FCPA Compliance and Ethics Blog

July 7, 2015

The Sioux at Little Bighorn and Using Risk Going Forward

I recently wrote about the stupidity of General Custer and the defeat of his Cavalry at Little Bighorn as a lead-in for the failure to adequately assess and then manage risks in a Foreign Corrupt Practices Act (FCPA) compliance program. I received the following comment from a reader:

As a military history buff, I note that your comments on risk assessment reflect a very limited view of the battle. The Sioux made superb use of reconnaissance, fire and maneuver. The cavalry’s underestimation of the military skills of their Indian enemies was immediately assessed and dealt with aplomb and considerable skill. The great lesson to be learned from the Battle of the Little Big Horn is that there is great opportunity in exploiting the tactical stupidity of the overconfident. Reminds me of Napoleon and Prince Alexander at the Pratzen Heights of Austerlitz.

This comment made an excellent point that risk assessment and risk management are not simply to be viewed as negatives or a drag on business. These concepts are also valid in aiding companies to do business by exploitation of strategic risk. This point was driven home most clearly in the recent book by well-known risk management guru Norman Marks, entitled World-Class Risk Management. 

Marks’ thesis on this issue is that “It is essential that management take enough risk! If they take no risk, the organization will fail. So risk management is about taking the right risks for the organization at the desired levels, balancing the opportunities on the upside and the potential for harm on the downside” [emphasis in original]. I once heard former Chairman of Citigroup, John Reed say the reason a car has brakes is not to make it safer but so that you can drive faster. It is the same concept. FCPA compliance programs are often viewed as brakes on doing business. At best they slow things down and at worst the Chief Compliance Officer (CCO) is Dr. No from the Land of No.

However, as Marks points out in his chapter entitled “What is Risk and Why is Risk Management Important?”, it is a serious flaw to only see risk as a negative and indeed to limit risk management to the negative. He wrote, “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and thereby, creating and preserving value.” He goes on to explain that a company should “understand the uncertainty between where we are and where we want to go so that we can take the right risks and optimize outcomes”.

These outcomes should be determined by an organization first determining its risk appetite. Here Marks commented on the definition of risk appetite found in the COSO 2013 Framework, saying it is “the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.” As pointed out by the comment to my blog post on risk assessment and risk management, I focused on risks that were not properly assessed and not properly managed, leading to catastrophic results. But the comment pointed out that, when properly used, a risk assessment can lead to better management of risk and allow a company to take greater risk because it can manage the scenario more effectively. Marks stated this concept as “think of risk as a range: the low end is the minimum level of risk you are willing to take because you have the ability to accept risk, and recognize that taking the risk is essential to achieving your objective. The high end is the maximum level of risk you can afford to take.”

In the FCPA context, I think this is most clearly seen in the area of third party risk management. There are five steps to the lifecycle of third party management: (1) business justification; (2) questionnaire; (3) due diligence and its evaluation; (4) contract with compliance terms and conditions; and (5) post-contract management. If circumstances are such that you cannot fully perform all five steps to your satisfaction, this puts pressure on the remaining steps. In other words, while your risk may go up if one step cannot be fully performed, it may well be that the additional risk can be mitigated in another step.

The robustness of your third party risk management program can give you the ability to move forward and use third parties for a business advantage. Say you want to hire a royal family member from a certain foreign country as a third party representative. While at first blush this might seem to be prohibited under the FCPA, there are two Opinion Releases that hold that the mere hiring of a royal family member does not violate the FCPA. In Opinion Release 10-03 the Department of Justice (DOJ) reviewed the following factors in determining whether a royal family member is a foreign governmental official: “(i) how much control or influence the individual has over the levers of governmental power, execution, administration, finances, and the like; (ii) whether a foreign government characterizes an individual or entity as having governmental power; and (iii) whether and under what circumstances an individual (or entity) may act on behalf of, or bind, a government.”

Then in Opinion Release 12-01, the DOJ went further and added a duties test to what was believed to be a status test only. After initially noting that “A person’s mere membership in the royal family of the Foreign Country, by itself, does not automatically qualify that person as a ‘foreign official’”, the DOJ goes on to reiterate its long-held position that each question must turn on a “fact-intensive, case-by-case analysis” for resolution. The DOJ follows with a list of factors that should be considered. They include:

  1. The structure and distribution of power within a country’s government;
  2. A royal family’s current and historical legal status and powers;
  3. The individual’s position within the royal family; an individual’s present and past positions within the government;
  4. The mechanisms by which an individual could come to hold a position with governmental authority or responsibilities (such as, for example, royal succession);
  5. The likelihood that an individual would come to hold such a position;
  6. An individual’s ability, directly or indirectly, to affect governmental decision-making; and
  7. The (ubiquitous) numerous other factors.

Additionally, the DOJ recognized some of the risk management techniques that had been put into place by the company requesting the Opinion. These risk management techniques were having a robust anti-corruption compliance program and requiring one from the third party that had employed the royal family member. There was full transparency by the US company in hiring the royal family member. The compensation was disclosed, was within a reasonable range and was appropriate for the services delivered to the company, and the contract between the parties had appropriate FCPA compliance terms and conditions.

I had initially thought that the import of Opinion Release 12-01 was creative lawyering to create a new test around the hiring of royal family members and foreign government officials. However, re-reading it in light of the comment to my earlier blog post and of Marks’ book, it can also be seen as an example of how using risk management can be a positive for a business going forward. I would posit to CCOs and compliance practitioners that there may be ways to do business in compliance with the FCPA if you think of your FCPA compliance program as a way to better manage risk in order to do business, rather than simply saying something will violate your compliance program without thinking through how such a compliance risk could be managed effectively.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

June 25, 2015

Custer’s Last Stand and Risk Management

On this day in 1876 one of the greatest failures in risk management took place when Lieutenant Colonel George Armstrong Custer and his entire 7th Cavalry were wiped out at the Battle of the Little Big Horn. Custer had split his command into three wings and he took his battalion of 200 or so men down the center of what he thought would be little resistance. Instead he found that he was facing a far superior force of 3000 largely Sioux warriors who quickly overwhelmed and defeated Custer’s command, with all US troops being killed. There is now some debate on whether all the cavalrymen were actually killed by the Native Americans or took their own lives, saving the last bullet for themselves, in western parlance.

Historians have debated over time the reason for Custer’s defeat. Was it arrogance, bad intelligence, faulty command, just plain stupidity or even a wish for martyrdom by Custer? Whichever the cause, it was the worst defeat of the US Army by Native Americans in the Western campaigns of the late 1800s. Today, it might be termed a faulty assessment and management of the risks involved.

I thought about Custer and his defeat when I read a recent article in the Harvard Business Review (HBR), entitled “Strategy: How to Live With Risks.” It presented risk, risk assessments and risk management in a new light, a key insight being that risk management should be used as a “protection shield, not an action stopper.” It was based upon a research paper by the CEB, entitled “Reducing Risk Management’s Organizational Drag”, which I thought had some interesting insights for the Chief Compliance Officer (CCO) or compliance practitioner.

The first insight is that, in many instances, companies are assessing risks that are in the rear-view mirror. The author pointed to the Sarbanes-Oxley (SOX) Act, passed in response to the Enron and Worldcom accounting scandals, in noting, “In the wake of the 2008 financial crisis many large banks changed their business models, and other companies implemented systems to better manage credit risks or eliminate overreliance on mathematical models.” This type of mentality can lead to what the author calls “a variation on what military historians call ‘fighting the last war.’ As memories of the recession fade, leaders worry that risk management policies are impeding growth and profits without much gain.” The author went on to quote Matt Shinkman of CEB, a member-based advisory company, for the following insight: “Firms are questioning whether the models they put in place after the financial crisis are working—and more fundamentally questioning the role of risk management in their organizations.”

This retrospective look back is coupled with what the author says is a decision-making process which “is too slow, in part because of an excessive focus on preventing risk” rather than managing risk; in other words, companies are slowed down even further by something termed “organizational drag”. Companies need to find new mechanisms to assess and manage risk going forward. The best way to do so, many companies have indicated, is through reorganizing or reprioritizing risk management, and the article presented “three best practices” for doing so.

Strike the Right Balance Between Risk and Reward

Recognizing that risk management is often simply ‘just saying no’, the HBR article suggests that “Today’s risk managers see their role as helping firms determine and clarify their appetite for risk and communicate it across the company to guide decision making. In some cases this means helping line managers reduce their risk aversion.” The interesting insight I found here is that if an asset is low performing, it may be because its management is so risk averse. This may present a CCO or compliance practitioner with an opportunity to increase growth through other risk management solutions that they could implement.

Focus on decisions, not process

This insight is one that CCOs and compliance practitioners should think about and try to implement. Recognizing that risk assessments are important, the author believes that risk managers should focus more on decisions concerning risk rather than the process of determining risk. This means, “In addition to relying on paperwork or process, risk managers are turning to tools (such as dashboards that show risks in real time) and training that help employees assess risk. They are also helping companies factor a better understanding of risk into their decision making.”

By having a seat at the senior management’s table, a CCO or compliance practitioner can help identify risk issues early on in planning. This allows a CCO to help craft a risk management solution, or better yet show colleagues how to “spot potential problems and managers see how their projects fit into the company’s overall portfolio of projects, each with its own set of risks.” The author again quoted Shinkman, “This is less about listing risks from a backward-looking perspective and more about picking the right portfolio of risky projects.”

Make employees the first line of defense

The author channels his inner Howard Sklar (water is wet) by stating, “Decisions don’t make themselves, people make them”. However, from that insight, the author believes that “smart companies work to improve employees’ ability to incorporate appropriate levels of risk when making choices.” But this means you must not only adequately train your employees to spot the appropriate risk but you, as CCO, must provide them with tools to manage the risk. The author wrote, “Companies are also trying to identify which types of jobs or departments face a disproportionate share of high-risk decisions so that they can aim their training at the right people. They’re focusing that training less on risk awareness and more on simulations or scenarios that let employees practice decision making in risky situations. Finally, risk managers are becoming more involved in employee exit interviews, because people leaving an organization often identify risks that others aren’t able or willing to discuss.”

The article ends by noting that the goal is “to transform risk management from a peripheral function to one with a voice integrated into the day-to-day management” of an organization. That is also viewed as a component of CCO 2.0 and a more mature model of improvement. By focusing on training employees on how to spot Foreign Corrupt Practices Act (FCPA) compliance risks and then providing them with the tools to adequately manage that risk, CCOs can deliver greater value.


© Thomas R. Fox, 2015

February 11, 2014

More Lessons From Workplace Safety for the Compliance Practitioner

I have long believed that the compliance discipline has quite a bit to learn from the area of safety in the workplace. This is not only because I believe that the changes in corporate attitudes about safety presage many of the current debates about how to ‘do compliance’ but also because many of the processes and procedures that a safety professional utilizes can be translated into a process for the compliance professional. In a recent Compliance Week article, entitled “Risk-Management Lessons From The Depths”, Richard M. Steinberg reviewed the newly released book Trapped Under the Sea, by Neil Swidey, which is about a catastrophic accident that occurred during the construction of a waste treatment plant in Boston Harbor.

Steinberg’s article focused on the risk management issues which led to the deaths of men working on a tunnel, dug far beneath Boston Harbor, that transported waste out to sea before its release. Steinberg began by looking at the pre-operation factors which laid the “seeds of disaster” leading to the tragedy: (1) there were tight deadlines to be met, “with a federal judge ready to impose huge fines and penalties if they were not”; (2) the executive director of the governmental water resources authority overseeing the project was inexperienced, was suffering from a stress condition his doctor said was off the charts, and, most critically, was “clearly intimidated by the prime contractor’s chief executive”; and (3) the prime contractor was already in the red on the project, behind schedule and incurring millions of dollars in penalties, rising every day.

With the project, and many jobs, on the line, the stress level on the management team grew. Swidey noted that organizational behavior research shows that, “As trust levels go down within a group, group members’ creativity and willingness to seek new options also decreases. When intense time pressures are added to the mix, opposing sides tend to become even more fixed in their positions, relying more on cognitive shortcuts. They’re unable to work collaboratively to solve a problem because they have become locked in an adversarial contest: if you win, I lose.” The actual planning of the key event which led to the catastrophic failure “fell to sub-contractors, with two men calling the shots: Roger Rouleau, who relied on the technical capability of the other man he was to oversee, Harald Grob. The subs needed to please the prime contractor, or risk ruin. Ultimately, those overseeing the project ended up relying on these two men to make some critical final decisions.” As Steinberg noted, “although there was a major general contractor, several sub-contractors, the governmental water resources authority, and the Occupational Safety and Health Administration involved, with a number of smart and seasoned people, the key decisions were left to one sub-contractor, who wasn’t even properly supervised by his boss.”

Steinberg said that the post accident analysis discovered the following:

  • There were a series of small, bad decisions, none of which on its own would have been enough to produce a disaster, but together elevated risk to new heights.
  • There was a dangerous cocktail of time, money, stubbornness, and frustration near the end of an over-budget, long-delayed project. The major players desperately needed the project to be concluded. They closed their eyes and hoped the plan made sense.
  • Serious failings tend to happen late in projects, when confidence runs high and tolerance for delay dips especially low.
  • Another factor at play here is EQ, or emotional quotient, which is differentiated from IQ. EQ is the ability to read, process, and manage the emotions of people around you, as well as your own.
  • Executives with real authority put a higher value on Grob’s “fresh eyes and can-do attitude” than on their own intimate knowledge of the project and common sense. And doing so afforded them distance from the risks associated with the project.
  • It turns out there was a much safer and better approach that wasn’t even considered until much later. Why? The battling parties became so fixed in their positions they could no longer trust the other side’s intentions. They fell prey to the “availability bias” where decisions are based on what was most available to them—in this case, Grob’s plan.

For the anti-corruption practitioner, the lessons from this disaster and Swidey’s book are myriad. Beyond the simple ‘just get it done’ prescription that a Chief Compliance Officer (CCO) often hears about business deals are some clear and direct markers. The first and foremost is that when something is high reward, there is generally a high risk involved. In the case of the Boston Harbor disaster, the high risk was the technology used to supply air to the men working in the tunnel that collapsed; it had never been adequately tested. In fact, the technology was not even understood.

From this the next lesson is to always understand the complete parameters of the transaction. If a party’s role is not set out or well explained, you must make the appropriate inquiries to determine the role. If you have a third party, you should know its role and that role should be specified in its contractual duties so that any compensation payable to the third party can be assessed against some type of standard.

If someone will not answer the direct questions that you pose, you need to have the authority to get those answers. The sub-contractor involved, Grob, refused to brook any criticism of his clearly outlandish plan by refusing to even answer questions about it. Steinberg wrote, “Grob’s bristling when the men raised concerns about his plan, and stressing his rank in the organization chart, made matters much worse.” This means, as a compliance professional, if you cannot get the necessary answers, you have to be able to say No.

As a project moves towards its end, it sometimes takes on a life of its own, which seems to have happened here. This is the time that a compliance professional must remain ever vigilant; dotting every ‘i’ and crossing every ‘t’, to make certain that the company’s internal compliance protocols are followed. As Steinberg noted, “The more people do something without suffering a bad outcome, the harder it becomes for them to remain aware of the risks associated with that behavior.”

I have previously written that there are many lessons to be learned by the compliance discipline from the field of workplace safety. While I still believe that the biggest lesson is that an entire corporate culture can change, just as I have seen safety now become priority Number 1 in the energy industry, there are significant process lessons to be garnered from the study of catastrophic safety system failures. Steinberg’s article and Swidey’s book make an excellent starting point.


© Thomas R. Fox, 2014

May 15, 2013

Scam Artists from Texas and Compliance Risk Management

Billie Sol Estes died yesterday, and when it comes to scam artists from the great state of Texas, before there was Allen Stanford and his magical Certificates of Deposit located in his private bank in Antigua, there was Billie Sol Estes. Before Sir Allen came along, Billie Sol had a 50-year run as the King of Texas Swindlers. He was most well known for his scam involving phony financial statements and non-existent fertilizer tanks to loot a federal crop subsidy program. He went to jail for mail fraud over this scheme, although his conviction was later overturned. But his lasting legacy may be the following quote by former Associated Press (AP) correspondent Mike Cochran, who recalled writing how Estes made millions of dollars in the phony fertilizer tank scam and noted “how many city slickers from New York or Chicago can make a fortune selling phantom cow manure?”

Billie Sol’s risk tolerance was quite high and his implementation of a risk management plan may have seemed, well, rather 1950-ish. Hopefully your company is a tad more mature in this process. But after you have identified a compliance risk, what should the next steps be for a company’s Chief Compliance Officer (CCO)? This question was explored by C. J. Rathbun in the May/June issue of Compliance and Ethics Professional Magazine, in an article entitled “You’ve identified a corporate risk—what next?”. Rathbun believes that any consideration of such an identified risk will be in the context of three key questions:

  1. The severity of the risk weighed against the company’s appetite for risk.
  2. How the company has performed in the past on managing similar risks, and what the impact on the company might be if the risk actually occurred.
  3. The probability or likelihood of the risk event occurring.

I. The Compliance Report

Rathbun explained that a CCO needs to consider several questions when shaping the report which will go to the management group or Chief Executive Officer (CEO) to make any decision on whether a new risk should be accepted. These questions include:

  • Who is the audience for the report? Will it be the CEO, Board of Directors or some other senior management group or council? Further, what is the level of trust between the CCO and those constituent groups? Has the CCO been elevated to a C-Suite level position within the company? Could the audience be a regulatory body or perhaps even a Judge?
  • What is your company’s organizational structure? In this question you need to consider how decisions of this dimension are usually made in your company.
  • What reputational risk for the company should be anticipated? This is the Wall Street Journal (or New York Times) question. How would your CEO feel if he woke up to read about your company and its decision on the front page of the Wall Street Journal?
  • What should be incorporated into the report? Should other business concerns be incorporated into the report, such as financial or other legal issues?
  • How should the report be presented? In what format or with what technology should the report be presented? Will the group or person tasked with making the decision accept a written report or will it simply be a high-level PowerPoint presented to a Board of Directors?

II. Weighing the Options

Once the report is considered and the options weighed, what are some of the possible outcomes that a company may utilize? Rathbun breaks the options down to four. The first is risk avoidance, where a company decides that the risk is simply too great. The second option is risk management, where the company implements procedures to manage the risk and then monitors the risk closely. The third is risk shifting, where some portion of the risk is transferred through insurance or another mechanism. Fourth, and finally, the company can simply accept the risk; that is, risk acceptance.

III. Implementation

Rathbun believes that the risk management choice is the one which may well take the most work, particularly for a CCO. You may be required to create new policies and procedures to assist in the risk management process. Any new policies and procedures will need to be implemented with attendant training for the affected employees. There will need to be follow-up monitoring to ensure engagement and accountability.

IV. Confirming Changes in Behavior

Rathbun articulates that there are two mechanisms by which a “checkback” can be performed on policies, procedures, actions and employee accountability. These two mechanisms are monitoring and auditing. Monitoring is a commitment to reviewing compliance programs and detecting issues in real time, and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis. Auditing is a more limited review that targets a specific business component, region or market sector during a particular timeframe in order to uncover and/or evaluate certain risks, particularly as seen in financial records. However, more aggressive approaches may be required, such as the addition of follow-up assessments to confirm effective management of the new risk.

Rathbun cautions that more standard “checkback” tools should also be utilized. These include compliance by third parties, testing or otherwise gauging employee knowledge regarding the risk management program, and even hotline complaints. Rathbun also suggests that relatively new tools such as transaction monitoring, relationship monitoring and real-time monitoring of third parties should be considered.

V. End Goal

Rathbun believes that the end goal should be “to allow the company to identify a growing concern before it becomes an issue—before consumers are harmed or regulators become concerned.” While a well-structured program does require vigilance it also allows the opportunity for continuous improvement for your company. Rathbun concludes by stating that your goal should be to “help ensure that you and your company ‘will get the first crack’ at addressing a problem, if one occurs.”

I found the Rathbun article to provide a good method for the compliance practitioner to think through, then design and implement a risk management plan, within the context of your overall compliance program. Although she never states it, a key component that she outlined is the Document, Document, Document component of any compliance program. The Department of Justice and Securities and Exchange Commission said in their FCPA Guidance “In the end, if designed carefully, implemented earnestly, and enforced fairly, a company’s compliance program—no matter how large or small the organization—will allow the company generally to prevent violations, detect those that do occur, and remediate them promptly and appropriately.” I believe that you can achieve such a carefully designed and earnestly implemented risk management program by using Rathbun’s suggestions.

Finally, if a long, tall Texan comes to you wanting to borrow money against some fertilizer tanker, do not just turn and walk; run in the other direction.


© Thomas R. Fox, 2013

July 31, 2012

How Do You Change to a Culture of Compliance? Go See The Twilight Zone Movie

As a compliance practitioner, how often have you heard something along the lines of “But we’ve always done it that way” or [my favorite] “That’s the way those people do business”? As a recovering trial lawyer, I spent the first 18 years of my career largely defending companies which were sued for catastrophic injury claims. From this vantage point, I saw the cost to corporations in the form of jury awards and the insurance premiums that they paid for commercial general insurance coverage. A large part of it was due to the fact that safety was not mission critical to most of the companies that I represented.

However, this began to change in the late 1980s/early 1990s. Companies began to make clear, in a very public manner, that safety was the No. 1 priority for them. One of the most public changes was at Exxon after the Exxon Valdez oil spill, where senior management made it clear that, as closely as Exxon’s management watched costs, the one cardinal sin for every worker was skimping on safety. I recently saw an article about a completely unrelated industry which made the same type of change, published in the online journal Slate and entitled “How tragedy on the set of the 1983 feature-length adaptation of The Twilight Zone changed the way movies are made”, in which author Robert Weintraub reviewed the changes in movie-making safety after a horrific accident on the set of the movie The Twilight Zone led to the death of three actors.

The deaths occurred in a scene where the actor Vic Morrow was carrying two child actors to safety from a bombing raid. With cameras rolling, the helicopter which was bombing the children’s village was engulfed in fireballs forcing it down into a river where the actors waded. As a hundred or so people looked on, the right skid of the aircraft crushed 6-year-old actor Renee Chen. The helicopter then toppled over, and its main blade sliced through Morrow and 7-year-old actor Myca Dinh.

There were civil suits against the studio and the film’s director John Landis, which were all settled. However, Landis and three others were criminally charged with involuntary manslaughter, and they were all found not guilty by a Los Angeles jury in 1985. As horrible as all of this was, Weintraub found that “some good did come of it.” The movie-making culture was changed in three significant ways in the industry’s approach to safety.

Movie Industry Response

The first change noted by Weintraub was in the industry’s attitude and approach to safety. At Warner Bros., Vice President John Silvia “convened a committee that created standards for every aspect of filmmaking, from gunfire to fixed-wing aircraft to smoke and pyrotechnics.” All the unions and guilds in the business were represented. The committee’s codicils were collected into a group of standards called Safety Bulletins. The studios then issued a manual to their employees based on the bulletins, known as the Injury and Illness Prevention Program. Every time there was a serious accident on a movie site, a new Safety Bulletin was issued.

Insurance Industry Response

The insurance industry made sure that the safety provisions stuck, though the reason the insurance industry did so was market based. Weintraub noted that before the disaster on The Twilight Zone movie set, insurance companies did not view the movie business as a source of profit. Because of the low level of safety on film sets, the likelihood of an accident and payout was just too high for carriers to make money. However, after the incident, the movie industry’s commitment to improving safety, along with increasing budgets, made Hollywood a better risk and therefore allowed greater profits to be made by insurers. With more affordable insurance rates to underwrite movie shoots, such liability insurance became a basic part of the movie-making business. But this meant that, in large part, the movie industry had to dance “to the insurance industry’s tune. The insurance companies want to know everything. They want your resume, the resumes of everyone participating. They want to see your licensing, a list of materials, the number of people working on each shot, the distance they will each be from the explosive, the number of fire extinguishers available on set. Then the fire department comes out to look at what you’re doing, and they have a long list of safety criteria to meet, too. It’s a pain in the butt, sure, but that’s the way it is.”

Risk Management

The Twilight Zone disaster also led to the creation of a Risk Management position for movie making. Weintraub quoted Chris Palmer, a risk management consultant who was a part of the original committee which created the safety standards, who said “The Twilight Zone accident created my job. It was a sea change in the movie industry. No one in risk management was ever on set before then.” Unlike the insurance industry, which helps companies manage risks through financial instruments, risk management attempts to avoid or at least control risk.

Risk managers like Palmer become involved in a film long before principal photography begins, scanning scripts for issues, starting with the location. Weintraub quoted Palmer again: “If you want to shoot in the Caribbean during hurricane season,” Palmer says, “you’ve got a problem, unless you have a specific plan in place to protect the production.” Additionally, a risk manager such as Palmer can act as a safety valve, similar to an anonymous reporting line in a compliance program. One of Palmer’s jobs on a movie set is to step in when crew members want to play it safe but feel their careers would be in jeopardy if they spoke up. Palmer was quoted as saying, “I can’t be terminated by the director or producer. … That takes the pressure off the crew because it can be intimidating to be the one to stand up and say ‘hold on.’”

I found the major point of the article to be that a company can change the way it does business. I personally observed the energy industry become more conscious about safety and introduce it into every level of a company’s DNA. Weintraub’s article made it clear that the movie industry also made a sea change of culture when it came to safety. So the next time you hear the mindless prattle of “But we’ve always done it that way”, point them to the changes in safety over the past 20 years. And the next thing you should consider is going to the head of your company’s Safety Group to sit down and get some ideas on how to change your company’s compliance culture.


© Thomas R. Fox, 2012

June 12, 2012

Napoleon’s Invasion of Russia and Risk Management

Poster: Napoleon's March

Today, June 12, is the traditional date given for Napoleon’s invasion of Russia. I cannot think of a better anniversary to use to introduce the discussion of risk management. Do you think he made a risk assessment so that he could manage his risks? If he did, what were his risks and how would he go about managing them? While more of a post-mortem than a risk assessment, the chart at the right is probably the best statistical graphic ever drawn. It is a data map drawn by Charles Joseph Minard, showing the losses suffered by Napoleon’s army in the Russian campaign of 1812. Beginning at the Polish-Russian border, the thick band shows the size of the army at each position. The path of Napoleon’s retreat from Moscow in the bitterly cold winter is depicted by the dark lower band, which is tied to temperature and time scales. Certainly an excellent visual representation.

I thought about risk assessments and risk management when pondering that, as companies become more mature in their compliance programs, they can use the information generated in a risk assessment in a variety of ways to facilitate an overall risk management program. In an article in the June issue of the Harvard Business Review, entitled “Managing Risks: A New Framework”, authors Robert Kaplan and Annette Mikes posit that the initial step a company must take to create an effective risk management system is to understand “the qualitative distinctions among the types of risk that an organization faces.” The authors have separated business risk into three categories: (1) Preventable Risks; (2) Strategy Risks; and (3) External Risks. They state that companies should design their risk management strategies for each category, because what may be an adequate risk management strategy for the management of preventable risks is “wholly inadequate” for the management of strategy or external risks.

Category I: Preventable Risks. These are internal risks, arising from within an organization. The authors believe that “companies should seek to eliminate these risks since they get no strategic benefits for taking them on.” The authors specifically mention anti-corruption and anti-bribery risks as falling in this category. This risk category is best managed through active prevention, both through operational processes and through training employees’ behaviors and decisions towards a stated goal. The control model to manage preventable risks is to develop an integrated culture and compliance model. Such a system would typically consist of a Code of Conduct or Business Ethics, standard operating procedures, internal controls to spell out the requirements and internal audit to test their effectiveness. The role of the Compliance Department in managing Category I risks is to coordinate and oversee the compliance program and then revise the program’s controls as needed on an ongoing basis, all the while acting as independent overseers of the risk management function for the business units.

Category II: Strategy Risks. These risks are those which a company may accept in some form because they are “not inherently undesirable.” In other words, a company may be willing to accept some types of risks in this category so that it may increase profits. This category of risk cannot be managed through the rules-based system used for preventable risks; instead, the authors believe that “you need a risk management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur.”

The authors list several specific techniques to use as the control model for strategic risks. These include “interactive discussions about risks to strategic objectives drawing on tools” such as heat maps and key risk indicator scorecards. The Compliance Department’s role here is to run risk management workshops and risk review meetings, usually acting as the “devil’s advocate” to the business units involved. Another key role of the Compliance Department is the marshaling and the delivery of resources allocated to mitigate the strategic risk events identified in this process. Finally, the authors believe that the relationship of the Compliance Department to the business units in managing a Category II strategic risk is to act as “independent facilitators, independent experts or embedded experts.”

Category III: External Risks. These are risks which arise outside the company’s control and may even be beyond its influence. This type of risk would be a natural disaster or an economic system shutdown, such as a recession or depression. The authors here note that as companies cannot prevent such risks, their risk management strategy must focus on the identification of the risk beforehand so that the company can mitigate the risk as much as possible. Recognizing the maxim that ‘you don’t know what you don’t know’, the authors see the control model for Category III risks as “envisioning risks through: tail-risk assessments and stress testing; scenario planning; and war-gaming” with the management team. Under this Category III risk, the authors believe that the relationship of the Compliance Department to the business units is to either complement the strategy team or to “serve as independent facilitators of envisioning exercises.”

The authors conclude with a discussion of the leadership challenge in managing risks, which they believe is quite different from managing strategy. The reason is that managers “find it antithetical to their culture to champion processes that identify the risks to strategies they helped to formulate.” Nevertheless, without such preparation, the authors believe that companies will not be able to weather risks which turn into serious storms under the right conditions. They believe that the key element is that the risk management team must have a direct reporting line to senior management because “a company’s ability to weather [risk] storms depends very much on how seriously executives take their risk-management function when the sun is shining and there are no clouds on the horizon.” I could not have said it better myself.


© Thomas R. Fox, 2012

May 24, 2012

JP Morgan and Risk: Mission Creep, Mission Expansion, Mission Explosion

In an article in today’s Financial Times (FT), entitled “JP Morgan shows the futility of fighting complexity”, Sallie Krawcheck posited that the JP Morgan trading loss demonstrated that regulators are fighting the wrong battle regarding risk. She believes that the main reason for the problems engulfing JP Morgan was that the size and complexity of the company’s trading positions were so great that the company is still coming to terms with just how large the loss will be and how JP Morgan can unwind itself from those trading positions.

She believes that one of the solutions would be for regulators to “turn their attention to the issue of understanding how much risk the banks are taking in total, fixing measurements of risk that have fallen short and then making certain that banks have enough capital to support that risk.” However, she also warns that if a bank’s risk assessments are “unable to keep up with the complexity of certain types of trades [such as the ones at issue] or sub-businesses, then the activities should not be allowed in a regulated banking entity. Full stop.” [emphasis mine]

Her article brought up one of the ongoing battles that I continually fought as an in-house counsel, both in my transactional attorney role and in my compliance professional role, and that battle was Mission Creep, leading to Mission Expansion, leading to Mission Explosion. In the transactional world, this would occur when parties contract for the provision of specific services or specific goods and then the contract is used as a basis for a completely different product or service. So if my client provides engineering services, there will be terms and conditions appropriate for a services contract. These terms could spread or assign risk to one party or the counter-party through such clauses as warranty, indemnity, limitation of liability, confidentiality and insurance. However, if the relevant business units of each party then decide to use the contract for the purchase of raw products, the scope of the contract has changed, or Mission Creep has begun. If the client then asks the engineering services company to lead the fabrication of the raw materials, we have sped up to Mission Expansion. If this Creep and Expansion continue for any length of time, we will move to Mission Explosion.

The risks which were agreed upon for services work are far different from those for the purchase and delivery of goods. The risks are even more divergent if fabrication of the products is required. These changes in risks can affect the risk management clauses detailed above. A services warranty is usually quite different from a product or even an Original Equipment Manufacturer (OEM) warranty. If an indemnity is fault based, are products purchased under a contract which covers engineering services only? What about your limitation of liability – is it limited to the value of a contract, and what if the entire system contracted for fabrication crashes, burns, injures or kills someone? What about Intellectual Property (IP) indemnity for goods and products vs. services delivered? The list of questions is almost endless.

In the compliance world this Mission Creep, Mission Expansion, Mission Explosion trichotomy plays out when a company moves into a new geographic area or product line. Have the compliance risks been adequately evaluated? Have they been evaluated at all? Perhaps more importantly, has the relevant business unit communicated these new initiatives to the Compliance Department so that the compliance risks can be assessed?

The failure by JP Morgan to properly assess its risk or use risk intelligence correctly may have indeed had its genesis in the complexity of the trading positions the company was taking. But Krawcheck’s article pointed out that it is not simply complexity which can lead to failure in the assessment and management of risk. In JP Morgan’s case, it may be that one step on the Mission Creep continuum led to more steps of Mission Expansion, which inevitably led to Mission Explosion. But, whatever the reason, I think one of the clear lessons from the JP Morgan debacle is that if your risk assessment cannot determine what your risk is, or your risk intelligence cannot evaluate your risk assessment in a meaningful way, you need to slow things down until you can do so. Or as Sallie Krawcheck said: Full Stop!


© Thomas R. Fox, 2012
