FCPA Compliance and Ethics Blog

April 27, 2015

King Arthur Week, King Arthur and Leadership – Part I

King ArthurI have been studying the legend of King Arthur and thought it would be good idea to have a week of blog posts around the legend of King Arthur, the Roundtable and his knights. Today I begin with King Arthur and some leadership lessons that might apply to a Chief Compliance Officer (CCO), compliance practitioner or others who might be responsible for an anti-corruption compliance program based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or similar anti-bribery law.

According to the legends, King Arthur achieved quite a bit in one lifetime. He, established a kingdom, ruled his castle, Camelot and brought peace and order to the land based on law, justice, and morality. He founded an order known as the Knights of the Round Table where in all knights are seated as equals around the table, symbolizing equality, unity, and oneness. Nicole Lastimado, in a blog post entitled “Characteristics of a Good Leader :), identified five characteristics that she believed made Arthur a good leader.

Adapting Lastimado King Arthur was (1) Honest, in that he displayed sincerity, integrity, and candor in his actions. (2) Intelligent, because he read and studied. (3) Courageous, because he had the perseverance to accomplish a goal, regardless of the seemingly insurmountable obstacles. (4) Imaginative because he adapted by making timely and appropriate changes in his thinking, plans, and methods. Finally, (5) Inspiring, because through demonstrating confidence, he inspired his knights and those in his Kingdom to reach for new heights. I would add as a separate category that Arthur led from the front.

I thought about those qualities when I read a couple of recent articles in the Houston Chronicle. The first was by the Chronicle Business Columnist, L. M. Sixel, entitled “Leaders possess the keys to safety”, and the second was an Op-Ed entitled “Trust Shaken”. Both articles discussed corporate issues that have led to catastrophic injuries or even deaths and more importantly how the entities involved reacted. The first article discussed safety at the workplace and the second health issues in the processing of food products.

In her article Sixel, wrote, “A company truly interesting in making sure its workers are safe has to come up with ways to make it easy and risk-free to bring up potential safety problems.” Moreover, the corporate attitude which fosters this “starts with leadership.” She cited to Frank Reiner, the president of the Chlorine Institute, who recently said in a speech to the group’s annual conference in Houston “You have to eliminate the fear.” Additionally, “Once the cause is identified, similar accidents can be prevented, he said. The message that people are free to come forward to talk about what went wrong and why has to come from the top down. Identifying problems not only is everyone’s responsibility but also a companywide expectation.”

Equally important is for a company to learn from its mistakes. Obviously there should be a root cause analysis after a disaster. At the same conference, the Keynote Speaker, John E. Michel, a retired U.S. Air Force brigadier general and author of The Art of Positive Leadership: Becoming a Person Worth Following, said “After a disaster, there is a big investigation to find out why it happened and fix the problem before it can happen again. Sometimes, whole fleets are grounded after an airline crash.” However Michel noted that it is important to keep learning even if there is no disaster. Michel “likes to pay attention to “near misses” and learn from the times things could have gone horribly wrong but didn’t” and that “There are debriefing sessions even when things go well on a flight mission and there are always tweaks to be made.”

Another speaker at the conference Mark Briggs, area director of the Houston South office for OSHA, noted it was important for employees to feel their suggestions and comments around safety are considered by management, saying “You have to show you care and that’s its not just a one-month project.” If management shows that it takes employee recommendations around safety seriously, it will help employees down the chain feel more secure about bringing them to management’s attention.

The Chronicle Op-Ed piece focused on one of the most beloved institutions in the great state of Texas – Blue Bell Ice Cream. Unfortunately for Blue Bell, in March there were five cases of listeria in Kansas, linked to a Blue Bell plant. Three of those persons died, “although a Kansas health official stated that the listeriosis was not the cause of death.” The Chronicle piece noted that after that initial discovery, “multiple strains of listeria have been found in its Brenham and Oklahoma plants, almost 500 miles apart, according to the CDC [Center for Disease Control and Prevention]. Possible explanations include lax safety standards, extremely bad luck striking twice or some undisclosed manufacturing issue.”

A The Texas Tribune article by Terri Langford, entitled “State Health Tests Prodded Blue Bell Recall, said, “The crisis for Blue Bell began on March 13, when Kansas officials determined that Listeria-tainted portions of the company’s ice cream made it into products served to five hospital patients between January 2014 and January 2015. Of the five who became ill, three died. By March 24, Kansas officials traced the source of the listeria to Blue Bell’s plant in Broken Arrow, Okla., built by the Texas company in 1992. On April 3, the Centers for Disease Control had traced Blue Bell’s Listeria strain to six other patients going back to 2010. Four had been hospitalized in Texas for unrelated problems when they became sick from listeria. Five days later, on April 8, the CDC had identified two clusters of Blue Bell listeria victims. The strains were traced to the plants in Oklahoma and Texas.”

Yet it was not until Blue Bell was notified by a representative from the Texas Department of State Health Services, that “lab tests on two Blue Bell ice cream flavors — Mint Chocolate Chip and Chocolate Chip Cookie Dough — came back “presumptive positive” for the deadly bacteria Listeria monocytogenes” that the company announced it was pulling product from its shelves for testing.

What are the lessons from for the CCO or compliance practitioner? You should channel your inner King Arthur and lead. You have to lead management to understand that one of the best sources of information on your own business is your employees. There is a reason the FCPA Guidance lists internal reporting as one of the Ten Hallmarks of an Effective Compliance Program. You must give employees a way to report misconduct and then you must use that information to investigate and communicate to employees going forward. If there are lessons to be learned use those lessons for in-house compliance training. If a true catastrophe or disaster befalls the company, do not wait to remediate. Do so as soon as is practicable, not when the government calls.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 15, 2015

Five Step Process for Transaction and Continuous Controls Monitoring

Five Step ProcessMost Chief Compliance Officers (CCOs) and compliance practitioners understand the need for transaction monitoring. Whether it be as a part of your overall monitoring of third parties, employees, or to test the overall effectiveness of internal controls and compliance, transaction monitoring is clearly a part of a best practices compliance program. Further, while most compliance practitioners are aware of the tools which can be applied to transaction monitoring, they may not be as aware of how to actually engage in the process. Put another way, how do you develop a methodology for building a transactional monitoring process that yields sustainable, repeatable results?

I recently put that question to one of the leaders in the field, Joe Oringel, co-founder and principal at Visual Risk IQ. He explained to me that their firm has dissected data analytics and transaction monitoring into a five-step process they call QuickStart, which facilitates applying the process iteratively across a two to four month time frame. These iterations allow for, and reinforce the methodology’s repeated and practical application and reapplication. The five steps are (1) Brainstorm, (2) Acquire and Map Data, (3) Write Queries, (4) Analyze and Report, and (5) Refine and Sustain.

Brainstorm

Under this step, the transactional monitoring specialist, subject matter expert (SME), such as one on the Foreign Corrupt Practices Act (FCPA) or other anti-corruption law, and the compliance team members sit down and go through a multi-item list to better understand the objectives and set the process going forward. The brainstorming session will include planning the monitoring objectives and understanding the data sources available to the team. Understanding relationships between the monitoring objectives and data sources is essential to the monitoring process. During brainstorming, the company’s risk profile and its existing internal controls should be reviewed and discussed. Finally, there should be a selection of the transaction monitoring queries and a prioritization thereon. This initial meeting should include company representatives from a variety of disciplines including compliance, audit, IT, legal and finance departments, sales and business development may also need to be considered for this initial brainstorming session.

While the rest of the steps may seem self-evident in any transaction monitoring process, it is the brainstorming step which sets the Visual Risk IQ approach apart. This is because business knowledge is critical to sustaining and improving the transaction monitoring process. And because the process is iterative, periodic meetings to further understand the business pulse allow the most useful data to be monitored through the system. 

Acquire and Map Data

The second step is to obtain the data. There may be a need to discuss security considerations, whether or how to redact or mask sensitive data, and ensure files are viewable only by team members with a “need to know”. Balancing, which consists of comparing the number of records, checksums, and controls totals between the source file (as computed by the file export) and then re-calculated number of records, checksums, and control totals (as computed by a file import utility). Balancing is performed to make sure that no records are dropped or somehow altered, and that the files have integrity. Somewhat related is making sure that the version of the files used is the “right” one. For example if you are required to obtain year-end data year-end close could be weeks after the closing entries have been actually recorded, depending on the departments engaged in the year end processes.

Types of systems of record could include Enterprise Resource Planning (ERP) data from multiple transaction processing systems, including statistics on numbers and locations of vendors, brokers and agents. You may also want to consider watch lists from organizations such as the Office of Foreign Asset Control (OFAC), the Transparency International – Corruption Perceptions Index (TI-CPI), lists of Politically Exposed Persons (PEPs) or other public data source information. Some of the data sources include information from your vendor master file, general ledger journals, payment data from accounts payable, P-cards or your travel and entertainment system(s). You should also consider sales data and contract awards, as correlation between spending and sales as these may be significant. Finally, do not forget external data sources such as your third party transactional data. All data should initially be secured and then transmitted to the transaction monitoring tool. Of course you need to take care that your transaction monitoring tool understands and properly maps this data in the form that is submitted.

Write Queries

This is where the FCPA SME brings expertise and competence to assist in designing the specific queries to include in the transaction monitoring process. It could be that you wish to focus on the billing of your third parties; your employee spends on gifts, travel and entertainment or even petty cash outlays. From the initial results that you receive back you can then refine your queries and filter your criteria going forward. Some of the queries could include the following:

  • Business courtesies to foreign officials;
  • Payments to brokers or consultants;
  • Payments to service intermediaries;
  • Payments to vendors in high risk markets;
  • Round dollar disbursements;
  • Political contributions or charitable donations; and
  • Facilitation payments.

Analyze and Report

In this process step, you are now ready to begin substantive review and any needed research of potential exceptions and reporting results. Evaluating the number of potential exceptions and modifying queries to yield a meaningful yet manageable number of potential exceptions going forward is critical to long-term success. You should prioritize your initial results by size, age and source of potential exception. Next you should perform a root cause analysis of what you might have uncovered. Finally at this step you can prioritize the data for further review through a forensic review. An example might be if you look at duplicate payments or vendor to employee conflicts. Through such an analysis you determine if there were incomplete vendor records, whether duplicate payments were made and were such payments within your contracts terms and conditions.

Refine and Sustain

This is the all-important remediation step. You should use your root cause analysis and any audit information to recalibrate your compliance regime as required. At this step you should also apply the lessons you have learned for your next steps going forward. You should refine, through addition or deletion of your input files, thresholds for specific queries, or other query refinements. For example, if you have set your dollar limits so low that too many potential exceptions resulted for a thoughtful review, you might raise your dollar threshold for monitoring. Conversely if your selected amount was so low that it did not generate sufficient transactions, you could lower your parameter limits. Finally, you can use this step to determine the frequency of your ongoing monitoring.

Oringel concluded by emphasizing the iterative nature of this process. If you can establish your extraction and mapping rules, using common data models within your organization, you can use them to generate risk and performance checks going forward. Finally, through thoughtful use of transaction monitoring parameters, you can create metrics that you can internally benchmark your compliance regime against over time to show any regulators who might come knocking.

For further information on this process, contact Joe Oringel at Joe.Oringel@VisualRiskIQ.com

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 13, 2015

Brazilian Corruption Scandal Expands Past Petrobras – Is a FCPA Country Sweep Next?

BroomThe Brazilian corruption scandal took a new turn last week, when the Brazilian government announced that it was investigating the country’s health ministry and the state-owned bank Caixa Econômica Federal (Caixa). As reported by Rogerio Jelmayer and Luciana Magalhaes in the Wall Street Journal (WSJ), in an article entitled “Corruption Scandal in Brazil Gets Bigger”, the schemes were similar to those used in the Petrobras scandal, where inflated contracts were awarded to contractors who kick backed the overcharges to those in position to award the business.

This expansion of Brazilian government investigation is also the first reported instance of companies outside the energy sector or those doing business with the Brazilian state-owed enterprise Petrobras being investigated by the Brazilian government. Over the years there have been several Foreign Corrupt Practices Act (FCPA) enforcement actions regarding US companies doing business in Brazil. With this expansion of the Petrobras corruption scandal to other government departments and state-owned entities, a new chapter may be opening. This new chapter may bring not only Brazilian domestic bribery and corruption scrutiny but also draw the attention of US or UK regulators, such as the Department of Justice (DOJ), Securities and Exchange Commission (SEC) or the UK Serious Fraud Office (SFO).

In the health ministry the area of contracts under investigation were those for advertising. The WSJ article said, “the cost of advertising contracts was inflated by as much as 10%, prosecutors said, with the surplus also passed along to politicians. The health ministry said all its advertising contracts meet the legal requirements, and it will investigate the allegations and cooperate with police and prosecutors.” It certainly is comforting when the government says it will cooperate with investigators.

But perhaps more interesting was the timing of the allegations against the country’s third largest state-owned bank Caixa. While the allegations around the scope and extent of the bribery were similar to those made against the Brazilian health ministry, the declarations of these new investigations coincided with the announcement last week by the government Finance Minister Joaquim Levy and Caixa Chief Executive Officer (CEO) Miriam Belchior for “an initial public offering [IPO] in the insurance joint venture it has with French insurer CNP Assurances.”

What do you think the comfort level will be for institutional investors about now in this IPO? I wonder if under IPO rules and regulations in Brazil, whether the CEO must certify either the financial statement as accurate or that there is no evidence of corruption in the organization? Even those in Brazil recognize the gravity of these allegations against Caixa. Luis Santacreu, a banking analyst at the Brazilian rating agency Austin Ratings, said that he thought this announcement would make the IPO more difficult and “the allegations against Caixa show it needs to improve its governance.”

These two developments demonstrate the difficulties that international companies may have in doing business in Brazil going forward. It is not difficult to believe that a country sweep on those doing business in Brazil, with the Brazilian government or with Brazilian state-owned enterprises, may well be coming. Given the recent 2014 World Cup and the upcoming 2016 Olympics, it would not seem too great a stretch for the DOJ or SEC to begin to look at US companies with significant amounts of commerce with and in Brazil.

While we have not seen evidence of country sweeps to-date, there has been evidence of industry sweeps in FCPA enforcement. The FCPA Professor, in a blog post entitled “Industry Sweeps”, posted an article from FCPA Dean Homer Moyer, entitled “The Big Broom of FCPA Industry Sweeps”. In his article, Moyer said that an industry sweep is the situation where the DOJ and/or SEC will focus “on particular industries – pharmaceuticals and medical devices come to mind — industry sweeps are investigations that grow out of perceived FCPA violations by one company that enforcement agencies believe may reflect an industry-wide pattern of wrongdoing.” Moyer further wrote, “Industry sweeps are often led by the Securities and Exchange Commission (“SEC”), which has broad subpoena power as a regulatory agency, arguably broader oversight authority than prosecutors. They are different from internal investigations or traditional government investigations, and present different challenges to companies. Because the catalyst may be wrongdoing in a single company, agencies may have no evidence or suspicion of specific violations in the companies subject to an industry sweep. A sweep may thus begin with possible cause, not probable cause. In sweeps, agencies broadly solicit information from companies about their past FCPA issues or present practices. And they may explicitly encourage companies to volunteer incriminating information about competitors.”

As a compliance professional, one of the key takeaways from the Brazilian corruption scandal is that you should take a very hard and detailed look at your company. With the spread of Brazilian investigations around corruption, we can see that these scandals are not be limited to only the energy or energy-related service industry. One of the first things you can begin to do is to review the list of third parties who might work with the Brazilian government or with Brazilian state-owned enterprises. You should begin by asking such questions as:

  • What is the ownership of the third party? Is there a business justification for the relationship?
  • Is there anyone in the company who is responsible for maintaining the relationship? Is there ongoing accountability?
  • How is the relationship being managed?
  • Are you engaging in any transaction monitoring?
  • Are you engaging in any relationship monitoring?
  • What is the estimated or budgeted size of the spend with the third party?

While the GlaxoSmithKline PLC (GSK) investigation has reverberated throughout the China, I think that the Brazilian corruption scandals will be with us for some time. As bad as it seems about now, and it certainly appears bad, there are many lessons that the compliance practitioner can not only draw from but use for teaching moments within your company. For if you are doing business with the Brazilian government or with Brazilian state-owned enterprises it may not be “if you are subject to a FCPA sweep” but only “when”.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 8, 2015

The WPA and More Productive Compliance Meetings

WPA LogoOn this day 80 years ago, Congress created the Works Progress Administration (WPA), a central part of President Franklin D. Roosevelt’s New Deal. The WPA was established under the Emergency Relief Appropriation Act, as a means of creating government jobs for some of the nations many unemployed. Under the direction of Harry L. Hopkins, the WPA employed approximately 8 million people who worked on 1.4 million public projects before it was disbanded in 1943. Its programs were extremely popular and contributed significantly to Roosevelt’s landslide reelection in 1936.

I have always been amazed at the variety of works that the WPA had a hand in creating, from vast public building projects like the construction of highways, bridges, and dams to the careers of several important American artists, including Jackson Pollock and Willem de Kooning. Many of the most interesting art deco buildings still in use were built during the 1930s through the auspices of the WPA.

While the WPA constructed and led to many good works during its existence, one of the banes of corporate existence is the number of meetings that one must attend. Even worse than the raw number of meetings is the lack of any good that comes out of most meetings. Most meeting organizers have no clue how to run a successful or even useful meeting. I thought about this when I read a recent article in the Houston Business Journal (HBJ), entitled “10 ways to make your next meeting more productive by Dana Manciagli.

Manciagli began her piece by noting that researchers from the London School of Economics and Harvard University found that business leaders “spend 60% of their time in meetings, and only 15% working alone.” While this statistic alone is troubling enough, when you overlay that with the number of meetings where nothing is accomplished, it is clear to me you have a complete waste of time and resources. I do recognize that some companies have taken accomplishing nothing in meetings as a matter of corporate policy. General Motors (GM) took this to an art form in the well-documented GM Nod, which signified that there was agreement on an issue but that no one would actually do anything about it.

But for those who might want to actually accomplish something in a meeting, Manciagli pointed to Andrea Driessen whom she described as “chief boredom buster” at Seattle-based No More Bored Meetings . How is that for a moniker and company name? Manciagli related Driessen’s top ten tips for developing, running and ultimately having a successful meeting.

  1. Be a Know-it-all

Manciagli writes that because it is “natural to disengage when meeting content isn’t relevant. The most effective meeting hosts review all potential agenda segments to determine whether they apply to all attendees. If participants already know a particular content slice, then simply don’t cover that segment for the broader audience. Or if you have vastly different levels of awareness in the room, divide people accordingly to ensure maximum relevance for all.” Of course this means you will need to put some thought into your pre-meeting planning.

  1. No Problem? No Meeting!

We have all been subjected to it, the daily, weekly, monthly meeting check-in to see how the project is progressing. But Manciagli believes that “many of these less-than-productive meetings could be canceled or shortened if we identified the problem the meeting is intended to solve. And if we can’t find an identifiable problem, then don’t have the meeting.” Manciagli concludes, “Sometimes, it’s that simple.”

  1. Get Real

This is another pre-meeting planning point. Do you try to squeeze 13 action items for discussion and resolution into a 30-minute meeting? Conversely you do not need to book a 60-minute window to handle a couple of points. If you can handle a matter via email or need to go offline, do so.

  1. Prioritize, Prioritize, Prioritize!

Like its related cousin, Document, Document and Document, this phase should be more than simply a catchword. It should be an action item in your meeting planning process. Tackle your important issues first to “save time and solve your most pressing problem.”

  1. Play “Pass the Pad” To Avoid Late Arrivals

The biggest offender of this rule is, unfortunately, us lawyers. Why, because we are always (in our eyes) the most important. Yet not being able to start because someone is not present or having to repeat points is one of the worst problems there is around efficient meetings. The article notes, “Meeting productivity suffers when people arrive late, and the punctual are penalized.” Her solution is to require the latecomer to take notes in the meeting, writing “People learn quickly that they can either be on time, or become the dreaded note-taker if they are late. As host, you’ll see positive behavior change with little effort on your part.”

  1. Be a Meeting Bouncer

Manciagli tactfully writes about that “common meeting malady: the tangent talker.” I would perhaps less tactfully say there are way too many people who like to hear the sound of their own voices way too much. Manciagli suggests a little humor by “naming a tangent officer who monitors and records tangents for later. Use that parking lot! And you can lighten it up by using a toy police badge.” Nothing like a little corporate shame to keep things moving.

  1. Make it Multi-Sensory

It is not simply millennials who respond to social media. Most people do better when they are visually engaged. Manciagli suggests using more than simply oral presentations, use other tools, including the following: “Graphic illustration, in which someone draws out ideas in real time; Customer testimonials that emotionally inspire; Quizzes and games; Product demos; Surprise guests; Props that foster kinesthetic learning.”

  1. PPPPP

Everyone understands the Five P rule, aka prior planning prevents poor performance. As a meeting host, this means you must absolutely be prepared prior to the meeting. If there are technical issues, you should pass out that information prior to the meeting. Manciagli pointed out that “the more skin we all have in the game, the more likely we are to own and be accountable to group outcomes.”

  1. Hire an “Accountant”

Accountability. How many meetings have you attended where there was no accountability? Manciagli believes “Most meetings lack built-in accountability structures.” She gives the tangible hint to “ask everyone to record at least one goal related to the meeting that they’ll commit to completing in the next week or month, and have them check in with one another. Teams gain measurable accountability, and you get recognized for generating stronger results tied to your meetings.”

  1. Remember: Humor is No Joke

Humor has a big use in meetings, “The power of humor — if used effectively within the meeting mix — is no laughing matter. Indeed, there is a strong business case to be made for laughing while learning.” It can also lower the stress level in meetings, once again if used properly.

I am sure that you have your own horror stories of aimless, wandering meetings that go nowhere painfully slow. As a Chief Compliance Officer (CCO) or compliance practitioner, one of your most valuable items in a corporation is time. You can set an example about running an efficient and productive meeting and then lead your company down the path laid out in the article. Who knows, the results of what you start in your company may last as long as WPA work.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 6, 2015

Tribute To Eddie LeBaron and CCO as Compliance Project Sponsor

Eddie LeBaronToday we celebrate Eddie LeBaron, who died last week. LeBaron was a diminutive pro quarterback for 11 seasons in the National Football League (NFL) in the 1950s and 1960s. He was also a lawyer and decorated veteran, having been awarded the Bronze Star during the Korean Conflict. In his New York Times (NYT) obituary, Frank Litsky wrote “In a position where players are now routinely 6 feet 3 inches or taller, LeBaron was 5-foot-7, and his weight never reached 170 pounds. But he had no fear of scrambling.” LeBaron quarterbacked the Dallas Cowboys from 1960 to 1963, before handling the reins of Coach Tom Landry’s offense over to Don Meredith with his retirement. After his retirement he worked as a color analyst for CBS Sports, who covered the NFL in those days. One of the things that I remember from his commentary work was the need for planning in any game plan. It was one of the first things I recall learning about pro football.

One of the skills you may be called upon as a Chief Compliance Officer (CCO) or compliance practitioner is the initiation, integration or enhancement of a Foreign Corrupt Practices Act (FCPA) compliance solution into an organization. Most assuredly, one of the things that is not taught in law school or in any compliance course is project management. As CCO, you may either lead such a project on a day-to-day basis or you may take the role of project sponsor, while delegating the day-to-day running of the project to a compliance practitioner in your group.

I thought about this issue when reading a recent article in the MIT Sloan Management Review, entitled “How Executive Sponsors Influence Project Success”, by Timothy J. Kloppenborg and Debbie Tesch. In their article they note, “The role of a project sponsor is often overlooked. But for every stage of a project, there are key executive sponsor behaviors that can make the difference between success and failure.” I found their article has some excellent tips for the CCO or compliance practitioner who may be facing such a task. The authors break the project life cycle stage into four stages: (1) Initiating Stage; (2) Planning Stage; (3) Executing Stage; and (4) Closing Stage.

I.   Initiating Stage

In this stage there are three key activities that a sponsor should pursue. First, the sponsor needs to set the performance standards. This “can be accomplished in the project charter by stating goals about the project’s strategic value and how it will be measured.” But beyond the written details there must be a “clear understanding of expectations about performance” of which dialogue is critical. Second, the project sponsor must mentor the project manager, whose key responsibility is to explain, “how the project fits into the big picture, defining the performance standards and helping the project manager set priorities.” Finally, the project manager must establish the project priorities, with the “most compelling” questions being “what needs to happen first and how should conflicts by settled?”

II.  Planning Stage

In the Planning Stage the authors believe that there are two critical project sponsor behaviors. The first is to “ensure planning” activities are completed by providing “leadership so that the project manager and team can set goals that align with the vision and broader organizational goals. The second is to “develop productive relationships with stakeholders”. This means frequent meetings and communications. Interestingly, the project sponsor should not only see that “needs are identified and understood” but also make “sure that stakeholders’ emotional concerns are given adequate consideration.” Admittedly this is not something lawyers do particularly well but it is mandatory for the CCO or compliance professional.

III.  Executing Stage

In the Execution Stage the authors identify three elements. First the project sponsor must “ensure adequate and effective communication.” This means that regular communications must occur as the project progresses “to make sure that expectations are met.” However this may require the project sponsor to “stand ready to manage the organizational politics with internal and external stakeholders.” Second, a project sponsor must work to help “maintain relationships with stakeholders.” This element helps facilitate the project manager and project team communications noted in the first element. Here the project sponsor should be “open to direct feedback from team members” to ensure that expectations are met. Finally, the project sponsor should work to “ensure quality” by practicing “appropriate decision-making methods and work to resolve issues fairly.”

IV.  Closing Stage

Finally, in the Closing Stage the authors write that there are two elements that project sponsors should emphasize. The first is to “identify and capture lessons learned.” They should be properly “categorized, stored and distributed in such a manner that future project teams will be able to understand and capitalize on”. The second element is to “ensure that capabilities and benefits are realized.” Capabilities, the authors suggest, “could include employees becoming more committed and more capable”. Further, that processes are “more effective and efficient.” Benefits relates to “verifying that the deliverables that were specified at the beginning were actually provided, work correctly and satisfy customer needs.”

To the extent they know much about project management, most CCOs or compliance practitioners are aware of the “iron triangle” of factors to determine a project success. The authors define these as “cost, schedule and performance.” But the authors’ research has led them to conclude that for a project to be a success it must meet an organization’s expectations. The next evaluative point is did the project come in on time, within budget and to the project’s specifications? Finally, did the project succeed in bringing its touted positive benefits to the organization?

By using the steps the authors have outlined, a CCO can think through the organization and ongoing performance of a project to set it up for success. Equally importantly for the CCO, if the project management has been delegated to compliance team members or with other disciplines inside your organization, such as legal, internal audit, IT or human resources; the continued involvement of a CCO as the project sponsor can be key component. The authors posit, “for every project stage, there are success factors that project sponsors should consider” and that a CCO must engage in an ongoing and continual dialogue with the project manager. Finally, key lessons learned should be captured and used down the road to help facilitate other projects or issues as applicable.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 2, 2015

Managing Your Third Parties in a FCPA Compliance Program

7K0A0501The building blocks of any Foreign Corrupt Practices Act (FCPA) anti-corruption compliance program lay the foundations for a best practices compliance program. For instance in the lifecycle management of third parties, most compliance practitioners understand the need for a business justification, questionnaire, due diligence, evaluation and compliance terms and conditions in contracts. However, as many companies mature in their compliance programs, the issue of third party management becomes more important. It is also the one where the rubber meets the road of actually doing compliance.

In the March/April issue of Supply Chain Management Review is an article by Mark Trowbridge, entitled “Put it in Writing: Sharpening Contracts Management to Reduce Risk and Boost Supply Chain Performance”, that provides some useful insights into the management of the third party relationship. While the focus of the article was about having a “strategic approach to contracts management” I found the author’s “five ways to start professionalizing your approach to outsourcing contracts” as steps a compliance practitioner can use in the management of third party relationships, both on the sales side and those which come into your company through the Supply Chain.

By taking his analysis into the compliance realm, I believe there are concrete steps you can take going forward. The key is to have a strategic approach to how you structure and manage your third party relationships. This may mean more closely partnering with your third parties to help manage the anti-corruption compliance risk. It would certainly lead towards enabling your company to “control risk while optimizing the performance” of your third parties. To achieve these goals, I have revised Trowbridge’s prescriptions from suppliers to third parties.

I. Consolidate Third Parties but Retain Redundancy

It is incumbent that consolidation in your third party relationships on the Supply Chain side to a smaller number of suppliers will “yield better cost leverage.” From the compliance perspective it also should make the entire third party lifecycle easier to manage, particularly steps 1-4. However a company must not “over-consolidate” by going down to a single source supplier. Trowbridge advocates a diversified supplier base, with a technique he calls “dual-sourcing”. From the compliance perspective, you may want to have a primary and secondary third party that you work with in a service line or geographic area to retain this redundancy.

II. Keep Tabs on Subcontracted Work

This is one area that requires an appropriate level of management. If your direct contracting party has the right or will need to subcontract some work out, you need to have visibility into this from the compliance perspective. You will need to require and monitor that your direct third party relationship has your approved compliance terms and conditions in their contracts with their subcontractors. You will also need to test that proposition. In other words, you must require, trust and then verify.

III. When Disaster Strikes, Make Sure Your Company is Legally Protected Too

This is where your compliance terms and conditions will come into play. One of the things that I advocate is a full indemnity if your third party violates the FCPA and your company is dragged into an investigation because of the third party’s actions. Such an indemnity may not be worth too much but if you do not have one, there will be no chance to recoup any of your legal or investigative costs. Another important clause is that any FCPA violation is a material breach of contract. This means that you can legally, under the terms of the contract, terminate it immediately, with no requirement for notice and cure. Once again you may be somewhat constrained by local laws but if you do not have the clause, you will have to give written notice and an opportunity to cure. This notice and cure process may be too long to satisfy the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) during the pendency of a FCPA investigation. Finally, you need a clause that requires your third party to cooperate in any FCPA investigation. This means cooperation with you and your designated investigation team but it may also mean cooperation with US governmental authorities as well.

You also need the ability to move between third parties if the need arises. This is the redundancy issue raised above. You do not want to be stuck with no approved freight forwarders or other transporters in a certain geographic area. If a compliance related matter occurs, you may well need certain contractual rights to move your work and to require your prime third party to cooperate with the transition to your secondary third party.

IV. Keep Track of Your Third Parties’ Financial Stability

This is one area that is not usually discussed in the compliance arena around third parties but it seems almost self-evident. You can certainly imagine the disruption that could occur if your prime third party supplier in a country or region went bankrupt; but in the compliance realm there is another untoward Red Flag that is raised in such circumstances. Those third parties under financial pressure may be more easily persuaded to engage in bribery and corruption than third parties that stand on a more solid financial footing. You can do this by a simple requirement that your third party provide annual audited financial statements. For a worldwide logistics company, this should be something easily accomplished.

Trowbridge says, “Automated financial tracking tools can also be used to keep track of material changes in a supplier’s financial stability.” You should also use your in-house relationship manager to regularly visit key third party relationships so an on-the-ground assessment can be a part of an ongoing conversation between your company and your third parties.

V. Formalize Incentives for Third Party Performance

One of the key elements for any third party contract under the FCPA or UK Bribery Act is the compensation issue. If the commission rate is too high, it could create a very large pool of money that could be used to pay bribes. It is mandatory that your company link any commission or payment to the performance of the third party. If you have a long-term stable relationship with a third party, you can tie compensation into long-term performance, specifically including long-term compliance performance. This requires the third party to put skin into the compliance game so that they have a vested, financial interest in getting things done in compliance with the FCPA or other anti-corruption compliance regime.

Additionally, as Trowbridge notes, “The fact is, linking contractual compensation to performance does make a significant difference in supplier performance. This is especially valuable when agreed upon key performance indicator (KPI) metrics can be accurately tracked.” This would seem to be low hanging for the compliance practitioner. If you cannot come up with some type of metric from the compliance perspective, you can work with your business relationship team to develop such compliance KPIs.

While Trowbridge’s article focused on the suppliers, I found his ideas easily transferable to the compliance field. Near the end of the article Trowbridge suggested ranking suppliers based upon a variety of factors including performance, length of relationship, benchmarking metrics and KPIs. This is a way for the compliance practitioner to have an ongoing risk ranking for third parties that can work as a preventative and even proscription prong of a compliance program and allow the delivery of compliance resources to those third parties that might need or even warrant them.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

April 1, 2015

Supply Chain as a Source of Compliance Innovation

Supply ChainOn this day we celebrate the greatest upset in the history of the NCAA Basketball Tournament, when Villanova beat Georgetown for the 1985 national championship. Georgetown was the defending national champion and had beaten Villanova at each of their regular season meetings. In the final the Wildcats shot an amazing 79% from the field, hitting 22 of 28 shots plus 22 of 27 free throws. Wildcats forward Dwayne McCain, the leading scorer, had 17 points and 3 assists. The Wildcats’ 6’ 9” center Ed Pinckney outscored 7’ Hoyas’ center, Patrick Ewing, 16 points to 14 and 6 rebounds to 5 and was named MVP of the Final Four. It was one of the greatest basketball games I have ever seen and certainly one for the ages.

I thought about this game when I read an article in the most recent issue of Supply Chain Management Review by Jennifer Blackhurst, Pam Manhart and Emily Kohnke, entitled “The Five Key Components for SUPPLY CHAIN”. In their article the authors asked “what does it take to create meaningful innovation across supply chain partners?” Their findings were “Our researchers identify five components that are common to the most successful supply chain innovation partnerships.” The reason innovation in the Supply Chain is so important is that it is an area where companies cannot only affect costs but can move to gain a competitive advantage. To do so companies need to see their Supply Chain third parties as partners and not simply as entities to be squeezed for costs savings. By doing so, companies can use the Supply Chain in “not only new product development but also [in] process improvements”.

I found their article resonated for the compliance professional as well. It is almost universally recognized that third parties are your highest Foreign Corrupt Practices Act (FCPA) risk. What if you could turn your Supply Chain from being considered a liability under the FCPA to an area that brings innovation to your compliance program? This is an area that not many compliance professionals have mined so I think the article is a useful starting point. The authors set out five keys to successful innovation spanning Supply Chain partners. They are: “(1) Don’t Settle for the Status Quo; (2) Hit the Road in Order to Hit Your Metrics; (3) Send Prospectors Not Auditors; (4) Show Me Yours and I’ll Show You Mine; and (5) Who’s Running the Show?”

Don’t Settle for the Status Quo

This means that you should not settle for simply the status quo. Innovation does not always come from a customer or even an in-house compliance practitioner. Here the key characteristics were noted to be “cooperative, proactive and incremental”. The authors emphasize that “you need to be leading the innovation change rather than catching up from behind.” If a company in your Supply Chain can suggest a better method to do compliance, particularly through a technological solution, it may be something you should well consider.

Hit the Road in Order to Hit Your Metrics

To truly understand your compliance risk from all third parties, including those in the Supply Chain, you have to get out of the ivory tower and on the road. This is even truer when exploring innovation. You do not have hit the road with the “primary goal to be the inception point for innovation” but through such interactions, innovation can come about “organically”. There is little downside for a compliance practitioner to go and visit a Supply Chain partner and have a “face-to-face meeting simply to get to know the partner better and more precisely identify that partner’s needs.”

Send Prospectors Not Auditors

While an audit clause is critical in any Supply Chain contract, both from a commercial and FCPA perspective, the authors believe that “Too often firms use supply chain managers as auditors when they are dealing with supply chain partners.” The authors call these types of managers “innovation partners.” Every third party should have a relationship manager, whether that third party is on the sales side or the Supply Chain side of the business. Moreover, the innovation partners are “able to see synergies where [business] partners can work together for the benefit of everyone involved.”

Show Me Yours and I’ll Show You Mine

Here the authors note, “Trust plays an extremely important role in supply chain innovation. Firms in successful innovations discussed a willingness to share resources and rewards and to develop their partners’ capabilities.” The authors believe that “Through the process of developing trust, firms understand their partner’s strategic goals.” I cannot think of a more applicable statement about FCPA compliance. Another way to consider this issue is that if your Supply Chain partner has trust in you and your compliance program, they could be more willing to work with you on the prevent and detect prongs of compliance regimes. Top down command structures may well be counter-productive.

Who’s Running the Show?

I found this point particularly interesting as for the authors, this prong means “who is doing what, but also what each firm is bringing to the relationship in terms of resources and capabilities.” In the compliance regime it could well lead to your Supply Chain partner taking a greater role in managing compliance in a specific arena or down a certain set of vendors. Your local Supply Chain partner might be stronger in the local culture, which could allow it to lead to collaborations by other vendors in localized anti-corruption networks or roundtables to help move the ball forward for doing business in compliance with the FCPA or other anti-corruption laws such as the UK Bribery Act.

The authors ended by remarking, “we noticed that leveraging lean and process improvement was mentioned by virtually every firm.” This is true in the area of process improvement, which is the essential nature of FCPA compliance. Another interesting insight from the authors was that utilization can increase through such innovation in the Supply Chain. Now imagine if you could increase your compliance process performance by considering innovations from your Supply Chain third parties? The authors conclude by stating that such innovation could lead to three “interesting outcomes 1) The trust and culture alignment is strengthened through the partnership innovation process leading to future innovations and improvement; 2) firms see what is needed in terms of characteristics in a partner firm so that they can propagate the success of prior innovations to additional partners; 3) by engaging supply chain partners as innovation partners, both sides reap rewards in a low cost, low risk, highly achievable manner.” With some innovation Villanova coach Rollie Massimino led his team over the prohibitive favorite Georgetown, and you may be able to tap into a resource immediately available at your fingertips, your Supply Chain.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 31, 2015

Do Your Executives Have (Compensation) Skin in the Game?

Whymper and MatterhornThis year marks the 150th anniversary of the ascent of the most famous mountain in Europe, the Matterhorn. On Bastille Day, in 1865, four British climbers and three guides were the first climbers to reach the summit. In an article in the Financial Times (FT), entitled “In Whymper’s steps”, Edward Douglas wrote, “It was a defining moment in the history of mountaineering, arguably as pivotal as the first ascent of Everest. Before this calamity climbing was a quirky minority pastime and Zermatt an indigent and obscure village. All that changed on July 14, 1865. As locals cheerfully acknowledge, the Matterhorn disaster enthralled the public around the world and sparked an unprecedented tourist boom.”

The disaster had befallen the climbing team on its descent after having scaled the summit. The team was led by Edward Whymper. As they were coming back down, they were all tied together with rope. When one of the team slipped, he knocked over his guide and “their weight on the rope pulled off the next man…and a fourth climber as well.” Only expedition leader Whymper and two Swiss guides, a father and son duo from Zermott, survived the disaster when “they dug in and the rope tightened – then snapped – leaving them to watch in horror as the bodies of their companions cartwheeled thousands of feet down the mountain.” The depiction of the disaster by the French artist Gustave Doré captures for me the full horror of the tragedy.

Yesterday I wrote about the role of compensation in your best practices compliance program. Today I want to focus on the same issue but looking at senior management and compensation. I thought about this inter-connectedness of compensation in a compliance program, focusing up the corporate ladder when I read a recent article in the New York Times (NYT) by Gretchen Morgenson, in her Fair Game column, entitled “Ways to Put the Boss’s Skin In the Game”. Her piece dealt with a long-standing question about how to make senior executives more responsible for corporate malfeasance? Her article had some direct application to anti-corruption compliance programs such as those based on the US Foreign Corrupt Practices Act (FCPA) or UK Bribery Act. Morgenson said the issue was “Whenever a big corporation settles an enforcement matter with prosecutors, penalties levied in the case – and they can be enormous – are usually paid by the company’s shareholders. Yet the people who actually did the deeds or oversaw the operations rarely so much as open their wallets.”

She went on to explain that it is an economic phenomenon called “perverse incentive” which is one where “corporate executives are encouraged to take outsized risks because they can earn princely amounts from their actions. At the same time, they know that they rarely have to pay any fines or face other costly consequences from their actions.” To help remedy this situation, the idea has come to the fore about senior managers putting some ‘skin in the game’. Her article discussed three different sources for this initiative.

The first is a current proxy proposal in front of Citigroup shareholders which “would require that top executives at the company contribute a substantial portion of their compensation each year to a pool of money that would be available to pay penalties if legal violations were uncovered at the bank.” Further, “To ensure that the money would be available for a long enough period – investigations into wrongdoing take years to develop – the proposal would require that the executives keep their pay in the pool for 10 years.”

The second came from William Dudley, the President of the Federal Reserve Bank of New York, who made a similar suggestion in a speech last fall. His proscription involved a performance bond for the actions of bank executives. Morgenson quoted Dudley from his speech, “In the case of a large fine, the senior management and material risk takes would forfeit their performance bond. Not only would this deferred debt compensation discipline individual behavior and decision-making, but it would provide strong incentives for individuals to flag issues when problems develop.”

Morgenson reported on a third approach which was delineated in an article in the Michigan State Journal of Business and Securities Law by Greg Zipes, “a trial lawyer for the Office of the United States Trustee, the nation’s watchdog over the bankruptcy system, who also teaches at the New York University School for Professional Studies.” The article is entitled, “Ties that Bind: Codes of Conduct That Require Automatic Reductions to the Pay of Directors, Officers and Their Advisors for Failures of Corporate Governance”. Zipes proposal is to create a “contract to be signed by a company’s top executives that could be enforced after a significant corporate governance failure. Executives would agree to pay back 25 percent of their gross compensation for the three years before the beginning of improprieties. The agreement would be in effect whether or not the executives knew about the misdeeds inside their company.”

As you might guess, corporate leaders are somewhat less than thrilled at the prospect of being held accountable. Zipes was cited for the following, “Corporate executives are unlikely to sign such codes of conduct of their own volition.” Indeed Citibank went so far as to petition the Securities and Exchange Commission (SEC) “for permission to exclude the policy from its 2015 shareholder proxy.” But the SEC declined to do and at least Citibank shareholders will have the chance to vote on the proposal.

In the FCPA compliance context, these types of proposals seem to me to be exactly the type of response that a company or its Board of Directors should want to put in place. Moreover, they all have the benefit of a business solution to a legal problem. In an interview for her piece, Morgenson quoted Zipes as noting, “This idea doesn’t require regulation and its doesn’t require new laws. Executives can sign the binding code of conduct or not, but the idea is that the marketplace would reward those who do.” For those who might argue that senior executives can not or should not be responsible for the nefarious actions of other; they readily take credit for “positive corporate activities in which they had little role or knew nothing about.” Moreover, under Sarbanes-Oxley (SOX), corporate executives must make certain certifications about financial statement and reporting so there is currently some obligations along these lines.

Finally, perhaps shareholders will simply become tired of senior executives claiming they could not know what was happening in their businesses; have their fill of hearing about some rogue employee(s) who went off the rails by engaging in bribery and corruption to obtain or retain business; and not accept that leaders should not be held responsible.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 30, 2015

Compensation Incentives in a Best Practices Compliance Program

Compensation IncentivesOne of the areas that many companies have not paid as much attention to in their Foreign Corrupt Practices Act (FCPA) anti-corruption compliance programs is compensation. However the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have long made clear that they view incentives, rewarding those employees who do business in compliance with their employer’s compliance program, as one of the ways to reinforce the compliance program and the message of compliance. As far back as 2004, the then SEC Director of Enforcement, Stephen M. Cutler, said “[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it.” The FCPA Guidance states the “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance pro­gram, and rewards for ethics and compliance leadership.”

In a Harvard Business Review (HBR) article, entitled “The Right Way to Use Compensation, Mark Roberge, Chief Revenue Officer of HubSpot, wrote about his company’s design and redesign of its employee’s compensation system to help drive certain behaviors. The piece’s subtitle indicated how the company fared in this technique as it read, “To shift strategy, change how you pay your team.” Several interesting ideas were presented, which I thought could be applicable for the Chief Compliance Officer (CCO) or compliance practitioner when thinking about compensation as a mechanism in a best practices compliance program.

Obviously Roberge and HubSpot were focused on creating and retaining a customer base for a start-up company. However because the company was a start-up, I found many of their lessons to be applicable for the compliance practitioner. As your compliance program matures and your strategy shifts, “it’s critical that the employees who bring in the revenue-the sales force-understand and behave in ways that support the new strategy. The sales compensation system can help ventures achieve that compliance.” The prescription for you as the compliance practitioner is to revise the incentive system to focus your employees on the goals of your compliance program. This may mean that you need to change the incentives as the compliance programs matures; from installing the building blocks of compliance to burning anti-corruption compliance into the DNA of your company.

Roberge wrote that there were three key questions you should ask yourself in modifying your compensation incentive structure. First, is the change simple? Second, is the changed aligned with your company values? Third, is the effective on behavior immediate due to the change?

Simplicity

Your employees should not need “a spreadsheet to calculate their earnings.” This is because if “too many variables are included, they may become confused about which behaviors” you are rewarding. Keep the plan simple and even employee KISS, Keep it simple sir, when designing your program. If you do not do so, your employees might fall back on old behaviors that worked in the past. Roberge notes, “It should be extraordinarily clear which outcomes you are rewarding.”

The simplest way to incentive employees is to create metrics that they readily understand and are achievable in the context of the compliance program that you are trying to implement or enhance. This can start with attending Code of Conduct and compliance program training. Next might be a test to determine how much of that training was retained. It could be follow up, online training. It could mean instances of being a compliance champion in certain areas, whether with your employee base or third party sales force.

Alignment

As the CCO or compliance practitioner, you need to posit the most important compliance goal your entity needs to achieve. From there you should determine how your compensation program can be aligned with that goal. Roberge cautions what the DOJ and SEC both seem to understand, that you should not “underestimate the power of your compensation plan.” You can tweak your compliance communication, be it training, compliance videos, compliance reminders or other forms of compliance messaging but it is incumbent to remember that “if the majority of your company’s revenue is generated by salespeople, properly aligning their compensation plan will have greater impact than anything else.”

The beauty of this alignment prong is that it works with your sales force throughout the entire sales channel. So if your sales channel is employee based then their direct compensation can be used for alignment. However such alignment also works with a third party sales force such as agents, representatives, channel ops partners and even distributors. Here Roberge had another suggestion regarding compensation that I thought had interesting concepts for third parties, the holdback or even clawback. This would come into place at some point in the future for these third parties who might meet certain compliance metrics that you design into your third party management program.

Immediacy

Finally, under immediacy, it is important that such structures be put in place “immediately” but in a way that incentives employees. Roberge believes that “any delay in the good (or bad) behavior and the related financial outcome will decrease the impact of the plan.” As a part of immediacy, I would add there must be sufficient communication with your employee or other third party sales base. Roberge suggested a town hall meeting or other similar event where you can communicate to a large number of people.

Even in the world of employee compensation incentives, there should be transparency. He cautioned that transparency does not mean the design of the incentive system is a “democratic process. It was critical that the salespeople did not confuse transparency and involvement with an invitation to selfishly design the plan around their own needs.” However, he did believe that the employee base “appreciated the openness, even when the changes were not favorable to their individual situations.” Finally, he concluded, “Because of this involvement, when a new plan was rolled out, the sales team would understand why the final structure was chosen.”

So just as Roberge, working with HubSpot as a start-up, learned through this experience “the power of a compensation plan to motivate salespeople not only to sell more but to act in ways that support a start-up’s evolving business model and overall strategy”; you can also use your compensation program as such an incentive. For the compliance practitioner one of the biggest reasons is to first change a company’s culture to make compliance more important but to then burn it into the fabric of your organization. But you must be able to evolve in your thinking and professionalism as a compliance practitioner to recognize the opportunities to change and then adapt your incentive program to make the doing of compliance part of your company’s everyday business process.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

March 12, 2015

Protections for CCOs from Wrongful Termination

Wrongful TerminationThis week the Houston Texans unceremoniously cut the franchise’s greatest player in its short history, receiver Andre Johnson. This was after his being hauled into the office of the head coach and being told that he would only need to work half as hard next year. As reported by Jerome Solomon in the Houston Chronicle article entitled “Move inevitable, but team bungles its handling”, Head Coach Bill O’Brien told Johnson that his catch total would drop from the 84 he has averaged in his 12 year career with the Texans down to “around 40 passes next season.” But O’Brien went on to add the team’s certain Hall of Fame receiver “wasn’t likely to be a starter next season, definitely not for all of the games.” So much for playing your best player at his position on a full-time basis, but hey, at least the information was made public.

Now imagine you are a Chief Compliance Officer (CCO) and have been one of your company’s senior management for the better part of the past 12 years. While you may not have been the most important member of the management team you certainly have helped navigate the company through rough compliance waters. Now imagine the company Chief Executive Officer (CEO) who tells you that although he has no one in mind to replace you (other than a less experienced and a smaller-salaried compliance specialist) your services will only be needed half the time in the coming year. What if this is in response to advice the head of the company did not like? What should the response be?

You can consider the departure from MF Global of its Chief Risk Officer, the financial services equivalent of a CCO. As reported in a New York Times (NYT) article entitled “MF Global’s Risk Officer Said to Lack Authority” Ben Protess and Azam Ahmed reported that the company replaced its Chief Risk Officer, Michael Roseman, after he “repeatedly clashed with Mr. Corzine [the CEO] over the firm’s purchase of European sovereign debt.” He was given a large severance package and left the company. When he left, there was no public reason given. His replacement was brought into the position with reduced authority.

If you are a public company, you may well need to heed the advice of fraud and compliance expert Jonathan Marks, a partner at Crowe Horwath LLP, who advocates that any time a CCO, a key executive, is dismissed it should be an 8K reporting event because the departure may be a signal of a change in the company’s attitude towards compliance or an alleged ethical breach had taken place. A similar view was expressed by Michael W. Peregrine in a NYT article entitled “Another View: MF Global’s Corporate Governance Lesson”, where he wrote that a “compliance officer is the equivalent of a “protected class” for governance purposes, and the sooner leadership gets that, the better.” Particularly in the post Sarbanes-Oxley world, a company’s CCO is a “linchpin in organizational efforts to comply with applicable law.” When a company fires (or asks him/her to resign), it is a significance decision for all involved in corporate governance and should not be solely done at the discretion of the CEO alone.

In its Code of Ethics for Compliance and Ethics Professionals, the Society for Corporate Compliance and Ethics (SCCE) has postulated Rule 1.4, which reads, “If, in the course of their work, CEPs become aware of any decision by their employing organization which, if implemented, would constitute misconduct, the professional shall: (a) refuse to consent to the decision; (b) escalate the matter, including to the highest governing body, as appropriate; (c) if serious issues remain unresolved after exercising “a” and “b”, consider resignation; and (d) report the decision to public officials when required by law.” As commentary to this rule, the SCCE said, “The duty of a compliance and ethics professional goes beyond a duty to the employing organization, inasmuch as his/her duty to the public and to the profession includes prevention of organizational misconduct. The CEP should exhaust all internal means available to deter his/her employing organization, its employees and agents from engaging in misconduct. The CEP should escalate matters to the highest governing body as appropriate, including whenever: a) directed to do so by that body, e.g., by a board resolution; b) escalation to management has proved ineffective; or c) the CEP believes escalation to management would be futile. CEPs should consider resignation only as a last resort, since CEPs may be the only remaining barrier to misconduct. A letter of resignation should set forth to senior management and the highest governing body of the employing organization in full detail and with complete candor all of the conditions that necessitate his/her action. In complex organizations, the highest governing body may be the highest governing body of a parent corporation.”

What about compensation? The Department of Justice (DOJ) has made clear that it expects a CCO to resign if the company refuses advice and violates the Foreign Corrupt Practices Act (FCPA). The former head of the DOJ-FCPA unit Chuck Duross went so far as to compare CCOs and compliance practitioners to the Texans at the Alamo. To be fair to Duross, I think he was focusing more on the line in the sand part of the story, while I took that to mean they were all slaughtered for what they believed in. But whichever interpretation you may choose to put on it, the DOJ clearly expects a CCO to stand up and if a CEO does not like what they say, he or she must resign. This puts CCOs and compliance practitioners in a very difficult position, particularly if there is no exit compensation for doing the right thing by standing up.

I think the next step should be for the DOJ and Securities and Exchange Commission (SEC) to begin to discuss the need for contractual protection of CCOs and other compliance practitioners against retaliation for standing up against corruption and bribery. The standard could simply be one that protects a CCO and other compliance practitioners against termination without cause. Just as the SEC is investigating whether companies are trying to muzzle whistleblowers through post-employment Confidentiality Agreements, I think they should consider whether CCOs and other compliance practitioners need more employment protection. I think the SEC should also consider the proposals of Marks regarding the required 8K or other public reporting of the dismissal or resignation of any CCO. Finally, I would expand on Peregrine’s suggestion and require that a company Board of Directors approve any dismissal of a CCO. With these protections in place, a CCO or compliance practitioner would have the ability to confront management who might take business decisions that violate the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

 

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 5,190 other followers