The Sioux at Little Bighorn and Using Risk Going Forward

I recently wrote about the stupidity of General Custer and the defeat of his Calvary at Little Bighorn as a lead in for the failure to adequately assess and then manage risks in a Foreign Corrupt Practices Act (FCPA) compliance program. I received the following comment from a reader:

As a military history buff, I note that your comments on risk assessment reflect a very limited view of the battle. The Sioux made superb use of reconnaissance, fire and maneuver. The cavalry’s underestimation of the military skills of their Indian enemies were immediately assessed and dealt with aplomb and considerable skill. The great lesson to be learned from the Battle of the Little Big Horn is that there is great opportunity in exploiting the tactical stupidity of the overconfident. Reminds me of Napoleon and Prince Alexander at the Platzen Heights of Austerlitz. 

This comment made an excellent point that risk assessment and risk management are not simply to be viewed as negatives or a drag on business. These concepts are also valid in aiding companies to do business by exploitation of strategic risk. This point was driven home most clearly in the recent book by well-known risk management guru Norman Marks, entitled World-Class Risk Management. 

Marks’ thesis on this issue is that “It is essential that management take enough risk! If they take no risk, the organization will fail. So risk management is about taking the right risks for the organization at the desired levels, balancing the opportunities on the upside and the potential for harm on the downside” [emphasis in original]. I once heard former Chairman of Citigroup, John Reed say the reason a car has brakes is not to make it safer but so that you can drive faster. It is the same concept. FCPA compliance programs are often viewed as brakes on doing business. At best they slow things down and at worst the Chief Compliance Officer (CCO) is Dr. No from the Land of No.

However, as Marks points out in his chapter entitled “What is Risk and Why is Risk Management Important?”, it is a serious flaw to only see risk as a negative and indeed to limit risk management to the negative. He wrote, “Treating risk as only negative and overlooking the idea that organizations need to take risks in pursuit of their objectives. Effective risk management enables an organization to exploit opportunities and take on additional risk while staying in control and thereby, creating and preserving value.” He goes on to explain that a company should “understand the uncertainty between where we are and where we want to go so that we can take the right risks and optimize outcomes”.

These outcomes should be determined through an organization determining its risk appetite. Here Marks commented on the definition found in the COSO 2013 Framework for risk appetite by saying it is “the amount of risk, on a broad level, an organization is willing to accept in pursuit of value. Each organization pursues various objectives to add value and should broadly understand the risk it is willing to undertake in doing so.” As pointed out by the comment to my blog post on risk assessment and risk management, I focused on risks that were not properly assessed and not properly managed, leading to catastrophic results. But the comment pointed out that when properly used a risk assessment can lead to better management of risk and allow a company to take greater risk because it can manage the scenario more effectively. Marks stated this concept as “think of risk as a range: the low end is the minimum level of risk you are willing to take because you have the ability to accept risk, and recognize that taking the risk is essential to achieving your objective. The high end is the maximum level of risk you can afford to take.”

In the FCPA context, I think this is most clearly seen in the area of third party risk management. There are five steps to the lifecycle of third party management: (1) business justification; (2) questionnaire; (3) due diligence and its evaluation; (4) contract with compliance terms and conditions; and (5) post-contract management. If circumstances are such that you cannot fully perform all five steps to your satisfaction, this puts pressure on the remaining steps. In other words, while your risk may go up if one cannot be fully performed, it may well be that the additional risk can be mediated in another step.

The robustness of your third party risk management program can give you the ability to move forward and use third parties for a business advantage. Say you want to hire a royal family member from a certain foreign country as a third party representative. While at first blush this might seem to be prohibited under the FCPA, there are two Opinion Releases that hold that the mere hiring of a royal family member does not violate the FCPA. In Opinion Release 10-03 the Department of Justice (DOJ) reviewed the following factors of whether a Royal Family Member is a foreign governmental official, the factors were: “(i) how much control or influence the individual has over the levers of governmental power, execution, administration, finances, and the like; (ii) whether a foreign government characterizes an individual or entity as having governmental power; and (iii) whether and under what circumstances an individual (or entity) may act on behalf of, or bind, a government.”

Then in Opinion Release 12-01, the DOJ went further and added a duties test to what was believe to be a status test only. After initially noting that “A person’s mere membership in the royal family of the Foreign Country, by itself, does not automatically qualify that person as a “foreign official”” the DOJ goes on to reiterate its long held position that each question must turn on a “fact-intensive, case-by-case analysis” for resolution. The DOJ follows with a list of factors that should be considered. They include:

1. The structure and distribution of power within a country’s government;
2. A royal family’s current and historical legal status and powers;
3. The individual’s position within the royal family; an individual’s present and past positions within the government;
4. The mechanisms by which an individual could come to hold a position with governmental authority or responsibilities (such as, for example, royal succession);
5. The likelihood that an individual would come to hold such a position;
6. An individual’s ability, directly or indirectly, to affect governmental decision-making; and the (ubiquitous)
7. Numerous other factors.

Additionally the DOJ recognized some of the risk management techniques that had been put into place by the company requesting the Opinion. These risk management techniques were having a robust anti-corruption compliance program and requiring one from the third party that had employed the royal family member. There was full transparency by the US Company in hiring the royal family member. The compensation was disclosed, was within a reasonable range and was appropriate for the services delivered to the company and the contract between the parties had appropriate FCPA compliance terms and conditions.

I had initially thought that the import of Opinion Release 12-01 was creative lawyering to create a new test around the hiring of royal family member and foreign government officials. However re-reading it in light of the comment to my earlier blog post and of Marks’ book, it can also be seen as an example of how using risk management can be a positive for a business going forward. I would posit to CCOs or compliance practitioners there may be ways to do business in compliance with the FCPA if you think of using your FCPA compliance program as a way to better manage risk to do business rather than simply saying something will violate your compliance program without thinking through how such a compliance risk could be managed effectively.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

Marx Brothers Compliance Week Continues – The Stateroom Scene and High-Risk

I continue my exploration of the Marx Brothers’ movies by looking at the famous Stateroom scene from the MGM release A Night at the Opera. In researching this I was somewhat stunned to find that the scene was written and developed with the Brothers by that silent comedy great Buster Keaton, who was at the time a gag writer for MGM. Talk about provenance for a scene, one of the greatest purveyors of gags (Keaton) writing for three of the greatest screen comedians, the Brothers Marx.

The scene starts with Driftwood discovering that Fiorello, Tomasso, and Baroni snuck onto the boat by stowing away in his steamer trunk. Fiorello and Tomasso have to hide out in the room while parades of people walk in to use the cabin or to carry out their duties. Crammed into this little space at the end of the scene are Driftwood, Fiorello, Tomasso, Baroni, two cleaning ladies who make up the bed, a manicurist, a ship’s engineer and his assistant, a girl looking for her aunt, a maid (“I come to mop up.” “You’ll have to start on the ceiling.”), and four waiters with trays of food (prompting Driftwood’s classic line: “Is it my imagination, or is it getting crowded in here?”). Eventually there are 15 people in Driftwood’s tiny cabin. The mass of humanity tumble out into the hallway when Mrs. Claypool opens the door. I particularly like the way they sped up the film for the dénouement.

I thought about the Stateroom scene in the context of an article in the New York Times Magazine, entitled “The Wreck of the Kulluk”, and an article in the New York Times (NYT) by Joe Nocera, entitled “The Moral of the Kulluk.” The Magazine piece was an except from Of Ice and Men to be published later this month by Deca, authored by McKenzie Funk. In his longform piece he detailed the miss-steps that led to the grounding and sinking of the Shell Oil Company drill rig Kulluk after an unsuccessful attempt to drill for oil in the Artic Ocean. It was a tale of greed, high-risk drilling for oil and the attendant potential for a high reward and, at the end of the day, safety and engineering shortcuts that cost Shell the loss of the drill rig and the end of the potential of Artic drilling for the foreseeable future. The tale itself if riveting but for the Chief Compliance Officer (CCO) or compliance practitioner it had many key elements which should be considered for an anti-corruption compliance program under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-bribery laws.

The US Geological Service had estimated that the Artic held “nearly a quarter of the world’s undiscovered petroleum.” Moreover, when Shell put its plan in place, it was reeling from an accounting scandal. Funk said that the purchase of the Kulluk and drilling for oil in the Artic “was important not because Shell needed oil in 2005. The company had plenty of oil. It was important because Shell had spent the previous year engulfed in a scandal involving what are known as proved reserves”. This meant that “Shell still had to show to investors that it’s long-term future was as bright as it once looked”, i.e. before the accounting scandal.

For an energy production company such as Shell, drilling in the Artic Ocean is about the most difficult place left on earth in which to try and drill. In 2012, Shell was the world’s largest corporation and clearly thought it was up to the task. Funk wrote, “It was on track to spend $6 billion preparing for Arctic Alaska, and that March the Obama administration approved exploratory drilling. The task that remained was not to tame the frontier so much as to bring it within reach, to bind Arctic Alaska to the rest of the world. Shell imagined a future of new ports, new airports and permanent rigs.”

The journey of the Kulluk up to the Artic Sea was delayed and had several problems that would later haunt the drill rig. However, Shell was able to claim a victory as it actually began drilling in October 2012, but then shortly had to depart due to unanticipated ice floes threatening the drill rig. The Kulluk began the long tow out from the Artic Sea to its homeport in Seattle. However the boat towing it was so badly damaged it had to break off the tow. Shell then made the fateful decision not to leave the Kulluk in port in Dutch Harbor, because as Funk noted “If the Kulluk was in an Alaskan port on New Year’s Day, [Shell] executives believed, it would be subject to a state oil-facilities tax of as much as $6 million. In late December, a spokesman confirmed Shell’s fears in an email to a longtime reporter at a local newspaper, The Dutch Harbor Fisherman, writing, “It’s fair to say the current tax structure related to vessels of this type influenced the timing of our departure.””

This fateful decision, not to spend the winter in Dutch Harbor, Alaska, led to the beaching of the drill rig after it had broken free from its tow cables in stormy weather and hit the Alaskan coast. Funk concluded, “In the early hours of New Year’s Day [2013], the Coast Guard flew over the wreck. In aerial photos published around the world, the rig was dwarfed by the auburn, grass-covered hills of the uninhabited island where it had finally come to a rest.”

In his article Nocera wrote of some of the highlights he took away from Funk’s piece. He said, “Despite spending $6 billion preparing to explore for oil in this remote part of the world, it didn’t plan adequately, and it cut too many corners. According to the Coast Guard, which investigated the Kulluk disaster, not only had Shell’s risk management been “inadequate,” but there also had been a significant number of “potential violations of law and regulations.”” Nocera identified three key risk factors that were not managed. First was the weather. The second is the US government’s (or any government’s) ability to regulate such a high-risk venture.

Just as there were too many people in the Marx Brothers’ Stateroom, sometimes the risk is so high that a company cannot operate safely. The same is true in compliance. Sometimes a company cannot do business within the parameters of the FCPA. In such a case, a CCO needs to speak up and say so. Mike Volkov, the Two Tough Cookies and Donna Boehme oft-times tell us that part of the job of a compliance practitioner is to say No when it needs to be said. Joe Nocera certainly is not against oil companies drilling in inhospitable locations or their making money. Yet he concluded the lesson in the story of the Kulluk disaster is oil companies are not in position to drill for oil in the Artic safely. It is simply too risky. If a deal is so high-risk, the chances of completing it without engaging in conduct which violates the FCPA cannot be reasonably assured, it is time for compliance to step up and say No. If Shell had understood and managed its risk more prudently, it would not be out $6bn in losses from the Kulluk disaster.

For a YouTube clip of the Stateroom scene, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

The Ides of March and Evaluation of Compliance Risk

Tomorrow, March 15 is enshrined as one of the most famous days of all-time, the “Ides of March”. On this day in 44 BC, the “Dictator for Life” Julius Caesar was assassinated by a group of Roman nobleman who did not want Caesar alone to hold power in the Roman Empire. It was however, this event, which sealed the doom of the Roman Republic as his adopted son Octavian first defeated the Republic’s supporters and then his rival Dictator Marc Anthony and became the first Emperor of the new Roman Empire, taking the name Augustus.

One of the more interesting questions in any anti-corruption compliance regime is to what extent your policies and procedures might apply in your dealings with customers. Clearly customers are third parties and in the sales chain but most compliance programs do not focus their efforts on customers. However, some businesses only want to engage with reputable and ethical counter-parties so some companies do put such an analysis into their compliance decision calculus.

However, companies in the US, UK and other countries who do not consider the corruption risk with a customer may need to rethink their position after the recent announcements made by Citigroup Inc. regarding its Mexico operations.

In an article in the New York Times (NYT), entitled “Fraud Exposes Challenges for Citi in Mexico”, reporters Michael Corkery and Jessica Silver-Greenberg wrote about the troubles which have befallen “the bank’s “crown jewel” – a sprawling retail lender called Banamex.” Citigroup recognized there was risk in Banamex, even having, what the reporters said was, a “little black book” which was stated by one un-named top executive to be the “book of redlined clients” and was also described as “an informal tally of Mexican companies” that could imperil the company’s Mexican operations. The bank has come to grief with its involvement in a $400MM fraud “that was discovered last month highlights the limitations of that kind of culling, and more broadly points to the challenges of finding solid lending clients in a country where the line between big business and political cronyism can become blurred.”

While Citigroup blamed this problem on “bad luck and bad actors” the article revealed a more complicated picture. The picture was one where “the bank had been placing large bets on a few risky corporate borrowers”. The $400MM loss involved an oil services company, Oceanografía SA de CV. But the bank also sustained other losses where loans were made to building contractors, which after a Mexican government a policy shift it “effectively killed the developers’ suburban projects” and they were not able to repay the loans.

Moreover, with regard to Oceanografía, the bank itself recognized the inherent danger of doing business with the entity. The article noted that Banamex has extended $585MM in short-term credit to a company that Citigroup itself had warned its own bond investors was “from time to time subject to various accusations, including accusations of corrupt practices.” Oceanografía is a company that provided construction, maintenance and vessel-chartering services to Pemex’s exploration and production subsidiary. However, as the article noted, “Oceanografía’s fortunes, however, changed sharply last month after it became the subject of a new government review that resulted in a suspension of government contracts to Oceanografía for the next 20 months. Banamex had advanced as much $585 million to Oceanografía through an accounts receivable program. The program was supposed to work like this: Banamex would advance money to Oceanografía to provide services to Pemex. The oil giant would then pay back Banamex, verifying invoices provided by Oceanografía to confirm that the work had been completed. In theory, Banamex was relying on Pemex’s ability to pay back the bank.”

Unfortunately for Banamex, much like the developers “which relied on government subsidies to finance their suburban developments, Oceanografía’s business relied on government contracts from Pemex. But when those ties were cut, the problems quickly surfaced. Shortly after the suspension of government contracts to the oil services company, Citigroup said it discovered the fraud at its Mexican unit, involving Oceanografía.”

These losses were coupled with the semi-autonomous relationship that Banamex had with its parent, Citigroup. The article stated, “the bank he [Mr. Medina-Mora] built has been considered something of a “black box” — a highly profitable but not especially transparent unit that was run with great autonomy by its leader, according to current and former bank executives. Sometimes, though, that autonomy rankled other executives in New York, the people said.” Citigroup denied that Banamex was semi-autonomous and in a statement in the article said, “We dispute assertions that the management team is autonomous,” Further, “While Banamex is a subsidiary of Citigroup, it is absolutely subject to the same risk, control, anti-money laundering and technology standards and oversight which are required throughout the company.”

For the compliance practitioner there are several lessons to be garnered from Citigroup’s reported problems and Julius Caesar’s demise on the Ides of March. In Caesar’s case, he wholly ignored the resentment that had been welling up in the Roman aristocracy for his high-handed action in becoming a Dictator. Even on the day in question, he dismissed his personal guard detail as he was going to the Roman Senate and finally, although he allegedly was handed a written communication warning him of his impending doom, he never took the time to read it. In other words, not only did he miss the red flags, he ignored specific warning signs and reduced his risk management capabilities by dismissing his security detail.

Similarly, as reported by the NYT, Citigroup would seem to have missed the warning signs about Oceanografía and if the NYT article is correct, might have actually internally ignored red flags while broadcasting them to bond holding investors. Lastly, whether the Banamex unit was semi-autonomous, as alleged in the article, or not as claimed by Citigroup’s statement, the point is that there must always be oversight. More than simply a ‘second set of eyes’ there should be internal controls which can be reviewed and vetted.

Finally, as noted in the article, the loans in question involved businesses that relied on government contracts, payments or some other form of support. While that may be of some comfort in developing countries, it can also be a source of risk. It also points to another analysis, which is not always considered, that being if a proposition is high reward, it is probably because it is also high risk in some area. While many companies can evaluate high financial risk and hope for attendant high financial reward, they also need to consider how a high corruption risk might factor into their analysis.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

More Lessons From Workplace Safety for the Compliance Practitioner

I have long believed that the compliance discipline has quite a bit to learn from the area of safety in the workplace. This is not only because I believe that the changes in corporate attitudes about safety presage many of the current debates about how to ‘do compliance’ but also because many of the processes and procedures that a safety professional utilizes can be translated into a process for the compliance professional. In a recent Compliance Week article, entitled, “Risk-Management Lessons From The Depths” Richard M. Steinberg reviewed the newly released book Trapped Under the Sea, by Neil Swidey, which is about a catastrophic accident that occurred during the construction of a waste treatment plant in Boston Harbor.

Steinberg’s article focused on the risk management issues, which led to the deaths of men working on a tunnel, dug far beneath Boston Harbor that transported waste out to sea before its release. Steinberg began by looking at the pre-operation factors which laid the “seeds of disaster” leading to the tragedy. (1) There were tight deadlines to be met, “with a federal judge ready to impose huge fines and penalties if they were not”; (2) An inexperienced executive director of the governmental water resources authority overseeing the project, who was suffering from a stress condition his doctor said was off the charts, who was most critically “clearly intimidated by the prime contractor’s chief executive”; and (3) The prime contractor was already in the red on the project, behind schedule and incurring millions of dollars in penalties, rising every day.

With the project, and many jobs on the line, the stress level on the management team grew. Swidey noted that as “organizational behavior research shows that, “As trust levels go down within a group, group members’ creativity and willingness to seek new options also decreases. When intense time pressures are added to the mix, opposing sides tend to become even more fixed in their positions, relying more on cognitive shortcuts. They’re unable to work collaboratively to solve a problem because they have become locked in an adversarial contest: if you win, I lose.”” The actual planning of the key event which led to the catastrophic failure “fell to sub-contractors, with two men calling the shots: Roger Rouleau, who relied on the technical capability of the other man he was to oversee, Harald Grob. The subs needed to please the prime contractor, or risk ruin. Ultimately, those overseeing the project ended up relying on these two men to make some critical final decisions.” As Steinberg noted, “although there was a major general contractor, several sub-contractors, the governmental water resources authority, and the Occupational Safety and Health Administration involved, with a number of smart and seasoned people, the key decisions were left to one sub-contractor, who wasn’t even properly supervised by his boss.”

Steinberg said that the post accident analysis discovered the following:

• There were a series of small, bad decisions, none of which on its own would have been enough to produce a disaster, but together elevated risk to new heights.
• There was a dangerous cocktail of time, money, stubbornness, and frustration near the end of an over-budget, long-delayed project. The major players desperately needed the project to be concluded. They closed their eyes and hoped the plan made sense.
• Serious failings tend to happen late in projects, when confidence runs high and tolerance for delay dips especially low.
• Another factor at play here is EQ, or emotional quotient, which is differentiated from IQ. EQ is the ability to read, process, and manage the emotions of people around you, as well as your own.
• Executives with real authority put a higher value on Grob’s “fresh eyes and can-do attitude” than on their own intimate knowledge of the project and common sense. And doing so afforded them distance from the risks associated with the project.
• It turns out there was a much safer and better approach that wasn’t even considered until much later. Why? The battling parties became so fixed in their positions they could no longer trust the other side’s intentions. They fell prey to the “availability bias” where decisions are based on what was most available to them—in this case, Grob’s plan.

For the anti-corruption practitioner, the lessons from this disaster and Swidley’s book are myriad. Beyond the simple ‘just get it done’ prescription that a Chief Compliance Officer (CCO) often hears about business deals are some clear and direct markers. The first and foremost is that when something is high reward, there is generally a high risk involved. In the case of the Boston Harbor disaster, the high risk was the technology used to supply air to the men working in the tunnel that collapsed, however it had never been adequately tested. In fact the technology was not even understood.

From this the next lesson is to always understand the complete parameters of the transaction. If a party’s role is not set out or well explained, you must make the appropriate inquiries to determine the role. If you have a third party, you should know its role and that role should be specified in its contractual duties so that any compensation payable to the third party can be assessed against some type of standard.

If someone will not answer the direct questions that you pose, you need to have the authority to get those answers. The sub-contractor involved, Grob, refused to brook any criticism of his clearly outlandish plan by refusing to even answer questions about it. Steinberg wrote, “Grob’s bristling when the men raised concerns about his plan, and stressing his rank in the organization chart, made matters much worse.” This means, as a compliance professional, if you cannot get the necessary answers, you have to be able to say No.

As a project moves towards its end, it sometimes takes on a life of its own, which seems to have happened here. This is the time that a compliance professional must remain ever vigilant; dotting every ‘i’ and crossing every ‘t’, to make certain that the company’s internal compliance protocols are followed. As Steinberg noted, “The more people do something without suffering a bad outcome, the harder it becomes for them to remain aware of the risks associated with that behavior.”

I have previously written that there are many lessons to be learned by the compliance discipline from the field of workplace safety. While I still believe that the biggest lesson is that an entire corporate culture can change, just as I have seen safety now become priority Number 1 in the energy industry; there are significant process lessons to be garnered from the study of catastrophic safety system failures. Steinberg’s article and Swidey’s book make an excellent starting point.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

JPMorgan Chase and Compliance Risk

Most of the business news over the past few days has been dominated by JPMorgan Chase & Co (JPM) and its announced $2.3 billion trading loss. Early on there was focus on  JPM’s trading operations in London as the cause of this massive loss and even one trader, nicknamed the “London Whale”, has fuelled the debate about banks taking such large positions which caused or may have helped to cause these massive losses. The news stories intimated that these losses may have been the work of this ‘rogue trader’ who worked for the company in its London operation. However, an article in the Saturday Wall Street Journal (WSJ), entitled “Bank Order Led to Losing Trades”, reporters Dan Fitzpatrick, Robin Sidel and David Enrich wrote that the company told the traders to “make the bets aimed at shielding the bank from the market fallout of Europe’s deepening mess. But instead of shrinking the risk, their complicated bets may have backfired into losses as much as $200MM a day”.

One of area that is an important part of a minimum best practices compliance program under the Foreign Corrupt Practices Act (FCPA) or the UK Bribery Act is risk assessment. Indeed in a recent video podcast on the site MainJustice.com, Kimberly Parker, a partner at WilmerHale, said that both the Department of Justice (DOJ) and the UK Serious Fraud Office (SFO) have made clear that a risk assessment is now the key initial step in crafting a compliance program under either the FCPA or Bribery Act. However, from information available to-date, it is not clear how JPM may have assessed its risk which led to it instructing its traders to make such risky bets. Yet the Bank must have thought its risk was quite high to bet up to $200MM per day the other way in an attempt to manage said risk.

So it would appear that not only does a company need to assess its risk but it must also judge that risk. This is termed ‘risk intelligence’ and it appears that such intelligence was sorely lacking in the case of JPM. In an article, coincidentally also appearing in the Saturday WSJ, entitled “How to Beat the Odds at Judging Risk”, author Dylan Evans reviewed how two different groups, weathermen and gamblers, gauge probabilities. He believes that these two groups “have managed to overcome these biases and are thus able to estimate probabilities more accurately than the rest of us.” He termed this phenomenon as “high intelligence with respect to risk.” He cited to Sarah Lichtenstein for three characteristics of groups with high intelligence with respect to risk. First, these groups “tend to be comfortable with assigning numerical probabilities to possible outcomes.” Second, such groups “make predictions only on a narrow range of topics.” Third, these groups “tend to get prompt and well-defined feedback, which increases the chance that they will incorporate new information into their understanding.”

Evans wrote that both weathermen and gamblers received “prompt and well-defined feedback” for their predictions. Weathermen usually know the next day if their forecast is correct and gamblers received almost instantaneous results with the next roll of the dice, turn of a card or drop of a roulette ball. The key for gamblers seems to be in the quantification of wins and losses; they can review these strategies in order to learn from their mistakes.

Most compliance practitioners use a risk assessment to manage risk going forward. However, I believe that one of the lessons which can be learned from the JPM debacle is that a compliance program requires more than a risk assessment and management of the quantified risk. You need to use risk intelligence to learn from the risk and help your company anticipate FCPA or Bribery Act compliance issues that may arise from your business model, geographic sales locations or interactions with foreign government officials. Evans concludes his article by stating that given the right conditions and right self-reflection and practice, we can make substantial improvement to our risk intelligence.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012