Archie Bunker, Batgirl and the International Fight Against Corruption

This week saw the death of two notables from the television industry, Bud Yorkin and Yvonne Craig. According to his Obituary in the New York Times (NYT), Yorkin rose up the television industry ranks to eventually team with Norman Lear to produce one of the true “pioneering, provocative and singularly successful satirical series” in the history of television, All In The Family, introducing one of the most recognizable characters in all of TV – Archie Bunker. When I say he began at the bottom end of the business: it literally was that, as he began repairing TVs in New York City bars. All In The Family not only broke ground by discussing taboo subjects it also became “the first TV series to top the Nielsen ratings for five consecutive years.”

Yvonne Craig was known, according to her Obituary in the NYT, as the girl “who kept Gotham safe as Batgirl” whom she played in the 1960s TV series Batman. Craig was a classically trained ballerina who brought athleticism and “a scrappy girl-power element” to the series in its third and final season. However, I remember Craig as the green skinned slave girl in the “Whom The Gods Destroy” episode from the original Star Trek series. Her Obituary noted, “She performed a seductive, loose-limbed dance that seemed to nearly overwhelm William Shatner’s red-blooded Captain Kirk, while Leonard Nimoy’s Mr. Spock pronounced it “mildly interesting.””

Interestingly both of these televisions stars inform today’s compliance issue. Yorkin for the way he and his partner Lear held up a mirror, through All In The Family, to address such issues as “racism, sexism, abortion, gay rights and the war in Vietnam, among other television taboos” and Craig, “who kept Gotham safe as Batgirl.” Of course I am referring to the devastating disaster that occurred last week in the Chinese city of Tianjin. A NYT article, entitled “Report Details Role of Political Connections in Tianjin Disaster”, reported that the death toll now stands at 114, with 674 injured and more than 17,000 homes damaged. An unknown number of persons are still missing.

Is anyone really surprised corruption was involved in the tragedy? Enforcement of anti-corruption laws, such as the Foreign Corrupt Practices Act (FCPA), the UK Bribery Act or even Chinese domestic anti-bribery laws, is not a game for corruption can kill. While most corruption leads to economic damage, there have been clear instances where corruption led to the loss of life. The 2013 massacre at the Narobi Westgate shopping mall was clearly a result of corruption in Kenya that allowed guns used in the attack to be illegally smuggled into the country through bribery.

Now it has been reported that corruption led to the disaster in Tianjin. The FCPA Blog, in a post entitled “Report: Tianjin warehouse owners used guanxi to land phony safety licenses”, wrote that “The owners of the warehouse in the port of Tianjin that exploded last week and killed more than 100 people obtained fraudulent safety licenses through their connections with fire and safety officials, China state media said.” The warehouse where the fire started and spread from was illegally holding certain lethal chemicals. The post also noted, “Ruihai International Logistics owned the warehouse. The main shareholders of the company are ex-Sinochem executive Yu Xuewei and Dong Shexuan, the son of a late police chief, VAO News reported.” The FCPA Blog went on to quote the VOA report for the following, “In an interview with the official Xinhua news agency, Dong and Yu admitted to using their connections, or guanxi, with local officials to obtain various fire safety, land, environmental and safety certifications.”

In addition to the illegally stored chemicals, it turns out there should not even have been a warehouse in that location in the first place. In another NYT article, entitled “Report Details Role of Political Connections in Tianjin Disaster”, Dan Levin reported the warehouse itself was not far enough back from the prescribed distance for residential housing. It seemed clear from the confession of the Mayor of Tianjin that he had been involved in the corruption when he stated, “I bear the unshirkable responsibility for this accident as head of the city.”

Another indicia of Chinese corruption had come into play as well. The executives of the company, which owned the warehouse and illegally stored chemicals, Ruihai, hid their ownership interest. The article reported they “had other people list their shares to avoid the appearance of a conflict of interest.”

In yet another NYT article, entitled “Fear of Toxic Air and Distrust of Government Follow Explosions in China” also by Dan Levin, it was noted “Later on Tuesday, China’s anticorruption agency announced on its website that Yang Dongliang, a former deputy mayor of Tianjin who became the head of the State Administration of Work Safety, was under investigation for “suspected violations of party discipline and the law,” a common euphemism for corruption. The Beijing Youth Daily reported, however, that Mr. Yang has been under investigation for a half-year, raising questions about why the case was announced now. Two other officials accused of taking bribes are also under investigation.”

The fallout from this tragedy continues. However, with such widespread corruption many Chinese feel they are not being told the truth and that their government is protecting corrupt officials. Levin said, “Public reflection on man-made tragedies is politically risky for the ruling Communist Party, according to David Bandurski, an editor of the China Media Project at the University of Hong Kong. “The party leadership is very aware that questions of responsibility in a disaster like this can very quickly move to fundamental issues of power and legitimacy,” he said, explaining that in an authoritarian system, “the buck stops with you.” Mr. Bandurski noted that censors had struggled to control the Tianjin narrative because some Chinese journalists had pushed ahead with their own reporting. “This is a very messy story, and for Chinese media, messy means opportunity,” he said.”

The Petrobras scandal in Brazil is bringing into question the government of President Dilma, it could forebode the same in China. Corruption in all its forms is no laughing matter and enforcing anti-corruption laws is no game. While prosecuting companies engaging in bribery and corruption through the hiring of sons and daughters of government officials to retain or garner new business may seem quite a long way from the Westgate Mall massacre or the massive loss of life in Tianjin; they are clearly on a unidimensional continuum.

Just as Archie Bunker put a light up to many of the social ills of his time, the more light you can shine on corruption, the more you can root it out of the shadows. But do not forget to send in Batgirl and those fighting for justice against corruption as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

What Goes Downhill May Go Uphill in FCPA Compliance

Usually the question I am posed is how far down the chain must you go in your due diligence to ensure that your suppliers are in compliance with the Foreign Corrupt Practices Act (FCPA). I would pose that now, after the Petrobras scandal, a company may need to examine the flow in the other direction. I thought about this directional shift when I read an exhaustive report in the Sunday New York Times (NYT) on the Petrobras scandal, entitled “Brazil’s Great Oil Swindle”, by David Segal. The article reviews the genesis of and details the ongoing nature of the Petrobras scandal.

While I have previously written about the other Brazilian companies that have been caught up in the scandal, such as Oderbrecht, Camargo Corrêa and UTC Engenharia, Segal’s article detailed a level of immersion in corruption that should concern every US Company subject to the FCPA and catch the eye of Department of Justice (DOJ) prosecutors handling FCPA cases. It appears that the companies that had direct contracts with Petrobras also colluded in the old-fashioned anti-trust sense, so that not only did they control all the subcontract work done on any Petrobras project but they would also demand bribes from the subcontractors which they then passed up the chain to Petrobras executives and eventually Brazilian politicians. If this scheme turns out to be true, it literally could explode potential FCPA exposure for any US Company doing business on any subcontract where Petrobras was the eventual beneficiary.

Segal reported, “according to prosecutors, these companies stopped competing and started to collaborate. They formed a cartel and decided, in advance, which of them would win a particular deal. A charade competition was orchestrated, and the anointed winner could charge vastly more than it would in a free market.” Further, “A document obtained by prosecutors laid out what it called the “rules of the game.” The trumped-up bidding process was labeled a “sports tournament”, with an assortment of rounds and a “trophy.” There was a no-sore-loser codicil, too: “The teams that participate in a round should honor the rules that have been agreed on, even when they are not the winner.”

But the corruption did not stop simply at these non-Petrobras entities. These companies would demand bribes from their subcontractors that they passed up the line to Petrobras. Segal wrote, “From 1 to 5 percent of the value of a given contract was diverted to those on the receiving end of the scheme, a group that included 50 politicians from six parties, according to prosecutors. Money from cartel members took a circuitous route to politicians’ pockets, passing through ghost corporations whose owners made bribes look like consulting fees.”

Think about all of this for a minute. What happens when everyone and every company associated with a National Oil Company (NOC) is in on the corruption? I thought about this question when I read an article in the Financial Times (FT) by Andres Schipani, entitled “We were terrorized by the drop in oil prices”, where he discussed how the drop in world oil prices has negatively affected Venezuela more than any other top oil producing company. Part of the country’s trouble is the rampant corruption around its NOC PDVSA. Schipani quoted a former minster for the following, “The design of the political economy here only benefits the corrupt.” Moreover, the country is near the bottom of the Transparency International Corruption Perceptions Index (TI-CPI) coming in at 161^st out of 175 countries listed.

Most Chief Compliance Officers (CCOs) and compliance practitioners had focused their third party risk management program around third parties, first on the sales side and then in the Supply Chain (SC). However now companies may well have to look at other relationships, particularly those where the company is a subcontractor involved in a country prone to corruption with a NOC or other key state owned enterprise. Last year the Wall Street Journal (WSJ) in an article entitled “Venezuelan Firm Is Probed In U.S.”, by José De Córdoba and Christopher M. Matthews, reported that a US company ProEnergy Services LLC (ProEnergy), a Missouri based engineering, procurement and construction company, sold turbines to Venezuelan company Derwick Associates de Venezuela SA (Derwick), who provided them to the Venezuelan national power company. The article reported that the DOJ’s “criminal fraud section are reviewing actions of Derwick and ProEnergy for possible violations of the Foreign Corrupt Practices Act”. Derwick was reported to have been “awarded hundreds of millions of dollars in contracts in little more than a year to build power plants in Venezuela, shortly before the country’s power grid began to sputter in 2009”. All of this with a commission rate paid by ProEnergy to Derwick of a reported 5%.

The Brazilian investigation poses far more dire consequences for any US Company that did business with the cartel of Brazilian companies that had locked up the Petrobras work. It means that you need to go back immediately and not only review the underlying due diligence which you did (probably none); then review the contracts with those entities; and, finally, cross-reference to see if there were any contract over-charges which were rebated back to the cartel members. If so, you may well have a serious problem on your hands as any unwarranted rebates, refunds, customer credits or anything else that could have been readily converted into cash to be used to fund a bribe.

This second part is one thing that challenges many compliance officers. The compliance function does not always have visibility into the transactions assigned to specific contracts or projects like your company might be engaged in for Petrobras in Brazil. However it also speaks to the need for transaction monitoring as not simply a cutting edge technique or even best practice but a required financial controls tool that is also applicable to compliance internal controls as well.

As Brazilian prosecutors expand ever outward from Petrobras, US companies subject to the FCPA and UK companies and others subject to the UK Bribery Act would do well to review everything around their Brazilian operations, contracts and dealings. The Petrobras scandal has shown two clear trends to-date. First is that we are far from the end of this scandal. Second, the prosecutors have been fearless so far in following the corruption trail wherever it may go. If they follow it to US companies, they could prosecute them on their own in Brazil for violation of domestic anti-bribery and anti-corruption laws or turn the evidence over to the DOJ. The thing to do now is to get out ahead of this all too certain waterfall.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Great Structures Week I: Vitruvius, the Brooklyn Bridge and Compliance

I recently completed a course from The Teaching Company, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. It was a wonderful learning experience about some of the world’s greatest structures and the development of structural engineering throughout history. As I worked my way through the course, it occurred to me that many structural engineering concepts are apt descriptors for an anti-corruption compliance program. So today, I will begin the ‘Great Structures Week’ as an entrée into an appropriate topic for your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption/anti-bribery compliance program. Each day I will discuss a structural engineering concept together with one my favorite examples from Professor Ressler’s course.

To open the series I will consider what makes a structure great. Marcus Vitruvius Pollio (Vitruvius) was a Roman author, architect, and civil engineer during the 1st century BC, known for his work entitled De Architectura. Vitruvius is famous for proclaiming that a structure must exhibit the three qualities of firmitas, utilitas and venustas, meaning that it must be solid, useful and beautiful. These are sometimes termed the Vitruvian Triad and today these are loosely translated that great constructions must have form, function or structure. Form is the arrangement of space and harmony. Function is the measure of usefulness. Structure contains innovative techniques in its creation.

My favorite example of a structure that incorporates all three of these concepts is the Brooklyn Bridge. The beauty of the form follows the functions of the scientific principles that underlie the bridge’s structure. As Ressler noted “Each element of the form of the Brooklyn Bridge serves a structural purpose based on mathematical principles.” First the form itself is one of great beauty. The function remains the same, even if the modes of transport have evolved; the Bridge was designed to carry people from Brooklyn to Manhattan. Yet as Ressler notes, “beyond the aesthetic, these features are a direct reflection of the scientific principles underlying the bridge’s design. They are, in a word, structure – a system of load carrying elements that cause the bridge to stand up.” We have a graceful and elegant design, which operates to safely conduct people over the Hudson River, through an engineering design that allows the structure to act as intended.

This convergence of Vitruvius’ tripartite view of what makes a great structure is an appropriate analogy for a best practices anti-corruption compliance program to facilitate compliance with the FCPA, UK Bribery Act or similar regime. Over the years both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear that each company should have a compliance program that fits its needs. Indeed, in the FCPA Guidance, it could not have been made clearer when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program.” The Guidance goes on to state the obvious when it notes, “companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations”.

The Guidance goes on to note, “Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

Yet when viewed through Vitruvius’ prism, it is clear that an anti-corruption compliance program is much more holistic, with form, function and structure. A good compliance program is really about good financial controls. I think this is one outlook of FCPA compliance which is not discussed enough. Stanley Sporkin, in many ways the progenitor of the law, recognized that if a company was going to engage in corruption it would have to hide such activity through falsified books and records. Hence, he articulated the basis for having the accounting provisions included when Act was originally written and enacted into law. These provisions include both the books and records provision and the internal controls provision. The Guidance says, “the accounting provisions ensure that all public companies account for all of their assets and liabilities accurately and in reasonable detail”. So the form of a compliance program should be largely in financial controls that are baked into a company.

The formula of a compliance program can follow several forms. It can be based on the Ten Hallmarks of an Effective Compliance Program from the FCPA Guidance, the Six Principles of Adequate Procedures as contemplated by the UK Bribery Act; the OECD 13 Good Practices or other formulations such as the Five Elements of an Effective Compliance Program developed by Stephen Martin and Paul McNulty from the law firm of Baker & McKenzie. The form of any of these articulations meets the Vitruvius definition.

Next is the function. Here I think it is appropriate to consider what the FCPA Guidance says regarding internal controls, that being “Internal controls over financial reporting are the processes used by compa­nies to provide reasonable assurances regarding the reliabil­ity of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organi­zation regarding integrity and ethics; risk assessments; con­trol activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitor­ing.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” This language points to function of any best practices compliance program, to make the company a better-run company.

Finally, in the area of structure it is incumbent to recall that any best practices anti-corruption compliance program continues to evolve. It evolves with technological innovations such as transaction or continuous controls monitoring. But a compliance program must evolve as your company evolves. Changing commercial realities and conditions can create new or increased FCPA compliance risks. Your compliance program needs to be able to detect, assess and manage new risk as your business creates new products; moves into new territories or develops new sales channels. The FCPA Guidance states, “They are dynamic and evolve as the business and the markets change.” To do so, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its custom­ers, the laws that govern its actions, and the standards of its industry.”

For a review of what goes into a best practices compliance program, I would suggest you check out my book, entitled “Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program”, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Doing Compliance – Released in Amazon Kindle and Apple iBook Formats

I am extraordinarily pleased to announce that Compliance Week has released my most recent hardbound book, Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program, in both Amazon Kindle and Apple iBook formats. Of course you can also purchase a hard copy to keep on your reference shelf as well. It is the book that a compliance practitioner should use as a one-volume reference for the everyday ‘Nuts and Bolts’ work of anti-corruption compliance.

Just as the world becomes more flat for business and commercial operations, it is also becoming so for anti-corruption and anti-bribery enforcement. Any company that does business internationally must be ready to deal with a business environment with these new realities. Doing Compliance is designed to be a one-volume work that will give to you some of the basics of creating and maintaining an anti-corruption and anti-bribery compliance program that will meet any business climate you face across the globe. The book format is an easy reference to assist you with your compliance program and I have based my discussion of a best practices compliance program on what the Criminal Division of the US Department of Justice (DOJ) and Enforcement Division of the Securities and Exchange Commission (SEC) set out in their jointly produced “A Resource Guide to the U.S. Foreign Corrupt Practices Act” (the FCPA Guidance) and the “Ten Hallmarks of an Effective Compliance Program”.

The FCPA Guidance wisely made clear that there is no ‘one-size-fits-all’ approach when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors.” Thus, the book is written to provide insight into the aspects of compliance programs that the DOJ and SEC assess, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs.

The book has struck a cord with other well-known figures in the compliance community. Professor Andy Spalding, writing in the FCPA Blog, in a post entitled “Book Review: Tom Fox’s Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program”, said, “Compliance must be thorough, systematic, and highly attentive to detail. But no one ever said it had to be boring. And Tom Fox has proven this yet again. His Doing Compliance provides the most sophisticated and comprehensive compliance guidance available, with a delivery that is witty, lively, and even entertaining.”

The FCPA Professor, in a post entitled “Doing Compliance” – An FCPA Compliance Toolbox”, said, “Fox approaches the FCPA and related topics with a singular goal in mind: analyzing and articulating the vast body of literature on FCPA best practices in a digestible, practical, and workable way to be of value to compliance professionals in the field. In short, Fox is the “nuts and bolts” guy of FCPA compliance who not only offers his own insight and perspective on best practices, but also effectively aggregates the insights and perspectives of others. Fox’s latest book is “Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program” and in it he provides, in his words, “the basics of how to create and maintain an anti-corruption and anti-bribery compliance program to suit any business climate across the globe.” The nine chapters of the book are grouped around topics such as senior management commitment to compliance; written policies and procedures; conducting a risk assessment; training; hiring and other human resources issues; reporting and investigation; and merger and acquisition due diligence. “Doing Compliance” is peppered with many helpful checklists and factors that compliance professionals can use on a daily basis to implement, assess and improve FCPA compliance policies and procedures.”

This book does not discuss the underlying basis of the FCPA, the UK Bribery Act or any other anti-corruption or anti-bribery legislation. The book is about doing business in compliance with these laws. As with all Americans, I appreciate any list that is deca-based, so the format of 10 hallmarks resonates with me. I have used this basic ten-part organization in laying out what I think you should consider in your anti-corruption and anti-bribery compliance program. In addition to presenting my own views in these areas, I also set out the views of both FCPA practitioners and commentators from other areas of business study and review, including Mike Volkov, the FCPA Professor, David Lawler, Stephen Martin, Marjorie Doyle, Russ Berland and Scott Moritz, and many others.

If there is one book on the ‘Nuts and Bolts’ of how to design, create and implement a best practices compliance program, I submit to you this is the one. I hope that you will check it out in one of the new formats now available. Finally, the price is set at a very reasonable $69.95 so if you are a Chief Compliance Officer (CCO) or General Counsel (GC), you can purchase an entire set for your compliance team. You can even buy them for your friends and family if you want them to have a better understanding of what you do at work!

To purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program click on one of the links below:

 Hard copy

Amazon Kindle

 Apple iBook

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Ruth Rendell and Developing Better Compliance Solutions

Ruth Rendell died this past weekend. Along with Patricia Cornwell, she was one of the two greatest mystery writers for the past couple of decades. I thoroughly enjoyed her books which, as her New York Times (NYT) obituary said, were “intricately plotted mystery novels that combined psychological insight, social conscience and, not infrequently, teeth-chattering terror.” For a mystery writer, it does not get much better than those accolades. Another crime writer, the Scottish author Val McDermid, was quoted in the NYT that Rendell and P.D. James “transformed what had become a staid and formulaic genre into something that offered scope for a different kind of crime novel. In their separate ways they turned it into a prism for examining the world around them with a critical eye.” Rendell was truly an innovator and a one-of a-kind.

One of the things that Rendell continually challenged was our human bias. I thought about her writing when I read a recent article in the May issue of the Harvard Business Journal (HBJ), entitled “Outsmart Your Own Biases”, authored by Jack B. Soll, Katherine L. Milkman and John W. Payne. I found the article to have some interesting insights for the Chief Compliance Officer (CCO) or compliance practitioner. While noting that using your instincts is something we all engage in and can use to our benefit, the authors believe that “It can be dangerous to rely too heavily on what experts call System 1 thinking – automatic judgments that stem from associations stored in memory – instead of logically working through information that’s available.”

The authors believe the problem is that “Cognitive biases muddy our decision making… and even when we try to use reason, our logic is often lazy or flawed.” They cite the cause of this problem to be that “Instead of exploring risks and uncertainties, we seek closure – it’s much easier. This narrows our thinking about what could happen in the future, what our goals are, and how we might achieve them.” Finally, as a solution they suggest, “By knowing which biases tend to trip us up and using certain tricks and tools to outsmart them, we can broaden our thinking and make better choices.”

The authors suggest that to “debias” your decisions, you must broaden your perspective on three fronts. These are (1) thinking about the future, rather then simply one objective; (2) thinking about objectives, rather than simply the circumstances in front of you; and (3) thinking about options, rather than thinking in isolation.

Thinking About the Future

This is more than simply hedging your bets. The authors believe that “Because most of us tend to be highly overconfident in our estimates, it’s important to “nudge” ourselves to allow for risk and uncertainty.” They suggest that you use the four following techniques. (1) Make three estimates. The author’s state, “To improve your accuracy, work up at least three estimates—low, medium, and high—instead of just stating a range. People give wider ranges when they think about their low and high estimates separately, and coming up with three numbers prompts you to do that.” (2) Think twice. They suggest that you should “make two forecasts and take the average” because they believe that “when people think more than once about a problem, they often come at it with a different perspective, adding valuable information. So tap your own inner crowd and allow time for reconsideration: Project an outcome, take a break (sleep on it if you can), and then come back and project another.” (3) Use premortems. I found this exercise very interesting. The authors explained, “In a premortem, you imagine a future failure and then explain the cause. This technique, also called prospective hindsight, helps you identify potential problems that ordinary foresight won’t bring to mind.” (4) Take an outside view. Here, “You need to complement this perspective with an outside view—one that considers what’s happened with similar ventures and what advice you’d give someone else if you weren’t involved in the endeavor.”

Thinking About Objectives

The authors believe that too often, “people unwittingly limit themselves by allowing only a subset of worthy goals to guide them, simply because they’re unaware of the full range of possibilities.” You should generate objectives and you can work to sort through them as you progress because by “Articulating, documenting, and organizing your goals helps you see those paths clearly so that you can choose the one that makes the most sense in light of probable outcomes.”

The authors suggest two steps will help to ensure that you are “reaching high – and far – enough with your objectives.” First is that you should seek the advice of others, however you should “Outline objectives on your own before seeking advice so that you don’t get “anchored” by what others say. And don’t anchor your advisers by leading with what you already believe… If you are making a decision jointly with others, have people list their goals independently and then combine the lists.” Second you should cycle through your objectives by tackling them one at a time because by “looking at objectives one by one rather than all at once helps people come up with more alternatives. Seeking a solution that checks off every single box is too difficult—it paralyzes the decision maker.”

Thinking About Options

Here the authors believe you should have a “critical mass of options to make sound decisions, you also need to find strong contenders—at least two but ideally three to five.” They note, “Unfortunately, people rarely consider more than one at a time. Managers tend to frame decisions as yes-or-no questions instead of generating alternatives.” The authors also believe that corporate groupthink tends to avoid a loss rather than reaching for a win. To overcome this, they suggest two techniques.

First you should perform a joint evaluation because evaluating options in isolation do not ensure the best outcomes. They write, “A proven way to snap into joint evaluation mode is to consider what you’ll be missing if you make a certain choice. That forces you to search for other possibilities… That simple shift to joint evaluation highlights what economists call the opportunity cost—what you give up when you pursue something else.” Second they propose you should use the “vanishing-option test” which requires you to “Assume you can’t choose any of the options you’re weighing and ask, “What else could I do?” This question will trigger an exploration of alternatives… That might prompt you to consider investing in another region instead, making improvements in your current location, or giving the online store a major upgrade. If more than one idea looked promising, you might split the difference.”

Why is all this important for the CCO or compliance practitioner? It is because we are presented with options that appear to be simply Go/No Go or even one-off decisions. A Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption program should require a variety of responses. Just as all risks are different, the management of risks can be handled differently. As a CCO or compliance practitioner you cannot be Dr. No living in the Land of No; you must be proactive to come up with solutions to help your business unit folks to no only do business in compliance with the relevant laws but to actually do business. Just as Ruth Rendell was able to weave an intricate story line into the traditional mystery format, you, as the CCO or compliance practitioner, should be able come up with solutions to the compliance issues that you face.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

King Arthur Week – the Pentecostal Oath and Code of Conduct – Part II

One thing for which King Arthur is remembered are his chivalric knights. He helped create this legend, in large part, by establishing a Code of Conduct for the Knights of the Round Table. The King required each one of them to swear an oath, called the Pentecostal Oath, which was Arthur’s ideal for a chivalric knight. The Oath stated, “The king established all his knights, and gave them that were of lands not rich, he gave them lands, and charged them never to do outrageousity nor murder, and always to flee treason; also, by no mean to be cruel, but to give mercy unto him that asketh mercy, upon pain of forfeiture of their worship and lordship of King Arthur for evermore; and always to do ladies, damosels, and gentlewomen succor upon pain of death. Also, that no man take no battles in a wrongful quarrel for no law, ne for no world’s goods. Unto this were all the knights sworn of the Table Round, both old and young. And every year were they sworn at the high feast of Pentecost.” (Le Morte d’Arthur, pp 115-116)

Interestingly, the Oath first appeared in Sir Thomas Malory’s Le Morte d’Arthur and in none of the prior incarnations of the legend. In Malory’s telling, after the Knights swore the Oath, they were provided titles and lands by the King. The Oath specifies both positive and negative conduct; that is, what a Knight might do but also what conduct he should not engage in. The Pentecostal Oath formed the basis for the Knight’s conduct at Camelot and beyond. It was clearly a forerunner of today’s corporate Code of Conduct.

The foundational document of any Foreign Corrupt Practices Act (FCPA) compliance program is its Code of Conduct. This requirement has long been memorialized in the US Sentencing Guidelines, which contain seven basic compliance elements that can be tailored to fit the needs and financial realities of any given organization. From these seven compliance elements the Department of Justice (DOJ) has crafted its minimum best practices compliance program, which is now attached to every Deferred Prosecution Agreement (DPA) and Non-Prosecution Agreement (NPA). These requirements were incorporated into the 2012 FCPA Guidance. The US Sentencing Guidelines assume that every effective compliance and ethics program begins with a written standard of conduct; i.e. a Code of Conduct. What should be in this “written standard of conduct”.

Element 1

Standards of Conduct, Policies and Procedures (a Code of Conduct)

An organization should have an established set of compliance standards and procedures. These standards should not be a “paper only” document, but a living document that promotes organizational culture that encourages “ethical conduct” and a commitment to compliance with applicable regulations and laws.

In the FCPA Guidance, the DOJ and Securities and Exchange Commission (SEC) state, “A company’s code of conduct is often the foundation upon which an effective compliance program is built. As DOJ has repeatedly noted in its charging documents, the most effective codes are clear, concise, and accessible to all employees and to those conducting business on the company’s behalf.” Indeed, it would be difficult to effectively implement a compliance program if it was not available in the local language so that employees in foreign subsidiaries can access and understand it. When assessing a compliance program the DOJ and SEC will review whether the company chapter has taken steps to make certain that the code of conduct remains current and effective and whether a company has periodically reviewed and updated its code.

In each DPA and NPA over the past 36 months the DOJ has stated the following as item No. 1 for a minimum best practices compliance program.

1. Code of Conduct. A Company should develop and promulgate a clearly articulated and visible corporate policy against violations of the FCPA, including its anti-bribery, books and records, and internal controls provisions, and other applicable foreign law counterparts (collectively, the “anti-corruption laws”), which policy shall be memorialized in a written compliance code.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.”

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

As I often say, the three most important things about your FCPA compliance program are ‘Document, Document and Document’. The same is true of communicating your company’s Code of Conduct. You need to do more than simply put it on your website and tell folks it is there, available and that they should read it. You need to document that all employees, or anyone else that your Code of Conduct is applicable to, has received, read, and understands the Code. For employees, it is important that a representative of the Compliance Department, or other qualified trainer, explains the standards set forth in your Code of Conduct and answers any questions that an employee may have. Your company’s employees need to attest in writing that they have received, read, and understood the Code of Conduct and this attestation must be retained and updated as appropriate.

The DOJ expects each company to begin its compliance program with a very public and very robust Code of Conduct. If your company does not have one, you need to implement one forthwith. If your company has not reviewed or assessed their Code of Conduct for five years, I would suggest that you do in short order as much has changed in the compliance world.

What is the value of having a Code of Conduct? I have heard many business folks ask that question over the years. In its early days, a Code of Conduct tended to be lawyer-written and lawyer-driven to “wave in a defense situation” by claiming that “see we have one”. But is such a legalistic code effective? Is a Code of Conduct more than simply, your company’s law? What is it that makes a Code of Conduct effective? What should be the goal in the creation of your company’s Code of Conduct?

Just as the Pentecostal Oath was required to be sworn out each year, you should have your employees recertify their adherence to your Code of Conduct. Moreover, just as King Arthur set his expectations for behavior your company should do so as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Brazilian Corruption Scandal Expands Past Petrobras – Is a FCPA Country Sweep Next?

The Brazilian corruption scandal took a new turn last week, when the Brazilian government announced that it was investigating the country’s health ministry and the state-owned bank Caixa Econômica Federal (Caixa). As reported by Rogerio Jelmayer and Luciana Magalhaes in the Wall Street Journal (WSJ), in an article entitled “Corruption Scandal in Brazil Gets Bigger”, the schemes were similar to those used in the Petrobras scandal, where inflated contracts were awarded to contractors who kick backed the overcharges to those in position to award the business.

This expansion of Brazilian government investigation is also the first reported instance of companies outside the energy sector or those doing business with the Brazilian state-owed enterprise Petrobras being investigated by the Brazilian government. Over the years there have been several Foreign Corrupt Practices Act (FCPA) enforcement actions regarding US companies doing business in Brazil. With this expansion of the Petrobras corruption scandal to other government departments and state-owned entities, a new chapter may be opening. This new chapter may bring not only Brazilian domestic bribery and corruption scrutiny but also draw the attention of US or UK regulators, such as the Department of Justice (DOJ), Securities and Exchange Commission (SEC) or the UK Serious Fraud Office (SFO).

In the health ministry the area of contracts under investigation were those for advertising. The WSJ article said, “the cost of advertising contracts was inflated by as much as 10%, prosecutors said, with the surplus also passed along to politicians. The health ministry said all its advertising contracts meet the legal requirements, and it will investigate the allegations and cooperate with police and prosecutors.” It certainly is comforting when the government says it will cooperate with investigators.

But perhaps more interesting was the timing of the allegations against the country’s third largest state-owned bank Caixa. While the allegations around the scope and extent of the bribery were similar to those made against the Brazilian health ministry, the declarations of these new investigations coincided with the announcement last week by the government Finance Minister Joaquim Levy and Caixa Chief Executive Officer (CEO) Miriam Belchior for “an initial public offering [IPO] in the insurance joint venture it has with French insurer CNP Assurances.”

What do you think the comfort level will be for institutional investors about now in this IPO? I wonder if under IPO rules and regulations in Brazil, whether the CEO must certify either the financial statement as accurate or that there is no evidence of corruption in the organization? Even those in Brazil recognize the gravity of these allegations against Caixa. Luis Santacreu, a banking analyst at the Brazilian rating agency Austin Ratings, said that he thought this announcement would make the IPO more difficult and “the allegations against Caixa show it needs to improve its governance.”

These two developments demonstrate the difficulties that international companies may have in doing business in Brazil going forward. It is not difficult to believe that a country sweep on those doing business in Brazil, with the Brazilian government or with Brazilian state-owned enterprises, may well be coming. Given the recent 2014 World Cup and the upcoming 2016 Olympics, it would not seem too great a stretch for the DOJ or SEC to begin to look at US companies with significant amounts of commerce with and in Brazil.

While we have not seen evidence of country sweeps to-date, there has been evidence of industry sweeps in FCPA enforcement. The FCPA Professor, in a blog post entitled “Industry Sweeps”, posted an article from FCPA Dean Homer Moyer, entitled “The Big Broom of FCPA Industry Sweeps”. In his article, Moyer said that an industry sweep is the situation where the DOJ and/or SEC will focus “on particular industries – pharmaceuticals and medical devices come to mind — industry sweeps are investigations that grow out of perceived FCPA violations by one company that enforcement agencies believe may reflect an industry-wide pattern of wrongdoing.” Moyer further wrote, “Industry sweeps are often led by the Securities and Exchange Commission (“SEC”), which has broad subpoena power as a regulatory agency, arguably broader oversight authority than prosecutors. They are different from internal investigations or traditional government investigations, and present different challenges to companies. Because the catalyst may be wrongdoing in a single company, agencies may have no evidence or suspicion of specific violations in the companies subject to an industry sweep. A sweep may thus begin with possible cause, not probable cause. In sweeps, agencies broadly solicit information from companies about their past FCPA issues or present practices. And they may explicitly encourage companies to volunteer incriminating information about competitors.”

As a compliance professional, one of the key takeaways from the Brazilian corruption scandal is that you should take a very hard and detailed look at your company. With the spread of Brazilian investigations around corruption, we can see that these scandals are not be limited to only the energy or energy-related service industry. One of the first things you can begin to do is to review the list of third parties who might work with the Brazilian government or with Brazilian state-owned enterprises. You should begin by asking such questions as:

• What is the ownership of the third party? Is there a business justification for the relationship?
• Is there anyone in the company who is responsible for maintaining the relationship? Is there ongoing accountability?
• How is the relationship being managed?
• Are you engaging in any transaction monitoring?
• Are you engaging in any relationship monitoring?
• What is the estimated or budgeted size of the spend with the third party?

While the GlaxoSmithKline PLC (GSK) investigation has reverberated throughout the China, I think that the Brazilian corruption scandals will be with us for some time. As bad as it seems about now, and it certainly appears bad, there are many lessons that the compliance practitioner can not only draw from but use for teaching moments within your company. For if you are doing business with the Brazilian government or with Brazilian state-owned enterprises it may not be “if you are subject to a FCPA sweep” but only “when”.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Supply Chain as a Source of Compliance Innovation

On this day we celebrate the greatest upset in the history of the NCAA Basketball Tournament, when Villanova beat Georgetown for the 1985 national championship. Georgetown was the defending national champion and had beaten Villanova at each of their regular season meetings. In the final the Wildcats shot an amazing 79% from the field, hitting 22 of 28 shots plus 22 of 27 free throws. Wildcats forward Dwayne McCain, the leading scorer, had 17 points and 3 assists. The Wildcats’ 6’ 9” center Ed Pinckney outscored 7’ Hoyas’ center, Patrick Ewing, 16 points to 14 and 6 rebounds to 5 and was named MVP of the Final Four. It was one of the greatest basketball games I have ever seen and certainly one for the ages.

I thought about this game when I read an article in the most recent issue of Supply Chain Management Review by Jennifer Blackhurst, Pam Manhart and Emily Kohnke, entitled “The Five Key Components for SUPPLY CHAIN”. In their article the authors asked “what does it take to create meaningful innovation across supply chain partners?” Their findings were “Our researchers identify five components that are common to the most successful supply chain innovation partnerships.” The reason innovation in the Supply Chain is so important is that it is an area where companies cannot only affect costs but can move to gain a competitive advantage. To do so companies need to see their Supply Chain third parties as partners and not simply as entities to be squeezed for costs savings. By doing so, companies can use the Supply Chain in “not only new product development but also [in] process improvements”.

I found their article resonated for the compliance professional as well. It is almost universally recognized that third parties are your highest Foreign Corrupt Practices Act (FCPA) risk. What if you could turn your Supply Chain from being considered a liability under the FCPA to an area that brings innovation to your compliance program? This is an area that not many compliance professionals have mined so I think the article is a useful starting point. The authors set out five keys to successful innovation spanning Supply Chain partners. They are: “(1) Don’t Settle for the Status Quo; (2) Hit the Road in Order to Hit Your Metrics; (3) Send Prospectors Not Auditors; (4) Show Me Yours and I’ll Show You Mine; and (5) Who’s Running the Show?”

Don’t Settle for the Status Quo

This means that you should not settle for simply the status quo. Innovation does not always come from a customer or even an in-house compliance practitioner. Here the key characteristics were noted to be “cooperative, proactive and incremental”. The authors emphasize that “you need to be leading the innovation change rather than catching up from behind.” If a company in your Supply Chain can suggest a better method to do compliance, particularly through a technological solution, it may be something you should well consider.

Hit the Road in Order to Hit Your Metrics

To truly understand your compliance risk from all third parties, including those in the Supply Chain, you have to get out of the ivory tower and on the road. This is even truer when exploring innovation. You do not have hit the road with the “primary goal to be the inception point for innovation” but through such interactions, innovation can come about “organically”. There is little downside for a compliance practitioner to go and visit a Supply Chain partner and have a “face-to-face meeting simply to get to know the partner better and more precisely identify that partner’s needs.”

Send Prospectors Not Auditors

While an audit clause is critical in any Supply Chain contract, both from a commercial and FCPA perspective, the authors believe that “Too often firms use supply chain managers as auditors when they are dealing with supply chain partners.” The authors call these types of managers “innovation partners.” Every third party should have a relationship manager, whether that third party is on the sales side or the Supply Chain side of the business. Moreover, the innovation partners are “able to see synergies where [business] partners can work together for the benefit of everyone involved.”

Show Me Yours and I’ll Show You Mine

Here the authors note, “Trust plays an extremely important role in supply chain innovation. Firms in successful innovations discussed a willingness to share resources and rewards and to develop their partners’ capabilities.” The authors believe that “Through the process of developing trust, firms understand their partner’s strategic goals.” I cannot think of a more applicable statement about FCPA compliance. Another way to consider this issue is that if your Supply Chain partner has trust in you and your compliance program, they could be more willing to work with you on the prevent and detect prongs of compliance regimes. Top down command structures may well be counter-productive.

Who’s Running the Show?

I found this point particularly interesting as for the authors, this prong means “who is doing what, but also what each firm is bringing to the relationship in terms of resources and capabilities.” In the compliance regime it could well lead to your Supply Chain partner taking a greater role in managing compliance in a specific arena or down a certain set of vendors. Your local Supply Chain partner might be stronger in the local culture, which could allow it to lead to collaborations by other vendors in localized anti-corruption networks or roundtables to help move the ball forward for doing business in compliance with the FCPA or other anti-corruption laws such as the UK Bribery Act.

The authors ended by remarking, “we noticed that leveraging lean and process improvement was mentioned by virtually every firm.” This is true in the area of process improvement, which is the essential nature of FCPA compliance. Another interesting insight from the authors was that utilization can increase through such innovation in the Supply Chain. Now imagine if you could increase your compliance process performance by considering innovations from your Supply Chain third parties? The authors conclude by stating that such innovation could lead to three “interesting outcomes 1) The trust and culture alignment is strengthened through the partnership innovation process leading to future innovations and improvement; 2) firms see what is needed in terms of characteristics in a partner firm so that they can propagate the success of prior innovations to additional partners; 3) by engaging supply chain partners as innovation partners, both sides reap rewards in a low cost, low risk, highly achievable manner.” With some innovation Villanova coach Rollie Massimino led his team over the prohibitive favorite Georgetown, and you may be able to tap into a resource immediately available at your fingertips, your Supply Chain.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Farewell to Mr. Spock and Risk Assessment Under COSO

Leonard Nimoy died last Friday. He will be forever associated with the role of Mr. Spock in the original Star Trek television show which premiered in 1966. The original series ran for only three years but had a full life in syndication up through this day. He also reprised the role in six movies featuring the crew of the original series and in the recent reboot.

Mr. Spock was about a personal character for me as I ever saw on television. For a boy going through the insanity of adolescence and the early teen years, I found Mr. Spock and his focus on logic as a way to think about things. He pursued this path while dealing with his half human side, which compelled emotions. This focus also led me to explore Mediations by Marcus Aurelius. But more than simply logic and being a tortured soul, Mr. Spock and his way looking at things and Star Trek with its reach for the stars ethos inspired me when it came out and still does to this day.

Mr. Spock and his pursuit of logic inform today’s blog post. Every compliance practitioner is aware of the need for a risk assessment in any best practices compliance program; whether that program is based on the US Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other compliance law or regime. While the category of risk assessment is listed as Number 3 in the Ten Hallmarks of an Effective Compliance Program in the FCPA Guidance, both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) intone that your compliance journey begins with a risk assessment for two basic reasons. The first is that you must know the corruption risks your company faces and second, a risk assessment is your road map going forward to manage those risks.

Interestingly Risk Assessment is the second objective in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Cube. In its volume entitled “Internal Control – Integrated Framework”, herein ‘the Framework Volume’, it recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner none of this will sound new or even insightful, however the COSO Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume says that “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider both internal and external changes which can effect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and changes that its business model may make in the delivery of goods or services which could increase risk of running afoul of these laws.

The objective of Risk Assessment consists of four principles. They are:

Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”

Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”

Principle 8 – “The organization considers the potential for fraud in assessment risks to the achievement of objectives.”

Principle 9 – “The organization identifies and assesses changes that could significantly impact the system of internal control.”

Principle 6 – Suitable Objectives 

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words your objectives should form the basis on which your risk assessments are approached.

Principle 7 – Identifies and Analyzes Risk 

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third party contracting and payments and even fraudulent over-charging and pocketing of the differences in sales price. This means that is should be considered as an important risk analysis. It is important that any company follow the flow of money and if the Fraud Triangle is present, management be placed around such risk.

Principle 9 – Identifies and Analyzes Significant Change

It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives. Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.

Today’s blog post is a tribute to Mr. Spock as he, Star Trek and its characters continue to teach us lessons which we can apply in business going forward. It is the process of compliance which informs your program going forward. A risk assessment is recognized by sources as diverse as the DOJ, SEC and COSO as a necessary step. Just as Mr. Spock, the Science Officer onboard the Enterprise, was required to assess the risk to the ship and crew from a scientific perspective, a risk assessment can give you the tools to not only assess the corruption compliance risk to your company but a road map to managing that risk. So farewell to my long time friend Mr. Spock, you gave to me more than I ever gave back to you. I can think of no more fitting tribute to Spock than to say Live Long and Prosper.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Doing Less with Less and the Unification of Germany

I am attending the SCCE Utilities and Energy Conference in Houston this week. As usual, the SCCE has put on a great event for the compliance practitioner. This year there is live blogging by Kortney Nordum so there should be much about the conference up on the SCCE blogsite, this week and into the future. Lizza Catalano has put together a first rate program for compliance practitioners of many stripes. As an added benefit, SCCE Chief Executive Officer (CEO) Roy Snell has brought some cold weather down to Houston for the event for our late February enjoyment. While it was 80 on Saturday, today is was a balmy 36 courtesy of our Minnesotan guests.

As you might guess the current economic downturn is on everyone’s mind and a subject of much conversation. Last week I wrote a post about the depression of oil and gas prices in the energy space and some of the increased Foreign Corrupt Practices Act (FCPA) or other anti-corruption risks that might well arise from this economic downturn. Over the next couple of days, I want to explore how a Chief Compliance Officer (CCO) or compliance practitioner might think through responses to this increased compliance risk. Today I will focus on doing less with less. Tomorrow I will suggest some technological solutions.

I have been around long enough to see more than one of these economic events in the energy space. While not suggesting that we Texans never learn not to repeat our mistakes, they do seem to have a pattern. Prices drop precipitously, companies who are overstocked, over-leverage or generally over-panic; over-react and cut head count and spending dramatically to some level that is not based on rational economic analysis. Then they get some handle on where the numbers might be heading and the cuts start to flatten out and some type of equilibrium is reached.

Right now, in the energy space, we are in the cutting phase. That means loss of personnel (head count) and loss of resources even if it was calculated last year based on a summer or fall 2014 economic projection in your annual budgeting process. This means one thing you will need get for a quarter or two will be financial resources to place the personnel your compliance function may have lost. This means that you will have to figure out a way to accomplish more with fewer resources. While I often advocate that the compliance function can and should draw on other disciplines such as Human Resources (HR), IT, Internal Audit and Marketing for support; those functions have most probably been ‘right-sized’ as well so they may not be able to assist the compliance function as much they could have previously.

Now would be a very good time to put into practice what Dresser-Rand CCO Jan Farley often says, “Don’t sweat the small (compliance) stuff.” Farley often speaks about the need not to waste your scarce compliance resources on areas or matters that are low compliance risks. But to do this, you need to understand what are your highest compliance risks. Since you will not have additional resources to perform such an analysis, I would suggest now would be a very good time for you to assess your compliance program and your business model to see what are your highest risks. If you believe there are several, you can fprioritize them. This exercise will give you the basis to deliver your ever-scarcer compliance resources to your highest risk areas.

While I do not believe the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will be sympathetic to some unsubstantiated claim along the lines of ‘I did my best with what I had’; they also made clear in the FCPA Guidance that “An effective compliance program promotes “an orga­nizational culture that encourages ethical conduct and a commitment to compliance with the law.” Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” (emphasis supplied)

So while the DOJ and SEC will not accept you bald-faced claims that our company simply did not have the money to spend on compliance, they will most-probably consider a compliance program where you have looked at your risks, in the context of this economic downturn, and delivered the compliance resources you do have to those risks. But the key is Document, Document, and Document your decision-making calculus and your implementation. (Stephen Martin would probably add here that if your annual spend on Yellow Post-It Notes is a factor of 10X your compliance spend, this approach would not be deemed credible.)

In her On work column in the Financial Times (FT), Lucy Kellaway wrote about this the concept of doing less with less for the corporate executive personally, in an article entitled, “No need to ‘lean in’ when laziness can be just as effective”. She cited to the Prussian General Helmuth von Moltke for “devising one of the world’s fist management matrices” when he assessed his officers on two scales: “clever v. dim and lazy v. energetic.” From this he came up with four permutations:

• Dim and lazy – Good at executing orders.
• Dim and energetic – Very dangerous, as they take the wrong decisions.
• Clever and energetic – Excellent staff officers.
• Clever and lazy – Top field commanders as they get results.

The point of Kellaway’s article has direct implications for the CCO or compliance practitioner currently facing an economic downturn, “It is only by being lazy that we become truly efficient, and come to see what is important and what is not.” Kellaway cautioned “the sort of laziness to encourage is not the slobbish variety that means you do bad work. That is not laziness: it is stupidity. Instead, we need the clever version that comes from knowing there is an opportunity cost to every minute we spend working, so we must use our time wisely.”

From the compliance perspective, this translates directly into using your compliance resources wisely. So whether you want to cite the Prussian general who unified Germany, columnist Kellaway, Dresser-Rand CCO Farley or this article’s theme of doing less with less, I would suggest to you there is a manner to maintain “A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations” even in an economic downturn.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015