FCPA Compliance and Ethics Blog

July 15, 2014

Mergers and Acquisitions Under the FCPA, Part II

Yesterday I began a three-part series on mergers and acquisitions under the Foreign Corrupt Practices Act (FCPA). In Part I, I reviewed what you should accomplish in the pre-acquisition stage. Today I want to look at what you should do with the information that you obtain in your pre-acquisition compliance due diligence.

Jay Martin, Chief Compliance Officer (CCO) at Baker Hughes Inc., suggests an approach that reviews key risk factors to move forward. Martin has laid out 15 key risk factors of targets under an FCPA analysis, which he believes should prompt a purchaser to conduct extra careful, heightened due diligence or, under extreme circumstances, even reconsider moving forward with an acquisition.

  1. A presence in a BRIC (Brazil, Russia, India and China) country and other countries whose corruption risk is high, for example, a country with a Transparency International CPI rating of 5 or less;
  2. Participation in an industry that has been the subject of recent anti-bribery or FCPA investigations, for example, in the oil and energy, telecommunications, or pharmaceuticals sectors;
  3. Significant use of third-party agents, for example, sales representatives, consultants, distributors, subcontractors, or logistics personnel (customs, visas, freight forwarders, etc.);
  4. Significant contracts with a foreign government or instrumentality, including state-owned or state-controlled entities;
  5. Substantial revenue from a foreign government or instrumentality, including a state-owned or state-controlled entity;
  6. Substantial projected revenue growth in the foreign country;
  7. High amount or frequency of claimed discounts, rebates, or refunds in the foreign country;
  8. A substantial system of regulatory approval, for example, for licenses and permits, in the country;
  9. A history of prior government anti-bribery or FCPA investigations or prosecutions;
  10. Poor or no anti-bribery or FCPA training;
  11. A weak corporate compliance program and culture, in particular from legal, sales and finance perspectives at the parent level or in foreign country operations;
  12. Significant issues in past FCPA audits, for example, excessive undocumented entertainment of government officials;
  13. The degree of competition in the foreign country;
  14. Weak internal controls at the parent or in foreign country operations; and
  15. In-country managers who appear indifferent or uncommitted to U.S. laws, the FCPA, and/or anti-bribery laws.

In evaluating answers to the above inquiries, or those you might develop on your own, you may also wish to consider some type of risk rating for the responses to better determine the amount of risk that your company is willing to accept. To do so, you will need to both assess risk and subsequently evaluate that risk. I have found the matrix for risk rating and assessment developed by Michele Abraham of Timken Co. useful. Risks should initially be identified and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of your post-acquisition remediation plan going forward. A risk-rating guide similar to the following can be used.

LIKELIHOOD

| Likelihood Rating | Assessment | Evaluation Criteria |
|---|---|---|
| 1 | Almost Certain | Highly likely, this event is expected to occur |
| 2 | Likely | Strong possibility that an event will occur and there is sufficient historical incidence to support it |
| 3 | Possible | Event may occur at some point, typically there is a history to support it |
| 4 | Unlikely | Not expected but there’s a slight possibility that it may occur |
| 5 | Rare | Highly unlikely, but may occur in unique circumstances |

‘Likelihood’ factors to consider: the existence of controls, written policies and procedures designed to mitigate risk; the capability of leadership to recognize and prevent a compliance breakdown; compliance failures or near misses; and training and awareness programs. The product of the ‘likelihood’ and significance ratings reflects the significance of a particular risk universe. It is not a measure of compliance effectiveness, nor is it meant to compare efforts, controls or programs against peer groups.

The key to such an approach is the action steps prescribed by the analysis. This is another way of saying that the pre-acquisition risk assessment informs the post-acquisition remedial actions to the target’s compliance program. This is the method set forth in the FCPA Guidance. I believe that the DOJ wants to see a reasoned approach with regard to the actions a company takes in the mergers and acquisitions arena. The model set forth by Michele Abraham of Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain. These would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include reps and warranties in the final sales agreement that the entire target company uses for participation in transactions as permitted under local law; that there is an absence of government owners in the company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a rep that all the books and records presented to the acquiring company for review were complete and accurate.

To emphasize all of the above, the DOJ stated in the Pfizer Deferred Prosecution Agreement (DPA), in the mergers and acquisition context, that a company is to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence is conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition of a new business for reasons beyond a company’s control, or due to any applicable law, rule, or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.

Tomorrow in Part III, I will take a look at your post-acquisition actions in the mergers and acquisition context.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

February 21, 2013

How to Introduce Change into Your FCPA Compliance Program (Without Blowing It Up)

Thucydides or Herodotus; Herodotus or Thucydides. Which is your favorite? I admit to vacillating between the two. Thucydides wrote about the end of the Athenian dynasty from the Peloponnesian War and the debacle of the Sicilian Invasion. Herodotus wrote about the beginnings of the Golden Age of the Greek City State through the defeat of the Persian Invasion of Greece. Slogging through both is never easy but it is far and away worth the effort. One of the things that both of these ancient authors wrote about was massive change.

I recently read a book review of a couple of new volumes which looked at these authors and thought about the changes wrought when implementing or enhancing a Foreign Corrupt Practices Act (FCPA) compliance program. In making a large change, most compliance practitioners think of bringing it all to a company in one fell swoop. This is usually based on a Board of Directors or senior management directive to ‘get it done’. Sometimes this can simply be overwhelming to the compliance practitioner or information overload to the troops in the field, particularly those outside the US. However, a recent article in the MIT Sloan Management Review, entitled “How to Change an Organization Without Blowing It Up”, suggests that a different approach might be appropriate. In this article, author Karen Golden-Biddle writes that there is a middle ground between wholesale change and tentative pilot projects which could allow an organization to operate more effectively.

The author believes that “Too often, conventional approaches to organizational transformation resemble the Big Bang theory.” Further, that this “Big Bang transformation attempts often fail, fostering employee discontent and producing mediocre solutions with little lasting impact.” To overcome this she believes that “organizations can seed transformation by collectively uncovering “everyday disconnects” — the disparities between our expectations about how work is carried out and how it actually is. The discovery of such disconnects encourages people to think about how the work might be done differently.”

She suggests that there are three techniques for discovering these disconnects and turning them into a way to “seed transformation from the bottom up.” These three techniques are (1) Work Discovery; (2) Better Practices; and (3) Test Training. I will look at all three and discuss how a compliance practitioner can bring them to bear to help move a compliance program forward.

I. Work Discovery – Examine Firsthand the Work Where It Is Actually Conducted

The author states that “instead of assuming that you know if the work process will be successful as it is designed, you should examine it firsthand, “as it is actually conducted.”” This will allow a company to “turn the (inevitable) surprises you uncover into assets.” She advises that senior management needs to actually see how the organization works to understand not only the expectations that they have set but also to uncover disconnects in the process. She cautions that this is not the same as a pilot project but rather should be viewed as part of a larger exploration of how a system might become the best that it can be. Put another way, the initial “design and rollout was always connected with the larger possibility, even though the possibility was in the process of becoming defined.”

For the compliance practitioner, this examination ‘in the field’ allows you to find the disconnect in the proposed compliance program or changes. That facilitates reconsidering the expectations in the program, or the understanding of how the program is designed to be conducted, and further allows you to entertain new possibilities of how to make the program work better. Compliance professionals can talk through the proposed changes to generate insights and possibilities for change and help company employees understand what the program changes will be and how the compliance program will work in their day-to-day operations.

II. Better Practices – Instead of Adopting the Best Practices of Others, Screen Your Work Through Those Best Practices in Order to Generate New Ideas

Oftentimes, particularly in the compliance arena, companies will simply review and determine the best compliance practices and then adopt them into their organization. This approach was certainly not suggested by the recently released Department of Justice (DOJ) and Securities and Exchange Commission (SEC) FCPA Guidance, where it stated “When it comes to compliance there is no one-size-fits-all program.” This sentiment was echoed by Golden-Biddle when she recommended that a company should not simply adopt another organization’s best practices, but instead should screen the way work gets done in the company and use those others’ best practices in order to generate new ideas. “In other words, use best practices to generate even better practices.”

However, other companies’ best practices can be more effectively used as a discovery technique, enabling people to go beyond replication and discover new methods for meaningful change. The author opines that studying other companies’ best practices as a discovery technique will allow employees to compare their expectations of how a new system or program will work as it is currently constituted with what might be offered by the best practice. Further, “this discovery tool imports the unfamiliar in the form of others’ best practices and pairs them with the familiar. Exploring this pairing enables people to move beyond their expectations and tease out new possibilities that are suggested by best practices elsewhere. Overlaying your current practices with someone else’s best practices in this way generates better practices — better than best because they are relevant in highly specific ways to your organization’s work.”

One way that a compliance practitioner might do this is to ask the following questions. First, what would you do differently as a result of the new compliance practice and what might you wish to incorporate into the company’s compliance practices? Next, is there anything that was not included in the new compliance policy that you believe should have been, or are there any issues which you did not know how to address when using the new policy?

III. Test Training – Use Training to Experiment With Emergent Possibilities for the Way Work Will Be Done

This part may be the most intriguing and useful as the author advocates that you can use training to develop new possibilities so that “Instead of locking down standard operating procedures during training, experiment with other, potentially better possibilities for changing the way the work will get done.” Training typically comes at the end of a policy/program revamp or enhancement. However, the use of the phrase “test training” means something different than the usual corporate training. She says that it allows a company to uncover the “disconnects between people’s expectations for how proposed solutions might operate and the actual experience of the solution in experimental settings such as training or trials. This enables people to see and come to understand what they don’t know about the solution as well as to continue to shape it for implementation, often in significant ways.”

This type of testing would allow the compliance practitioner to obtain insights from those in the field on not only what does not work but also what might work better. Consider training on a third party management program. You would usually walk the designated training group through all of the steps your policy would entail. But those in the training test group might suggest new or different information that might be relevant to evaluate a third party in the context of compliance. Such “test training” also provides an opportunity to find out what is not being discovered through the third party investigation process and to suggest a new solution.

Golden-Biddle ends her article with five points that she believes Discovery Techniques can bring to an organization. They are:

  1. Achieve the benefits of transformation without risking wholesale disruption of operations.
  2. Build a culture of continuous improvement that is embraced by leadership and employees throughout the organization.
  3. Avoid the often exorbitant costs of Big Bang transformation associated with wholesale replacement of employees.
  4. Leverage existing employee knowledge and experience for transformation.
  5. Cultivate collective, not just individual, capacity in surfacing disconnects and generating new insights and ideas that seed transformation.

To her list I would add one more, which I might put as Number 1 on the list. It is that you bring your employees into the process. By listening to them and incorporating their ideas on what works and what does not work, they not only become invested in the final compliance product but they feel like you care about what they think. That may be the biggest reason to take up some of Golden-Biddle’s Discovery Techniques.

If you want to look at how change blew things up, pick up a copy of Herodotus or Thucydides and settle down for a long winter’s read.

© Thomas R. Fox, 2013
