Jonathan Marks’ 13 Step FCPA Compliance Action Plan

Back in December 2010, we noticed a tweet by Jonathan Marks where he mentioned that he had developed a 13-step action plan for Foreign Corrupt Practices Act (FCPA) compliance programs. We were certainly intrigued by this information but, alas, there was no link to the document or information, so we took the direct approach and DM’d Jonathan to ask if he would be willing to share with us the 13-step action plan, which he was willing to do. So today’s blog will begin with a reminder of the incredible tools that are available to the FCPA compliance practitioner through today’s internet.

I met Jonathan (virtually) through LinkedIn and his hosting of the LinkedIn group ‘Fraud Pentagon.’ Through his profile I was able to discover Jonathan’s interesting professional journey, he is the Partner In-Charge of the Fraud, Ethics and Anti-Corruption practice at Crowe Horwath and has worked with the US Attorney’s office, the FBI, the IRS Criminal Investigation Division and US Customs officials during his career. Jonathan has also served as the Chief Audit Executive at several public companies and is a Certified Public Accountant, Certified Fraud Examiner and is certified in financial forensics.

I spoke to Jonathan to find out how he developed this plan and he told us that from his meetings with clients on the issue of compliance over the years, he wanted to develop a non-legalistic approach that he could easily convey to clients. So he studied the available literature, talked to others in the compliance arena and sought counsel from US government agencies tasked with enforcing the FCPA to come up with a framework by which a company could review its FCPA compliance program, assess where the program is in terms of best practices, and then use the same action plan as a guide for implementing some or all of the best practices.

Jonathan’s 13-step action plan includes the following:

1.    Assisting in obtaining top-level commitment from boards and senior executives, setting the “tone from the top”

2.    Executing a Corruption and Bribery Risk assessment that drives the compliance program and modifies it accordingly

3.    Improving/Strengthening Internal Controls

4.    Structuring and Defining Roles & Responsibilities

5.    Performing Risk-based Third Party Due Diligence

6.    Developing Clear, Practical, Current and Accessible Policies and Procedures

7.    Documenting a Detailed Multi-year Compliance Plan

8.    Defining Appropriate Disciplinary Procedures

9.    Ensuring Robust Monitoring and Review (Utilizing Internal Audit)

10. On-going Training

11. Violation Reporting System is in Place and Multi-lingual

12. Reviewing Ancillary Risk Mitigation Procedures

13. Performing Independent Compliance Program Testing Annually

During our phone conversation, Jonathan indicated that while his 13-step action plan was designed with the FCPA in mind, it is also a solid basis for any company to use when reviewing, creating or implementing an “adequate procedures” program under the UK Bribery Act. Jonathan also shared with us some of the literature and references he had used to put his 13-step action plan together. These included the US Sentencing Guidelines, the OECD Good Practices, blog postings and articles discussing best practices and information he had gleaned from attending seminars and conferences. We applaud Jonathan for developing his action plan and making it available for discussion in our blog. We hope that it can be of assistance to the FCPA compliance practitioner.

We also want to take this opportunity to emphasize the wealth of material which is available, at no charge, to the FCPA compliance practitioner. The genesis of this posting came through Twitter, which has an active group of FCPA compliance and ethics professions tweeting throughout the day. We have also been able to obtain a large amount of helpful material through joining only a portion of the  LinkedIn groups which discuss issues related to the FCPA compliance practitioner; which include: FCPA – Foreign Corrupt Practices Act – Anti-Corruption Compliance Group; Society of Corporate Compliance and Ethics (SCCE); Dow Jones Risk & Compliance;  Anti-Corruption Professionals; AML, FCPA, and Investigative Due Diligence Thought Leadership; The Forum for Chief Compliance Officers and Chief Risk Officers and Anti-Corruption Compliance Asia. This list is by no means complete but is a small sample of what is available to you and sometimes you are able to meet like-minded professionals such as Jonathan Marks.

Jonathan Marks can be reached via email at jonathantmarks@verizon.net and phone at 267-261-4947.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

 

EFFECTIVE COMPLIANCE TRAINING

Effective Compliance Training

“Conducting effective training programs” is listed in the 2005 Federal Sentencing Guidelines as one of the factors the Department of Justice will take into account when a company, accused of an FCPA violation, is being evaluated for a sentence reduction. The Sentencing Guidelines mandate states “(4) (A) The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to the individuals referred to in subdivision (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals’ respective roles and responsibilities.”

But what is an “effective training program”? Andrea Wrage has written in her blog Wragblog and Ethisphere Magazine that she believes there are two general approaches to ethics and compliance training. The first approach focuses on knowledge of the rules “as clear and sharp as barbed wire” so that the cowboys in the company will not run wild. This is the approach most US in-house lawyers feel is required for their company’s operations teams and is generally designed to help avoid criminal liability.

The second is to train on ethical values and is more prevalent in Europe where ethics and compliance are more designed to communicate a company’s underlying corporate values in its operations. This approach anticipates that most employees are decent and law-abiding and will not knowingly engage in bribery and corruption. Additionally, you can never create enough rules to govern every situation and train each employee on every rule so a company must hire trustworthy people and give them sufficient information to make the correct ethical and compliant decision. Ms. Wrage characterizes the two different approaches as “ethics” vs. “values”.

Both approaches have merit but both can catastrophically fail without the other components of an effective compliance program. Although it was not brought down by an FCPA violation, the Enron Code of Ethics was viewed (at least at one time) as one of the strongest in the energy industry. And not to focus on US companies only, Siemens had one of the most robust Codes of Ethics for a European company before its multi-billion dollar (or euro-take your pick) fine and profit disgorgement. So the training on both of these company’s “Gold Standard” codes of ethics did not turn out to be too helpful.

So what should a company’s training focus on to be “effective” under the Sentencing Guidelines? It appears that effective ethics and compliance training should emphasize both approaches. Americans are long taught what the rules are in whatever life they choose. They expect to be told what the rules will be so that they know where the line is drawn that they should not step over. Probably the single comment I have heard the most when putting on ethics and compliance training in the US is “Just tell me what I can and can’t do”. However, really effective training requires that employees be able to apply the rules to the incredibly wide and ever-changing situations which confront them in the real world. This is where communicating a company’s values are important. In other words, how would your conduct look if it was plastered on You Tube the next week?

This is the first of a two-part series on ethics and compliance training.

——————–
This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication.

© Thomas R. Fox, 2010

What is your compliance relationship with your business partners?

Most companies understand that certain business relationship present more risk than others. This situation is also present under the FCPA. In its 2008 Anti-Bribery and Anti-Corruption Survey, KPMG noted that 76% of the respondents reported that assessing FCPA risk was “challenging”. Further 82% of respondents reported that performing effective due diligence on third parties was noted to be “challenging”. This information was reported from a survey of 103 business executives who have direct responsibility for FCPA compliance within their organizations.

This is in contrast to some companies such as GE and HP which make clear upfront that they demand robust compliance business practices from the third parties with which they do business; including vendors, suppliers and channel operations business partners. GE states in its Integrity Guide for Suppliers, Contractors and Consultants, “Suppliers that transact business with GE are also expected to comply …and adhere to the standards of business conduct consistent with GE’s obligations as set forth in the ‘GE Compliance Obligations…”. In October, 2009, HP sent an announcement out to its over 155,000 channel partners that they had to complete compliance training (and pay for it) by the end of October or risk losing their status with HP.

What is your compliance relationship with business partners?