FCPA Compliance and Ethics Blog

March 12, 2015

Protections for CCOs from Wrongful Termination

This week the Houston Texans unceremoniously cut the franchise’s greatest player in its short history, receiver Andre Johnson. This was after his being hauled into the office of the head coach and being told that he would only need to work half as hard next year. As reported by Jerome Solomon in the Houston Chronicle article entitled “Move inevitable, but team bungles its handling”, Head Coach Bill O’Brien told Johnson that his catch total would drop from the 84 he has averaged in his 12-year career with the Texans down to “around 40 passes next season.” But O’Brien went on to add that the team’s certain Hall of Fame receiver “wasn’t likely to be a starter next season, definitely not for all of the games.” So much for playing your best player at his position on a full-time basis, but hey, at least the information was made public.

Now imagine you are a Chief Compliance Officer (CCO) and have been one of your company’s senior management for the better part of the past 12 years. While you may not have been the most important member of the management team, you certainly have helped navigate the company through rough compliance waters. Now imagine the company’s Chief Executive Officer (CEO) tells you that although he has no one in mind to replace you (other than a less experienced and smaller-salaried compliance specialist), your services will only be needed half the time in the coming year. What if this is in response to advice the head of the company did not like? What should the response be?

You can consider the departure from MF Global of its Chief Risk Officer, the financial services equivalent of a CCO. In a New York Times (NYT) article entitled “MF Global’s Risk Officer Said to Lack Authority”, Ben Protess and Azam Ahmed reported that the company replaced its Chief Risk Officer, Michael Roseman, after he “repeatedly clashed with Mr. Corzine [the CEO] over the firm’s purchase of European sovereign debt.” He was given a large severance package and left the company. When he left, there was no public reason given. His replacement was brought into the position with reduced authority.

If you are a public company, you may well need to heed the advice of fraud and compliance expert Jonathan Marks, a partner at Crowe Horwath LLP, who advocates that any time a CCO, a key executive, is dismissed it should be an 8K reporting event because the departure may be a signal of a change in the company’s attitude towards compliance or that an alleged ethical breach had taken place. A similar view was expressed by Michael W. Peregrine in a NYT article entitled “Another View: MF Global’s Corporate Governance Lesson”, where he wrote that a “compliance officer is the equivalent of a “protected class” for governance purposes, and the sooner leadership gets that, the better.” Particularly in the post Sarbanes-Oxley world, a company’s CCO is a “linchpin in organizational efforts to comply with applicable law.” When a company fires a CCO (or asks him or her to resign), it is a significant decision for all involved in corporate governance and should not be made at the discretion of the CEO alone.

In its Code of Ethics for Compliance and Ethics Professionals, the Society for Corporate Compliance and Ethics (SCCE) has postulated Rule 1.4, which reads, “If, in the course of their work, CEPs become aware of any decision by their employing organization which, if implemented, would constitute misconduct, the professional shall: (a) refuse to consent to the decision; (b) escalate the matter, including to the highest governing body, as appropriate; (c) if serious issues remain unresolved after exercising “a” and “b”, consider resignation; and (d) report the decision to public officials when required by law.” As commentary to this rule, the SCCE said, “The duty of a compliance and ethics professional goes beyond a duty to the employing organization, inasmuch as his/her duty to the public and to the profession includes prevention of organizational misconduct. The CEP should exhaust all internal means available to deter his/her employing organization, its employees and agents from engaging in misconduct. The CEP should escalate matters to the highest governing body as appropriate, including whenever: a) directed to do so by that body, e.g., by a board resolution; b) escalation to management has proved ineffective; or c) the CEP believes escalation to management would be futile. CEPs should consider resignation only as a last resort, since CEPs may be the only remaining barrier to misconduct. A letter of resignation should set forth to senior management and the highest governing body of the employing organization in full detail and with complete candor all of the conditions that necessitate his/her action. In complex organizations, the highest governing body may be the highest governing body of a parent corporation.”

What about compensation? The Department of Justice (DOJ) has made clear that it expects a CCO to resign if the company refuses advice and violates the Foreign Corrupt Practices Act (FCPA). The former head of the DOJ-FCPA unit Chuck Duross went so far as to compare CCOs and compliance practitioners to the Texans at the Alamo. To be fair to Duross, I think he was focusing more on the line in the sand part of the story, while I took that to mean they were all slaughtered for what they believed in. But whichever interpretation you may choose to put on it, the DOJ clearly expects a CCO to stand up and if a CEO does not like what they say, he or she must resign. This puts CCOs and compliance practitioners in a very difficult position, particularly if there is no exit compensation for doing the right thing by standing up.

I think the next step should be for the DOJ and Securities and Exchange Commission (SEC) to begin to discuss the need for contractual protection of CCOs and other compliance practitioners against retaliation for standing up against corruption and bribery. The standard could simply be one that protects a CCO and other compliance practitioners against termination without cause. Just as the SEC is investigating whether companies are trying to muzzle whistleblowers through post-employment Confidentiality Agreements, I think they should consider whether CCOs and other compliance practitioners need more employment protection. I think the SEC should also consider the proposals of Marks regarding the required 8K or other public reporting of the dismissal or resignation of any CCO. Finally, I would expand on Peregrine’s suggestion and require that a company Board of Directors approve any dismissal of a CCO. With these protections in place, a CCO or compliance practitioner would have the ability to confront management who might take business decisions that violate the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015


January 12, 2015

Get Your Tootsie-Frootsie Ice Cream; Hiring as Part of Your Compliance Program

One of my great loves is the Marx Brothers. I fell in love with their rapid-fire wiseacre remarks as a teenager and have been enthralled with them since then. I have seen all of their movies, most of their television appearances and even read some of their radio scripts. I was reminded of their unique brand of comedy and contribution to the great good when I read an article in the Financial Times (FT) by Danny Leigh, entitled “Souped-up comedy”. Leigh wrote the article around the British Film Institute’s (BFI) 2015 season, which includes a year-long retrospective of Marx Brothers movies. To honor both the BFI and my beloved Marx Brothers, this week, I am featuring a series of Marx Brothers themed blog posts.

Today, I want to look at what many believe is one of their funniest skits, which comes from the MGM-released movie A Day at the Races, the “Tootsie-Frootsie” Ice Cream/Code Book scene. Tony (Chico) poses as an ice-cream vendor outside the racetrack – he is actually a con artist selling racing tips on horses. He knows that in the next race, he can win with 10-1 odds with a bet on Sun-Up, but he needs the cash. So he sets up the scam as gullible victim Dr. Hackenbush (Groucho) arrives at the racetrack to bet two dollars on Sun-Up. Hackenbush is advised by Tony to bet on Rosie, a 40-1 shot. At the betting window, Hackenbush bets two dollars on Rosie, but the bookie tells him the race is already over – Sun-Up was the winner. Hackenbush realizes he has been taken. He thinks for a moment, then dumps the books back in the cart and takes the scammer’s place waiting for a victim, crying: “Get your Tootsie-Frootsie. Nice ice cream. Nice Tootsie-Frootsie ice cream.”

I thought about the Tootsie-Frootsie ice cream scene in the context of hiring and Foreign Corrupt Practices Act (FCPA) compliance. One of the theories of conventional wisdom about anti-corruption compliance is that you will never be able to reach 5% of your workforce with compliance training because they are predisposed to lie, cheat and steal anyway. Whether they are simply sociopaths, scumbags or just bad people, it really does not matter. No amount of training is going to convince them to follow the rules, such as the FCPA, UK Bribery Act or even foreign domestic laws against bribery and corruption; consider the Chinese domestic laws that GlaxoSmithKline PLC (GSK) was convicted under, which were of no import to such people. They do not think such laws apply to them and they will lie, cheat and steal no matter what industry they are in and what training you provide to them. But knowing such people exist and they may be able to lie, con or otherwise dissimulate their way into your organization does not protect your company from FCPA liability when they inevitably violate the law by engaging in bribery and corruption. It is still the responsibility of your company to prevent and detect such conduct and then remediate if it occurs. Simply put, if you hire Chico, you are going to get a Tootsie-Frootsie ice cream.

I thought about these concepts when reading an article in the Corner Office column of the New York Times (NYT), entitled “Three Keys to Hiring: Skill, Will and Fit”, by Adam Bryant, where he reported on an interview with Marla Malcolm Beck, the Chief Executive Officer (CEO) of Bluemercury. She had several lessons that I thought would be helpful for a Chief Compliance Officer (CCO) or compliance practitioner in general and in particular when trying to have your company avoid bringing in the five per-center mentioned above.

Be Passionate

Beck related an early leadership lesson that she learned during college, when she ran unopposed to be President of a student organization. Since she was unopposed, she ran no campaign but did not receive a majority of votes and therefore was not elected to the position. So she tried to learn from her mistakes, “In the second election, someone ran against me, but I had interviewed a lot of people about why I didn’t get the position the first time, and they said I wasn’t human enough, I wasn’t passionate enough. So I talked more about the mission and my dreams for the organization, and I think people respected me for getting up there again, and I got most of the votes.” For the compliance practitioner or CCO, I think the message here is both communication and passion. If you do not believe in the anti-corruption compliance regime that you are pushing, it will be nearly impossible for the rest of your far-flung corporate work force to believe in it. Talk about compliance and the positive aspects of your program for your company. If you sit in your office, situated as Dr. No in the Land of NO, you and your program will get NOwhere fast.

Problem Solving

Another valuable lesson that Beck related was one she learned early on in her entrepreneurial career and it related to problem solving. She said, “Early on, I kept a lot of the hard problems to myself. Not only did that put more pressure on me, but also people can start working on the wrong things, and you have no way to course-correct if you don’t give them the “why.” I don’t think I was brave enough early on, and I’m more brave now about not keeping things to myself — things that are working, things that are not working, and just being more fluid with communication. I still catch myself now when I’m asking people to do things, and I have to go back to why it’s important and why we need to do this as a company.”

As a CCO or compliance practitioner, you will never have enough time to answer every question, nor should you. If you can provide your employee base the tools to make the right call, I think you will find most of the time they will. In a compliance leadership role, you should have two overriding goals: (1) burn compliance into the DNA of your company deeply enough that the business folks will come up with the right response almost all the time, and (2) be there when they cannot do so. Beck’s query of “why it’s important and why we need to do this as a company.”

The Hiring Process

I found Beck’s remarks on hiring the most interesting. I have long argued that Human Resources (HR) is a key component in any best practices anti-corruption compliance program. This is particularly true in hiring and promotion of employees to senior management. Avoiding the hiring or promotion of the sociopaths, or even the Chicos of the world, is a key tool that HR brings to the table. Beck’s approach is to take a short interview technique in which she attempts to assess Skill, Will and Fit. She said, “I’ll ask, “What’s the biggest impact you had at your past organization?” It’s important that someone takes ownership of a project that they did, and you can tell based on how they talk about it whether they did it or whether it was just something that was going on at the organization. Will is about hunger, so I’ll ask, “What do you want to do in five or 10 years?” That tells you a lot about their aspirations and creativity. If you’re hungry to get somewhere, that means you want to learn. And if you want to learn, you can do any job. In terms of fit, I’m looking for people who have some sort of experience with a smaller company. At big companies, your job is really one little piece of the pie. I need someone who can make things happen and is comfortable with ambiguity.”

Through such a structured series of questions, a properly trained HR professional can begin to assess whether an employee might have a propensity to engage in bribery and corruption. By adding information about your company’s values towards doing business ethically and in compliance, you can introduce this topic at either the interview evaluating process or in the promotion process. While true sociopaths will most certainly lie to you, perhaps even convincingly, by introducing the topic at such a pre-employment stage, they may be encouraged to take their skills elsewhere. Or you can just get your Tootsie-Frootsie ice cream.

For a clip of the Get Your Tootsie-Frootsie Ice Cream scene on YouTube, click here.


© Thomas R. Fox, 2015

December 11, 2014

On Compliance Leadership: From Edward VIII to LeBron James

On this day in 1936 King Edward VIII became the first English monarch to voluntarily abdicate the throne. He chose to abdicate after the British government, public and the Church of England condemned his decision to marry the American divorcée Wallis Warfield Simpson. On the evening of December 11, he gave a radio address in which he explained, “I have found it impossible to carry on the heavy burden of responsibility and to discharge the duties of king, as I would wish to do, without the help and support of the woman I love.” Despite these protestations of love requiring his abdication, recent scholarship has suggested the King was forced out because of his sympathy to Hitler’s Germany. Indeed I recently saw a documentary, which went so far as to say that the King had agreed to re-assume the monarch’s throne if Germany had successfully invaded England. Whatever the reason or reasons, on December 12, 1936 his younger brother, the Duke of York, was proclaimed King George VI. England was certainly better off for it.

I thought about this excellent example of extremely poor leadership and what a Chief Compliance Officer (CCO) or compliance practitioner might be able to learn from it in the context of a couple of articles I recently came across in the Financial Times (FT). The first was by Andrew Hill in his ‘On Management’ column and was entitled “The dangers of a rising C-level for the business environment”. While the focus of the article was on chief executives, I found some of Hill’s insights also applicable to a CCO. Hill expressed concern about how chief executives embody “the fallacy of infallibility.” He decried that “The corporate world is similarly deluded in thinking that individual chief executives are a wonder drug that can be injected into ailing businesses. It is better to think of companies as systems. They may not work at all without some sort of hierarchy. But they work much better if managers and leaders recognise that they are merely a single, if important, component and that effective procedures and clear designation of individuals’ roles and responsibilities help the whole work smoothly.”

He cited to the example of one un-named chief executive who “said he had just two ways to influence the company: by setting the tone and culture and by “building the machine”.” I would translate this into process. Hill recognized that “Reliance on mechanical process alone is clearly dangerous. It could “induce mindlessness.” Rigorous procedures and training should instead free innovators to take the necessary risks and leaders to react in the right way to inevitable challenges.”

This means that training employees and giving them the tools to succeed should be a more important skill than simply following orders. If you train your business team in the basics of compliance and then provide the right support to them, it can help bake compliance into the DNA of a company. Simply put, a top-down compliance program dictated from the corporate office in the US or UK will not be as effective as a CCO or compliance practitioner getting out into the field and getting the business team to view themselves as compliance colleagues and assume responsibility for doing compliance in everyday transactions.

The second article was by psychologist Naomi Shragai and was entitled “Bloated and shrunken egos both prove bad for business”. Shragai began her article with the following observation, “We are rarely the best judge of our own skills and achievements. Even with the best intentions, we tend to overrate or underrate our abilities. Deluding ourselves that we are better than we are boosts our confidence and helps us to recover from setbacks. Identifying faults in others, the company or circumstances is easier on the ego than believing any deficiency lies within. The problem with this attitude is that it is rooted in a misguided belief that there is nothing to learn or correct.” She also described the contrary case when she wrote, “At the opposite end of the continuum are people who underplay their abilities and tend to see the fault in themselves rather than in others. They might overcompensate for what they perceive as deficiencies in themselves by working hard, but, stuck in a cycle of negativity, they generally fail to take responsibility for their own development.”

Shragai suggests dealing with the former is important because in the long run “their behaviour needs to be managed early before it becomes self-reinforcing and harms the business…Let him or her know that you are not judging the person but the work.” For the latter behavior, she suggests, “The underconfident need to take more responsibility for listening to what others are saying by consciously tuning into reality rather than slipping into negative thoughts…Help them to recognise their skills by presenting them with concrete evidence of their accomplishments.”

From these two articles, I synthesized the importance of the process of compliance. The more that you can make compliance about process, the more you can take the egos, the over-confident and the under-confident out of the equation. But it is much more than a process, as it requires training and providing tools to the employee base and those employees on the front lines in high risk countries, areas, products and services so that they can deal with the situations which they might confront.

As a CCO or compliance practitioner, that means you have to get out of the corporate headquarters, put boots on the ground and learn what your business team’s challenges might be going forward. It also means instructing them specifically on how to deal with situations where they may be faced with requests to pay bribes and the difference between bribes and extortion. If an employee is faced with a danger to his or her health, safety or liberty it is incumbent on you not only to explain the difference but also to absolutely support them to remedy or rectify the situation. As Hill said in his article, “building the machine” is a key way to influence a company. But once you build that machine, you have to support it and keep it running.

So today I would ask you to reflect on what the abdication of Edward VIII meant for the UK and even up until today with the current monarch, Queen Elizabeth II. You might even consider Prince William and Princess Kate hanging out with LeBron James.


© Thomas R. Fox, 2014

December 4, 2014

Sherlock Holmes and Innovation in the Compliance Function – Part IV, The Valley of Fear

Today I conclude my dual-themed week of blog posts featuring Conan Doyle’s four Sherlock Holmes novels and innovation in the compliance function. As the compliance profession matures and we move into what I call the era of CCO 2.0. Today we celebrate Doyle’s final novel, The Valley of Fear. This novel was written in 1914 and serialized in the Strand Magazine between 1914 and 1915. It was notable for two reasons. The first is that it was at least inspired by events in America involving the Molly Maguires, the Pinkerton Agency and its undercover agent James McParland.

In this story, Holmes decodes a cipher from Professor Moriarty’s organization for a person named Douglas in Birlstone. It is discovered that there is a corpse who was an assassin sent to kill Mr. Douglas. Douglas literally blew the head off of his American assassin and dressed the body as himself. Holmes intoned that a dumb-bell weighed down the killer’s clothes in a moat. The assassin left a calling card, monikered VV341, which was a code for the Vermissa Valley Lodge 341. This was a reference to undercover work that Douglas did years before for the Pinkerton Agency when he went undercover, first with Freemen in Chicago, then west to a desolate mountain coal mine area, to take down corrupt murderers who ran the Valley Freemen Lodge. Years later the US criminals enlisted Professor Moriarty to find Douglas. Holmes warns Douglas to flee England. The second item of interest is that Moriarty prevails as the story ends with Mrs. Douglas wiring Holmes that her husband was lost overboard on his way to South Africa.

I thought about this final Holmes novel, with its multi-continent settings, when I read another article on innovation in the December issue of the Harvard Business Review (HBR), entitled “Managing Yourself Getting Virtual Teams Right”, by Keith Ferrazzi. As any compliance function will have a truly global reach and most likely a number of personnel in cities across the globe, virtual compliance teams are almost a given. The author states, “The appeal of forming virtual teams is clear. Employees can manage their work and personal lives more flexibly, and they have the opportunity to interact with colleagues around the world. Companies can use the best and lowest-cost global talent and significantly reduce their real estate costs.” But in the compliance arena this may go past a simple appeal and become a true need. This means that mastering this most valuable and necessary tool is a skill that any Chief Compliance Officer (CCO) or compliance practitioner will need to become proficient in using.

While this skill may seem straightforward or even intuitive, the author believes that efficient use of virtual teams can greatly increase productivity. He believes that “there are four must-haves: the right team, the right leadership, the right touchpoints, and the right technology. By following simple high-return practices for each, managers can maximize the productivity of teams they must lead virtually.” 

The Right Team

The author believes that your team composition is your beginning point. He says you need to consider the right people, the right size and the right roles. This means that the virtual team members have the appropriate set of abilities, such as “good communication skills, high emotional intelligence, an ability to work independently, and the resilience to recover from the snafus that inevitably arise. Awareness of and sensitivity to other cultures is also important in global groups.” He believes this equates to a team that is no larger than 10 people. For roles the author suggests an approach which “defines three tiers of team members: core, operational, and outer. The core consists of executives responsible for strategy. The operational group leads and makes decisions about day-to-day work but doesn’t tackle the larger issues handled by the core. And the outer network consists of temporary or part-time members who are brought in for a particular stage of the project because of their specialized expertise.” 

The Right Leadership

Here the author cites to key behaviors that are critical in virtual teams. The first is trust. He said you should provide the opportunity for the team members to get to know each other as people, if only through the virtual format. Once trust is established the next step is to foster open dialogue or what he calls “Observable candor” because without frankness among the team it will not succeed. Finally, it is important to clarify goals and guidelines or “the importance of establishing a common purpose or vision, while also framing the work in terms of team members’ individual needs and ambitions. Explain to everyone why you are coming together and what benefits will result, and then keep reiterating the message.”

The Right Touchpoints

The author believes that even virtual teams will need to come together at certain key points. He identifies three: kickoff, onboarding and milestones. Getting together at kickoff will allow everyone to put a face with a name and will help to set “expectations for trust and candor, and clarifying team goals and behavioral guidelines. Eye contact and body language help to kindle personal connections and the “swift trust” that allows a group of strangers to work together before long-term bonds develop.” Onboarding is when you bring a new person onto the virtual team and Ferrazzi explains that it can be intimidating to come on board a team after it is up and running. He suggests bringing a new person to the corporate office and welcoming them in person. Finally, Ferrazzi says that even the most dedicated teams can lose momentum as team members begin to feel disconnected. To counteract this, he suggests bringing the full team together at certain intervals.

The Right Technology

Ferrazzi believes that even the best virtual teams “can be felled by poor technology.” He identifies conference calling, direct calling and text messaging and virtual team rooms, all of which can make the virtual team experience “open and searchable, making it easy for existing teams to find subject-matter experts or review their own work and for ad hoc teams to form around business-related passions.” Ferrazzi cited to one example where, when data on employee resource use was made available, “a few interested parties self-organized into a virtual project team to create a system that documents individuals’ cost savings over time. As people began to compete for the biggest savings, the company benefited.”

The earliest virtual teams were formed to facilitate innovation among top experts around the world who didn’t have time to travel. However, in today’s corporate environment, teams of physically dispersed employees are more often just a necessity of doing business. The compliance function will almost always be dispersed across a wide multi-national area. Some of the tips presented herein can help you run a more efficient organization while allowing greater flexibility going forward.

This post will conclude this week’s Sherlock Holmes-Innovation in the compliance function series. I hope that you have enjoyed it and benefited from it as well. As we move to CCO 2.0, many of these soft skills will become more and more important in the doing of compliance.


© Thomas R. Fox, 2014

November 4, 2014

Tribute to Jack Bruce – Finding Talent to Support Your Compliance Function

Jack Bruce died last week. He was simply one of the greatest rock and roll bassists of all time, as in ever. He helped form Rock’s first super group Cream when he joined with guitarist Eric Clapton and drummer Ginger Baker to create some of the most memorable music from the 1960s forward. What is your favorite Cream song? Whatever it is, Jack Bruce probably wrote it, and you probably thought it was Eric Clapton. For me it’s Badge, with the most haunting bass solo opening of any song I can imagine. I once heard an interview with Jack Bruce and he said he understood what that solo meant to him but what he never anticipated and frankly could not understand was why it was so important to so many other people. That is just the way some music is; once it gets in your soul, it does not leave.

Jack Bruce was also the lead singer of Cream. Once again I am sure you thought it was Eric Clapton, who had much more fame throughout his career. Bob Lefsetz, in his blog post tribute, simply entitled “Jack Bruce”, said, “So, so long Jack Bruce, on the one hand you were born too young, before the Internet era, before everyone could know every detail of your life and hold you close to their bosom. That’s right, we know very little about Jack Bruce, just a few details, his music speaks for him, and ultimately that’s grand.”

I thought about just how little I knew about Jack Bruce, even in relation to his two Cream band-mates, in another context recently. This perspective is also British but comes to us from a very different source. Periodically the UK government declassifies very old documents; sometimes 30 years old, sometimes 50 years old, sometimes even older. This means that historians in particular and the public in general will receive new or supplemental information about past events. It also means that certain events from World War II (WWII) are still being discovered or even re-evaluated due to this declassification process.

Recently the UK government had another such release. One of the more interesting pieces was about a man named Eric Roberts. His tale was told in an article in the On Management column in the Financial Times (FT), entitled “The spy left out in the cold is a tale all bosses should read”, by Andrew Hill. Roberts was a lowly bank clerk at Westminster Bank, which he joined when he was 17. “He worked in various branches. He rose, but not very far, to be a lower-middle grade clerk, who took a couple of holidays in Germany and enjoyed ju-jitsu and judo. He had a family and lived near Epsom. In 1935, the bank sent him on a seven-week “machine accountancy” course. But he also worked undercover for MI-5, controlling and neutralizing hundreds of Nazi sympathizers and “fifth columnists in Britain, by himself”. Hill called him a “genius spy”.

The most surprising thing about Roberts was not his spy work for MI-5 on behalf of his country but something very different and something every Chief Compliance Officer (CCO) and compliance practitioner needs to consider in their respective role. Hill wrote, “The most interesting thing brought to light from the National Archives last week was the note from one of his managers, in answer to a request to release him for war work. It read: ‘What we would like to know here is what are the particular and especial qualifications of Mr. Roberts – which we have not been able to perceive – for some particular work of national military importance?’”

Columnist Hill wrote, “there is something shocking about the dismissive ‘which we have not been able to perceive’ from his superior.” He goes on to state, “It raises the question of how many ‘geniuses’ are languishing with large organizations, and how those organizations can discover and use their neglected talent.” I thought about that in the context of a CCO, compliance practitioner and the compliance function in general. How many of us are very good at “recognizing the true depth of their staff”? However, for the compliance function in general I think this question has wider implications about the doing of compliance in an organization.

The success of a compliance function in an organization is largely based on its ability to influence decisions and actions in a company. This means that the CCO, compliance practitioner and compliance function must work in collaboration with other groups in a company. In a top-down, command and control organization, it may be a matter of having the top management set the right tone. But often it is much more than something that simple.

Hill reports, “Studies of those influencers [within an organization] are rarely in positions that the formal hierarchy considers influential.” This insight is particularly important for the CCO or compliance practitioner who wants to leverage others in an entity to help move compliance forward. One of the best examples I can think of is around third party representatives. The FCPA Guidance makes clear that when it comes to a company’s sales-side representatives, “companies should have an understanding of the business rationale for including the third party in the transaction. Among other things, the company should understand the role of and need for the third party and ensure that the contract terms specifically describe the services to be performed.” I believe that the best person to fulfill this requirement is a business unit sponsor who not only knows what skills or services a third party can bring to your company but also why they should be used in the place of others who your organization may have a contract with or another outside third party.

But the role of a business sponsor does not end there. One of the five steps in the management of third parties is managing the relationship after the contract is signed. One of the ways to do this is through having your business sponsor be the first point of contact with a third party representative. This business sponsor can and should meet with the third party representative on a regular basis. This business sponsor might even be trained so that he or she could provide the very basics of first-line compliance training. Even at the very least, a business sponsor should be able to talk about your company’s values as reflected in your Code of Conduct, Code of Ethics or other statement of values. This business sponsor can even be trained to provide front-line audit services by spot reviewing invoices to ascertain that they meet requirements, the products or services have been delivered to your company and there are no charges that raise Red Flags. Once again your business sponsor does not have to be a subject matter expert (SME) on auditing but he or she should know your business well enough and, having written the Business Justification, understand why your company’s use of this third party is so business critical that they can at least evaluate the basics set down in an invoice.

This all drives home the need to recognize folks with potential in your organization and the ability to develop that talent. One of the keys in doing so for the CCO or compliance practitioner is to get out of the office and meet business unit employees. Hill believes that by simply getting out of the office and meeting with such employees, you can tie into the “powerful side-effect of encouraging trust between colleagues”. Hill ends his piece with the story of another English bank clerk who apparently showed some talents in other fields, the American TS Eliot, who worked at Lloyds. One bank officer said of Eliot that he “did not see why Eliot mightn’t even become Branch Manager” one day.

There is talent for a compliance function throughout your organization. But in the case of Westminster Bank and its putative spy-in-residence Eric Roberts, the bank did not even try to find out his talents.


October 29, 2014

Doing Compliance-The Book

I have consistently tried to bring a ‘Nuts and Bolts’ approach to my writing about compliance. Last year when describing some of my writing on the building blocks of a Foreign Corrupt Practices Act (FCPA) compliance program to my friend Mary Flood, she said “That’s great but what about actually doing compliance?” Fortunately for me, she did not ask how as there is no telling just how much hot water answering that question would have gotten me into! Her idea about writing a book which a compliance practitioner could use as a one-volume reference for the everyday work of anti-corruption compliance was the genesis of my most recent hardbound book, Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program. I am pleased to announce that the book is hot off the presses and now available for purchase through Compliance Week in the US and Ark Publishing in the UK.

Just as the world becomes more flat for business and commercial operations, it is also becoming so for anti-corruption and anti-bribery enforcement. Any company that does business internationally must be ready to deal with a business environment with these new realities. My book is designed to be a one-volume work which will give to you some of the basics of creating and maintaining an anti-corruption and anti-bribery compliance program which will meet any business climate you face across the globe. I have based my discussion of a best practices compliance program on what the Criminal Division of the US Department of Justice (DOJ) and Enforcement Division of the Securities and Exchange Commission (SEC) set out in their jointly produced “FCPA - A Resource Guide to the U.S. Foreign Corrupt Practices Act”, the FCPA Guidance, the “Ten Hallmarks of an Effective Compliance Program.” The FCPA Guidance wisely made clear that there is no ‘one-size-fits-all’ approach when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors.” Thus, the book is written to provide insight into the aspects of compliance programs that DOJ and SEC assess, recognizing that companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs.

This book does not discuss the underlying basis of the FCPA, the UK Bribery Act or any other anti-corruption or anti-bribery legislation. I have assumed the reader will have a modicum of knowledge of these laws. If not, there are several excellent works, which can provide that framework. The book is about doing business in compliance with these laws. As with all Americans, I appreciate any list that is deca-based, so the format of 10 hallmarks resonates with me. I have used this basic ten-part organization in laying out what I think you should consider in your anti-corruption and anti-bribery compliance program. In addition to presenting my own views in these areas, I also set out the views of both FCPA practitioners and commentators from other areas of business study and review. The book includes the following:

Chapter 1 - Where It All Begins: Commitment from Senior Management and a Clearly Articulated Policy against Corruption
It all begins at the top. What should management say and do? ‘Tone at the Top’ is a great buzz word but how does a company truly get the message of compliance down through the ranks? This chapter discusses the techniques management can use to move the message of compliance down through middle management and into the lower ranks of the company.

Chapter 2 - Some Written Controls: Code of Conduct and Compliance Policies and Procedures
The Cornerstone of your anti-bribery/anti-corruption compliance program is set out in your written standards and internal controls which consist of a Code of Conduct, Compliance Policy and implementing Procedures. This chapter discusses what should be in the written basics of your compliance program and how best to implement these controls.

Chapter 3 - For the CCO: Oversight, Autonomy, and Resources
The role and function of a Chief Compliance Officer (CCO) in any compliant organization cannot be overstated. Simply naming a CCO is no longer enough to meet even the minimum requirements of best practices. One of the key areas that the DOJ will review is how is a CCO allowed to fulfill his role. Does the position have adequate resources? Does it have autonomy and support in the corporate environment? Does the Board of Directors exercise appropriate oversight? This chapter reviews the Compliance Function, Oversight, Autonomy and Resources and relates structuring the compliance function in an organization.

Chapter 4 - The Cornerstone of Your Compliance Program: Risk Assessment
It all begins here, as a risk assessment is the road map to managing your compliance risk. The implementation of an effective compliance program is more than simply following a set of accounting rules or providing effective training. Compliance issues can touch many areas of your business and you need to know not only what your highest risks are, but where to marshal your efforts in moving forward. A risk assessment is designed to provide a big picture of your overall compliance obligations and then identify areas of high risk so that you can prioritize your resources to tackle these high-risk areas first. This chapter discusses what risks you should assess, the process for doing so and using that information going forward.

Chapter 5 - Getting Out on the Road: Training and Continuing Advice
Once you have designed and implemented your compliance program, the real work begins and you must provide training on the compliance program and continuing advice to your company thereafter. This means that another pillar of a strong compliance program is properly training company officers, employees, and third parties on relevant laws, regulations, corporate policies, and prohibited conduct. However, merely conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The expectations for effectiveness are measured by who a company trains, how the training is conducted, and how often training occurs. This chapter discusses getting the message of compliance out to your employees.

Chapter 6 - Do As I Do & As I Say: Incentives and Disciplinary Measures
Any effective compliance program will use a variety of tools to help ensure that it is followed. This means that you must employ both the carrot of incentives and the stick of disciplinary measures to further compliance. How can you burn compliance into the DNA of your company? Discipline has long been recognized as an important aspect of a compliance regime but more is now required. This chapter relates structuring compliance into the fabric of your company through hiring, promotion of personnel committed to compliance and how to reward them for doing business ethically and in compliance with the FCPA.

Chapter 7 - Your Greatest Source of FCPA Exposure: Third Parties and How to Manage the Risk
Third Parties are universally recognized as the highest risk in any compliance program. Indeed it is estimated that well over 90% of all FCPA enforcement actions involve third parties. Therefore it is important to know how to manage this highest risk for an anti-corruption program. This chapter provides a five-step process for the investigation and management of any third party relationship, from agents in the sales chain to vendors in the supply chain.

Chapter 8 - How Do I Love Thee: Confidential Reporting and Internal Investigations
In any company, your best source of information about not only the effectiveness of your compliance program but also any violations is your own employees. This means that you must design and implement a system of confidential reporting to get your employees to identify issues and then have an effective internal investigation of any issues brought to your attention. Your own employees can be your best source of information to prevent a compliance issue from becoming a FCPA violation. This chapter provides the best practices for setting up internal reporting and investigating claims of compliance violations.

Chapter 9 - How to Get Better: Improvement: Periodic Testing and Review
Once you have everything up and running you still need to not only periodically oil but also update the machinery of compliance. You do this through the step of continuous improvement, which is the use of monitoring and auditing to review and enhance your compliance regime going forward. A company should focus on whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program.

Chapter 10 - Should I or Shouldn’t I? Mergers and Acquisitions
The last thing you want to bring in through an acquisition is another company’s FCPA violation for which your company must pay the piper; also known as buying a FCPA violation. Effectively managing your mergers and acquisitions (M&A) process can help you to identify risk areas in a potential acquisition and then remediate any issues in the post-acquisition integration phase. This chapter gives you the most recent pronouncements on how to avoid FCPA exposure in this key area of corporate growth and to use the M&A function to proactively manage compliance.

Chapter 11 - A Few Words about Facilitation Payments
One of the key differences between the US FCPA and UK Bribery Act is that the US law allows facilitation payments. However, in today’s interconnected world, to allow one part of your company to make facilitation payments while UK subsidiaries or others covered by the UK Bribery Act are exempted out from your standard on facilitation payments has become an administrative nightmare. This chapter explores what is a facilitation payment, how the policing of your internal policy has become more difficult and some companies which have been investigated regarding their facilitation payments. It also provides guidelines for you to follow should your company decide to allow them going forward.

So with thanks to Mary Flood for the idea, Matt Kelly, the Editor of Compliance Week, for the publishing platform, and Helen Roche & Laura Slater and the rest of the team at Ark Publishing for getting me through the publishing process in a professional manner, I am pleased to announce that Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program is now available for purchase.

You can purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program in the US by clicking here. You can purchase a copy of Doing Compliance: How to Design, Create, and Implement an Effective Anti-Corruption Compliance Program in the UK by clicking here.


September 17, 2014

Use of Influence in the Compliance Function

One of the challenges for any Chief Compliance Officer (CCO) is how to influence the conduct and actions in a corporate environment, particularly as compliance is viewed as non-revenue generating and usually does not exist simply to protect the company, which is how the legal department is often viewed. Folks like myself who came into compliance from the legal function tend to think of a top-down approach where compliance is centralized at the corporate office, usually in the United States. But because the role is very different than that of a General Counsel (GC), a CCO needs to bring another skill set to bear to do his or her job. In a session at the SCCE 2014 Compliance and Ethics Institute, SCCE Chief Executive Officer (CEO) Roy Snell and Jenny O’Brien, CCO at United Health Care, talked about the techniques that a CCO can use to influence decision making in a company in order to do business in compliance and ethically.

Snell began the session with some basic questions about why there are positions such as a CCO and why there is a compliance function within an organization. After all, departments like legal and internal audit have existed in business organizations for up to at least a few hundred years. He posed two questions that I found interesting: “Why are we here?” and “What did those who came before us fail to do?” He listed some of the scandals from the late 90s and early 00s such as Enron, WorldCom, HealthSouth, Adelphia and others where he believed that the problems, which led to the disintegration of these organizations, were well known within the companies themselves. So the situation was not that people did not find the problems; the issue was that the people inside these organizations did not fix the problems. Snell believed that the persons who could and would have stood up to raise questions or say this should stop lacked some skill or ability to influence others to make the right decision. He concluded that such business and ethical collapses were a failure of influence.

This led into his presentation with O’Brien about techniques for a CCO to employ to help influence decision-making within an organization. They labeled them as the “Seven Steps of Influence” and they are as follows:

  1. Collaboration. O’Brien emphasized that as a CCO you need to know your company’s business. If you are new to an organization she said you must take time to learn the business. You should sit in on sales meetings and, when appropriate, you should go out on sales call. Channeling her inner Atticus Finch, she characterized this as walking in the shoes of the business leaders you are assisting. By doing so, you will not only understand the products and services that your company offers but also the challenges that your business development team will face out in the world.
  2. Here O’Brien emphasized that she has to work constantly at active listening, which is listening, thinking and then speaking, and not just jumping into the middle of a conversation. Talk to people in a manner that will address their concerns. When you do speak you should be prepared to make the case for the compliance proposition that you are trying to get across. She noted that as a CCO or compliance practitioner, you should strive to be relevant in every interaction you have with your senior management peers. O’Brien said that sometimes it means speaking up at meetings or other forums but sometimes it means listening. You should try to develop a rapport with your business team and this rapport can lead to trust building.
  3. Relationships. Snell opened his remarks on this topic by intoning that by relationships he did not mean inter-personal relationships. He believes that it is mainly through relationships with other functions in an organization that a CCO or compliance practitioner can best bring influence to bear. It all begins with building trust with others within your organization. Invest time to find others in your organization with whom you want to work and with whom you desire to build relationships. Snell believes that some of the more key relationships that a CCO or compliance practitioner can develop are with the audit function, the legal department, Human Resources, IT and corporate communications. Snell said that when one of these groups offered to help him move the ball forward in compliance he always viewed it as a positive and wanted to work with these and other corporate groups. He did not view it as a turf war at all. The only thing that he said he requested were the terms of working together. Of those, he said the most important was that if another group in the company took on some project related to compliance, such as an internal audit, that the group finish whatever they take on.
  4. Humility. O’Brien believes that humility is important because it empowers. Moreover, it can empower others to expand the circle of influence and get others in a corporation to influence an ever-expanding circle on behalf of compliance. The CCO does not need center stage. She reiterated her belief that business units should solve compliance issues, as compliance is really just another business process. Further, through such influence where you can get the business unit resources to solve a compliance problem, you will hold down the costs of the compliance function. She ended by noting that it is not about being right but about moving the compliance ball forward in the right direction.
  5. Negotiation. Here Snell said that negotiation should not be about the dichotomy of winning and losing an argument or debate. A CCO should strive to redefine what a win might look like or what a win might consist of for a business unit employee. He said that when faced with such a confrontation, he would try to determine what both sides wanted then give them something else in addition to what they thought they wanted. He provided the example of a CCO quietly listening and when the room is just right and all the participants are worn out, you, as the compliance practitioner, throw out an idea where the apparent loser in the argument receives even more than they thought they were asking for in their request. A CCO can be considered a mediator, not simply an enforcer or Dr. No from the Land of No. He ended by saying that as a compliance practitioner you need to learn the art of compromise.
  6. Triple ‘C’. What do the three C’s stand for? Calm, cool and collected. O’Brien believes that all company employees, up and down the chain, are watching the CCO. For this reason, she said that as a compliance practitioner you should be poker faced. To this end she keeps the sign “Keep Calm and Carry On” in her office. She believes that the Triple C’s are important because organizations look to the CCO to solve complex issues with simple solutions. When faced with a compliance issue or an obstacle you should endeavor to keep everything on an even keel and never let them see you sweat.
  7. Credibility. The final of the seven pillars was that the CCO role needs to be adequately scoped and that the accountabilities need to be clearly defined. Put another way, what is your job scope as the CCO and what is the function of the compliance department? What is your accountability to decide the resolution to an issue? Snell agreed with O’Brien that there should be business unit ownership for every issue that comes into the compliance department. Yet, as a CCO, you must demonstrate your value as a non-revenue function. This may require you to get out of your office and put on a PR campaign for compliance. Finally, Snell ended by saying that a CCO needs to guard their independence in job function and reporting. You must make clear that you will have independent reporting up to the Board or Audit Committee of the Board.

Snell concluded by reminding us all that influencing is not a one-time activity. It is ongoing. Tying back to his original question of why the compliance function exists in the quantum it does today, he said that he believes a CCO or compliance practitioner exists to help influence a company to build a better business environment by acting more ethically and responsibly. Moving the ball forward in this manner may well lead to a country’s economy being trusted, which could well lead to greater economic development.


September 11, 2014

King Arthur’s Roundtable – The CCO as Chief Collaboration Officer

Many commentators such as Donna Boehme and Mike Volkov often talk about what is required for the position of Chief Compliance Officer (CCO), both in terms of corporate support and skills as a leader of a company’s compliance function. But in many ways a CCO can be seen as a collaborator because so much of the job is working with and interfacing with various functions within a business. I thought about that concept when I read an article in the Corner Office section of the New York Times (NYT) entitled “Titles Don’t Matter. Teamwork Does.” by Adam Bryant where he interviewed and profiled Girish Navani, Chief Executive Officer (CEO) of eClinicalWorks, a provider of clinical information systems.

I found Navani’s leadership style focusing on collaboration to be a good model for a CCO or compliance practitioner because what the compliance function needs to bring is a partnership to help the business and other units do business in compliance with the relevant legal and regulatory scheme. In the world of anti-bribery and anti-corruption that means compliance with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act and similar laws. Navani said that his leadership style is to be as open as possible. One of the techniques that he uses is to have an oval table for meetings. No doubt channeling his inner King Arthur (or perhaps Richard Harris playing King Arthur), the configuration of the table actually seems to facilitate conversation and learning.

Another interesting insight was that Navani structures his company around teams. I thought this could be something that the compliance function could use in its dealings with business units because compliance is really a partnership with the business units and compliance spans multiple functions within any company. I also found another leadership insight from Navani’s leadership style. Navani said he continues “to learn every day. Leadership to me is many different qualities. Some are very basic. You’ve got to be approachable, humble and hard-working. Then there are ones regarding how you treat people. I listen more now. Before, I’d speak all the time. I will still do a lot of talking in meetings, but I absorb others’ opinions more. And I’m completely open to being told “no”. Questioning my own decision-making with others in the room is fine.”

I found that last point quite useful to consider. Coming out of the legal department and into compliance, I did not always take kindly to being told ‘no’ by someone from the business unit. I thought every pushback was some type of pressure test looking for weakness or tension. However, Navani’s style brings up the useful reminder that often the business function can assist compliance in learning how to perform the function more quickly or more efficiently. Certainly the business can assist the compliance function in understanding the highest risks that a company should focus on managing. In such a partnership role, compliance and the business unit can complement each other to stop wasting time on immaterial risks so that resources can be delivered to the company’s highest risks.

Navani also stressed accountability. At his company “You’ve got to be accountable to yourself first, and you’ve got to be accountable to your team.” This certainly has application to the compliance function as well. One of the battles that compliance can fight is to be ‘The Land of No’ and the CCO is the head of it, or ‘Dr. No’. However by stressing accountability and creating transparency in the compliance process, I believe that a CCO can go a long way towards ameliorating that misperception.

I also found Navani’s techniques for hiring instructive for compliance. He said, “I look for the heart first. I don’t ask for direct experience.” He expects a modicum of professional expertise but the questions he asks most often are “Do you want to win? What drives you every day? Why health care IT? Can you spend 10 years of your career here? What do you want to do in those 10 years?” Navani went on to say that if he received satisfactory responses to those queries the technical aspects of a position can be taught. But he strives to see if a candidate’s heart is in the right place.

In addition to using these questions to ferret out candidates who will not work with his company, Navani uses these questions to set both a tone and expectation. The message he sends is “We’re not going to stifle you. If you can think out of the box, you will.” Navani believes that by hiring such employees they have the opportunity to become game changers at his company. Now imagine if you could have your Human Resource function use the hiring process to ask questions around attitudes around business ethics or other compliance issues. It would have the dual effect of allowing your company to have a front line inquiry that might weed out those who might be prone to cutting corners through bribery and corruption. But equally important would be the expectation set on the high value your company has on compliance and business ethics. The message would begin pre-hire, set again during employee orientation training and continued throughout the employment tenure.

Through migrating some of these leadership techniques that Navani espoused into your compliance tool-kit, a CCO or compliance professional can help to shift a company’s conversation around compliance. You can move from simply being seen as a safety backstop to one of developing and implementing solutions. Some of the other insights that I drew from Navani include setting out your core function of compliance. A compliance function should be able to offer expertise and insight into solutions. One part of that may be delivering data and other information to the business function to help them make better economic decisions for the company. But another way might be through compliance coaching advocacy.

Navani’s leadership once again demonstrates that if your compliance function shows integrity and responsibility, it can lead to greater teamwork between departments. Many business units fear that the compliance function will take away control of the business process from them. However by demonstrating that compliance is really in partnership, this can move a long way to alleviating this concern.

And do not forget the Round Table.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

July 29, 2014

Bringing It All Home, the Two Tough Cookies Wrap It Up For You, Part II

Note-I asked the Two Tough Cookies if they could put together a series of blog posts wrapping up the lessons they have seen and learned and written about in their series of Tales from the Crypt. They graciously put together a series of posts on the seven elements of an effective compliance program from their 10 tales of Business Conduct. Today, Part II of a Three Part Series…

3. Exercise Due Diligence to Avoid Delegation of Authority to Unethical Individuals

This one is tough, especially in global organizations. In many countries, you simply cannot run a background check, as criminal records are not public. In others, you can run them, but the criminal offense must be related to the job to exclude the candidate from being hired. In yet others, you can run them, but you can’t use them due to overly strict privacy rules. Then there’s the matter of cost relating to doing all this due diligence. The best thing you can do is determine the following:

  • First, is your business subject to a potential FCPA violation? If you are not “at risk” of public corruption because you are not engaging at any level with foreign government officials, then half the battle is won. Of course, you still run the risk of commercial corruption (bribes, kick backs, etc. with trading partners), but at least the spectre of government sanctions is not looming so large over you.
  • If you are “at risk” of an FCPA violation (you have interaction with govt. officials, including customs) have you developed a robust due diligence program, based on some corruption index to determine the level of due diligence required for your staff, your trading partners?
  • Have you identified your red flags thoroughly to spot anomalies in your business that would signal a deeper view is recommended?
  • Do you have staff to conduct the due diligence, or a vendor to do it on your behalf?
  • Are background checks run on everyone, or just certain individuals, or certain risk areas?
  • Have you taken a hard look at your gift policies to determine whether or not there are glaring holes that could give rise to inappropriate influence in business dealings?
  • Have you taken cultural considerations under advisement in your gift policies? Are they more stringent, or lax, compared to the US? Are the gift policies in Russia different than the gift policies in the US, because someone convinced someone else that you just can’t get things done without greasing a palm here or there?
  • Do you have a formal committee reviewing all charitable contributions, or, are “charitable contributions” acceptable as “facilitation” to get non-discretionary government functions moving along? Does your organization allow “facilitation payments” – if so, you better take a second, third, fourth look….

The point I’d like to emphasize here is that even companies that make it on the “World’s Most Ethical Companies” list also make it to the DOJ’s investigation list for foreign corruption, or violation of embargoes, sanctions, and the like. People interpret rules when the rules change, depending on the country. People then make mistakes in favor of what makes business sense to them, in their country, in their environment. You just have to make sure you’ve done what’s reasonable to prevent those mistakes.

4. Communicate and Educate Employees on Compliance and Ethics Programs

Here’s where the tone from the top, middle and bottom are key to your culture. This is probably the most important thing you want to measure. I am fond of saying 90% of a good ethics & compliance program is communication, and 10% is actions/deeds. While deeds do speak louder than words, it’s the communications – what you say, how you say it, what you mean by it, your intent – that frames up the actions of others. So you want to measure:

  • Are the messages the same, the deeper you get into the organization? Is the understanding of the messages cascading from above the same the further down you go? Easy enough to measure with post-learning survey tools. Give all top, middle, and lower management the same “meeting in a box” and see if the understanding after delivery is the same. Reminds me of that campfire game, where the story starts at one end of the circle, and is completely different by the time the last person hears the tale. Your objective, of course, is to ensure that every person in the corporate audience hears the same message, and has the same take-aways, no matter who is telling the tale.
  • What kind of audience do you have? Does everyone have access to a computer, or do you have the challenge of manufacturing workers, with multiple languages and facilities to manage, and no technical means of reaching them? Have you done what’s necessary to ensure your training and communications mechanisms address every type of audience, or are pockets left out of the mix?
  • What learning aids do you have to help with understanding the code of conduct? Are the examples you use for harassment appropriate for your audience? Do you have a team of global reviewers who will not only preview your training, but offer suggestions on how to localize it to make it appropriate, meaningful and relevant to the teams they serve? If so, do they look at all communications pieces, or only certain ones? If only certain ones, which ones? And why?
  • Are there any leaders who go above and beyond when you launch your annual or quarterly training? I had an Asian business President who made sure he took the course the first day it was launched, and then sent a message to his leadership team about what he learned from the course, and what he wanted them to take away to their teams after they took the course. All of his team had the course done within the first month. I wanted to clone the guy, I swear!

I’m also reminded of mandatory harassment training I gave in Brazil one year. I relied upon the canned on-line training to help with my meeting amongst management, who all spoke English well. I was planning on asking them to cascade the messages to their teams while I was there, but they pointed out that the training was a farce. Women, they told me, wanted wolf calls lobbed in their direction in Brazil – it was not only culturally acceptable, but encouraged. This was substantiated by the several women in the room. Check. Fortunately, I had other examples at the ready to use for a facilitated session, which I vetted with the women on the team prior to delivery. Lesson learned? Make sure your ethics & compliance steering committee has global membership, and are willing to preview your training and communications prior to launch to ensure cultural relevance. If you don’t do this, your ethics & compliance program will be perceived as a joke. Not a desirable outcome, I would say….

5. Monitor and Audit Compliance and Ethics Programs for Effectiveness

So, how do you measure a non-event? I often ponder…. The challenge in highly ethical organizations is that you have, at first blush, very little to measure. If everyone’s doing a good job, how do you measure effectiveness? Is it because you have a great program that you have absolutely no calls on the hotline? Or is the reason for no calls to the hotline that everyone is trembling in fear of retaliation? Hmmm.

Some of the things you can measure include

  • Indicators and ‘yardsticks’ – do you crawl, walk, or run to goals?
  • Do you seek periodic stakeholder feedback (including E&C council input)?
  • What kind of documentation do you collect – trend analyses of HelpLine metrics, feedback on program enhancements as they are implemented, feedback on training and communications?
  • Do you routinely conduct a “Lessons Learned” exercise after substantiated hotline calls?
  • Does your HR team engage in site assessments when a location, facility, or team seems to have a lot of issues that arise from a single manager or set of team leaders?
  • How often are your Code, policies, procedures updated and reviewed? Are they tested for readability and understanding? Are they just published, or is training introduced for new policies as they are issued?
  • Do you conduct risk assessments and/or change training or communications based on perceived risk areas?

6. Ensure Consistent Enforcement and Discipline of Violations

Does your organization allow for mistakes? Many will say they do, but when the rubber meets the road, you will find that they can be unforgiving for some transgressions, and unbelievably forgiving for others…. You will want to measure

  • Whether or not there appears to be wiggle room when folks stray. Deeds in this aspect do speak louder than words.
  • Are roles and responsibilities clearly defined, with escalation clauses when things go wrong?
  • Does your organization communicate when things go wrong as well as when things go right? I know one organization that struggled mightily when I suggested we let everyone know what actions we took for certain code violations. The attorneys were all worried that someone would sue, of course, but in the end, integrity prevailed. We were able to sanitize the situations in such a way to communicate what had been done, and what discipline was taken, without anyone learning personal details. Importantly, it drew a virtual line in the sand by publicizing transgression and discipline, so that people knew boundaries. Of course, this was after years of me observing that discipline seemed to be discretionary within the organization, and as a result, trust in management “doing right” was eroding significantly. It didn’t hurt that my observations were followed by multiple hotline calls saying the same thing… but it should never get to that point, should it?

Also measure whether or not policies and communications:

  • Encourage reporting
  • Identify resources to raise concerns
  • Prohibit retaliation for good faith concerns
  • Identify management as the primary resource for issues or concerns
  • The average timeline to resolve complaints
  • Whether or not you benchmark reports that express fear of retaliation or unwillingness to consult with management first. This is tough to do, unless you build it in to your hotline reporting mechanism as a “customer service” function at the end of every call or report, actively soliciting this very feedback when a report is made.

7. Respond Appropriately to Incidents and Take Steps to Prevent Future Incidents

So, you are at the point where you have confidence you have the right policies and procedures in place to keep yourselves honest. But in case someone didn’t get the memo of “expected behavior” you have to make sure you respond appropriately, and take steps to avoid future missteps. One organization I worked at realized the culture of an acquired subsidiary was so awful that it opted to sell it off rather than try to fix it. They had other issues in the larger organization, but they knew a bad deal when they saw it, and took steps to rid themselves of an untenable position. Another organization I worked at kept throwing money at a subsidiary, when it probably would have been better to toss in the towel. Different organization, different results, neither perfect, but it fit them as they saw things.

When gauging the culture of your organization, some things you want to look at are the rewards and sanctions for behavior:

Positive rewards:

  • Retention of employment
  • Recognition
  • Appreciation
  • Commendation
  • Monetary or stock reward

Negative sanctions:

  • Termination or Suspension
  • Demotion
  • Probation
  • Appraisal comments/warnings
  • Reduction in compensation or bonus

You also want to measure your Performance Appraisal Systems, and look to see whether or not they include sections on:

  • Demonstrated Ethics and values in workplace conduct
  • Good communication skills
  • Building trust with stakeholders
  • Being fair or equitable
  • Maintaining a high level of quality or integrity in decision-making
  • Reporting Concerns
  • Empowering subordinates to report concerns
  • Training and development initiatives for the team

Tomorrow the Two Tough Cookies sum it all up…

This publication contains general information only and is based on the experiences and research of the authors. The authors are not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The authors, their affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Authors give their permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the authors.

 

June 9, 2014

Why the Compliance Function is Different Than the Legal Function

I have long been proud of my profession. I would often tell students that they were about to join a profession which extended as far back as Demosthenes, who practiced his closing orations against crashing sea waves so that the full Greek demos might hear him when he closed a trial. Further, while thoughts of Atticus Finch are never far from a Southern lawyer’s mind, if not aspirations to emulate him, today we celebrate a real life lawyer who did the profession proud. It was on this day, 60 years ago in 1954 that Joseph Welch, then Special Counsel to the US Army, unmasked Senator Joseph McCarthy for what he and his hearings into communism were. In response to McCarthy’s charge, that Frederick G. Fisher a young associate in Welch’s law firm had been a long-time member of an organization that was a “legal arm of the Communist Party,” Welch responded, “Until this moment, Senator, I think I never really gauged your cruelty or your recklessness.” Welch then uttered these immortal lines, “Have you no sense of decency, sir, at long last?” The audience applauded Welch’s stinging comeback. The hearings closed one week later. The US Senate officially condemned McCarthy for contempt against his colleagues later that year.

Unfortunately the legal profession took one in the eye last week when General Motors (GM) released its internal investigation into the company’s failure to recall millions of defective small cars, and found no evidence of a cover-up. As reported by Bill Vlasic in a New York Times (NYT) article entitled “G.M. Lawyers Hid Fatal Flaw, From Critics and One Another”, the GM law department did not come out of this matter looking too well. Vlasic said that “interviews with victims, their lawyers and current and former G.M. employees, as well as evidence in the report itself, paint a more complete picture: The automaker’s legal department took actions that obscured the deadly flaw, both inside and outside the company.”

While GM’s General Counsel (GC), Michael Millikin, survived dismissal in the aftermath of the internal investigation, he certainly did not come out as a GC who was particularly engaged with what was going on in his own department. Vlasic reported, “At least three senior lawyers are among the employees who lost their jobs as a result of the investigation conducted by the former United States attorney Anton R. Valukas… One of the lawyers dismissed this week was William Kemp, who had been orchestrating G.M.’s legal strategy and in-house investigations of the defective ignition switch for more than two years before the recall. Yet it was not until early February, days after a high-level committee finally ordered the switch recall, that Mr. Kemp informed Mr. Millikin of the deadly consequences of the flawed part. G.M. has linked 13 deaths and 54 crashes to the defect.” Two other lawyers reported to have been dismissed, as a result of the internal investigation, were Lawrence Buonomo, head of product litigation, and Jennifer Sevigny.

Equally damning was the internal investigation’s report on safety meetings relating to the ignition switch failure: “Mr. Valukas said employees he interviewed told him they had refrained from taking notes in safety meetings ‘because they believed G.M. lawyers did not want notes taken.’” Beyond this ban on note taking, Vlasic said “The secrecy factor extended to how some employees kept or discarded old emails. According to two former G.M. officials, company lawyers conducted annual audits of some employees’ emails that could be used as evidence in lawsuits against the company.” While GM euphemistically called this email deleting program “information life-cycle management,” when the purpose is to remove evidence that could be used against the company in lawsuits, it once again shines a very bad light on my legal profession brethren.

This sordid tale of the complicity of the GM legal department is all part of what GM Chief Executive Officer (CEO) Mary Barra “denounced as a “pattern of incompetence and neglect” at the company that allowed a defective part to exist in its vehicles for more than 10 years.” But more than simply causing the corpse of Atticus Finch to spin over in his fictional grave, the GM legal department’s role in the company’s debacle points to something that Donna Boehme and Mike Volkov have been articulating and writing about for some time. It is not simply that the Chief Compliance Officer (CCO) needs to be out from under the roof of the GC’s office; it is that the compliance function is different than the legal function.

When I initially went in-house, it was made clear to me that the role of the in-house department in the company I worked for was to protect the company. When I became a GC, I took that role to heart and felt like I was the company’s lawyer (even if the CEO felt like I was his lawyer). But as Boehme points out in her article in the June 2014 issue of the SCCE Magazine, entitled “Toldya. (Reason #119 why Compliance is not a subset of Legal),” there are distinct differences in approaches to doing compliance from practicing law. She said, “one thing is clear – the two functions have very different mindsets, mandates and priorities.” She notes that the legal department mandate is to “advise and protect the company.” However, Boehme believes that the compliance mandate is much broader. She writes, “Compliance, on the other hand, is tasked with detecting and preventing misconduct.” The compliance mandate includes constant vigilance on the integrity of the compliance program, protecting internal whistleblowers (in part to demonstrate to others that it is safe to come forward), and supporting a culture of accountability, especially at levels of management.

I might say that a corporate legal department’s role has traditionally been seen to protect the company from problems, while the role of the compliance function is to remedy problems. Here you can think of McNulty’s Maxim No. 3 – What did you do to fix it when you found out about it? But Boehme takes it a step further by noting, “A well-run compliance program requires hundreds of judgments, big and small, to be made on a weekly basis. The company with the political will to elevate their chief compliance officer to a “separate but equal” status in the C-suite will benefit from those judgments being made with an independent compliance mindset, and not “Always Legal but Occasionally Compliance” prism.”

I often repeat the legal truism that bad facts make bad law. Make no mistake about it; the GM ignition switch imbroglio is very bad. But the GM legal department’s role in the company’s ongoing scandal clearly points out the difference between the roles of legal and compliance. I am sure that the GM lawyers involved, and those who were terminated, thought their job was to defend the company at all costs. But I have never met a CCO who felt that way. They believe that their job is to prevent, detect and remedy any compliance issues that arise. You cannot do that if you are instructing others not to take notes in relevant meetings, deleting potentially incriminating emails and hiding from your boss that there is a real problem out there that must be dealt with.

For the rest of you out there who are lawyers and reading this, remember Joseph Welch today as a far better example of our historical brethren.

© Thomas R. Fox, 2014
