FCPA Compliance and Ethics Blog

July 7, 2015

The Sioux at Little Bighorn and Using Risk Going Forward

I recently wrote about the stupidity of General Custer and the defeat of his cavalry at Little Bighorn as a lead-in for the failure to adequately assess and then manage risks in a Foreign Corrupt Practices Act (FCPA) compliance program. I received the following comment from a reader:

As a military history buff, I note that your comments on risk assessment reflect a very limited view of the battle. The Sioux made superb use of reconnaissance, fire and maneuver. The cavalry’s underestimation of the military skills of their Indian enemies was immediately assessed and dealt with aplomb and considerable skill. The great lesson to be learned from the Battle of the Little Big Horn is that there is great opportunity in exploiting the tactical stupidity of the overconfident. Reminds me of Napoleon and Prince Alexander at the Pratzen Heights of Austerlitz.

This comment made an excellent point that risk assessment and risk management are not simply to be viewed as negatives or a drag on business. These concepts are also valid in aiding companies to do business by exploitation of strategic risk. This point was driven home most clearly in the recent book by well-known risk management guru Norman Marks, entitled World-Class Risk Management. 

Marks’ thesis on this issue is that “It is essential that management take enough risk! If they take no risk, the organization will fail. So risk management is about taking the right risks for the organization at the desired levels, balancing the opportunities on the upside and the potential for harm on the downside” [emphasis in original]. I once heard former Chairman of Citigroup, John Reed, say the reason a car has brakes is not to make it safer but so that you can drive faster. It is the same concept. FCPA compliance programs are often viewed as brakes on doing business. At best they slow things down and at worst the Chief Compliance Officer (CCO) is Dr. No from the Land of No.

However, as Marks points out in his chapter entitled “What is Risk and Why is Risk Management Important?”, it is a serious flaw to only see risk as a negative and indeed to limit risk management to the negative. He wrote, “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and thereby, creating and preserving value.” He goes on to explain that a company should “understand the uncertainty between where we are and where we want to go so that we can take the right risks and optimize outcomes”.

An organization should determine these outcomes by establishing its risk appetite. Here Marks commented on the definition found in the COSO 2013 Framework for risk appetite by saying it is “the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.” As pointed out by the comment to my blog post on risk assessment and risk management, I focused on risks that were not properly assessed and not properly managed, leading to catastrophic results. But the comment pointed out that, when properly used, a risk assessment can lead to better management of risk and allow a company to take greater risk because it can manage the scenario more effectively. Marks stated this concept as “think of risk as a range: the low end is the minimum level of risk you are willing to take because you have the ability to accept risk, and recognize that taking the risk is essential to achieving your objective. The high end is the maximum level of risk you can afford to take.”

In the FCPA context, I think this is most clearly seen in the area of third party risk management. There are five steps to the lifecycle of third party management: (1) business justification; (2) questionnaire; (3) due diligence and its evaluation; (4) contract with compliance terms and conditions; and (5) post-contract management. If circumstances are such that you cannot fully perform all five steps to your satisfaction, this puts pressure on the remaining steps. In other words, while your risk may go up if one step cannot be fully performed, it may well be that the additional risk can be mediated in another step.

The robustness of your third party risk management program can give you the ability to move forward and use third parties for a business advantage. Say you want to hire a royal family member from a certain foreign country as a third party representative. While at first blush this might seem to be prohibited under the FCPA, there are two Opinion Releases that hold that the mere hiring of a royal family member does not violate the FCPA. In Opinion Release 10-03 the Department of Justice (DOJ) reviewed the following factors in determining whether a royal family member is a foreign governmental official: “(i) how much control or influence the individual has over the levers of governmental power, execution, administration, finances, and the like; (ii) whether a foreign government characterizes an individual or entity as having governmental power; and (iii) whether and under what circumstances an individual (or entity) may act on behalf of, or bind, a government.”

Then in Opinion Release 12-01, the DOJ went further and added a duties test to what was believed to be a status test only. After initially noting that “A person’s mere membership in the royal family of the Foreign Country, by itself, does not automatically qualify that person as a ‘foreign official’”, the DOJ goes on to reiterate its long-held position that each question must turn on a “fact-intensive, case-by-case analysis” for resolution. The DOJ follows with a list of factors that should be considered. They include:

  1. The structure and distribution of power within a country’s government;
  2. A royal family’s current and historical legal status and powers;
  3. The individual’s position within the royal family; an individual’s present and past positions within the government;
  4. The mechanisms by which an individual could come to hold a position with governmental authority or responsibilities (such as, for example, royal succession);
  5. The likelihood that an individual would come to hold such a position;
  6. An individual’s ability, directly or indirectly, to affect governmental decision-making; and the (ubiquitous)
  7. Numerous other factors.

Additionally, the DOJ recognized some of the risk management techniques that had been put into place by the company requesting the Opinion. These risk management techniques were having a robust anti-corruption compliance program and requiring one from the third party that had employed the royal family member. There was full transparency by the US Company in hiring the royal family member. The compensation was disclosed, was within a reasonable range and was appropriate for the services delivered to the company, and the contract between the parties had appropriate FCPA compliance terms and conditions.

I had initially thought that the import of Opinion Release 12-01 was creative lawyering to create a new test around the hiring of royal family members and foreign government officials. However, re-reading it in light of the comment to my earlier blog post and of Marks’ book, it can also be seen as an example of how using risk management can be a positive for a business going forward. I would posit to CCOs or compliance practitioners that there may be ways to do business in compliance with the FCPA if you think of your FCPA compliance program as a way to better manage risk to do business, rather than simply saying something will violate your compliance program without thinking through how such a compliance risk could be managed effectively.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 14, 2014

The Ides of March and Evaluation of Compliance Risk

Tomorrow, March 15, is enshrined as one of the most famous days of all time, the “Ides of March”. On this day in 44 BC, the “Dictator for Life” Julius Caesar was assassinated by a group of Roman noblemen who did not want Caesar alone to hold power in the Roman Empire. It was, however, this event which sealed the doom of the Roman Republic, as his adopted son Octavian first defeated the Republic’s supporters and then his rival Dictator Mark Antony and became the first Emperor of the new Roman Empire, taking the name Augustus.

One of the more interesting questions in any anti-corruption compliance regime is to what extent your policies and procedures might apply in your dealings with customers. Clearly customers are third parties and in the sales chain but most compliance programs do not focus their efforts on customers. However, some businesses only want to engage with reputable and ethical counter-parties so some companies do put such an analysis into their compliance decision calculus.

However, companies in the US, UK and other countries who do not consider the corruption risk with a customer may need to rethink their position after the recent announcements made by Citigroup Inc. regarding its Mexico operations.

In an article in the New York Times (NYT), entitled “Fraud Exposes Challenges for Citi in Mexico”, reporters Michael Corkery and Jessica Silver-Greenberg wrote about the troubles which have befallen “the bank’s “crown jewel” – a sprawling retail lender called Banamex.” Citigroup recognized there was risk in Banamex, even having what the reporters said was a “little black book”, which one unnamed top executive called the “book of redlined clients” and which was also described as “an informal tally of Mexican companies” that could imperil the company’s Mexican operations. The bank has come to grief with its involvement in a $400MM fraud. As the article put it, the fraud “that was discovered last month highlights the limitations of that kind of culling, and more broadly points to the challenges of finding solid lending clients in a country where the line between big business and political cronyism can become blurred.”

While Citigroup blamed this problem on “bad luck and bad actors”, the article revealed a more complicated picture. The picture was one where “the bank had been placing large bets on a few risky corporate borrowers”. The $400MM loss involved an oil services company, Oceanografía SA de CV. But the bank also sustained other losses on loans made to building contractors; after a Mexican government policy shift “effectively killed the developers’ suburban projects”, they were not able to repay the loans.

Moreover, with regard to Oceanografía, the bank itself recognized the inherent danger of doing business with the entity. The article noted that Banamex had extended $585MM in short-term credit to a company that Citigroup itself had warned its own bond investors was “from time to time subject to various accusations, including accusations of corrupt practices.” Oceanografía is a company that provided construction, maintenance and vessel-chartering services to Pemex’s exploration and production subsidiary. As the article noted, “Oceanografía’s fortunes, however, changed sharply last month after it became the subject of a new government review that resulted in a suspension of government contracts to Oceanografía for the next 20 months. Banamex had advanced as much $585 million to Oceanografía through an accounts receivable program. The program was supposed to work like this: Banamex would advance money to Oceanografía to provide services to Pemex. The oil giant would then pay back Banamex, verifying invoices provided by Oceanografía to confirm that the work had been completed. In theory, Banamex was relying on Pemex’s ability to pay back the bank.”

Unfortunately for Banamex, much like the developers “which relied on government subsidies to finance their suburban developments, Oceanografía’s business relied on government contracts from Pemex. But when those ties were cut, the problems quickly surfaced. Shortly after the suspension of government contracts to the oil services company, Citigroup said it discovered the fraud at its Mexican unit, involving Oceanografía.”

These losses were coupled with the semi-autonomous relationship that Banamex had with its parent, Citigroup. The article stated, “the bank he [Mr. Medina-Mora] built has been considered something of a “black box” — a highly profitable but not especially transparent unit that was run with great autonomy by its leader, according to current and former bank executives. Sometimes, though, that autonomy rankled other executives in New York, the people said.” Citigroup denied that Banamex was semi-autonomous and in a statement in the article said, “We dispute assertions that the management team is autonomous.” Further, “While Banamex is a subsidiary of Citigroup, it is absolutely subject to the same risk, control, anti-money laundering and technology standards and oversight which are required throughout the company.”

For the compliance practitioner there are several lessons to be garnered from Citigroup’s reported problems and Julius Caesar’s demise on the Ides of March. In Caesar’s case, he wholly ignored the resentment that had been welling up in the Roman aristocracy for his high-handed action in becoming a Dictator. Even on the day in question, he dismissed his personal guard detail as he was going to the Roman Senate and finally, although he allegedly was handed a written communication warning him of his impending doom, he never took the time to read it. In other words, not only did he miss the red flags, he ignored specific warning signs and reduced his risk management capabilities by dismissing his security detail.

Similarly, as reported by the NYT, Citigroup would seem to have missed the warning signs about Oceanografía and, if the NYT article is correct, might have actually internally ignored red flags while broadcasting them to bond-holding investors. Lastly, whether the Banamex unit was semi-autonomous, as alleged in the article, or not, as claimed by Citigroup’s statement, the point is that there must always be oversight. More than simply a ‘second set of eyes’, there should be internal controls which can be reviewed and vetted.

Finally, as noted in the article, the loans in question involved businesses that relied on government contracts, payments or some other form of support. While that may be of some comfort in developing countries, it can also be a source of risk. It also points to another analysis, which is not always considered, that being if a proposition is high reward, it is probably because it is also high risk in some area. While many companies can evaluate high financial risk and hope for attendant high financial reward, they also need to consider how a high corruption risk might factor into their analysis.

© Thomas R. Fox, 2014