FCPA Compliance and Ethics Blog

March 2, 2015

Farewell to Mr. Spock and Risk Assessment Under COSO

Mr. SpockLeonard Nimoy died last Friday. He will be forever associated with the role of Mr. Spock in the original Star Trek television show which premiered in 1966. The original series ran for only three years but had a full life in syndication up through this day. He also reprised the role in six movies featuring the crew of the original series and in the recent reboot.

Mr. Spock was about a personal character for me as I ever saw on television. For a boy going through the insanity of adolescence and the early teen years, I found Mr. Spock and his focus on logic as a way to think about things. He pursued this path while dealing with his half human side, which compelled emotions. This focus also led me to explore Mediations by Marcus Aurelius. But more than simply logic and being a tortured soul, Mr. Spock and his way looking at things and Star Trek with its reach for the stars ethos inspired me when it came out and still does to this day.

Mr. Spock and his pursuit of logic inform today’s blog post. Every compliance practitioner is aware of the need for a risk assessment in any best practices compliance program; whether that program is based on the US Foreign Corrupt Practices Act (FCPA), UK Bribery Act or some other compliance law or regime. While the category of risk assessment is listed as Number 3 in the Ten Hallmarks of an Effective Compliance Program in the FCPA Guidance, both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) intone that your compliance journey begins with a risk assessment for two basic reasons. The first is that you must know the corruption risks your company faces and second, a risk assessment is your road map going forward to manage those risks.

Interestingly Risk Assessment is the second objective in the Committee of Sponsoring Organizations of the Treadway Commission (COSO) Cube. In its volume entitled “Internal Control – Integrated Framework”, herein ‘the Framework Volume’, it recognizes that “every entity faces a variety of risks from external and internal sources.” This objective is designed to provide a company with a “dynamic and iterative process for identifying and assessing risks.” For the compliance practitioner none of this will sound new or even insightful, however the COSO Framework requires a component of management input and oversight that was perhaps not as well understood. The Framework Volume says that “Management specifies objectives within the category relating to operations, reporting and compliance with such clarity to be able to identify and analyze risks to those objectives.” But management’s role continues throughout the process as it must consider both internal and external changes which can effect or change risk “that may render internal controls ineffective.” This final requirement is also important for any anti-corruption compliance internal control. Changes are coming quite quickly in the realm of anti-corruption laws and their enforcement. Management needs to be cognizant of these changes and changes that its business model may make in the delivery of goods or services which could increase risk of running afoul of these laws.

The objective of Risk Assessment consists of four principles. They are:

Principle 6 – “The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to the objectives.”

Principle 7 – “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”

Principle 8 – “The organization considers the potential for fraud in assessment risks to the achievement of objectives.”

Principle 9 – “The organization identifies and assesses changes that could significantly impact the system of internal control.”

Principle 6 – Suitable Objectives 

Your risk analysis should always relate to stated objectives. As noted in the Framework Volume, it is management who is responsible for setting the objectives. Rittenberg explained, “Too often, an organization starts with a list of risks instead of considering what objectives are threatened by the risk, and then what control activities or other actions it needs to take.” In other words your objectives should form the basis on which your risk assessments are approached.

Principle 7 – Identifies and Analyzes Risk 

Risk identification should be an ongoing process. While it should begin at senior management, Rittenberg believes that even though a risk assessment may originate at the top of an organization or even in an operating function, “the key is that an overall process exists to determine how risks are identified and managed across the entity.” You need to avoid siloed risks at all costs. The Framework Volume cautions that “Risk identification must be comprehensive.”

Principle 8 – Fraud Risk 

Every compliance practitioner should understand that fraud exists in every organization. Moreover, the monies that must be generated to pay bribes can come from what may be characterized as traditional fraud schemes, such as employee expense account fraud, fraudulent third party contracting and payments and even fraudulent over-charging and pocketing of the differences in sales price. This means that is should be considered as an important risk analysis. It is important that any company follow the flow of money and if the Fraud Triangle is present, management be placed around such risk.

Principle 9 – Identifies and Analyzes Significant Change

It really is true that if there is one constant in business, it is that there will always be change. The Framework Volume states, “every entity will require a process to identify and assess those internal and external factors that significantly affect its ability to achieve its objectives. Rittenberg intones that companies “should have a formal process to identify significant changes, both internal and external, and assess the risks and approaches to mitigate the risk” in a timely manner.

Today’s blog post is a tribute to Mr. Spock as he, Star Trek and its characters continue to teach us lessons which we can apply in business going forward. It is the process of compliance which informs your program going forward. A risk assessment is recognized by sources as diverse as the DOJ, SEC and COSO as a necessary step. Just as Mr. Spock, the Science Officer onboard the Enterprise, was required to assess the risk to the ship and crew from a scientific perspective, a risk assessment can give you the tools to not only assess the corruption compliance risk to your company but a road map to managing that risk. So farewell to my long time friend Mr. Spock, you gave to me more than I ever gave back to you. I can think of no more fitting tribute to Spock than to say Live Long and Prosper.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 25, 2015

Doing Less with Less and the Unification of Germany

Sqeezed Piggy BankI am attending the SCCE Utilities and Energy Conference in Houston this week. As usual, the SCCE has put on a great event for the compliance practitioner. This year there is live blogging by Kortney Nordum so there should be much about the conference up on the SCCE blogsite, this week and into the future. Lizza Catalano has put together a first rate program for compliance practitioners of many stripes. As an added benefit, SCCE Chief Executive Officer (CEO) Roy Snell has brought some cold weather down to Houston for the event for our late February enjoyment. While it was 80 on Saturday, today is was a balmy 36 courtesy of our Minnesotan guests.

As you might guess the current economic downturn is on everyone’s mind and a subject of much conversation. Last week I wrote a post about the depression of oil and gas prices in the energy space and some of the increased Foreign Corrupt Practices Act (FCPA) or other anti-corruption risks that might well arise from this economic downturn. Over the next couple of days, I want to explore how a Chief Compliance Officer (CCO) or compliance practitioner might think through responses to this increased compliance risk. Today I will focus on doing less with less. Tomorrow I will suggest some technological solutions.

I have been around long enough to see more than one of these economic events in the energy space. While not suggesting that we Texans never learn not to repeat our mistakes, they do seem to have a pattern. Prices drop precipitously, companies who are overstocked, over-leverage or generally over-panic; over-react and cut head count and spending dramatically to some level that is not based on rational economic analysis. Then they get some handle on where the numbers might be heading and the cuts start to flatten out and some type of equilibrium is reached.

Right now, in the energy space, we are in the cutting phase. That means loss of personnel (head count) and loss of resources even if it was calculated last year based on a summer or fall 2014 economic projection in your annual budgeting process. This means one thing you will need get for a quarter or two will be financial resources to place the personnel your compliance function may have lost. This means that you will have to figure out a way to accomplish more with fewer resources. While I often advocate that the compliance function can and should draw on other disciplines such as Human Resources (HR), IT, Internal Audit and Marketing for support; those functions have most probably been ‘right-sized’ as well so they may not be able to assist the compliance function as much they could have previously.

Now would be a very good time to put into practice what Dresser-Rand CCO Jan Farley often says, “Don’t sweat the small (compliance) stuff.” Farley often speaks about the need not to waste your scarce compliance resources on areas or matters that are low compliance risks. But to do this, you need to understand what are your highest compliance risks. Since you will not have additional resources to perform such an analysis, I would suggest now would be a very good time for you to assess your compliance program and your business model to see what are your highest risks. If you believe there are several, you can fprioritize them. This exercise will give you the basis to deliver your ever-scarcer compliance resources to your highest risk areas.

While I do not believe the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) will be sympathetic to some unsubstantiated claim along the lines of ‘I did my best with what I had’; they also made clear in the FCPA Guidance that “An effective compliance program promotes “an orga­nizational culture that encourages ethical conduct and a commitment to compliance with the law.” Such a program protects a company’s reputation, ensures investor value and confidence, reduces uncertainty in business transactions, and secures a company’s assets. A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations.” (emphasis supplied)

So while the DOJ and SEC will not accept you bald-faced claims that our company simply did not have the money to spend on compliance, they will most-probably consider a compliance program where you have looked at your risks, in the context of this economic downturn, and delivered the compliance resources you do have to those risks. But the key is Document, Document, and Document your decision-making calculus and your implementation. (Stephen Martin would probably add here that if your annual spend on Yellow Post-It Notes is a factor of 10X your compliance spend, this approach would not be deemed credible.)

In her On work column in the Financial Times (FT), Lucy Kellaway wrote about this the concept of doing less with less for the corporate executive personally, in an article entitled, “No need to ‘lean in’ when laziness can be just as effective”. She cited to the Prussian General Helmuth von Moltke for “devising one of the world’s fist management matrices” when he assessed his officers on two scales: “clever v. dim and lazy v. energetic.” From this he came up with four permutations:

  • Dim and lazy – Good at executing orders.
  • Dim and energetic – Very dangerous, as they take the wrong decisions.
  • Clever and energetic – Excellent staff officers.
  • Clever and lazy – Top field commanders as they get results.

The point of Kellaway’s article has direct implications for the CCO or compliance practitioner currently facing an economic downturn, “It is only by being lazy that we become truly efficient, and come to see what is important and what is not.” Kellaway cautioned “the sort of laziness to encourage is not the slobbish variety that means you do bad work. That is not laziness: it is stupidity. Instead, we need the clever version that comes from knowing there is an opportunity cost to every minute we spend working, so we must use our time wisely.”

From the compliance perspective, this translates directly into using your compliance resources wisely. So whether you want to cite the Prussian general who unified Germany, columnist Kellaway, Dresser-Rand CCO Farley or this article’s theme of doing less with less, I would suggest to you there is a manner to maintain “A well-constructed, thought­fully implemented, and consistently enforced compliance and ethics program helps prevent, detect, remediate, and report misconduct, including FCPA violations” even in an economic downturn.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

 

February 24, 2015

Victory or Death: William Barret Travis and the Obligations of a CCO

William Barret TravisToday in 1836, Alamo commander William Barret Travis issued his famous ‘Victory or Death’ plea for reinforcements. It was short so I quote it in full:

To the People of Texas & All Americans in the World:

Fellow citizens & compatriots—I am besieged, by a thousand or more of the Mexicans under Santa Anna—I have sustained a continual Bombardment & cannonade for 24 hours & have not lost a man. The enemy has demanded a surrender at discretion, otherwise, the garrison are to be put to the sword, if the fort is taken—I have answered the demand with a cannon shot, & our flag still waves proudly from the walls. I shall never surrender or retreat. Then, I call on you in the name of Liberty, of patriotism & everything dear to the American character, to come to our aid, with all dispatch—The enemy is receiving reinforcements daily & will no doubt increase to three or four thousand in four or five days. If this call is neglected, I am determined to sustain myself as long as possible & die like a soldier who never forgets what is due to his own honor & that of his country—Victory or Death.

William Barret Travis

Lt. Col. Comdt

While Thermopylae will always go down as the greatest ‘Last Stand’ battle in history, the Alamo is right up there in contention for Number 2. Like all such battles sometimes the myth becomes the legend and the legend becomes the reality. In Thermopylae, the myth is that 300 Spartans stood against the entire 10,000 man Persian Army. However there was also a force of 700 Thespians (not actors; but citizens from the City-State of Thespi) and a contingent of 400 Thebans who fought and died alongside the 300 Spartans. Somehow, their sacrifice has been lost to history.

Likewise, the legend that lifts the battle of the Alamo to the land of myth is the line in the sand. The story goes that William Barret Travis, on the day before the final attack, when it was clear that no reinforcements would arrive in time and everyone who stayed would perish; called all his men into the plaza of the compound. He then pulled out his saber and drew a line in the ground. He said that they were surrounded and would all likely die if they stayed. Any man who wanted to stay and die for Texas should cross the line and stand with him. Only one man, Moses Rose, declined to cross the line. The immediate survivors of the battle did not relate this story after they were rescued and this line in the sand tale did not appear until the 1880s.

But the thing about ‘last stand’ battles is they generally turn out badly for the losers.  Very badly. I thought about this when the former head of the Foreign Corrupt Practices Act (FCPA) unit at the Department of Justice (DOJ), Chuck Duross, said at Compliance Week a couple of years ago that he viewed anti-corruption compliance officials as “The Alamo” in terms of the last line of defense in the context of preventing violations of the FCPA. I gingerly raised my hand and acknowledged his tribute to the great state of Texas but pointed out that all the defenders were slaughtered, so perhaps another analogy was appropriate. Everyone had a good laugh back then at the conference. But in reflecting on the history of my state and what the Alamo means to us all; I have wondered if my initial response too facile?

What happens to a Chief Compliance Officer (CCO) or compliance practitioner when they have to make a stand? Do they make the ultimate corporate sacrifice? Will they receive the equivalent of a corporate execution as the defenders of the Alamo received? This worrisome issue has certainly occurred even if the person ‘resigned to pursue other opportunities.’ My fellow FCPA Blog Contributing Editor Michael Scher has been a leading voice for the protection of compliance officers, as have Donna Boehme and Michael Volkov. In a post entitled “Michael Scher Talks to the Feds” he said, “a compliance officer (CO) working in Asia asked for recognition and protection: “A CO will not stand up against the huge pressure to maintain compliance standards if he does not get sufficient protection under law. Most COs working in overseas operations of U.S. companies are not U.S. citizens, but they usually are first to find the violations. Since the FCPA deals with foreign corruption, how could the DOJ and SEC not protect these COs?”” In the same post, he asked the following of the DOJ and SEC “Wal-Mart’s compliance officers and professionals allegedly were intentionally obstructed by senior executives from conducting a compliance review and subjected to career-ending retaliation. If confirmed, will the DOJ and SEC’s settlement demonstrate that such harassment of compliance professionals is not condoned? Will the DOJ and SEC also make it clear that compliance officers working for multi-national companies like Wal-Mart in countries outside of America will receive the same protections as those working in America?”

Writing about the MF Global scandal in the New York Times (NYT) in an article entitled “Another View: MF Global’s Corporate Governance Lesson” Michael Peregrine stated that the “compliance officer is the equivalent of a “protected class” for governance purposes, and the sooner leadership gets that, the better.” Particularly in the post Sarbanes Oxley (SOX) world, a company’s CCO is a “linchpin in organizational efforts to comply with applicable law.” When a company fires, or asks him/her to resign, it is a significant decision for all involved in corporate governance and should not be solely done at the discretion of the Chief Executive Officer (CEO). Jonathan Marks has long advocated that the departure of a CCO from a company is such a material event that it should be disclosed by public companies.

In the area of anti-money laundering (AML) compliance professionals, Reuters, in an article entitled “Bankers anxious over anti-money-laundering push to go after individuals”, reported that at the Securities Industry Financial Markets Association conference, John Davidson, E*Trade Financial’s global head of AML, said that the “new push by regulators and lawmakers to hold individuals, rather than just institutions, accountable for regulatory violations involving money laundering is spooking members of the U.S. financial industry.” He further said that this aggressive trend and a new vigorous AML bill, introduced in Congress by Representative Maxine Waters entitled “Holding Individuals Accountable and Deterring Money Laundering Act”, were all “a little scary.” He found the movement towards more AML enforcement against individuals “an incredibly disturbing trend.” The reason it is so scary, an un-named top level compliance officer said, is “that compliance officers at the largest Wall Street institutions were feeling especially nervous because the power structures in those institutions sometimes did not give compliance officers enough authority to act.”

Upon further reflection I now believe the Alamo reference appropriate for compliance officers. It is because sometimes we have to draw a line in the sand to management. And when we do, we have to cross that line to get on the right side of the issue, the consequences be damned. This means that while you not only have to make hard decisions you may have accept employment separation if your company disregards your advice and engages in illegal activity. I do not pretend that to be a easy decision or one lightly made but CCOs have a different role in a corporation from that of a General Counsel (GC) and no amount of pining about attorney ethical obligations will change that dynamic.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 20, 2015

Assessing Internal Compliance Controls – Part II

Assessing Internal Controls IIn this blog post I continue my exploration of how you should assess your compliance internal controls using the Committee of Sponsoring Organization of the Treadway Organization (COSO), publication “Internal Controls – Integrated Framework, Illustrative Tools for Assessing Effectiveness of a System of Internal Controls” (herein ‘the Illustrative Guide’), as a starting point and basis for discussion. You will recall from my series on compliance internal controls under the COSO 2013 Framework there are five objectives: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information and Communication; and (5) Monitoring Activities. Today I will review issues around compliance internal control assessments on Control Environment and Risk Assessments.

First are some general definitions that you need to consider in your evaluation. A compliance internal control must be both present and functioning. A control is present if the “components and relevant principles exist in the design and implementation of the system of [compliance] internal control to achieve the specified objective.” A compliance internal control is functioning if the “components and relevant principles continue to exist in the conduct of the system of [compliance] internal controls to achieve specified objectives.”

I. Control Environment

Under the objective of Control Environment there are five principles which you will need to assess. The five principles are:

  1. The organization demonstrates a commitment to integrity and ethical values. Here you can look to see if there is a training program to help make employees cognizant of the importance of doing business ethically and in compliance with the standard’s of your company’s Code of Conduct. Also is there specific training on the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other relevant anti-corruption/anti-bribery legislation which may govern your organization? Next does your company have in place any process to evaluate “individuals against published integrity and ethics policy”? Finally, do you have in place any process to “identify and address deviations in the organization”?
  2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. Under this Principle you must DOCUMENT the active involvement of your company’s Board of Directors. So not only must risk assessments be performed and evaluated by senior management, they must also be evaluated by the Board, separate and apart from senior management. A Board must also document its review of any remediation plans and monitoring activities.
  3. Management establishes, with board oversight, structures, reporting lines and appropriate authorities and responsibility in pursuit of the objectives. This Principle deals primarily with reporting lines and structures so you will need to consider not only the structure of your business but also whether or not both clear and sufficient reporting lines have been established throughout the company. The next analysis is to move down the chain to see if there definitions and assignments for your compliance function. Lastly you need to assess whether there are sufficient parameters around the responsibilities of the compliance function and if there are limitations which should be addressed.
  4. The organization demonstrates a commitment to attract, develop and retain competent individuals in alignment with the objectives. Under this Principle you will need to review the policies and procedures to make sure you have the minimum required under a best practices compliance program and then evaluate and address any shortcomings. This Principle also has a more personnel focus by requiring you to consider whether your organization attracts, develops and retains sufficient compliance personnel and is there an appropriate succession plan in place if someone ‘wins the lottery’ on the way to work.
  5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of the objective. Under this Principle review is required to determine whether the Board established and communicated the mechanisms to hold employees accountable for your compliance internal controls. As suggested in the FCPA Guidance, there should be both a carrot and stick approach, so for the carrot is there some type of Board, senior management or employee compensation based on whether they did their assignments in compliance with your Code of Conduct or are bonuses based strictly on a sales formulation? For the stick, have any employees ever been disciplined under your compliance regimes?

II. Risk Assessment

This objective has four Principles that require assessment. They are (numbers follow the COSO Framework):

  1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives which include Operations Objectives, External Financial Reporting Objectives, External Non-Financial Reporting Objectives, Internal Reporting Objectives and Compliance Objectives. Here I think the key is the documentation of several different topics and issues relating to your company and how it operations. This means you will need to assess such diverse concepts as what are your senior management’s choices for business and compliance? You will need to consider and assess tolerances for risk as demonstrated by such issues as operations and financial performance goals. Finally, it can be used as a basis for committing of compliance resources going forward.
  2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. This Principle requires you to take a look at not only your compliance organization but also your business structure including entity, subsidiary, division, operating unit, and functional levels. You should assess the involvement of your compliance function at each point identified and the appropriate levels of management therein. Finally, from the compliance perspective, you should attempt to estimate not only the significance of compliance risks identified in the risk assessment but also determine how to respond to such identified compliance risks.
  3. The organization considers the potential for fraud in assessing risks to the achievement of objectives. Bribery and corruption can be categorized as forms of fraud. Rather than being fraud against the company to obtain personal benefits it can be fraud in the form of bribery and corruption of foreign government officials. For the compliance internal control assessment around this Principle I would urge you to ‘follow the money’ in your organization and consider the mechanisms by which employees can generate the funds sufficient to pay bribes. Many of these are simply fraud schemes so you should consider this within the compliance context and assess incentive and pressures on employees to make their numbers or be fired. You should also assess your employees’ attitudes and rationalizations regarding same.
  4. The organization identifies and assesses changes that could significantly impact the system of internal control. This Principle speaks to the need of your organization to maintain personnel competent to use the risk assessment going forward. But it also requires you to assesses changes in the external environment, assess changes in the business model or other significant business changes and, finally, to consider any changes in compliance leadership and how that would impact this Principle.

I often say that good compliance is simply good business. These COSO objectives are not only important from the compliance perspective but they also speak to the issue of overall process in your organization. The more you can burn these activities into the DNA of your company, the better run your organization will be going forward. Auditing against the COSO standards will provide your management with greater information on the health of your organization and satisfy your legal requirements under the FCPA.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 17, 2015

Gary Owens, Laugh-In and Accountability in Your Compliance Program

Gary OwensIf you were alive at all during the 1960s, you will recall that one of the cultural phenomenon’s was NBC’s television show Laugh-In. It was brought to you from the NBC studios in beautiful downtown Burbank and featured one very droll player, who always played himself, Gary Owens, as the show’s announcer – Gary Owens. Owens died last week and I was surprised but pleased to learn in reading his obituary in the New York Times (NYT) that he was also the voice for several cartoon characters in the Jay Ward stable (home of Rocky and Bullwinkle) and he was the voice of Space Ghost which had a renaissance during the early years of the Cartoon Network.

I thought about Owens’ role on Laugh-In not only as the straight man but also the character, who in many ways brought accountability to the manic show when I read this week’s article by Adam Bryant in his NYT Corner Office column, entitled “Making a Habit of Accountability”, which featured his interview of Natarajan Chandrasekaran, the Chief Executive Officer (CEO) of Tata Consulting Services. Chandrasekaran was raised on a farm and one of the things that he learned early on from his farmer father was “the value of money and the value of time. So he made us account for things. It wasn’t that there was a right or wrong way, but he wanted us to be accountable for what we did.”

I considered this concept of accountability in your best practices anti-corruption compliance program, whether based upon the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other program. With the Department of Justice’s (DOJ) recent pronouncements that it will more aggressively prosecute individuals for FCPA violations, perhaps companies should emphasize accountability more in their compliance programs. By doing so, perhaps employees might understand that there really is their personal liberty on the line when they engage in something which might even approach a FCPA violation. Further, by emphasizing personal accountability, companies could demonstrate more pro-active approaches to compliance that the DOJ wants to see going forward.

Chandrasekaran’s remarks went beyond simply emphasizing personal accountability. He also spoke about accountability in the context of a company’s overall culture. In particular I found his thoughts about accountability, learning and culture quite insightful. He said, “Learning cannot be achieved by mandate. It has to be achieved by culture.” He added, “In our executive team meetings, we share experiences and case studies about failures and successes.”

But beyond simply this insight there should also be accountability for helping others achieve the company’s overall goals. While he did not limit it to compliance, I still found it applicable to a best practice compliance regime when he said, “Everybody has to take some accountability for other people, and look for ways to make small contributions to help others. Looking after people has to become everybody’s responsibility. Innovation and caring for people are cultures; they are not departments.” He did admit that such a change would not happen overnight and indeed he has been emphasizing this message for five years at Tata because “It takes time to build that culture.”

Chandrasekaran also had an insight into compliance through his views on company structure. Tata is a flat organization, with multiple business units. He did this so the largest number of employees would feel empowered to make decisions and work collaboratively. While I recognize that such views might be antithetical to US based companies with a more ‘command and control’ approach, Chandrasekaran explained that the leaders of those units are expected “to work together. We said the power of our company will be driven by how well they work together. In some of our bigger monthly meetings, we will start with people presenting examples of their collaborations.”

I considered all of the above in the greater context of a best practices anti-corruption compliance program. One of the things that the FCPA Guidance emphasized was the inter-relatedness of each component of your compliance program. While you might have greater risk in the area of third parties or doing business in certain areas of the world where there are higher perceptions of corruption, you should not pick and choose what prongs of a compliance program you implement. Each step builds upon one another and should all point to accountability for your actions in decision-making calculus for business decisions and their implementations.

However the concept of accountability is not one that is spelled out in the FCPA Guidance or in any formulation of a best practices compliance regime. Yet it is clear that accountability is something that underlies what a compliance program is trying to achieve. Just as Chandrasekaran learned early on there is a value to things; there is a value to time and there is a value to money. So they should be accounted for in the way you do business.

This might best be described as oversight of your compliance program. The issue your company should focus on here is whether employees are accountable within the ambit of your compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are accountable to the compliance program.

Two mechanisms to do so are through the techniques of monitoring, which is a commitment to reviewing and detecting compliance programs in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. A second tool is auditing, which is generally viewed as a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it is effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to hold employees accountable to doing business under your compliance regime and Code of Conduct. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. While it may seem that accountability means looking over every employees shoulder, it should not simply be seen as the workplace equivalent of parental oversight. Chandrasekaran explained that how you conduct yourself at work can have a huge impact on other employees. He said, “it’s sometimes very hard to imagine, early in your career, how much impact you can have. If you’re in a job and in an organization, the impact you can make is huge, because it’s all about being part of a group that’s driving impact. So look for those opportunities.” If you look for ways to demonstrate accountability you can influence a wide variety of others going forward.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 12, 2015

Maurice Gilbert, CCI and Ten Questions A Board Should Consider About Compliance

Maurice GilbertFor those of you in the compliance world who do not know Maurice Gilbert, you should. I could probably write an entire post on the number of hats that he wears. For the Chief Compliance Officer (CCO) or compliance practitioner, two of the most significant are as Managing Director at Consileum Inc., which I consider to be one of the premier compliance related search firms in America and as Founder and Managing Editor of Corporate Compliance Insights, known as CCI in the compliance world (full disclosure – I blog and write for CCI). If you are looking for some of the country’s top compliance talent for a corporate compliance position Maurice should be about the first person you call when even thinking about such a task. He can help you to define the scope of the position and then craft the position to attract some great talent for you to consider. Of course, you should always know one of the country’s top compliance talent recruiters because you never know when the right opportunity might be presented by a client to Maurice and you could perfectly fill the bill.

However it is his other hat that I want to highlight today. As Founder and Managing Editor of one of the top online compliance resources, Maurice leads a team that continually generates and posts some of the most insightful and useful pieces of information around the entire panoply of issues related to compliance. From my world of anti-corruption compliance, to trade-compliance, corporate boards and governance, auditing and much more, CCI is a resource you should have on your favorites toolbar. It was through Maurice and CCI that I was introduced to the writings and assorted wisdom of Jim DeLoach, who is one of my favorite contributors to read on CCI.

DeLoach is a Managing Director with global consulting firm Protiviti. He regularly writes and blogs on issues relating to Enterprise Risk Management (ERM). He put out such great material and a plethora of it that Maurice persuaded him to put it together for us in an eBook, entitled “Making Risk Management Work for You. In the section entitled “10 Questions You Should Ask About Risk Management”, DeLoach lists 10 questions he says that a board and senior management should think about when considering ERM. I have used this section as a basis to reformulate the questions from a compliance perspective.

  • What are the company’s top compliance risks, how severe is their impact and how likely are they to occur? – Just as managing enterprise risk at a strategic level requires focus, the same is true for compliance. This requires you limiting your top risks to a handful so they can accurately be assessed and managed. DeLoach suggests that you should be emphasizing no more than five to 10 risks. Furthermore, “Day-to-day risks are an ongoing operating responsibility.”
  • How often does the company refresh its assessment of the top [compliance] risks? – As the Department of Justice (DOJ) continually reminds us, your compliance risk assessment process should be responsive to change in the business environment. It is now mandatory that teams have in place “a robust process for identifying and prioritizing the critical [compliance] risks, including emerging [compliance] risks, is vital to an evergreen view of the top risks.”
  • Who owns the top compliance risks and is accountable for results, and to whom do they report? – While this might seem self-evident in any best practices compliance program it is not always opaque within an organization. Clearly your CCO should own the top compliance risks and manage them but there should also be proper board oversight and reporting. DeLoach warns, “Gaps and overlaps in risk ownership should be minimized, if not eliminated.”
  • How effective is the company in managing its top [compliance] risks? – Just how effective is your compliance regime is a key question that any CCO or compliance practitioner needs to be thinking about on a regular basis. However, for the board and senior management level, there should be “a robust process for managing and monitoring each of the critical [compliance] risks.” Moreover, your “risk management capabilities must be improved continuously as the speed and complexity of business change.”
  • Are there any organizational “blind spots” around [compliance] warranting attention? – Some practitioners believe that the entire Foreign Corrupt Practices Act (FCPA) enforcement regime is a failure because companies are still engaging in bribery and corruption. But the simple fact is that since corporations are made up with people there will always likely be wrongdoers. DeLoach notes that “Cultural issues and dysfunctional behavior can undermine the effectiveness of [compliance] risk management and lead to inappropriate risk taking or the undermining of established policies and processes.” He cites several examples including “lack of transparency, conflicts of interest, a shoot-the-messenger environment and/or unbalanced compensation structures may encourage undesirable behavior and compromise the effectiveness of risk management.”
  • Does the company understand the key assumptions underlying its [compliance] strategy and align its competitive intelligence process to monitor external factors for changes that could alter those assumptions? – You might not think it could happen in a compliance regime but if a company fails to recognize that its business paradigm is changing, it could be too late to affect an appropriate compliance strategy for a new product line/service offering or breaking into a new geographic territory. Here DeLoach believes that while “no one knows for sure what will happen that could invalidate the company’s strategic assumptions in the future, monitoring the validity of key assumptions over time as the business environment changes is a smart thing to do.”
  • Does the company articulate its risk appetite and define risk tolerances for use in managing the business? – This is one area that always bears discussion. For some companies there is enough business in the middle of the road that they feel like they do not have to go up to the line of a FCPA violation to garner sales, while other companies have done deals that may have been lawful but, at the end of the day, had awful consequences for the business. Just because you can do something does not mean you should do it and a large part of such a calculus is round your risk appetite dialogue. DeLoach believes such ongoing conversations can assist to “bring balance to the conversation around which risks the enterprise should take, which risks it should avoid and the parameters within which it should operate going forward. The risk appetite statement is decomposed into risk tolerances to address the question, “How much variability are we willing to accept as we pursue a given business objective?” For example, separate risk toler­ances may be expressed differently for objec­tives relating to earnings variability, interest rate exposure, and the acquisition, develop­ment and retention of people.”
  • Does the company’s [compliance] risk reporting provide management and the board information they need about the top risks and how they are managed? – Compliance reporting should begin with relevant information about the critical compliance risks and how those compliance risks are managed. DeLoach believes that some of the questions you should be asking under this prong are along the lines of the following: “Are there opportunities to enhance the [compliance] risk reporting process to make it more effective and efficient? Is there a process for moni­toring and reporting critical [compliance] risks and emerging [compliance] risks to executive management and the board?”
  • Is the company prepared to respond to extreme [compliance] events? – DeLoach calls it an extreme event but I would ask, what will you do if your company is on the front page of the New York Times (NYT), Wall Street Journal (WSJ), Financial Times (FT) or any other similar media outlet for a compliance related violation or issue? Do you have a response plan in place? More so “Has it prioritized its high-impact, low-likeli­hood risks in terms of their reputational effect, velocity to impact and persistence of impact, as well as the enterprise’s response readiness?”
  • Does the board have the requisite skill sets to provide effective [compliance] risk oversight? – This goes to the heart of frustrations from both the compliance function side and the board side of the equation. Does your board and senior management have specific FCPA or other relevant anti-corruption training and understand your business model well enough to provide input regarding critical compliance risk issues on a timely basis? From the board’s perspective they may feel the information they receive is asymmetrical and that they do not receive enough material information to render good decision-making. From the CCO or compliance practitioner’s perspective, they may feel that they cannot get enough time in front of the board, audit committee or senior management to properly educate them on the issues.

I have only scratched the surface of DeLoach’s thoughts on ERM. I urge you to go to the CCI site and download the entire work. Did I mention the best thing about CCI and DeLoach’s book? It is free on the CCI site. So after you download DeLoach’s book, stick on the site and noodle around to find something that interests you or could be of assistance in your compliance practice. Don’t forget to check out CCI’s job listing because Maurice has that other hat that he wears as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 11, 2015

COSO and Internal Controls – Part V

Internal ControlsThis post concludes my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework. Today I want to look at the fifth component, Monitoring Activities. In its Executive Summary of the 2013 Framework, COSO said, “Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls to effect the principles within each component, is present and functioning. Ongoing evaluations, built into business processes at different levels of the entity, provide timely information. Separate evaluations, conducted periodically, will vary in scope and fre­quency depending on assessment of risks, effectiveness of ongoing evaluations, and other management considerations. Findings are evaluated against criteria established by regulators, recognized standard-setting bodies or management and the board of directors, and deficiencies are communicated to management and the board of direc­tors as appropriate.”

However, as with the other components of the COSO Cube, Monitoring Activities are part of an inter-related whole and cannot be taken in singularly. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said this objective “applies to all five components of internal control, and the nature of monitoring should fit the organization, its dependence on IT, and the effectiveness of monitoring providing relevant feedback on the other components, including the effectiveness of control activities.” I heartily agree with the author when he says that he believes monitoring will take on increased importance. For the Chief Compliance Officer (CCO) or compliance practitioner, Monitoring Activities has been growing in importance over the past few years and will continue to do so in the future. In their Five Principles of an Effective Compliance Program, developed by Paul McNulty and Stephen Martin at the law firm of Baker and McKenzie, they listed oversight as Principle 5, including ongoing monitoring and this is reinforced in the 2013 COSO Framework.

In an article in Corporate Compliance Insights, entitled “Implementing COSO’s 2013 Framework: 10 Questions that Need to be Answered”, Ron Kral explained that it is important to “ensure that adequate controls are ‘present’ in support of all relevant principles and the components before launching into efforts to prove that the controls are “functioning.” Remember that all relevant principles must be present and functioning in order for a company to safely conclude that their ICFR is effective. Aligning the design of controls to the 17 principles in order to see any gaps early in the implementation process will help ensure adequate time to remediate and test for operating effectiveness.” The same is equally, if not more so, true for your company’s compliance function.

The Monitoring Activities objective consists of two principles. They are:

(1) Principle 16 – “The organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.”

(2) Principle 17 – “The organization evaluates and communicates internal control deficiencies timely to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.”

Principle 16 – Ongoing evaluation

Rittenberg stresses that this Principle requires that “Monitoring should include ongoing or ‘continuous monitoring’ whenever such monitoring is reliable, timely and cost-effective.” This clearly incorporates McNulty and Martin’s dictate that Principle No. 5 consists of not only auditing but ongoing monitoring as well. The reason is simple; they are complementary tools to test the effectiveness of your compliance regime. The same is true of internal controls. But this Principle clearly expects your organization to engage in both types of oversight, monitoring and auditing.

For the CCO or compliance practitioner, there are several different areas and concepts you will need to consider going forward. A current risk assessment or other evaluation of business changes should be considered based upon some type of baseline understanding of your underlying compliance risk. Whatever you select it will need to be integrated with your ongoing business processes, adjusted as appropriate through ongoing risk assessments and objectively evaluated. 

Principle 17 – Communication of internal control deficiencies

This final Principle speaks to deficiencies and their correction. Rittenberg notes it requires a determination of what might constitute a deficiency in your internal control, who in your company is responsible for “taking corrective action and whether there is evidence that the corrective action was taken”. If that does not sound like McNulty Maxim No. 3 What did you do when you found out about it? I do not know what does.

Therefore, under this Principle the CCO will need to take timely and determined action to correct any deficiencies which might appear in your compliance regime. It will require you to assess results, communicate the deficiencies up the chain to the board or Audit Committee, correct and then monitor the corrective action going forward. Adapting Kral, I would urge that every key internal compliance control in support of the 17 Principles should “conclude upon by management in terms of their adequacy of design and operating efficiency.”

Monitoring Activities should bring together your entire compliance program and give you a sense of whether it is running properly. Both ongoing monitoring and auditing are tools the CCO and compliance practitioner should use in support of this objective. Near the end of his section on this objective, Rittenberg states, “Monitoring is a key component of the internal control framework because effective monitoring (a) recognizes the dynamics of change within an organization, and (b) provides the basis for corrective action on a timely basis.” I would add that it allows you to evaluate the effectiveness of that corrective action as well.

This concludes my exploration of COSO and internal compliance controls. While I have cited directly to the language of the COSO 2013 Framework, I hope that you now have a sense of how these concepts directly relate to your company’s compliance program. With the Securities and Exchange Commission’s (SEC) invigorated interest in internal controls, I believe that through adherence to these five objectives and 17 Principles will allow you to not only withstand such government scrutiny but also have a better run organization.COSO Cube. jpg

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 10, 2015

COSO and Internal Controls – Part IV

Internal ControlsThis post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 Framework. Today I want to look at the fourth component, Information and Communication. In its Executive Summary of the 2013 Framework, COSO said, “Information is necessary for the entity to carry out internal control responsibilities to support the achievement of its objectives. Management obtains or generates and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control. Communication is the continual, iterative process of providing, sharing, and obtaining necessary information. Internal communication is the means by which information is disseminated throughout the orga­nization, flowing up, down, and across the entity. It enables personnel to receive a clear message from senior management that control responsibilities must be taken seriously. External communication is twofold: it enables inbound communication of relevant exter­nal information, and it provides information to external parties in response to require­ments and expectations.”

However, as with the other components of the COSO Cube, Information and Communication are not to be taken in a vacuum. Indeed, one of the more interesting aspects of this objective is that it runs not only vertically but also horizontally. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said that this objective “is not a one-way street: information needs to be generated at operational levels and communicated across and up the organization to enhance decision-making.” Moreover, he believes this means that while it may be the responsibility of more senior managers to have the requirement to develop, create and implement policies and procedures; they have to be communicated downward in the organization and there should be feedback back up the organization regarding this process. Finally, as Rittenberg continues, “information and communication must be fully integrated with the other components of the Framework, most especially those of monitoring and risk assessment.”

The objective of Information and Communication consists of three principles. They are:

(1) Principle 13 – “The organization obtains (or generates) and uses relevant, quality information to support the functioning of internal control.”

(2) Principle 14 – “The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.”

(3) Principle 15 – “The organization communicates with external parties regarding matters affecting the functioning of internal control.”

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives and that the 17 Principles are readily adaptable to compliance. I think they are more than simply adaptable as they provide a clear road map for the Chief Compliance Officer (CCO) or compliance practitioner on how to set up the right compliance controls. Finally, I believe that the Securities and Exchange Commission (SEC) will measure your company’s internal controls against each of these 17 Principles and if you cannot map your internal controls to them and provide audit evidence, you may well in FCPA hot water.

Principle 13 – Use of relevant and quality information

Rittenberg notes this Principle requires that “Relevant, timely and quality information needs to be assessed by management and others to help identify” several areas with in a company. For the CCO or compliance practitioner this means that you need to identify relevant data, which can include both internal and external data. The hard part is to move that data to actionable information. Rittenberg also suggests that you need to consider the characteristics of the information and “whether or not such information is being used correctly and timely.”

 Principle 14 – Communication up and down the organization about internal controls

This is the Principle that brings the up and down and indeed horizontal action required for Information and Communication. Rittenberg notes it relates to how information is communicated internally but he adds “it is equally important that such information be communicated to those with responsibilities over operation and compliance objectives, as well as reporting objectives.” Finally, he cautions that entities should assess whether there are any “gaps in the communication process”.

Therefore, under this Principle you will need to determine several different things from the compliance perspective. Does the Board communicate in a downward mechanism that gets its relevant instructions to the CCO or compliance function? Does the CCO or compliance function communicate upwards with the Board? Note that this Principle clearly reinforces an access component for the compliance function. But it also specifies the horizontal communication that I referred to above to ascertain that policies and procedures are effectively spread throughout an organization.

Principle 15 – Communication with external parties regarding internal controls

This Principle requires that a company communicate with relevant external parties. Rittenberg provides an excellent CCO or compliance practitioner example when he cites to the need for companies to communicate with third parties about relevant Codes of Conduct or similar documents, which might apply to them. He also pointed to the example of information about a hotline that could be provided to a third party to report any FCPA related issues. But more than a company sharing its relevant compliance information with contracted third parties, whether they be on the sales side or in the supply chain, this Principle recognizes “that outside parties can provide information to management on the effectiveness of internal controls…and regulatory communication.”

Obviously there must be communications lines up and down from the Board but also within an organization for dissemination of the appropriate compliance related information. For this Principle, the CCO or compliance practitioner should also evaluate the communication lines to third parties. This communication can flow both ways, as noted, with compliance obligations to third parties but also information in the form of compliance issues back from third parties.

Information and Communication requires a wide range of information to go up and down the corporate chain. The article “3 Challenging Principles in COSO’s Framework: A Closer Look at Principles 2, 4 and 13” relates that “People who understand the objectives, risks and controls of the information flows necessary for accounting transactions and the preparation of financial statements are critical both on the side of management and the external auditor.” This may require reliance on those with technical skills far greater than management can bring to bear. Additionally, “organizations may want to consider creating an inventory of information requirements (both from internal and external sources), maintaining written data flow processes, implementing robust controls over spreadsheets, maintaining sound data repositories and instituting a data governance program.  A data governance program will go a long way toward establishing and communicating the necessary pillars for [Information and Communication], including roles and responsibilities.” Fortunately for the CCO or compliance professional there is “no single recipe” for success with the Information and Communication objective. You can bring a wide range of talents, skills and imagination to bear on the objective.COSO Cube. jpg

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 9, 2015

COSO and Internal Controls – Part III

Dean SmithThis post continues my exploration of internal controls and how companies can demonstrate compliance with the internal controls requirement under the Foreign Corrupt Practices Act (FCPA) by adhering to the Committee of Sponsoring
Organizations of the Treadway Commission (COSO) 2013 Framework. To help introduce today’s topic, I cannot think of a much more appropriate person to honor than Dean Smith, who died yesterday. Smith coached the North Carolina Tar Heels basketball team for 36 years. He retired with 879 victories, a winning percentage of 77.6% and two NCAA championships. He was one of the true giants of college coaching and the game of basketball itself. He will be missed but certainly never forgotten. If there was ever a coach that epitomized internal controls and frameworks, it was Dean Smith.

I restart my discussion of the COSO 2013 Framework with a look at the third component, Control Activities. In its Executive Summary of the 2013 Framework, COSO said these “are the actions established through policies and procedures that help ensure that management’s directives to mitigate risks to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities such as authorizations and approvals, verifications, reconciliations, and busi­ness performance reviews. Segregation of duties is typically built into the selection and development of control activities. Where segregation of duties is not practical, manage­ment selects and develops alternative control activities.”

However, as with the other components of the COSO Cube, Control Activities are not to be taken in a vacuum. Larry Rittenberg, in his book COSO Internal Control-Integrated Framework, said the Control Activities “have traditionally received the most attention of the component” but noted that the real-world experience since the initial implementation of the COSO Framework back in 1992 has demonstrated that “the effectiveness of control activities must be evaluated with the context of the other five components.” Moreover, he believes that these conditions are aided by a company’s policies and procedures, which should help to lessen and manage risk going forward. Finally, Control Activities should be performed at all levels in the business process cycle within an organization.

The objective of Control Activity consists of three principles. They are:

(1) Principle 10 – “The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.”

(2) Principle 11 – “The organization selects and develops general control activities over technology to support the achievement of the objectives.”

(3) Principle 12 – “The organization deploys control activities through policies that establish what is expected and procedures to put policies into action.”

A White Paper, entitled “The Updated COSO Internal Control Framework”, emphasized the inter-related nature of the five objectives when it noted “The risk assessment driven by the company’s management provides a context for designing the Control Activities necessary to reduce risks to an acceptable level (Principles 10, 11 and 12). Note that Principle 10 deals with the selection and development of control activities that mitigate risk to the achievement of compliance objectives, and Principle 12 deals with the development of control activities through established policies and procedures. Principle 11 addresses the impact of controls over general technology to the extent they impact the achievement of control activities.”

Principle 10 – Control Activities to mitigate risk

Rittenberg noted that there is no “silver bullet” in selecting the right internal controls. Yet when combined with your risk assessment, this Principle would point to an integration of your policies, procedures and overall corporate responsibilities, which should be chosen “sufficiently to reduce the risk of not achieving the objectives to an acceptable level.” You should consider your relevant business processes, evaluate your mix of control activities and then consider at what levels within your organization they are applied. But Rittenberg cautions that you should not “begin an analysis of control activities with a list of controls and check off whether they are present or not present. Rather, controls should be assessed in relationship to the risk being mitigated.” 

Principle 11 – Control Activities over general technology

Last week I had a series of guest posts from Joe Oringel of Visual Risk IQ regarding the use of data analytics in your compliance program. The use of technology will be greater and more important going forward. I would certainly expect the Securities and Exchange Commission (SEC) to focus on a company’s use of technology in any evaluation of its overall compliance program.

Therefore, under this Principle you will need to determine not only the use of technology in your compliance related internal controls but also the use of such technology in your overall company business process. To do so, you will need to consider your technology infrastructure, around compliance internal controls, security management of the same and then use this information to move forward to obtain and implement the most appropriate technology around your compliance internal controls.

Principle 12 – Control Activities established through policies and procedures

This Principle should be the most familiar one to the compliance practitioner as it points to the establishment of policies and procedures to support deployment of your compliance regime. It also sets out the responsibility and accountability for executing policies and procedures, specifies and assures corrective action as required and mandates periodic reassessment. Interestingly it also directs that there be competent personnel in place to do so. Rittenberg noted, “Responsibilities for control activities should be identified through policies and various procedures. Processes should be in place to ensure that all aspects are implemented and working.”

While the objective of Control Activities should be the most familiar to the Chief Compliance Officer (CCO) or compliance practitioner, you may well think of it in a way that basketball fans thought of Dean Smith’s Four Corners offense; in other words boring. However, just as Smith’s innovation was based on crisp focus and outstanding teamwork, this objective demonstrates the inter-relatedness of all the five COSO objectives. It is your Control Environment and then Risk Assessment that should lead you to this point. It is the Control Activities objective that lays the groundwork for a living, breathing compliance program going forward.COSO Cube. jpg

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

February 6, 2015

Arsenale and Incentivizing Compliance

ArsenaleI continue with a Venice themed blog post today by focusing on the Arsenale. No this is no a precursor to that famous north London football club, the Arsenal Gunners, but the district in Venice where one of the main commercial enterprises of the city took place, that being ship building and ship repair. At one point, the Arsenale employed almost 10% of the city’s workforce or 12,000 people. This was in the mid 1200s to the 1400s when Venice was at or near the height of its trading and financial power. The Arsenale developed the first production line for the building of ships, when, of course, it was all done by hand. The equipment developed to drag ships up on shore and repair was simply amazing. Appropriately, the Arsenale is now an Italian naval facility.

But I also picked up some interesting compliance insights in learning more about the Arsenale. The ship building techniques were of such a high level and importance to the city that they were viewed as state secrets. To protect against the loss of such valuable intellectual property, the Venetian city fathers put in a series of incentives and punishments that can help inform your best practices compliance program up to this day. First, and foremost, Venice forbade any skilled worker from leaving the city to go to work at a neighboring or rival city; the first non-compete and still widely used by corporate America today. Second was the punishment that if you were caught passing secret, you were summarily executed only after excruciating torture; while these techniques are not as widely used by corporate America today I am sure there are some non-enlightened corporate leaders who might like to re-institute one or both practices.

However over on the incentive side there were several mechanisms the City of Venice used to help make the Arsenale work force more loyal and desirous to stay in their jobs, all for the betterment of themselves and their city. The first was job security. The Arsenale was so busy for so many years that lay-offs were unheard of. Even if someone lost their job, through injury, mishap or worse; they received enough of compensation that they could live in the city. Finally, when a worker died, the company provided not only funeral expenses but would assist in taking care of the family through stipends or finding other work for family members.

This dual focus on keeping the state secrets of ship building and repair within the City of Venice reminded me of one of the points that representatives of the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) continually remind compliance practitioners about when discussing any best practices compliance program; whether based on the Ten Hallmarks of an Effective Compliance Program, as articulated in their jointly released FCPA Guidance, or some other articulation such as in a Deferred Prosecution Agreement (DPA) Attachment C. They continually remind Chief Compliance Officers (CCOs) and compliance practitioners that any best practices compliance program should have both incentives and discipline as a part of the program.

Regarding disincentives for violating the Foreign Corruption Practices Act (FCPA), the Guidance is clear in stating, “DOJ and SEC will thus consider whether, when enforcing a compliance program, a company has appropri­ate and clear disciplinary procedures, whether those proce­dures are applied reliably and promptly, and whether they are commensurate with the violation. Many companies have found that publicizing disciplinary actions internally, where appropriate under local law, can have an important deterrent effect, demonstrating that unethical and unlawful actions have swift and sure consequences.”

However, the Guidance is equally clear that there should be incentives for not only following your own company’s internal Code of Conduct but also doing business the right way, i.e. not engaging in bribery and corruption. On incentives, the Guidance says, “DOJ and SEC recognize that positive incentives can also drive compliant behavior. These incentives can take many forms such as personnel evaluations and promotions, rewards for improving and developing a company’s compliance pro­gram, and rewards for ethics and compliance leadership. Some organizations, for example, have made adherence to compliance a significant metric for management’s bonuses so that compliance becomes an integral part of management’s everyday concern.” But the Guidance also recognizes that incentives need not only be limited to financial rewards as sometime simply acknowledging employees for doing the right thing can be a powerful tool as well.

All of this was neatly summed up in the Guidance with a quote from a speech given in 2004 by Stephen M. Cutler, the then Director, Division of Enforcement, SEC, entitled, “Tone at the Top: Getting It Right”, to the Second Annual General Counsel Roundtable, where Director Cutler said the following:

[M]ake integrity, ethics and compliance part of the promotion, compensation and evaluation processes as well. For at the end of the day, the most effective way to communicate that “doing the right thing” is a priority, is to reward it. Conversely, if employees are led to believe that, when it comes to compensation and career advancement, all that counts is short-term profitability, and that cutting ethical corners is an ac­ceptable way of getting there, they’ll perform to that measure. To cite an example from a different walk of life: a college football coach can be told that the graduation rates of his players are what matters, but he’ll know differently if the sole focus of his contract extension talks or the decision to fire him is his win-loss record.

All of this demonstrates that incentives can take a wide range of avenues. At the recently held ACI FCPA Bootcamp in Houston, TX, one of the speakers said that the Houston based company Weatherford, annually awards cash bonuses of $10,000 for employees who go above and beyond in the area of ethics and compliance for the company. While some might intone that is to be expected from a company that only recently concluded a multi-year and multi-million dollar enforcement action; as the speaker said if you want emphasize a change on culture, not much says so more loudly than awarding that kind of money to an employee.

While I am sure that being handed a check for $10,000 is quite a nice prize, you can also consider much more mundane methods to incentivize compliance. You can make a compliance evaluation a part of any employee’s overall evaluation for some type of year end discretionary bonus payment. It can be 5%, 10% or even up to 20%. But once you put it in writing, you need to actually follow it.

But incentives can be burned into the DNA of a company through the hiring and promotion processes. There should be a compliance component to all senior management hires and promotions up to those august ranks within a company. Your Human Resources (HR) function can be a great aid to your cause in driving the right type of behavior through the design and implementation of such structures. Employees know who gets promoted and why. If someone who is only known for hitting their numbers continually is promoted, however they accomplished this feat will certainly be observed by his or her co-workers.

Just as the fathers of Venice viewed the workers of the Arsenale as critical to the well-being of their city, senior managers need to understand the same about their work force. In places like Texas, employees typically are incentivized with some enlightened remark along the lines of “You should just be happy you even have a job.” Fortunately there are real world examples of how corporate incentives can work into a compliance regime. The City of Venice long ago showed how such incentives could help it maintain a commercial advantage. Fortunately the DOJ and SEC still understand those valuable lessons and continue to talk about them as well.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Next Page »

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 5,087 other followers