FCPA Compliance and Ethics Blog

December 11, 2013

Keep Your Hand on the Control

#14748 Hand on the Throttle by Karl-Heinz Morawietz 2011-01-27Yesterday Nelson Mandela’s casket was driven to the state capital where he will lay in state until his funeral on Sunday 15th December. Dignitaries from all over the world will attend. Mandela was praised for his non-violent approach to ending apartheid in South Africa and his leadership in the peaceful transition of power. But he was also recognized as incorruptible. So today we honor that aspect of his career.

I am continually amazed at the seemingly disparate current events which provide tangible lessons for the compliance practitioner. In an article in the New York Times (NYT), entitled “Hearings on San Francisco Crash Set to Explore Broader Problems”, reporter Matthew L. Wald wrote about the upcoming National Transportation Safety Board (NTSB) hearings on the deadly plane crash last July at San Francisco International Airport. Investigators quickly were able to determine the immediate cause of the crash; that being the pilots failure to monitor their airspeed. However these hearings will go further and try to determine more basic reasons which led to the pilots to make the decisions which caused or contributed to the disaster.

The first was an over-reliance on technology. Crews for the airline involved, Asiana, are “accustomed to programming the autopilot to land their planes” rather than manually taking over during the landing procedure. The first problem was compounded and became disaster when a second problem apparently arose which was that the pilots had “evidently limited ability to manage the ubiquitous automated systems in the cockpit.” So they flew expecting the auto-pilot to land the plane but did not realize or appreciate that the auto-throttle portion of the system was in the off position. The article was clear that, even with these reasons, the problems which led to the crash were “more broad than bad pilots.”

The reliance on technology or big data has become an issue in the Foreign Corrupt Practices Act (FCPA) or other anti-corruption laws such as the UK Bribery Act. The Department of Justice (DOJ) has brought up the tool of transaction monitoring as a best practice at least since the Morgan Stanley Declination. But, just as these tools are important to the compliance practitioner, it is important to keep in mind that one of the remedies certain US based airlines have come up with will make it harder for crews to overlook problems like low airspeed, even when a plane’s auto-pilot is turned on during a descent. The solution is elegant for its simplicity, certain airlines mandated that “a pilot keep a hand on the throttle, to sense its position, during descent.” Simple, elegant and cost effective I would add.

For the compliance professional this also means a compliance program is more than simply about numbers and systems. As Paul McNutly and Stephen Martin say in their five essential elements of an effective compliance program, it is important to not only understand but ascertain if your employees are staying with the compliance program. Even after all the important ethical messages from management have been communicated to the appropriate audiences and key standards and controls are in place, there should still be a question of whether the company’s employees are adhering to the compliance program. Two of the seven compliance elements in the Federal Sentencing Guidelines call for companies to monitor, audit, and respond quickly to allegations of misconduct. These three highlighted activities are key components enforcement officials look for when determining whether companies maintain adequate oversight of their compliance programs.

The next area that the NTSB hearings will look at is training and procedures. One thing that US pilots are trained on and given a wide berth to do is to “speak up if they sense a problem, even if the pilot at the controls has seniority, and to listen to subordinates.” Recognizing that part of the issue here is cultural, because South Korean crews “have had trouble with those procedures”,  the clear message here is training. For the compliance practitioner, the message is also clear, again it is training, training and training. Whether you call it a ‘Speak Up, Speak Out’ or ‘Raise Your Hand’ culture, such a system must be put in place to allow an employee who senses a problem to get that information to people who can take a more focused look at the problem.

But, more than training, the company has to commit to more than having a system. The company must commit to listening. One of the biggest changes in the airlines cockpits is that more senior pilots are instructed listen to junior pilots. The same must be true in a company. The company has to listen to employee concerns. This requirement to listen has been made even stronger with the Dodd-Frank Whistleblower provisions. But the clear message for the compliance practitioner is that speaking up and listening are a two-way exercise.

Just as in every catastrophic accident, in almost every circumstance regarding a compliance issue which becomes a FCPA violation, there is at some point a situation where an employee did not report a situation or event up to an appropriate level for additional review. This failure to escalate led to the issue not reaching the right people in the company for review/action/resolution and the issue later became more difficult and more expensive to deal with in the company. This means that a company needs to have a culture in place to not only allow elevation but to actively encourage elevation. Additionally, both a structure and process for that structure must exist. Lastly, while a whistleblower process or hotlines are necessary these should not be viewed as the only systems which allow an employee to escalate a concern. In the cockpit it means a junior pilot can speak directly to a more senior pilot.

One of the things that I have learned practicing compliance is that process is very important. But the investigation into the Asiana crash shows that keeping your hand on the throttle to understand the pulse of things is a very good technique to maintain.

—————————————————————————————————————————————————————–

Please join myself and Eddie Cogan, CEO of Catelas as we discuss Risk-Based 3rd Party Vetting, Screening and Monitoring Strategies for High Risk Jurisdictions Thursday, December 12. For information and registration click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2013

April 14, 2011

FCPA Compliance: Documentation Is a Key

Paul McNulty, former United States Deputy Attorney General has provided perspective that there are three general areas of inquiry the Department of Justice (DOJ) would assess regarding an enforcement action. First: “What did you do to stay out of trouble? Second: “What did you do when you found out?” and Third: “What remedial action did you take?” He also discusses that as a key component, a company must document its overall compliance efforts.

Former federal prosecutor Stephen Martin, currently the General Counsel of Corpedia, discusses the key component of documentation when he and I speak across the country on current compliance best practices in our World-Check sponsored Foreign Corrupt Practices Act (FCPA) events. To respond to any of these inquiries a company must document what it does for its compliance efforts. However, more than simply the ability to document the results of your company’s compliance efforts is the ability of a company to quickly and efficiently respond to a prosecutor’s request for information in a timely manner.

We recently wrote about the proactive use of the results of your compliance program, as advocated by William Athanas in his article “Demonstrating “Systemic Success” in FCPA Compliance: Identifying and Maintaining Evidence to Respond to Government Investigations . . . Before They Begin.” From this article I derived three key take a ways; which are document, document and then document. If your compliance program does not document its successes there is simply no evidence that it has succeeded. In addition to providing to your company support to put forward to the DOJ, it is the only manner in which to gage the overall effectiveness of your compliance program. Put another way, if you don’t document it, you cannot measure it and if you cannot measure it, you cannot refine it.

One of the mechanisms to help both in your documentation and delivery of this documentation is audit analytics. ACL Services, in a White Paper entitled “Don’t Get Bitten by the FCPA”, advocated the use of audit analytics to assist in creating and accessing the necessary documentation to enable your company to continue to compare and update its compliance program and provides a readily assessable written record to present to any DOJ official.

Another company, Visual Risk IQ, has a software product which performs continuous controls monitoring involving the monitoring of data. This system will enable your company to not only record and analyze a large amount of financial information but will allow you to readily document whether any payments are outside of any established norm. This established norm can be derived from against a businesses’ own standard or an accepted industry standard. Therefore if a payment, distribution or other financial payment, or remuneration into a foreign business partner is outside an established norm, thus creating a Red Flag, such information can be tagged for further investigation and such record is documented and readily accessible.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

March 14, 2011

What a Prosecutor Might Ask During a FCPA Investigation?

Hopefully, one area that many compliance practitioners will not have much experience in is dealing with prosecutors, at least in the in-house, corporate context. Further it may be the case that most in-house lawyers come from a civil law background, as opposed to the criminal law side of the legal profession. Therefore, if an in-house compliance practitioner is required to disclose to, and work with, a federal prosecutor, the in-house practitioner usually does not have experience to draw upon in connection with the types of inquiries a Department of Justice (DOJ) prosecutor might ask during a Foreign Corrupt Practices Act (FCPA) investigation.

Over the past 9 months, and continuing for the next several months, I have been privileged to tour the US with World Check discussing various aspects of the FCPA. Another member of the team is Stephen Martin, the General Counsel of Corpedia. Stephen worked as a prosecutor in the DOJ during the Clinton administration before moving into the corporate world and has a wealth of knowledge on the types of inquiries that a prosecutor might ask during the pendency of a FCPA investigation. In his presentation Stephen suggests that, during a FCPA inquiry, your company might be asked some of the following questions:

  • What resources were apportioned for compliance? If you plead that you did your best given the resources your company allocated to the compliance department, a simple question that a prosecutor might ask is along the lines of “How much did your company spend last year on yellow sticky notepads, or pencils or paper clips, you get the picture, $1MM or more? Is, or are, those items business critical but compliance is not?
  • How do I know your risk assessment was objective? Did your company bring in an outside profession to perform the risk assessment under which your compliance program is based? Under the US Sentencing Guidelines, in implementing [the elements of an effective compliance and ethics program] the “organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement, or modify each requirement [as set forth in the elements] to reduce the risk of criminal conduct identified in this process”. Can you demonstrate that you periodically assessed your risk and if so how was it done?
  • Were compliance risks in the C-Suite and Boardroom addressed? Even if your compliance policy is thorough in the ranks of the organization, were those at the highest level also a part of your overall compliance strategy. Not only was there an appropriate “Tone at the Top” but was this communicated throughout your organization? Was your Board active and engaged? Was there thorough reporting to the Board. Where are the records to document both?
  • How was risk examined at the vendor/agent level? Did your risk assessment look at both your sales distribution model and the individuals or entities involved and has your company assessed its compliance risk with vendors in the supply chain? If yes, what methodology did your company use? How is both the methodology and results documented? If your raw work product was not retained, does your final report provide sufficient detail on the methodology that your company utilized?
  • Was culture and attitude measured? This begins with the tone at the middle and lower ranks of your organization. Did the measure come down from on high ( i.e.: the Top) and if so did it percolate throughout the ranks of this organization? Has your company surveyed its employee’s attitudes regarding compliance? As with your risk assessment(s), what was the methodology and how valid is it and the results?
  • How was knowledge assessed? Although this is related to the above inquiry, the focus is somewhat different. If you had live training, did you interview employees to determine the results? If there was computer training, did you require any type of test after the completion of the course and did you require some form of passing grade? How did you document the results?
  • Was anyone terminated or disciplined as a result of the risk assessment? Most companies understand the need to discipline or terminate employees as a result of a FCPA investigation which finds a violation. However if your company has never terminated or even disciplined any employees as a result of a compliance assessment, this may bode poorly for you in the eyes of a prosecutor. Has your company ever looked at its top sales persons or agents outside the US in a detailed, systematic way to determine if they are within your compliance guidelines? If so what was the methodology, what was the result and how is all of this documented?
  • Who among the governing authority of your company received the final report or was briefed on the outcome? While this is related to the 2nd question above, it goes further. If the very highest level was not so engaged, it speaks poorly on your company’s commitment to compliance. The Board needs to demonstrate commitment to full engagement in both the successes and the non-successes and be involved in using lessons learned to resolve any problems which may have arisen.
  • How was the risk assessment outcome used? While it certainly is a positive step to follow the sentencing guidelines and perform a risk assessment, such assessment should be utilized. The UK Ministry of Justice says that your risk assessment should “inform” your compliance program. A prosecutor might conclude that your program lacks strength and vitality if your company does not use what it may have learned in a risk assessment to make any necessary or even changes suggested by a risk assessment.

This list is not exhaustive and there will be many, many more queries, both large and small from any prosecutor. However, this sample makes clear that your ability to respond, and respond with documentation, will be critical in establishing your company’s credibility in the compliance area.

—————————————————————————————————————————————————————–

Stephen and I will be continuing our FCPA presentations, hosted by World Check this spring. All of the events are free and CLE is provided. Our upcoming schedule is as follows and if you are in one of these areas I hope you can join us.

Tuesday, April 5-Portland. For details, click here.

Wednesday, April 6, Seattle. For details, click here.

Thursday, April 7, Denver. For details, click here.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

 

Blog at WordPress.com.