Foreign Corrupt Practices Act | FCPA Compliance and Ethics Blog

August 20, 2015

BNY Mellon and Lessons Learned In Hiring Family Members – Part II

Filed under: Best Practices,BNY Mellon,Bribery and Corruption,Compliance,Compliance and Ethics,compliance programs,Doing Compliance,FCPA,SEC — tfoxlaw @ 4:37 am
Tags: best practices, compliance, compliance programs, FCPA, Foreign Corrupt Practices Act, SEC

In yesterday’s post I reviewed the Securities and Exchange Commission (SEC) Foreign Corrupt Practices Act (FCPA) enforcement action involving the Bank of New York Mellon Corporation (BNY Mellon) around its hiring of sons and nephews of foreign governmental officials to obtain or retain business from certain foreign Sovereign Wealth Funds. I discussed the underlying facts and penalties assessed against BNY Mellon as laid out in the SEC Cease and Desist Order (the “Order”). Today I want to provide some guidance on what this enforcement action may mean for companies going forward when hiring the sons and daughters or close family relatives of foreign government officials.

The first thing to remember is there is nothing in the FCPA which prohibits the hiring of a son, daughter or close family member of a foreign government official. What the FCPA does make illegal is an action where a company “or any officer, director, employee, or agent acting on behalf of such issuer, in order to obtain or retain business, from corruptly giving or authorizing the giving of, anything of value to any foreign official for the purposes of influencing the official or inducing the official to act in violation of his or her lawful duties, or to secure any improper advantage, or to induce a foreign official to use his influence with a foreign governmental instrumentality to influence any act or decision of such government or instrumentality.” [citation omitted]

The actions of BNY Mellon were clearly designed to not simply curry favor with the foreign governmental officials involved but also to either grow the business or help to retain what the company already had in place with the un-named foreign Sovereign Wealth Fund. At this point most companies have a written FCPA compliance program in place; consisting of policies and procedures. Note, this does not mean that the compliance program is effective because for a compliance program to be effective, a company must actually be doing compliance. Many FCPA enforcement actions occur because an exception was granted to a policy or procedure and either the reason for granting the exception was inappropriate or there was no documentation as to why the exception was granted. In the case of BNY Mellon, it was the latter.

BNY Mellon offered high value, high prestige summer internship programs for “undergraduates as well as a separate summer program for postgraduates actively pursuing a Master of Business Administration (MBA) or similar degree. Admission to the BNY Mellon postgraduate internship program was highly competitive and characterized by stringent hiring standards.” The main purpose of these internships was to give BNY Mellon an opportunity to evaluate the interns as potential permanent hires to the company. There was a designated track for nomination to the internship program and internal company evaluation prior to offering candidates an intern position. In other words, there were policies and procedures around the process but BNY Mellon did not follow them.

Hiring Process

The first Red Flag, which BNY Mellon seemingly ignored in this entire process, was that each of the candidates were recommended to the firm by foreign governmental officials who held control of business relations between Sovereign Wealth Funds and the bank. Their requests that their close family relations be hired by BNY Mellon was contra to the banks own process of selecting candidates for its internship program from a exclusive group of universities and colleges in the US and UK. The Order noted, “Successful applicants had to achieve a minimum grade point average, and had to advance through multiple rounds of interviews in addition to having relevant prior work experience and a demonstrated affinity for and interest in financial services work.”

None of these indicia were present in the hiring of the foreign governmental official’s relatives at issue. There was no evidence the candidates met any of BNY Mellon’s own internal criteria for consideration to the internship program. Indeed, as the Order stated, “as recent graduates not enrolled in any degree program, the Interns did not meet the basic entrance standard for a BNY Mellon postgraduate internship.” Finally, to top it off, all three were hired sight unseen and “BNY Mellon decided to hire the Interns before even meeting or interviewing them.”

The Internships

But BNY Mellon’s violative conduct did not stop by simply hiring the three close family relatives for its internship program. The three persons got benefits far more than simply a regular internship program. BNY Mellon designed special “Bespoke” internship programs for the three interns. As requested by their fathers and uncle, the three interns received “customized work experiences” which “were not regular undergraduate or graduate summer internships at all, but customized one-of-a-kind training programs. The internships were valuable work experience, and the requesting officials derived significant personal value in being able to confer this benefit on their family members.”

The internships were abnormally long, lasting six months, which was twice the normal length. Additionally they were “rotational in nature, meaning that Interns A, B and C had the opportunity to work in a number of different BNY Mellon business units, enhancing the value of the work experience beyond that normally provided to BNY Mellon interns.”

The Costs

In addition to the exceptions granted in the hiring process and the internships themselves, BNY Mellon also paid out money and non-monetary benefits in a manner different to others in the internship program. The Order stated, “BNY Mellon determined, because Interns A and B had already graduated from college, that Interns A and B should be paid above the normal salary scale for BNY Mellon undergraduate interns but below the scale for postgraduate interns. Intern C was unpaid. BNY Mellon also coordinated obtaining visas for all three of the Interns so that they could travel from the Middle East to work in the countries in which they were placed. BNY Mellon paid the legal fees and filing costs related to the visas. As the BNY Mellon Asset Management employee responsible for arranging two of the three internships wrote in a contemporaneous e-mail, the internships constituted an “expensive favor” for the requesting foreign official.” Indeed the Order cited to an email from one BNY Mellon employee who wrote, “I am working on an expensive ‘favor’ for [Official X] – an internship for his son and cousin (don’t mention to him as this is not official).” Further, BNY Mellon knew the request and accommodation was unethical, if not illegal, as the same employee wrote in another email, ““[W]e have to be careful about this. This is more of a personal request . . . [Official X] doesn’t want

[the Middle Eastern Sovereign Wealth Fund] to know about it.” The same employee later directed his administrative assistant to refrain from sending email correspondence concerning Official X’s internship request “because it was a personal favor.”

Lessons Learned Going Forward

I must emphasize once again that there is nothing illegal around the hiring of a close family member of a foreign governmental official. It does however present a higher risk for indicia of bribery and corruption and violation of the FCPA. A higher FCPA risk means you need to evaluate that risk more closely and manage that risk accordingly.

The obvious starting point for any hiring of a close family member of a foreign governmental official is whether the candidate is qualified for the position. If they are not qualified it is ‘Full Stop’ at that point. In the case of BNY Mellon there was no evidence any of the candidates had the academic background, the academic credentials, leadership traits or intangible skills to meet the bank’s normal internship hiring criteria. As with any other anomaly granted in a company’s normal process, there must be a documented reason for the exception, review by appropriate authority of the exception and documentation as to why the exception was granted. None of these steps were present in the BNY Mellon matter. Put another way, if you are hiring a family member or close relative of a foreign government official for any reason other than merit, it had better be a darn good one and well-documented as to your decision-making calculus with appropriate senior management oversight.

But your risk management does not stop simply with the hiring process. If the foreign governmental official is the person who made the request for the hiring of the family member, this is a Red Flag not to be overlooked. Your analysis needs to be on the role of that foreign governmental official in awarding new business to your company or in retaining old business. If the foreign governmental official has direct or even strong indirect control over such business relation, this may present such a direct conflict of interest, this may be a risk that you cannot manage. A good rule of thumb here is whether there is full transparency in the hiring with the foreign government involved with your company. In the case of BNY Mellon, they did not want anyone in the Sovereign Wealth Fund to know BNY Mellon had hired the son or nephew. That is a clear sign transparency is lacking and someone, somewhere is engaging in unethical conduct, if not breaking the law.

Finally, if you do decide to move forward and hire the close family member, you need to assign that new hire to work not associated with the business relationship between your company and the foreign government involved. Just as in the lifecycle of third party management, managing the relationship after a contract is inked is in many ways the most critical element; the same is true in the employment relationship involving close family members of foreign government officials.

Ultimately, you need to have internal controls to ensure effective compliance going forward. You cannot have customer relationship managers making the calls on hiring which over-ride the Human Resources (HR) procedures. There must be not only HR review but also mechanisms to flag for compliance review such hires. Lastly, there needs to be sufficient senior management oversight because this is such a high-risk proposition.

I hope you have enjoyed and found this two-part series on the BNY Mellon FCPA enforcement action and the lessons learned from it useful. The SEC Order provides a clear road map to the Chief Compliance Officer (CCO), compliance practitioner, HR professional or anyone else who reads it on the steps you should take in the hiring of a close family member of a foreign government official with which you are doing business. It may take some additional effort than simply having your business unit employees make the call on who to award prestigious internships to in order to obtain or retain business but in the long run you will have a better run company for doing so. FCPA enforcement is not a game and by doing compliance will make your company a more accurtely operated entity.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Leave a Comment

August 13, 2015

Cymbeline – Doing Virtue and FCPA Compliance

Filed under: Best Practices,Compliance,Compliance and Ethics,Culture,Department of Justice,Doing Compliance,Ethics,FCPA,SEC — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, FT, SEC, Wall Street Journal, WSJ

Commentators still level the hue and cry that it is somehow the fault of the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) that companies continue to violate the Foreign Corrupt Practices Act (FCPA). Things would improve if only the DOJ and SEC would (1) prosecute companies more aggressively; (2) prosecute companies less aggressively; (3) make an example of ‘rogue’ employees who violate their corporate overseers pronouncements not to violate the law; (4) prosecute more corporate executives to ‘send a message’; (5) amend and clarify the FCPA because the concept of do not pay bribes is somehow too complicated for mere mortals to understand; (6) implement a compliance defense because apparently the DOJ does not consider that enough in any decision to prosecute; and/or (7) as The Donald desires, simply do away with the FCPA to restore the ability to pay a fair price for fair corruption.

I thought about all of these varied and contradictory reasons when considering one of Shakespeare’s most enigmatic plays, Cymbeline. In an article in the Wall Street Journal (WSJ) entitled “The Long, Painful Drama of Self-Knowledge”, Stephen Smith considered the character Posthumus who was thought of as virtuous yet, through the crush of the plot, has his virtuous image shattered. Smith poses the question of “Why is Posthumus such a poor leader of himself, and a danger to others?” He answers his own question by saying, “The play suggests that his lack of self-knowledge, along with the flattery of his culture, make him overconfident.” In other words, he was human.

I thought about this analysis in the context of the recent accounting and financial scandal that engulfed the Toshiba Corporation in Japan. For those who did not follow the news, Toshiba announced last month that it had overstated its profits from 2008-2014 by over $1 billion dollars. This was in the face of the company having been publicly recognized for its good governance standards and practices. In an article in the Financial Times (FT), entitled “Japan Inc left shaken by Toshiba scandal”, Kana Inagaki reported, “On paper, it had a structure that gave its external directors the authority to many top executives and an auditing committee to monitor the behaviour of the company’s leaders. It was lauded for its efforts. In 2013, the group was ranked ninth out of 120 publicly traded Japanese companies with good governance practices in a list compiled by the “Japan Corporate Governance Network.””

But it was all a sham as it turned out that chairman of the audit committee was in on the fraud in addition to a plethora of top executives. Kota Ezawa, an analyst at Citigroup was quoted in the piece that “Toshiba was lauded as the frontrunner in governance efforts but that was a misunderstanding. Its governance structure looked good but the execution was not.” Ezawa further stated, “We need to make sure that companies understand that having structures is not enough.” So even a company with $52bn in annual sales must have more than a paper program.

For those who want to point to some defect in the Japanese corporate character, reminding us of the Olympus scandal from 2011, where successive corporate executives covered up long running accounting fraud, Andrew Hill, also writing for the FT in an article entitled “The universal dangers shown by Toshiba’s failings”, says not to point that self-righteous finger quite so quickly. He reminds readers of WorldCom from earlier this century. Being from Houston, I would remind readers of Enron and its accounting fraud as well. Hill cites to the work of Professor Michael Jones to identify four main types of accounting fraud, (1) increasing income, (2) decreasing expenses, (3) increasing assets, and (4) decreasing liabilities. Hill further notes that one common failing in all of these examples is the failure of internal controls. A second key failing is the “Unwillingness to challenge authority, a trait attributed to employees at Toshiba and Olympus — and often given an “only in Japan” spin — is a recurring problem everywhere, from Royal Bank of Scotland under Fred Goodwin to Fifa under Sepp Blatter.”

Hill’s explanation of the how and why of these accounting scandals is as age old as the time of Cymbaline. He wrote, “The most important lesson from Toshiba is about the malign impact of top-down pressure to meet unrealistic targets. Toshiba’s ex-chief executive denies having given direct instructions to staff to inflate profits. But the investigating panel said he told executives to “use every possible measure to achieve profitability” and added that Toshiba’s corporate culture did “not allow employees to go against the will of their superiors”.”

The lessons that Hill finds in the Toshiba accounting scandal are equally applicable to FCPA compliance and enforcement. It is not the DOJ or SEC’s “fault” when companies do not comply with the FCPA. It is up to the companies to which the law applies to comply with it. Make no mistake; it is quite simple not to pay bribes. One only has to wake up and say “I am not paying a bribe today, no matter what the economic benefit is to me”. Yet for a company, it is not easy because you have to not only put the appropriate controls in place, but you have to do compliance by ensuring these controls are executed upon. That was the failing of Toshiba, it had the controls in place but it did not execute on them.

I think this speaks directly as to why FCPA violations continue to occur and be prosecuted. Hill ended his piece by noting, “When aggressive targets, irresistible management pressure and weak controls coincide, misconduct can spread quickly. Rival companies see the inflated numbers and strain to match them. To suggest such weaknesses are confined to one corporate or national culture is a first step into dangerous complacency.” As long as humans are involved with corporations and there are incentives in place for more and greater sales, you will always have the motivation to cut corners and pay bribes. That impulse can be brought on by a bump in salary, a nice bonus, a promotion or sometimes simply keeping your job. That is why a compliance program must be put in place and those controls must be effective.

In Cymbeline the protagonist Posthumus learns that one key component of virtue is prudence. Near the end of his article on Shakespeare’s play Smith writes, “In his story, we glimpse one goal of Shakespearean drama: to help forge just such a character – an integrated human person capable of leading himself and others to peace, with the help of virtue.” For FCPA compliance, as long as there are incentives in place to make money, there will be people who cut corners by paying bribes. Yet companies can temper this by putting an effective compliance program in place and actually doing compliance. Much like Posthumus learns in Cymbeline it is one’s actions which lead to being virtuous; for a company, it is doing compliance that leads to it being called ethical.

© Thomas R. Fox, 2015

Leave a Comment

July 29, 2015

What Would Dr. Seuss Say about an Allowance?

Filed under: Accounting Records violations,Administrative Proceedings,compliance programs,Department of Justice,FCPA,Internal Controls,Mead Johnson,SEC — tfoxlaw @ 12:01 am
Tags: accounting provisions, Books and Records, Department of Justice, FCPABlog, Foreign Corrupt Practices Act, Internal Controls

Earlier this month we had the release of a second book by Harper Lee, “Go Set a Watchman”, which was miraculously discovered having been written some 50+ years ago. This week, there was another release from a (now deceased) author from a newly discovered source. I of course refer to the release yesterday of the new Dr. Seuss book “What Pet Should I Get?”, published Random House, which informs today’s compliance lesson.

The book was discovered by Seuss’ widow, as noted in the Sunday New York Times (NYT) Book Review article, entitled “Dr. Seuss Book: Yes They Found it in a Box”, when she decided to “have the rest of his notes and sketches appraised, that they closely examined the contents of that box. They found a set of brightly colored alphabet flash cards, some rough sketches titled “The Horse Museum,” and a manila folder marked “Noble Failures,” with whimsical drawings that he had been unable to find a place for in his stories. But alongside the orphaned sketches was a more complete project labeled “The Pet Shop,” 16 black-and-white illustrations, with text that he had typed on paper and taped to the drawings. The pages were stained and yellowed, but the story was all there, in Dr. Seuss’ unmistakable rollicking rhymes.” This finding became the book, What Pet Should I Get?

Reading this discovery made me ponder about how a child would pay for the pet they wanted and of course my thoughts turned to that age-old parenting quandary – the allowance. It is always a question of great interest for both parents and children. As with many things involving parent/child relationships, my views have evolved. As a teenager, I certainly had the view that an allowance was a God-given right and the more the better. I would only note that my parents did not share those views. As the father of a teenaged daughter, my views reached the much fuller expression of spoiling my daughter as often as possible. Which one is correct? I still do not have a final answer.

I thought about the ongoing debate and dialogue over the allowance when I read the Foreign Corrupt Practices Act (FCPA) enforcement action brought by the Securities and Exchange Commission (SEC) against Mead Johnson Nutrition Company (Mead Johnson). The matter was resolved via SEC Administrative proceeding that concluded with a Cease and Desist Order being agreed to by the parties. Mead Johnson agreed to pay a fine of $12.3MM which consisted of profit disgorgement of $7.7MM, prejudgment interest of $1.26MM and a civil penalty of $3MM. Kara Brockmeyer, Chief of the SEC Enforcement Division’s FCPA Unit, said in a SEC Press Release, “Mead Johnson Nutrition’s lax internal control environment enabled its subsidiary to use off-the-books slush funds to pay doctors and other health care professionals in China to recommend its baby formula and give the company marketing access to mothers.”

The enforcement action turned on violations of the accounting provisions of the FCPA. This is where the ‘allowance’ issue comes into the discussion. According to the Cease and Desist Order, “certain employees of Mead Johnson China improperly compensated HCPs, who were foreign officials under the FCPA, to recommend Mead Johnson’s infant formula to, and to improperly provide contact information for, expectant and new mothers.” One of Mead Johnson’s sales channels in China was through distributors. To facilitate this illegal conduct, funding to the distributors, called the “Distributor Allowance”, was diverted to make illegal payments. The Cease and Desist Order stated, “Although the Distributor Allowance contractually belonged to the distributors, certain members of Mead Johnson China’s workforce exercised some control over how the money was spent, and certain Mead Johnson China employees provided specific guidance to distributors concerning the use of the funds. Mead Johnson China staff also maintained certain records related to Distributor Allowance expenditure by distributors. In addition, Mead Johnson China used some of the funds to reimburse Mead Johnson China’s sales personnel for a portion of their marketing and other expenditures on behalf of Mead Johnson China.”

This tactic was clearly a violation of the company’s books and records obligations under the FCPA. By doing so, Mead Johnson was able to hide its payments to doctors and health care providers (HCPs) from not only regulators but the company’s shareholders as well. As the Cease and Desist Order noted, the company’s “records were incomplete and did not reflect that a portion of Distributor Allowance was being used contrary to Mead Johnson’s policies.” Finally, the Cease and Desist Order concluded, “Up through 2013, certain Mead Johnson China employees made payments to HCPs using funds maintained by third parties. These funds and payments from the funds were not accurately reflected on Mead Johnson China’s books and records. The books and records of Mead Johnson China were consolidated into Mead Johnson’s books and records. As a result of the misconduct of Mead Johnson China, Mead Johnson failed to make and keep books, records, and accounts, which, in reasonable detail, accurately and fairly reflected its transactions as required by Section 13(b)(2)(A) of the Exchange Act.”

However Mead Johnson did not stop with books and records violations. The Distributor Allowance manipulation allowed the China business unit to “improperly compensate HCPs was contrary to management’s authorization and Mead Johnson’s internal policies. Mead Johnson failed to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that Mead Johnson China’s funding of marketing and sales expenditures through third-party distributors was done in accordance with management’s authorization.” Once again the Cease and Desist Order concluded, “Up through 2013, Mead Johnson failed to devise and maintain an adequate system of internal accounting controls to ensure that Mead Johnson China’s method of funding marketing and sales expenditures through third-party distributors was not used for unauthorized purposes, such as improperly compensating Chinese HCPs to recommend Mead Johnson’s products. As a result of such failure, the improper payments to HCPs occurred contrary to management’s authorizations, in violation of Section 13(b)(2)(B) of the Exchange Act.”

In an interesting twist Mead Johnson, based on an allegation of potential FCPA violations in China, performed an internal investigation on its China unit in 2011 and came up with no evidence. Somewhat dryly the SEC noted that the company did not make any self-disclosure around these allegations and “did not thereafter promptly disclose the existence of this allegation in response to the Commission’s inquiry into this matter.”

Yet after a second internal investigation in 2013 they turned up evidence of FCPA violations, the company “undertook significant remedial measures including: termination of senior staff at Mead Johnson China; updating and enhancing financial accounting controls; significantly revising its compliance program; enhancing Mead Johnson’s compliance division, adding positions including a second senior-level position; establishing new business conduct controls and third party due-diligence procedures and contracts; establishing a unit in China that monitors compliance and controls in China on an on-going basis; and providing employees with a method to have immediate access the company’s policies and requirements.”

While there was no statement regarding self-disclosure, the company did cooperate extensively with the SEC after the company was called to task. The Cease and Desist Order noted, “Mead Johnson subsequently provided extensive and thorough cooperation. Mead Johnson voluntarily provided reports of its investigative findings; shared its analysis of documents and summaries of witness interviews; and responded to the Commission’s requests for documents and information and provided translations of key documents. These actions assisted the Commission staff in efficiently collecting valuable evidence, including information that may not have been otherwise available to the staff.”

There are several lessons to be learned from the Mead Johnson enforcement action. If it was not clear from the GlaxoSmithKline PLC (GSK) imbroglio in China in 2013-14, your internal investigation must be thorough. Performing an investigation, finding no FCPA violations only to have a regulator sitting on your shoulder and later finding such evidence is never good. The SEC also reaffirmed its clear intention to continue to enforce the accounting provisions of the FCPA, with or without a parallel Department of Justice (DOJ) enforcement action. Companies must also take heed on their internal controls. Clearly certain China business unit employees had developed a work-around of the compliance internal controls by requiring the distributors to use their allowances to pay bribes. Internal controls must not only exist but they must be effective. That means you have to test their effectiveness, not simply tick the box that you have put them in place.

Finally, and I think Dr. Seuss’ compliance lesson is that when you give out an allowance, while you may restrict some of its uses, you certainly should not direct where the money is spent. Every kid knows that if you are told where to spend your allowance, it is really not your allowance. Perhaps Mead Johnson would do well to remember that long lost lesson from childhood.

© Thomas R. Fox, 2015

Leave a Comment

July 17, 2015

Great Structures Week V – The Tacoma Narrow Bridge Failure and Preventing Failure in Your Compliance Program

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs,FCPA,Third parties — tfoxlaw @ 12:01 am
Tags: best practices, compliance programs, Department of Justice, FCPA, Foreign Corrupt Practices Act

I conclude my Great Structures Week with a focus on structural engineering failures: suspension bridges and the challenges of wind in their construction and maintenance. I am drawing these posts from The Great Courses offering, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. In his chapter on suspension bridges he notes that the “Tacoma Narrows Bridge was the third longest span in the world when it opened to the world, this month of July in 1940.” Yet it collapsed only four months later, in one of the most famous visual images of a bridge’s collapsing. This is due to the “inherent flexibility of cable as a structural form”. A bridge can move in longitudinal vibration, that is up and down and in torsion, where it twists from side-to-side.

Most people recognize unstiffened suspension bridges as old as man and engineering itself. It was not until the 1820s that serious study was brought to bear on the issue of wind-related collapse of suspension bridges. The initial solution was to simply use more weight to reinforce the span. However, while that solution did bring some stability, it reinforced damage as the structure became a textbook example of Newton’s Second Law of Motion, which states that the acceleration of an object is dependent upon two variables – the net force acting upon the object and the mass of the object; meaning that once a heavy weight is in motion, it is more resistant to deceleration.

Yet it was scientific methodology that led to the disaster with the Tacoma Narrows Bridge. An engineer named Leon Moisseiff had developed a theory that long spanned suspension bridges were heavy enough that they did not require stiffening trusses because “their mass stabilized them against wind-induced vibrations.” However this theory failed to take into account how air flows around a bridge and the “dynamic response of the structural system.” Ressler concludes this section by stating, “this case has become a classic symbol of the dangers of arrogance born of overconfidence in science-based design methods, and belt-and-suspenders engineering has made a bit of a comeback.”

I thought about the catastrophic failure of the Tacoma Narrows Bridge in the context of one of the greatest risks in Foreign Corrupt Practices Act (FCPA) compliance; that being third parties. Many non-compliance corporate employees assume that if a third party passes due diligence muster; they are in the clear. After all, you cannot stop a third party from making a bribe or other corrupt payment. Fortunately the Department of Justice (DOJ) does not take such a myopic view as many business types. Under the FCPA, a company is responsible for the actions of its third party representatives.

The real work around your third party compliance program begins after the contract is signed and it is in the management of the third party relationship. While the FCPA Guidance itself only provides that “companies should undertake some form of ongoing monitoring of third-party relationships”. Diana Lutz, writing in the White Paper by The Steele Foundation entitled “Global anti-corruption and anti-bribery program best practices”, said, “As an additional means of prevention and detection of wrongdoing, an experienced compliance and audit team must be actively engaged in home office and field activities to ensure that financial controls and policy provisions are routinely complied with and that remedial measures for violations or gaps are tracked, implemented and rechecked.”

Carol Switzer, writing in the Compliance Week magazine, set out a five-step process for managing corruption risks, which I have adapted for third parties.

Screen – Monitor third party records against trusted data sources for red flags.
Identify – Establish helplines and other open channels for reporting of issues and asking compliance related questions by third parties.
Investigate – Use appropriately qualified investigative teams to obtain and assess information about suspected violations.
Analyze – Evaluate data to determine “concerns and potential problems” by using data analytics, tools and reporting.
Audit – Finally, your company should have regular internal audit reviews and inspections of the third party’s anti-corruption program; including testing and assessment of internal controls to determine if enhancement or modification is necessary.

Additionally there several different functions in a company that play a role in the ongoing monitoring of the third party. While there is overlap, I believe that each role fulfills a critical function in any best practices compliance program.

Relationship Manager

There should be a Relationship Manager for every third party which your company does business. The Relationship Manager should be a business unit employee who is responsible for monitoring, maintaining and continuously evaluating the relationship between your company and the third party.

Compliance Professional

Just as a company needs a subject matter expert (SME) in anti-bribery compliance to be able to work with the business folks and answer the usual questions that come up in the day-to-day routine of doing business internationally, third parties also need such access. A third party may not be large enough to have its own compliance staff so I advocate a company providing such a dedicated resource to third parties. This role can also include anti-corruption training for the third party, either through onsite or remote mechanisms. The compliance practitioner should work closely with the relationship manager to provide advice, training and communications to the third party.

Oversight Committee

A company can have an Oversight Committee review documents relating to the full panoply of a third party’s relationship with the company. It can be a formal structure or some other type of group but the key is to have the senior management put a ‘second set of eyes’ on any third parties who might represent a company in the sales side. In addition to the basic concept of process validation of your management of third parties, as third parties are recognized as the highest risk in FCPA or Bribery Act compliance, this is a manner to deliver additional management of that risk.

After the commercial relationship has begun the Oversight Committee should monitor the third party relationship on no less than an annual basis. This annual audit should include a review of remedial due diligence investigations and evaluation of any new or supplement risk associated with any negative information discovered from a review of financial audit reports on the third party. The Oversight Committee should review any reports of any material breach of contract including any breach of the requirements of the Company Code of Ethics and Compliance. In addition to the above remedial review, the Oversight Committee should review all payments requested by the third party to assure such payment is within the company guidelines and is warranted by the contractual relationship with the third party. Lastly, the Oversight Committee should review any request to provide the third party any type of non-monetary compensation and, as appropriate, approve such requests.

Audit

A key tool in managing the relationship with a third party post-contract is auditing the relationship. I hope that you will have secured audit rights, as that is an important clause in any compliance terms and conditions. Your audit should be a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which your compliance terms and conditions are followed.

Perhaps now you will understand why I say that managing the relationship of your third party’s is where the real work of your FCPA compliance program comes to the fore. It also demonstrates a key difference in having a paper compliance program and doing compliance. Having a paper compliance program is simple but doing compliance is not always easy; you have to work at it to maintain an effective program.

I hope that you have enjoyed this week’s offering based around some of the world’s greatest structures, their engineering concepts and innovations and how they all related to a best practices compliance program. I am a huge fan of The Great Courses offerings and if you are interested in learning in a great many areas it is one of the best resources available to you. For a more detailed discussion of how you can develop and implement a best practices anti-corruption compliance program, I hope you will check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

For a dramatic video of the collapse of the Tacoma Narrows Bridge on YouTube, click here.

© Thomas R. Fox, 2015

Leave a Comment

July 16, 2015

Great Structures Week IV – The Gothic Cathedral and Compliance Incentives

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs,FCPA — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, FCPA, Foreign Corrupt Practices Act

I continue my Great Structures Week with focus on great structural engineering and its innovations in the medieval world – that being the Gothic Cathedral. I am drawing these posts from The Great Courses offering, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. When it comes to Gothic Cathedrals, Ressler notes that they are a rich case study in the development of “architecture and the limits of empirical design, literally written into the walls of the buildings.”

The innovation of the Gothic Cathedral was to use elements of the Roman basilica but to add “height and light, featuring ever taller naves, pierced by ever-larger clerestory windows, and delineated by ever-more-slender engaged columns”. The first innovation came with the pointed arch followed by ribbing on the columns to help stiffen and strength them more effectively. However the truly dynamic innovation was the creation of flying buttresses, which were huge additional columns outside the structure yet were designed to become load-bearing members so the highest point inside the cathedrals could be filled by light through ornately stained glass windows. Two of the finest examples of these Gothic Cathedrals are both found in France. They are the Cathedral of Our Lady at Chartres and Cathedral of St. Stephens at Bourges.

Just as the medieval world built up the structural engineering techniques from their forebears, as your compliance regime matures you can implement more sophisticated strategies to make your Foreign Corrupt Practices Acct (FCPA) compliance program a part of the way your company does business. Using an article in the Spring 2014 issue of the MIT Sloan Management Review, entitled “Combining Purpose with Profits”, as a basis, I have developed six core principles for incentives, for the compliance function in a best practices compliance program.

1. Compliance incentives don’t have to be elaborate or novel. The first point is that there are only a limited number of compliance incentives that a company can meaningfully target. Evidence suggests the successful companies are the ones that were able to translate pedestrian-sounding compliance incentive goals into consistent and committed action.
2. Compliance incentives need supporting systems if they are to stick. People take cues from those around them, but people are fickle and easily confused, and gain and hedonic goals can quickly drive out compliance incentives. This means that you will need to construct a compliance function that provides a support system to help them operationalize their pro-incentives at different levels, and thereby make them stick. The specific systems which support incentives can be created specifically to your company but the key point is that they are delivered consistently because it signals that management is sincere.
3. Support systems are needed to reinforce compliance incentives. One important form of a supporting system for compliance incentives “Is to incorporate tangible manifestations of the company’s pro-social goals into the day-to-day work of employees.” Make the rewards visible. As stated in the FCPA Guidance, “Beyond financial incentives, some companies have highlighted compliance within their organizations by recognizing compliance professionals and internal audit staff. Others have made working in the company’s compliance organization a way to advance an employee’s career.”
4. Compliance incentives need a “counterweight” to endure. Goal-framing theory shows how easy it is for compliance incentives to be driven out by gain or hedonic goals, so even with the types of supporting systems it is quite common to see executives bowing to short-term financial pressures. Thus, a key factor in creating enduring compliance incentives is a “counterweight”; that is, any institutional mechanism that exists to enforce a continued focus on a nonfinancial goal. This means that in any financial downturn compliance incentives are not the first thing that gets thrown out the window and if my oft-cited hypothetical foreign Regional Manager misses his number for two quarters, he does not get fired. So the key is that the counterweight has real influence; it must hold the leader to account.
5. Compliance incentive alignment works in an oblique, not linear, way. The authors state, “In most companies, there is an implicit belief that all activities should be aligned in a linear and logical way, from a clear end point back to the starting point. The language used — from cascading goals to key performance indicators — is designed to reinforce this notion of alignment. But goal-framing theory suggests that the most successful companies are balancing multiple objectives (pro-social goals, gain goals, hedonic goals) that are not entirely compatible with one another, which makes a simple linear approach very hard to sustain.” What does this mean in practical terms for your compliance program? If you want your employees to align around compliance incentives, your company will have to “eschew narrow, linear thinking, and instead provide more scope for them to choose their own oblique pathway.” This means emphasizing compliance as part of your company’s DNA on a consistent basis — “the intention being that by encouraging individuals to do “good,” their collective effort leads, seemingly as a side-effect, to better financial results. The logic of “[compliance first], profitability second” needs to find its way deeply into the collective psyche of the company.”
6. Compliance incentive initiatives can be implemented at all levels. Who at your company is responsible for pursuing compliance incentives? If you head up a division or business unit, it is clearly your job to define what your pro-social goals are and to put in place the supporting structures and systems described here. But what if you are lower in the corporate hierarchy? It is tempting to think this is “someone else’s problem,” but actually there is no reason why you cannot follow your own version of the same process.

Looking for some specific compliance obligations to measure against? You could start with the following examples of compliance obligations that are measured and evaluated.

For Senior Management

• Lead by example in your own conduct and in the decisions you take, to the resources and time you commit to compliance.
• Facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally.
• Support specific initiatives from the Chief Executive Officer (CEO), legal and compliance functions.

For Middle Management

• Demonstrate, facilitate and proactively practice in day-to-day activities the key compliance competencies, both internally and externally.
• Support specific initiatives from the legal and compliance functions.
• Ensure that all employees, agents and contractors directly or indirectly reporting to you fully complete all required training and communications in a timely manner.
• Provide full cooperation with investigations conducted by the compliance or legal functions of any alleged violation of compliance policies.
• Include the Chief Compliance Officer (CCO) or another legal or compliance function representative in your management meetings at least twice per year, per geography.
• Identify instances of non-compliance and support compliance monitoring and reporting systems.
• Partner with compliance in resolving compliance issues.

For Business Development or Company Sales Representatives

• Certify that all employees, agents and contractors directly or indirectly reporting to you have fully reported all sales and marketing interactions with all government officials in a timely manner.
• Certify that all employees, agents and contractors directly or indirectly reporting to you have fully, promptly and accurately reported all expenses with third party sales representatives have occurred.

The Gothic Cathedral is one of the greatest structural engineering feats mankind has ever created. It combined a dimension of height not surpassed for nearly 1000 years with an ingress of light not previous seen in structures. This use of light facilitated the development of the artistry of stained-glass windows.

For a review of what goes into the incentive structures of a best practices compliance program, I would suggest you check my book Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.
© Thomas R. Fox, 2015

Leave a Comment

July 6, 2015

The All-Star Game and Tone at the Top

Filed under: Best Practices,Bribery Act,compliance programs,Department of Justice,FCPA,FCPA Guidance,OECD,Ten Hallmarks of an Effective Compliance Program,Tone at the Top — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act

Today is the 83^rd anniversary of the initial Major League Baseball (MLB) All-Star Game, which took place on this date in 1933, in Chicago’s Comiskey Park. The brainchild of a determined sports editor, the event was designed to bolster the sport and improve its reputation during the darkest years of the Great Depression. The sports editor of the Chicago Tribune convinced his owner to allow him to lobby for the game with MLB’s Commissioner, Kenesaw Mountain Landis, and the owners. To win over the public, they allowed fan balloting for the Game’s players. The proceeds went to a charity for retired baseball players. The Game was a rousing success and has continued as an institution to this day.

The conception and execution of the first All-Star Game shows what a committed tone from top management can create. Last week I wrote a couple of posts dealing with the tone for an organization around compliance with anti-corruption laws such as the Foreign Corrupt Practices Act (FCPA); one on tone in the middle and one on tone at the bottom. As usual, when I begin writing about a topic, I do not seem to be able to start where I thought I would end. So today, with the anniversary of the first MLB All-Star Game in mind, I decided to round out my triumvirate of posts by concluding with some thoughts on Tone at the Top and the reasons why it is so important to any anti-corruption compliance program.

Quite simply, any compliance program starts at the top and flows down throughout the company. Before you arrive at tone in the middle and bottom, it must start with a commitment at the top. All regulatory schemes for anti-corruption compliance recognize this key hypothesis. The concept of an appropriate tone at the top is in the US Sentencing Guidelines for organizations accused of violating the FCPA; the FCPA Guidance; the UK Bribery Act’s Six Principles of Adequate Procedures; and the OECD Good Practice Guidance on Internal Controls, Ethics and Compliance (OECD Good Practices). The reason all of these guidelines incorporate it into their respective practices is that all employees look to the top of the company to see what is important.

The US Sentencing Guidelines reads:

High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program … and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

The OECD Good Practices reads:

strong, explicit and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programs or measures for preventing and detecting foreign bribery;

The UK Bribery Act’s Six Principles of Adequate Procedures reads:

The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.

The FCPA Guidance, under the section entitled “Commitment from Senior Management and a Clearly Articulated Policy Against Corruption”, states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company. Managers and employees take their cues from these corporate leaders. Thus, DOJ and SEC consider the commitment of corporate leaders to a “culture of compliance” and look to see if this high-level commitment is also reinforced and implemented by middle managers and employees at all levels of a business.” But the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) expect more than simply to have senior management say the right things. They both expect that such message will be pushed down the ranks of an enterprise so that “A strong ethical culture directly supports a strong compliance program. By adhering to ethical standards, senior managers will inspire middle managers to reinforce those standards. Compliant middle managers, in turn, will encourage employees to strive to attain those standards throughout the organizational structure. In short, compliance with the FCPA and ethical rules must start at the top. DOJ and SEC thus evaluate whether senior management has clearly articulated company standards, communicated them in unambiguous terms, adhered to them scrupulously, and disseminated them throughout the organization.”

The FCPA world is riddled with cases where the abject failure of any ethical “Tone at the Top” led to enforcement actions and large monetary settlements. In the two largest monetary settlements of enforcement actions to date, Siemens and Halliburton, for the actions of its former subsidiary KBR, the government specifically noted the companies’ pervasive tolerance for bribery. In the Siemens case, for example, the SEC noted that the company’s culture “had long been at odds with the FCPA” and was one in which bribery “was tolerated and even rewarded at the highest levels”. Likewise, in the Halliburton matter, the government noted that “tolerance of the offense by substantial authority personnel was pervasive” throughout the organization.

So how can a company overcome these employee attitudes and set, or re-set, its “Tone at the Top”? In a 2008 speech to the State Bar of Texas Annual Meeting, reprinted in Ethisphere, Larry Thompson, PepsiCo Executive Vice President (EVP) of Governmental Affairs, General Counsel (GC) and Secretary, discussed the work of Professor Lynn Sharp at Harvard. From Professor Sharp’s writings, Mr. Thompson cited five factors, which are critical in establishing an effective integrity program and to set the right “Tone at the Top”.

The guiding values of a company must make sense and be clearly communicated.
The company’s leader must be personally committed and willing to take action on the values.
A company’s systems and structures must support its guiding principles.
A company’s values must be integrated into normal channels of management decision-making and reflected in the company’s critical decisions.
Managers must be empowered to make ethically sound decisions on a day-to-day basis.

David Lawler, writing in his book “Frequently Asked Questions in Anti-Bribery and Corruption”, boiled it down as follows “Whatever the size, structure or market of a commercial organization, top-level management’s commitment to bribery prevention is likely to include communication of the organization’s anti-bribery stance and appropriate degree of involvement in developing bribery prevention procedures.” Lawler went on to provide a short list of points that he suggests senior management engage in to communicate the type of tone to follow an anti-corruption regime. I had a Chief Executive Officer (CEO) of a client who, after I described his role in a best practices compliance program, observed, “You want me to be the ambassador for compliance.” I immediately averred in the affirmative. The following is a list of things that a CEO can do as an ‘Ambassador of Compliance’:

Reject a ‘do as I say, not as I do’ mentality;
Not just ‘talk-the-talk’ but ‘walk-the-walk’ of compliance;
Oversee creation of a written statement of a zero tolerance towards bribery and corruption;
Appoint and fully resource, with money and headcount, a Chief Compliance Officer (CCO);
Oversee the development of a Code of Conduct and written compliance program implementing it;
Ensure there are compliance metrics on all key business reports;
Provide leadership to middle managers to facilitate filtering of the zero tolerance message down throughout the organization;
Not only have a whistleblowing, reporting or speak up channel but celebrate it;
Keep talking about doing the right thing;
Make sure that you are seen providing your CCO with access to yourself and the Board of Directors.

Coming at it from a different perspective, author Martin Biegelman provides some concrete examples in his book, entitled “Building a World Class Compliance Program – Best Practices and Strategies for Success”. He begins the chapter discussed here with the statement “The road to compliance starts at the top.” There is probably no dispute that a company takes on the tone of its top management. Biegelman cites to a list used by Joe Murphy regarding actions a CEO can demonstrate to set the requisite tone from the Captain’s Chair of any business. The list is as follows:

Keep a copy of the Constitution on your Desk. Have a dog-eared copy of your company’s Code of Conduct on your desktop and be seen using it.
Clout. Make sure your compliance department has authority, influence and budget within the company. Have your Chief Compliance Officer report directly to the Board of Directors.
Make them Accountable. At Senior Executive meetings, have each participant report on what they have done to further the compliance function in their business unit.
Sticks and Carrots. Have both sanctions for violation of company compliance and ethics policies and incentives for doing business in a compliant manner.
Don’t do as I say, Do as I do. Turn down an expensive dinner or trip offered by a vendor. Pass on a gift that you may have received. Turn down a transaction based upon ethical considerations.
Be a Student. Be seen at intra-company compliance training. Take a one or two day course or attend a compliance conference outside your organization.
Award Compliance. You should recognize outstanding compliance efforts with companywide announcements and awards.
The Board. Recruit a nationally known compliance expert to sit on your company’s Board and chair the audit or compliance committee.
Independent Review. Obtain an independent, outside review of your company’s compliance program and report the results to the Board’s Audit Committee.
Vendors. Mandate that all vendors in your Supply Chain embrace compliance and ethics as a business model. If not, pass on doing business with them.
Network. Talk to others in your industry and your peers on how to improve your company’s compliance efforts.

Many companies struggle with some type of metric that can be used for upper management regarding compliance and communication of a company’s compliance values. One technique might be to require the CEO to post companywide emails or other communications once a quarter on some compliance related topic. The CEO’s direct reports would then also be required to email their senior management staff a minimum of once per quarter on a compliance topic. One can cascade this down the company as far as is practicable. Reminders can be set for each communication so that all personnel know when it is time to send out the message. If these communications are timely made, this metric has been met.

I hope that you can use some of the techniques for setting, creating and moving an appropriate tone for compliance throughout your organization. And, of course, enjoy the 2015 All-Star Game. Although the Astros now play in the American League (AL), my heart is still with the National League (NL).

© Thomas R. Fox, 2015

Leave a Comment

June 25, 2015

Custer’s Last Stand and Risk Management

Filed under: Best Practices,Chief Compliance Officer,Compliance,Compliance and Ethics,compliance programs,FCPA,Risk Assessment,Risk Management — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, Risk Management

On this day in 1876 one of the greatest failures in risk management took place when Lieutenant Colonel George Armstrong Custer and his entire 7^th Cavalry were wiped out at the Battle of the Little Big Horn. Custer had split his command into three wings and he took his battalion of 200 or so men down the center of what he thought would be little resistance. Instead he found that he was facing a far superior force of 3000 largely Sioux warriors who quickly overwhelmed and defeated Custer’s command, with all US troops being killed. There is now some debate on whether all the cavalrymen were actually killed by the Native Americans or took their own lives, saving the last bullet for themselves, in western parlance.

Historians have debated over time the reason for Custer’s defeat. Was it arrogance; bad intelligence; faulty command, just plain stupidity or even a wish for martyrdom by Custer? Whichever the cause, it was the worse defeat of the US Army by Native Americans in the Western campaigns of the later 1800s. Today, it might be termed as a faulty assessment and management of the risks involved.

I thought about Custer and his defeat when I read a recent article in the Harvard Business Review (HBR), entitled “Strategy How to Live With Risks”. It presented risk, risk assessments and risk management in a new light, a key acumen being that risk management should be used as a “protection shield, not an action stopper.” It was based upon a research paper by the CEB, entitled “Reducing Risk Management’s Organizational Drag”, which I thought it had some interesting insights for the Chief Compliance Officer (CCO) or compliance practitioner.

The first insight is that, in many instances, companies are assessing risks that are in the rear-view mirror. The author pointed to the Sarbanes-Oxley (SOX) Act, passed in response to the Enron and Worldcom accounting scandals in noting, “In the wake of the 2008 financial crisis many large banks changed their business models, and other companies implemented systems to better manage credit risks or eliminate overreliance on mathematical models.” This type of mentality can lead to what the author says, is “a variation on what military historians call “fighting the last war.” As memories of the recession fade, leaders worry that risk management policies are impeding growth and profits without much gain.” The author went on to quote Matt Shinkman of CEB, a member based advisory company, for the following insight “Firms are questioning whether the models they put in place after the financial crisis are working—and more fundamentally questioning the role of risk management in their organizations.”

This retrospective look back is coupled with what the author says is a decision making process which “is too slow, in part because of an excessive focus on preventing risk” and not managing risk; in other words, companies were slowed down even further by something termed “organizational drag”. Companies need to find new mechanisms to assess and manage risk going forward. The best way to do so, many companies have indicated, is through reorganizing or reprioritizing risk management and the article presented “three best practices” in doing so.

Strike the Right Balance Between Risk and Reward

Recognizing that risk management is often simply ‘just saying no’, the HBR articcle suggests that “Today’s risk managers see their role as helping firms determine and clarify their appetite for risk and communicate it across the company to guide decision making. In some cases this means helping line managers reduce their risk aversion.” The interesting insight I found here is that if an asset is low performing it may be because the management is so risk averse. This may present a CCO or compliance practitioner with an opportunity to increase growth through other risk management solutions that they could implement.

Focus on decisions, not process

This insight is one that CCO and compliance practitioners should think about and try and implement. Recognizing that risk assessments are important, the author believes that risk managers should focus more on decisions concerning risk rather than the process of determining risk. This means, “In addition to relying on paperwork or process, risk managers are turning to tools (such as dashboards that show risks in real time) and training that help employees assess risk. They are also helping companies factor a better understanding of risk into their decision making.”

By having a seat at the senior management’s table, a CCO or compliance practitioner can help identify risk issues early on in planning. This allows a COO to help craft a risk management solution, or even better yet show colleagues how to “spot potential problems and managers see how their projects fit into the company’s overall portfolio of projects, each with its own set of risks.” The author again quoted Shinkman, “This is less about listing risks from a backward-looking perspective and more about picking the right portfolio of risky projects.”

Make employees the first line of defense

The author channels his inner Howard Sklar (water is wet) by stating, “Decisions don’t make themselves, people make them”. However from that insight, the author believes that “smart companies work to improve employees ability to incorporate appropriate levels of risk when making choices.” But this means you must not only adequately train your employees to spot the appropriate risk but you, as CCO must provide them with tools to manage the risk. The author wrote, “Companies are also trying to identify which types of jobs or departments face a disproportionate share of high-risk decisions so that they can aim their training at the right people. They’re focusing that training less on risk awareness and more on simulations or scenarios that let employees practice decision making in risky situations. Finally, risk managers are becoming more involved in employee exit interviews, because people leaving an organization often identify risks that others aren’t able or willing to discuss.”

The article ends by noting that the goal is “to transform risk management from a peripheral function to one with a voice integrated into the day-to-day management” of an organization. That is also viewed as a component of CCO 2.0 and a more mature model of improvement. By focusing on training employees on how to spot Foreign Corrupt Practices Act (FCPA) compliance risks and then providing them with the tools to adequately manage that risk, CCOs can deliver greater value.

Comments (2)

June 24, 2015

Pink Flamingos and the Compliance Audit

Filed under: Audit,Best Practices,Chief Compliance Officer,Compliance,Compliance and Ethics,compliance programs,Department of Justice,FCPA,FCPA Guidance,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, New York Times, NYT

The creator of one of the most ubiquitous symbols of mid-century Americana died earlier this week. Don Featherstone, the creator of the pink plastic lawn flamingo, the ultimate symbol of American lawn kitsch, has died. He was 79. Featherstone, a trained sculptor with a classical art background, created the flamingo in 1957 for plastics company Union Products, modeling it after a bird he saw in National Geographic. Millions of the birds have been sold. Whether you think of the Pink Flamingo as a symbol of Miami Vice, Jon Waters and Devine or for something less salacious, here is to Featherstone, a true original.

While Featherstone created one of the ultimate symbols of the second half of the 20^th century for a generation of South Floridians, the Japanese company Takata Corporation (Takata) continues to be in the news for much less prestigious reasons. As reported in the New York Times (NYT), in an article entitled “Senate Panel Says Tanaka Cut Audits on Safety”, Hiroko Tabuchi and Danielle Ivory said “In the middle of what would become the largest automotive recall in US history, the Japanese airbag manufacturer Takata halted global safety audits to save money”. Interesting (or perhaps ominously might be a better word) Takata responded by saying it had not halted safety audits for products but rather for worker safety. Doesn’t that give you some comfort?

A US Senate committee report found that “Takata halted global safety audits at its manufacturing plants in 2009, a year after Honda had started recalling a small number of cars to replace the airbags.” These audits were later restarted in 2011 but when they found safety issues related to airbag manufacturing in two key plants, “those findings were not shared with Takata’s headquarters in Tokyo, the report said, citing internal emails from Takata’s safety director at the time.” Moreover, “when the safety director returned to the plant months later to conduct a follow-up audit, employees appeared to scramble to create the appearance of a safety committee within the plant.” Finally, and perhaps most damningly, the report cited an internal Takata email which said, “No safety committee, as such, has been formed” at the plants in question.

Foreign Corrupt Practices Act (FCPA) compliance in many ways follows some of the paths laid out by corporate safety departments some 20-30 years ago when safety became much more high profile in US corporations. The safety committee and safety audits became mainstays of any best practices in the area of safety for a company. These techniques inform any anti-corruption best practices compliance program, either under the FCPA, UK Bribery Act or any other anti-corruption regime. Indeed audits are specifically delineated in the FCPA Guidance as a way to assist in the continuous monitoring of your compliance regime. Such an audit can be thought of as a systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the compliance criteria are fulfilled. There are three factors which are critical and unfortunately with Takata seemed to be lacking in its safety audit protocol: (1) an effective audit program which specifies all necessary activities for the audit; (2) having competent auditors in place; and (3) an organization that is committed to being audited.

Auditing can take several different forms in an anti-compliance program. As a matter of course, you should audit the compliance program in your own organization. A forensic audit can collect and analyze accounting and internal-controls evidence in your compliance regime. This information can be used to produce a fact-based report that can inform the decision-making process in inquiries, investigations and dispute resolution. The by-products of a forensic audit can include remediation strategies to help a company mitigate and remedy procedural or internal-controls gaps that allowed the underlying issue to occur. Further, an internal audit can review a compliance process to determine if employees are following prescribed processes or internal controls, in an operational Sarbanes-Oxley (SOX) or FCPA compliance audit.

In addition to the collection and analysis of evidence, an auditor’s objective is to attest to the credibility of assertions that are under examination, such as the material accuracy of financial statements for which the audited company’s management is responsible. Obviously one of the functions of such an audit is to determine if further investigation is warranted.

Now imagine if this scenario had been followed by Takata. The lack of a safety committee is a glaring omission at any manufacturing facility. Simply noting this and reporting it up the chain could have gone some way towards preventing the situation the company now finds itself in; with a worldwide recall of up to 32 million vehicles. The same is true for a compliance audit. Just as monitoring can provide information to you on a more real-time basis; a compliance audit compliments this real-time oversight with a much deeper dive into what has happened on a historical basis.

The recent BHP Billiton FCPA enforcement action is certainly one to look at in this context. Although there was a committee set up to review gifts and travel requests for the company’s 2008 Olympic hospitality program, the committee did not fulfill this charge. It was alleged in the Securities and Exchange Committee (SEC) settlement documents that this committee was never intended to pass muster on the applications for tickets and travel for government officials but was simply there to provide guidance.

Once again this situation points out the difference between having a paper compliance program in place and the actual doing of compliance. Even with an appropriate oversight structure in place BHP Billiton did not do the work of compliance by evaluating the applications for travel and tickets to the Beijing Olympics but left it to the devices of the business unit employees who were making the requests and ultimately most directly benefited from the gifting.

Another area ripe for audit in your compliance program is your third parties. While there is no one specific list of transactions or other items which should be audited when it comes to your third parties below are some of the areas you may wish to consider reviewing:

Contracts with supply chain vendors to confirm that the appropriate FCPA compliance terms and conditions are in place.
Determine that actual due diligence took place on the third party vendor.
Review the FCPA compliance training program for any vendor; both the substance of the program and attendance records.
Does the third party vendor have a hotline or any other reporting mechanism for allegations of compliance violations? If so how are such reports maintained? Review any reports of compliance violations or issues that arose through anonymous, hotline or any other reporting mechanism.
Does the third party vendor have written employee discipline procedures? If so have any employees been disciplined for any compliance violations? If yes review all relevant files relating to any such violations to determine the process used and the outcome reached.
Review expense reports for employees in high risk positions or high risk countries.
Testing for gifts, travel and entertainment which were provided to, or for, foreign governmental officials.
Review the overall structure of the third party vendor’s compliance program. If the company has a designated compliance officer to whom, and how, does that compliance officer report? How is the third party vendor’s compliance program designed to identify risks and what has been the result of any so identified?
Review a sample of employee commission payments and determine if they follow the internal policy and procedure of the third party vendor.
With regard to any petty cash activity in foreign locations, review a sample of activity and apply analytical procedures and testing. Analyze the general ledger for high-risk transactions and cash advances and apply analytical procedures and testing.

The compliance function still is behind the safety function in terms of maturity. Because of this there are many lessons which a Chief Compliance Officer (CCO) or compliance practitioner can draw upon from our colleagues in safety. The safety audit is certainly a technique that can be drafted into your compliance program. But as the ongoing Takata air bag debacle demonstrates, your audit only works if you actually perform it. In other words, the protocol is simple, everyone understands you need to audit, but try and cut costs or corners and you will pay for it in the long run.

Leave a Comment

June 23, 2015

Fraud and the Detection of the Sources for Bribery

Filed under: Best Practices,Chief Compliance Officer,Compliance,compliance programs,FCPA,Fraud,Supply Chain,Third parties — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, FCPA, Foreign Corrupt Practices Act

In a recent White Paper authored by Peter Smith for OFS Portal, entitled “Procurement and Fraud in the Supply Chain”, where he examined “fraud linked to procurement and supply chain activities.” Smith focuses on where fraud can occur in the procurement process. From this starting point, he suggests “mitigating actions that organisations can take to protect themselves against fraud.” I found this article to be an excellent review of Supply Chain (SC) activities which the Chief Compliance Officer (CCO) or compliance practitioner could put to good use in reviewing their company’s Foreign Corrupt Practices Act (FCPA) anti-corruption and anti-bribery regime.

A. The Problem – How Does Fraud Happen?

Smith starts by classifying fraud in way which will assist the reader in understanding how it occurs. He believes there are “three critical factors to consider: the perpetrator(s), the plan and the point of failure.” The perpetrator is the one “behind the fraud and either executes it directly or through others.” In the anti-corruption world of the FCPA, this can be through an agent or a supplier who is working to help execute the fraud.

Interestingly, in the area of these third parties (and hence the greatest area of risk for FCPA compliance practitioners to consider) Smith notes that “The plan and point of failure factors are linked in that often the plan relies on the point of failure. In other words, most frauds take advantage in some weakness in the process, technology, policy or systems of combination of those.” Smith writes that there are three key phases “in the procurement life-cycle that can be considered; (1) the supplier selection phase; (2) the contract negotiation and award phase; and (3) the contract delivery management phase.”

Phase I – Supplier Selection and Qualification

This phase should be well known to the compliance practitioner as a part of the third party life-cycle management step denominated as due diligence. But Smith asks that you consider factors other than simply whether someone is on the Denied Parties List (DNP) or is a Politically Exposed Person (PEP). He suggests that you consider misrepresentation by the third party in the nature of “concealing the true nature of its business, history or ownership when it bids for the work.” He also points out that through collusion and cartels, persons or entities can work to control a market. If you did any work with Petrobras over the years, you will certainly recognize that many if its approved suppliers operated in this manner. Given what we now know about how corrupt Petrobras was, this is not too surprising.

But Smith also suggests that employees may be involved in skewing the selection process towards a corrupt agent or other partner. He recommends reviewing the bid process to see if there was bias in the competition, which would push an otherwise arms-length award to a corrupt partner. This could occur through biased competition through specification, where an employee would “construct a specification that makes it likely or inevitable that a particular supplier will win the competitive process.” The next is biased competition through tailoring the evaluation process which gives weight to the specific strengths of a corrupt third party. Finally, Smith points out that there can be biased competition through information leakage when a company employee will leak confidential information to a third party to give them an advantage in the bidding process.

Phase II – Contracting

Smith says the “next critical point at which fraud can take place is during the contract negotiations and in agreeing the detailed terms and conditions.” Moreover, Smith believes this stage is critical if often overlooked because “the seeds are often sown at the contracting stage.” Scenarios can include where there is a certain level of ‘local content’ required “but without any clear contractual mechanism to explain how it will be measured or policed.” As any CCO or other FCPA compliance practitioner would recognize, local content is one of the easiest ways to get into FCPA high risk so managing that risk is critical. I found Smith’s concern with setting out the clear legal terms and conditions around any such requirement as a good way to manage the high risk.

Phase III – Contract Delivery and Management

Here Smith laid several different fraud schemes which could facilitate a bribery plan. The first is fake invoices which can rely on “poor processes within an organisation” to spot. However this scheme can also rely on a company insider to approve such fabrications. Next is “volume over-invoicing”. In this scheme, while a supplier does supply some goods or services, the invoice is raised for more than has been delivered. If there is a scheme to create a pot of money to be used to fund bribes, there will need to be an internal company accomplice to “smooth the way by authorizing receipts or invoices.” Next there is “price-related over-invoicing” the third party will over-price the goods or services, above what is allowed under the contract. Another scheme set out by Smith is “invoice diversion” where “a legitimate payment that should go to a certain supplier is diverted to a third party fraudulently.” Another scheme can simply be to ease the contract terms and conditions which allow the third party to receive a benefit with nothing in return being delivered back to the company. Finally, there is what Smith details as one of the “toughest frauds to detect”, that being the delivery of lower quality products than is contractually specified.

B.The Solution – How to Reduce Fraud

Smith believes that fraud prevention can be built around a troika of concepts. (1) You need to have “effective procurement and spend management policies in place. (2) You must “use appropriate and robust processes”. (3) Finally “applying the right technology to support and manage those processes.” In his paper he followed the same outline on how to reduce the instances of fraud.

Phase I – Supplier Selection and Qualification

While a clear procurement policy is the starting point, it is only the starting point. Having a transparent process is important as well as adequate supplier qualification details. He notes that multiple sign-offs should be in place to ensure that one person does not control the entire process. This should also be incorporated into the communications trail with the competitors to ensure that no one third party receives confidential information. Obviously an appropriate level of due diligence should be applied to confirm that not only are the third party’s who they represent themselves to be but that they are also qualified to do the work or deliver the services. Finally, there should be controls around onboarding “so that firms who are actually going to be suppliers go through more rigorous checks before they are accepted onto” the Vendor Master List.

Phase II – Contracting

Obviously the starting point for any business relationship should be a well-drafted contract. However, for larger organizations Smith believes that “a contracts database or contract lifecycle management system is essential.” To the greatest extent possible there should be standard compliance and legal terms and conditions, coupled with an “appropriate level of sign-off and approvals management for contracts.” Finally, segregation of duties (SOD’s) “to make sure that there are checks and balances and that no one person holds too much power in the process.”

Phase III – Contract Delivery and Management

As I often say in the lifecycle management of third parties, the real work begins when the contract is signed. Smith believes that many of the routes of fraud, “can be closed off by taking a few precautions” which include some of the following steps. First and foremost is “no purchase order, no pay” but this also means there should be an invoice from the vendor which is matched to the contract for accuracy. Once again checks and balances, SOD’s for sign-offs and approvals must be built into your payment system. There should be controls around changes to the contract and, more importantly, changes to any payment details. Lastly, ongoing oversight and monitoring through controls analytics and auditing should be employed on the back end to verify delivery of goods or services.

I found Smith’s White Paper to be an excellent review for the CCO or compliance practitioner around not only the mechanism of how fraud occurs but a review of the techniques for fraud prevention. While his concepts may seem like a review for the compliance practitioner, it also allows you to think through how corruption might take place in your organization. The briber has to get the money from some source and Smith’s White Paper can give you insights on where you might look.

Leave a Comment

June 22, 2015

George Carlin and Erga Omnes: the Petrobras Bribery Scandal Expands

Filed under: Best Practices,compliance programs,Corruption in Brazil,Department of Justice,FCPA,Petrobras,Wall Street Journal,WSJ — tfoxlaw @ 12:01 am
Tags: BBC, best practices, compliance, compliance programs, corruption, Department of Justice, DOJ, FCPA, Foreign Corrupt Practices Act, Wall Street Journal, WSJ

On this date in 2008 George Carlin died. If you grew up in the late 1960s or early 1970s and you had anti-parental or anti-establishment inklings, which of course all teenagers do, you knew about George Carlin. In the early 1960s, Carlin was a relatively clean-cut, conventional comic. But around 1970, he reinvented himself as an eccentric, biting social critic and commentator. In this new incarnation, Carlin began appealing to a younger, hipper audience. He grew out his hair and added a beard together with a wardrobe in the stereotypically hippie style.

Carlin’s comedy also became counter-culture, not Cheech and Chong, hippy-dippy dopers, but with pointed jokes about religion, politics yet with frequent references to drugs. His second album with his new routine, FM/AM, won a Grammy Award for Best Comedy Recording. My favorite cut was the 11 O’Clock News. But it was his third album Class Clown that had, what I believe, to be the greatest comedy monologue ever, the profanity-laced routine “Seven Words You Can Never Say on Television.” When it was first broadcast on New York radio, a complaint led the Federal Communications Commission (FCC) to ban the broadcast as “indecent.” The US Supreme Court later upheld the order, which remains in effect today. The routine made Carlin a hero to his fans and got him in trouble with radio brass as well as with law enforcement; he was even arrested several times, once during an appearance in Milwaukee, for violating obscenity laws.

Interestingly I thought about Carlin and his pokings of the Establishment (AKA The Man) when I read several articles over the weekend about the recent spate of arrests around the Petrobras bribery and corruption scandal. In article in the Wall Street Journal (WSJ), entitled “Brazil Probe Sweeps Up Corporate Magnates” Will Connors, Rogerio Jelmayer and Paul Kiernan reported that “Brazilian officials arrested the heads of two Latin American construction giants, alleging they helped to mastermind a cartel that stole billions of dollars from state-run oil company Petrobras with the help of corrupt politicians to whom they paid kickbacks.” Also arrested with the heads of the two companies, Marcelo Odebrecht, head of Odebrecht SA and Chief Executive Officer (CEO) of Andrade Gutierrez, Otávio Azevedo.

The WSJ article reported that “Odebrecht is Latin America’s largest construction conglomerate, with business in the U.S., Europe and Africa, and whose head, Marcelo Odebrecht, is a household name in Brazil. Andrade Gutierrez has business in 40 countries. The privately owned companies are deeply involved in the development of stadiums and infrastructure for the 2016 Summer Olympics in Rio de Janeiro.” Moreover, Odebrecht is reported to have “a presence in 21 countries”. Obviously a question is if the company had engaged in bribery and corruption in Brazil, did they do so in any of the other countries in which they are doing business?

Interestingly, these arrests “come months after the heads of other construction companies were detained by Brazilian authorities.” Indeed in a BBC article in , entitled “Petrobras scandal: Top construction bosses arrested in Brazil”, David Gallas said, “Odebrecht had been named by former Petrobras executives as one of the companies that allegedly paid bribes in exchange for contracts with the oil firm, but until now the firm had not been targeted by investigators.” The WSJ article quoted Brazilian prosecutor Carlos Fernando dos Santos Lima who said at a news conference that the executives from the two companies had not been arrested earlier as the entities, “had a more sophisticated system for making the alleged bribe payments, using foreign bank accounts in Switzerland, Monaco and Panama, so it took longer to prove their case.” David Fleischer, a Brasilia based political analyst, quoted in the WSJ article was even more circumspect. He said, “The prosecutors are very careful. If you’re going after big fish you want to make sure you can take them down.”

Brazilian police said the arrests were “Erga omnes” which the WSJ translated from Latin as “towards all”. I thought about that statement in light of the ongoing debate about enforcement of the Foreign Corrupt Practices Act (FCPA) here in the US. On one side is the Chamber of Commerce and their allies who raise the ever-burgeoning cry that the Department of Justice (DOJ) needs to prosecute the invidious ‘Rogue employees’ who violate the FCPA. You will notice they never want the DOJ to look at the executives who might facilitate payment of bribes in the first place; whether through faux commitment to doing business in compliance, failing to properly allocate resources to compliance and ethics, simply rewarding those employees who git ‘er done no matter what the circumstances or (my favorite) putting a paper program in place and calling it a best practices compliance program.

Indeed those progenitors of relaxed enforcement want the DOJ to back off and let them do business the old fashioned way. However, if the bribery and corruption news from the first half of this year has told the world anything, it is about the dire effects of allowing such illegal conduct to take place and warning against slacking off laws which mandate doing business without bribery and corruption. In another WSJ article, entitled “Roots of a Brazilian Scandal That Weighs Heavily on the Nation’s Economy, Politics”, Marla Dickerson noted, “The scandal has crippled Petrobras, Brazil’s largest and most important company. In late April, the company wrote off more than $16 billion related to losses from graft and overvalued assets. The company’s woes have all but paralyzed the nation’s oil and gas sector. Hurt by slumping oil prices and strapped for cash, Petrobras has slashed investments, sparking a wave of credit downgrades, bankruptcies and layoffs among its suppliers that the weighed on Brazil’s economy.”

I wonder what George Carlin might have thought about all of this. He might have said that what else would you expect but I am relatively certain he would have done so while also sticking his thumb in the eye of The Man.

For a YouTube version of the 11 O’Clock News, click here.

For a YouTube version of the 7 words you can never say on television, click here.

Leave a Comment

FCPA Compliance and Ethics Blog

August 20, 2015

BNY Mellon and Lessons Learned In Hiring Family Members – Part II

August 13, 2015

Cymbeline – Doing Virtue and FCPA Compliance

July 29, 2015

What Would Dr. Seuss Say about an Allowance?

July 17, 2015

Great Structures Week V – The Tacoma Narrow Bridge Failure and Preventing Failure in Your Compliance Program

July 16, 2015

Great Structures Week IV – The Gothic Cathedral and Compliance Incentives

July 6, 2015

The All-Star Game and Tone at the Top

June 25, 2015

Custer’s Last Stand and Risk Management

June 24, 2015

Pink Flamingos and the Compliance Audit

June 23, 2015

Fraud and the Detection of the Sources for Bribery

June 22, 2015

George Carlin and Erga Omnes: the Petrobras Bribery Scandal Expands

January

Blogroll

Pages

Admin

Read by Email

Recent Posts from FCPA Compliance and Ethics Report: FCPA Compliance and Ethics Report

Episode 240-Bill Coffin on Compliance Week 2016

Episode 239-Jonathan Armstong On EU Privacy Shield

Episode 238-John Allen on HR Touch Points in Compliance

Episode 237-Steve McCalmont on the Avior Risk Management Platform

Episode 236-Adam Turteltaub and SCCE CCO Survey