Risk Assessment | FCPA Compliance and Ethics Blog

May 27, 2015

Economic Downturn Week, Part III – The Desktop Risk Assessment

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs,Department of Justice,FCPA,FCPA Guidance,Risk Assessment,SEC,Ten Hallmarks of an Effective Compliance Program — tfoxlaw @ 10:10 pm
Tags: best practices, compliance, compliance programs, DOJ, FCPA, Risk Assessment, SEC

I continue my exploration of actions you can take to improve your compliance program during an economic downturn with a review of what my colleague Jan Farley, the Chief Compliance Officer (CCO) at Dresser-Rand, called the ‘Desktop Risk Assessment’. Both the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) make clear the need for a risk assessment to inform your compliance program. I believe that most, if not all CCOs and compliance practitioners understand this well articulated need. The FCPA Guidance could not have been clearer when it stated, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” While many compliance practitioners have difficulty getting their collective arms about what is required for a risk assessment and then how precisely to use it; the FCPA Guidance makes clear there is no ‘one size fits all’ for about anything in an effective compliance program.

One type of risk assessment can consist of a full-blown, worldwide exercise, where teams of lawyers and fiscal consultants travel around the globe, interviewing and auditing. Of course this can be a notoriously expense exercise and if you are in Houston, the energy industry or any sector in the economic doldrums about now, this may be something you can even seek funding for at this time. Moreover, you may also be constrained by reduced compliance personnel so that you can not even perform a full-blown risk assessment with internal resources.

However if there is one thing that I learned as a lawyer, which also applies to the compliance field, it is that you are only limited by your imagination. So using the FCPA Guidance’s no ‘one size fits all’ proscription, I would submit that is also true for risk assessments. You might try assessing other areas annually, through a more limited focused risk assessment, literally while staying at your desk and not traveling away from your corporate headquarters.

Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

Are resources adequate to sustain a culture of compliance?
How are the risks in the C-Suite and the Boardroom being addressed?
What are the FCPA risks related to the supply chain?
How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
Is the documentation adequate to support the program for regulatory purposes?
Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
Communication of information and findings – Are escalation protocols appropriate?
What are the opportunities to improve compliance?

There are a variety of materials that you can review from or at a company that can facilitate such a Desktop Risk Assessment. You can review your company’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

You could assess your company’s senior management support for your compliance efforts through interviews of high-level personnel such as the Chief Financial Officer (CFO), General Counsel (GC), Head of Sales, Chief Executive Officer (CEO) and all Board, Audit or Compliance Subcommittee members to assess “tone from the top” and their actual knowledge about the Foreign Corrupt Practices Act (FCPA) and your compliance program. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.

Such a review would lead to the next level of assessment, which would be generally labeled as communications within an organization regarding compliance. You can do this by assessing compliance policy communications to company personnel but even more so by reviewing such materials as compliance training and certifications that employees might have in their files. If you did not yet do so, you should also take a look at statements by senior management regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections.

A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on the reporting of suspected compliance violations and the actions taken on any internal reports, including follow-ups to the reporting employees. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses.

I do not think there is any dispute that third parties represent the highest risk to most companies under the FCPA, so a review of your due diligence program is certainly something that should be a part of any risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries, you should also consider the compliance procedures in place for your company’s mergers and acquisitions (M&A) team; focusing on the pre-acquisition phase.

One area that I do not think gets enough play, whether in the FCPA Inc. commentary or in day-to-day practice is looking at what might be called employee commitment to your company’s compliance regime. So here you may want to review your compliance policies regarding employee incentives for compliance. But just as you look at the carrots to achieve compliance with your program, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly. If you discipline top sales people in Brazil, you have to discipline your top sales folks in the US for the same or similar violations.

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the areas you can assess. My suggestion is that you try identifying and focusing on core compliance components in your organization. Obviously there are probably a million things you could fix. However, you cannot fix everything, so you must make a decision about your primacies, and then act on them. A Desktop Risk Assessment may well help you to do so.

As with the other suggestions I have put forward during the Economic Downturn Week series, if you perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. Moreover, when funds and resources do become available to you and the compliance function, you will have a stronger program and one which move towards best-in-class. Finally, do not forget that the FCPA Guidance ends its section on risk with the following, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.” By using the Desktop Risk Assessment during an economic downturn, you can answer any regulator who asks what have you done to manage the risks in your company, by using the resources and tools that were available to you.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Leave a Comment

September 4, 2014

Pro Football and the FCPA Professor

Filed under: Best Practices,Compliance,Compliance and Ethics,compliance programs,FCPA,FCPA Professor,Risk Assessment — tfoxlaw @ 5:48 am
Tags: best practices, compliance, compliance programs, FCPA, FCPA Professor, Risk Assessment

For those of us lucky enough to enjoy AAA (or perhaps AA) baseball, disguised as a major league team in our city, today brings harbingers of elation. No the Houston Astros are not moving to a city near you but the National Football League (NFL) begins its 95^th season tonight with a match up of Seattle and Green Bay. I do not care if the Houston Texans are in the toilet again or my beloved Dallas Cowboys will stomp to yet another 8-8 season under the egotistical owner Jerry Jones. I love watching pro football. So for all you pro football aficionados out there, here’s to us!

With the upcoming season now only hours away, I was interested to receive the FCPA Professor’s latest article (as opposed to his latest book The Foreign Corrupt Practices Act In A New Era) entitled “How a Successful Football Organization Can Inform Foreign Corrupt Practices Act Compliance in a Business Organization”. As readers of this blog will know, I often use sports to discuss the nuts and bolts of Foreign Corrupt Practices Act (FCPA) compliance. So it was gratifying to see the FCPA Professor use sports in some of his writings. Further, since he is much better known for his basketball prowess (he went to college on a basketball scholarship), I was particularly gratified when he harkened back to my primary sport of football for his latest paper by stating, “In the spirit of the season, this article highlights four attributes of a successful football organization that can also elevate FCPA compliance in a business organization.” The four attributes are:

Understanding the playbook

While beginning with the proffer that any successful team has playbook that is effectively communicated, the FCPA Professor noted, “understanding the playbook and effectively communicating its contents are essential first steps in managing and minimizing FCPA risk in a business organization. Yet as simple as this sounds, many business organizations fail to take adequate steps to ensure that everyone is actually on the same page when it comes to FCPA compliance.” From this he moves into some thoughts on training.

The Professor cautions against over-complicating your FCPA training. I tell the folks that I train on the FCPA that the one thing I want them to take away is that if their stomach tells them something is wrong or the hair on the back of their neck stands up, just raise your hand and ask for help. The Professor phrases it another way by stating, “Toward this end, the goal of FCPA training should not be to make each participant an expert on the FCPA’s specific elements but rather to provide all participants a pair of FCPA goggles so they can approach their specific job functions able to recognize FCPA risk and report it to the appropriate experts within the business organization.” He concludes this section by stating, “In short, and just as in football, success in the field is best accomplished by an FCPA compliance playbook that engages employees and motivates them to spot risk, which is then effectively communicated to all members of the organization in a language they can actually understand.”

Execution by all team members

Here the Professor makes an interesting observation, which is too often overlooked in the compliance arena. In football there are skill positions such as those people who handle the football. Quarterbacks, running backs and receivers generally are the most well known and well paid. However the Professor notes, “success on the field is more often dependent on execution by the so-called ‘‘grunt players,’’ such as a successful snap by the center, the ability of the offensive line to protect the quarterback and the ability of the defensive line to pressure the quarterback. Indeed, key to building a successful football organization is drafting and cultivating such ‘‘grunt’’ players as evidenced by the frequency in which offensive or defensive linemen are selected in the NFL draft ahead of various ‘‘skilled positions.’’”

In the compliance world, there are skilled players at the top, such as the Chief Compliance Officer (CCO), Chief Financial Officer (CFO), Chief Executive Officer (CEO) and various Board members who may be involved with a company’s compliance function. However many FCPA violations arise out of what the Professor calls the ‘grunt work’ of doing business. To be sure, there was the KBR $148 million bribe paid through its joint venture (JV) for work in Nigeria. But more often it is the spade work of doing business which can lead to a FCPA violation, as the Professor notes, “tax, import/export and securing licenses, permits, certifications and the like—are actionable under the FCPA’s anti-bribery provisions.”

He further notes that compliance must be viewed as a corporate wide function. It is not and should not be viewed as strictly a legal function as “it is also a finance and auditing issue and thus a function that is best achieved holistically throughout a business organization.” I agree with his observations and would urge compliance practitioners to take a look at your compliance program through the eyes of your field team or international business representatives. Moreover by getting these folks to ‘raise their hands’ and get information in your hands, you may be able to stop a compliance issue before it becomes a full FCPA violation.

A flexible playbook

Here the Professor channels his inner FCPA Guidance by noting that a team’s playbook “is uniquely tailored to the strengths and weaknesses of the team based upon its current roster.” In the business world, this means that you need to assess your company’s compliance risks and manage your risks, not those of some other entity. The Professor suggests some basic questions you should start with to make this determination.

Where does your company do business? What are those countries reputations for corruption?
Who are your potential customers? Are they foreign governments or state owned enterprises?
What is your sales model? Do you use third parties in the sales cycle in foreign countries?
How do get your products into foreign countries? Do you use freight forwarders or customs brokers? How about visa processors for your company personnel?
How does your company obtain the necessary licenses, permits, certifications and other necessary paperwork to do business in foreign countries?

Your risk level will depend in large part on answers to these questions. The Professor ends this section with the following, “just like a football playbook that is uniquely tailored to the strengths and weaknesses of the current roster and adjusted throughout the season to incorporate specific opponents, an FCPA compliance playbook that is consistent, yet flexible enough to incorporate specific realities in different countries, can best minimize FCPA scrutiny and enforcement.”

Playing hard, but not too aggressively

In football players certainly want to play hard but face penalties for playing too aggressively. I would add that sometimes there are grey areas in the rules that can get players into trouble. Moreover, just as each football team will have its own risk tolerance, businesses will as well. The Professor states, “The same is true for FCPA compliance. Business organizations, particularly those accountable to shareholders to increase value, should aggressively compete in the global marketplace to gain a competitive edge over competitors. Yet the practical reality is that much of what happens in the global marketplace can also fall into a gray area given the FCPA’s provisions, which have frequently been found to be vague and ambiguous when subjected to judicial scrutiny. The potential of a business organization to find itself on the wrong end of enforcement agency discretion is further compounded if employees seek to justify their conduct under the FCPA’s facilitating-payments exception and affirmative defenses.”

I would guess that the FCPA Professor had fun writing this article. I certainly enjoyed reading it. For any fan of football, I would speculate that you would too. Even if you are not a football fan, I believe that you will gain new and additional insights into some of the ‘nuts and bolts’ of FCPA compliance by reading this article.

You can down the Professor’s article by clicking here.

© Thomas R. Fox, 2014

Comments (1)

August 28, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part III

Today, I conclude a three-part series on risk assessments in your Foreign Corrupt Practices Act (FCPA) or UK Bribery Act anti-corruption compliance program. I previously reviewed some of the risks that you need to assess and how you might go about assessing them. Today I want to consider some thoughts on how to use your risk assessment going forward.

Mike Volkov has advised that you should prepare a risk matrix detailing the specific risks you have identified and relevant mitigating controls. From this you can create a new control or prepare an enhanced control to remediate the gap between specific risk and control. Finally, through this risk matrix you should be able to assess relative remediation requirements.

A manner in which to put into practice some of Volkov’s suggestions was explored by Tammy Whitehouse, in an article entitled “Improving Risk Assessments and Audit Operations”. Her article focused on the how Timken Company, assesses and then evaluates the risks the company has assessed. Once risks are identified, they are then rated according to their significance and likelihood of occurring, and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the audit/monitoring plan, she said. A variety of solutions and tools can be used to manage these risks going forward but the key step is to evaluate and rate these risks.

LIKELIHOOD

Likelihood Rating	Assessment	Evaluation Criteria
1	Almost Certain	High likely, this event is expected to occur
2	Likely	Strong possibility that an event will occur and there is sufficient historical incidence to support it
3	Possible	Event may occur at some point, typically there is a history to support it
4	Unlikely	Not expected but there’s a slight possibility that it may occur
5	Rare	Highly unlikely, but may occur in unique circumstances

‘Likelihood’ factors to consider: The existence of controls, written policies and procedures designed to mitigate risk capable of leadership to recognize and prevent a compliance breakdown; Compliance failures or near misses; Training and awareness programs.

PRIORITY

Priority Rating	Assessment	Evaluation Criteria
1-2	Severe	Immediate action is required to address the risk, in addition to inclusion in training and education and audit and monitoring plans
3-4	High	Should be proactively monitored and mitigated through inclusion in training and education and audit and monitoring plans
5-7	Significant
8-14	Moderate
15-1920-25	LowTrivial	Risks at this level should be monitored but do not necessarily pose any serious threat to the organization at the present time.

Priority Rating: Product of ‘likelihood’ and significance ratings reflects the significance of particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.

At Timken, the most significant risks with the greatest likelihood of occurring are deemed to be the priority risks. These “Severe” risks become the focus of the audit monitoring plan going forward. A variety of tools can be used, such as continuous controls monitoring with tools like those provided by Visual RiskIQ, a relationship-analysis based software such as Catelas or other analytical based tools. But you should not forget the human factor. At Timken, one of the methods used by the compliance group to manage such risk is by providing employees with substantive training to guard against the most significant risks coming to pass and to keep the key messages fresh and top of mind. The company also produces a risk control summary that succinctly documents the nature of the risk and the actions taken to mitigate it.

The key to the Timken approach is the action steps prescribed by their analysis. This is another way of saying that the risk assessment informs the compliance program, not vice versa. This is the method set forth by the DOJ in its FCPA Guidance and in the UK Bribery Act’s Adequate Procedures. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the compliance arena. The model set forth by Timken certainly is a reasoned approach and can provide the articulation needed to explain which steps were taken.

In an article in Compliance Week Magazine, entitled, “Lessons on Risk Assessments from Winnie The Pooh” Jason Medford articulated that a key use of a risk assessment is to assist the internal audit function in developing their internal audit plan. He cited to the Institute of Internal Auditors (IIA) standard 2010.A1, which states “The internal audit activity’s plan of engagements must be based on a documented risk assessment, undertaken at least annually.” He went on to note that “In order to have a truly integrated GRC capability it is necessary for internal auditors to work with other GRC professionals in their organization. They must align their annual audit plan with the organization’s objectives, strategies, and initiatives of the other GRC professionals. They must collaborate, coordinate, and align their audit activities with other GRC professionals to increase visibility, improve efficiency, accountability and collaboration.

Carol Saint, Vice President of Internal Audit for 7-Eleven, who was interview by OCEG President Carol Switzer for the same article said that “We start with a risk assessment, beginning with business units because this is how the organization has designed accountability. We decompose business units into the processes and sub-processes they own and execute. We evaluate how sub-processes align to achievement of strategic objectives: How do they affect the company’s value drivers? Next, we map financial statement lines to the sub-processes to help prioritize from that lens. Finally, for each sub-process we consider specific risks that could hinder achievement of strategic objectives, as well as fraud risks, significant accounting estimates, benchmarking/ hot topics, and ERM risks. We created an “intensity rating” that measures how often a process/sub-process was mentioned in our stakeholder interviews as a risk to the company. And we also considered how cross-functional a process is so that the element of complexity—a risk accelerator—could help determine audit plan priorities. This year’s plan development process was quite intense, but I think we did a good job of creating a baseline so that future risk assessments are more efficient.”

I hope that you have found this series on risk assessments useful. If you have any questions or better yet would like me to work on a risk assessment for your organization, please contact me.

© Thomas R. Fox, 2014

Comments (1)

August 27, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part II

Filed under: Bill Athanas,Bribery Act,Compliance,compliance programs,Department of Justice,Document Document Document,FCPA,FCPA Guidance,Risk Assessment — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, FCPA, FCPA Professor, Risk Assessment

Ed. Note-Today, I continue my three-part posts on risk assessments. Today I take a look at some different ideas on how you might go about assessing your risks.

One of the questions that I hear most often is how does one actually perform a risk assessment? Mike Volkov has suggested a couple of different approaches in his article “Practical Suggestions for Conducting Risk Assessments.” In it Volkov differentiates between smaller companies which might use some basic tools such as “personal or telephone interviews of key employees; surveys and questionnaires of employees; and review of historical compliance information such as due diligence files for third parties and mergers and acquisitions, as well as internal audits of key offices” from larger companies. Such larger companies may use these basic techniques but may also include a deeper dive into high risk countries or high risk business areas. If your company’s sales model uses third party representatives, you may also wish to visit with those parties or persons to help evaluate their risks for bribery and corruption that might well be attributed to your company.

Another noted compliance practitioner, William Athanas, in an article entitled “Rethinking FCPA Compliance Strategies in a New Era of Enforcement”, took a different look at risk assessments when he posited that companies assume that FCPA violations follow a “bell-curve distribution, where the majority of employees are responsible for the majority of violations.” However Athanas believed that the distribution pattern more closely follows a “hockey-stick distribution, where a select few…commit virtually all violations.” Athanas suggests assessing those individuals with the opportunity to interact with foreign officials have the greatest chance to commit FCPA violations. Diving down from that group, certain individuals also possess the necessary inclination, whether a personal financial incentive linked to the transaction or the inability to recognize the significant risks attendant to bribery.

To assess these risks, Athanas suggested an initial determination of the touch-points where the operations of manufacturing companies “intersect with foreign officials vested with discretionary authority.” This will lead to an understanding of the individuals who hold these roles within a company. This means that a simple geographic analysis is but a first step in a risk analysis. Thereafter companies should also focus on “those who authorize and record disbursements, as well as those who represent the company in situations where they may be solicited for payments.” The next step is to determine those company employees who may have the incentive “to pay bribes on the Company’s behalf.” This incentive can come from a variety of forms; such as a company compensation plan, which rewards high producers; employees who do not understand the risk they place the company (and themselves) in by engaging in tactics which violate the FCPA; and, finally, those employees who seek to place their individual interests above those of the company.

Athanas concludes by noting that this limited group of employees, or what he terms the “shaft of the hockey-stick”, is where a company should devote the majority of its compliance resources. With a proper risk assessment, a company can then focus its compliance efforts on “intensive training sessions or focused analysis of key financial transactions — on those individuals with the opportunity and potential inclination to violate the statute.” This focus will provide companies the greatest “financial value and practical worth of compliance efforts.”

Lawler suggests that you combine the scores or analysis you obtain from the corruption markers you review; whether it is the DOJ list or those markers under the UK Bribery Act. From there, create a “rudimentary risk-scoring system that ranks the things to review using risk indicators of potential bribery.” This ensures that high-risk exposures are done first and/or given more time. As with all populations of this type, there is likely to be a normal or ‘bell curve’ distribution of risks around the mean. So 10-15% of exposure falls into the relative low-risk category; the vast majority (70-80%) into the moderate-risk category; and the final 10-15% would be high risk.

Earlier this week I wrote a piece about the Desktop Risk Assessment. I will not repeat the entire blog post here but only use some of the areas you could assess as a starting point for discussion. If you do not have the time, resources or support to conduct a worldwide risk assessment annually, you can take a different approach. You might try assessing other areas annually through a more limited focused risk assessment, which a colleague of mine calls the Desktop Risk Assessment. Some of the areas that such a Desktop Risk Assessment could inquire into might be the following:

Are resources adequate to sustain a culture of compliance?
How are the risks in the C-Suite and the Boardroom being addressed?
What are the FCPA risks related to the supply chain?
How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
Is the documentation adequate to support the program for regulatory purposes?
Is culture, attitude (tone from the top), and knowledge measured? If yes, can we use the information enhance the program?
Disciplinary guidelines – Do they exist and has anyone been terminated or disciplined for a violating policy?
Communication of information and findings – Are escalation protocols appropriate?
What are the opportunities to improve compliance?

This list is not intended to be a complete list of items, you can pick and choose to form some type of Desktop Risk Assessment but hopefully you can see some of the things areas you can assess and deliver any remedial action which may be warranted. Further, if you aim to perform an annual Desktop Risk Assessment with a full worldwide risk assessment every two years or so, you should be in a good position to keep abreast of compliance issues that may change and need more or greater risk management. And do not forget the that the FCPA Guidance ends its section on risk with, “When assessing a company’s compliance program, DOJ and SEC take into account whether and to what degree a company analyzes and addresses the particular risks it faces.”

A completely different approach was articulated by Leonard Shen, Vice President (VP) and Chief Compliance Officer (CCO) at PayPal, in a presentation to Compliance Week. His approach is not the right approach for every company but for those initiating their compliance journey, or a company considering a significant upgrade due to some systemic issue; this approach may be a more effective approach than the traditional risk assessment where a team of lawyers, CPAs and internal auditors assess a company’s compliance environment.

In a company which is initiating its compliance program, it can be perceived as a sea change of culture. However, Shen indicated that he had used an approach which worked to alleviate those types of concerns which also provided enough information to perform a robust assessment which could be used to form the basis of an effective compliance program. He termed this type of approach as one to “engage and educate.” While the approach had a two word name, it actually had three purposes; (1) to engage the employees in what would form the basis for an enhanced compliance program; (2) to educate the employees generally in compliance and ethical behavior; and (3) through the engagement of employees, to gather information which could be used to form the basis of a risk assessment.

Shen and his compliance team traveled to multiple company locations, across the globe, to meet with as many employees as possible. A large number these meetings were town hall settings, and key employee leaders, key stakeholders and employees identified as high risk, due to interaction with foreign governmental official touch-points, were met with individually or in smaller groups. Shen and his team listened to their compliance concerns and more importantly took their compliance ideas back to the home office.

From this engagement, the team received several thousand-employee suggestions regarding enhancements to the company’s compliance program. After returning to the US, Shen and his team winnowed down this large number to a more manageable number, somewhere in the range of a couple of hundred. These formed the basis of a large core of the enhancements to the existing company compliance program. After the enhanced compliance program was rolled out formal training began. During the training, the team was able to give specific examples of how employee input led to the changes in the enhanced program. This engaged the employees and made them feel like they were a part of, and had a vested interest in, the company’s compliance program. This employee engagement led to employee buy-in.

During the town hall meetings, and the smaller more informal group meetings, Shen and his team were doing more than simply listening, they were also training. However, the training was not on specific compliance provisions; it was more generally on overall ethics and how the employees could use compliance as a business tool. Most ethical standards of a company are not found in an existing compliance program, they are found in the general anti-discrimination guidelines and ethical business practices such anti-competitiveness and use of customer confidential information prohibitions. Often these general concepts can be found in a company’s overall Code of Conduct or similar statement of business ethics; workplace anti-discrimination and anti-harassment guidelines can be found in Human Resource policies and procedures.

Concepts such as anti-competitiveness and use of customer and competitor’s illegally obtained confidential information may be found in anti-trust or other business practice focused guidelines.

Shen and his team’s aim on the education component of “engage and educate” was to have the company employee’s start thinking about doing business the ethical way. It was ethical concept based training designed to be in contrast to a rules based approach, where employees believe they are taught the rules, and then try to see how close they can get to the line of violating the compliance rule without actually stepping over the line. Moreover, by having this general ethical business training, it laid the groundwork for the enhancement of the company’s compliance program and the training that would occur when the enhancement was rolled out.

A third key component of the “engage and educate” program is the risk assessment component. Shen’s approach here was not the traditional control-testing model, where documents are pulled and tested against a standard. Shen and his team listened, listened and listened. They listened to their employees concerns and they listened to the compliance issues they raised. As they were listening they began to ask questions about what was done and why. The questioning was not in an adversarial, interrogation mode but ferreting out the employees concerns while having the employees educate the team on the actual procedures that were used in several areas identified as key high risk areas.

Shen emphasized that this was an assessment and not an audit so no detailed forensic work was needed or used. However, by listening, and gently questioning, Shen and his team were able to garner enough information to create a risk assessment profile which informed and became the basis of their compliance program enhancement. Shen and his team did not identify to the company employees that they were engaged in a formal risk assessment. He believed that in many ways, he and his team were able to garner more useful information with which to inform their compliance program enhancement.

Shen’s “engage and educate” approach worked for his company at that point in time. It may not work for other companies as a traditional risk assessment but it does provide a different model if your company is beginning to create their compliance program, or is looking into a major enhancement.

Tomorrow, I will look at how you might use a risk assessment going forward.

© Thomas R. Fox, 2014

Leave a Comment

August 26, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part I

Yesterday, I blogged about the Desktop Risk Assessment. I received so many comments and views about the post, I was inspired to put together a longer post on the topic of risk assessments more generally. Of course I got carried away so today, I will begin a three-part series on risk assessments. In today’s post I will review the legal and conceptual underpinnings of a risk assessment. Over the next couple of days, I will review the techniques you can use to perform a risk assessment and end with a discussion of what to do with the information that you have gleaned in a risk assessment for your compliance program going forward.

One cannot really say enough about risk assessments in the context of anti-corruption programs. Since at least 1999, in the Metcalf & Eddy enforcement action, the US Department of Justice (DOJ) has said that risk assessments that measure the likelihood and severity of possible Foreign Corrupt Practices Act (FCPA) violations identifies how you should direct your resources to manage these risks. The FCPA Guidance stated it succinctly when it said, “Assessment of risk is fundamental to developing a strong compliance program, and is another factor DOJ and SEC evaluate when assessing a company’s compliance program.” The UK Bribery Act has a similar view. In Principal I of the Six Principals of an Adequate Compliance program, it states, “The commercial organisation regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” In other words, risk assessments have been around and even mandated for a long time and their use has not lessened in importance. The British have a way with words, even when discussing compliance, and Principal I of the Six Principals of an Adequate Compliance program says that your risk assessment should inform your compliance program.

Jonathan Marks, a partner in the firm of Crowe Horwath LLP, said the following about risk assessments in his 13-step FCPA Compliance Action Plan, “A comprehensive assessment of the potential bribery and corruption risks – both existing and emerging risks – associated with a company’s products and services, customers, third-party business partners, and geographic locations can serve as the basis for the compliance program. The risk assessment determines the areas at greatest risk for FCPA violations among all types of international business transactions and operations, the business culture of each country in which these activities occur, and the integrity and reputation of third parties engaged on behalf of the company.”

The simple reason is straightforward; one cannot define, plan for, or design an effective compliance program to prevent bribery and corruption unless you can measure the risks you face. Both the both the US Sentencing Guidelines, the UK Bribery Act’s Consultative Guidance list Risk Assessment as the initial step in creating an effective anti-corruption and anti-bribery program.

What Should You Assess?

In 2011, the DOJ concluded three FCPA enforcement actions which specified factors which a company should review when making a Risk Assessment. The three enforcement actions, involving the companies Alcatel-Lucent SA, Maxwell Technologies Inc. and Tyson Foods Inc. all had common areas that the DOJ indicated were FCPA compliance risk areas which should be evaluated for a minimum best practices FCPA compliance program. Both the Alcatel-Lucent and Maxwell Technologies Deferred Prosecution Agreements (DPAs) listed the seven following areas of risk to be assessed.

Geography-where does your Company do business.
Interaction with types and levels of Governments.
Industrial Sector of Operations.
Involvement with Joint Ventures.
Licenses and Permits in Operations.
Degree of Government Oversight.
Volume and Importance of Goods and Personnel Going Through Customs and Immigration.

All of these factors were reiterated in the FCPA Guidance which stated, “Factors to consider, for instance, include risks presented by: the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation and oversight, and exposure to customs and immigration in conducting business affairs.”

These factors provide guidance into some of the key areas that the DOJ apparently believes can put a company at higher FCPA risk. These factors supplement those listed in the UK Bribery Consultative Guidance states, “Risk Assessment – The commercial organization regularly and comprehensively assesses the nature and extent of the risks relating to bribery to which it is exposed.” The Guidance points towards several key risks which should be evaluated in this process. These risk areas include:

Internal Risk – this could include deficiencies in

employee knowledge of a company’s business profile and understanding of associated bribery and corruption risks;
employee training or skills sets; and
the company’s compensation structure or lack of clarity in the policy on gifts, entertaining and travel expenses.

Country risk – this type of risk could include:

(a) perceived high levels of corruption as highlighted by corruption league tables published by reputable Non-Governmental Organizations such as Transparency International;

(b) factors such as absence of anti-bribery legislation and implementation and a perceived lack of capacity of the government, media, local business community and civil society to effectively promote transparent procurement and investment policies; and

Transaction Risk – this could entail items such as transactions involving charitable or political contributions, the obtaining of licenses and permits, public procurement, high value or projects with many contractors or involvement of intermediaries or agents.
Partnership risks – this risk could include those involving foreign business partners located in higher-risk jurisdictions, associations with prominent public office holders, insufficient knowledge or transparency of third party processes and controls.

Another approach was detailed by David Lawler, in his book “Frequently Asked Questions in Anti-Bribery and Corruption”. He broke the risk areas to evaluate down into the following categories: (1) Company Risk, (2) Country Risk, (3) Sector Risk, (4) Transaction Risk and (5) Business Partnership Risk. He further detailed these categories as follows:

Company Risk-Lawyer believes this is “only to be likely to be relevant when assessing a number of different companies – either when managing a portfolio of companies from the perspective of a head office of a conglomerate or private equity house.” High risk companies involve, some of the following characteristics:

Private companies with a close shareholder group;
Large, diverse and complex groups with a decentralized management structure;
An autocratic top management;
A previous history of compliance issues; and/or
Poor marketplace perception.

Country Risk-this area involves countries which have a high reported level or perception of corruption, have failed to enact effective anti-corruption legislation and have a failure to be transparent in procurement and investment policies. Obviously the most recent, annual Transparency International Corruption Perceptions Index can be a good starting point. Other indices you might consider are the Worldwide Governance Indicators and the Global Integrity index.
Sector Risk-these involve areas which require a significant amount of government licensing or permitting to do business in a country. It includes the usual suspects of:

Extractive industries;
Oil and gas services;
Large scale infrastructure areas;
Telecoms;
Pharmaceutical, medical device and health care;
Financial services.

Transaction Risk-Lawyer says that this risk “first and foremost identifies and analyses the financial aspects of a payment or deal. This means that it is necessary to think about where your money is ending up”. Indicia of transaction risk include:

High reward projects;
Involve many contractor or other third party intermediaries; and/or
Do not appear to have a clear legitimate object.

Business Partnership Risk-this prong recognizes that certain manners of doing business present more corruption risk than others. It may include:

Use of third party representatives in transactions with foreign government officials;
A number of consortium partners or joint ventures partners; and/or
Relationships with politically exposed persons (PEPs).

There are a number of ways you can slice and dice your basic inquiry. As with almost all FCPA compliance, it is important that your protocol be well thought out. If you use one, some or all of the above as your basic inquiries into your risk analysis, it should be acceptable for your starting point.

© Thomas R. Fox, 2014

Leave a Comment

August 21, 2014

What Can You Do When Risk Changes in a Third Party Relationship?

Filed under: Best Practices,Compliance,compliance programs,Department of Justice,Due Diligence,FCPA,Risk Management,Third parties,Wall Street Journal — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, Due Diligence, ethics and compliance, FCPA, Foreign Corrupt Practices Act, Risk Assessment, Wall Street Journal, WSJ

The GlaxoSmithKline PLC (GSK) corruption matter in China continues to reverberate throughout the international business community, inside and outside China. The more I think about the related trial of Peter Humphrey and his wife, Yu Yingzeng for violating China’s privacy laws regarding their investigation of who filmed the head of GSK’s China unit head in flagrante delicto with his Chinese girlfriend, the more I ponder the issue of risk in the management of third parties under the Foreign Corrupt Practices Act (FCPA). In an article in the Wall Street Journal (WSJ), entitled “Chinese Case Lays Business Tripwires”, reporters James T. Areddy and Laurie Burkitt explored some of the problems brought about by the investigators convictions.

They quoted Manuel Maisog, chief China representative for the law firm Hunton & Williams LLP, who summed up the problem regarding background due diligence investigations as “How can I do that in China?” Maisog went on to say, “The verdict created new uncertainties for doing business in China since the case hinged on the couple’s admissions that they purchased personal information about Chinese citizens on behalf of clients. Companies in China may need to adjust how they assess future merger partners, supplier proposals or whether employees are involved in bribery.”

I had pondered what that meant for a company that wanted to do business in China, through some type of third party relationship, from a sales representative to distributor to a joint venture (JV). What if you cannot get such information? How can you still have a best practices compliance program around third parties representatives if you cannot get information such as ultimate beneficial ownership? At a recent SCCE event, I put that question to a Department of Justice (DOJ) representative. Paraphrasing his response, he said that companies still need to ask the question in a due diligence questionnaire or other format. What if a third party refuses to answer, citing some national law against disclosure? His response was that a company needs to very closely weigh the risk of doing business with a party that refuses to identify its ownership.

The more that I thought about that answer the more I became convinced that it was not only the right answer under any type of FCPA compliance program but also the right response from a business perspective. A company must know who it is doing business with, for a wide variety of reasons. The current situation in China and even the convictions of Humphrey and Yu do not change this basic premise. You can ask the question. If a party does not want to disclose its ownership, you should consider this in any business relationship going forward.

The Humphrey and Yu conviction do not prevent you from asking the question about ownership. Their convictions mean that you may not be able to verify that information through what many people thought was publicly available information, at least publicly available in the west. I was struck by one line in the Areddy and Burkitt article, “It’s not just that the tactical business practices need to change; it’s the mind set” quoting again from Maisog.

I breakdown the management of third parties under the FCPA into five steps, which are:

Business Justification and Business Sponsor;
Questionnaire to Third Party;
Due Diligence on Third Party;
Compliance Terms and Conditions, including payment terms; and
Management and Oversight of Third Parties After Contract Signing.

The due diligence step is but one of these five. Further due diligence is performed in large part to verify the information that you receive back from a proposed third party. So what if you can longer use avenues previously open to you in markets such as China? Perhaps there are other ways to manage this issue. Areddy and Burkitt also interviewed Jerry Ling, a partner at Jones Day, for the following “companies will need to analyze Chinese accounting documents themselves and conduct more in-person interviews with anyone they want to know more about in China.”

Ling’s point dovetails directly into what I heard from the DOJ representative. There is nothing about the Chinese law, or any other country’s law, which prevents you from asking some basic questions that are found in the Step 2 Questionnaire cited above. You can always ask who the owners of a company are, whether they are direct or beneficial. You can always ask if a company, its owners or its senior management have been involved in any incidents involving bribery and corruption and you can always ask if the company has a Code of Conduct and/or compliance program and whether its owners or senior management are aware of the FCPA and have had training on it.

Assuming the company will answer your questionnaire, the difficulty you may find yourself in now is verifying the information that you receive. In Ronald Reagan parlance, you may trust but you may not be able to verify it. Ling said in the WSJ article that “The challenge now for clients is that it’s hard to get good information.”

However, due diligence is but one step in the management of any third party in a FCPA compliance program. Just as when risk goes up and you increase your management around that risk, the situation is similar in here. Putting it another way, if you cannot obtain private information such as personal identification numbers during the due diligence process, you can put greater management around the other steps that you can take. Further, there has been nothing reported which would suggest that publicly filed corporate licenses or other information that might show ownership can no longer be accessed. Court records and public media searches also seem to still be available.

But what if you simply cannot determine if the information you are provided regarding ownership is accurate or even truthful? You can still work to manage the relationship through your commercial terms by setting your commission or other pay rates at a reasonable amount of scale. If you are dealing with a commissioned sales representative, you can probably manage this area of the relationship by setting the commission in the range of 5%. You can also manage the relationship by reviewing invoices to make sure there is an adequate description of the services provided so that they justify whatever compensation the third party is entitled to receive under the contract. You may also want to schedule such a third party for an audit ahead of other parties to help ensure adherence to your compliance terms and conditions.

There may be times when you cannot verify the true or ultimate beneficial owner of a third party. That does not have to be the end of the analysis. If that situation arises, you may want to see if there are other risk mitigation tools at your disposal. Put another way, if such a red flag arises, can it be cleared? Can it be managed? If your company is looking a major deal for multi-millions and your agent will receive a six or seven figure commission, the risk of not knowing with certainty may be too great because in such a case, an unknown owner could be a government official who has awarded the contract. But if your agent receives a considerably smaller commission and hence there is a considerably small amount of money to constitute a bribe, you may be able to manage that risk through a close and effective relationship management process.

© Thomas R. Fox, 2014

Comments (2)

July 17, 2014

John Bell Hood and the Measurement of Conduct Risk

Filed under: Best Practices,Carol Switzer,Compliance,Compliance and Ethics,compliance programs,Compliance Week,Department of Justice,FCPA Guidance,OCEG,Risk Assessment — tfoxlaw @ 5:45 am
Tags: best practices, compliance, compliance programs, DOJ, OCEG, Risk Assessment

Readers of this blog know I am huge Civil War buff. Growing up in Texas, I only focused on the Southern side as a youngster and while this led to a sometime myopic view of events, in my mid-20s when I did begin to study the Northern side of the war, because I had never seriously studied from that perspective an entire panorama opened up for me.

One thing that never changed however, was the disaster that befell the South from the appointment of John Bell Hood to commander of the Army of Tennessee, which opposed General Sherman’s advance into Georgia since his stunning defeat of the Confederate forces at Chattanooga and later Lookout Mountain in Tennessee in late 1863. On this day 150 years, Confederate President Jefferson Davis replaced General Joseph Johnston with John Bell Hood as commander of the Army of Tennessee. Davis, impatient with Johnston’s defensive strategy in the Atlanta campaign, felt that Hood stood a better chance of saving Atlanta from the forces of Union General William T. Sherman. President Davis selected Hood for his reputation as a fighting general, in contrast to Johnston’s cautious nature. Hood did what Davis wanted and quickly attacked Sherman at Peachtree Creek on July 20 but with disastrous results. Hood attacked two more times, losing both and destroying his army’s offensive capabilities. Over the next two weeks in 1864, Hood’s actions not only led to President Abraham Lincoln’s reelection but spelled, once and for all, the doom of the Confederacy.

I thought about the risks of appointing Hood to command when I read a recent article in the Compliance Week Magazine by Carol Switzer, co-founder and President of the Open Compliance and Ethics Group (OCEG), entitled “A Strategic Approach to Conduct Risk”. Her article was accompanied by an entry in the OCEG Illustrated Series, entitled “Managing Conduct Risk in the GRC Context”, and she also presented thoughts from a Roundtable which included John Brown, Managing Principal, Risk Segment, Financial and Risk Division at Thompson Reuters; Tom Harper, Executive Vice President-General Auditor Federal Home Loan of Chicago and Dr. Roger Miles, Behavioral Risk Lead, Thompson Reuters.

In her article, Switzer pointed to the “Ill-advised risk taking” which led to the near-collapse of the financial sector as the genesis for the creation of the UK’s new Financial Conduct Authority (FCA). But she also noted that conduct risk is something that exists in industries far afield from the financial sector where “sales schemes driven by inappropriate incentive plans and outlandish short-term objectives” can cause severe financial consequences to an organization. As an example of the need for change in the financial section, Switzer quoted Clive Adamson, FCA director of supervision, on the need to address conduct risk, “Achieving an effective conduct- or customer-focused culture is challenging for firms, particularly for those whose focus has been primarily on profitability and shareholder returns. … From what we see, there are key drivers that set and re-enforce this conduct-focused culture, with the most important being clear and ongoing leadership from the top of the organization, constant re-enforcement, hiring practices, incentive structures, effective performance management, and penalties for not doing the right thing, all of which should set the tone for a framework for decision making on a day-by-day basis.”

Switzer continued that “Throughout his speech and other materials published by the FCA, there is a theme that returns over and over again to integrity, leadership, culture, the concept of controls over conduct, and strong risk management—all tied to an outcome of business success. What is this? It is a vision of principled performance—a point of view and approach to business that enables organizations to reliably achieve objectives while addressing uncertainty and acting with integrity. And it is refreshing to see leaders (and in some cases past wrongdoers) in the financial sector rising to the occasion and establishing a principled performance approach to conduct risk, even though they may not yet call it that.”

Harper described conduct risk as follows, “Conduct risk embodies elements of the risks that we have been discussing over the past few years, including not only operational and compliance risk, but also reputational risk and tone-at-the-top. The idea that organizations need to ‘do the right thing’ and balance the immediate pressure of short-term growth and revenue along with meeting the aspirations of equity holders and managers is not new. In the past, conduct risk was primarily mitigated by the long-term focus on the goals of the organization of the board and management.”

In the Illustrated Series piece included with the article, Switzer set out four principles for managing conduct risk. These principles are an excellent starting point for the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption compliance practitioner in that it can be used to evaluate, assess and manage conduct risk in such a context.

Assess Conduct Risks

Miles stated that, “The idea of benchmarking “conduct” as a basis for business, or life in general, is actually of course a very old one. Constraints on behavior are exactly the right direction to go in, though it’s not yet clear how these will be framed, let alone policed. Now with the FCA’s new Risk Outlook 2014, there’s a big step forward. They have a deep commitment to sharing understanding about how various elements of behavior feed through into good and bad product design, into selling or mis-selling.” Based on this Switzer believes that you should first identify potential conduct risks in your business. After such identification, you should conduct a risk and control assessment. From this measure, you can best determine the level of inherent and residual risk. Finally, you should carry out an emerging risk workshop to develop a more complete risk profile.

Establish Risk Appetite

Brown pointed towards the increased complexity in financial institutions as a key problem. As part of the solution, Switzer writes that the first step is to connect the risks, controls and other framework elements to your company’s organization chart. From there, you should determine risk capacity, your company’s current risk profile and its risk appetite. Next you should measure your risk appetite adherence. Finally, you will need to align your risk appetite with your company’s risk governance framework.

Measure and Monitor

Here Switzer suggests that there be a detailed information collection on any issues associated with risk events. It is important from that point, you begin to track key risk indicators. Miles noted that “Managing risks due to behaviors and cultures requires a deep understanding of psychological drivers and developing programs to modify those drivers”; as such measurements would allow your company to begin to move from simple detection and prevention to predictive controls through the use of behavioral and analytical modeling. Finally, you could use the above information to perform scenario analysis on emerging risks.

Communicate and Manage

Switzer advocates that you communicate and train your company’s employees on your organization’s risk culture. You should also work to ensure that employees have accepted their risk conduct appetite metrics. Brown said, “Behavioral drivers will vary around the world based on societal culture. I’ll focus on what might be appropriate for U.S.-based organizations. Most people operate to maximize their personal return, so compensation structures are an obvious avenue to modify conduct. If my bonus or equity compensation is based on specific targets, such as new accounts, loans written, or customer satisfaction index, I will try to maximize those targets.” This is why you should continue to collect all key data about conduct risk in one data repository. Finally, you should also continue to provide reports and analyses on conduct risk to key stakeholders and regulators, if required.

Switzer ended her article with the following quote from Gary Kasparov, “Think about it: After just three opening moves by a chess player, more than 9 million positions are possible. And that’s when only two players are involved in the game. Now imagine all the possibilities faced by companies with a whole host of corporations responding to their new strategies, pricing, and products. The unpredictability is almost unimaginable.” From this she added, “This couldn’t be truer than when facing the myriad challenges presented under the umbrella concern of conduct risk. Masterful strategic planning and execution is essential to stay in the game and win.”

The risks that General Hood was willing to engage in were catastrophic for his army and the Confederacy. If Jefferson Davis had used a risk conduct analysis to think through the effects of elevating Hood to command of the Army of Tennessee the results might have been very different for all involved. Switzer’s article provides a valuable tool for the compliance practitioner to bring to bear on specific conduct which could put a company at risk.

Leave a Comment

March 14, 2014

The Ides of March and Evaluation of Compliance Risk

Filed under: Best Practices,compliance programs,Ethical Leadership,Ethics,FCPA,New York Times,Risk Assessment — tfoxlaw @ 12:01 am
Tags: compliance, compliance programs, compliance risk, FCPA, NYT, risk, Risk Assessment

Tomorrow, March 15 is enshrined as one of the most famous days of all-time, the “Ides of March”. On this day in 44 BC, the “Dictator for Life” Julius Caesar was assassinated by a group of Roman nobleman who did not want Caesar alone to hold power in the Roman Empire. It was however, this event, which sealed the doom of the Roman Republic as his adopted son Octavian first defeated the Republic’s supporters and then his rival Dictator Marc Anthony and became the first Emperor of the new Roman Empire, taking the name Augustus.

One of the more interesting questions in any anti-corruption compliance regime is to what extent your policies and procedures might apply in your dealings with customers. Clearly customers are third parties and in the sales chain but most compliance programs do not focus their efforts on customers. However, some businesses only want to engage with reputable and ethical counter-parties so some companies do put such an analysis into their compliance decision calculus.

However, companies in the US, UK and other countries who do not consider the corruption risk with a customer may need to rethink their position after the recent announcements made by Citigroup Inc. regarding its Mexico operations.

In an article in the New York Times (NYT), entitled “Fraud Exposes Challenges for Citi in Mexico”, reporters Michael Corkery and Jessica Silver-Greenberg wrote about the troubles which have befallen “the bank’s “crown jewel” – a sprawling retail lender called Banamex.” Citigroup recognized there was risk in Banamex, even having, what the reporters said was, a “little black book” which was stated by one un-named top executive to be the “book of redlined clients” and was also described as “an informal tally of Mexican companies” that could imperil the company’s Mexican operations. The bank has come to grief with its involvement in a $400MM fraud “that was discovered last month highlights the limitations of that kind of culling, and more broadly points to the challenges of finding solid lending clients in a country where the line between big business and political cronyism can become blurred.”

While Citigroup blamed this problem on “bad luck and bad actors” the article revealed a more complicated picture. The picture was one where “the bank had been placing large bets on a few risky corporate borrowers”. The $400MM loss involved an oil services company, Oceanografía SA de CV. But the bank also sustained other losses where loans were made to building contractors, which after a Mexican government a policy shift it “effectively killed the developers’ suburban projects” and they were not able to repay the loans.

Moreover, with regard to Oceanografía, the bank itself recognized the inherent danger of doing business with the entity. The article noted that Banamex has extended $585MM in short-term credit to a company that Citigroup itself had warned its own bond investors was “from time to time subject to various accusations, including accusations of corrupt practices.” Oceanografía is a company that provided construction, maintenance and vessel-chartering services to Pemex’s exploration and production subsidiary. However, as the article noted, “Oceanografía’s fortunes, however, changed sharply last month after it became the subject of a new government review that resulted in a suspension of government contracts to Oceanografía for the next 20 months. Banamex had advanced as much $585 million to Oceanografía through an accounts receivable program. The program was supposed to work like this: Banamex would advance money to Oceanografía to provide services to Pemex. The oil giant would then pay back Banamex, verifying invoices provided by Oceanografía to confirm that the work had been completed. In theory, Banamex was relying on Pemex’s ability to pay back the bank.”

Unfortunately for Banamex, much like the developers “which relied on government subsidies to finance their suburban developments, Oceanografía’s business relied on government contracts from Pemex. But when those ties were cut, the problems quickly surfaced. Shortly after the suspension of government contracts to the oil services company, Citigroup said it discovered the fraud at its Mexican unit, involving Oceanografía.”

These losses were coupled with the semi-autonomous relationship that Banamex had with its parent, Citigroup. The article stated, “the bank he [Mr. Medina-Mora] built has been considered something of a “black box” — a highly profitable but not especially transparent unit that was run with great autonomy by its leader, according to current and former bank executives. Sometimes, though, that autonomy rankled other executives in New York, the people said.” Citigroup denied that Banamex was semi-autonomous and in a statement in the article said, “We dispute assertions that the management team is autonomous,” Further, “While Banamex is a subsidiary of Citigroup, it is absolutely subject to the same risk, control, anti-money laundering and technology standards and oversight which are required throughout the company.”

For the compliance practitioner there are several lessons to be garnered from Citigroup’s reported problems and Julius Caesar’s demise on the Ides of March. In Caesar’s case, he wholly ignored the resentment that had been welling up in the Roman aristocracy for his high-handed action in becoming a Dictator. Even on the day in question, he dismissed his personal guard detail as he was going to the Roman Senate and finally, although he allegedly was handed a written communication warning him of his impending doom, he never took the time to read it. In other words, not only did he miss the red flags, he ignored specific warning signs and reduced his risk management capabilities by dismissing his security detail.

Similarly, as reported by the NYT, Citigroup would seem to have missed the warning signs about Oceanografía and if the NYT article is correct, might have actually internally ignored red flags while broadcasting them to bond holding investors. Lastly, whether the Banamex unit was semi-autonomous, as alleged in the article, or not as claimed by Citigroup’s statement, the point is that there must always be oversight. More than simply a ‘second set of eyes’ there should be internal controls which can be reviewed and vetted.

Finally, as noted in the article, the loans in question involved businesses that relied on government contracts, payments or some other form of support. While that may be of some comfort in developing countries, it can also be a source of risk. It also points to another analysis, which is not always considered, that being if a proposition is high reward, it is probably because it is also high risk in some area. While many companies can evaluate high financial risk and hope for attendant high financial reward, they also need to consider how a high corruption risk might factor into their analysis.

Leave a Comment

January 22, 2014

Queen Victoria and Preparing for Your Risk Assessment

Filed under: Best Practices,Bribery Act,compliance programs,Department of Justice,FCPA,FCPA Guidance,Risk Assessment — tfoxlaw @ 6:10 am
Tags: best practices, compliance, compliance programs, Department of Justice, DOJ, ethics and compliance, FCPA, Risk Assessment

On this day in 1901, Queen Victoria died, ending an era in which most of her British subjects know of no other monarch. She was born in 1819 and came to the throne after the death of her uncle, King William IV, in 1837. Her 63-year reign was the longest in British history. She oversaw the growth of the British Empire on which the sun never set. Queen Victoria restored dignity to the English monarchy and ensured its survival as a ceremonial political institution. She also brought a stability to the monarchy that has stayed with the country as well.

How can you bring stability to your compliance program? One of the most important steps that you can take is to regularly assess your risks through a risk assessment. I often hear some of the following questions posed by compliance practitioners regarding risk assessments: What should you put into your risk assessment? How should you plan it? What should be the scope of your risk assessment? These, and other, questions were explored in a recent article in the ACC Docket, entitled “Does the Hand Fit the Glove? Assessing Your Company’s Anti-Corruption Compliance Program” by a quartet of authors: Jonathan Drimmer, Vice President and Assistant General Counsel at Barrick Gold Corp.; Lauren Camilli, Director, Global Compliance Programs at CSC; Mauricio Almar, Latin American Regional Counsel at Halliburton; and Mara V.J. Senn, a partner at Arnold & Porter LLP.

The authors note that with all compliance programs, there is no ‘one-size-fits-all’ so your risk assessment should be tailored for your organization. In this article I will focus on the steps that you need to take leading up to the initiation of a risk assessment. The authors believe that the planning and layout of your risk assessment is a critical element for success by stating the importance of this issue cannot be over-estimated or over-emphasized.

To begin, the design of your risk assessment should be “guided by its scope and purpose.” So if this is your initial risk assessment to begin the implementation phase of a compliance program, one type of risk assessment may be needed. Conversely, if you have a mature compliance program, another type of risk assessment may be called for. If your company has moved into new or different geographic areas or has new product lines, it may require a different inquiry. The authors note, “knowing why you are conducting the assessment and what your goals are up front will make for a more efficient process and allow you to decide how in-depth your review should be.”

The authors next explore the gathering of information and developing a methodology for analyzing the results because “how you choose to gather information and what questions to ask will determine how useful your risk assessment will be for understanding your company’s risks and appropriately responding to them.” You will need to determine the number of employees to interview and who these interviewees should be for the risk assessment. While a questionnaire can be useful, you will need to consider in-person interviews as well. If it is difficult to make an initial identification of who should be interviewed, you can perform a preliminary assessment from a wider audience and then “streamline and tailor the in-person interviews.”

It is important to speak with employees who are generally considered to be ‘high-risk’ for Foreign Corrupt Practices Act (FCPA) purposes. This would include “people who interact with the government, either as customers or as regulators; those responsible for internal financial controls, such as accounting and finance functions; and senior management with the authority to make significant and impacting decisions, such as a primary executive in a local market.” It is also important to include those employees who are the prime interactors with third parties, both on the sales and supply side. This should include employees who have a role in the selection of such third parties for business relations and those employees involved in managing those relationships.

You will need to garner a sense of the company’s structure and goals. Additionally in FCPA enforcement actions and in the FCPA Guidance, the Department of Justice (DOJ) laid out several factors to take into account, such as “the country and industry sector, the business opportunity, potential business partners, level of involvement with governments, amount of government regulation, and oversight and exposure to customs and immigration in conducting business affairs.”

The authors end their section on risk assessment preparation by dividing the areas that they believe are most often visited into three categories: general corruption risks, specific commercial activity and existing corruption controls.

General corruption risks – this category includes the corruption perception risk in the geographic areas where the company does business, directly or indirectly, through third parties. It also includes government touch points whether as a customer or regulator. Finally, it should include the corruption and bribery-related concerns of your business personnel.
Specific commercial activities – this generally relates to third parties; how they are vetted, contracted with and managed. It also includes a review of travel, gifts, entertainment business courtesies, charitable donation and political contributions, mergers and acquisitions.
Existing corruption controls – this area looks at not only financial controls such as monitoring and auditing but also training, employee incentives and hotline.

By laying out this risk assessment plan, you will have a good road map to think through not only how to work across a risk assessment but to begin to think how you can use it going forward. You will need to review and assess your highest risks first and then use that information to remediate any deficiencies going forward. I think what the DOJ wants to see is a well thought out plan for moving forward and forward movement toward the plan’s goal. These steps should help you in this journey.

Leave a Comment

January 8, 2014

Corruption in Turkey and Integrating Your Risk Assessment

Filed under: Anti-Money Laundering,Best Practices,Compliance Convergence,compliance programs,Corruption in Turkey,Risk Assessment — tfoxlaw @ 12:01 am
Tags: best practices, compliance, compliance programs, ethics and compliance, Risk Assessment, Turkey

One of the more public and ongoing corruption scandals in the world right now seems to be happening in Turkey. To say the events and facts are confused is an understatement. At this point there are not any international players who have been implicated but given the breadth and scope of what has come out of that country over the past month or so, it would only appear to be only a matter of time. It began in December when, according to the BBC, “The arrests were carried out as part of an inquiry into alleged bribery involving public tenders, which included controversial building projects in Istanbul. Those detained in the 17 December raids included more than 50 public officials and businessmen – all allies of the prime minister. The sons of two ex-ministers and the chief executive of the state-owned bank, Halkbank, are still in police custody.”

The Prime Minister claims that all of these arrests were simply political theater, generated by supporters of Fethullah Gulen, an influential Islamic scholar living in self-imposed exile in the US. Members of Mr. Gulen’s Hizmet movement are said to hold influential positions in institutions such as the police and the judiciary and the AK Party itself. Many believe the arrests and dismissals reflect a feud within Turkey’s ruling AK Party between those who back the Prime Minister, Recep Tayyip Erdogan. On Tuesday the Prime Minister and his supporters struck back at the police by removing approximately 350 police officers from their positions in the capital, Ankara. The Prime Minister and his supporters have also attacked the judiciary leading the investigation, claiming that it is all politically motivated.

In addition to the obvious turmoil based on the above, the country is feeling the fallout in the international monetary arena. In an article in the Financial Times (FT), entitled “Turkey warns of corruption probe risk”, reporter Daniel Dombey said that the country’s currency, the Turkish lira, had dropped 7.5% since the initial arrests back in December. He quoted the country’s Finance Minister, Mehmet Simsek, who said that there had been “some negative implications for the Turkish macro [economy].” Dombey also noted that the Turkish stock market had dropped almost 12% during the same time frame.

In the 2013 Transparency International (TI) Corruptions Perceptions Index (CPI), Turkey had a score of 50 which gave it a rank of 53 out of the 177 countries listed. It generally had better scores than other countries in southeastern Europe such as Greece and the Balkan countries. Other than Cyprus, it had better CPI scores than most other mid-eastern countries. But what about now and what does this mean for the US based multi-national who is currently doing business in Turkey or considering doing so?

One of the things that a compliance program must have is the flexibility to respond to changing events on the ground. Just as last summer’s GlaxoSmithKline PLC (GSK) corruption scandal in China brought attention to those issues in China, these very public events should bring the attention of your compliance team. My former This Week in FCPA co-host Howard Sklar said that a compliance program needed to be nimble in order to respond to such events in far-flung places. Risks change and they must be evaluated on a regular basis or in response to new facts on the ground, such as those which are present in Turkey.

There may also be more than anti-corruption risk at play in any given situation. If a company only looks at one type of risk, such as anti-corruption, rather than others such as export control or anti-money laundering (AML) it can lead to the concept of what is called the “functional trap” of labeling and compartmentalizing risk. In an article in the June issue of the Harvard Business Review (HBR), entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes declare that good risk discussions must be integrative in order for risk interaction to be evaluated. If not, a business “can be derailed by a combination of small events that reinforce one another in unanticipated ways.”

The authors posit that it is difficult for companies to accurately and adequately discuss risk for a variety of reasons. One of these reasons is the aforementioned silo effect which can lead to a lack of discussion by a wide group regarding a number of risks, for example compliance risk; reputational risk; brand risk; credit risk; human resources risk are but a few of the types of risks mentioned in their article. The authors believe that one of the ways to knock down these silos when it comes to a more complete management of risk is to “anchor their discussions in strategic planning, one integrative process that most well-run companies already have” in place.

The authors cautioned that beyond simply introducing a systematic process for identifying and mitigating key risks, companies should also employ a risk oversight structure. The authors discussed the experience of the Indian IT company, Infosys, which uses a dual structure. It consists of a central team that identifies general strategy risks and then establishes central policy, together with a specialized, decentralized functional team. This second team designs and monitors policies and controls in consultation with local business units. These decentralized teams have the authority and expertise to respond to changes in the company’s risk profile coupled with the nimbleness and agility of being in the field to deal with smaller issues before they become larger problems for the central team back in the corporate office.

I believe that the current political turmoil in Turkey provides an example of the diversity your compliance program and risk assessment must maintain. Just as it is important to perform due diligence on third party representatives, before execution of an appropriate contract, the real work is in managing the relationship. In risk management, you must identify and assess the risk but the real work begins in managing the risk. This is where the rubber meets the road.

Leave a Comment

FCPA Compliance and Ethics Blog

May 27, 2015

Economic Downturn Week, Part III – The Desktop Risk Assessment

September 4, 2014

Pro Football and the FCPA Professor

August 28, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part III

August 27, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part II

August 26, 2014

Risk Assessments-the Cornerstone of Your Compliance Program, Part I

August 21, 2014

What Can You Do When Risk Changes in a Third Party Relationship?

July 17, 2014

John Bell Hood and the Measurement of Conduct Risk

March 14, 2014

The Ides of March and Evaluation of Compliance Risk

January 22, 2014

Queen Victoria and Preparing for Your Risk Assessment

January 8, 2014

Corruption in Turkey and Integrating Your Risk Assessment

January

Blogroll

Pages

Admin

Read by Email

Recent Posts from FCPA Compliance and Ethics Report: FCPA Compliance and Ethics Report

Episode 240-Bill Coffin on Compliance Week 2016

Episode 239-Jonathan Armstong On EU Privacy Shield

Episode 238-John Allen on HR Touch Points in Compliance

Episode 237-Steve McCalmont on the Avior Risk Management Platform

Episode 236-Adam Turteltaub and SCCE CCO Survey