FCPA Compliance and Ethics Blog

March 30, 2015

Compensation Incentives in a Best Practices Compliance Program

Compensation IncentivesOne of the areas that many companies have not paid as much attention to in their Foreign Corrupt Practices Act (FCPA) anti-corruption compliance programs is compensation. However the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have long made clear that they view incentives, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, the then SEC Director of Enforcement, Stephen M. Cutler, said “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.” The FCPA Guidance states the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance pro­gram, and rewards for ethics and compliance leadership.”

In a Harvard Business Review (HBR) article, entitled “The Right Way to Use Compensation, Mark Roberge, Chief Revenue Officer of HubSpot, wrote about his company’s design and redesign of its employee’s compensation system to help drive certain behaviors. The piece’s subtitle indicated how the company fared in this technique as it read, “To shift strategy, change how you pay your team.” Several interesting ideas were presented, which I thought could be applicable for the Chief Compliance Officer (CCO) or compliance practitioner when thinking about compensation as a mechanism in a best practices compliance program.

Obviously Roberge and HubSpot were focused on creating and retaining a customer base for a start-up company. However because the company was a start-up, I found many of their lessons to be applicable for the compliance practitioner. As your compliance program matures and your strategy shifts, “it’s critical that the employees who bring in the revenue-the sales force-understand and behave in ways that support the new strategy. The sales compensation system can help ventures achieve that compliance.” The prescription for you as the compliance practitioner is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance programs matures; from installing the building blocks of compliance to burning anti-corruption compliance into the DNA of your company.

Roberge wrote that there were three key questions you should ask yourself in modifying your compensation incentive structure. First, is the change simple? Second, is the changed aligned with your company values? Third, is the effective on behavior immediate due to the change?

Simplicity

Your employees should not need “a spreadsheet to calculate their earnings.” This is because if “too many variables are included, they may become confused about which behaviors” you are rewarding. Keep the plan simple and even employee KISS, Keep it simple sir, when designing your program. If you do not do so, your employees might fall back on old behaviors that worked in the past. Roberge notes, “It should be extraordinarily clear which outcomes you are rewarding.”

The simplest way to incentive employees is to create metrics that they readily understand and are achievable in the context of the compliance program that you are trying to implement or enhance. This can start with attending Code of Conduct and compliance program training. Next might be a test to determine how much of that training was retained. It could be follow up, online training. It could mean instances of being a compliance champion in certain areas, whether with your employee base or third party sales force.

Alignment

As the CCO or compliance practitioner, you need to posit the most important compliance goal your entity needs to achieve. From there you should determine how your compensation program can be aligned with that goal. Roberge cautions what the DOJ and SEC both seem to understand, that you should not “underestimate the power of your compensation plan.” You can tweak your compliance communication, be it training, compliance videos, compliance reminders or other forms of compliance messaging but it is incumbent to remember that “if the majority of your company’s revenue is generated by salespeople, properly aligning their compensation plan will have greater impact than anything else.”

The beauty of this alignment prong is that it works with your sales force throughout the entire sales channel. So if your sales channel is employee based then their direct compensation can be used for alignment. However such alignment also works with a third party sales force such as agents, representatives, channel ops partners and even distributors. Here Roberge had another suggestion regarding compensation that I thought had interesting concepts for third parties, the holdback or even clawback. This would come into place at some point in the future for these third parties who might meet certain compliance metrics that you design into your third party management program.

Immediacy

Finally, under immediacy, it is important that such structures be put in place “immediately” but in a way that incentives employees. Roberge believes that “any delay in the good (or bad) behavior and the related financial outcome will decrease the impact of the plan.” As a part of immediacy, I would add there must be sufficient communication with your employee or other third party sales base. Roberge suggested a town hall meeting or other similar event where you can communicate to a large number of people.

Even in the world of employee compensation incentives, there should be transparency. He cautioned that transparency does not mean the design of the incentive system is a “democratic process. It was critical that the salespeople did not confuse transparency and involvement with an invitation to selfishly design the plan around their own needs.” However, he did believe that the employee base “appreciated the openness, even when the changes were not favorable to their individual situations.” Finally, he concluded, “Because of this involvement, when a new plan was rolled out, the sales team would understand why the final structure was chosen.”

So just as Roberge, working with HubSpot as a start-up, learned through this experience “the power of a compensation plan to motivate salespeople not only to sell more but to act in ways that support a start-up’s evolving business model and overall strategy”; you can also use your compensation program as such an incentive. For the compliance practitioner one of the biggest reasons is to first change a company’s culture to make compliance more important but to then burn it into the fabric of your organization. But you must be able to evolve in your thinking and professionalism as a compliance practitioner to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 19, 2015

Ingots of Gold & SEC FCPA Enforcement – Communication – Part IV

Ingots of GoldToday I want to use the Christie’s story Ingots of Gold as an introduction to some of the regular communications that the Securities and Exchange Commission (SEC) representatives frequently provide in public forums, regarding their views on Foreign Corrupt Practices Act (FCPA) enforcement and, more importantly for the compliance practitioner, FCPA compliance. In this story, told by Miss Marple’s friend, he was spending a holiday in Cornwall with an acquaintance called John Newman. It involved a shipwreck and, as the title foretold, valuable cargo. After a stormy night Newman was missing but was later found bound and gagged in a ditch. It is revealed that Newman used this as ruse to cover his tracks from a theft of gold, which, of course, Miss Marple resolves when no one else can do so.

It was the language of this story that struck me. For as famous as Agatha Christie is for her puzzles, she had a great facility for language. At one point Miss Marple said, “You wouldn’t like my opinion, dear. Young people never do, I notice.” Later she describes the antagonist with the following, “his mind might run in strange, unrecognized channels”. Fortunately for the compliance community, one of the significant ways that the SEC communicates with compliance practitioners is through public speeches. We were recently treated to another such example when Andrew Ceresney, the SEC Director, Division of Enforcement, spoke at CBI’s Pharmaceutical Compliance Congress in Washington DC. Ceresney provided some clear guidelines for the compliance practitioner about what the SEC expects from companies in the area of FCPA compliance. More specifically he talked about some specific bribery schemes the SEC has seen in FCPA enforcement actions involving the pharmaceutical industry. These examples provided scenarios that any compliance practitioner in the pharmaceutical space can investigate for their organization.

Pharmaceutical Industry Bribery Schemes

Ceresney discussed ‘Pay-to-Prescribe’ bribery schemes where physicians and hospitals are paid bribes in “exchange for prescribing certain medication, or other products such as medical devices.” These schemes can involve payments of cash or other forms of non-cash benefits such as gifts, travel and entertainment. He described an example where a company “invited “high-prescribing doctors” in the Chinese government to club-like meetings that included extensive recreational and entertainment activities to reward doctors’ past product sales or prescriptions.” Another such scheme involved a running total of points for doctors who prescribed a company’s products, which could later be cashed in for items of value. Another involved a rebate of part of a hospitals overall purchase to certain doctors or hospital administrators.

Another form of bribery was seen where a company would direct charitable donations to the decision-makers “pet” charity. In a couple of FCPA enforcement actions, the charity had nothing to do with the pharmaceutical industry but in one case there was “a purported donation of nearly $200,000 to a public university to fund a laboratory that was the pet project of a public hospital doctor. In return, the doctor agreed to provide business to” the company in question. The point of all of these examples is that “that bribes come in many shapes and sizes, and those made under the guise of charitable giving are of particular risk in the pharmaceutical industry. So it is critical that we carefully scrutinize a wide range of unfair benefits to foreign officials when assessing compliance with the FCPA – whether it is cash, gifts, travel, entertainment, or charitable contributions.”

Compliance Programs

I certainly agree with Ceresney, only adding that I do not think you can say it too loud or too often, when he stated, “The best way for a company to avoid some of the violations that I have just described is a robust FCPA compliance program.” It all begins with a risk assessment so that you will understand what your company’s risks are and you can manage them accordingly through your compliance program. From there Ceresney said, “The best companies have adopted strong FCPA compliance programs that include compliance personnel, extensive policies and procedures, training, vendor reviews, due diligence on third-party agents, expense controls, escalation of red flags, and internal audits to review compliance.” He also specifically mentioned third parties, as they are still perceived to be the highest risk in any FCPA risk matrix. He stated, “To properly combat against these abuses, a compliance program must thoroughly vet its third-party agents to include an understanding of the business rationale for contracting with the agent. Appropriate expense controls must also be in place to ensure that payments to third-parties are legitimate business expenses and not being used to funnel bribes to foreign officials.”

Self-Reporting and Cooperation

Next Ceresney turned to self-reporting and cooperation. After initially noting that the current enforcement environment is greatly aided by self-reporting, he went on to explain why it is in a company’s interest to do so. Beyond the simple credit a company receives for self-reporting, by doing so “parties are positioned to also help themselves by aggressively policing their own conduct”. The SEC will also “continue to find ways to enhance our cooperation program to encourage issuers, regulated entities, and individuals to promptly report suspected misconduct. The Division has a wide spectrum of tools to facilitate and reward meaningful cooperation, from reduced charges and penalties, to non-prosecution or deferred prosecution agreements in instances of outstanding cooperation.” He ended this section of his remarks with a couple of thoughts that I believe succinctly provided the SEC’s position on self-reporting and cooperation. First he said “When I was a defense lawyer, I would explain to clients that by the time you become aware of the misconduct, there are only two things that you can do to improve your plight – remediate the misconduct and cooperate in the investigation.” He then ended with the following, “Companies that choose not to self-report are thus taking a huge gamble because if we learn of the misconduct through other means, including through a whistleblower, the result will be far worse. “

Internal Controls 

Ceresney had some interesting remarks around internal controls. He said they were in the “context of financial reporting”; however I found that they might well have significant implications for the compliance practitioner. I thought his money line was “Internal control problems have been prominently featured in recent enforcement cases we have brought in the financial reporting area, even in cases without accompanying charges of fraud.  This reflects our view that adequate internal controls are the building blocks for accurate financial reporting and can prevent fraudulent activity.” While the specified area of these remarks was around SOX §§302 and 404, I think this portends directly to internal controls under the FCPA.

He went on to state, “my key takeaway is that senior leadership of companies should place strong emphasis on the importance of designing and implementing strong internal controls. Senior officers need to ask questions about what they are being told about their internal controls – but perhaps more importantly, ask questions about the things that are not being reported to them. Dropping those occasional inquiries into conversations where they won’t be expected sends a powerful message that you want these issues to be on your employees’ minds. And what is needed is not just involvement from senior leadership but also from the audit committee. Instead of a check-the-box mentality, it is important to use careful thought at the outset to how controls should be designed in light of a firm’s business operations. This entails an up-front assessment of financial reporting risks, designing controls that address those risks, and ensuring that the resulting controls are well documented and communicated. And, as the company’s business evolves and changes, management must consider whether the existing internal controls are appropriate, or need to be enhanced or changed. Appropriate resources and attention also need to be devoted to monitoring those controls for effectiveness and making changes as needed.” Every time you see the words ‘financial’ simply substitute compliance and I think you will see where the SEC is headed in its internal controls enforcement of the FCPA.

Just as Agatha Christie communicated with her audience in ways broader than simply puzzles, through her great facility for delicious language, the SEC communicates in substantive ways with the compliance community through its speeches. You really do not have to read the tea leaves when you have such a clear message as was delivered by Ceresney at the CBI conference. Moreover, with all the sites that reported on it, talked about it and even linked to the printed text, you did not have to pay to attend. It is all there for you to read and to read for free.

For a copy of the text of Ceresney’s remarks, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

 

March 10, 2015

Taking the Rolls Out for a Spin? Maybe You Should Avoid Brazil

Rolls RoyceJust as the GlaxoSmithKline PLC (GSK) case in China heralded a new day in international anti-corruption enforcement, the Petrobras case may be equally important going forward. The scope and breadth of the investigation is truly becoming worldwide. Last fall, one of the first questions raised was why was the US Securities and Exchange Commission (SEC) was investigating the company as it is headquartered in Brazil. While there is subsidiary Petrobras USA, which is a publicly listed company, it was not immediately apparent what role the US entity might have had in the bribery scandal, which was apparently centered in Brazil. However some recent revelations from across the pond may shed some light on the topic.

As with any corruption scandal there are both bribe payors and bribe receivers. The Petrobras corruption scandal initially focused on the bribe receivers in Petrobras. But last month one of the key bribe receivers, who is now cooperating with the Brazilian authorities, Pedro Barusco has identified the UK Company Rolls-Royce Group PLC as a bribe payor. As reported in the Financial Times (FT) by Samantha Pearson and Joe Leahy, in an article entitled “Rolls-Royce accused in Petrobras scandal”, Barusco has “told police he personally received at least $200,000 from Rolls-Royce — only part of the bribes he alleged were paid to a ring of politicians and other executives at the oil company.”

However the allegations moved far beyond simply Rolls-Royce. The article also reported, “Brazil’s authorities are already investigating allegations that Petrobras officials accepted bribes from SBM Offshore, a Netherlands-based supplier of offshore oil vessels. SBM has said it is co-operating with the investigation. Units of two Singaporean companies, Keppel Corporation and Sembcorp Marine, along with three Brazilian shipbuilders with large Japanese shareholders, have also been accused of participating in the bribes-for-contracts scheme.” Finally, they reported that “Mr Barusco alleged that his friend Luiz Eduardo Barbosa, a former executive of Swiss engineering group ABB, was responsible for organising bribes from Rolls-Royce, SBM and Alusa, a Brazilian construction company.”

Rolls-Royce is currently under investigation by the UK Serious Fraud Office (SFO) and Department of Justice (DOJ) for allegations of corruption in several countries. Katherine Rushton, reporting in The Telegraph in an article entitled “Rolls-Royce investigated in US over bribery claims”, said “Rolls-Royce is being investigated by the US Department of Justice (DoJ), following allegations that its executives bribed officials in Indonesia, China and India in order to win lucrative contracts.” She cited to the company’s annual report for the following, ““The group is currently under investigation by law enforcement agencies, primarily the Serious Fraud Office in the UK and the US Department of Justice. Breaches of laws and regulations in this area can lead to fines, penalties, criminal prosecution, commercial litigation and restrictions on future business.””

But more than simply Rolls-Royce, readers will recognize several names from a rogue gallery of companies either implicated with corruption violations or under investigation. SBM Offshore was a poster child last year for the DOJ deferring to foreign authorities to prosecute claims of bribery and corruption. I wonder if SBM Offshore attested in its settlement documents with the relevant Netherlands authorities that it had not engaged in any other bribery and corruption beyond that which was the basis of its settlement? I wonder if the company made any such averments to the DOJ? I wonder if the DOJ will make any such deferments again given the SBM Offshore settlement with the Dutch authorities? What about ABB?

In addition to the above, SBM Offshore may be the most relevant example in the debate of an international double jeopardy standard. Jordan Moran, writing in the Global Anti-Corruption Blog, has consistently argued that international double jeopardy is a bad idea. Most recently, in an article entitled “Why International Double Jeopardy Is a Bad Idea”, he said, “when it comes to the global fight against transnational bribery, double jeopardy probably isn’t all it’s cracked up to be. To begin, most arguments calling for the U.S. and other OECD member countries to recognize international double jeopardy are nonstarters.”

Also interesting was the reference to ABB as the company went through its own Foreign Corrupt Practices Act (FCPA) enforcement action. As reported by Dick Cassin, in a 2010 FCPA Blog post entitled “ABB Reaches $58 Million Settlement (Updated)”, the company “reached a settlement Wednesday with the DOJ of criminal FCPA charges and will pay a fine $19 million. And in resolving civil charges with the SEC, the company will disgorge $22.8 million and pay a $16.5 million civil penalty. ABB Ltd’s U.S. subsidiary, ABB Inc., pleaded guilty to a criminal information charging it with one count of violating the anti-bribery provisions of the FCPA and one count of conspiracy to violate the FCPA. The court imposed a sentence that included a criminal fine of $17.1 million.” There was no information at that time as to whether the individual that Barusco named as the bribe payment facilitator, one Luiz Eduardo Barbosa, was involved in the prior ABB enforcement action in any way.

We have one or more companies, who are under current DOJ investigations, now being investigated in connection with the Petrobras bribery scandal. There are also companies that have gone through prior bribery and corruption enforcement actions now identified in the scandal. All of this now leads me to have some type of understanding of why the SEC might be investigating Petrobras USA. First, and most probably, it would be to see if the US entity was involved in the apparent decade long bribery scheme that the Brazilian parent now finds itself embroiled in. What if the US subsidiary was paying bribes to its parent to obtain or retain a benefit? Next would be any evidence of violations of the accounting provisions or internal controls requirements found in the FCPA. Finally, the SEC might be looking at Petrobras USA to see who its suppliers might be and if those companies merited investigation. Similar to looking that the Panalpina customer lists the SEC could review the Petrobras USA contractor list.

Just as GSK heralded the first time the Chinese government prosecuted a western company for violation of Chinese law, I believe the Petrobras bribery scandal will be a watershed. The outpouring of information and allegations at this time point to a multi-year, truly worldwide, bribery scheme. While it may in part have been Petrobras officials shaking down contractors for payments, it really does not matter under the FCPA or UK Bribery Act. If any company subject to either or both of those laws paid monies to Petrobras I expect they will be fully prosecuted. Further, given the arguments against an international double jeopardy standard made by Moran and others AND the apparent recidivism of prior bribery offenders, some companies may be in for a long and expensive ride.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 9, 2015

Who is Responsible for Complying with the FCPA?

7K0A0014-2The Department of Justice (DOJ) still faces criticism over its Foreign Corrupt Practices Act (FCPA) enforcement strategy. Some decry that it is too aggressive, that the DOJ has moved into waters Congress never intended the DOJ to navigate into regarding the FCPA. Others worry that the DOJ, through its use of settlement mechanisms such as Deferred Prosecution and Non-Prosecution Agreements (DPAs and NPAs), let corporations off to easily with fines and other monetary penalties being the equivalent of a slap on the wrist. Yet another school of thought says that it is up to the DOJ to tell companies how not to engage in bribery and corruption by specifying precisely what type of anti-corruption compliance program to put into effect.

One thing these commentariat all have in common is that they generally do not look to those responsible for obeying the law, i.e. companies and persons who are subject to the FCPA, for their responsibility of complying with the law. Such failure seems to me to be sadly misplaced. But it is not simply Mike Volkov’s FCPA Paparazzi who fail to assess a corporation’s role in their failure to comply with the law; unfortunately it is also company leaders themselves.

We recently were treated to another such display of ‘What Me Worry?’ mentality by HSBC Chief Executive Officer (CEO) Stuart Gulliver when he said, “Can I know what every one of 257,000 people is doing?” Leaving aside the issue of whether a corporate CEO who has signed one of the largest DPAs in the history of the world (for money-laundering, not FCPA violations); should admit he (1) he doesn’t care or (2) his company is too unwieldy for it to obey the laws that you and I follow everyday; Gulliver inadvertently hit upon one of the key concepts of a best practices compliance program. That concept is a well-rounded program that assures compliance, not some all knowing, all seeing narcissist at the top.

In a Financial Times (FT) article entitled “Too big to manage”, Andrew Hill blasted Gulliver’s statement as “disingenuous” but went on to state, “Knowing what every employee is doing is not the leader’s responsibility. But by using a combination of the right structure, the latest technology and, above all, by imbuing a company with the correct culture and reinforcing regular communication with visits to the shop floor, he or she should be able to limit the chance of a major scandal.” Hill quoted management thinker Henry Mintzberg for the following, ““You can’t excuse [scandals] by saying we have so many employees. You . . . have got to be on the ground to have a sense of what your organisation is all about.””

This means a CEO is not required to know everything but he does need to have an overall sense of whether his company is moving in a direction to do things such as follow the law. I would say this is even truer when you have promised (yet again) in a DPA that your company will follow the law. It also means that the leader sets the tone. If your leader takes the position that he or she cannot know what everyone is doing; that tone will be communicated down to the field troops but the message will be that said maximum leader does not care what the middle and lower levels are doing. Hence the DOJ would say that it all starts with Tone at the Top. Sadly Gulliver does not seem to acknowledge, let alone understand, that issue.

But more than simply having a leader that cares and is engaged; Gulliver’s statement belies other aspects of a best practices compliance program. Technology provides a mechanism for oversight of a compliance regime. Under the FCPA Ten Hallmarks of an Effective Compliance Program, monitor is recognized as a key element so your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with the finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally, the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

In addition to monitoring, structural controls are recognized as an important element. Hill said that large companies “must use structural means to maintain control.” One of the best explanations of the use of internal controls as a structural component of any best practices compliance program comes from Aaron Murphy, a partner at Foley and Lardner in San Francisco, in his book entitled “Foreign Corrupt Practices Act”, where he said, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

I would advocate that it is the interplay of the right message, tools in place to communicate and enforce the message and then oversight to ensure compliance with the message that allows a 250,000 plus employee base company to have a chance to operate in compliance with their legal obligations. Echoing this maxim, Hill quoted Rick Goings, Chairman and CEO of Tupperware Brands Corporation, for the following, “Wars are won not by generals, but by non-commissioned officers. If you have the right kind of structure…and behind that a value system, I think you can do it.”

HSBC continues to be the poster child for compliance lessons learned, whether intentional or not. Hill concluded his piece with the following, “The lesson may be that, irrespective of the size of the company, executives who lose touch with how their staff are using the culture they preach are courting embarrassment and scandal. The trend towards large companies operating through smaller units, with more autonomy and accountability for their actions, does not absolve leaders from meeting their traditional responsibilities to know what is happening on the frontline. As Prof Fischer suggests, they should manage according to the old Russian proverb that Ronald Reagan adopted when dealing with the Soviet Union in the 1980s: trust, but verify.”

There is a plethora of compliance regimes that companies can look to in order to create a best practices compliance program. Simply put, it is a relatively straightforward exercise; perhaps not easy but certainly there are well-articulated compliance programs that companies can follow. To continue to criticize the DOJ (and Securities and Exchange Commission) for failing to communicate what they wish to see in a best practices compliance program, simply fails to take into account the responsibility that corporations have in complying with US laws. The information is out there in abundance. Even a weekend article in the FT lays it out for you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 4, 2015

Minnie Minoso Broke Barriers; Goodyear Pushes Compliance Forward

Minnie MinosoYesterday we celebrated the hard-nosed playing style of Anthony Mason, who recently passed away. Today we honor a true pioneer in professional baseball, Minnie Minoso, or Mr. White Sox. Minoso was the first black Cuban to play in Major League Baseball (MLB) when he debuted for the Cleveland Indians in 1949. In 1951, he was traded to the Chicago White Sox and he became a southside fixture for the rest of the decade. While his numbers were less than 2000 hits and 200 home runs, he was a fearless and speedy base runner and a nine-time All Star. Similarly to Mr. Cub, Ernie Banks, the Chicago White Sox erected a statue in tribute to Mr. White Sox outside their ballpark. Even President Obama was moved to release a statement about Minoso saying in part, “Minnie may have been passed over by the Baseball Hall of Fame during his lifetime, but for me and for generations of black and Latino young people, Minnie’s quintessentially American story embodies far more than a plaque ever could.”

The contribution of Minoso in the exorable march of MLB towards integration informed part of my reading of the recent Goodyear Tire & Rubber Company (Goodyear) Foreign Corrupt Practices Act (FCPA) enforcement strategy of the Securities and Exchange Commission (SEC). This enforcement action was a solo effort by the SEC; there was no corresponding Department of Justice (DOJ) criminal enforcement action. So following this past fall’s triumvirate of SEC enforcement actions involving Smith & Wesson, Layne Christenen and Bio-Rad, the SEC continues to bring enforcement actions based upon the books and records and internal controls civil requirements of the FCPA. Therefore the Goodyear enforcement action is one which provides many lessons to be learned by the Chief Compliance Officer (CCO) or compliance practitioner going forward and should be studied quite carefully by anyone in the compliance field.

The Bribery Schemes

As set out in the SEC Cease and Desist Order (the Order), Goodyear used several different bribery schemes in different countries, all violating the FCPA. In Kenya, Goodyear became a minority owner in a locally owned business which apparently paid bribes the old-fashioned way, in cash to the tune of over $1.5MM, yet falsely recorded the cash bribe payments as “promotional expenses.” In Angola, a wholly-owned subsidiary of the company paid approximately $1.6MM in bribes by falsely marking up invoices with “phony freight and customs clearing costs.” The subsidiary made the payments in cash and through wire transfers to various government officials. Finally, the subsidiary apparently cross-referenced the bribes it paid as follows, “As bribes were paid, the amounts were debited from the balance sheet account, and falsely recorded as payments to vendors for freight and clearing costs.” In other words a complete, total and utter failure of internal controls to forestall any of the foregoing.

Internal Controls Violations

The Order set out the section of the FCPA that the company violated. Regarding the internal controls, the Order stated, “Under Section 13(b)(2)(B) of the Exchange Act issuers are required to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that (i) transactions are executed in accordance with management’s general or specific authorization; (ii) transactions are recorded as necessary (I) to permit preparation of financial statements in conformity with generally accepted accounting principles or any other criteria applicable to such statements, and (II) to maintain accountability for assets; (iii) access to assets is permitted only in accordance with management’s general or specific authorization; and (iv) the recorded accountability for assets is compared with the existing assets at reasonable intervals and appropriate action is taken with respect to any differences.”

The Comeback

Equally important for the CCO or compliance practitioner are the specific steps that Goodyear took to remediate the situation it found itself in through these illegal payments. When the company received the initial reports about “the bribes, Goodyear promptly halted the improper payments and reported the matter to Commission staff.” Moreover, the company also cooperated extensively with the SEC. As noted in the Order, “Goodyear also provided significant cooperation with the Commission’s investigation. This included voluntarily producing documents and reports and other information from the company’s internal investigation, and promptly responding to Commission staff’s requests for information and documents. These efforts assisted the Commission in efficiently collecting evidence including information that may not have been otherwise available to the staff.”

In the area of internal remediation, regarding the entity in Kenya, where Goodyear was a minority owner in a local business, the company got rid of its from its corrupt partners by divesting its interest and ceasing all business dealings with the company. Goodyear is also divesting itself of its Angolan subsidiary. The Order also noted that Goodyear had lost its largest customer in Angola when it halted its illegal payment scheme. The company also took decisive disciplinary action against company employees “including executives of its Europe, Middle East and Africa region who had oversight responsibility, for failing to ensure adequate FCPA compliance training and controls were in place at the company’s subsidiaries in sub-Saharan Africa.”

Finally, in a long paragraph, the SEC detailed some of the more specific steps Goodyear took in the area of remediation. These steps included:

  • Improvements to the company’s compliance function not only in sub-Saharan Africa but also world-wide;
  • In Africa, both online and in person training was beefed up for “subsidiary management, sales and finance personnel”;
  • Regular audits were instituted by the company’s internal audit function, which “specifically focused on corruption risks”;
  • Quarterly self-assessment questionnaires were required of each subsidiary regarding business with government-affiliated customers;
  • For each subsidiary, there were management certifications required on a quarterly basis that required, “among other things controls over financial reporting; and annual testing of internal controls”;
  • Goodyear put in a “new regional management structure, and added new compliance, accounting, and audit positions”;
  • The company made technological improvements to allow the company to “electronically link subsidiaries in sub-Saharan Africa to its global network”;

However these changes were not limited to improvement of Goodyear’s compliance function in Africa only. At the corporate headquarters, Goodyear created the new position of “Vice President of Compliance and Ethics, which further elevated the compliance function within the company”. There was expanded online and in-person training at the corporate headquarters and other company subsidiaries. Finally, the company instituted a new “Integrity Hotline Web Portal, which enhanced users’ ability to file anonymous online reports to its hotline system. With that system, Goodyear is also implementing a new case management system for legal, compliance and internal audit to document and track complaints, investigations and remediation.”

The specific listing of the compliance initiatives or enhancements that Goodyear pushed after its illegal conduct came to light is certainly a welcomed addition to SEC advice about what it might consider some of the best practices a company may engage in around its compliance function. Moreover, this specific information can provide audit and information to the compliance practitioner of strategies that he or she might use to measure a company’s compliance program going forward. The continued message of cooperation and remediation as a way to lessen your overall fine and penalty continues to resonate from the SEC. Finally, just as Minoso helped move forward the integration of baseball and civil rights in general, the Goodyear FCPA enforcement action demonstrates that the SEC will continue to prosecute cases around the failure of or lack of internal controls. The clear import is that a company must have an appropriate compliance internal control regime in place. We are moving towards a strict liability standard under the FCPA around internal controls, which I will have much more to say about later but for now – you have been warned.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 2, 2015

Farewell to Mr. Spock and Risk Assessment Under COSO

Mr. SpockLeonard Nimoy died last Friday. He will be forever associated with the role of Mr. Spock in the original Star Trek television show which premiered in 1966. The original series ran for only three years but had a full life in syndication up through this day. He also reprised the role in six movies featuring the crew of the original series and in the recent reboot.

Mr. Spock was about a personal character for me as I ever saw on television. For a boy going through the insanity of adolescence and the early teen years, I found Mr. Spock and his focus on logic as a way to think about things. He pursued this path while dealing with his half human side, which compelled emotions. This focus also led me to explore Mediations by Marcus Aurelius. But more than simply logic and being a tortured soul, Mr. Spock and his way looking at things and Star Trek with its reach for the stars ethos inspired me when it came out and still does to this day.

Mr. Spock and his pursuit of logic inform today’s blog post. Every compliance practitioner is aware of the need for a risk assessment in any best practices compliance program; whether that program is based on the US Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other compliance law or regime. While the category of risk assessment is listed as Number 3 in the Ten Hallmarks of an Effective Compliance Program in the FCPA Guidance, both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) intone that your compliance journey begins with a risk assessment for two basic reasons. The first is that you must know the corruption risks your company faces and second, a risk assessment is your road map going forward to manage those risks.

Interestingly Risk Assessment is the second objective in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Cube. In its volume entitled “Internal Control – Integrated Framework”, herein ‘the Framework Volume’, it recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner none of this will sound new or even insightful, however the COSO Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume says that “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider both internal and external changes which can effect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and changes that its business model may make in the delivery of goods or services which could increase risk of running afoul of these laws.

The objective of Risk Assessment consists of four principles. They are:

Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”

Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”

Principle 8 – “The organization considers the potential for fraud in assessment risks to the achievement of objectives.”

Principle 9 – “The organization identifies and assesses changes that could significantly impact the system of internal control.”

Principle 6 – Suitable Objectives 

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words your objectives should form the basis on which your risk assessments are approached.

Principle 7 – Identifies and Analyzes Risk 

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third party contracting and payments and even fraudulent over-charging and pocketing of the differences in sales price. This means that is should be considered as an important risk analysis. It is important that any company follow the flow of money and if the Fraud Triangle is present, management be placed around such risk.

Principle 9 – Identifies and Analyzes Significant Change

It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives. Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.

Today’s blog post is a tribute to Mr. Spock as he, Star Trek and its characters continue to teach us lessons which we can apply in business going forward. It is the process of compliance which informs your program going forward. A risk assessment is recognized by sources as diverse as the DOJ, SEC and COSO as a necessary step. Just as Mr. Spock, the Science Officer onboard the Enterprise, was required to assess the risk to the ship and crew from a scientific perspective, a risk assessment can give you the tools to not only assess the corruption compliance risk to your company but a road map to managing that risk. So farewell to my long time friend Mr. Spock, you gave to me more than I ever gave back to you. I can think of no more fitting tribute to Spock than to say Live Long and Prosper.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 25, 2015

Doing Less with Less and the Unification of Germany

Sqeezed Piggy BankI am attending the SCCE Utilities and Energy Conference in Houston this week. As usual, the SCCE has put on a great event for the compliance practitioner. This year there is live blogging by Kortney Nordum so there should be much about the conference up on the SCCE blogsite, this week and into the future. Lizza Catalano has put together a first rate program for compliance practitioners of many stripes. As an added benefit, SCCE Chief Executive Officer (CEO) Roy Snell has brought some cold weather down to Houston for the event for our late February enjoyment. While it was 80 on Saturday, today is was a balmy 36 courtesy of our Minnesotan guests.

As you might guess the current economic downturn is on everyone’s mind and a subject of much conversation. Last week I wrote a post about the depression of oil and gas prices in the energy space and some of the increased Foreign Corrupt Practices Act (FCPA) or other anti-corruption risks that might well arise from this economic downturn. Over the next couple of days, I want to explore how a Chief Compliance Officer (CCO) or compliance practitioner might think through responses to this increased compliance risk. Today I will focus on doing less with less. Tomorrow I will suggest some technological solutions.

I have been around long enough to see more than one of these economic events in the energy space. While not suggesting that we Texans never learn not to repeat our mistakes, they do seem to have a pattern. Prices drop precipitously, companies who are overstocked, over-leverage or generally over-panic; over-react and cut head count and spending dramatically to some level that is not based on rational economic analysis. Then they get some handle on where the numbers might be heading and the cuts start to flatten out and some type of equilibrium is reached.

Right now, in the energy space, we are in the cutting phase. That means loss of personnel (head count) and loss of resources even if it was calculated last year based on a summer or fall 2014 economic projection in your annual budgeting process. This means one thing you will need get for a quarter or two will be financial resources to place the personnel your compliance function may have lost. This means that you will have to figure out a way to accomplish more with fewer resources. While I often advocate that the compliance function can and should draw on other disciplines such as Human Resources (HR), IT, Internal Audit and Marketing for support; those functions have most probably been ‘right-sized’ as well so they may not be able to assist the compliance function as much they could have previously.

Now would be a very good time to put into practice what Dresser-Rand CCO Jan Farley often says, “Don’t sweat the small (compliance) stuff.” Farley often speaks about the need not to waste your scarce compliance resources on areas or matters that are low compliance risks. But to do this, you need to understand what are your highest compliance risks. Since you will not have additional resources to perform such an analysis, I would suggest now would be a very good time for you to assess your compliance program and your business model to see what are your highest risks. If you believe there are several, you can fprioritize them. This exercise will give you the basis to deliver your ever-scarcer compliance resources to your highest risk areas.

While I do not believe the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will be sympathetic to some unsubstantiated claim along the lines of ‘I did my best with what I had’; they also made clear in the FCPA Guidance that “An effective compliance program promotes “an orga­nizational culture that encourages ethical conduct and a commitment to compliance with the law.” Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” (emphasis supplied)

So while the DOJ and SEC will not accept you bald-faced claims that our company simply did not have the money to spend on compliance, they will most-probably consider a compliance program where you have looked at your risks, in the context of this economic downturn, and delivered the compliance resources you do have to those risks. But the key is Document, Document, and Document your decision-making calculus and your implementation. (Stephen Martin would probably add here that if your annual spend on Yellow Post-It Notes is a factor of 10X your compliance spend, this approach would not be deemed credible.)

In her On work column in the Financial Times (FT), Lucy Kellaway wrote about this the concept of doing less with less for the corporate executive personally, in an article entitled, “No need to ‘lean in’ when laziness can be just as effective”. She cited to the Prussian General Helmuth von Moltke for “devising one of the world’s fist management matrices” when he assessed his officers on two scales: “clever v. dim and lazy v. energetic.” From this he came up with four permutations:

  • Dim and lazy – Good at executing orders.
  • Dim and energetic – Very dangerous, as they take the wrong decisions.
  • Clever and energetic – Excellent staff officers.
  • Clever and lazy – Top field commanders as they get results.

The point of Kellaway’s article has direct implications for the CCO or compliance practitioner currently facing an economic downturn, “It is only by being lazy that we become truly efficient, and come to see what is important and what is not.” Kellaway cautioned “the sort of laziness to encourage is not the slobbish variety that means you do bad work. That is not laziness: it is stupidity. Instead, we need the clever version that comes from knowing there is an opportunity cost to every minute we spend working, so we must use our time wisely.”

From the compliance perspective, this translates directly into using your compliance resources wisely. So whether you want to cite the Prussian general who unified Germany, columnist Kellaway, Dresser-Rand CCO Farley or this article’s theme of doing less with less, I would suggest to you there is a manner to maintain “A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations” even in an economic downturn.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

February 24, 2015

Victory or Death: William Barret Travis and the Obligations of a CCO

William Barret TravisToday in 1836, Alamo commander William Barret Travis issued his famous ‘Victory or Death’ plea for reinforcements. It was short so I quote it in full:

To the People of Texas & All Americans in the World:

Fellow citizens & compatriots—I am besieged, by a thousand or more of the Mexicans under Santa Anna—I have sustained a continual Bombardment & cannonade for 24 hours & have not lost a man. The enemy has demanded a surrender at discretion, otherwise, the garrison are to be put to the sword, if the fort is taken—I have answered the demand with a cannon shot, & our flag still waves proudly from the walls. I shall never surrender or retreat. Then, I call on you in the name of Liberty, of patriotism & everything dear to the American character, to come to our aid, with all dispatch—The enemy is receiving reinforcements daily & will no doubt increase to three or four thousand in four or five days. If this call is neglected, I am determined to sustain myself as long as possible & die like a soldier who never forgets what is due to his own honor & that of his country—Victory or Death.

William Barret Travis

Lt. Col. Comdt

While Thermopylae will always go down as the greatest ‘Last Stand’ battle in history, the Alamo is right up there in contention for Number 2. Like all such battles sometimes the myth becomes the legend and the legend becomes the reality. In Thermopylae, the myth is that 300 Spartans stood against the entire 10,000 man Persian Army. However there was also a force of 700 Thespians (not actors; but citizens from the City-State of Thespi) and a contingent of 400 Thebans who fought and died alongside the 300 Spartans. Somehow, their sacrifice has been lost to history.

Likewise, the legend that lifts the battle of the Alamo to the land of myth is the line in the sand. The story goes that William Barret Travis, on the day before the final attack, when it was clear that no reinforcements would arrive in time and everyone who stayed would perish; called all his men into the plaza of the compound. He then pulled out his saber and drew a line in the ground. He said that they were surrounded and would all likely die if they stayed. Any man who wanted to stay and die for Texas should cross the line and stand with him. Only one man, Moses Rose, declined to cross the line. The immediate survivors of the battle did not relate this story after they were rescued and this line in the sand tale did not appear until the 1880s.

But the thing about ‘last stand’ battles is they generally turn out badly for the losers.  Very badly. I thought about this when the former head of the Foreign Corrupt Practices Act (FCPA) unit at the Department of Justice (DOJ), Chuck Duross, said at Compliance Week a couple of years ago that he viewed anti-corruption compliance officials as “The Alamo” in terms of the last line of defense in the context of preventing violations of the FCPA. I gingerly raised my hand and acknowledged his tribute to the great state of Texas but pointed out that all the defenders were slaughtered, so perhaps another analogy was appropriate. Everyone had a good laugh back then at the conference. But in reflecting on the history of my state and what the Alamo means to us all; I have wondered if my initial response too facile?

What happens to a Chief Compliance Officer (CCO) or compliance practitioner when they have to make a stand? Do they make the ultimate corporate sacrifice? Will they receive the equivalent of a corporate execution as the defenders of the Alamo received? This worrisome issue has certainly occurred even if the person ‘resigned to pursue other opportunities.’ My fellow FCPA Blog Contributing Editor Michael Scher has been a leading voice for the protection of compliance officers, as have Donna Boehme and Michael Volkov. In a post entitled “Michael Scher Talks to the Feds” he said, “a compliance officer (CO) working in Asia asked for recognition and protection: “A CO will not stand up against the huge pressure to maintain compliance standards if he does not get sufficient protection under law. Most COs working in overseas operations of U.S. companies are not U.S. citizens, but they usually are first to find the violations. Since the FCPA deals with foreign corruption, how could the DOJ and SEC not protect these COs?”” In the same post, he asked the following of the DOJ and SEC “Wal-Mart’s compliance officers and professionals allegedly were intentionally obstructed by senior executives from conducting a compliance review and subjected to career-ending retaliation. If confirmed, will the DOJ and SEC’s settlement demonstrate that such harassment of compliance professionals is not condoned? Will the DOJ and SEC also make it clear that compliance officers working for multi-national companies like Wal-Mart in countries outside of America will receive the same protections as those working in America?”

Writing about the MF Global scandal in the New York Times (NYT) in an article entitled “Another View: MF Global’s Corporate Governance Lesson” Michael Peregrine stated that the “compliance officer is the equivalent of a “protected class” for governance purposes, and the sooner leadership gets that, the better.” Particularly in the post Sarbanes Oxley (SOX) world, a company’s CCO is a “linchpin in organizational efforts to comply with applicable law.” When a company fires, or asks him/her to resign, it is a significant decision for all involved in corporate governance and should not be solely done at the discretion of the Chief Executive Officer (CEO). Jonathan Marks has long advocated that the departure of a CCO from a company is such a material event that it should be disclosed by public companies.

In the area of anti-money laundering (AML) compliance professionals, Reuters, in an article entitled “Bankers anxious over anti-money-laundering push to go after individuals”, reported that at the Securities Industry Financial Markets Association conference, John Davidson, E*Trade Financial’s global head of AML, said that the “new push by regulators and lawmakers to hold individuals, rather than just institutions, accountable for regulatory violations involving money laundering is spooking members of the U.S. financial industry.” He further said that this aggressive trend and a new vigorous AML bill, introduced in Congress by Representative Maxine Waters entitled “Holding Individuals Accountable and Deterring Money Laundering Act”, were all “a little scary.” He found the movement towards more AML enforcement against individuals “an incredibly disturbing trend.” The reason it is so scary, an un-named top level compliance officer said, is “that compliance officers at the largest Wall Street institutions were feeling especially nervous because the power structures in those institutions sometimes did not give compliance officers enough authority to act.”

Upon further reflection I now believe the Alamo reference appropriate for compliance officers. It is because sometimes we have to draw a line in the sand to management. And when we do, we have to cross that line to get on the right side of the issue, the consequences be damned. This means that while you not only have to make hard decisions you may have accept employment separation if your company disregards your advice and engages in illegal activity. I do not pretend that to be a easy decision or one lightly made but CCOs have a different role in a corporation from that of a General Counsel (GC) and no amount of pining about attorney ethical obligations will change that dynamic.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 19, 2015

Assessing Compliance Internal Controls – Part I

Assessing Internal Controls II have recently detailed the COSO 2013 Framework in the context of a best practices compliance regime. However there is one additional step you will need to take after you design and implement your internal controls. That step is that you will need to assess against your internal controls to determine if they are working.

In its Illustrative Guide, the Committee of Sponsoring Organization of the Treadway Organization (COSO), entitled “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), laid out its views on “how to assess the effectiveness of its internal controls”. It went on to note, “An effective system of internal controls provides reasonable assurance of achievement of the entity’s objectives, relating to operations, reporting and compliance.” Moreover, there are two over-arching requirements which can only be met through such a structured post. First, each of the five components are present and function. Second, are the five components “operating together in an integrated approach”? Over the next couple of posts I will lay out what COSO itself says about assessing the effectiveness of your internal controls and tie it to your compliance related internal controls.

As the COSO Framework is designed to apply to a wider variety of corporate entities, your audit should be designed to test your internal controls. This means that if you have a multi-country or business unit organization, you need to determine how your compliance internal controls are inter-related up and down the organization. The Illustrative Guide also realizes that smaller companies may have less formal structures in place throughout the organization. Your auditing can and should reflect this business reality. Finally, if your company relies heavily on technology for your compliance function, you can leverage that technology to “support the ongoing assessment and evaluation” program going forward.

The Illustrative Guide suggests using a four-pronged approach in your assessment. (1) Make an overall assessment of your company’s system of internal controls. This should include an analysis of “whether each of the components and relevant principles is present and functioning and the components are operating together in an integrated manner.” (2) There should be a component evaluation. Here you need to more deeply evaluate any deficiencies which you may turn up and whether or not there are any compensating internal controls. (3) Assess whether each principle is present and functioning. As the COSO Framework does not prescribe “specific controls that must be selected, developed and deployed” your task here is to look at the main characteristics of each principle, as further defined in the points of focus, and then determine if a deficiency exists and it so what is the severity of the deficiency. (4) Finally, you should summarize all your internal control deficiencies in a log so they are addressed on a structured basis.

Another way to think through the approach could be along the following lines. A Principle Evaluation should consider “the controls to effect the principle” and would allow internal control deficiencies to be “identified along with an initial severity determination.” A Component Evaluation would “roll up the results of the component’s principle evaluations” and would allow a re-evaluation of the severity of any deficiency in the context of compensating controls. Lastly, an overall Effectiveness Assessment which would look at whether the controls were “operating together in an integrated manner by evaluating any internal control deficiencies aggregate to a major deficiency.” This type of process would then lend itself to an ongoing evaluation so that if business models, laws, regulations or other situations changed, you could assess if your internal controls were up to the new situations or needed adjustment.

The Illustrative Guide spent a fair amount of time discussing deficiencies. Initially it defined ‘internal control deficiency’ as a “shortcoming in a component or components and relevant principle(s) that reduces the likelihood of an entity achieving its objectives.” It went onto define ‘major deficiency’ as an “internal control deficiency or combination of deficiencies that severely reduces the likelihood that an entity can achieve its objectives.” Having a major deficiency is a significant issue because “When a major deficiency exists, the organization cannot conclude that it has met the requirements for an effective system of internal control.” Moreover, unlike deficiencies, “a major deficiency in one component cannot be mitigated to an acceptable level by the presence and functioning of another component.”

Under a compliance regime, you may be faced with known or relevant criteria to classify any deficiency. For example, if written policies do not have at a minimum the categories of policies laid out in the FCPA Guidance Ten Hallmarks of an Effective Compliance Program, which states “the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments”, also formulated in the Illustrative Guide, such a finding would preclude management from “concluding that the entity has met the requirements for effective internal controls in accordance with the Framework.”

However, if there are no objective criteria, as laid out in the FCPA Guidance, to evaluate your company’s compliance internal controls, what steps should you take? The Illustrative Guide says that a business’ senior management, with appropriate board oversight, “may establish objective criteria for evaluating internal control deficiencies and for how deficiencies should be reported to those responsible for achieving those objectives.” Together with appropriate auditing boundaries set by either established law, regulation or standard, or through management exercising its judgment, you can then make a full determination of “whether each of the components and relevant principles is present and functioning and components are operating together, and ultimately in concluding on the effectiveness of the entity’s system of internal control.”

The Illustrative Guide has a useful set of templates that can serve as the basis for your reporting results. They are specifically designed to “support an assessment of the effectiveness of a system of internal control and help document such an assessment.” The Document, Document, and Document feature is critical in any best practices anti-corruption or anti-bribery compliance program whether based upon the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other regulation. With the Illustrative Guide of these Illustrative Tools, COSO has given the compliance practitioner a very useful road map to begin an analysis into your company’s internal compliance controls. When the Securities and Exchange Commission (SEC) comes knocking this is precisely the type of evidence they will be looking for to evaluate if your company has met its obligations under the FCPA’s internal controls provisions. In subsequent blog posts I will take a look at how you might audit your compliance internal controls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 17, 2015

Gary Owens, Laugh-In and Accountability in Your Compliance Program

Gary OwensIf you were alive at all during the 1960s, you will recall that one of the cultural phenomenon’s was NBC’s television show Laugh-In. It was brought to you from the NBC studios in beautiful downtown Burbank and featured one very droll player, who always played himself, Gary Owens, as the show’s announcer – Gary Owens. Owens died last week and I was surprised but pleased to learn in reading his obituary in the New York Times (NYT) that he was also the voice for several cartoon characters in the Jay Ward stable (home of Rocky and Bullwinkle) and he was the voice of Space Ghost which had a renaissance during the early years of the Cartoon Network.

I thought about Owens’ role on Laugh-In not only as the straight man but also the character, who in many ways brought accountability to the manic show when I read this week’s article by Adam Bryant in his NYT Corner Office column, entitled “Making a Habit of Accountability”, which featured his interview of Natarajan Chandrasekaran, the Chief Executive Officer (CEO) of Tata Consulting Services. Chandrasekaran was raised on a farm and one of the things that he learned early on from his farmer father was “the value of money and the value of time. So he made us account for things. It wasn’t that there was a right or wrong way, but he wanted us to be accountable for what we did.”

I considered this concept of accountability in your best practices anti-corruption compliance program, whether based upon the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other program. With the Department of Justice’s (DOJ) recent pronouncements that it will more aggressively prosecute individuals for FCPA violations, perhaps companies should emphasize accountability more in their compliance programs. By doing so, perhaps employees might understand that there really is their personal liberty on the line when they engage in something which might even approach a FCPA violation. Further, by emphasizing personal accountability, companies could demonstrate more pro-active approaches to compliance that the DOJ wants to see going forward.

Chandrasekaran’s remarks went beyond simply emphasizing personal accountability. He also spoke about accountability in the context of a company’s overall culture. In particular I found his thoughts about accountability, learning and culture quite insightful. He said, “Learning cannot be achieved by mandate. It has to be achieved by culture.” He added, “In our executive team meetings, we share experiences and case studies about failures and successes.”

But beyond simply this insight there should also be accountability for helping others achieve the company’s overall goals. While he did not limit it to compliance, I still found it applicable to a best practice compliance regime when he said, “Everybody has to take some accountability for other people, and look for ways to make small contributions to help others. Looking after people has to become everybody’s responsibility. Innovation and caring for people are cultures; they are not departments.” He did admit that such a change would not happen overnight and indeed he has been emphasizing this message for five years at Tata because “It takes time to build that culture.”

Chandrasekaran also had an insight into compliance through his views on company structure. Tata is a flat organization, with multiple business units. He did this so the largest number of employees would feel empowered to make decisions and work collaboratively. While I recognize that such views might be antithetical to US based companies with a more ‘command and control’ approach, Chandrasekaran explained that the leaders of those units are expected “to work together. We said the power of our company will be driven by how well they work together. In some of our bigger monthly meetings, we will start with people presenting examples of their collaborations.”

I considered all of the above in the greater context of a best practices anti-corruption compliance program. One of the things that the FCPA Guidance emphasized was the inter-relatedness of each component of your compliance program. While you might have greater risk in the area of third parties or doing business in certain areas of the world where there are higher perceptions of corruption, you should not pick and choose what prongs of a compliance program you implement. Each step builds upon one another and should all point to accountability for your actions in decision-making calculus for business decisions and their implementations.

However the concept of accountability is not one that is spelled out in the FCPA Guidance or in any formulation of a best practices compliance regime. Yet it is clear that accountability is something that underlies what a compliance program is trying to achieve. Just as Chandrasekaran learned early on there is a value to things; there is a value to time and there is a value to money. So they should be accounted for in the way you do business.

This might best be described as oversight of your compliance program. The issue your company should focus on here is whether employees are accountable within the ambit of your compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are accountable to the compliance program.

Two mechanisms to do so are through the techniques of monitoring, which is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. A second tool is auditing, which is generally viewed as a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to hold employees accountable to doing business under your compliance regime and Code of Conduct. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. While it may seem that accountability means looking over every employees shoulder, it should not simply be seen as the workplace equivalent of parental oversight. Chandrasekaran explained that how you conduct yourself at work can have a huge impact on other employees. He said, “it’s sometimes very hard to imagine, early in your career, how much impact you can have. If you’re in a job and in an organization, the impact you can make is huge, because it’s all about being part of a group that’s driving impact. So look for those opportunities.” If you look for ways to demonstrate accountability you can influence a wide variety of others going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 5,164 other followers