safety, to name just a few and based on this traditional role of HR in training it is a natural extension of HR’s function to expand to the area of FCPA compliance and ethics.

Employee Evaluation and Succession Planning – One of the very important functions of HR is assisting management in setting the criteria for employee bonuses and in the evaluation of employees for those bonuses. This is an equally important role in conveying the company message of adherence to a FCPA compliance and ethics policy. In addition to employee evaluation, HR can play a key role in assisting a company to identify early on in an employee’s career the propensity for compliance and ethics by focusing on leadership behaviors in addition to simply business excellence.

Hotlines and Investigations – One of the traditional roles of HR in the US is to maintain a hotline for reporting of harassment claims, whether based on EEOC violations or other types of harassment. It is a natural extension of HR’s traditional function to handle this role.

I believe that the compliance practitioner needs a multi-disciplinary training. The legal training is a good basis but if you went to a law school like mine, real world discussion were considered what ‘other’ law schools did. Further, there are non-legal areas such as review of financial data and financial controls which are a part of any compliance practitioners remit which also need to be considered. Most of these areas are a part of separate disciplines which need to be tied together for the compliance practitioner.

One resource for such training is the SCCE, which provides a compliance certification through its Compliance Certification Board (CCB) which has developed criteria to determine competence in the practice of compliance and ethics across various industries and specialty areas, and recognizes individuals meeting these criteria through its compliance certification programs. But even these programs only provide a starting point as best practices in a compliance regime continue to evolve, particularly through the use of advanced analytics.

Just as the Morrill Act provided an initial basis for professional studies in agricultural and mechanical disciplines, land-grant colleges continue to evolve. MSU, for instance, wants to be a university to the world. The same evolution is true for compliance practitioners. As our field matures, the need for the development of compliance practitioners will increase. Courses like the FCPA Professor leads for lawyers and the SCCE puts on for compliance practitioners will help drive the next generation of compliance professionals.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

Next Page »

Blog at WordPress.com.