DOJ | FCPA Compliance and Ethics Blog

August 13, 2015

Cymbeline – Doing Virtue and FCPA Compliance

Filed under: Best Practices,Compliance,Compliance and Ethics,Culture,Department of Justice,Doing Compliance,Ethics,FCPA,SEC — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, FT, SEC, Wall Street Journal, WSJ

Commentators still level the hue and cry that it is somehow the fault of the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) that companies continue to violate the Foreign Corrupt Practices Act (FCPA). Things would improve if only the DOJ and SEC would (1) prosecute companies more aggressively; (2) prosecute companies less aggressively; (3) make an example of ‘rogue’ employees who violate their corporate overseers pronouncements not to violate the law; (4) prosecute more corporate executives to ‘send a message’; (5) amend and clarify the FCPA because the concept of do not pay bribes is somehow too complicated for mere mortals to understand; (6) implement a compliance defense because apparently the DOJ does not consider that enough in any decision to prosecute; and/or (7) as The Donald desires, simply do away with the FCPA to restore the ability to pay a fair price for fair corruption.

I thought about all of these varied and contradictory reasons when considering one of Shakespeare’s most enigmatic plays, Cymbeline. In an article in the Wall Street Journal (WSJ) entitled “The Long, Painful Drama of Self-Knowledge”, Stephen Smith considered the character Posthumus who was thought of as virtuous yet, through the crush of the plot, has his virtuous image shattered. Smith poses the question of “Why is Posthumus such a poor leader of himself, and a danger to others?” He answers his own question by saying, “The play suggests that his lack of self-knowledge, along with the flattery of his culture, make him overconfident.” In other words, he was human.

I thought about this analysis in the context of the recent accounting and financial scandal that engulfed the Toshiba Corporation in Japan. For those who did not follow the news, Toshiba announced last month that it had overstated its profits from 2008-2014 by over $1 billion dollars. This was in the face of the company having been publicly recognized for its good governance standards and practices. In an article in the Financial Times (FT), entitled “Japan Inc left shaken by Toshiba scandal”, Kana Inagaki reported, “On paper, it had a structure that gave its external directors the authority to many top executives and an auditing committee to monitor the behaviour of the company’s leaders. It was lauded for its efforts. In 2013, the group was ranked ninth out of 120 publicly traded Japanese companies with good governance practices in a list compiled by the “Japan Corporate Governance Network.””

But it was all a sham as it turned out that chairman of the audit committee was in on the fraud in addition to a plethora of top executives. Kota Ezawa, an analyst at Citigroup was quoted in the piece that “Toshiba was lauded as the frontrunner in governance efforts but that was a misunderstanding. Its governance structure looked good but the execution was not.” Ezawa further stated, “We need to make sure that companies understand that having structures is not enough.” So even a company with $52bn in annual sales must have more than a paper program.

For those who want to point to some defect in the Japanese corporate character, reminding us of the Olympus scandal from 2011, where successive corporate executives covered up long running accounting fraud, Andrew Hill, also writing for the FT in an article entitled “The universal dangers shown by Toshiba’s failings”, says not to point that self-righteous finger quite so quickly. He reminds readers of WorldCom from earlier this century. Being from Houston, I would remind readers of Enron and its accounting fraud as well. Hill cites to the work of Professor Michael Jones to identify four main types of accounting fraud, (1) increasing income, (2) decreasing expenses, (3) increasing assets, and (4) decreasing liabilities. Hill further notes that one common failing in all of these examples is the failure of internal controls. A second key failing is the “Unwillingness to challenge authority, a trait attributed to employees at Toshiba and Olympus — and often given an “only in Japan” spin — is a recurring problem everywhere, from Royal Bank of Scotland under Fred Goodwin to Fifa under Sepp Blatter.”

Hill’s explanation of the how and why of these accounting scandals is as age old as the time of Cymbaline. He wrote, “The most important lesson from Toshiba is about the malign impact of top-down pressure to meet unrealistic targets. Toshiba’s ex-chief executive denies having given direct instructions to staff to inflate profits. But the investigating panel said he told executives to “use every possible measure to achieve profitability” and added that Toshiba’s corporate culture did “not allow employees to go against the will of their superiors”.”

The lessons that Hill finds in the Toshiba accounting scandal are equally applicable to FCPA compliance and enforcement. It is not the DOJ or SEC’s “fault” when companies do not comply with the FCPA. It is up to the companies to which the law applies to comply with it. Make no mistake; it is quite simple not to pay bribes. One only has to wake up and say “I am not paying a bribe today, no matter what the economic benefit is to me”. Yet for a company, it is not easy because you have to not only put the appropriate controls in place, but you have to do compliance by ensuring these controls are executed upon. That was the failing of Toshiba, it had the controls in place but it did not execute on them.

I think this speaks directly as to why FCPA violations continue to occur and be prosecuted. Hill ended his piece by noting, “When aggressive targets, irresistible management pressure and weak controls coincide, misconduct can spread quickly. Rival companies see the inflated numbers and strain to match them. To suggest such weaknesses are confined to one corporate or national culture is a first step into dangerous complacency.” As long as humans are involved with corporations and there are incentives in place for more and greater sales, you will always have the motivation to cut corners and pay bribes. That impulse can be brought on by a bump in salary, a nice bonus, a promotion or sometimes simply keeping your job. That is why a compliance program must be put in place and those controls must be effective.

In Cymbeline the protagonist Posthumus learns that one key component of virtue is prudence. Near the end of his article on Shakespeare’s play Smith writes, “In his story, we glimpse one goal of Shakespearean drama: to help forge just such a character – an integrated human person capable of leading himself and others to peace, with the help of virtue.” For FCPA compliance, as long as there are incentives in place to make money, there will be people who cut corners by paying bribes. Yet companies can temper this by putting an effective compliance program in place and actually doing compliance. Much like Posthumus learns in Cymbeline it is one’s actions which lead to being virtuous; for a company, it is doing compliance that leads to it being called ethical.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Leave a Comment

August 11, 2015

What Goes Downhill May Go Uphill in FCPA Compliance

Filed under: Best Practices,Brazil,Corruption in Brazil,Department of Justice,FCPA,Petrobras — tfoxlaw @ 12:01 am
Tags: best practices, Bribery Act, compliance, compliance programs, Department of Justice, DOJ, FCPA, FT, NYT

Usually the question I am posed is how far down the chain must you go in your due diligence to ensure that your suppliers are in compliance with the Foreign Corrupt Practices Act (FCPA). I would pose that now, after the Petrobras scandal, a company may need to examine the flow in the other direction. I thought about this directional shift when I read an exhaustive report in the Sunday New York Times (NYT) on the Petrobras scandal, entitled “Brazil’s Great Oil Swindle”, by David Segal. The article reviews the genesis of and details the ongoing nature of the Petrobras scandal.

While I have previously written about the other Brazilian companies that have been caught up in the scandal, such as Oderbrecht, Camargo Corrêa and UTC Engenharia, Segal’s article detailed a level of immersion in corruption that should concern every US Company subject to the FCPA and catch the eye of Department of Justice (DOJ) prosecutors handling FCPA cases. It appears that the companies that had direct contracts with Petrobras also colluded in the old-fashioned anti-trust sense, so that not only did they control all the subcontract work done on any Petrobras project but they would also demand bribes from the subcontractors which they then passed up the chain to Petrobras executives and eventually Brazilian politicians. If this scheme turns out to be true, it literally could explode potential FCPA exposure for any US Company doing business on any subcontract where Petrobras was the eventual beneficiary.

Segal reported, “according to prosecutors, these companies stopped competing and started to collaborate. They formed a cartel and decided, in advance, which of them would win a particular deal. A charade competition was orchestrated, and the anointed winner could charge vastly more than it would in a free market.” Further, “A document obtained by prosecutors laid out what it called the “rules of the game.” The trumped-up bidding process was labeled a “sports tournament”, with an assortment of rounds and a “trophy.” There was a no-sore-loser codicil, too: “The teams that participate in a round should honor the rules that have been agreed on, even when they are not the winner.”

But the corruption did not stop simply at these non-Petrobras entities. These companies would demand bribes from their subcontractors that they passed up the line to Petrobras. Segal wrote, “From 1 to 5 percent of the value of a given contract was diverted to those on the receiving end of the scheme, a group that included 50 politicians from six parties, according to prosecutors. Money from cartel members took a circuitous route to politicians’ pockets, passing through ghost corporations whose owners made bribes look like consulting fees.”

Think about all of this for a minute. What happens when everyone and every company associated with a National Oil Company (NOC) is in on the corruption? I thought about this question when I read an article in the Financial Times (FT) by Andres Schipani, entitled “We were terrorized by the drop in oil prices”, where he discussed how the drop in world oil prices has negatively affected Venezuela more than any other top oil producing company. Part of the country’s trouble is the rampant corruption around its NOC PDVSA. Schipani quoted a former minster for the following, “The design of the political economy here only benefits the corrupt.” Moreover, the country is near the bottom of the Transparency International Corruption Perceptions Index (TI-CPI) coming in at 161^st out of 175 countries listed.

Most Chief Compliance Officers (CCOs) and compliance practitioners had focused their third party risk management program around third parties, first on the sales side and then in the Supply Chain (SC). However now companies may well have to look at other relationships, particularly those where the company is a subcontractor involved in a country prone to corruption with a NOC or other key state owned enterprise. Last year the Wall Street Journal (WSJ) in an article entitled “Venezuelan Firm Is Probed In U.S.”, by José De Córdoba and Christopher M. Matthews, reported that a US company ProEnergy Services LLC (ProEnergy), a Missouri based engineering, procurement and construction company, sold turbines to Venezuelan company Derwick Associates de Venezuela SA (Derwick), who provided them to the Venezuelan national power company. The article reported that the DOJ’s “criminal fraud section are reviewing actions of Derwick and ProEnergy for possible violations of the Foreign Corrupt Practices Act”. Derwick was reported to have been “awarded hundreds of millions of dollars in contracts in little more than a year to build power plants in Venezuela, shortly before the country’s power grid began to sputter in 2009”. All of this with a commission rate paid by ProEnergy to Derwick of a reported 5%.

The Brazilian investigation poses far more dire consequences for any US Company that did business with the cartel of Brazilian companies that had locked up the Petrobras work. It means that you need to go back immediately and not only review the underlying due diligence which you did (probably none); then review the contracts with those entities; and, finally, cross-reference to see if there were any contract over-charges which were rebated back to the cartel members. If so, you may well have a serious problem on your hands as any unwarranted rebates, refunds, customer credits or anything else that could have been readily converted into cash to be used to fund a bribe.

This second part is one thing that challenges many compliance officers. The compliance function does not always have visibility into the transactions assigned to specific contracts or projects like your company might be engaged in for Petrobras in Brazil. However it also speaks to the need for transaction monitoring as not simply a cutting edge technique or even best practice but a required financial controls tool that is also applicable to compliance internal controls as well.

As Brazilian prosecutors expand ever outward from Petrobras, US companies subject to the FCPA and UK companies and others subject to the UK Bribery Act would do well to review everything around their Brazilian operations, contracts and dealings. The Petrobras scandal has shown two clear trends to-date. First is that we are far from the end of this scandal. Second, the prosecutors have been fearless so far in following the corruption trail wherever it may go. If they follow it to US companies, they could prosecute them on their own in Brazil for violation of domestic anti-bribery and anti-corruption laws or turn the evidence over to the DOJ. The thing to do now is to get out ahead of this all too certain waterfall.

© Thomas R. Fox, 2015

Comments (1)

July 14, 2015

Great Structures Week II – Structures from Ancient Egypt and Greece

I continue my Great Structures Week with a focus on great structures from the earliest times, ancient Egypt and Greece. I am drawing these posts from The Teaching Company course, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. From Egypt there are of course the Pyramids, of which Ressler says, “They’re important, not just because they’re great structures, but also because they represent some of the earliest human achievements that can legitimately be called engineering. The Great Pyramid of Giza stands today as a testament to the strength and durability of Egyptian structural engineering skills.”

From Greece we derive what Vitruvius called the “Empirical Rules for Temple Design” which define a “single dimensional module equal to the radius of a column in the temple portico, then specify all other dimensions of the building in terms of that module.” These rules are best seen in Greek temples, largely consisting of columns, which are defined as “a structural element that carries load primarily in compression” and beams, which are “structural elements subject to transverse loading and carry load in bending.” My favorite example of the use of columns is seen in the Parthenon; the most famous of all Greek temples still standing.

In many ways these two very different structures stand as the basis of all structural engineering and Great Structures that come later throughout history. For any anti-corruption compliance regime based on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery statutes, the same is true for a Code of Conduct and written policies and procedures. They are both the building blocks of everything that comes thereafter.

In an article in the Society for Corporate Compliance and Ethics (SCCE) Complete Compliance and Ethics Manual, 2^nd Ed., entitled “Essential Elements of an Effective Ethics and Compliance Program”, authors Debbie Troklus, Greg Warner and Emma Wollschlager Schwartz, state that your company’s Code of Conduct “should demonstrate a complete ethical attitude and your organization’s “system-wide” emphasis on compliance and ethics with all applicable laws and regulations.” Your Code of Conduct must be aimed at all employees and all representatives of the organization, not just those most actively involved in known compliance and ethics issues. From the board of directors to volunteers, the authors believe that “everyone must receive, read, understand, and agree to abide by the standards of the Code of Conduct.” This would also include all “management, vendors, suppliers, and independent contractors, which are frequently overlooked groups.” Parethnon

There are several purposes identified by the authors that should be communicated in your Code of Conduct. Of course the overriding goal is for all employees to follow what is required of them under the Code of Conduct. You can do this by communicating what is required of them, to provide a process for proper decision-making and then to require that all persons subject to the Code of Conduct put these standards into everyday business practice. Such actions are some of your best evidence that your company “upholds and supports proper compliance conduct.”

The substance of your Code of Conduct should be tailored to the company’s culture, and to its industry and corporate identity. It should provide a mechanism by which employees who are trying to do the right thing in the compliance and business ethics arena can do so. The Code of Conduct can be used as a basis for employee review and evaluation. It should certainly be invoked if there is a violation. To that end, I suggest that your company’s disciplinary procedures be stated in the Code of Conduct. These would include all forms of disciplines, up to and including dismissal, for serious violations of the Code of Conduct. Further, your company’s Code of Conduct should emphasize it will comply with all applicable laws and regulations, wherever it does business. The Code needs to be written in plain English and translated into other languages as necessary so that all applicable persons can understand it.

The written policies and procedures required for a best practices compliance program are well known and long established. As stated in the FCPA Guidance, “Among the risks that a company may need to address include the nature and extent of transactions with foreign governments, including payments to foreign officials; use of third parties; gifts, travel, and entertainment expenses; charitable and political donations; and facilitating and expediting payments.” Policies help form the basis of expectation and conduct in your company and Procedures are the documents that implement these standards of conduct.

Another way to think of policies, procedures and controls was stated by Aaron Murphy, now a partner at Foley & Lardner, in his book “Foreign Corrupt Practices Act”, when he said that you should think of all three as “an interrelated set of compliance mechanisms.” Murphy went on to say that, “Internal controls are policies, procedures, monitoring and training that are designed to ensure that company assets are used properly, with proper approval and that transactions are properly recorded in the books and records. While it is theoretically possible to have good controls but bad books and records (and vice versa), the two generally go hand in hand – where there are record-keeping violations, an internal controls failure is almost presumed because the records would have been accurate had the controls been adequate.”

Borrowing from an article in the Houston Business Journal (HBJ) by John Allen, entitled “Company policies are source and structure of stability”, I found some interesting and important insights into the role of policies in any anti-corruption compliance program. Allen says that the role of policies is “to protect companies, their employees and consumers, and despite an occasional opposite outcome, that is typically what they do. A company’s policies provide a basic set of guidelines for their employees to follow. They can include general dos and don’ts or more specific safety procedures, work process flows, communication guidelines or dress codes. By establishing what is and isn’t acceptable workplace behavior, a company helps mitigate the risks posed by employees who, if left unchecked, might behave badly or make foolhardy decisions.”

Allen notes that policies “are not a surefire guarantee that things won’t go wrong, they are the first line of defense if things do.” The effective implementation and enforcement of policies demonstrate to regulators and the government that a “company is operating professionally and proactively for the benefit of its stakeholders, its employees and the community it serves.” If it is a company subject to the FCPA, by definition it is an international company so that can be quite a wide community.

Allen believes that there are five key elements to any “well-constructed policy”. They are:

identify to whom the policy applies;
establish the objective of the policy;
explain why the policy is necessary;
outline examples of acceptable and unacceptable behavior under the policy; and
warn of the consequences if an employee fails to comply with the policy.

Allen notes that for polices to be effective there must be communication. He believes that training is only one type of communication. I think that this is a key element for compliance practitioners because if you have a 30,000+ worldwide work force, the logistics alone of such training can appear daunting. Consider gathering small groups of employees, where detailed questions about policies can be raised and discussed, as a powerful teaching tool. Allen even suggests posting Frequently Asked Questions (FAQ’s) in common areas as another technique. And do not forget that one of the reasons Morgan Stanley received a declination to prosecute by the Department of Justice (DOJ) was that it sent out bi-monthly compliance reminder emails to its employee Garth Peterson for the seven years he was employed by the company.

The FCPA Guidance ends its section on policies with the following, “Regardless of the specific policies and procedures implemented, these standards should apply to personnel at all levels of the company.” Allen puts a bit differently in that “it is important that policies are applied fairly and consistently across the organization.” He notes that the issue can be that “If policies are applied inconsistently, there is a greater chance that an employee dismissed for breaching a policy could successfully claim he or she was unfairly terminated.” This last point cannot be over-emphasized. If an employee is going to be terminated for fudging their expense accounts in Brazil, you had best make sure that same conduct lands your top producer in the US with the same quality of discipline.

For a review of what goes into the base structures of a best practices compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

© Thomas R. Fox, 2015

Leave a Comment

July 13, 2015

Great Structures Week I: Vitruvius, the Brooklyn Bridge and Compliance

Filed under: Best Practices,Bribery Act,Compliance,Compliance and Ethics,compliance programs,Department of Justice,FCPA,FCPA Guidance,OECD,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, Bribery Act, compliance programs, Department of Justice, DOJ, OECD, The Teaching Company, Vitruvius

I recently completed a course from The Teaching Company, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. It was a wonderful learning experience about some of the world’s greatest structures and the development of structural engineering throughout history. As I worked my way through the course, it occurred to me that many structural engineering concepts are apt descriptors for an anti-corruption compliance program. So today, I will begin the ‘Great Structures Week’ as an entrée into an appropriate topic for your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption/anti-bribery compliance program. Each day I will discuss a structural engineering concept together with one my favorite examples from Professor Ressler’s course.

To open the series I will consider what makes a structure great. Marcus Vitruvius Pollio (Vitruvius) was a Roman author, architect, and civil engineer during the 1st century BC, known for his work entitled De Architectura. Vitruvius is famous for proclaiming that a structure must exhibit the three qualities of firmitas, utilitas and venustas, meaning that it must be solid, useful and beautiful. These are sometimes termed the Vitruvian Triad and today these are loosely translated that great constructions must have form, function or structure. Form is the arrangement of space and harmony. Function is the measure of usefulness. Structure contains innovative techniques in its creation.

My favorite example of a structure that incorporates all three of these concepts is the Brooklyn Bridge. The beauty of the form follows the functions of the scientific principles that underlie the bridge’s structure. As Ressler noted “Each element of the form of the Brooklyn Bridge serves a structural purpose based on mathematical principles.” First the form itself is one of great beauty. The function remains the same, even if the modes of transport have evolved; the Bridge was designed to carry people from Brooklyn to Manhattan. Yet as Ressler notes, “beyond the aesthetic, these features are a direct reflection of the scientific principles underlying the bridge’s design. They are, in a word, structure – a system of load carrying elements that cause the bridge to stand up.” We have a graceful and elegant design, which operates to safely conduct people over the Hudson River, through an engineering design that allows the structure to act as intended.

This convergence of Vitruvius’ tripartite view of what makes a great structure is an appropriate analogy for a best practices anti-corruption compliance program to facilitate compliance with the FCPA, UK Bribery Act or similar regime. Over the years both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear that each company should have a compliance program that fits its needs. Indeed, in the FCPA Guidance, it could not have been made clearer when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program.” The Guidance goes on to state the obvious when it notes, “companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations”.

The Guidance goes on to note, “Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

Yet when viewed through Vitruvius’ prism, it is clear that an anti-corruption compliance program is much more holistic, with form, function and structure. A good compliance program is really about good financial controls. I think this is one outlook of FCPA compliance which is not discussed enough. Stanley Sporkin, in many ways the progenitor of the law, recognized that if a company was going to engage in corruption it would have to hide such activity through falsified books and records. Hence, he articulated the basis for having the accounting provisions included when Act was originally written and enacted into law. These provisions include both the books and records provision and the internal controls provision. The Guidance says, “the accounting provisions ensure that all public companies account for all of their assets and liabilities accurately and in reasonable detail”. So the form of a compliance program should be largely in financial controls that are baked into a company.

The formula of a compliance program can follow several forms. It can be based on the Ten Hallmarks of an Effective Compliance Program from the FCPA Guidance, the Six Principles of Adequate Procedures as contemplated by the UK Bribery Act; the OECD 13 Good Practices or other formulations such as the Five Elements of an Effective Compliance Program developed by Stephen Martin and Paul McNulty from the law firm of Baker & McKenzie. The form of any of these articulations meets the Vitruvius definition.

Next is the function. Here I think it is appropriate to consider what the FCPA Guidance says regarding internal controls, that being “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” This language points to function of any best practices compliance program, to make the company a better-run company.

Finally, in the area of structure it is incumbent to recall that any best practices anti-corruption compliance program continues to evolve. It evolves with technological innovations such as transaction or continuous controls monitoring. But a compliance program must evolve as your company evolves. Changing commercial realities and conditions can create new or increased FCPA compliance risks. Your compliance program needs to be able to detect, assess and manage new risk as your business creates new products; moves into new territories or develops new sales channels. The FCPA Guidance states, “They are dynamic and evolve as the business and the markets change.” To do so, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry.”

For a review of what goes into a best practices compliance program, I would suggest you check out my book, entitled “Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program”, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

© Thomas R. Fox, 2015

Leave a Comment

July 6, 2015

The All-Star Game and Tone at the Top

Filed under: Best Practices,Bribery Act,compliance programs,Department of Justice,FCPA,FCPA Guidance,OECD,Ten Hallmarks of an Effective Compliance Program,Tone at the Top — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act

Today is the 83^rd anniversary of the initial Major League Baseball (MLB) All-Star Game, which took place on this date in 1933, in Chicago’s Comiskey Park. The brainchild of a determined sports editor, the event was designed to bolster the sport and improve its reputation during the darkest years of the Great Depression. The sports editor of the Chicago Tribune convinced his owner to allow him to lobby for the game with MLB’s Commissioner, Kenesaw Mountain Landis, and the owners. To win over the public, they allowed fan balloting for the Game’s players. The proceeds went to a charity for retired baseball players. The Game was a rousing success and has continued as an institution to this day.

The conception and execution of the first All-Star Game shows what a committed tone from top management can create. Last week I wrote a couple of posts dealing with the tone for an organization around compliance with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA); one on tone in the middle and one on tone at the bottom. As usual, when I begin writing about a topic, I do not seem to be able to start where I thought I would end. So today, with the anniversary of the first MLB All-Star Game in mind, I decided to round out my triumvirate of posts by concluding with some thoughts on Tone at the Top and the reasons why it is so important to any anti-corruption compliance program.

Quite simply, any compliance program starts at the top and flows down throughout the company. Before you arrive at tone in the middle and bottom, it must start with a commitment at the top. All regulatory schemes for anti-corruption compliance recognize this key hypothesis. The concept of an appropriate tone at the top is in the US Sentencing Guidelines for organizations accused of violating the FCPA; the FCPA Guidance; the UK Bribery Act’s Six Principles of Adequate Procedures; and the OECD Good Practice Guidance on Internal Controls, Ethics and Compliance (OECD Good Practices). The reason all of these guidelines incorporate it into their respective practices is that all employees look to the top of the company to see what is important.

The US Sentencing Guidelines reads:

High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program … and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

The OECD Good Practices reads:

strong, explicit and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programs or measures for preventing and detecting foreign bribery;

The UK Bribery Act’s Six Principles of Adequate Procedures reads:

The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.

The FCPA Guidance, under the section entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a “culture of compliance” and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees at all levels of a business.” But the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) expect more than simply to have senior management say the right things. They both expect that such message will be pushed down the ranks of an enterprise so that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant middle managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure. In short, compliance with the FCPA and ethical rules must start at the top. DOJ and SEC thus evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”

The FCPA world is riddled with cases where the abject failure of any ethical “Tone at the Top” led to enforcement actions and large monetary settlements. In the two largest monetary settlements of enforcement actions to date, Siemens and Halliburton, for the actions of its former subsidiary KBR, the government specifically noted the companies’ pervasive tolerance for bribery. In the Siemens case, for example, the SEC noted that the company’s culture “had long been at odds with the FCPA” and was one in which bribery “was tolerated and even rewarded at the highest levels”. Likewise, in the Halliburton matter, the government noted that “tolerance of the offense by substantial authority personnel was pervasive” throughout the organization.

So how can a company overcome these employee attitudes and set, or re-set, its “Tone at the Top”? In a 2008 speech to the State Bar of Texas Annual Meeting, reprinted in Ethisphere, Larry Thompson, PepsiCo Executive Vice President (EVP) of Governmental Affairs, General Counsel (GC) and Secretary, discussed the work of Professor Lynn Sharp at Harvard. From Professor Sharp’s writings, Mr. Thompson cited five factors, which are critical in establishing an effective integrity program and to set the right “Tone at the Top”.

The guiding values of a company must make sense and be clearly communicated.
The company’s leader must be personally committed and willing to take action on the values.
A company’s systems and structures must support its guiding principles.
A company’s values must be integrated into normal channels of management decision-making and reflected in the company’s critical decisions.
Managers must be empowered to make ethically sound decisions on a day-to-day basis.

David Lawler, writing in his book “Frequently Asked Questions in Anti-Bribery and Corruption”, boiled it down as follows “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” Lawler went on to provide a short list of points that he suggests senior management engage in to communicate the type of tone to follow an anti-corruption regime. I had a Chief Executive Officer (CEO) of a client who, after I described his role in a best practices compliance program, observed, “You want me to be the ambassador for compliance.” I immediately averred in the affirmative. The following is a list of things that a CEO can do as an ‘Ambassador of Compliance’:

Reject a ‘do as I say, not as I do’ mentality;
Not just ‘talk-the-talk’ but ‘walk-the-walk’ of compliance;
Oversee creation of a written statement of a zero tolerance towards bribery and corruption;
Appoint and fully resource, with money and headcount, a Chief Compliance Officer (CCO);
Oversee the development of a Code of Conduct and written compliance program implementing it;
Ensure there are compliance metrics on all key business reports;
Provide leadership to middle managers to facilitate filtering of the zero tolerance message down throughout the organization;
Not only have a whistleblowing, reporting or speak up channel but celebrate it;
Keep talking about doing the right thing;
Make sure that you are seen providing your CCO with access to yourself and the Board of Directors.

Coming at it from a different perspective, author Martin Biegelman provides some concrete examples in his book, entitled “Building a World Class Compliance Program – Best Practices and Strategies for Success”. He begins the chapter discussed here with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. Biegelman cites to a list used by Joe Murphy regarding actions a CEO can demonstrate to set the requisite tone from the Captain’s Chair of any business. The list is as follows:

Keep a copy of the Constitution on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
Clout. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer report directly to the Board of Directors.
Make them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
Sticks and Carrots. Have both sanctions for violation of company compliance and ethics policies and incentives for doing business in a compliant manner.
Don’t do as I say, Do as I do. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
Be a Student. Be seen at intra-company compliance training. Take a one or two day course or attend a compliance conference outside your organization.
Award Compliance. You should recognize outstanding compliance efforts with companywide announcements and awards.
The Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the audit or compliance committee.
Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Audit Committee.
Vendors. Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
Network. Talk to others in your industry and your peers on how to improve your company’s compliance efforts.

Many companies struggle with some type of metric that can be used for upper management regarding compliance and communication of a company’s compliance values. One technique might be to require the CEO to post companywide emails or other communications once a quarter on some compliance related topic. The CEO’s direct reports would then also be required to email their senior management staff a minimum of once per quarter on a compliance topic. One can cascade this down the company as far as is practicable. Reminders can be set for each communication so that all personnel know when it is time to send out the message. If these communications are timely made, this metric has been met.

I hope that you can use some of the techniques for setting, creating and moving an appropriate tone for compliance throughout your organization. And, of course, enjoy the 2015 All-Star Game. Although the Astros now play in the American League (AL), my heart is still with the National League (NL).

© Thomas R. Fox, 2015

Leave a Comment

June 25, 2015

Custer’s Last Stand and Risk Management

Filed under: Best Practices,Chief Compliance Officer,Compliance,Compliance and Ethics,compliance programs,FCPA,Risk Assessment,Risk Management — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, Risk Management

On this day in 1876 one of the greatest failures in risk management took place when Lieutenant Colonel George Armstrong Custer and his entire 7^th Cavalry were wiped out at the Battle of the Little Big Horn. Custer had split his command into three wings and he took his battalion of 200 or so men down the center of what he thought would be little resistance. Instead he found that he was facing a far superior force of 3000 largely Sioux warriors who quickly overwhelmed and defeated Custer’s command, with all US troops being killed. There is now some debate on whether all the cavalrymen were actually killed by the Native Americans or took their own lives, saving the last bullet for themselves, in western parlance.

Historians have debated over time the reason for Custer’s defeat. Was it arrogance; bad intelligence; faulty command, just plain stupidity or even a wish for martyrdom by Custer? Whichever the cause, it was the worse defeat of the US Army by Native Americans in the Western campaigns of the later 1800s. Today, it might be termed as a faulty assessment and management of the risks involved.

I thought about Custer and his defeat when I read a recent article in the Harvard Business Review (HBR), entitled “Strategy How to Live With Risks”. It presented risk, risk assessments and risk management in a new light, a key acumen being that risk management should be used as a “protection shield, not an action stopper.” It was based upon a research paper by the CEB, entitled “Reducing Risk Management’s Organizational Drag”, which I thought it had some interesting insights for the Chief Compliance Officer (CCO) or compliance practitioner.

The first insight is that, in many instances, companies are assessing risks that are in the rear-view mirror. The author pointed to the Sarbanes-Oxley (SOX) Act, passed in response to the Enron and Worldcom accounting scandals in noting, “In the wake of the 2008 financial crisis many large banks changed their business models, and other companies implemented systems to better manage credit risks or eliminate overreliance on mathematical models.” This type of mentality can lead to what the author says, is “a variation on what military historians call “fighting the last war.” As memories of the recession fade, leaders worry that risk management policies are impeding growth and profits without much gain.” The author went on to quote Matt Shinkman of CEB, a member based advisory company, for the following insight “Firms are questioning whether the models they put in place after the financial crisis are working—and more fundamentally questioning the role of risk management in their organizations.”

This retrospective look back is coupled with what the author says is a decision making process which “is too slow, in part because of an excessive focus on preventing risk” and not managing risk; in other words, companies were slowed down even further by something termed “organizational drag”. Companies need to find new mechanisms to assess and manage risk going forward. The best way to do so, many companies have indicated, is through reorganizing or reprioritizing risk management and the article presented “three best practices” in doing so.

Strike the Right Balance Between Risk and Reward

Recognizing that risk management is often simply ‘just saying no’, the HBR articcle suggests that “Today’s risk managers see their role as helping firms determine and clarify their appetite for risk and communicate it across the company to guide decision making. In some cases this means helping line managers reduce their risk aversion.” The interesting insight I found here is that if an asset is low performing it may be because the management is so risk averse. This may present a CCO or compliance practitioner with an opportunity to increase growth through other risk management solutions that they could implement.

Focus on decisions, not process

This insight is one that CCO and compliance practitioners should think about and try and implement. Recognizing that risk assessments are important, the author believes that risk managers should focus more on decisions concerning risk rather than the process of determining risk. This means, “In addition to relying on paperwork or process, risk managers are turning to tools (such as dashboards that show risks in real time) and training that help employees assess risk. They are also helping companies factor a better understanding of risk into their decision making.”

By having a seat at the senior management’s table, a CCO or compliance practitioner can help identify risk issues early on in planning. This allows a COO to help craft a risk management solution, or even better yet show colleagues how to “spot potential problems and managers see how their projects fit into the company’s overall portfolio of projects, each with its own set of risks.” The author again quoted Shinkman, “This is less about listing risks from a backward-looking perspective and more about picking the right portfolio of risky projects.”

Make employees the first line of defense

The author channels his inner Howard Sklar (water is wet) by stating, “Decisions don’t make themselves, people make them”. However from that insight, the author believes that “smart companies work to improve employees ability to incorporate appropriate levels of risk when making choices.” But this means you must not only adequately train your employees to spot the appropriate risk but you, as CCO must provide them with tools to manage the risk. The author wrote, “Companies are also trying to identify which types of jobs or departments face a disproportionate share of high-risk decisions so that they can aim their training at the right people. They’re focusing that training less on risk awareness and more on simulations or scenarios that let employees practice decision making in risky situations. Finally, risk managers are becoming more involved in employee exit interviews, because people leaving an organization often identify risks that others aren’t able or willing to discuss.”

The article ends by noting that the goal is “to transform risk management from a peripheral function to one with a voice integrated into the day-to-day management” of an organization. That is also viewed as a component of CCO 2.0 and a more mature model of improvement. By focusing on training employees on how to spot Foreign Corrupt Practices Act (FCPA) compliance risks and then providing them with the tools to adequately manage that risk, CCOs can deliver greater value.

© Thomas R. Fox, 2015

Comments (2)

June 24, 2015

Pink Flamingos and the Compliance Audit

Filed under: Audit,Best Practices,Chief Compliance Officer,Compliance,Compliance and Ethics,compliance programs,Department of Justice,FCPA,FCPA Guidance,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, New York Times, NYT

The creator of one of the most ubiquitous symbols of mid-century Americana died earlier this week. Don Featherstone, the creator of the pink plastic lawn flamingo, the ultimate symbol of American lawn kitsch, has died. He was 79. Featherstone, a trained sculptor with a classical art background, created the flamingo in 1957 for plastics company Union Products, modeling it after a bird he saw in National Geographic. Millions of the birds have been sold. Whether you think of the Pink Flamingo as a symbol of Miami Vice, Jon Waters and Devine or for something less salacious, here is to Featherstone, a true original.

While Featherstone created one of the ultimate symbols of the second half of the 20^th century for a generation of South Floridians, the Japanese company Takata Corporation (Takata) continues to be in the news for much less prestigious reasons. As reported in the New York Times (NYT), in an article entitled “Senate Panel Says Tanaka Cut Audits on Safety”, Hiroko Tabuchi and Danielle Ivory said “In the middle of what would become the largest automotive recall in US history, the Japanese airbag manufacturer Takata halted global safety audits to save money”. Interesting (or perhaps ominously might be a better word) Takata responded by saying it had not halted safety audits for products but rather for worker safety. Doesn’t that give you some comfort?

A US Senate committee report found that “Takata halted global safety audits at its manufacturing plants in 2009, a year after Honda had started recalling a small number of cars to replace the airbags.” These audits were later restarted in 2011 but when they found safety issues related to airbag manufacturing in two key plants, “those findings were not shared with Takata’s headquarters in Tokyo, the report said, citing internal emails from Takata’s safety director at the time.” Moreover, “when the safety director returned to the plant months later to conduct a follow-up audit, employees appeared to scramble to create the appearance of a safety committee within the plant.” Finally, and perhaps most damningly, the report cited an internal Takata email which said, “No safety committee, as such, has been formed” at the plants in question.

Foreign Corrupt Practices Act (FCPA) compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became mainstays of any best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program, either under the FCPA, UK Bribery Act or any other anti-corruption regime. Indeed audits are specifically delineated in the FCPA Guidance as a way to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical and unfortunately with Takata seemed to be lacking in its safety audit protocol: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited.

Auditing can take several different forms in an anti-compliance program. As a matter of course, you should audit the compliance program in your own organization. A forensic audit can collect and analyze accounting and internal-controls evidence in your compliance regime. This information can be used to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Further, an internal audit can review a compliance process to determine if employees are following prescribed processes or internal controls, in an operational Sarbanes-Oxley (SOX) or FCPA compliance audit.

In addition to the collection and analysis of evidence, an auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. Obviously one of the functions of such an audit is to determine if further investigation is warranted.

Now imagine if this scenario had been followed by Takata. The lack of a safety committee is a glaring omission at any manufacturing facility. Simply noting this and reporting it up the chain could have gone some way towards preventing the situation the company now finds itself in; with a worldwide recall of up to 32 million vehicles. The same is true for a compliance audit. Just as monitoring can provide information to you on a more real-time basis; a compliance audit compliments this real-time oversight with a much deeper dive into what has happened on a historical basis.

The recent BHP Billiton FCPA enforcement action is certainly one to look at in this context. Although there was a committee set up to review gifts and travel requests for the company’s 2008 Olympic hospitality program, the committee did not fulfill this charge. It was alleged in the Securities and Exchange Committee (SEC) settlement documents that this committee was never intended to pass muster on the applications for tickets and travel for government officials but was simply there to provide guidance.

Once again this situation points out the difference between having a paper compliance program in place and the actual doing of compliance. Even with an appropriate oversight structure in place BHP Billiton did not do the work of compliance by evaluating the applications for travel and tickets to the Beijing Olympics but left it to the devices of the business unit employees who were making the requests and ultimately most directly benefited from the gifting.

Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties below are some of the areas you may wish to consider reviewing:

Contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
Determine that actual due diligence took place on the third party vendor.
Review the FCPA compliance training program for any vendor; both the substance of the program and attendance records.
Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
Does the third party vendor have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
Review expense reports for employees in high risk positions or high risk countries.
Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

The compliance function still is behind the safety function in terms of maturity. Because of this there are many lessons which a Chief Compliance Officer (CCO) or compliance practitioner can draw upon from our colleagues in safety. The safety audit is certainly a technique that can be drafted into your compliance program. But as the ongoing Takata air bag debacle demonstrates, your audit only works if you actually perform it. In other words, the protocol is simple, everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

Leave a Comment

June 22, 2015

George Carlin and Erga Omnes: the Petrobras Bribery Scandal Expands

Filed under: Best Practices,compliance programs,Corruption in Brazil,Department of Justice,FCPA,Petrobras,Wall Street Journal,WSJ — tfoxlaw @ 12:01 am
Tags: BBC, best practices, compliance, compliance programs, corruption, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, Wall Street Journal, WSJ

On this date in 2008 George Carlin died. If you grew up in the late 1960s or early 1970s and you had anti-parental or anti-establishment inklings, which of course all teenagers do, you knew about George Carlin. In the early 1960s, Carlin was a relatively clean-cut, conventional comic. But around 1970, he reinvented himself as an eccentric, biting social critic and commentator. In this new incarnation, Carlin began appealing to a younger, hipper audience. He grew out his hair and added a beard together with a wardrobe in the stereotypically hippie style.

Carlin’s comedy also became counter-culture, not Cheech and Chong, hippy-dippy dopers, but with pointed jokes about religion, politics yet with frequent references to drugs. His second album with his new routine, FM/AM, won a Grammy Award for Best Comedy Recording. My favorite cut was the 11 O’Clock News. But it was his third album Class Clown that had, what I believe, to be the greatest comedy monologue ever, the profanity-laced routine “Seven Words You Can Never Say on Television.” When it was first broadcast on New York radio, a complaint led the Federal Communications Commission (FCC) to ban the broadcast as “indecent.” The US Supreme Court later upheld the order, which remains in effect today. The routine made Carlin a hero to his fans and got him in trouble with radio brass as well as with law enforcement; he was even arrested several times, once during an appearance in Milwaukee, for violating obscenity laws.

Interestingly I thought about Carlin and his pokings of the Establishment (AKA The Man) when I read several articles over the weekend about the recent spate of arrests around the Petrobras bribery and corruption scandal. In article in the Wall Street Journal (WSJ), entitled “Brazil Probe Sweeps Up Corporate Magnates” Will Connors, Rogerio Jelmayer and Paul Kiernan reported that “Brazilian officials arrested the heads of two Latin American construction giants, alleging they helped to mastermind a cartel that stole billions of dollars from state-run oil company Petrobras with the help of corrupt politicians to whom they paid kickbacks.” Also arrested with the heads of the two companies, Marcelo Odebrecht, head of Odebrecht SA and Chief Executive Officer (CEO) of Andrade Gutierrez, Otávio Azevedo.

The WSJ article reported that “Odebrecht is Latin America’s largest construction conglomerate, with business in the U.S., Europe and Africa, and whose head, Marcelo Odebrecht, is a household name in Brazil. Andrade Gutierrez has business in 40 countries. The privately owned companies are deeply involved in the development of stadiums and infrastructure for the 2016 Summer Olympics in Rio de Janeiro.” Moreover, Odebrecht is reported to have “a presence in 21 countries”. Obviously a question is if the company had engaged in bribery and corruption in Brazil, did they do so in any of the other countries in which they are doing business?

Interestingly, these arrests “come months after the heads of other construction companies were detained by Brazilian authorities.” Indeed in a BBC article in , entitled “Petrobras scandal: Top construction bosses arrested in Brazil”, David Gallas said, “Odebrecht had been named by former Petrobras executives as one of the companies that allegedly paid bribes in exchange for contracts with the oil firm, but until now the firm had not been targeted by investigators.” The WSJ article quoted Brazilian prosecutor Carlos Fernando dos Santos Lima who said at a news conference that the executives from the two companies had not been arrested earlier as the entities, “had a more sophisticated system for making the alleged bribe payments, using foreign bank accounts in Switzerland, Monaco and Panama, so it took longer to prove their case.” David Fleischer, a Brasilia based political analyst, quoted in the WSJ article was even more circumspect. He said, “The prosecutors are very careful. If you’re going after big fish you want to make sure you can take them down.”

Brazilian police said the arrests were “Erga omnes” which the WSJ translated from Latin as “towards all”. I thought about that statement in light of the ongoing debate about enforcement of the Foreign Corrupt Practices Act (FCPA) here in the US. On one side is the Chamber of Commerce and their allies who raise the ever-burgeoning cry that the Department of Justice (DOJ) needs to prosecute the invidious ‘Rogue employees’ who violate the FCPA. You will notice they never want the DOJ to look at the executives who might facilitate payment of bribes in the first place; whether through faux commitment to doing business in compliance, failing to properly allocate resources to compliance and ethics, simply rewarding those employees who git ‘er done no matter what the circumstances or (my favorite) putting a paper program in place and calling it a best practices compliance program.

Indeed those progenitors of relaxed enforcement want the DOJ to back off and let them do business the old fashioned way. However, if the bribery and corruption news from the first half of this year has told the world anything, it is about the dire effects of allowing such illegal conduct to take place and warning against slacking off laws which mandate doing business without bribery and corruption. In another WSJ article, entitled “Roots of a Brazilian Scandal That Weighs Heavily on the Nation’s Economy, Politics”, Marla Dickerson noted, “The scandal has crippled Petrobras, Brazil’s largest and most important company. In late April, the company wrote off more than $16 billion related to losses from graft and overvalued assets. The company’s woes have all but paralyzed the nation’s oil and gas sector. Hurt by slumping oil prices and strapped for cash, Petrobras has slashed investments, sparking a wave of credit downgrades, bankruptcies and layoffs among its suppliers that the weighed on Brazil’s economy.”

I wonder what George Carlin might have thought about all of this. He might have said that what else would you expect but I am relatively certain he would have done so while also sticking his thumb in the eye of The Man.

For a YouTube version of the 11 O’Clock News, click here.

For a YouTube version of the 7 words you can never say on television, click here.

Leave a Comment

June 19, 2015

Tribute to John David Crow and an Innovation Strategy for Your Compliance Program

Filed under: Best Practices,Compliance,compliance programs,Department of Justice,FCPA,FCPA Guidance,Harvard Business Review,IAP,Innovation,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, DOJ, FCPA, Harvard Business Review, HBR

John David Crow died Wednesday. Until Johnny Football, he was the only football player from Texas A&M University to win the Heisman Trophy. He played under the legendary Paul ‘Bear’ Bryant at A&M and for all of Bryant’s success, Crow was the his only player to win the award given annually to the nation’s best collegiate football player. Crow had a productive professional football career making the Pro-Bowl four times. He was also the Athletic Director at A&M from 1989 to 1993. So here’s to John David Crow, one of the Junction Boys and one of the greatest players in the history of Texas A&M. Finally, let me say something I almost never say, Gig ‘Em, John David.

I thought about John David Crow and his legacy of greatness when I read an article in the June issue of the Harvard Business Review (HBR), entitled “You Need an Innovation Strategy”, by Gary P. Pisano. While Pisano’s article dealt more generally with innovation in marketing, I found it highly relevant for the Chief Compliance Officer (CCO) or compliance practitioner, particularly in the context a Foreign Corrupt Practices Act (FCPA) compliance program. Earlier this week, the Department of Justice (DOJ) announced the resolution of a FCPA investigation involving IAP Worldwide Services, Inc. (IAP) via a Non-Prosecution Agreement (NPA). In the NPA, the company committed to implementing and enhancing a best practices FCPA compliance program. Listed at element 18 of its compliance program is the following: “The Company will conduct periodic reviews and testing of its anti-corruption compliance code, policies, and procedures designed to evaluate and improve their effectiveness in preventing and detecting violations of anti-corruption laws and the Company’s anti-corruption code, policies, and procedures, taking into account relevant developments in the field and evolving international and industry standards.”[Emphasis supplied]

This means that the DOJ expects innovation in your compliance program to keep up with evolving international and industry standards. This requires you to implement an innovation strategy. While Pisano’s article does not specifically focus on compliance, I found that its concepts would help a CCO or compliance practitioner sustain the mandate for innovation in a compliance regime. Pisano’s article begins by stating the problem that many companies face is that “innovation remains a frustrating pursuit.” While acknowledging that failure to execute is an issue, Pisano believes the issue is deeper than simply a failure to execute, he believes there is a “lack of an innovation strategy.”

I found some of his basic definitions most useful for the compliance practitioner to think through innovation in the compliance function. Pisano wrote, “A strategy is nothing more than a commitment to a set of coherent, mutually reinforcing policies or behaviors aimed at achieving a specific competitive goal. Good strategies promote alignment among diverse groups within an organization, clarify objectives and priorities, and help focus efforts around them. Companies regularly define their overall business strategy (their scope and positioning) and specify how various functions – such as marketing, operations, finance, and R&D – will support it. But during my more than two decades studying and consulting for companies in a broad range of industries, I have found that firms rarely articulate strategies to align their innovation efforts with their business strategies.”

The key to success is something that every CCO or compliance practitioner should take to heart. Paraphrasing Pisano for the compliance practitioner is that the compliance function “should articulate an innovation strategy that stipulates how their [compliance] innovation efforts will support the overall business strategy.” Moreover, “creating an innovation strategy involves determining how innovation will create value for customers [of compliance, i.e. Employees], how the company will capture that [compliance] value, and which types of [compliance] innovation to pursue.”

Pisano posed several questions around this key area of connecting innovation to strategy. Initially he asked, “How will innovation create value for potential customers?” In my formula, customers become employees or others who will make use of your compliance innovation going forward. Here you should focus on the benefit for your end-using customer. Your innovation can make compliance faster, easier, quicker, more nimble and so on. But focus on that creation of value going forward. Pisano’s next question was “How will the company capture a shore of the value its innovations generate?” He suggests companies think through how to “keep their own position in the [compliance] ecosystem strong” through innovation. Pisano next asked, “What types of innovation will allow the company to create and capture value, and what resources should each type receive?” Here Pisano notes two major forms of innovation equally applicable to the CCO or compliance practitioner. They are a change in technology and a change in a business process. Both are equally valid.

Another problem that Pisano addresses is termed “overcoming prevailing winds” and this means that innovation can be driven downward or backward if there is not sufficient management support. This means not only must there be sufficient resource allocations but management must also incentivize the business units to proceed with implementing the innovations, particularly “when an organization needs to change its prevailing patterns.”

Another area Pisano addresses is “managing trade-offs” because it is inherent in any innovation strategy that there will be trade-offs. Here he terms the two key differences as “supply-push” and “demand-pull”. The supply-push approach comes when your innovation is focused on something that does not yet exist, for example if you are initially implementing a FCPA compliance regime. The demand-pull approach works more closely with your existing customer base to determine what they might need and work to implement innovation around those needs.

Interestingly Pisano ends his article with a discussion about “the leadership challenge”. I say interestingly because I would have thought that was required up front as it is the function of senior management to create the capacity for innovation in the first instance. Pisano writes, “There are four essential tasks in creating and implementing an innovation strategy.” Task 1 is to “answer the question “How are we expecting innovation to create value for customers and for our company?” and then explain that to the organization.” Task 2 “is to create a high-level plan for allocating resources to the different kinds of innovation.” Task 3 is “to manage trade-offs. Because every function will naturally want to serve its own interests, only senior leaders can make the choices that are best for the whole company.” Finally, task 4 dovetails with what almost every DOJ/SEC speaker I have ever heard say when they talk about the basics of any best practices compliance program. It is that “innovation strategies must evolve. Any strategy represents a hypothesis that is tested against the unfolding realities of markets, technologies, regulations, and competitors. Just as product designs must evolve to stay competitive, so too must innovation strategies. Like the process of innovation itself, an innovation strategy involves continual experimentation, learning, and adaptation.”

Pisano’s article provides the CCO or compliance practitioner with a framework to think through to help bring the innovation to a compliance program. I would have put leadership first, both in the compliance department and at senior management level. But however you go about it, you must recognize that your compliance program will have to evolve. That is one of the key differences between those who advocate static compliance standards embodied in a written compliance program and those who advocate that it is Doing Compliance that creates an active, vibrant and effect compliance program.

Leave a Comment

June 18, 2015

The War of 1812 and the IAP Worldwide Services Non-Prosecution Agreement

Filed under: Department of Justice,FCPA,IAP,Non-Prosecution Agreements — tfoxlaw @ 12:01 am
Tags: compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act

On this day, 203 years ago, President James Madison signed a Declaration of War against Great Britain inaugurating the War of 1812. The cause of the war was multi-faceted; the formal reason given was the British impressment of American sailors and the economic blockade of Europe. But the real reason may have simply been the warmongers who had been agitating for war against Britain for several years as an excuse to attack (and hopefully take over) Canada. For those of you who did not study geography too closely, that latter hope was forlorn as Canadians twice repulsed American invasions during the war.

That does not mean the War of 1812 was ultimately unsuccessful for the ‘War Hawks’. America got two great songs out of the war. The first was our National Anthem, the Star Spangled Banner, which celebrated victory over the British at Baltimore. The second was the top hit single of 1959, The Battle of New Orleans, which celebrated Andrew Jackson’s defeat of the British in the Battle of New Orleans, which was fought after the signing of the peace treaty that ended the war. Also that peace treaty, which America and Great Britain signed has remained unbroken to this day.

I thought about this view of the results of the War of 1812 when I read the Foreign Corrupt Practices Act (FCPA) enforcement action involving IAP Worldwide Services, Inc. (“IAP” or “the company”) and its former Vice President (VP), James Rama. The company received a Non-Prosecution Agreement (NPA) as a result of the enforcement action but agreed to a fine of $7.1MM. Rama pled guilty to a single count of conspiracy to violate the FCPA and is awaiting sentencing but his sentence will be capped out at “five years of imprisonment, a fine of the greater of $250,000 or twice the gross gain or loss, full restitution, a special assessment, and three years of supervised release” according to his Plea Agreement.

What it is difficult to determine from the company NPA and Rama Plea Agreement is what conduct the company engaged in which led to the NPA because clearly both the company and Rama engaged in conduct that violated the FCPA. In its Press Release the Department of Justice (DOJ) said, “Based on a variety of factors, including but not limited to IAP’s cooperation, the Criminal Division entered into a non-prosecution agreement with the company.” In the NPA these factors were given some meat with the following boilerplate language, “(a) the Company has cooperated with the Offices, including conducting an extensive internal investigation, voluntarily making U.S. and foreign employees available for interviews, and collecting, analyzing, and organizing voluminous evidence and information for the Offices; (b) the Company has engaged in remediation, including disciplining the officers and employees responsible for the corrupt payments or terminating their employment, enhancing its due diligence protocol for third-party agents and consultants, and instituting heightened review of proposals and other transactional documents for relevant Company contracts; (c) the Company has committed to continue to enhance its compliance program and internal controls, including ensuring that its compliance program satisfies the minimum elements set forth in Attachment C to this Agreement; and (d) the Company has agreed to continue to cooperate with the Offices in any ongoing investigation of the conduct of the Company and its officers, directors, employees, agents, and consultants relating to possible violations under investigation by the Offices.”

Since I cannot determine from beyond the above description what the company did to achieve its NPA, I will use the same analysis that I did in ascertaining what we Americans got out of the War of 1812. For the NPA did go into detail about the bribery scheme used by the company and Rama, which were clearly violative of the FCPA. Rama was a VP of the company until he signed and became an independent contractor to the organization, through his consulting entity, Ramaco. Ramaco was created, in part, to hide the involvement of IAP in the bidding process with the Kuwaiti Ministry of the Interior to provide nationwide surveillance for the country.

The bid for this project had two phases. In Phase I, a consultant would assist the Kuwaiti government to select the final contractor who would implement the nationwide surveillance for the country in Phase II. By hiding its involvement through Ramaco, IAP could reap the benefits of winning both phases, which it did. However the illegals acts of IAP and Ramaco did not end with this subterfuge but were in fact just beginning.

The Phase I contract awarded to Ramaco was worth $4MM. IAP and Ramaco agreed to rebate one-half of the amount, through a Kuwaiti third party agent back to certain representatives of the Kuwaiti government as bribe payments. In addition to this 50% figure of the contract price, IAP and Ramaco understood that this Kuwaiti third party contractor would “inflate its invoices to IAP by charging IAP for the total amount of both the legitimate services that Kuwaiti Company was providing and the payments that Kuwaiti Company was funneling to Kuwaiti Consultant without listing or otherwise disclosing the payments that were funneled to Kuwaiti Consultant.” According to the NPA, these monies were specifically “provided as bribes to Kuwaiti government officials to assist IAP in obtaining and retaining the KSP Phase I contract and to obtain the Phase II contract.”

The NPA also specified meetings which were held in the company’s headquarters in Arlington VA and that monies to be paid as bribes were wired out of a company bank account in the US to Kuwait.

All of these facts would lead me to opine that this case was egregious. There was a US company, setting up a scheme to pay bribes through both a US person, who was a former employee, and a foreign third party agent. Meetings to facilitate the scheme were held in the US and monies to fund bribes were wired out of a US bank account. There was nothing reported in the NPA which indicated that the company self-disclosed this FCPA violation. While there were statements of cooperation and remediation going forward, there was nothing other than the standard boilerplate language generally seen in NPAs.

So while the NPA does provide the Chief Compliance Officer (CCO) or compliance practitioner a good set of facts to test against in their organization, that would appear to be about it. Other than, of course, it is always better to cooperate than not. So much like what we Americans got out of the War of 1812, not much substance can be ascertained from the company’s NPA and Rama’s Plea Agreement.

For a YouTube clip of Johnny Horton singing The Battle of New Orleans, on the Ed Sullivan Show, click here.

Leave a Comment

FCPA Compliance and Ethics Blog

August 13, 2015

Cymbeline – Doing Virtue and FCPA Compliance

August 11, 2015

What Goes Downhill May Go Uphill in FCPA Compliance

July 14, 2015

Great Structures Week II – Structures from Ancient Egypt and Greece

July 13, 2015

Great Structures Week I: Vitruvius, the Brooklyn Bridge and Compliance

July 6, 2015

The All-Star Game and Tone at the Top

June 25, 2015

Custer’s Last Stand and Risk Management

June 24, 2015

Pink Flamingos and the Compliance Audit

June 22, 2015

George Carlin and Erga Omnes: the Petrobras Bribery Scandal Expands

June 19, 2015

Tribute to John David Crow and an Innovation Strategy for Your Compliance Program

June 18, 2015

The War of 1812 and the IAP Worldwide Services Non-Prosecution Agreement

January

Blogroll

Pages

Admin

Read by Email

Recent Posts from FCPA Compliance and Ethics Report: FCPA Compliance and Ethics Report

Episode 240-Bill Coffin on Compliance Week 2016

Episode 239-Jonathan Armstong On EU Privacy Shield

Episode 238-John Allen on HR Touch Points in Compliance

Episode 237-Steve McCalmont on the Avior Risk Management Platform

Episode 236-Adam Turteltaub and SCCE CCO Survey