CCO | FCPA Compliance and Ethics Blog

August 4, 2015

Social Media Week Part II – Sharing in the Compliance Function

Filed under: Uncategorized — tfoxlaw @ 12:01 am
Tags: CCO, Chief Compliance Officer, compliance, compliance programs, Social Media, Social Media Examiner

I continue my exploration of the use of social media as a tool of doing compliance by looking at some concepts around the sharing of information. In a recent podcast on Social Media Examiner, entitled “Sharing: The Art and Science of Social Sharing”, podcast host Michael Stelzner interviewed Bryan Kramer, a social strategist and author of the book “Shareology: How Sharing is Powering the Human Economy”. Kramer talked about several concepts that I found particularly useful for a Chief Compliance Officer (CCO) or compliance practitioner to think through when considering the use of a social media strategy in a best practices anti-corruption compliance program, under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other compliance regime.

Kramer’s book Shareology is a study of how, what, where, when and why people and brands share. For this book, Kramer conducted more than 250 interviews with executives, marketers and social media people, as well as professors of linguistics, psychology, sociology and so on, with the question “why people share” in mind.

The answer came down to one thing: connection. He found that “People all have the desire to reach out and connect with other people, whether it’s through sharing content and having someone reply back or by sharing other people’s content and helping them out.” From this research, Kramer identified six types of people who share:

Altruist: Someone who shares something specific about one topic all the time.
Careerist: Someone who wants to become a thought leader in their own industry, so they can see their career grow.
Hipster: Someone who likes to try things for the first time and share it faster than everyone else.
Boomerang: Someone who asks a question so they can receive a comment only to reply.
Connector: Someone who likes to connect one or more persons to each other.
Selective: This is the observer.

I find all of these categories to be relevant to a CCO or compliance practitioner in considering the use of social media in their compliance program. All of these can describe not only the reasons to use social media but they can also help you to identify who in your organization might be inclined to use social media and how it can facilitate your compliance program going forward.

The Altruist, Hipster and Careerist speak to how a CCO or compliance practitioner can be seen in getting out the message of compliance throughout your organization. Whichever category you might fall into, it is still about the message or content going forward. I find nothing negative in being seen as one or the other if your message is useful. Even if you are my age, there is nothing wrong with incorporating a little Hipster into your communication skills. As my daughter often reminds me, Dad you are so uncool that you are retro, but that is cool too. Applying that maxim to your compliance regime, if you can communicate in a manner your workforce sees as interesting or even hip, it may well help facilitation incorporation of that message into their corporate DNA.

I found the Boomerang, Connector and Selective categories as good ways to think about how your customer base in compliance (i.e. your employees) might well use social media tools to communicate with the compliance function. The use of social media is certainly a two-way street and you, as the compliance practitioner, need to be ready to accept those communications back to you. Indeed some comments by your customer base could be the most important interactions that you have with employees as their comments or questions could lead you to uncovering issues which may have arisen before they become Code of Conduct or FCPA violations. More importantly, it could allow you to introduce a proscriptive solution which moves your program beyond even the prevent phase.

Kramer also has some insights about the substance of your social media message. Adapting his insights to the compliance field, I found a key message to be that the problem is that companies do not write the way they speak, and don’t speak the language of their employee base. In many ways, compliance is a brand and Kramer believes that “brands and the people representing those brands need to change their language. If they focus on the title and the quality of the content, among other things, it’ll resonate more with their audience.” He also advocates using the social media tools and apps available to you. He specifically mentions Meerkat and Periscope, Snapchat, memes and/or videos to raise the value of the content. He was quoted as saying, “If you have a blog and there are no visuals, you might as well shut it down.”

It would seem the thesis of Kramer’s work is that sharing is a primary method to communicate and connect. In any far-flung international corporation this is always a challenge, particularly for discipline which can be viewed as home office overhead at best; the Land of No populated by Dr. No at worst. Kramer says that you should work to hone your message through social media. Part of this is based on experimenting on what message to send and how to send it. Yet another aspect was based upon the Wave (of all things) where he discussed its development and coming to fruition in the early 1980s. It took some time for it to become popular but once it was communicated to enough disparate communications, it took off, literally. Kramer noted, “It’s the same thing with social media. On social media, we think something will go viral because the art is beautiful or the science is full of deep analytics, but at the end of the day it really takes time to build the community.”

This means that you will need to work to hone your message but also continue to plug away to send that message out. I think the Morgan Stanley Declination will always be instructional as one of the stated reasons the Department of Justice (DOJ) did not prosecute the company as they sent out 35 compliance reminders to its workforce, over 7 years. Social media can be used in the same cost effective way, to not only get the message of compliance out but also to receive information and communications back from your customer base, the company employees.

Once again please remember that I am compiling a list of questions that you would like to be explored or answered on the use of social media in your compliance program. So if you have any questions email them to me, at tfox@tfoxlaw.com, and I will answer them within the next couple of weeks in my next Mailbag Episode on my podcast, The FCPA Compliance and Ethics Report.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Leave a Comment

July 9, 2015

The Third Man and the Authority of Chief Compliance Officers

Filed under: Best Practices,CCO 2.0,Chief Compliance Officer,Compliance,Compliance and Ethics,Donna Boehme — tfoxlaw @ 12:01 am
Tags: best practices, CCO, compliance, compliance programs

Harry Lime is back, although he really never left us. As reported by Kristin M. Jones in a Wall Street Journal (WSJ) article, entitled “Harry Lime Reborn”, the glorious British film noir The Third Man, written by Gra ham Greene and directed by Carol Reed, has been restored in a new digital version. It opens this week at select theaters and will tour the country this summer. The screenplay was adapted from the book of the same name by the author, Greene. It is the rare movie that is at least as good as the book. Greene himself noted that the story “was never written to be read but only to be seen.”

The story revolves around protagonist Holly Martin (played by Joseph Cotton) who goes to post-war Vienna at the behest of his college buddy Harry Lime (played with aplomb by Orson Welles). Martin arrives after a funeral for Lime and finds out that Lime was dealing in the black market. Martin searches for Lime, meeting his girlfriend and assorted shady characters along the way. He ends up leading the Military Police occupying the city to Lime and there is a final noir-classic chase through the sewers of Vienna.

What’s my favorite scene? There are way too many to name but the clown’s head shadow is one of the great cinematic visions of undulated terror. The final chase through the sewers of Vienna is a classic. The dialogue is both chilling and funny. Chilling when Lime asks Martin, while they are atop the apex of a Ferris wheel, whether he would refuse money to make the dotlike figures of humans below stop moving; Funny when Lime say that in 200 years of warfare between the Borgias, the Medicis and continual conflict in Italy it produced the flowering of the Renaissance, while 500 years of peace in Switzerland produced the Cuckoo Clock. Finally, is the haunting musical score of Anton Kara’s use of the Zither . The movie definitely makes my Top 10 greatest movies of all-time.

I thought about this movie in the context of the ongoing debate in the compliance world about whether a company could or should combine or separate the role of the Chief Compliance Officer (CCO) from that of the General Counsel (GC). There has traditionally been a split in companies on whether the CCO should report into a legal function and the GC or report directly to a company’s head officer. Mike Volkov noted that “According to the last PWC Compliance Survey, only 29 percent of CCOs have made it into the C-Suite but that will increase. Only 27 percent of CCOs continue to report to the general counsel while 34 percent report directly to the CEO.” Whichever path your company employs it is imperative that the CCO speak from a position of authority.

A consistent voice for the importance of the role and voice of the CCO in any organization is noted compliance expert, Donna Boehme. She writes and speaks consistently on the characteristics for a successful CCO. Writing in the SCCE magazine, Compliance & Ethics Professional, in an article entitled “Five essential features of the Chief Ethics and Compliance Officer position”, Boehme articulated five essential features required for a CCO to be successful in an organization.

Independence

It is incumbent that any CCO must have “sufficient authority and independence to oversee the integrity of the compliance program.” Some indicia of independence would include a reporting line to the company’s Board of Directors and Audit/Compliance Committee but more importantly “unfiltered” access to the Board. There should also be protection of employment including an employment contract with a “nondiscretionary escalation clause” and a requirement for Board approval for any change in the terms and conditions of employment, including termination. There must also be sufficient resources in the form of an independent budget and adequate staff to manage the overall compliance program.

Empowerment

A CCO must have “the appropriate unambiguous mandate, delegation of authority, senior-level positioning, and empowerment to carry out his/her duties. Such can be accomplished through a “board resolution and a compliance charter, adopted by the board.” Additionally the CCO job description should be another manner in which to clarify the CCO “mandate, and at a minimum should encompass the single point accountability to develop, implement and oversee an effective compliance program.” All of the above should lead in practice to a “close working relationship with an independent board committee.”

Seat at the Table

The CCO must “have formal and informal connections into the business and functions of the organization – a seat at the table at important meetings where all major business matters (e.g., risk, major transactions, business plans) are discussed and decided.” She argues that, at a minimum, the CCO should participate in “budget reviews, strategic planning meetings, disclosure committee meetings, operational reviews, and risk and crisis management meetings.”

Line of Sight

The CCO should have “unfettered access to relevant information to be able to form independent opinions and manage the [compliance] program effectively.” This does not mean that the CCO should have veto power over functions such as safety or environmental or that such functions must report to the CCO, but unless there is visibility to the CCO for these risk areas, the CCO will not able to adequately assess and manage such risks from the compliance perspective. The correct structuring of the CCO role to allow it visibility into these areas will help the CCO coordinate compliance convergence training.

Resources

It is absolutely mandatory that the CCO be given both the physical resources in terms of personnel and monetary resources to “get the job done.” I have worked at places where the CCO had neither and the CCOs did not succeed because they never even had the chance to do so. Boehme focuses on both types of resources. Under monetary resources she points, as an indicia, to the independence of the CCO from the GC “rather than a shared budget”. This can also bleed over to ‘headcount’ and shared or dotted line reporting resources. There should be independent resources reporting into the compliance function.

Whichever way a company decides to go on this question, it must meet Requirement No. 6 of the Department of Justice’s (DOJ’s) minimum best practices requirement for a Foreign Corrupt Practices Act (FCPA) based compliance program, which reads:

The company will assign responsibility to one or more senior corporate executives for the implementation and oversight of the company’s anti-corruption policies, standards, and procedures. Such corporate official(s) shall have direct reporting obligations to independent monitoring bodies, including internal audit, Company’s Board of Directors, or any appropriate committee of the Board of Directors, and shall have an adequate level of autonomy from management as well as sufficient resources and authority to maintain such autonomy.

Additionally this is reiterated in the 2011 Amendments to the US Sentencing Guidelines, §8B2.1 (b)(2)(C), which states:

Specific individual(s) within the organization shall be delegated day-to-day operational responsibility for the compliance and ethics program. Individual(s) with operational responsibility shall report periodically to high-level personnel and, as appropriate, to the governing authority, or an appropriate subgroup of the governing authority, on the effectiveness of the compliance and ethics program. To carry out such operational responsibility, such individual(s) shall be given adequate resources, appropriate authority, and direct access to the governing authority or an appropriate subgroup of the governing authority.

If you have the chance to see The Third Man this summer I urge you to do so. For a schedule of its showings across the country click here.

© Thomas R. Fox, 2015

Leave a Comment

May 27, 2015

Economic Downturn Week, Part II – The Golden Gate Bridge and Employment Separation – Hotlines and Whistleblowers During Layoffs

Today, we celebrate one of the greatest engineering achievements of the century. On this date in 1937, the Golden Gate Bridge opened. At 4200 feet long, it was at the time the world’s longest suspension bridge. But not only was it an engineering and architectural milestone, its aesthetic form was instantly recognized as classical and to this day is one of the most iconic structures in the US if not the world. With just a few years until its 80^th birthday, it demonstrates that a lasting structure is more than simply form following function but contains many elements that inform its use and beauty.

I use the Golden Gate Bridge as an entrée to my continued discussion on the series on steps that you can use in your compliance program if you find yourself, your company or your industry in an economic downturn. Whether you are a Chief Compliance Officer (CCO) or compliance practitioner, these steps are designed to be achieved when you face reduced economic resources or lessened personnel resources going forward due to a downturn your economic sector. Yesterday, I discussed mapping your current and existing internal controls to the Ten Hallmarks of an Effective Compliance Program so that you can demonstrate your compliance with the Foreign Corrupt Practices Act’s (FCPA) internal control prong to the accounting procedures. Today I want to discuss the issues surrounding the inevitable layoffs your company will have to endure in a downturn.

In Houston, we have experienced energy companies laying off upwards of 30% of their workforce, both in the US and abroad. Employment separations can be one of the trickiest maneuvers to manage in the spectrum of the employment relationship. Even when an employee is aware layoffs are coming it can still be quite a shock when Human Resources (HR) shows up at their door and says, “Come with me.” However, layoffs, massive or otherwise, can present some unique challenges for the FCPA compliance practitioner. Employees can use layoffs to claim that they were retaliated against for a wide variety of complaints, including those for concerns that impact the compliance practitioner. Yet there are several actions you can take to protect your company as much as possible.

Before you begin your actual layoffs, the compliance practitioner should work with your legal department and HR function to make certain your employment separation documents are in compliance with the recent SEC v. KBR Cease and Desist Order regarding Confidentiality Agreement (CA) language which purports to prevent employees from bringing potential violations to appropriate law or regulatory enforcement officials. If your company requires employees to be presented with some type of CA to receive company approved employment severance package, it must not have language preventing an employee taking such action. But this means more than having appropriate or even approved language in your CA, as you must counsel those who will be talking to the employee being laid off, not to even hint at retaliation if they go to authorities with a good faith belief of illegal conduct. You might even suggest, adding the SEC/KBR language to your script so the person leading the conversation at the layoff can get it right and you have a documented record of what was communicated to the employee being separated.

When it comes to interacting with employees first thing any company needs to do, is to treat employees with as much respect and dignity as is possible in the situation. While every company says they care (usually the same companies which say they are very ethical), the reality is that many simply want terminated employees out the door and off the premises as quickly as possibly. At times this will include an ‘escort’ off the premises and the clear message is that not only do we not trust you but do not let the door hit you on the way out. This attitude can go a long way to starting an employee down the road of filing a claim for retaliation or, in the case of FCPA enforcement, becoming a whistleblower to the Securities and Exchange Commission (SEC), identifying bribery and corruption.

Treating employees with respect means listening to them and not showing them the door as quickly as possible with an escort. From the FCPA compliance perspective this could also mean some type of conversation to ask the soon-to-be parting employee if they are aware of any FCPA violations, violations of your Code of Conduct or any other conduct which might raise ethical or conflict of interest concerns. You might even get them to sign some type of document that attests they are not aware of any such conduct. I recognize that this may not protect your company in all instances but at least it is some evidence that you can use later if the SEC (or Department of Justice (DOJ)) comes calling after that ex-employee has blown the whistle on your organization.

I would suggest that you work with your HR department to have an understanding of any high-risk employees who might be subject to layoffs. While you could consider having HR conduct this portion of the exit interview, it might be better if a compliance practitioner was involved. Obviously a compliance practitioner would be better able to ask detailed questions if some issue arose but it would also emphasize just how important the issue of FCPA compliance, Code of Conduct compliance or simply ethical conduct compliance was and remains to your business.

Finally are issues around hotlines, whistleblower and retaliation claims. The starting point for layoffs should be whatever your company plan is going forward. The retaliation cases turn on whether actions taken by the company were in retaliation for the hotline or whistleblower report. This means you will need to mine your hotline more closely for those employees who are scheduled or in line to be laid off. If there are such persons who have reported a FCPA, Code of Conduct or other ethical violation, you should move to triage and investigate, if appropriate, the allegation sooner rather than later. This may mean you move up research of an allegation to come to a faster resolution ahead of other claims. It may also mean you put some additional short-term resources on your hotline triage and investigations if you know layoffs are coming.

The reason for these actions are to allow you to demonstrate that any laid off employee was not separated because of a hotline or whistleblower allegation but due to your overall layoff scheme. However it could be that you may need this person to provide your compliance department additional information, to be a resource to you going forward, or even a witness that you can reasonably anticipate the government may want to interview. If any of these situations exist, if you do not plan for their eventuality before you layoff the employee, said (now) ex-employee may not be inclined to cooperate with you going forward. Also if you do demonstrate that you are sincerely interested in a meritorious hotline complaint, it may keep this person from becoming a SEC whistleblower.

Just as the Golden Gate Bridge provides more to the human condition than simply a structure to get from San Francisco to Marin County, layoffs in an economic downturn provide many opportunities to companies. If they treat the situation appropriately, it can be one where you manage your FCPA compliance risk going forward.

© Thomas R. Fox, 2015

Leave a Comment

May 19, 2015

A CCO Job Function: Managing Talent

Filed under: Uncategorized — tfoxlaw @ 12:01 am
Tags: best practices, CCO, compliance, Compliance Leadership, compliance programs, Financial Times, FT

Garo Yepremian died this past week. For anyone who grew up watching National Football League (NFL) games in the late 1960s or 1970s; this was a name quite familiar to you even if you had trouble pronouncing it. Yepremian was a left-footed field goal kicker who went from the heights of glory such as once kicking six field goals in one game and ending the NFL’s longest game; the Miami Dolphins-Kansas City Chiefs 1971 playoff game which he won with a field goal in the second sudden death overtime. Unfortunately it is not these achievements that he is best known for. That rather ignominious distinction was when he had a field goal blocked in the 1973 Super Bowl against the Washington football team; then picked it up and tried to pass it only to have it slip from his hands into the arms of Mike Bass who ran it in for a touchdown. The score changed a one-sided game from 14-0 Dolphins to 14-7 and put their undefeated season on the line for the remainder of the game. Fortunately for posterity and Yepremian, the Dolphins held on to complete the NFL’s only undefeated season.

I thought about Yepremian, his gaffe and the fact he grew up in Cyprus playing soccer when I read a recent article in the Financial Times (FT), entitled “Game of talents: management lessons from top football coaches”, where Mike Forde and Simon Kuper wrote about how “football [soccer for you Yanks reading this blog] coaches grapple with egos, tantrums and rivalry. Business could learn a lot from them.” This is because talent management is a key component of any successful organization and none more so than on a soccer team where “Football managers are, above all, talent managers.” The article had some interesting insights for the Chief Compliance Officer (CCO) or compliance practitioner which I believe could be helpful when dealing with large egos found in any business organization.

Big talent usually comes with a big ego. Accept it. I grew up professionally in the private practices world of a law firm where big egos not only existed but also thrived and were perhaps even cultivated. This is not always true in the corporate world. The authors believe that “managing difficult people is the best test of a good manager.”
Look for big egos that have ‘gotten over themselves’. At some point we all grow up. In the business world, just as in sports, “some players underperform early in their careers because they are immature.” Maturity can lead to players “accept their limits and become coachable.”
Single out and praise those who make sacrifices for the organization. Reward those who might be willing to make a personal sacrifice. If you do, you behavior as a leader will be noticed and others in the business may well do the same.
The manager shouldn’t aspire to dominate the talent. In soccer “Talent wins matches…Successful managers accept this. They don’t try to emphasise their leadership by dominating talent.” As a CCO, you should not only work to help the business folks succeed but let them take the glory if a big deal is closed.
Ask talent for advice – but only for advice. While it seems self-evident, it always bears repeating if you take someone’s advice to craft a solution, that person will then be personally invested in the success of that solution. The authors quoted David Brailsford, general manager of the Team Sky cycling team, for the following, “We all perform better if we have a degree of ownership of what we do.”
The manager’s job isn’t to motivate. “Great talent motivates itself.” The converse of this means that if you have top-notch sales talent, part of your job as a CCO or compliance practitioner is “not to demotivate them”. But more than simply not ‘demotivating’ your job should be to encourage “long-term commitment: sustained motivation over time.”
Talent needs to trust each other more than it needs to trust the manager. This directly relates to the culture you set. If the only way for employees to succeed is to steal and cheat from their co-workers, you will have a toxic environment. Think of this in the context of your Foreign Corrupt Practices Act (FCPA) investigation protocol; if your goal is to skin some employee to save the company, you will not have much credibility left with your other employees.
Improve the talent. Unfortunately, most managers spend most of their time managing incompetent employees. The authors believe this is a wasted opportunity as most top talent “have a gift for learning and a desire to improve. That desire often drives their career choices.” For a CCO this means you need to provide such opportunities to those on your compliance team. But think about taking this concept out into the workforce. What if you could offer a top sales person or executive a chance to not only learn something but also advance their career by a rotation through the compliance department or a signature project they could lead?
99% per cent of recruitment is about who you don’t sign. Here the message is to use your background due diligence to make sure that that ‘someone’ is the right person in the right situation because “Introducing a weak or undisciplined player [employee] can damage the standards and culture.”
Accept that talent will eventually leave. “Few talented people are looking for a job for life.” Indeed in the compliance arena, since there are no trade secrets around anti-corruption compliance, the skills a compliance practitioner uses can be easily translated into another company. I often think about Jay Martin, the CCO of BakerHughes Inc. (BHI) in Houston. He is now on his third generation of compliance practitioners who work under him. While they are at BHI they have the chance to work under and for one of the top in-house compliance practitioners around and for a company that has a robust compliance program. They work very hard while they are at BHI but they get great experience, a great resume entry and a great reference from one of the top compliance practitioners around. If you are a CCO you might consider the BHI model.
Gauge the moment when talent reaches its peak. In the sports world, the only person who wins every time (eventually) is Father Time. While that may not be as true in the corporate world, burnout is true. I went through it in my 40s as a trial lawyer and many others do as well. If you are a CCO and see reduced enthusiasm or commitment in an employee this may be the reason. Would you consider a sabbatical for the employee? How about a plumb overseas role to rekindle the passion? As a leader, you need to recognize this issue and use your leadership skills to address the situation.

The authors note, “Talent management has been a business obsession at least since 1997, when the consultancy McKinsey identified a “war for talent.”” As a CCO you should certainly consider these issues in managing your compliance function. However I believe the concepts laid out by Forde and Kuper work for the broader corporate world as well. If you are going to use you influence throughout the organization, you should consider incorporating these techniques into your skill set.

© Thomas R. Fox, 2015

Leave a Comment

March 12, 2015

Protections for CCOs from Wrongful Termination

Filed under: Best Practices,Chief Compliance Officer,Compliance,Compliance and Ethics,compliance programs,Department of Justice,Ethical Leadership,Ethics,FCPA,New York Times,SEC — tfoxlaw @ 12:01 am
Tags: CCO, compliance, compliance programs, DOJ, ethical leadership, ethics, ethics and compliance, FCPA Professor, Foreign Corrupt Practices Act, SEC

This week the Houston Texans unceremoniously cut the franchise’s greatest player in its short history, receiver Andre Johnson. This was after his being hauled into the office of the head coach and being told that he would only need to work half as hard next year. As reported by Jerome Solomon in the Houston Chronicle article entitled “Move inevitable, but team bungles its handling”, Head Coach Bill O’Brien told Johnson that his catch total would drop from the 84 he has averaged in his 12 year career with the Texans down to “around 40 passes next season.” But O’Brien went on to add the team’s certain Hall of Fame receiver “wasn’t likely to be a starter next season, definitely not for all of the games.” So much for playing your best player at his position on a full-time basis, but hey, at least the information was made public.

Now imagine you are a Chief Compliance Officer (CCO) and have been one of your company’s senior management for the better part of the past 12 years. While you may not have been the most important member of the management team you certainly have helped navigate the company through rough compliance waters. Now imagine the company Chief Executive Officer (CEO) who tells you that although he has no one in mind to replace you (other than a less experienced and a smaller-salaried compliance specialist) your services will only be needed half the time in the coming year. What if this is in response to advice the head of the company did not like? What should the response be?

You can consider the departure from MF Global of its Chief Risk Officer, the financial services equivalent of a CCO. As reported in a New York Times (NYT) article entitled “MF Global’s Risk Officer Said to Lack Authority” Ben Protess and Azam Ahmed reported that the company replaced its Chief Risk Officer, Michael Roseman, after he “repeatedly clashed with Mr. Corzine [the CEO] over the firm’s purchase of European sovereign debt.” He was given a large severance package and left the company. When he left, there was no public reason given. His replacement was brought into the position with reduced authority.

If you are a public company, you may well need to heed the advice of fraud and compliance expert Jonathan Marks, a partner at Crowe Horwath LLP, who advocates that any time a CCO, a key executive, is dismissed it should be an 8K reporting event because the departure may be a signal of a change in the company’s attitude towards compliance or an alleged ethical breach had taken place. A similar view was expressed by Michael W. Peregrine in a NYT article entitled “Another View: MF Global’s Corporate Governance Lesson”, where he wrote that a “compliance officer is the equivalent of a “protected class” for governance purposes, and the sooner leadership gets that, the better.” Particularly in the post Sarbanes-Oxley world, a company’s CCO is a “linchpin in organizational efforts to comply with applicable law.” When a company fires (or asks him/her to resign), it is a significance decision for all involved in corporate governance and should not be solely done at the discretion of the CEO alone.

In its Code of Ethics for Compliance and Ethics Professionals, the Society for Corporate Compliance and Ethics (SCCE) has postulated Rule 1.4, which reads, “If, in the course of their work, CEPs become aware of any decision by their employing organization which, if implemented, would constitute misconduct, the professional shall: (a) refuse to consent to the decision; (b) escalate the matter, including to the highest governing body, as appropriate; (c) if serious issues remain unresolved after exercising “a” and “b”, consider resignation; and (d) report the decision to public officials when required by law.” As commentary to this rule, the SCCE said, “The duty of a compliance and ethics professional goes beyond a duty to the employing organization, inasmuch as his/her duty to the public and to the profession includes prevention of organizational misconduct. The CEP should exhaust all internal means available to deter his/her employing organization, its employees and agents from engaging in misconduct. The CEP should escalate matters to the highest governing body as appropriate, including whenever: a) directed to do so by that body, e.g., by a board resolution; b) escalation to management has proved ineffective; or c) the CEP believes escalation to management would be futile. CEPs should consider resignation only as a last resort, since CEPs may be the only remaining barrier to misconduct. A letter of resignation should set forth to senior management and the highest governing body of the employing organization in full detail and with complete candor all of the conditions that necessitate his/her action. In complex organizations, the highest governing body may be the highest governing body of a parent corporation.”

What about compensation? The Department of Justice (DOJ) has made clear that it expects a CCO to resign if the company refuses advice and violates the Foreign Corrupt Practices Act (FCPA). The former head of the DOJ-FCPA unit Chuck Duross went so far as to compare CCOs and compliance practitioners to the Texans at the Alamo. To be fair to Duross, I think he was focusing more on the line in the sand part of the story, while I took that to mean they were all slaughtered for what they believed in. But whichever interpretation you may choose to put on it, the DOJ clearly expects a CCO to stand up and if a CEO does not like what they say, he or she must resign. This puts CCOs and compliance practitioners in a very difficult position, particularly if there is no exit compensation for doing the right thing by standing up.

I think the next step should be for the DOJ and Securities and Exchange Commission (SEC) to begin to discuss the need for contractual protection of CCOs and other compliance practitioners against retaliation for standing up against corruption and bribery. The standard could simply be one that protects a CCO and other compliance practitioners against termination without cause. Just as the SEC is investigating whether companies are trying to muzzle whistleblowers through post-employment Confidentiality Agreements, I think they should consider whether CCOs and other compliance practitioners need more employment protection. I think the SEC should also consider the proposals of Marks regarding the required 8K or other public reporting of the dismissal or resignation of any CCO. Finally, I would expand on Peregrine’s suggestion and require that a company Board of Directors approve any dismissal of a CCO. With these protections in place, a CCO or compliance practitioner would have the ability to confront management who might take business decisions that violate the FCPA.

© Thomas R. Fox, 2015

Leave a Comment

January 12, 2015

Get Your Tootsie-Frootsie Ice Cream; Hiring as Part of Your Compliance Program

Filed under: A Day At the Races,Best Practices,Chico,Chief Compliance Officer,Compliance,Compliance and Ethics,compliance programs,Ethics,FCPA,Ft,Groucho,Human Resources,Marx Brothers — tfoxlaw @ 12:01 am
Tags: CCO, Chico, compliance, FCPA, FT, Groucho, HR, Marx Brothers

One of my great loves is the Marx Brothers. I fell in love with their rapid-fire wiseacre remarks as a teenager and have been enthralled with them since then. I have seen all of their movies, most of their television appearances and even read some of their radio scripts. I was reminded of the their unique brand of comedy and contribution to the great good when I read an article in the Financial Times (FT) by Danny Leigh, entitled “Souped-up comedy”. Leigh wrote the article around the British Film Institute’s (BFI) 2015 season, which includes a year-long retrospective of Marx Brothers movies. To honor both the BFI and my beloved Marx Brothers, this week, I am featuring series of Marx Brothers themed blog posts.

Today, I want to look at what many believe is one of their funniest skits, which comes from the MGM-released movie A Day at the Races, the “Tootsie-Frootsie” Ice Cream/Code Book scene. Tony (Chico) poses as an ice-cream vendor outside the racetrack – he is actually a con artist selling racing tips on horses. He knows that in the next race, he can win with 10-1 odds with a bet on Sun-Up, but he needs the cash. So he sets up the scam as gullible victim Dr. Hackenbush (Groucho) arrives at the racetrack to bet two dollars on Sun-Up. Hackenbush is advised by Tony to bet on Rosie, a 40-1 shot. At the betting window, Hackenbush bets two dollars on Rosie, but the bookie tells him the race is already over – Sun-Up was the winner. Hackenbush realizes he has been taken. He thinks for a moment, then dumps the books back in the cart and takes the scammer’s place waiting for a victim, crying: ”Get your Tootsie-Frootsie. Nice ice cream. Nice Tootsie-Frootsie ice cream.”

I thought about the Tootsie-Frootsie ice cream scene in the context of hiring and Foreign Corrupt Practices Act (FCPA) compliance. One of the theories of conventional wisdom about anti-corruption compliance is that you will never be able to reach 5% of your workforce with compliance training because they are predisposed to lie, cheat and steal anyway. Whether they are simply sociopaths, scumbags or just bad people; it really does not matter. No amount of training is going to convince them to follow the rules, such as the FCPA, UK Bribery Act or even foreign domestic laws against bribery and corruption, consider the Chinese domestic laws that GlaxoSmithKline PLC (GSK) was convicted under, they were of no import to such people. They do not think such laws apply to them and they will lie, cheat and steal no matter what industry they are in and what training you provide to them. But knowing such people exist and they may be able to lie, con or otherwise dissimilate their way into your organization does not protect your company from FCPA liability when they inevitably violate the law by engaging in bribery and corruption. It is still the responsibility of your company to prevent and detect such conduct and then remediate if it occurs. Simply put, if you hire Chico, you are going to get a Tootsie-Frootsie ice cream.

I thought about these concepts when reading an article in the Corner Office column of the New York Times (NYT), entitled “Three Keys to Hiring: Skill, Will and Fit”, by Adam Bryant where he reported on an interview with Marla Malcolm Beck, the Chief Executive Officer (CEO) of Bluemercury. She had several lessons that I thought would be helpful for Chief Compliance Officer (CCO) or compliance practitioner in general and in particular when trying to have your company avoid bringing in the five per-center mentioned above.

Be Passionate

Beck related an early leadership lesson that she learned during college, she ran unopposed to be President of a student organization. Since she was unopposed, she ran no campaign but did not receive a majority of votes and therefore was not elected to the position. So she tried to learn from her mistakes, “In the second election, someone ran against me, but I had interviewed a lot of people about why I didn’t get the position the first time, and they said I wasn’t human enough, I wasn’t passionate enough. So I talked more about the mission and my dreams for the organization, and I think people respected me for getting up there again, and I got most of the votes.” For the compliance practitioner or CCO, I think the message here is both communication and passion. If you do not believe in the anti-corruption compliance regime that you are pushing, it will be nearly impossible for the rest of your far-flung corporate work force to believe in it. Talk about compliance and the positive aspects of your program for your company. If you sit in your office, situated as Dr. No in the Land of NO, you and your program will get NOwhere fast.

Problem Solving

Another valuable lesson that Beck related was one she learned early on in her entrepreneurial career and it related to problem solving. She said, “Early on, I kept a lot of the hard problems to myself. Not only did that put more pressure on me, but also people can start working on the wrong things, and you have no way to course-correct if you don’t give them the “why.” I don’t think I was brave enough early on, and I’m more brave now about not keeping things to myself — things that are working, things that are not working, and just being more fluid with communication. I still catch myself now when I’m asking people to do things, and I have to go back to why it’s important and why we need to do this as a company.”

As a CCO or compliance practitioner, you will never have enough time to answer every question, nor should you. If you can provide your employee base the tools to make the right call, I think you will find most of the time they will. In a compliance leadership role, you should have two overriding goals: (1) burn compliance into the DNA of your company deeply enough that the business folks will come up with the right response almost all the time, and (2) be there when they cannot do so. Beck’s query of “why it’s important and why we need to do this as a company.”

The Hiring Process

I found Beck’s remarks on hiring the most interesting. I have long argued that Human Resources (HR) is a key component in any best practices anti-corruption compliance program. This is particularly true in hiring and promotion of employees to senior management. Avoiding the hiring or promotion of the sociopaths, or even the Chico’s of the world, is a key tool that HR brings to the table. Beck’s approach is to take a short interview technique in which she attempts to assess, Skill, Will and Fit. She said, “I’ll ask, “What’s the biggest impact you had at your past organization?” It’s important that someone takes ownership of a project that they did, and you can tell based on how they talk about it whether they did it or whether it was just something that was going on at the organization. Will is about hunger, so I’ll ask, “What do you want to do in five or 10 years?” That tells you a lot about their aspirations and creativity. If you’re hungry to get somewhere, that means you want to learn. And if you want to learn, you can do any job. In terms of fit, I’m looking for people who have some sort of experience with a smaller company. At big companies, your job is really one little piece of the pie. I need someone who can make things happen and is comfortable with ambiguity.”

Through such a structured series of questions, a properly trained HR professional can begin to assess whether an employee might have a propensity to engage in bribery and corruption. By adding information about your company’s values towards doing business ethically and in compliance, you can introduce this topic at either the interview evaluating process or in the promotion process. While true sociopaths will most certainly lie to you, perhaps even convincingly, by introducing the topic at such a pre-employment stage, they may be encouraged to take their skills elsewhere. Or you can just get your Tootsie-Frootsie ice cream.

For a clip of the Get Your Tootsie-Frootsie Ice Cream scene on YouTube, click here.

© Thomas R. Fox, 2015

Leave a Comment

December 11, 2014

On Compliance Leadership: From Edward VIII to LeBron James

Filed under: Chief Compliance Officer,Compliance,Compliance and Ethics,compliance programs,Financial Times,Tone at the Top — tfoxlaw @ 12:01 am
Tags: CCO, Compliance Leadership, FT

On this day in 1936 King Edward VIII became the first English monarch to voluntarily abdicate the throne. He chose to abdicate after the British government, public and the Church of England condemned his decision to marry the American divorcée Wallis Warfield Simpson. On the evening of December 11, he gave a radio address in which he explained, “I have found it impossible to carry on the heavy burden of responsibility and to discharge the duties of king, as I would wish to do, without the help and support of the woman I love.” Despite these protestations of love requiring his abdication, recent scholarship has suggested the King was forced out because of his sympathy to Hitler’s Germany. Indeed I recently saw a documentary, which went so far as to say that the King had agreed to re-assume the monarch’s throne if Germany had successfully invaded England. Whatever the reason or reasons, on December 12, 1936 his younger brother, the Duke of York, was proclaimed King George VI. England was certainly better off for it.

I thought about this excellent example of extremely poor leadership and what a Chief Compliance Officer (CCO) or compliance practitioner might be able to learn from it in the context of a couple of articles I recently came across in the Financial Times (FT). The first was by Andrew Hill in his ‘On Management’ column and was entitled “The dangers of a rising C-level for the business environment”. While the focus of the article was on chief executives, I found some of Hill insights also applicable to a CCO. Hill expressed concern about how chief executives embody “the fallacy of infallibility.” He decried that “The corporate world is similarly deluded in thinking that individual chief executives are a wonder drug that can be injected into ailing businesses. It is better to think of companies as systems. They may not work at all without some sort of hierarchy. But they work much better if managers and leaders recognise that they are merely a single, if important, component and that effective procedures and clear designation of individuals’ roles and responsibilities help the whole work smoothly.”

He cited to the example of one un-named chief executive who “said he had just two ways to influence the company: by setting the tone and culture and by “building the machine”.” I would translate this into process. Hill recognized that “Reliance on mechanical process alone is clearly dangerous. It could “induce mindlessness.” Rigorous procedures and training should instead free innovators to take the necessary risks and leaders to react in the right way to inevitable challenges.”

This means that training employees and giving them the tools to succeed should be a more important skill than simply following orders. If you train your business team in the basics of compliance and then provide the right support to them, it can help bake compliance into the DNA of a company. Simply put a top-down compliance program dictated from the corporate office in the US or UK will not be as effective as a CCO or compliance practitioner getting out into the field and getting the business team to view themselves as compliance colleagues and assume responsibility for doing compliance in everyday transactions.

The second article was by psychologist Naomi Shragai and was entitled “Bloated and shrunken egos both prove bad for business”. Shragai began her article with the following observation, “We are rarely the best judge of our own skills and achievements. Even with the best intentions, we tend to overrate or underrate our abilities. Deluding ourselves that we are better than we are boosts our confidence and helps us to recover from setbacks. Identifying faults in others, the company or circumstances is easier on the ego than believing any deficiency lies within. The problem with this attitude is that it is rooted in a misguided belief that there is nothing to learn or correct.” She also described the contradictory when she wrote, “At the opposite end of the continuum are people who underplay their abilities and tend to see the fault in themselves rather than in others. They might overcompensate for what they perceive as deficiencies in themselves by working hard, but, stuck in a cycle of negativity, they generally fail to take responsibility for their own development.”

Shragai suggests dealing with the former is important because in the long run “their behaviour needs to be managed early before it becomes self-reinforcing and harms the business…Let him or her know that you are not judging the person but the work.” For the latter behavior, she suggests, “The underconfident need to take more responsibility for listening to what others are saying by consciously tuning into reality rather than slipping into negative thoughts…Help them to recognise their skills by presenting them with concrete evidence of their accomplishments.”

From these two articles, I synthesized the importance of the process of compliance. The more that you can make compliance about process, the more you can take out the egos, the over-confident and under-confident out of the equation. But it is much more than a process, as it requires training and providing tools to the employee base and those employees on the front lines in high risk countries, areas, products and services so that they can deal with the situations which they might confront.

As a CCO or compliance practitioner, that means you have to get out of the corporate headquarters, put boots on the ground and learn what your business team’s challenges might be going forward. It also means to instruct them specifically on how to deal with situations where they may be faced with requests to pay bribes and the difference between bribes and extortion. If an employee is faced with a danger to his or her health, safety or liberty it is encumbent on you not only explain the difference but also absolutely support them to remedy or rectify the situation. As Hill said in his article, “building the machine” is a key way to influence a company. But once you build that machine, you have to support it and keep it running.

So today I would ask you to reflect on what the abdication of Edward VIII meant for the UK and even up until today with the current monarch, Queen Elizabeth II. You might even consider Prince William and Princess Kate hanging out with LeBron James.

© Thomas R. Fox, 2014

Leave a Comment

December 4, 2014

Sherlock Holmes and Innovation in the Compliance Function – Part IV, The Valley of Fear

Filed under: Compliance,Compliance and Ethics,compliance programs,Innovation — tfoxlaw @ 12:01 am
Tags: CCO, CCO 2.0, compliance, compliance programs, Harvard Business Review, HBR

Today I conclude my dual-themed week of blog posts featuring Conan Doyle’s four Sherlock Holmes novels and innovation in the compliance function. As the compliance profession matures and we move into what I call the era of CCO 2.0. Today we celebrate Doyle’s final novel, The Valley of Fear. This novel was written in 1914 and serialized in the Strand Magazine between 1914 1915. It was notable for two reasons. The first that it was at least inspired by events in America involving the Molly Maguires, the Pinkerton Agency and its undercover agent James McParland.

In this story, Holmes decodes a cipher from Professor Moriarty’s organization for a person named Douglas in Birlstone. It is discovered that there is a corpse who was an assassin sent to kill Mr. Douglas. Douglas literally blew the head off of his American assassin and dressed the body as himself. Holmes intoned that a dumb-bell weighed down the killer’s clothes in a moat. The assassin left a calling card, monikerred VV341, which was a code for the Vermissa Valley Lodge 341. This was a reference to undercover work that Douglas did years before for the Pinkerton Agency when he went undercover, first with Freemen in Chicago, then west to a desolate mountain coal mine area, to take down corrupt murderers who ran the Valley Freemen Lodge. Years later the US criminals enlisted Professor Moriarty to find Douglas. Holmes warns Douglas to flee England. The second item of interest is that Moriarty prevails as the story ends with Mrs. Douglas wiring Holmes that her husband was lost overboard on his way to South Africa.

I thought about this final Holmes novel, with its multi-continent settings, when I read another article on innovation in the December issue of the Harvard Business Review (HBR), entitled “Managing Yourself Getting Virtual Teams Right”, by Keith Ferrazzi. As any compliance function will have a truly global reach and most likely a number of personnel in cities across the globe, virtual compliance teams are almost a given. The author states, “The appeal of forming virtual teams is clear. Employees can manage their work and personal lives more flexibly, and they have the opportunity to interact with colleagues around the world. Companies can use the best and lowest-cost global talent and significantly reduce their real estate costs.” But in the compliance arena this may go past a simple appeal and become a true need. This means that mastering this most valuable and necessary tool is a skill that any Chief Compliance Officer (CCO) or compliance practitioner will need to become proficient in using.

While this skill may seem straightforward or even intuitive, the author believes that efficient use of virtual teams can greatly increase productivity. He believes that “there are four must-haves: the right team, the right leadership, the right touchpoints, and the right technology. By following simple high-return practices for each, managers can maximize the productivity of teams they must lead virtually.”

The Right Team

The author believes that your team composition is your beginning point. He says you need to consider the right people, the right size and the right roles. This means that the virtual team members have the appropriate set of abilities, such as “good communication skills, high emotional intelligence, an ability to work independently, and the resilience to recover from the snafus that inevitably arise. Awareness of and sensitivity to other cultures is also important in global groups.” He believes this equates to a team that is no larger than 10 people. For roles the author suggests an approach which “defines three tiers of team members: core, operational, and outer. The core consists of executives responsible for strategy. The operational group leads and makes decisions about day-to-day work but doesn’t tackle the larger issues handled by the core. And the outer network consists of temporary or part-time members who are brought in for a particular stage of the project because of their specialized expertise.”

The Right Leadership

Here the author cites to key behaviors that are critical in virtual teams. The first is trust. He said you should provide the opportunity for the team members to get to know each other as people, if only through the virtual format. Once trust is established the next step is foster open dialogue or what he calls “Observable candor” because without frankness among the team it will not succeed. Finally, it is important to clarify goals and guidelines or “the importance of establishing a common purpose or vision, while also framing the work in terms of team members’ individual needs and ambitions. Explain to everyone why you are coming together and what benefits will result, and then keep reiterating the message.”

The Right Touchpoints

The author believes that even virtual teams will need to come together at certain key points. He identifies three: kickoff; onboarding and milestones. Getting together at kickoff will allow everyone to put a face with a name and will help to set “expectations for trust and candor, and clarifying team goals and behavioral guidelines. Eye contact and body language help to kindle personal connections and the “swift trust” that allows a group of strangers to work together before long-term bonds develop.” Onboarding is when you bring a new person onto the virtual team and Ferrazzi explains that it can be intimidating to come on board a team after it is up and running. He suggests bringing a new person to the corporate office and welcome them in person. Finally, Ferrazzi says that even the most dedicated teams can lose momentum as team members begin to feel disconnected. To counter-act this, he suggests bringing the full team together at certain intervals.

The Right Technology

Ferrazzi believes that even the best virtual teams “can be felled by poor technology.” He identifies conference calling, direct calling and text messaging and virtual team rooms all which can make the virtual team experience “open and searchable, making it easy for existing teams to find subject-matter experts or review their own work and for ad hoc teams to form around business-related passions.” Ferrazzi cited to one example where, when data on employee resource use was made available, “a few interested parties self-organized into a virtual project team to create a system that documents individuals’ cost savings over time. As people began to compete for the biggest savings, the company benefited.”

The earliest virtual teams were formed to facilitate innovation among top experts around the world who didn’t have time to travel. However in today’s corporate environment, teams of physically dispersed employees are more often just a necessity of doing business. The compliance function will almost always be dispersed across a wide multi-national area. Some of the tips presented herein can help you run a more efficient organization while allowing greater flexibility going forward.

This post will conclude this week’s Sherlock Holmes-Innovation in the compliance function series. I hope that you have enjoyed it and benefited from it as well. As we move to CCO 2.0, many of these soft skills will become more and more important in the doing of compliance.

Leave a Comment

November 4, 2014

Tribute to Jack Bruce – Finding Talent to Support Your Compliance Function

Filed under: Best Practices,Chief Compliance Officer,Compliance,Compliance and Ethics,compliance programs,Department of Justice,FCPA,FCPA Guidance,Financial Times,Third parties — tfoxlaw @ 12:01 am
Tags: best practices, CCO, compliance, compliance programs, DOJ, FT

Jack Bruce died last week. He was simply one of the greatest rock and roll bassist of all-time, as in ever. He helped form Rock’s first super group Cream when he joined with guitarist Eric Clapton and drummer Ginger Baker to create some of the most memorable music from the 1960s forward. What is your favorite Cream song? Whatever it is Jack Bruce probably wrote it, and you probably thought it was Eric Clapton. For me its Badge with the most haunting bass solo opening of any song I can imagine. I once heard an interview with Jack Bruce and he said he understood what that solo meant to him but what he never anticipated and frankly could not understand was why it was so important to so many other people. That is just the way some music is; once it gets in your soul, it does not leave.

Jack Bruce was also the lead singer of Cream. Once again I am sure you thought it was Eric Clapton, who had much more fame throughout his career. Bob Lefsetz, in his blog post tribute, simply entitled “Jack Bruce”, said, “So, so long Jack Bruce, on the one hand you were born too young, before the Internet era, before everyone could know every detail of your life and hold you close to their bosom. That’s right, we know very little about Jack Bruce, just a few details, his music speaks for him, and ultimately that’s grand.”

I thought about just how little I knew about Jack Bruce, even in relation to his two Cream band-mates, in another context recently. This perspective is also British but comes to us from a very different source. Periodically the UK government declassifies very old documents; sometimes 30 years old, sometimes 50 years old, sometimes even older. This means that historians in particular and the public in general will receive new or supplemental information about past events. It also means that certain events from World War II (WWII) are still being discovered or even re-evaluated due to this declassification process.

Recently the UK government had another such release. One of the more interesting pieces was about a man named Eric Roberts. His tale was told in an article in the On Management column in the Financial Times (FT), entitled “The spy left out in the cold is a tale all bosses should read”, by Andrew Hill. Roberts was a lowly bank clerk at Westminster Bank, which he joined when he was 17. “He worked in various branches. He rose, but not very far, to be a lower-middle grade clerk, who took a couple of holidays in Germany and enjoyed ju-jitsu and judo. He had a family and lived near Epsom. In 1935, the bank sent him on a seven-week “machine accountancy” course. But he also worked undercover for MI-5, controlling and neutralizing hundreds of Nazi sympathizers and “fifth columnists in Britain, by himself”. Hill called him a “genius spy”.

The most surprising thing about Roberts was not his spy work for MI-5 on behalf of his country but something very different and something every Chief Compliance Officer (CCO) and compliance practitioner needs to consider in their respective role. Hill wrote, “The most interesting thing brought to light from the National Archives last week was the note from one of his managers, in answer to a request to release him for war work. It read: “What we would like to know here is what are the particular and especial qualifications of Mr. Roberts – which we have not been able to perceive – for some particular work of national military importance?”

Columnist Hill wrote, “there is something shocking about the dismissive ‘which we have not been able to perceive’ from his superior.” He goes on to state, “It raises the question of how many ‘geniuses’ are languishing with large organizations, and how those organizations can discover and use their neglected talent.” I thought about that in the context of a CCO, compliance practitioner and the compliance function in general. How many of us are very good at “recognizing the true depth of their staff”? However, for the compliance function in general I think this question has wider implications about the doing of compliance in an organization.

The success of a compliance function is largely an organization based on its ability to influence decisions and actions in a company. This means that the CCO, compliance practitioner and compliance function must work in collaboration with other groups in a company. In a top-down, command and control organization, it may be a matter of having the top management set the right tone. But often it is much more that something that simply.

Hill reports, “Studies of those influencers [within an organization] are rarely in positions that the formal hierarchy considers influential.” This insight is particularly important for the CCO or compliance practitioner who wants to leverage others in an entity to help move compliance forward. One of the best examples I can think of is around third party representatives. The FCPA Guidance makes clear that when it comes to a company’s sales-side representatives, “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed.” I believe that the best person to fulfill this requirement is a business unit sponsor who not only knows what skills or services a third party can bring to your company but also why they should be used in the place of others who your organization may have a contract with or another outside third party.

But the role of a business sponsor does not end there. One of the five steps in the management of third parties is managing the relationship after the contract is signed. One of the ways to do this is through having your business sponsor be the first point of contact with a third party representative. This business sponsor can and should meet with the third party representative on a regular basis. This business sponsor might even be trained so that he or she could provide the very basics of first-line compliance training. Even at the very least, a business sponsor should be able to talk about your company’s values as reflected in your Code of Conduct, Code of Ethics or other statement of values. This business sponsor can even be trained to provide front-line audit services by spot reviewing invoices to ascertain that they meet requirements, the products or services have been delivered to your company and there are no charges that raise Red Flags. Once again your business sponsor does not have to be a subject matter expert (SME) on auditing but he or she should know your business well enough and, having written the Business Justification, understand why your company’s use of this third party is so business critical that they can at least evaluate the basics set down in an invoice.

This all drives home the need to recognize folks with potential in your organization and the ability to develop that talent. One of the keys in doing so for the CCO or compliance practitioner is to get out of the office and meet business unit employees. Hill believes that by simply getting out of the office and meeting with such employees, you can tie into the “powerful side-effect of encouraging trust between colleagues”. Hill ends his piece with the story of another English bank clerk who apparently showed some talents in other fields, the American TS Eliot, who worked at Lloyds. One bank officer said of Eliot that he “did not see why Eliot mightn’t even become Branch Manager” one day.

There is talent for a compliance function throughout your organization. But in the case of Westminster bank and its putative spy-in-residence Eric Roberts the bank did not even try to find out his talents.

Leave a Comment

October 29, 2014

Doing Compliance-The Book

I have consistently tried to bring a ‘Nuts and Bolts’ approach to my writing about compliance. Last year when describing some of my writing on the building blocks of a Foreign Corrupt Practices Act (FCPA) compliance program to my friend Mary Flood, she said “That’s great but what about actually doing compliance?” Fortunately for me, she did not ask how as there is no telling just how much hot water answering that question would have gotten me into! Her idea about writing a book which a compliance practitioner could use as a one-volume reference for the everyday work of anti-corruption compliance was the genesis of my most recent hardbound book, Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program. I am pleased to announce that the book is hot off the presses and now available for purchase through Compliance Week in the US and Ark Publishing in the UK.

Just as the world becomes more flat for business and commercial operations, it is also becoming so for anti-corruption and anti-bribery enforcement. Any company that does business internationally must be ready to deal with a business environment with these new realities. My book is designed to be a one-volume work which will give to you some of the basics of creating and maintaining an anti-corruption and anti-bribery compliance program which will meet any business climate you face across the globe. I have based my discussion of a best practices compliance program on what the Criminal Division of the US Department of Justice (DOJ) and Enforcement Division of the Securities and Exchange Commission (SEC) set out in their jointly produced “FCPA – A Resource Guide to the U.S. Foreign Corrupt Practices Act”, the FCPA Guidance, the ‘Ten Hallmarks of an Effective Compliance Program.” The FCPA Guidance wisely made clear that there is no ‘one-size-fits-all’ approach when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors.” Thus, the book is written to provide insight into the aspects of compliance programs that DOJ and SEC assesses, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs.

This book does not discuss the underlying basis of the FCPA, the UK Bribery Act or any other anti-corruption or anti-bribery legislation. I have assumed the reader will have a modicum of knowledge of these laws. If not, there are several excellent works, which can provide that framework. The book is about doing business in compliance with these laws. As with all Americans, I appreciate any list that is deca-based, so the format of 10 hallmarks resonates with me. I have used this basic ten-part organization in laying out what I think you should consider in your anti-corruption and anti-bribery compliance program. In addition to presenting my own views in these areas, I also set out the views of both FCPA practitioners and commentators from other areas of business study and review. The book includes the following:

Chapter 1 – Where It All Begins: Commitment from Senior Management and a Clearly Articulated Policy against Corruption It all begins at the Top, what should management say and do? ‘Tone at the Top’ is a great buzz word but how does a company truly get the message of compliance down through the ranks? This chapter discusses the techniques management can use to move the message of compliance down through middle management and into the lower ranks of the company.

Chapter 2 – Some Written Controls: Code of Conduct and Compliance Policies and Procedures The Cornerstone of your anti–bribery/anti-corruption compliance program is set out in your written standards and internal controls which consist of a Code of Conduct, Compliance Policy and implementing Procedures. This chapter discusses what should be in the written basics of your compliance program and how best to implement these controls.

Chapter 3 – For the CCO: Oversight, Autonomy, and Resources The role and function of a Chief Compliance Officer (CCO) in any compliant organization cannot be overstated. Simply naming a CCO is no longer enough to meet even the minimum requirements of best practices. One of the key areas that the DOJ will review is how is a CCO allowed to fulfill his role. Does the position have adequate resources? Does it have autonomy and support in the corporate environment? Does the Board of Directors exercise appropriate oversight? This chapter reviews the Compliance Function, Oversight, Autonomy and Resources and relates structuring the compliance function in an organization.

Chapter 4 – The Cornerstone of Your Compliance Program: Risk Assessment It all begins here, as a risk assessment is the road map to managing your compliance risk. The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are, but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high-risk areas first. This chapter discusses what risks you should assess, the process for doing so and using that information going forward.

Chapter 5 – Getting Out on the Road: Training and Continuing Advice Once you have designed and implemented your compliance program, the real work begins and you must provide training on the compliance program and continuing advice to your company thereafter. This means that another pillar of a strong compliance program is properly training company officers, employees, and third parties on relevant laws, regulations, corporate policies, and prohibited conduct. However merely conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The expectations for effectiveness are measured by who a company trains, how the training is conducted, and how often training occurs. This chapter discusses getting the message of compliance out to your employees.

Chapter 6 – Do As I Do & As I Say: Incentives and Disciplinary Measures Any effective compliance program will use a variety of tools to help ensure that it is followed. This means that you must employ both the carrot of incentives and the stick of disciplinary measures to further compliance. How can you burn compliance into the DNA of your company? Discipline has long been recognized as an important aspect of a compliance regime but more is now required. This chapter relates structuring compliance into the fabric of your company through hiring, promotion of personnel committed to compliance and how to reward them for doing business ethically and in compliance with the FCPA.

Chapter 7 – Your Greatest Source of FCPA Exposure: Third Parties and How to Manage the Risk Third Parties are universally recognized as the highest risk in any compliance program. Indeed it is estimated that well over 90% of all FCPA enforcement actions involve third parties. Therefore it is important how to manage this highest risk for an anti-corruption program. This chapter provides a five-step process for the investigation and management of any third party relationship; from agents in the sales chain to vendors in the supply chain.

Chapter 8 – How Do I Love Thee: Confidential Reporting and Internal Investigations In any company, your best source about not only the effectiveness of your compliance program but any violations are your own employees. This means that you must design and implement a system of confidential reporting to get your employees to identify issues and then have an effective internal investigation of any issues brought to your attention. Your own employees can be your best source of information to prevent a compliance issue from becoming a FCPA violation. This chapter provides the best practices for setting up internal reporting and investigating claims of compliance violations.

Chapter 9 – How to Get Better: Improvement: Periodic Testing and Review Once you have everything up and running you still need to not only periodically oil but also update the machinery of compliance. You do this through the step of continuous improvement, which is the use of monitoring and auditing to review and enhance your compliance regime going forward. A company should focus on whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program.

Chapter 10 – Should I or Shouldn’t I? Mergers and Acquisitions The last thing you want to bring in through an acquisition is another company’s FCPA violation for which your company must pay the piper; also known as buying a FCPA violation. Effectively managing your mergers and acquisitions (M&A) process can help you to identify risk areas in a potential acquisition and then remediate any issues in the post-acquisition integration phase. This chapter gives you the most recent pronouncements on how to avoid FCPA exposure in this key area of corporate growth and to use the M&A function to proactively manage compliance.

Chapter 11 – A Few Words about Facilitation Payments One of the key differences between the US FCPA and UK Bribery Act is that the US law allows facilitation payments. However, in today’s interconnected world, to allow one part of your company to make facilitation payments while UK subsidiaries or others covered by the UK Bribery Act are exempted out from your standard on facilitation payments has become an administrative nightmare. This chapter explores what is a facilitation payment, how the policing of your internal policy has become more difficult and some companies which have been investigated regarding their facilitation payments. It also provides guidelines for you to follow should your company decide to allow them going forward.

So with thanks to Mary Flood for the idea, Matt Kelly, the Editor of Compliance Week for the publishing platform and Helen Roche & Laura Slater and the rest of the team at Ark Publishing for getting me through the publishing process in a professional manner, I am published to announce that Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program is now available for purchase.

You can purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program in the US by clicking here. You can purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program in the UK by clicking here.

Leave a Comment

FCPA Compliance and Ethics Blog

August 4, 2015

July 9, 2015

The Third Man and the Authority of Chief Compliance Officers

May 27, 2015

Economic Downturn Week, Part II – The Golden Gate Bridge and Employment Separation – Hotlines and Whistleblowers During Layoffs

May 19, 2015

A CCO Job Function: Managing Talent

March 12, 2015

Protections for CCOs from Wrongful Termination

January 12, 2015

Get Your Tootsie-Frootsie Ice Cream; Hiring as Part of Your Compliance Program

December 11, 2014

On Compliance Leadership: From Edward VIII to LeBron James

December 4, 2014

Sherlock Holmes and Innovation in the Compliance Function – Part IV, The Valley of Fear

November 4, 2014

Tribute to Jack Bruce – Finding Talent to Support Your Compliance Function

October 29, 2014

Doing Compliance-The Book

January

Blogroll

Pages

Admin

Read by Email

Recent Posts from FCPA Compliance and Ethics Report: FCPA Compliance and Ethics Report

Episode 240-Bill Coffin on Compliance Week 2016

Episode 239-Jonathan Armstong On EU Privacy Shield

Episode 238-John Allen on HR Touch Points in Compliance

Episode 237-Steve McCalmont on the Avior Risk Management Platform

Episode 236-Adam Turteltaub and SCCE CCO Survey