FCPA Compliance and Ethics Blog

August 17, 2015

OIG Compliance Guidance for Health Care Governing Boards

On the front page of the Saturday New York Times (NYT) was an obituary for Edward Thomas, who joined the Houston Police Department (HPD) in 1948 and finally retired in 2011 at the age of 90. As reported in the article, entitled “Edward Thomas, Policing Pioneer Who Wore a Burden Stoically, Dies at 95”, when Thomas joined the HPD, “he could not report for work through the front door. He could not drive a squad car, eat in the department cafeteria or arrest a white suspect. Walking his beat, he was once disciplined for talking to a white meter maid.” The reason was that Thomas was the first African-American to don a uniform for the HPD. Yet through stoic service and professional leadership, Thomas became the longest serving Houston police officer and had the HPD Police headquarters renamed in his honor earlier this year.

I thought about how Thomas led the HPD to the modern era in the area of race relations in the context of a report, issued in April, by the Office of Inspector General (OIG), Department of Health and Human Resources, entitled “Practical Guidance for Health Care Governing Boards on Compliance Oversight” (the OIG Guidance). Through this paper, the OIG provided compliance practitioners and health care company Board of Directors its views on the proper role of a Board in overseeing a corporate compliance function.

As an introduction, the OIG Guidance states that a Board must act in good faith around its obligations regarding compliance. This means that there must be both a corporate information and reporting system and that such reporting mechanisms provide appropriate information to a Board. It stated, “The existence of a corporate reporting system is a key compliance program element, which not only keeps the Board informed of the activities of the organization, but also enables an organization to evaluate and respond to issues of potentially illegal or otherwise inappropriate activity.” The OIG Guidance sets out four areas of Board oversight and review of a compliance function: “(1) roles of, and relationships between, the organization’s audit, compliance, and legal departments; (2) mechanism and process for issue-reporting within an organization; (3) approach to identifying regulatory risk; and (4) methods of encouraging enterprise-wide accountability for achievement of compliance goals and objectives.”

While noting that a corporate compliance function should promote the prevention, detection and remediation of compliance violations, the OIG Guidance goes on to state that an organization’s Chief Compliance Officer (CCO) “should neither be counsel for the provider, nor be subordinate in function or position to counsel or the legal department, in any manner.” Rather the Board must ensure the CCO and compliance function have resources to fulfill their assigned role within an organization and access to the Board. The Board should “evaluate and discuss how management works together to address risk, including the role of each in:

  1. identifying compliance risks,
  2. investigating compliance risks and avoiding duplication of effort,
  3. identifying and implementing appropriate corrective actions and decision-making, and
  4. communicating between the various functions throughout the process.”

A key component of Board oversight is through the flow of information. The OIG Guidance says, “The Board should set and enforce expectations for receiving particular types of compliance-related information from various members of management. The Board should receive regular reports regarding the organization’s risk mitigation and compliance efforts—separately and independently”. These reports can come to the Board via a variety of reporting mechanisms: regular Board meetings, special Executive Sessions where the Board meets with the CCO or compliance leadership outside of the presence of senior management, and ad hoc communications from the CCO. All of these help create a “continuous expectation of open dialogue” which is paramount for proper Board oversight. Of course, if a serious compliance issue arises, it needs to be communicated directly, and in a timely manner, to the Board.

But in addition to setting the expectations for the flows of information, a Board must also set expectations for holding senior management accountable for areas such as compliance. This can be through the assessment of “individual, department, or facility-level performance or consistency in executing the compliance program” and using this information to pay out or withhold discretionary bonuses “based upon compliance and quality outcomes.” The OIG Guidance also notes, “Some companies have made participation in annual incentive programs contingent on satisfactorily meeting annual compliance goals. Others have instituted employee and executive compensation claw-back/recoupment provisions if compliance metrics are not met.” However, the key component is that “Through a system of defined compliance goals and objectives against which performance may be measured and incentivized, organizations can effectively communicate the message that everyone is ultimately responsible for compliance.”

A Board also needs to have regular reports on the risks that any organization may face. This means keeping abreast of “relevant and emerging regulatory risks, the role and functioning of an organization’s compliance program in the face of those risks and the flow and elevation of reporting of potential issues and problems to senior management.” The OIG Guidance speaks to technological solutions when it says, “Some Boards use tools such as dashboards—containing key financial, operational and compliance indicators to assess risk, performance against budgets, strategic plans, policies and procedures, or other goals and objectives—in order to strike a balance between too much and too little information. For instance, Board quality committees can work with management to create the content of the dashboards with a goal of identifying and responding to risks and improving quality of care.”

Moreover, a Board should also mandate that the company’s compliance function have the proper tools in place to facilitate compliance reporting internally. It states, “Boards should also consider establishing a risk-based reporting system, in which those responsible for the compliance function provide reports to the Board when certain risk-based criteria are met. The Board should be assured that there are mechanisms in place to ensure timely reporting of suspected violations and to evaluate and implement remedial measures. These tools may also be used to track and identify trends in organizational performance against corrective action plans developed in response to compliance concerns.”

Ultimately a Board should drive home the message of compliance as “a way of life” so that it permeates into the DNA of a health care organization. For if a Board can help drive compliance into the fabric of an organization, it will have done more than simply fulfill its legal obligations starting in the Caremark decision and going forward. The Board will have helped to make the entire organization more compliance-centric, and when a Board can help to facilitate such a change in attitudes, it will have moved the organization several steps down the road of doing business in compliance with relevant laws and issues.

The OIG Guidance is an excellent review for not only compliance professionals and others in the health care industry but a good primer for Boards around their own duties under a best practices compliance program. The US Federal Sentencing Guidelines, the Ten Hallmarks of an Effective Compliance Program, the “OIG voluntary compliance program guidance documents, and OIG Corporate Integrity Agreements (CIAs) can be used as baseline assessment tools for Boards and management in determining what specific functions may be necessary to meet the requirements of an effective compliance program. The Guidelines “offer incentives to organizations to reduce and ultimately eliminate criminal conduct by providing a structural foundation from which an organization may self-police its own conduct through an effective compliance and ethics program.” The compliance program guidance documents were developed by OIG to encourage the development and use of internal controls to monitor adherence to applicable statutes, regulations, and program requirements.”

It is a document well worth your consideration.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 12, 2015

Maurice Gilbert, CCI and Ten Questions A Board Should Consider About Compliance

For those of you in the compliance world who do not know Maurice Gilbert, you should. I could probably write an entire post on the number of hats that he wears. For the Chief Compliance Officer (CCO) or compliance practitioner, two of the most significant are as Managing Director at Consileum Inc., which I consider to be one of the premier compliance-related search firms in America, and as Founder and Managing Editor of Corporate Compliance Insights, known as CCI in the compliance world (full disclosure – I blog and write for CCI). If you are looking for some of the country’s top compliance talent for a corporate compliance position, Maurice should be about the first person you call when even thinking about such a task. He can help you to define the scope of the position and then craft the position to attract some great talent for you to consider. Of course, you should always know one of the country’s top compliance talent recruiters because you never know when the right opportunity might be presented by a client to Maurice and you could perfectly fill the bill.

However it is his other hat that I want to highlight today. As Founder and Managing Editor of one of the top online compliance resources, Maurice leads a team that continually generates and posts some of the most insightful and useful pieces of information around the entire panoply of issues related to compliance. From my world of anti-corruption compliance, to trade-compliance, corporate boards and governance, auditing and much more, CCI is a resource you should have on your favorites toolbar. It was through Maurice and CCI that I was introduced to the writings and assorted wisdom of Jim DeLoach, who is one of my favorite contributors to read on CCI.

DeLoach is a Managing Director with global consulting firm Protiviti. He regularly writes and blogs on issues relating to Enterprise Risk Management (ERM). He put out such great material and a plethora of it that Maurice persuaded him to put it together for us in an eBook, entitled “Making Risk Management Work for You”. In the section entitled “10 Questions You Should Ask About Risk Management”, DeLoach lists 10 questions he says that a board and senior management should think about when considering ERM. I have used this section as a basis to reformulate the questions from a compliance perspective.

  • What are the company’s top compliance risks, how severe is their impact and how likely are they to occur? – Just as managing enterprise risk at a strategic level requires focus, the same is true for compliance. This requires limiting your top risks to a handful so they can accurately be assessed and managed. DeLoach suggests that you should be emphasizing no more than five to 10 risks. Furthermore, “Day-to-day risks are an ongoing operating responsibility.”
  • How often does the company refresh its assessment of the top [compliance] risks? – As the Department of Justice (DOJ) continually reminds us, your compliance risk assessment process should be responsive to change in the business environment. It is now mandatory that teams have in place “a robust process for identifying and prioritizing the critical [compliance] risks, including emerging [compliance] risks, is vital to an evergreen view of the top risks.”
  • Who owns the top compliance risks and is accountable for results, and to whom do they report? – While this might seem self-evident in any best practices compliance program, it is not always clear within an organization. Clearly your CCO should own the top compliance risks and manage them, but there should also be proper board oversight and reporting. DeLoach warns, “Gaps and overlaps in risk ownership should be minimized, if not eliminated.”
  • How effective is the company in managing its top [compliance] risks? – Just how effective is your compliance regime is a key question that any CCO or compliance practitioner needs to be thinking about on a regular basis. However, for the board and senior management level, there should be “a robust process for managing and monitoring each of the critical [compliance] risks.” Moreover, your “risk management capabilities must be improved continuously as the speed and complexity of business change.”
  • Are there any organizational “blind spots” around [compliance] warranting attention? – Some practitioners believe that the entire Foreign Corrupt Practices Act (FCPA) enforcement regime is a failure because companies are still engaging in bribery and corruption. But the simple fact is that since corporations are made up of people there will always likely be wrongdoers. DeLoach notes that “Cultural issues and dysfunctional behavior can undermine the effectiveness of [compliance] risk management and lead to inappropriate risk taking or the undermining of established policies and processes.” He cites several examples including “lack of transparency, conflicts of interest, a shoot-the-messenger environment and/or unbalanced compensation structures may encourage undesirable behavior and compromise the effectiveness of risk management.”
  • Does the company understand the key assumptions underlying its [compliance] strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions? – You might not think it could happen in a compliance regime but if a company fails to recognize that its business paradigm is changing, it could be too late to affect an appropriate compliance strategy for a new product line/service offering or breaking into a new geographic territory. Here DeLoach believes that while “no one knows for sure what will happen that could invalidate the company’s strategic assumptions in the future, monitoring the validity of key assumptions over time as the business environment changes is a smart thing to do.”
  • Does the company articulate its risk appetite and define risk tolerances for use in managing the business? – This is one area that always bears discussion. For some companies there is enough business in the middle of the road that they feel like they do not have to go up to the line of an FCPA violation to garner sales, while other companies have done deals that may have been lawful but, at the end of the day, had awful consequences for the business. Just because you can do something does not mean you should do it, and a large part of such a calculus is around your risk appetite dialogue. DeLoach believes such ongoing conversations can assist to “bring balance to the conversation around which risks the enterprise should take, which risks it should avoid and the parameters within which it should operate going forward. The risk appetite statement is decomposed into risk tolerances to address the question, “How much variability are we willing to accept as we pursue a given business objective?” For example, separate risk tolerances may be expressed differently for objectives relating to earnings variability, interest rate exposure, and the acquisition, development and retention of people.”
  • Does the company’s [compliance] risk reporting provide management and the board information they need about the top risks and how they are managed? – Compliance reporting should begin with relevant information about the critical compliance risks and how those compliance risks are managed. DeLoach believes that some of the questions you should be asking under this prong are along the lines of the following: “Are there opportunities to enhance the [compliance] risk reporting process to make it more effective and efficient? Is there a process for monitoring and reporting critical [compliance] risks and emerging [compliance] risks to executive management and the board?”
  • Is the company prepared to respond to extreme [compliance] events? – DeLoach calls it an extreme event but I would ask, what will you do if your company is on the front page of the New York Times (NYT), Wall Street Journal (WSJ), Financial Times (FT) or any other similar media outlet for a compliance related violation or issue? Do you have a response plan in place? More so “Has it prioritized its high-impact, low-likelihood risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise’s response readiness?”
  • Does the board have the requisite skill sets to provide effective [compliance] risk oversight? – This goes to the heart of frustrations from both the compliance function side and the board side of the equation. Does your board and senior management have specific FCPA or other relevant anti-corruption training and understand your business model well enough to provide input regarding critical compliance risk issues on a timely basis? From the board’s perspective they may feel the information they receive is asymmetrical and that they do not receive enough material information to render good decision-making. From the CCO or compliance practitioner’s perspective, they may feel that they cannot get enough time in front of the board, audit committee or senior management to properly educate them on the issues.

I have only scratched the surface of DeLoach’s thoughts on ERM. I urge you to go to the CCI site and download the entire work. Did I mention the best thing about CCI and DeLoach’s book? It is free on the CCI site. So after you download DeLoach’s book, stick on the site and noodle around to find something that interests you or could be of assistance in your compliance practice. Don’t forget to check out CCI’s job listing because Maurice has that other hat that he wears as well.

September 26, 2014

West Side Story and GSK In China – Board Oversight and Tone in the Middle

Yesterday, I celebrated the anniversary of one of America’s cultural lows. But today, I am extremely pleased to open with exactly the opposite, that being one of America’s greatest gifts to the performing arts. For on this day in 1957, the musical West Side Story premiered on Broadway. There are so many facets to one of the great, even greatest, works of musical theater. Leonard Bernstein penned the score, Stephen Sondheim wrote the lyrics, Jerome Robbins choreographed the dance and the story was by Arthur Laurents, inspired by Romeo and Juliet.

There are many great songs, dances and moments in the play. Most of us (at least of my age) outside New York were introduced to the play via television where it ran for one showing in 1971. The show never toured until the 2000s. When I finally got to see the stage production I was absolutely blown away. I had never seen anything like it and I will never forget the 5-counter point singing by Tony, Maria, Anita, Bernardo and the Sharks, and Riff and the Jets, as they all anticipate the events to come that night in the song Tonight’s Quintet. The show truly is one of America’s gems.

I thought about the continuing appeal of West Side Story as a musical and why the story continues to resonate with the American people when I continued to consider some of the lessons learned from the GlaxoSmithKline PLC (GSK) matter in China. Today’s areas for reflection are two: the first is the role of a company’s Board of Directors and the second is the ‘tone in the middle’. While we have not heard from the GSK Board on this case, it has become clear that the GSK Board was aware of both the anonymous whistleblower allegations and the release of the tape of the GSK China Country Manager and his girlfriend. One of the lessons learned from the GSK scandal is that a Board must absolutely take a more active oversight role not only when specific allegations of bribery and corruption are brought forward but also when companies are operating in high risk environments. Further, how can a company move its message of doing business ethically and in compliance down the employee chain?

In a NACD Directorship article, entitled “Corruption in China and Elsewhere Demands Board Oversight”, authors Eric Zwisler and Dean Yoost noted that as “Boards are ultimately responsible for risk oversight” any Board of a company with operations in China “needs to have a clear understanding of its duties and responsibilities under the FCPA and other international laws, such as the U.K. Bribery Act”. Why should China be on the radar of Boards? The authors reported, “20 percent of FCPA enforcement actions in the past five years have involved business conduct in China. The reputational and economic ramifications of misinterpreting these duties and responsibilities can have a long-lasting impact on the economic and reputation of the company.”

The authors understand that corruption can be endemic in China. They wrote, “Local organizations in China are exceedingly adept at appearing compliant while hiding unacceptable business practices. The board should be aware that a well-crafted compliance program must be complemented with a thorough understanding of frontline business practices and constant auditing of actual practices, not just documentation.” Further, “the management cadence of monitoring and auditing should be visible to the board.” All of the foregoing would certainly apply to GSK and its China operations.

Moreover, the FCPA Guidance makes clear that resources and their allocation are an important part of any best practices compliance program. So if that risk is perceived to be high in a country such as China, the Board should follow the prescription in the Guidance, which states “the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”

To help achieve these goals, the authors suggested a list of questions that they believe every director should ask about a company’s business in China.

  • How is “tone at the top” established and communicated?
  • How are business practice risks assessed?
  • Are effective standards, policies and procedures in place to address these risks?
  • What procedures are in place to identify and mitigate fraud, theft, and corruption?
  • What local training is conducted on business practices and is it effective?
  • Are incentives provided to promote the correct behaviors?
  • How is the detection of improper behavior monitored and audited?
  • How is the effectiveness of the compliance program reviewed and initiated?
  • If a problem is identified, how is an independent and thorough investigation assured?

Third parties generally present the most risk under a Foreign Corrupt Practices Act (FCPA) compliance program and are believed (at least anecdotally) to comprise over 90 percent of reported FCPA cases, which subsequently involve the use of third-party intermediaries such as agents or consultants. But this is broader than simply third party agents because any business opportunity in China will require some type of business relationship.

One of the major failings of the GSK Board was that it apparently did not understand the actual business practices that the company was engaging in through its China business unit. While $500MM may not have been a material monetary figure for the Board to consider; the payment of such an amount to any third party or group of third parties, such as Chinese travel agencies, should have been raised to the Board. All of this leads me to believe that the GSK Board was not sufficiently engaged. While one might think a company which had received a $3bn fine and was under a Corporate Integrity Agreement (CIA) for its marketing sins might have sufficient Board attention; perhaps legal marketing had greater Board scrutiny than doing business in compliance with the FCPA or UK Bribery Act. The Board certainly did not seem to understand the potential financial and reputational impact of a bribery and corruption matter arising in China. Perhaps they do now but, for the rest of us, I think the clear lesson to be learned is that a Board must increase oversight of its China operations from the anti-corruption perspective.

GSK Chief Executive Officer (CEO) Sir Andrew Witty has certainly tried to say all of the right things during the GSK imbroglio on China. But did that message really get down to the troops at GSK China? Moreover, did that message even get to middle management, such as the GSK leadership in China? Apparently not, so one of the lessons learned is moving the Olympian Pronouncements of Sir Andrew down to lower levels of his company. Just how important is “Tone at the Top”? Conversely, what does it say to middle management when upper management practices the age-old parental line of “Don’t do as I do; Do as I say”? In his article entitled “Ethics and the Middle Manager: Creating ‘Tone in The Middle’”, Kirk O. Hanson listed eight specific actions that top executives could engage in which demonstrate a company’s and their personnel’s commitment to ethics and compliance. The actions he listed were:

  1. Top executives must themselves exhibit all the “tone at the top” behaviors, including acting ethically, talking frequently about the organization’s values and ethics, and supporting the organization’s and individual employee’s adherence to the values.
  2. Top executives must explicitly ask middle managers what dilemmas arise in implementing the ethical commitments of the organization in the work of that group.
  3. Top executives must give general guidance about how values apply to those specific dilemmas.
  4. Top executives must explicitly delegate resolution of those dilemmas to the middle managers.
  5. Top executives must make it clear to middle managers that their ethical performance is being watched as closely as their financial performance.
  6. Top executives must make ethical competence and commitment of middle managers a part of their performance evaluation.
  7. The organization must provide opportunities for middle managers to work with peers on resolving the hard cases.
  8. Top executives must be available to the middle managers to discuss/coach/resolve the hardest cases.

What about at the bottom, as in those China unit employees who claimed they were owed bonuses because their bosses had instructed them to pay bribes? Well, if your management instructs you to pay bribes, that is a very different problem. But if your company’s issue is how to move the message of compliance down to the bottom, Dawn Lomer, Managing Editor at i-Sight Software, provided some concrete suggestions in an article in the SCCE magazine, entitled “An ethical corporate culture goes beyond the code”, where she wrote that the unofficial message which a company sends to its employees “is just as powerful – if not more powerful – than any messages carried in the code of conduct.” Lomer suggested that a company use “unofficial channels” by which your company can convey and communicate its message regarding doing business in an ethical manner and “influence employee behavior across the board.” Her suggestions were:

  1. Reward for Integrity – Lomer writes that the key is to reward employees for doing business in an ethical manner and that such an action “sends a powerful message without saying a word.”
  2. The three-second ethics rule – It is important that senior management not only consistently drives home the message of doing business ethically but they should communicate that message in a short, clear values statement.
  3. Environmental cues – Simply the idea that a company is providing oversight on doing business ethically can be enough to modify employee behavior.
  4. Control the images – It is not all about winning but conducting business, as it should be done.
  5. Align Messages – You should think about the totality of the messages that your company is sending out to its employees regarding doing business and make sure that all these messages are aligned in a way that makes your ethical corporate culture clear.

The GSK case will be in the public eye for many months to come. Both the UK Serious Fraud Office (SFO) and US authorities have open investigations into the company. Just as the five counter-point singing or the rooftop symphonic dance scene to the song America demonstrates the best of that art form, you can draw lessons from GSK’s missteps in China for implementing or enhancing your anti-corruption compliance program going forward.

And while you are ending your week of considering GSK and its lessons learned for your compliance program, crank up your speakers to 11 and listen to some five counter-point singing in the movie version of the Tonight Quintet.

© Thomas R. Fox, 2014

February 18, 2014

Board Investigations and the Curse of the Mummy’s Tomb – Part II

Yesterday I began an exploration of a recent article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP. In Part I, I reviewed the authors’ five key objectives, which they believe a board must pursue to ensure a successful investigation. Today, I will look at the authors’ seven considerations to facilitate a successful board investigation.

1. Consider whether you need independent outside counsel

The authors consider that the appearance of partiality “undermines the objectivity and credibility of an investigation.” That means you should not use your regular counsel. The authors cite to the Securities and Exchange Commission (SEC) analysis of how independent board members truly are to explain the need for independent counsel. They state, “the SEC considers the following criteria when determining whether (and how much) to credit self-policing, self-reporting, remediation and cooperation” which will consist of the following factors:

  • Did management, the board or committees consisting solely of outside directors oversee the review?
  • Did company employees or outside persons perform the review?
  • If outside persons, have they done other work for the company?
  • If the review was conducted by outside counsel, had management previously engaged such counsel?
  • How long ago was the firm’s last representation of the company?
  • How often has the law firm represented the company?
  • How much in legal fees has the company paid the firm?

As Andre Agassi might say, ‘perception is reality’.

2. Consider hiring an experienced “investigator” to lead the internal investigation

Noted internal investigation expert Jim McGrath has written and spoken about the need to utilize specialized counsel in any serious investigation. If a board is leading an investigation, I would submit by definition it is serious. The authors say that your investigation needs to be led by a lawyer with significant experience in conducting internal investigations; a strong background in criminal or SEC enforcement; and substantive experience in the particular area of law at issue. These traits are needed so that your designated counsel will think like an investigator, not like an in-house lawyer or civil litigator.

3. Consider the need to retain outside experts

In any Foreign Corrupt Practices Act (FCPA) or other anti-corruption investigation, there will be the need for a wider variety of subject matter experts (SMEs) than a compliance professional. The authors correctly recognize that “if there are accounting issues, forensic accountants might be needed. In this day and age, an electronic discovery consultant is often required, and can be a cost effective option for gathering and processing electronic data for review.” These types of investigations will most probably be cross-border as well and this will require other varieties of expertise. The authors caution that, “The lowest bid may not necessarily be the best for a particular investigation. While cost is important, understand the limitations of each consultant and, with input from your investigator, determine which consultant best meets your goals.”

4. Analyze potential conflicts of interest at the outset and during the investigation

The authors see two types of conflicts of interest that may come to light during an investigation. The first comes up when the law firm or lawyers conducting the investigation are those whose prior legal advice has some bearing on the matters being investigated, because a company’s regular outside lawyers represent the company. During an internal investigation, however, the lawyers may be hired by, and represent, the board or its committee. The second occurs when a lawyer or law firm jointly represents the board and employees at the company, as regulators have become increasingly concerned with joint representations. Moreover, “The trickier question is what to do when there simply is a risk that representing one client could limit the lawyers’ duties to the other.” So in these situations, joint representation may not be appropriate.

5. Carefully evaluate Whistleblower allegations

With the advent of Sarbanes-Oxley (SOX) and Dodd-Frank, whistleblowers have become more important and taking their allegations seriously is paramount. This does not mean trying to find out who the whistleblowers might be to punish or stifle them, even if they are located outside the United States and therefore do not have protections under these laws. They can still get hefty bounties. The authors recognize that “companies run into problems when whistleblower allegations are discounted, if not outright dismissed, especially if the whistleblower has a history of causing trouble or is perceived as incompetent. When this type of whistleblower makes a claim, it is easy to presume ulterior motives.” While such motives might exist, it does not matter one iota when it comes to the investigation, as “Regulators are very wary of boards that do not satisfactorily evaluate a whistleblower’s complaint based on a perception of the whistleblower himself, as opposed to the substance of the complaint.”

6. Request regular updates from outside counsel, without limiting the investigation

These types of investigations are long and very costly. They can easily spin out of cost control. But, by trying to manage these costs, a board might be perceived as placing improper limits on the investigation. The “goal is to strike the right balance between the cost of the investigation and its thoroughness and credibility.” To do so, the authors advise that flexibility is an important ingredient. A board can begin the project with an agreed upon initial scope of work and then “revisit the scope of work as the investigation progresses. If conduct is discovered that legitimately calls for expanding the scope of the investigation, then the board can revisit the issue at that point. Put another way, the scope of what to investigate is not a static, one-time decision. It can, and usually does, evolve.” By seeking regular updates and questioning counsel on what they are doing and why, directors can manage costs, while at the same time ensuring that the investigation is sufficiently thorough and credible.

7. Consider whether an oral report at the conclusion of the investigation is sufficient

While there may be instances in which, due to complexity and the nature of allegations involved, a written report is necessary, the authors believe that there may be times when an oral report delivered to a board is better than a written report, for while “a written report may be easier to follow and appear to be the logical conclusion to an investigation, it is an expensive and time-consuming endeavor, and it comes with great risk.” The authors indicate three reasons for this position.

First, it is much easier to inadvertently waive the attorney-client privilege if a written report is created, and in the wrong hands such a written report may well create “a road map to a plaintiff” in any shareholder action. Second, once those findings and conclusions are written they may become “set in stone. If later information comes to light that impacts the report’s conclusions, altering the conclusions may undermine the credibility of the entire investigation. So, retaining flexibility to change the findings if further information is later learned is a real advantage of an oral report.” Third, and finally, “it takes time to prepare a well-written and thorough report. When an internal investigation must be conducted quickly, spending time to prepare a written report may not be an efficient use of time.” For all of these reasons, and perhaps others, an oral report presented to the board and documented in the Board of Director meeting minutes may be sufficient.

The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.” I would only add that by following some of the prescriptions set out by Bayless and Albarrán your Board might also avoid the fate that befell Lord Carnarvon and the Curse of the Mummy’s Tomb.


© Thomas R. Fox, 2014

February 17, 2014

Board Investigations and the Curse of the Mummy’s Tomb – Part I

On this day in 1923, the tomb of King Tut was opened. It created a worldwide stir that has in many ways continued down into the 21st century. Clearly, the boy ruler influenced Steve Martin (How’d you get so funky?, Funky Tut). Moreover, when the King Tut exhibit first toured the US in the 1970s, it sold out everywhere that it went. And, of course, there was the Curse of the Mummy’s Tomb, which led to some great Universal classic horror pictures. This curse may have killed the dig’s benefactor, Lord Carnarvon, who died just months after entering the tomb in November 1923, but the archeologist who discovered King Tut, Howard Carter, seemingly outlived the curse, dying at the age of 64 on the eve of World War II.

I thought about the techniques employed by these two archeologists in the Curse of the Mummy’s Tomb when I read an article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP. Why the Curse of the Mummy’s Tomb? It is because if a Board of Directors does not handle an investigation right, the consequences can be quite severe. Over the next two posts I will explore the article by Bayless and Albarrán. Today, in Part I, I will review the authors’ five key objectives, which they believe a board must pursue to ensure a successful investigation. Tomorrow, in Part II, I will review the authors’ seven considerations to facilitate a successful board investigation.

The authors recognize that the vast majority of investigations will be handled or directed by in-house counsel. However, if and when such an investigation is needed, it is critical that it be handled with great care and skill. The authors note that “While this task is fraught with peril, there are a number of steps a board can take to ensure that the investigation accomplishes the board’s goals, which will enable it to make informed decisions, and withstands scrutiny by third parties” because it is this third party scrutiny, in the form of regulators, government officials, judges/arbitrators or plaintiffs’ counsel in shareholder actions, who will be reviewing any investigation commissioned by a Board of Directors. The authors believe that there are five key goals that any investigation led by a Board of Directors must meet. They are:

  • Thoroughness – The authors believe that one of the key, and most critical, questions that any regulator might pose is just how thorough an investigation is, to test whether they can rely on the facts discovered without having to repeat the investigation themselves. Regulators tend to be skeptical of investigations where limits are placed (expressly or otherwise) on the investigators, in terms of what is investigated, or how the investigation is conducted. This question can be an initial deal-killer: if the regulator involved views an investigation as insufficiently thorough, its credibility is undermined. And, of course, it can lead to the dreaded ‘Where else’ question.

  • Objectivity – Here the authors write that any “investigation must follow the facts wherever they lead, regardless of the consequences. This includes how the findings may impact senior management or other company employees. An investigation seen as lacking objectivity will be viewed by outsiders as inadequate or deficient.” I would add that in addition to the objectivity requirement in the investigation, the same must be had with the investigators themselves. If a company uses its regular outside counsel, it may be viewed askance, particularly if the client is a high volume client of the law firm involved, either in dollar amounts or in number of matters handled by the firm.
  • Accuracy – As in any part of a best practices anti-corruption compliance program, the three most important things are Document, Document and Document. This means that the factual findings of an investigation must be well supported. For if the developed facts are not well supported, the authors believe that the investigation is “open to collateral attack by skeptical prosecutors and regulators. If that happens, the time and money spent on the internal investigation will have been wasted, because the government will end up conducting its own investigation of the same issues.” This is never good and your company may well lose what little credibility and good will that it may have engendered by self-reporting or self-investigating.
  • Timeliness – Certainly in the world of Foreign Corrupt Practices Act (FCPA) enforcement, an internal investigation should be done quickly. This has become even more necessary with the tight deadlines set under the Dodd-Frank Act Whistleblower provisions. But there are other considerations for a public company, such as an impending Securities and Exchange Commission (SEC) quarterly or annual report that may need to be deferred absent a timely resolution of the matter. Lastly, the Department of Justice (DOJ) or SEC may view delaying an investigation as simply a part of document spoliation. So timeliness is crucial.
  • Credibility – One of the realities of any FCPA investigation is that a Board of Directors led investigation is reviewed after the fact by not only skeptical third parties but also sometimes years after the initial events and investigation. So not only is there the opportunity for Monday-Morning Quarterbacking but quite a bit of post event analysis. So the authors believe that any Board of Directors led investigation “must be (and must be perceived as) credible as to what was done, how it was done, and who did it. Otherwise, the board’s work will have been for naught.”

To help manage these five issues the authors have seven tangible considerations they suggest that a Board of Directors follow to help make an investigation successful. Tomorrow I will review and scrutinize these seven considerations.


© Thomas R. Fox, 2014
