FCPA Compliance and Ethics Blog

July 13, 2015

Great Structures Week I: Vitruvius, the Brooklyn Bridge and Compliance

I recently completed a course from The Teaching Company, entitled “Understanding the World’s Greatest Structures: Science and Innovation from Antiquity to Modernity”, taught by Professor Stephen Ressler. It was a wonderful learning experience about some of the world’s greatest structures and the development of structural engineering throughout history. As I worked my way through the course, it occurred to me that many structural engineering concepts are apt descriptors for an anti-corruption compliance program. So today, I will begin the ‘Great Structures Week’ as an entrée into an appropriate topic for your Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption/anti-bribery compliance program. Each day I will discuss a structural engineering concept together with one of my favorite examples from Professor Ressler’s course.

To open the series I will consider what makes a structure great. Marcus Vitruvius Pollio (Vitruvius) was a Roman author, architect, and civil engineer during the 1st century BC, known for his work entitled De Architectura. Vitruvius is famous for proclaiming that a structure must exhibit the three qualities of firmitas, utilitas and venustas, meaning that it must be solid, useful and beautiful. These are sometimes termed the Vitruvian Triad, and today these are loosely translated to mean that great constructions must have form, function or structure. Form is the arrangement of space and harmony. Function is the measure of usefulness. Structure contains innovative techniques in its creation.

My favorite example of a structure that incorporates all three of these concepts is the Brooklyn Bridge. The beauty of the form follows the functions of the scientific principles that underlie the bridge’s structure. As Ressler noted “Each element of the form of the Brooklyn Bridge serves a structural purpose based on mathematical principles.” First the form itself is one of great beauty. The function remains the same, even if the modes of transport have evolved; the Bridge was designed to carry people from Brooklyn to Manhattan. Yet as Ressler notes, “beyond the aesthetic, these features are a direct reflection of the scientific principles underlying the bridge’s design. They are, in a word, structure – a system of load carrying elements that cause the bridge to stand up.” We have a graceful and elegant design, which operates to safely conduct people over the Hudson River, through an engineering design that allows the structure to act as intended.

This convergence of Vitruvius’ tripartite view of what makes a great structure is an appropriate analogy for a best practices anti-corruption compliance program to facilitate compliance with the FCPA, UK Bribery Act or similar regime. Over the years both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have made clear that each company should have a compliance program that fits its needs. Indeed, in the FCPA Guidance, it could not have been made clearer when it stated, “Individual companies may have different compliance needs depending on their size and the particular risks associated with their businesses, among other factors. When it comes to compliance, there is no one-size-fits-all program.” The Guidance goes on to state the obvious when it notes, “companies may consider a variety of factors when making their own determination of what is appropriate for their specific business needs. Indeed, small- and medium-size enterprises likely will have different compliance programs from large multi-national corporations”.

The Guidance goes on to note, “Compliance programs that employ a “check-the-box” approach may be inefficient and, more importantly, ineffective. Because each compliance program should be tailored to an organization’s specific needs, risks, and challenges, the information provided below should not be considered a substitute for a company’s own assessment of the corporate compliance program most appropriate for that particular business organization. In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.”

Yet when viewed through Vitruvius’ prism, it is clear that an anti-corruption compliance program is much more holistic, with form, function and structure. A good compliance program is really about good financial controls. I think this is one outlook of FCPA compliance which is not discussed enough. Stanley Sporkin, in many ways the progenitor of the law, recognized that if a company was going to engage in corruption it would have to hide such activity through falsified books and records. Hence, he articulated the basis for having the accounting provisions included when the Act was originally written and enacted into law. These provisions include both the books and records provision and the internal controls provision. The Guidance says, “the accounting provisions ensure that all public companies account for all of their assets and liabilities accurately and in reasonable detail”. So the form of a compliance program should be largely in financial controls that are baked into a company.

The formula of a compliance program can follow several forms. It can be based on the Ten Hallmarks of an Effective Compliance Program from the FCPA Guidance, the Six Principles of Adequate Procedures as contemplated by the UK Bribery Act; the OECD 13 Good Practices or other formulations such as the Five Elements of an Effective Compliance Program developed by Stephen Martin and Paul McNulty from the law firm of Baker & McKenzie. The form of any of these articulations meets the Vitruvius definition.

Next is the function. Here I think it is appropriate to consider what the FCPA Guidance says regarding internal controls, that being “Internal controls over financial reporting are the processes used by companies to provide reasonable assurances regarding the reliability of financial reporting and the preparation of financial statements. They include various components, such as: a control environment that covers the tone set by the organization regarding integrity and ethics; risk assessments; control activities that cover policies and procedures designed to ensure that management directives are carried out (e.g., approvals, authorizations, reconciliations, and segregation of duties); information and communication; and monitoring.” Moreover, “the design of a company’s internal controls must take into account the operational realities and risks attendant to the company’s business, such as: the nature of its products or services; how the products or services get to market; the nature of its work force; the degree of regulation; the extent of its government interaction; and the degree to which it has operations in countries with a high risk of corruption.” This language points to the function of any best practices compliance program, to make the company a better-run company.

Finally, in the area of structure it is incumbent to recall that any best practices anti-corruption compliance program continues to evolve. It evolves with technological innovations such as transaction or continuous controls monitoring. But a compliance program must evolve as your company evolves. Changing commercial realities and conditions can create new or increased FCPA compliance risks. Your compliance program needs to be able to detect, assess and manage new risk as your business creates new products; moves into new territories or develops new sales channels. The FCPA Guidance states, “They are dynamic and evolve as the business and the markets change.” To do so, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry.”

For a review of what goes into a best practices compliance program, I would suggest you check out my book, entitled “Doing Compliance: Design, Create, and Implement an Effective Anti-Corruption Compliance Program”, which is available through Compliance Week. You can review the book and obtain a copy by clicking here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

September 12, 2012

What’s Going On? Some Questions Regarding UK Regarding Anti-Bribery Enforcement

For my money, the greatest R&B single ever was Marvin Gaye’s 1971 smash hit “What’s Going On?” While I knew that Gaye, who died in 1984, had been posthumously inducted into the Rock and Roll Hall of Fame in 1987, I did not know that he had a three-octave vocal range or that he was ranked at number 6 on Rolling Stone’s list of the Greatest Singers of All Time. Gaye also ranked high on music magazines’ lists, ranking at number 18 on the 100 Greatest Artists of All Time in the music magazine Rolling Stone, and he ranked number 20 on VH-1’s list of 100 Greatest Artists of All Time. If you want to hear some of the most beautiful and heartfelt singing, head over to YouTube for a clip of Gaye belting out the classic.

I thought about the song’s title recently as over the past couple of weeks there have been some interesting articles appearing in interviews, reports and a London court ruling which raise some difficult questions as to just what may be going on at the UK Serious Fraud Office (SFO) regarding its enforcement of the UK Bribery Act and the ongoing ability of the SFO to bring enforcement actions for those companies which engage in bribery or otherwise violate the Bribery Act.

The Interview and Questions on Enforcement of Corporate Hospitality Requirements

It all began with an interview, given by David Green, Director of the SFO, to the Daily Mail on September 2. As reported in thebriberyact.com, Director Green said the following:

‘We are not interested in that sort of case. We are interested in hearing that a large company has mysteriously come second in bidding for a big contract. The sort of bribery we would be investigating would not be tickets to Wimbledon or bottles of champagne. We are not the “serious champagne office”.’

The briberyact.com guys, Barry Vitou and Richard Kovalevsky Q.C., made clear their feelings on this statement by Director Green when they said “Hopefully the latest comments from the new SFO Director will kill off some of the scaremongering that has gone before among the media and some legal advisers.” The Bribery Act and its corporate hospitality requirements are “not rocket science.” They believe that “Companies should put in place proper procedures to deal with corporate hospitality in line with SFO guidance.” Broadly speaking, “this means companies should think about their corporate hospitality process, and pick a number above which approval is required. If you want you can pick some more numbers above which a higher level of approval is required.”

The Briberyact.com guys believe that the “SFO is unlikely to be bringing a stand alone Bribery Act prosecution over corporate hospitality.” They also believe that the key in justifying your actions with gifts and entertainment “is to be able to justify why you picked approval thresholds and that the policy is actually followed. Both should be well documented.” In other words, you should have a policy, follow that policy and then document whatever decisions that you make under your policy.

However, a contrary position was taken by Alexandra Wrage, President of Trace International, who wrote in a blog post in CorporateCounsel.com, entitled “When Governments Undermine Antibribery Compliance Efforts”. Wrage asked the following question regarding Director Green’s advice on corporate hospitality, “So where does Green’s advice leave in-house compliance officers?” She went on to state that she believed such advice left compliance practitioners “arguing for frugality in the face of a restrictive law that the SFO has announced it isn’t too bothered about enforcing. There are few U.S. compliance departments that would deem a day at Wimbledon as “reasonable” hospitality. In the U.S., the argument is: this is permitted, as long as we’re reasonable. The argument for companies with operations in the U.K. must be: this is not permitted under the law, but the SFO, at least for now, will not investigate such matters.” She ended her piece with the following, “It is difficult enough to guide a company through the morass of antibribery compliance when the threat of enforcement is real and management is focused not only on the ethics of the situation, but also legal risk. It is indeed more difficult when the enforcement agency itself makes light of the chances of prosecution and trivializes the very decisions with which compliance departments struggle. The UK Bribery Act may offer the clarity compliance officers have long hoped for, but it raises a new question for companies with U.K. operations that may be more challenging than the last: When do boundaries really matter to the SFO and, in turn, to employees?”

The TI Exporting Corruptions Report

On September 6, Transparency International (TI) published its 8th annual progress report on OECD Convention enforcement, entitled “Exporting Corruption”. The OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions, adopted in 1997, requires each signatory country, of which the United Kingdom is a member, to make foreign bribery a crime. TI believes that such laws are a key instrument for curbing the export of corruption globally because the 39 signatory countries are responsible for two-thirds of world exports and three-quarters of foreign investment. The OECD Working Group on Bribery conducts a follow-up monitoring program which reviews the parties’ implementation of the Convention’s provisions. Nine to ten country reviews are issued each year. This 8th annual progress report represents an independent assessment of the status of OECD Convention enforcement, based on reports from our national chapters in 37 OECD Convention countries (excluding Iceland and Russia). Countries are classified in four enforcement categories this year: Active, Moderate, Little and No enforcement.

TI opined in its report that “The UK Government must strengthen its anti-bribery effort by ensuring that the Serious Fraud Office (SFO) has adequate resources to investigate and prosecute bribery”. Although TI noted that under the Bribery Act, prosecutions had increased over the past year, “cutbacks to the SFO could see a decline in future UK enforcement. The Government has cut more than a third of the SFO’s budget in the last four years, hampering the prosecutor’s ability to tackle complex and damaging bribery cases.” Chandu Krishnan, Executive Director of Transparency International UK, was quoted in a Press Release as stating, “If the Government is serious about fighting corruption, it should not be cutting resources for enforcing the legislation designed to do just that. We must ensure that the SFO is not outgunned by those it should be prosecuting, who incidentally can usually afford the best legal advice available. The SFO should never be in a position where it is unable to investigate and prosecute cases due to a lack of resources.”

The Court Finding – Bribery as a (legal) way of doing business?

As reported in a Bloomberg.com post by Leonid Bershidsky, entitled “Russian Graft Goes Legit in London”, a London court recently found that influence-peddling in Russia is an “internationally recognized business arrangement.” In a recent decision, London’s Commercial Court found that the legal Russian concept of “krysha” where a “powerful person, often a government or law-enforcement official, who defends their interests and protects them from predators in return for a piece of the action” can be enforced in an English civil court. Bershidsky wrote that “Flimsy as the arrangement sounds, it’s how business is still often done in Russia when the help of a government official or facilitator is needed. I have personally seen such schemes in action. A private businessman, who is to all intents and purposes the owner of a business, takes on a ranking bureaucrat as a silent and undocumented partner. The bureaucrat is not allowed to own his stake officially. He relies on his influence to guarantee that the businessman won’t ignore the arrangement.”

The plaintiff had sought to enforce a “krysha” arrangement where there was no written contract. The Court did not hold that such payments were bribes, corruption or otherwise illegal, but instead held there was not sufficient evidence of a binding contract. The invidiousness of this arrangement is clear in that money is being paid for ‘influence’ and such payments are kept “off-books” via an undeclared ownership structure. In other words, about as many Red Flags as you can get. If such arrangements are legal in Russia, why are they not anywhere else in the world?

All of the above may leave many compliance practitioners scratching their heads and wondering what is going on in the UK. Hopefully there will be some clarity, for the better, in the coming months.

© Thomas R. Fox, 2012

September 9, 2012

The Five Essential Elements of a Corporate Compliance Program – Part II

Tuesday morning, at the University Club of Chicago, Stephen Martin and I will co-present at a Foreign Corrupt Practices Act (FCPA) event hosted by Kreller. If you are in or near Chicago, I hope that you can join us for this presentation. The title of our presentation is “Anti-Corruption/FCPA Developments & Best Practices” and we will focus on a concept that Stephen and his partners at the law firm of Baker & McKenzie have developed which are five essential elements of a corporate compliance program. In Part I, I discussed the background to the development of the five essential elements. In today’s installment, Part II, I will detail the remaining elements in the five elements of an essential compliance program.

III. Standards and Controls

Generally, every company has three levels of standards and controls. (1) Code of Conduct. Every company should have a Code of Conduct which should express its ethical principles. However, a Code of Conduct is not enough. (2) Standards and Policies. Every company should have standards and policies in place that build upon the foundation of the Code of Conduct and articulate Code-based policies, which should cover such issues as bribery, corruption and accounting practices. (3) Procedures. Every Company should then ensure that enabling procedures are implemented to confirm those policies are implemented, followed and enforced.

FCPA compliance best practices now require companies to have additional standards and controls, including, for example, detailed due diligence protocols for screening third-party business partners for criminal backgrounds, financial stability and improper associations with government agencies. Ultimately, the purpose of establishing effective standards and controls is to demonstrate that your compliance program is more than just words on a piece of paper.

IV. Training

Another pillar of a strong compliance program is properly training company officers, employees and third parties on relevant laws, regulations, corporate policies and prohibited conduct. Simply conducting training usually is not enough. Enforcement officials want to be certain the messages in the training actually get through to employees. The Department of Justice’s (DOJ) expectations of effectiveness are measured by who a company trains, how the training is conducted and how often training occurs.

There are several key elements to training. First is that you need to train the right people. You must prioritize which audience to educate by starting your training program in higher risk markets and focus on directors, officers and sales employees who may have direct contact with government officials or deal with state-owned entities. Again, focus initially on training country managers in your company’s high-risk markets, then expand geographically and through the ranks of employees.

Second, in high risk markets and for high risk employees or third parties you should conduct live, annual training. Enforcement officials have made it clear that live, in-person training is the preferred method in high-risk markets and also that it should be regular and frequent. Another benefit of live training is the immediate feedback from employees that would be much less likely to occur during a webinar or other remote training. Lastly, during live training, employees are more likely to make casual mention of a potentially risky practice, giving you the opportunity to address it before it becomes a larger problem.

It is important that you pay attention to what employees say during training. This is because training can alert you to potential problems based on the type of questions employees ask and their level of receptiveness to certain concepts. For example, during training employees might ask specific questions about important compliance considerations such as their interactions with government officials or gift-giving practices. Such questions can raise red flags and uncover issues that should be reviewed and addressed quickly.

Thirdly, you should tailor your training to each country. This means that employing a generic script for compliance training is a mistake. To be effective, training programs should be customized by region, country, industry, areas of compliance and types of employee. In addition to Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and OECD guidelines, focus on compliance risks in the country where the employees being trained are working. For example: In China, address the many corruption risks involved in dealing with state-owned entities.

V. Oversight – including monitoring, auditing and responses

The issue your company should focus on here is whether employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. Two of the seven compliance elements in the US Sentencing Guidelines call for companies to monitor, audit and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

Many companies fall short on effective monitoring. This can sometimes be attributed to confusion about the differences between monitoring and auditing. Monitoring is a commitment to reviewing and detecting compliance problems in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, you should not assume that because your company conducts audits that it’s effectively monitoring. A robust program should include separate functions for auditing and monitoring. While unique in protocol, however, the two functions are related and can operate in tandem. Monitoring activities can sometimes lead to audits. For instance, if you notice a trend of suspicious payments in recent monitoring reports from Indonesia, it may be time to conduct an audit of those operations to further investigate the issue.

Your company should establish a regular monitoring system to spot issues and address them. Effective monitoring means applying a consistent set of protocols, checks and controls tailored to your company’s risks to detect and remediate compliance problems on an ongoing basis. To address this, your compliance team should be checking in routinely with local finance departments in your foreign offices to ask if they’ve noticed recent accounting irregularities. Regional directors should be required to keep tabs on potential improper activity in the countries they manage. Additionally the global compliance committee should meet or communicate as often as every month to discuss issues as they arise. These ongoing efforts demonstrate your company is serious about compliance.

Finally, as was emphasized again with the recent Pfizer Deferred Prosecution Agreement (DPA), your company should establish protocols for internal investigations and disciplinary action. The Pfizer “Enhanced Compliance Obligations” included the following on investigative protocols: (a) On-site visits by an FCPA review team comprised of qualified personnel from the Compliance, Audit and Legal functions who have received FCPA and anti-corruption training; (b) Review of a representative sample, appropriately adjusted for the risks of the market, of contracts with, and payments to, individual foreign government officials or health care providers, as well as other high-risk transactions in the market; (c) Creation of action plans resulting from issues identified during the proactive reviews; these action plans will be shared with appropriate senior management and should contain mandatory remedial steps designed to enhance anti-corruption compliance, repair process weaknesses, and deter violations; and (d) a review of the books and records of a sample of distributors which, in the view of the FCPA proactive review team, may present corruption risk. Prior to such an investigation, however, the company should have procedures – including document preservation protocols, data privacy policies, and communication systems designed to manage and deliver information efficiently – in place to make sure every investigation is thorough and authentic.

Finally, and consistent with Stephen Martin’s Baker & McKenzie partner Paul McNulty’s Maxim Three (What did you do about it?), are your remediation efforts. Your company should remediate problems quickly. A key concept behind the oversight element of compliance is that if companies are policing themselves on compliance-related issues, the government won’t have to do it for them. Remediation, then, is an important component of oversight. If your company’s sales force in Thailand is engaged in potentially improper activity due to a lack of adequate training, remediate the deficiency and schedule that training now. In the end, it’s not enough to just gather information and identify compliance problems through monitoring and auditing. To fulfill this essential element of compliance, you also have to respond and fix the problems.

Stephen Martin and the Baker & McKenzie team have put together an excellent resource for the compliance practitioner in their five essential elements of a corporate compliance program. I hope that you can attend our FCPA event this week. For those of you who cannot attend in person, you can email me for the slide deck and other materials after the event.

© Thomas R. Fox, 2012

February 13, 2012

Lessons Learned on Compliance and Ethics

When my daughter was 7 she wrote and published her first book. When I asked her how she did it, she replied “Dad, it’s easy to write a book, you just sit down and do it.” I thought about that sage wisdom for many years before I sat down and started writing this blog. While I did not set out to write a book about compliance when I began blogging, I did hope to bring some of the things I have learned about the nuts and bolts of compliance to other practitioners. After several years of writing this blog, one of my mentors in this field, Dick Cassin, who writes the FCPA Blog, suggested I collate some of my pieces and publish a book. So there are now two published authors in the Fox family.

In this volume I have collected some of my posts which I think will help guide you in your own journey through the world of anti-corruption and anti-bribery compliance. I have broken the book down into the following chapters:

Some Thoughts on Best Practices – This chapter charts some of the evolving standards of a best practices compliance program, with articles on the thoughts of Department of Justice (DOJ) representatives; guidelines from the US Sentencing Commission; standards from the OECD; and comments on the UK Bribery Act.

The Nuts and Bolts of Compliance – This chapter includes articles regarding the ‘How To’ of compliance inside a corporation. As any in-house practitioner knows, the practice of law inside of a corporation is very different from private practice. I try to bring an in-house perspective and provide guidance on how to perform the day-to-day work of implementing, assessing and enhancing a compliance program, inside a corporation.

Investigations, Enforcement Actions and Legal Issues – In this chapter I discuss ongoing investigations, enforcement actions which resulted in Deferred or Non-Prosecution Agreements and legal issues. From this discussion you, the reader, should be able to understand the Department of Justice’s most current thinking on compliance issues.

Summing It All Up – This chapter highlights some of the top enforcement actions and compliance issues which companies have faced. These articles provide more than just ‘tea leaf’ readings of where enforcement is going across the globe and will provide to you solid guidance in your compliance program going forward.

I have included the full text of the Foreign Corrupt Practices Act (FCPA) as well as the Department of Justice’s “Lay Person’s Guide to the FCPA”.

I know that you will find this book useful in your compliance practice and I hope that you will purchase it. It is available for the very reasonable price of $19.99 and you can order it on Amazon.com by clicking here.

July 27, 2011

Will No One Rid Me of this Meddlesome Priest?

Tone at the Top has become a phrase inculcated in the compliance world. The reason it is so important to any compliance program is because it does actually matter. Any compliance program starts at the top and flows down throughout the company. The concept of appropriate tone at the top is in the US Sentencing Guidelines for organizations accused of violating the Foreign Corrupt Practices Act (FCPA); the Department of Justice’s (DOJ) best practices for effective compliance programs which have been released with each Deferred Prosecution Agreement (DPA) over the past year; the UK Bribery Act’s Six Principles of Adequate Procedures; and the OECD Good Practices. The reason all of these guidelines incorporate it into their respective practices is that all employees look to the top of the company to see what is important. Or to quote my colleague Mike Volkov, who quoted Bob Dylan, in opining “You don’t need to be a weatherman to know which way the wind blows”.

The US Sentencing Guidelines reads:

High-level personnel and substantial authority personnel of the organization shall be knowledgeable about the content and operation of the compliance and ethics program … and shall promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.

The OECD Good Practices reads:

  1. strong, explicit and visible support and commitment from senior management to the company’s internal controls, ethics and compliance programs or measures for preventing and detecting foreign bribery;

The UK Bribery Act Guidance for the Six Principles of Adequate Procedures reads:

The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.

Attachment C, to each DPA released in the past year, has the following:

2. [The Company] will ensure that its senior management provides strong, explicit, and visible support and commitment to its corporate policy against violations of the anti-corruption laws and its compliance code.

The Foreign Corrupt Practices Act (FCPA) world is riddled with cases where the abject failure of any ethical “Tone at the Top” led to enforcement actions and large monetary settlements. In the two largest monetary settlements of enforcement actions to date, Siemens and Halliburton, for the actions of its former subsidiary KBR, the government specifically noted the companies’ pervasive tolerance for bribery. In the Siemens case, for example, the Securities and Exchange Commission (SEC) noted that the company’s culture “had long been at odds with the FCPA” and was one in which bribery “was tolerated and even rewarded at the highest levels”. Likewise, in the KBR case, the government noted that “tolerance of the offense by substantial authority personnel was pervasive” throughout the organization.

In addition to the two cases set out above, in a 2003 report, the Commission on Public Trust and Private Enterprise cited a KPMG survey covering selected US industries, which found that 37 percent of employees had, in the previous year, observed misconduct that they believed could result in a significant loss of public trust if it were to become known. This same KPMG survey found that employees reported a variety of types of misconduct and that the employees believed this misconduct is caused most often by factors such as indifference and cynicism; pressure to meet schedules; pressure to hit unrealistic earnings goals; a desire to succeed or advance careers; and a lack of knowledge of standards.

So how can a company overcome these employee attitudes and replace the types of corporate cultures which apparently pervaded at News Corp and re-set its “Tone at the Top”? In a 2008 speech to the State Bar of Texas Annual Meeting, reprinted in Ethisphere, Larry Thompson, PepsiCo Senior Vice President of Governmental Affairs, General Counsel and Secretary, discussed the work of Professor Lynn Sharp at Harvard. From Professor Sharp’s writings, Mr. Thompson cited five factors which are critical in establishing an effective integrity program and to set the right “Tone at the Top”.

  1. The guiding values of a company must make sense and be clearly communicated.
  2. The company’s leader must be personally committed and willing to take action on the values.
  3. A company’s systems and structures must support its guiding principles.
  4. A company’s values must be integrated into normal channels of management decision making and reflected in the company’s critical decisions.
  5. Managers must be empowered to make ethically sound decisions on a day-to-day basis.

So whether with malicious intent or simply said out of frustration, when Henry II uttered the words which are the title of today’s posting, it set the tone for the four knights who overheard him. They set off and murdered Thomas Becket. Perhaps less starkly in today’s world, if the tone from the top is that you must meet your quarterly numbers or the company will find someone else to do the job, that is the message that will come across to company employees. But whether you are the King of England, the CEO of a Fortune 500 company or simply in a leadership position in your company, the tone does matter.

=======================================================

Episode 13 of This Week in FCPA is up. Check out Howard Sklar and myself on this week’s topics.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

April 4, 2011

Berland on the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance

One of the three sources generally cited as a benchmark of the elements of an effective compliance program is the Organization for Economic Co-operation and Development (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance. In the June issue of the Society of Corporate Compliance and Ethics Magazine (SCCE) (Vol. 7 / No. 3) was an article by our colleague Russ Berland on these elements. Given that the recently released Bribery Act Guidance referenced this document, we believed a review of these elements was appropriate.

Berland began with a background discussion of the genesis of the Working Group on Bribery in International Transactions Organization for the OECD and its development of the specific elements of a compliance program. In his article, Berland lists 12 specific instructions for companies to utilize as a basis upon which to construct an effective compliance program. They are:

1. A culture of compliance with the appropriate “tone at the top”.
2. Clearly articulated and visible policy against bribery and corruption.
3. It must be the duty of every employee to comply with a company’s anti-bribery program.
4. One or more senior officers in charge of the compliance program who must report directly to the Board or appropriate Board Committee.
5. Design the compliance program to prevent and detect bribery and corruption.
6. Make the program applicable to third party business partners.
7. Have a system of internal financial controls in place to ensure that bribery and corruption cannot be hidden.
8. Have periodic communications and training on the compliance program.
9. Provide positive support for employees to comply with the compliance program.
10. Consistently discipline employees for violations of the compliance program.
11. Provide guidance and advice for employees on the compliance program.
12. The compliance program should be periodically re-assessed and re-evaluated to take into account new developments.

Near the end of his article, Berland asks the question, will DOJ prosecutors find a company’s FCPA compliance program “effectively designed when it was based on the OECD guidance?” Much like Socrates (in that he knows the answer to his question), Berland responds “The answer should be yes.” We heartily agree and thank Russ for his much needed article providing specific guidance on what the OECD finds to be the elements of an effective compliance program.

© Thomas R. Fox, 2011

October 16, 2010

Ongoing Compliance Assessments: FCPA, UK Bribery Act and OECD Best Practices

One of the requirements consistent throughout the Principles of Federal Prosecution of Business Organization (US Sentencing Guidelines) and its section on corporate compliance programs, the Organization for Economic Co-operation and Development (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance, and the UK Bribery Act’s Consultative Guidance is the need for continued assessment of an anti-corruption and anti-bribery compliance program. This posting will review the specifics of each of these documents and will provide to the compliance and ethics practitioner some ideas on how to implement what each of these protocols stresses is a key component of any best practices compliance program.

US Sentencing Guidelines

The US Sentencing Guidelines state that there should be periodic reviews of a company’s compliance program, utilizing internal resources, such as a company’s Internal Audit function, and outside professional consultants. The OECD Good Practice states that a compliance program should be periodically re-assessed and re-evaluated to take into account any new developments. The UK Bribery Act Consultative Guidance, recently released by the UK Ministry of Justice, requires ongoing monitoring and review by noting that a compliance program and procedures should be reviewed regularly and a company should consider whether an “external verification [of the compliance program] would help.”

Speaking at the Compliance Week 2010 Annual Conference, Assistant Attorney General for the Criminal Division of the US Department of Justice, Lanny Breuer, indicated that such an external verification or assurance of the effectiveness of a compliance program is a key component to assist a company in maintaining a ‘best practices’ FCPA compliance program. He noted that it is through a mechanism such as an ongoing assessment that a company could continue to evaluate its own compliance program with reference to compliance standards which are evolving on a worldwide basis.

OECD

In this same speech, Breuer cited as a benchmark for a best practices compliance and ethics program the protocols set forth in the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance. In this protocol the OECD suggested “periodic reviews of the ethics and compliance programs or measures, designed to evaluate and improve their effectiveness in preventing and detecting foreign bribery, taking into account relevant developments in the field, and evolving international and industry standards.” Writing in the Society of Corporate Compliance and Ethics Magazine (SCCE) (Vol. 7 / No. 3), Russ Berland explained that this guidance meant that companies should regularly reassess their anti-bribery and anti-corruption compliance program to evaluate and improve its overall effectiveness. Although he did not give a time frame for this regular assessment, Berland noted that any such assessment “should take into account new developments in the area and evolving standards.”

UK Bribery Act

Principle Six of the UK Bribery Act’s Consultation Guidance discusses the need for ongoing monitoring and review. The Principle states “The commercial organization institutes monitoring and review mechanisms to ensure compliance with relevant policies and procedures and identifies any issues as they arise. The organization implements improvements where appropriate.” The reason for this continued monitoring was to ensure that, if external events like government changes, corruption convictions, or negative press reports occur, an appropriate compliance response is triggered. The Guidance noted that it would be prudent for companies to consult the publications of relevant trade bodies or regulators that could highlight examples of good or bad practice. Organizations should also ensure that their procedures take account of external methods of issue identification and reporting as a result of the statutory requirements applying to their supporting institutions, for example money laundering regulations reporting by accountants and solicitors.

The Consultative Guidance provided advice for companies which covered several specific suggestions. The senior management of higher risk and larger organizations may wish to consider whether to commission external verification or assurance of the effectiveness of anti-bribery and anti-corruption policies. An independent review can provide a company which is undergoing structural change or entering new markets with an insight into the strengths and weaknesses of its anti-bribery policies and procedures and help in identifying areas for improvement. Such independent assessment would also enhance a company’s credibility with business partners or restore market confidence following the discovery of a bribery incident, and help meet the requirements of both voluntary or industry initiatives and any future pre-qualification requirements.

Ongoing Assessment as ‘Best Practices’

All three cornerstones of guidance available to the Foreign Corrupt Practices Act (FCPA) compliance practitioner include ongoing assessments as a key component of any best practices program. The text of each document and the remarks by commentators make clear the reasons for such an ongoing assessment. Not only do best practices evolve but companies and businesses evolve. An assessment is key to measuring where your program currently stands to allow you to know where it needs to be updated.

Attention should be paid to who conducts the assessment and how it is conducted. The entity, be it a law firm, professional consultant or other, which designed the FCPA compliance program for your company should not be the assessor. Such assessment would obviously be a conflict of interest. Additionally, a drafter usually has blind spots when assessing his or her own work. An outside FCPA compliance professional should be engaged to assess your compliance policy, no less than every two years, to review and make recommendations to keep your program at the best practices standard.

© Thomas R. Fox, 2010

September 8, 2010

So…When Does Compliance and Ethics No Longer Matter?

Filed under: compliance programs — tfoxlaw @ 3:03 pm

In a post yesterday on TheAtlantic.com, Daniel Indiviglio posed the question “Does Hurd’s New Oracle Gig Prove Business Ethics Don’t Matter?” Indiviglio noted that while Mark Hurd’s missteps at H-P may have been “incredibly dumb”; the decisions he made which led to his ouster did not relate to his business acumen. Indiviglio quoted Bloomberg to explain the value that Oracle must have seen in hiring Hurd:

At H-P, Hurd more than tripled profit by cutting costs and expanding beyond the company’s core business of computers and printers. He oversaw an acquisition spree of more than $20 billion, letting the company branch out into services, networking equipment and smart phones. Oracle, which also has bulked up through takeovers, would draw on Hurd’s background blending software and hardware as it expands into server sales.

Indiviglio noted that it would appear that Oracle “thinks Hurd’s talent for business-making trumps his poor [ethical] decision-making elsewhere.” While recognizing that in certain professional service businesses, such as auditing, integrity is everything; conversely in other types of businesses where profit motives may not be connected to good ethics, an emphasis on integrity may not jeopardize business as much and as “long as poor decisions don’t compromise profit, they [business ethics] will eventually be forgotten.”

We have previously discussed the importance of “Tone at the Top” and our colleague Lindsay Walker has guest blogged on the subject in “Integrating Ethics and Compliance into the Entire Organization”. We both believe that a Company’s ethics and compliance culture is set by the very top levels of management. The reason is that this is the very ‘tone’ which company employees pick up on and use as the basis of their de facto guidance about what one can and cannot do, instead of following a written Code of Ethics. In most industries there is [almost] always an apocryphal ethics story along the lines of ‘In some unknown country an un-named Regional Manager is alleged to have said the following: “If I violate the Code of Ethics, I may or may not get caught. If I violate the Code of Ethics and get caught, I may or may not be disciplined. But if I miss my numbers for two consecutive quarters I will be terminated.”’

In the Foreign Corrupt Practices Act (FCPA) compliance world, we wonder what the Department of Justice (DOJ) or Securities and Exchange Commission (SEC) would think about a company which had such an attitude regarding compliance. Both the DOJ and SEC also appear to believe that a Company’s ethics and compliance culture is set by the very top levels of management, as the US Sentencing Guidelines read, in part, “High-level personnel and substantial authority personnel of the organization shall … promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” The DOJ has also cited to the Organization for Economic Co-operation and Development (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance as a guide to best practices in the compliance arena. The OECD lists 12 specific guidelines for companies to utilize as a basis to construct an effective compliance program. The list includes at least two points that seem to bear weight on this issue. They are:

1. A culture of compliance with the appropriate “tone at the top”.

* * *

3. It must be the duty of every employee to observe a company’s compliance program.

So take some time to think about the message you believe Oracle is sending to its employees by hiring Mark Hurd.

© Thomas R. Fox, 2010

September 7, 2010

Is Your Compliance Department Real and Alive?

Filed under: compliance programs,OECD — tfoxlaw @ 8:09 pm

Speaking at the IQPC 2010 Internal and Regulatory Investigations in Oil and Gas Conference, Nick Lumley, General Counsel of Centrica Storage, discussed how Centrica is using compliance policies and procedures as a business enabler. As a relatively new corporate entity, Centrica was able to create its own Code of Conduct and compliance culture within the past decade. Lumley emphasized that neither he nor the Company wanted a checklist culture of compliance but one that was vibrant within the Company. 

One of the key items stressed by Lumley to make compliance vibrant was not only that a culture of compliance had to be real and alive within a company, but that the Compliance Department itself must also be real and alive. By this he meant that the Compliance Department had to be not only flesh and blood people that the rest of the company could relate to but the department had to be an active part of the company’s business. 

Lumley used several examples of techniques used by Centrica to drive home the former point. At Centrica compliance begins when a new employee comes on board; the employee is given a Compliance orientation from a Compliance Department representative just as they would a HR orientation and this is the practice for a couple of reasons. Initially, it prevents an employee from simply ticking a box that “yes, I reviewed the Code of Conduct”; it allows a new employee to receive real in-person training on the Code, learn what is expected of them as a Centrica employee and to allow for interaction on this aspect of Centrica’s philosophy of compliance. Equally important is that it puts a human face on Centrica’s Compliance Department from the beginning. As a result of this orientation the new employee knows both the Company’s commitment to compliance and a Compliance Professional that he or she may contact if the need arises. 

The last point leads into what Lumley termed a key component of the overall compliance strategy; that the Compliance department must be ‘real and alive’. The Compliance department must be available to assist all employees on compliance related matters; each employee must know that they can go to the Compliance Department and that their concerns will be addressed and responded to in a reasonable time. While Lumley did not list any metrics on response times, he believed that the Compliance Department was able to timely address the vast majority of questions and issues quickly and efficiently for the Company’s workforce. 

In a recent article published in the Society of Corporate Compliance and Ethics Magazine (SCCE) (Vol. 7 / No. 3), Russ Berland discussed the Organization for Economic Co-operation and Development (OECD) Good Practice Guidance on Internal Controls, Ethics, and Compliance. One of the factors listed speaks directly to this real and alive component of a compliance program, which states the following:

Companies should consider, inter alia, the following good practices for ensuring effective internal controls, ethics, and compliance programmes or measures for the purpose of preventing and detecting foreign bribery: 

* * *

11. effective measures for: 

i) providing guidance and advice to directors, officers, employees, and, where appropriate, business partners, on complying with the company’s ethics and compliance programme or measures, including when they need urgent advice on difficult situations in foreign jurisdictions;

ii) internal and where possible confidential reporting by, and protection of, directors, officers, employees, and, where appropriate, business partners, not willing to violate professional standards or ethics under instructions or pressure from hierarchical superiors, as well as for directors, officers, employees, and, where appropriate, business partners, willing to report breaches of the law or professional standards or ethics occurring within the company, in good faith and on reasonable grounds; and

iii) undertaking appropriate action in response to such reports. 

Centrica has taken a forward step to make its Compliance Department an integral part of the company’s overall business strategy, thereby enabling its business units to better assess their compliance risks and move forward conducting business in a compliant manner. The emphasis on real and alive helps make it accessible to all employees and this accessibility will hopefully not only lead to doing more and better business for the Company but may also help to prevent any compliance questions or issues from becoming compliance violations.

So ask yourself: is your Compliance Department real and alive to the employees?

To see a video of Mr. Lumley’s presentation, click here.

© Thomas R. Fox, 2010

August 5, 2010

HOTLINES AS A FCPA COMPLIANCE TOOL

Employees are a company’s best source of information about what is going on in the company. It is certainly a best practice for a company to listen to its own employees, particularly to help improve its processes and procedures. But more than listening to its employees, a company should provide a safe and secure route for employees to escalate their concerns. This is the underlying rationale behind an anonymous reporting system within any organization. This concept is one of the key components of a Foreign Corrupt Practices Act (FCPA) compliance and ethics ‘best practices’ program. Both the Principles of Federal Prosecution of Business Organization (US Sentencing Guidelines) and the OECD Good Practice Guidance on Internal Controls, Ethics, and Compliance (“OECD Good Practices”) list, as one of their components, an anonymous reporting mechanism by which employees can report compliance and ethics violations. This concept, in the FCPA world, is usually referred to as a “Hotline”. This article will discuss how the use of a Hotline can assist a company with its overall FCPA compliance and ethics efforts.

The US Sentencing Guidelines state:

(C) to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization’s employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation.

The OECD Good Practices states:

v) companies to provide channels for communication by, and protection of, persons not willing to violate professional standards or ethics under instructions or pressure from hierarchical superiors, as well as for persons willing to report breaches of the law or professional standards or ethics occurring within the company in good faith and on reasonable grounds, and should encourage companies to take appropriate action based on such reporting;

Confidential reporting is critical to any organization, not only from the legal requirements which specify that such a mechanism be available for employees, but also to allow escalation of compliance and ethics issues in a manner which is safe for employees and can lead to the discovery of significant FCPA compliance issues. Two recent examples of employees reporting issues include the Daimler and the ongoing Avon matters. A company’s commitment to a hotline provides a means by which employees can elevate compliance and ethics concerns before they become full blown FCPA enforcement actions.

While there is no generally accepted industry standard regarding the implementation and employment of a Hotline, Ethicspoint, in a White Paper entitled “It’s Not Your Father’s Hotline”, suggested the following as the ‘best practices’ for internal Hotlines:

1. Availability: a Hotline should be available 24 hours a day/7 days a week and toll-free. It should be available in the native tongue of the person utilizing it, so if your work force uses more than one language for inter-company communications, your Hotline should reflect this as well.
2. Escalation: after a report is received through the Hotline it should be distributed to the appropriate person or department for action and oversight. This would also include resolution of the information presented, if warranted, and consistent application of the investigation process throughout the pendency of the matter.
3. Follow-Up: there should be a mechanism for follow-up with the Hotline reporter, even if the report is made anonymously. This allows the appropriate person within your organization to substantiate the report or obtain additional information at an early stage, if appropriate.
4. Oversight: the information communicated through the Hotline should be available to the appropriate Board Committee or Management Committee in the form of statistical summaries, and an audit trail should be available to the appropriate oversight group of actions taken and resolution of any information reported through the Hotline.

The Hotline can be a key company tool in an effective FCPA compliance program. Properly advertised and then utilized, it can assist a company to learn about issues and take appropriate actions before these issues erupt into more serious problems. Lastly the proper maintenance of a Hotline can not only allow a company to track compliance issues as they come into the system and document its response but also use this information as an ongoing audit of its FCPA compliance system.

© Thomas R. Fox, 2010
