FCPA Compliance and Ethics Blog

February 21, 2013

How to Introduce Change into Your FCPA Compliance Program (Without Blowing It Up)

Thucydides or Herodotus; Herodotus or Thucydides. Which is your favorite? I admit to vacillating between the two. Thucydides wrote about the end of the Athenian dynasty from the Peloponnesian War and the debacle of the Sicilian Invasion. Herodotus wrote about the beginnings of the Golden Age of the Greek City State through the defeat of the Persian Invasion of Greece. Slogging through both is never easy but it is far and away worth the effort. One of the things that both of these ancient authors wrote about was massive change.

I recently read a book review of a couple of new volumes which looked at these authors and thought about the changes wrought when implementing or enhancing a Foreign Corrupt Practices Act (FCPA) compliance program. In making a large change, most compliance practitioners think of bringing it all to a company in one fell swoop. This is usually based on a Board of Directors or senior management directive to ‘get it done’. Sometimes this can simply be overwhelming to the compliance practitioner or information overload to the troops in the field, particularly those outside the US. However, a recent article in the MIT Sloan Management Review, entitled “How to Change an Organization Without Blowing It Up”, suggests that a different approach might be appropriate. In this article, author Karen Golden-Biddle writes that there is a middle ground between wholesale change and tentative pilot projects which could allow an organization to operate more effectively.

The author believes that “Too often, conventional approaches to organizational transformation resemble the Big Bang theory.” Further, she writes that “Big Bang transformation attempts often fail, fostering employee discontent and producing mediocre solutions with little lasting impact.” To overcome this, she believes that “organizations can seed transformation by collectively uncovering “everyday disconnects” — the disparities between our expectations about how work is carried out and how it actually is. The discovery of such disconnects encourages people to think about how the work might be done differently.”

She suggests that there are three techniques for discovering these disconnects and turning them into a way to “seed transformation from the bottom up.” These three techniques are (1) Work Discovery; (2) Better Practices; and (3) Test Training. I will look at all three and discuss how a compliance practitioner can bring them to bear to help move a compliance program forward.

I. Work Discovery – Examine Firsthand the Work Where It Is Actually Conducted

The author states that “instead of assuming that you know if the work process will be successful as it is designed, you should examine it firsthand, “as it is actually conducted.”” This will allow a company to “turn the (inevitable) surprises you uncover into assets.” She advises that senior management needs to actually see how the organization works to understand not only the expectations that they have set but also to uncover disconnects in the process. She cautions that this is not the same as a pilot project but rather should be viewed as part of a larger exploration of how a system might become the best that it can be. Put another way, the initial “design and rollout was always connected with the larger possibility, even though the possibility was in the process of becoming defined.”

For the compliance practitioner, this examination ‘in the field’ allows you to find the disconnects in the proposed compliance program or changes. That facilitates reconsidering the expectations in the program, or the understanding of how the program is designed to be conducted, and further allows you to entertain new possibilities for making the program work better. Compliance professionals can talk through the proposed changes to generate insights and possibilities for change and help company employees understand what the program changes will be and how the compliance program will work in their day-to-day operations.

II. Better Practices – Instead of Adopting the Best Practices of Others, Screen Your Work Through Those Best Practices in Order to Generate New Ideas

Oftentimes, particularly in the compliance arena, companies will simply review and determine the best compliance practices and then adopt them into their organization. This approach was certainly not suggested by the recently released Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance, where it stated “When it comes to compliance there is no one-size-fits-all program.” This sentiment was echoed by Golden-Biddle when she recommended that a company should not simply adopt another organization’s best practices, but instead should screen the way work gets done in your company and use those others’ best practices in order to generate new ideas. “In other words, use best practices to generate even better practices.”

However, other companies’ best practices can be more effectively used as a discovery technique, enabling people to go beyond replication and discover new methods for meaningful change. The author opines that studying other companies’ best practices as a discovery technique will allow employees to compare their expectations of how a new system or program will work as it is currently constituted with what might be offered by the best practice. Further, “this discovery tool imports the unfamiliar in the form of others’ best practices and pairs them with the familiar. Exploring this pairing enables people to move beyond their expectations and tease out new possibilities that are suggested by best practices elsewhere. Overlaying your current practices with someone else’s best practices in this way generates better practices — better than best because they are relevant in highly specific ways to your organization’s work.”

One way a compliance practitioner might do this is to ask the following questions. First, what would you do differently as a result of the new compliance practice and what might you wish to incorporate into the company’s compliance practices? Next, is there anything in the new compliance policy that was not included that you believe should have been or are there any issues in the new policy which you did not know how to address when using the new policy?

III. Test Training – Use Training to Experiment With Emergent Possibilities for the Way Work Will Be Done

This part may be the most intriguing and useful as the author advocates that you can use training to develop new possibilities so that “Instead of locking down standard operating procedures during training, experiment with other, potentially better possibilities for changing the way the work will get done.” Training typically comes at the end of a policy/program revamp or enhancement. However, the use of the phrase “test training” means something different than the usual corporate training. She says that it allows a company to uncover the “disconnects between people’s expectations for how proposed solutions might operate and the actual experience of the solution in experimental settings such as training or trials. This enables people to see and come to understand what they don’t know about the solution as well as to continue to shape it for implementation, often in significant ways.”

This type of testing would allow the compliance practitioner to obtain insights from those in the field on not only what does not work but also what might work better. Consider training on a third party management program. You would usually walk the designated training group through all of the steps your policy would entail. But those in the training test group might suggest new or different information that might be relevant to evaluate a third party in the context of compliance. Such “test training” also provides an opportunity to find out what is not being discovered through the third party investigation process and to suggest a new solution.

Golden-Biddle ends her article with five points that she believes Discovery Techniques can bring to an organization. They are:

  1. Achieve the benefits of transformation without risking wholesale disruption of operations.
  2. Build a culture of continuous improvement that is embraced by leadership and employees throughout the organization.
  3. Avoid the often exorbitant costs of Big Bang transformation associated with wholesale replacement of employees.
  4. Leverage existing employee knowledge and experience for transformation.
  5. Cultivate collective, not just individual, capacity in surfacing disconnects and generating new insights and ideas that seed transformation.

To her list I would add one more but I might put it as Number 1 on the list. It is that you bring your employees into the process. By listening to them and incorporating their ideas on what works and what does not work, they not only become invested in the final compliance product but they feel like you care about what they think. That may be the biggest reason to take up some of Golden-Biddle’s Discovery Techniques.

If you want to look at how change blew things up, pick up a copy of Herodotus or Thucydides and settle down for a long winter’s read.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

February 11, 2013

Quadrophenia and Four Compliance Issues

This past weekend I saw the remaining members of The Who perform in their Quadrophenia Tour. While I had seen Roger Daltrey perform the rock opera Tommy, I had never seen Pete Townshend in concert. To say I was blown away would be putting it mildly, especially as Quadrophenia does not even make it into my top three favorite Who albums, which are, in descending order, Who’s Next, Tommy and Live at Leeds. While Roger Daltrey’s voice was not as strong as it was during his Tommy tour, no doubt due to the longer duration of this tour, it was still a great performance and it was worth it to see Pete Townshend. He can still rock. Also they ended the show with three songs from Who’s Next, which alone was worth the price of admission.

The story generally revolves around four themes based upon the four personalities of the members of the band: Daltrey, Townshend, Keith Moon and John Entwistle. However, it was also a play on (for those of you old enough to remember) quadraphonic sound. According to Pete Townshend, “The whole conception of Quadrophenia was geared to quadraphonic, but in a creative sort of way. I mean I wanted themes to sort of emerge from corners. So you start to get the sense of the fourness being literally speaker for speaker.” So inspired by ‘fourness’ today, I will review four issues that have, or will, impact the compliance practitioner.

I. EU and Data Privacy

In an article in the Financial Times (FT), entitled “EU refuses to bend on tough data privacy law”, reporter James Fontanella-Khan wrote that Viviane Reding, the EU Commissioner for Justice, said that she will continue to fight any US attempts to water down its proposed data protection and privacy law, “which would force global technology companies to obey European standards across the globe.” Further, “Exempting non-EU countries from our data protection regulations is not on the table. It would mean applying a double standard.” Fontanella-Khan said that “US tech companies argue that it would be unfair for them to be subject to EU laws that are too stringent and could result in expensive administrative burdens and hefty fines for errant companies.” Can you think of any US laws that non-US companies have to comply with?

Issues for the compliance practitioner? There could be a myriad, from internal investigations, to sharing data with US regulators to ongoing monitoring and auditing. While it is currently US technology companies which are leading the fight against these new tough standards, non-tech companies could do well to assess how these changes may well impact them.

II. Will DOJ Open FCPA Investigation Against EADS?

Perhaps not fully appreciating the irony in reporting the EADS story in the same issue as the above EU data privacy story, the FT also had an article by Carola Hoyos, entitled “FBI probe of EADS unit claims”, who reported that the Federal Bureau of Investigation (FBI) has interviewed “a witness and taken possession of documents in connection with allegations” that a British subsidiary of the European aerospace entity EADS, named GPT Special Management Systems, bribed Saudi Arabian military officials, in connection with business dealings. Hoyos reported that GPT “made ₤11.5 of unexplained payments – some via the US – to bank accounts in the Cayman Islands.”

Although there is no known US Department of Justice (DOJ) investigation open into the EADS matter at this point, Hoyos noted that it was the DOJ which led the effort to investigate and eventually fine the UK company BAE in the amount of $400MM after the British government ordered the Serious Fraud Office (SFO) inquiry into allegations of BAE bribery for sales of equipment into Saudi Arabia “citing economic and diplomatic interests”. The FBI interviews occurred even though the SFO is currently investigating the matter. Hoyos also reported that EADS “maintained that its own investigations into the matter had yielded no evidence of wrongdoing.”

III. Think Before You Hit That Send Button

In a post in his blog, the D&O Diary, entitled “Damning E-mails: Can We Talk?”, author Kevin LaCroix wrote that “revelations this past week arguably represent some type of high-water mark, as a cluster of serious allegations were accompanied by a trove of embarrassing excerpts from emails and instant messages. While the latest disclosures provide yet another reminder of the dangers associated with ill-considered use of modern electronic communications technology, they also raise questions about the use that regulators and claimants are attempting to make of the communications.” He was talking about how the Commodity Futures Trading Commission’s press releases announcing RBS’s settlement this past week of charges of alleged Libor manipulation drew heavily on excerpts from the bank’s internal electronic communications. While noting that “emails do sometimes in fact evidence wrongdoing” the problem with them “is that when seemingly damning email excerpts are blasted into the media, it is very difficult to appreciate the larger context within which the excerpts fit.”

As much as he has distaste for the selective use of emails in this manner by regulators, LaCroix believes that they can provide a teachable moment. He writes that “a useful exercise to try to adopt is to pause and ask yourself, before hitting “send”, how the message would look if it were to fall into the hands of a hostile and aggressive adversary who was looking for ways to try to make you or your company look bad. Were this simple test to be more widely implemented, we would certainly see a marked reduction in, for example, running email jokes about the French maid’s outfit. My final thought is this – we all know that many electronic messages are written in haste and sometimes with insufficient care. With full awareness of this attribute of electronic communications, we should hesitate to jump to too many conclusions about the seemingly damaging inferences that could be drawn from email or instant message excerpts. But we should also learn from the inferences that regulators and claimants are trying to draw and try to take that into account in our own communications.” I could not have put it better myself.

IV. Trust Your Gut and Raise Your Hand

There have recently been a plethora of articles about ‘big data’ and how it can help in the monitoring of a Foreign Corrupt Practices Act (FCPA) compliance program. I have been one of the folks to write and talk about it. However, in an article in the New York Times (NYT), entitled “Sure, Big Data is Great. But So Is Intuition”, reporter Steve Lohr wrote that while he thinks that big data is a powerful tool and an unstoppable trend, it “might be a time for reflection, questions and qualms about this technology.” This is because, like all mathematical models, big data is “a simplification.” He quotes Thomas Davenport for the following. “A major part of managing Big Data projects, he says, is asking the right questions: How do you define the problem? What data do you need? Where does it come from? What are the assumptions behind the model that the data is fed into? How is the model different from reality?”

So the underlying basis for analyzing big data may actually be “too simple minded, rather than too smart.” All of this leads back to intuition. I would add that if the hair on the back of your neck stands up, your gut tells you something is wrong or something does not smell right, it probably isn’t right. The implications for the compliance practitioner? I would like to propose that the largest is in the area of training. What I try and tell non-compliance practitioners when I put on training is that if you see, smell or sense one of the above, just raise your hand. You do not have to know the ins and outs of the FCPA or know the answer but I do ask that you raise your hand and get the issue to a person who does have the expertise to analyze the issue.

If you have the chance to see The Who on their Quadrophenia Tour, all I can say is to drop whatever you are doing and go see it. I do not know if it will be your last chance to see Pete Townshend but when he winds up for one of those trademark windmill slams down the guitar strings, just close your eyes and listen. It is pure bliss and a quad of sensations for the ages.
