I end my One Month to a Better Board series with a discussion from the recently released Justice Department Evaluation of Corporate Compliance Programs as it relates to a Board of Directors. In an area of inquiry entitled, “Oversight” the DOJ asked three basic questions which we have explored throughout this series. The questions presented by the DOJ were:
In addition to specifically stating that a Board of Directors must have a compliance subject matter expert going forward, it opines there should be a Board level committee dedicated to compliance as well. I have previously explored questions a Board should ask a Chief Compliance Officer (CCO). Today I want to focus some attention on questions by a Board of Directors around the Compliance Committee itself. To facilitate the answers to these DOJ questions, I have ended this series with a list of 20 questions below which reflect the oversight role of directors. These are questions which the Board should ask of both senior management and the Board itself. The questions are not intended to be an exact checklist, but rather a way to provide insight and stimulate discussion on the topic of compliance. The questions provide directors with a basis for critically assessing the answers they get and digging deeper as necessary.
The comments summarize the most current thinking on the issues and the practices of leading organizations. Although the questions apply to most medium to large organizations, the answers will vary according to the size, complexity and sophistication of each individual organization.
Part I: Understanding the Role and Value of the Compliance Committee
Part II: Building an Effective Compliance Committee
Part III: Directed to the Board
Part IV: Enhancing the Board’s Performance Effectiveness
Part V: Merging Roles of the Compliance Committees
Three Key Takeaways
This podcast considers the differences between forecasting and risk assessment is that risk assessment attempts to consider things which forecasting either did not reliably predict for, or those things which the forecasting models have raised as potential outcomes which could be troubling, critical themes and issues. As Locwin explained, “What you’re trying to do then is decide on how you would address these. Risk assessments will percolate to the top of the list, your risk registry. Those items which are most consequential for your organization, whatever it happens to be. Again, just like forecasting, risk assessments apply to every organization.”
Within the context of an anti-corruption compliance program, you are trying to make adjustments based on the risks of violation of the law, out in the marketplace. For instance, in a compliance forecast, third-party risk should be considered at the top of your ordinal list of risk and you should consider a multitude of factors such as the operating procedures, processes and systems and training. Of course, the execution of that process is a critical component as well.
There are three core areas upon which Directors should focus their attention regarding to help establish and maintain an effective compliance program. They are: (1) structure, (2) culture and (3) risk management.
This area consists of questions which will aid in determining the fundamental sense of a company’s overall compliance program. The questions should begin with the basics of the program through to how the program operates in action. Some of the structural questions Board members should ask are the following.
This area of inquiry should focus on the culture of the organization regarding compliance. Board members should have an understanding of what message is being communicated not only from senior management but also middle management. Equally important, the Board needs to understand what message is being heard at the lowest levels within the company. Some of the cultural questions Board members should ask are the following.
Risk Management Questions
Board members need to understand the company’s process being used to identify emerging risks, their evaluation and management. Such risk analysis would be broader than simply a compliance risk assessment and should be tied to other broader corporate matters.
Three Key Takeaways
Where does “Tone at the Top” start. With any public and most private US companies, it is at the Board of Directors. But what is the role of a company’s Board in FCPA compliance? We start with several general statements about the role of a Board in US companies. First a Board should not engage in management but should engage in oversight of a CEO and senior management. The Board does this through asking hard questions, risk assessment and identification.
In a recent White Paper, entitled “Risk Intelligence Governance-A Practical Guide for Boards” the firm of Deloitte & Touche laid out six general principles to help guide Boards in the area of compliance risk governance. I have adapted them for the Board role around compliance.
All of these factors can be easily adapted to FCPA compliance and ethics risk management oversight. Initially it must be important that the Board receive direct access to such information on a company’s policies on this issue. The Board must have quarterly or semi-annual reports from a company’s Chief Compliance Officer to either the Audit Committee or the Compliance Committee. This commentator recommends that a Board create a Compliance Committee as the Audit Committee may more appropriately deal with financial audit issues. A Compliance Committee can devote itself exclusively to non-financial compliance, such as FCPA compliance. The Board’s oversight role should be to receive such regular reports on the structure of the company’s compliance program, its actions and self-evaluations. From this information the Board can give oversight to any modifications to managing FCPA risk that should be implemented.
There is one other issue regarding the Board and risk management, including FCPA risk management, which should be noted. It appears that the Securities and Exchange Commission (SEC) desires Boards to take a more active role in overseeing the management of risk within a company. The SEC has promulgated Reg SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company which fails to make it to fines, penalties or profit disgorgement.
Three Key Takeaways
In this special live, on location episode, Jay Rosen and I discuss the recent SCCE 2017 Utilities and Energy Conference held in Washington DC. He hit on the highlights, topics, vendors and key note speakers. We also discuss the impact of the recently released DOJ Evaluation of Corporate Compliance Programs. Finally we have a guest appearance by Jim Moore, recently installed as SVP at Trust Point International. For a copy of the Evaluation of Corporate Compliance Programs, click here. For my two blog posts on the Evaluation, Part I and Part I
In this episode I visit with Morrison Forrester partner James Koukios on the firm's December newsletter on the Top Ten International Anti-Corruption Developments for December 2016. James and I visit about some of the lesser known highlights from the month of December 2016 in the global enforcement of anti-corruption.
In this final five days of my One Month to a Better Board series, I will look at inquiries and questions a Board can take to help the organization actually do compliance going forward. I begin with an exploration of how can a Board work to incorporate the compliance function into a long-term business strategy of the organization. A Board can do so by engaging with the Chief Compliance Officer and compliance function through having a strong Board which is committed to doing business ethically and incompliance with anti-corruption laws such as the FCPA and engaging actively with the CCO and compliance function. This post will begin a discuss of various tools and techniques a Board can use and engage to move to this level of engagement.
The first point is to develop a framework for incorporating compliance into your long-term strategy. This framework draws from the State Street Global Advisors’ strategy for sustainability and adapts it to compliance. To set up the framework for evaluation of the compliance function is a three-step process, which you can use to determine how comprehensive you compliance program is as a starting point.
Step 1-has the company identified the compliance issues relevant to the Board?
Step 2-has the company assessed and incorporated those compliance issues into its long-term strategy?
Step 3-has the company communicated its approach to compliance and the influence of those factors on its overall strategy?
From this initial inquiry you can move into some specific questions that the Board can use to determine the overall state of your company’s compliance program. First a Board can work to identify compliance issues material to your organization. This can be accomplished with compliance related key performance indicators, which a Board should then prioritize to elevate their impact on compliance. A Board should consider these through the life-cycle of a business line or geographic sales area. Next the Board should work to move compliance into both the long-term strategy for the company and also have the CCO detail the long-term strategy for the compliance function.
Drawing from the February release Justice Department Evaluation of Corporate Compliance Programs (Evaluation), the Board should actively work to incorporate compliance into the long term capital allocation of the company. Obviously the earlier the investment the better as it brings benefits such as benefits through brand differentiation, lowering the risk profile of the company and improving nimbleness in market responses
The Board should oversee the incorporate of KPIs into senior management performance evaluations and compensation. Once again building upon the Evaluation which asks how the company monitors its senior leadership’s behavior and how senior leadership modelled proper behavior to subordinates, the Board should make certain systems are in place to quantify or measure performance related to compliance issues, should establish performance goals against which they measure compliance achievement and finally disclose to shareholders the material compliance issues that drive compensation, the specific goals or performance targets that
management has to achieve and report on the actual performance against established goals to justify compensation payouts.
Finally the Board should work to communicate the influence of compliance factors on overall corporate strategy by demonstrating how compliance was integrated into the business. Not only is this good from a business perspective and shareholder expectation but also as the DOJ Evaluation makes clear what the government expects is the operationalization of compliance going forward.
These general factors will lead us into more specific questions that a Board can pose as we continue one month to a better board for a best practices compliance program.
Three Key Takeaways
In this episode, I begin a three-podcast series on risk management in compliance with Ben Locwin, Director of Global R&D at BioGen and an operational strategist in pharma and healthcare, to explore risk forecast, risk assessment and risk monitoring for the compliance profession. Today we consider forecasting in the risk management process.
Yesterday, I considered the Board of Director’s role in hiring of senior executives and in other key positions and corporate positions and corporate relationships. Today I want to consider the Board’s role in succession planning. In an article entitled, “Advancing Board Refreshment Through the Director Succession Planning Process” authors William Libit and Todd Freier posited that a Board’s ability to “refresh itself on a regular basis can help ensure it maintains a proper mix of experience and expertise to meet the organization’s current and long term needs.”
While noting that there is no ‘one-size-fits-all-approach’ to succession planning, the authors believe there are some key traits you should consider in succession planning. To facilitate this theorem, the authors laid out a seven-step approach for Director succession planning.
Three Key Takeaways
What is the role of a Board of Directors in hiring senior executives, Chief Compliance Officers and even other Board members? I recently explored this issue with Candice Tal, founder and CEO of Infortal, a global security and risk management consulting company. Tal began by noting, that a bad senior executive hire can cost a company much more than simply dollars. She noted, the “financial costs in day-to-day operations easily can quadruple that of a regular employee, but it can also impact the company’s corporate governance and Board of Directors if that executive hire was found to be involved with unethical and illegal activities. Not even a signed contract can protect a company if an executive hire’s unethical actions come to the attention of the national media. Fiduciary risk and exposure for the board of directors cannot be overlooked.”
She pointed to the example of Yahoo! and its hire of Scott Thompson back in 2012. It turned out that Thompson had incorrect information on his online biography regarding his academic credentials. As Tal noted, “implications went beyond the activist shareholder accusations to reflect on the board of directors for not vetting his background more carefully. The company may have been exposed to claims of providing false information to the SEC and potential stockholder law suits. Thompson’s 120-day tenure at Yahoo! cost the company over $7 million and seriously tarnished the company’s reputation in the business community.”
The key is that a company engage in an executive due diligence investigation rather than simply a routine or even executive-level background investigation. Tal explained that an executive background search, is “typically limited to a 5 component review of: criminal records, employment verification, degree or education verification, social security validation, address verification and sometimes credit history.” Such searches are “very limited searches.”
Conversely, executive due diligence, “looks in-depth at all available public records sources: criminal history, civil litigation issues, financial and legal issues, relationships with other companies and board advisory positions, reputation, misrepresented education and overstated work history, behavioral history (for example litigiousness), and, in particular, undisclosed or adverse issues.” While it is generally “more costly than executive background checks and takes more time, the information gathered is extremely valuable and can save a company substantially more. A high quality due diligence review can find important information which would not be returned in a routine executive background check.”
Infortal has found that up to 20% of executive search candidates fail a deep level due diligence investigation. Now consider how many senior executive slots your company has and add to that seats on the Board of Directors and you can quickly see the risk of failure to consider an executive due diligence search when promoting or hiring. Moreover, you need an executive level due diligence in other business situations as well, including the senior management of new business acquisitions brought into your organization through a merger or other acquisition, selecting new Board members, screening corporate Boards of Directors and of course, for third party business partners and other agents in the sales and supply chain channels.
Three Key Takeaways
In this episode, Matt Kelly and myself take a deep dive into the Department of Justice (DOJ) recent release, entitled “Evaluation of Corporate Compliance Programs” (Evaluation), which went up on the Fraud Section website on February 8.
The document is an 11-part list of questions which encapsulates the DOJ’s most current thinking on what constitutes a best practices compliance program. Within the list are some 46 different questions that a Chief Compliance Officer (CCO) or compliance practitioner can use to benchmark a compliance program. In short, it is an incredibly valuable and most significantly useful resource for every compliance practitioner.
The Evaluation, most generally, follows the DOJ and Securities and Exchange Commission’s (SEC) seminal Ten Hallmarks of an Effective Compliance Program, released in the 2012 FCPA Guidance. If there is one over-riding theme in the Evaluation, it is the DOJ’s emphasis on doing compliance as the questions posed are designed to test how far down your compliance program is incorporated into the fabric of your organization. The Evaluation is not simply a restatement of the Ten Hallmarks, as it clearly incorporates the DOJ’s evolution in what constitutes a best practices compliance program, and it certainly builds upon the information put forward in the DOJ’s FCPA Pilot Program regarding effective compliance programs, most particularly found in Prong 3 Remediation.
The bribery and corruption case of GlaxoSmithKline PLC (GSK) resonated across the corporate globe. While many questions are still unanswered, one that seems to be at the forefront of the inquiry was where was the GSK Board of Directors? This matter demonstrates role of a Board of Directors is becoming more important and more of a critical part of any effective compliance program.
In an article in the NACD Directorship, entitled “Corruption in China and Elsewhere Demands Board Oversight”, Eric Zwisler and Dean Yoost noted that as “Boards are ultimately responsible for risk oversight” any Board of a company with operations in China “needs to have a clear understanding of its duties and responsibilities under the FCPA and other international laws, such as the U.K. Bribery Act”. Why should China be on the radar of Boards? Since 2010, over 25% of all FCPA enforcement actions have derived from China.
Corruption can be endemic in China. Further FCPA enforcement actions have made clear that Chinese businesses are quite adept at appearing compliant while hiding unacceptable business practices. A Board of Directors should be aware that a well-crafted compliance program must be complemented with a thorough understanding of frontline business practices and constant auditing of actual practices, not just a paper compliance program. This means that both monitoring and auditing should be visible to the board. Echoing one of the Board’s roles, as articulated in the FCPA Guidance, the authors believe that a “board must ensure that the human resources committed to compliance management and reporting relationships are commensurate with the level of compliance risk.” So if that risk is perceived to be high in a country, such as China, the Board should follow the prescription in the Guidance which states “the amount of resources devoted to compliance will depend on the company’s size, complexity, industry, geographical reach, and risks associated with the business. In assessing whether a company has reasonable internal controls, DOJ and SEC typically consider whether the company devoted adequate staffing and resources to the compliance program given the size, structure, and risk profile of the business.”
To help achieve these goals, the authors suggest a list of questions that they believe every director should ask about a company’s business in China.
Third parties generally present the most risk under a FCPA compliance program and that as much as 95 percent of reported FCPA cases involve the use of third-party intermediaries such as agents. However, in China all potential opportunities retain some level of compliance related issues. As joint ventures and the acquisition of Chinese entities are important business strategies for many western companies, it is important to have Board oversight in the mergers and acquisition process.
The authors understand that “non-compliant business practices and how to bring these into compliance is often a major and defining deal risk.” But, more importantly, it is a company’s “inability to understand actual business practices, the impact of those practices on the core business, and effectively dealing with a transition plan is one of the main reasons why joint ventures and acquisitions fail.” So even if the conduct of an acquisition target was legal or tolerated in its home country, once that target is acquired and subject to the FCPA or Bribery Act, such conduct must stop. However, if such conduct ends, it may so devalue the core assets of the acquired entity so as to ruin the business basis for the transaction. The authors cite back to the FCPA Guidance and its prescribed due diligence in the pre-acquisition stage as a key to this dilemma. But those guidelines also make clear that post-acquisition integration is a must to avoid FCPA liability if the illegal conduct continues after the transaction is completed.
The authors conclude by articulating that many Boards are not engaged enough to understand the way that their company is conducting business, particularly in a business environment as challenging as China. They believe that a Board should have a “detailed understanding of the business if it is to be an effective safeguard against fraud or corrupt practices.” They remind us that not only should a Board understand the specific financial risks to a company if a FCPA violation is uncovered; but perhaps more importantly the “potential impact on the corporate culture and the risk to the company’s reputation, including the reputations of individual board members.” Finally, the authors believe that “effective oversight of corruption in China will only become increasingly more important”. That may be the most important lesson for any Board collective or Board member individually to take away from the ongoing GSK corruption and bribery scandal.
Three Key Takeaways
For some additional reading see:
1.) Mike Volkov Article on Monitors
2.) Jay Rosen Weekend Read
The "Real" FCPA, SCCE + Hello Goodbye
3.) Kristy Grant-Hart on The Top Five Myths about ISO-37001 Exposed
4.) Jay Rosen new contact info
Jay Rosen, CCEP
Vice President, Business Development
Affiliated Monitors, Inc.
Mobile (310) 729-6746
Toll Free (866)-201-0903
Today I want to consider a couple of failures at the Board level around bribery and corruption.
VimpelCom sought to enter the telecom market through the acquisition of a local player, Unitel, as an entrée into the Uzbekistan market. Unitel made clear to VimpelCom that to have access to, obtain and retain business in the Uzbeki telecom space, VimpelCom would have to, according to the VimpelCom DPA, “regularly pay Foreign Officials millions of dollars” who was Gulnara Karimova, the daughter of the then President of the country. VimpelCom also acquired another entity Butzel, that was at least partially owned by an Uzbeki government official, who hid their interest through a shell company, which was known to VimpelCom. VimpelCom did not articulate a legitimate business reason for the deal and paid $60MM for Buztel.
As laid out in the VimpleCom’s Information, its senior management was well aware of the potential FCPA risk. The Information stated, “From the beginning of VIMPELCOM’s deliberations concerning its entry into Uzbekistan, there was an acknowledgment of the serious FCPA risks associated with certain VIMPELCOM management’s recommendation to purchase Buztel in addition to Unitel… Documents prepared for the December 13, 2005 Finance Committee meeting explained that Buztel was owned by a Russian company “and a partner” without further detailing the identity of the “partner” who was in fact Ms. Karimova. The materials documented that “[t]hrough a local partner, [VIMPELCOM was] in a preferred position to purchase both assets . . . .”” The Finance Committee “identified the likelihood of corruption and expressed concerns.” Even with these reservations, the Finance Committee failed to identify the local partners.
But there was even more specific cautions around a FCPA violation when one Finance Committee member ““expressed concern on the structure of the deal and FCPA issues” and noted “that if [VIMPELCOM] goes into this deal under this structure and if the structure violates the FCPA picture, [VIMPELCOM’s] name could be damaged.”” The Finance Committee voted to move forward with the Buztel portion of the transaction “provided that all issues related to the FCPA should be resolved.”
These concerns moved up to the VimpelCom Board of Directors. In a December, 2005 Board meeting, “the likelihood of corruption was further discussed” and that “there was a recognition that a thorough analysis was needed to ensure that the Buztel payment was not merely a corrupt pretext for other services and favors. There were also numerous requests to ensure that the deal complied with the FCPA. Ultimately, VIMPELCOM’s board approved the Buztel and Unitel acquisitions, with a condition that FCPA analysis from an international law firm be provided to VIMPELCOM.”
Here VimpelCom management defrauded its own Board of Directors. The Information states, “VIMPELCOM’s management then sought FCPA advice that could be used to satisfy the board’s requirement while allowing VIMPELCOM to proceed with a knowingly corrupt deal. Despite the known risks of Foreign Official’s involvement in Buztel, certain VIMPELCOM management obtained FCPA legal opinions from an international law firm supporting the acquisition of Unitel and Buztel; however, certain VIMPELCOM management did not disclose to the law firm Foreign Official’s known association with Buztel. As a result, the legal opinion did not address the critical issue identified by the VIMPELCOM board as a prerequisite to the acquisition. Management limited the law firm’s FCPA review of the transaction to ensure that the legal opinion would be favorable. Having obtained a limited FCPA legal opinion designed to ostensibly satisfy the board’s requirement, certain VIMPELCOM management then proceeded with the Buztel acquisition and corrupt entry into the Uzbek market.”
b. Fraudulent Stock Transfer
But that was only the start as VimpelCom then entered into a partnership with the foreign official who was given an ownership interest in Unitel, through the shell corporation. The shell company held an option to sell this interest back to VimpelCom in 2009. It would appear that the owner of the shell corporation was well known within both VimpelCom and Unitel but both entities referred to this person as the “partner” or “local partner”. VimpelCom set up partnership where, “Shell Company obtained an indirect interest of approximately 7% in Unitel for $20 million, and Shell Company received an option to sell its shares back to Unitel in 2009 for between $57.5 million and $60 million for a guaranteed net profit of at least $37.5 million.”
VimpelCom’s Board was required to and did approve the partnership but as with the original acquisition, “approval again was conditioned on “FCPA analysis by an international law firm” and required that the “the identity of the Partner . . . [be] presented to and approved by the Finance Committee.” VIMPELCOM received an FCPA opinion on the sale of the indirect interest in Unitel to Shell Company on or about August 30, 2006. The FCPA advice VIMPELCOM received was not based on important details that were known to certain VIMPELCOM management and that certain VIMPELCOM management failed to provide to outside counsel, including Foreign Official’s control of Shell Company. In addition, documents, including minutes from the Finance Committee’s meeting on August 28, 2006, failed to identify the true identity of the local partner by name while noting the “extremely sensitive” nature of the issue.”
Some three years later, the shell company exercised its option to be bought out of the partnership for $57.5MM, after having invested $20MM. This netted a profit of $37.5MM. Unfortunately for all involved, they routed the payments for the transaction through financial institutions in the US, thereby creating FCPA jurisdiction.
Another FCPA enforcement action involved the Tulsa-based company BizJet, which had four senior executives convicted for their participation in a bribery scheme. But this case also involved the Board of Directions. In the Criminal Information it stated, that in November 2005, “at a Board of Directors meeting of the BizJet Board, Executive A and Executive B discussed with the Board that the decision of where an aircraft is sent for maintenance work is generally made by the potential customer’s director of maintenance or chief pilot, that these individuals are demanding $30,000 to $40,000 in commissions, and that BizJet would pay referral fees in order to gain market share.”
In both cases, this is where the rubber hits the road. If a company is willing to commit bribery and engage in corruption to secure business no amount of doing compliance is going to help. If senior management is ready, willing and able to lie, cheat and steal, the Board is the final backstop to prevent such conduct. Both the VimpelCom and BizJet Boards sorely failed in their compliance duties.
Three Key Takeaways
What are metrics for a Board around compliance? Former Assistant Attorney General Leslie Caldwell laid out some that the Justice Department would consider in a review of compliance programs. These metrics are:
These requirements move beyond simply having the correct ‘Tone at the Top’ which every Board should articulate. They charge the Board with a substantive role in the actual doing of compliance going forward. One of my concerns is this metric sets up Board members and senior management for prosecution under the Foreign Corrupt Practices Act (FCPA) in the new era of the Yates Memo where companies are required to investigate and turn over individuals to the DOJ for prosecution if they want to receive any credit for cooperation. Of course, the Yates Memo also articulated the DOJ’s stated intention to more aggressively prosecute individuals as well.
You begin with two questions. First, does the Board of Directors exercise independent review of a company’s compliance program? Second, is the Board of Directors provided information sufficient to enable the exercise of independent judgment?
Boards of Directors should take a more active role in overseeing the management of risk within a company. Now this includes having a FCPA compliance program in place and actively oversee that function. This means if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward. Some of the areas for hard questions include
There are several paths a Board of Directors can take to fulfill this duty. Obviously the full Board can be apprised of compliance issues and handle them appropriately. However this may be unwieldy or not workable if there is a large Board and the compliance function only has limited time to present a quarterly and annual report. The Audit Committee is usually considered a natural venue for the compliance function to report to as it handles issues somewhat related to compliance already.
Through the convergence of the Yates Memo and these metrics, it is time for companies to create a Compliance Committee separate and a part from the Audit Committee. This Board-level Compliance Committee would be charged with oversight of FCPA compliance and ethics but could also be the reporting venue for anti-money laundering compliance (AML), export control compliance and all other such disciplines within an organization. Further after the Volkswagen emissions-testing scandal, not only have a robust compliance program but direct and transparent Board oversight may be the only thing stopping injury to your reputation from a competitor’s illegal or unethical conduct.
Three Key Takeaways
This episode is dedicated to the chaotic (at best) first three weeks of the Trump administration.
For the Cordery Compliance client alert on Privacy Shield, see here
For Jay’s post see, Where Do Politics End and Ethics & Compliance Begin?
For Matt Kelly’s posts see the following:
For Tom Fox’s posts on these topics see the following:
The members of the Everything Compliance panel include:
In this episode, Matt Kelly and I take a deep dive into the new Microsoft security analysis tool, Secure Score which will rate a company's IT and data security protocols. We use his blog post on the topic, "Microsoft Cybersecurity Tool May Prompt Compliance" as a starting point to consider the Big Brother implications, two-step security features, AI issues and all of this ties directly into the corporate compliance function.
In an article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP posited seven considerations to facilitate a successful board investigation.
The appearance of partiality undermines the objectivity and credibility of an investigation. That means you should not use your regular counsel. The authors cite to the Securities and Exchange Commission (SEC) analysis of how independent board members truly are to explain the need for independent counsel. They state, “the SEC considers the following criteria when determining whether (and how much) to credit self-policing, self-reporting, remediation and cooperation” which will consist of the following factors:
Jim McGrath has written and spoken about the need to utilize specialized counsel in any serious investigation. If a board is leading an investigation, I would submit by definition it is serious. Your investigation needs to lead by a lawyer with significant experience in conducting internal investigations; a strong background in criminal or SEC enforcement; and has substantive experience in the particular area of law at issue.
In any FCPA or other anti-corruption investigation, there will be the need for a wider variety of subject matter experts (SME’s) than a compliance professional. If there are accounting issues, forensic accountants might be needed. In this day and age, an electronic discovery consultant is often required, and can be a cost effective option for gathering and processing electronic data for review.
There are two types of conflicts of interest that may come to light during an investigation. First is the one which comes up when the law firm or lawyers conducting the investigation are those whose prior legal advice has some bearing on the matters being investigated because a company’s regular outside lawyers represent the company. During an internal investigation, however, the lawyers may be hired by, and represent, the board or its committee. The second occurs when a lawyer or law firm jointly represents the board and employees at the company as regulators have become increasingly concerned with joint representations. The trickier question is what to do when there simply is a risk that representing one client could limit the lawyers’ duties to the other. So in these situations, joint representation may not be appropriate.
Whistleblowers have become more important and taking their allegations seriously is paramount. This does not mean trying to find out who the whistleblowers might be to punish or stifle them, even if they are located outside the United States and therefore do not have protections under these laws. They can still get hefty bounties. Regulators are very wary of boards that do not satisfactorily evaluate a whistleblower’s complaint based on a perception of the whistleblower himself, as opposed to the substance of the complaint.
These types of investigations are long and very costly. They can easily spin out of cost control. But, by trying to manage these costs, a board might be perceived as placing improper limits on the investigation. The “goal is to strike the right balance between the cost of the investigation and its thoroughness and credibility.” To do so, flexibility is an important ingredient. The scope of what to investigate is not a static, one-time decision. It can, and usually does, evolve.
While there may be instances in which, due to complexity and the nature of allegations involved, a written report is necessary, there may be times when an oral report delivered to a board is better than a written report for “a written report may be easier to follow and appear to be the logical conclusion to an investigation, it is an expensive and time-consuming endeavor, and it comes with great risk.” The authors indicate three reasons for this position.
The authors conclude their piece by stating, “By keeping in mind the issues addressed above, the board will be better prepared for the investigation and readily able to exercise good judgment throughout the review. A well-conducted investigation by the board may spare the company further disruption and costs associated with follow-on investigations by the regulators, or at the very least minimize the company’s exposure.”
Three Key Takeaways
Third parties remain the highest risk in the anti-bribery/anti-corruption space. However many CCOs and compliance professionals do not focus on the supply chain for potential risk and rewards that they do for the sales side of the business. How can compliance professionals become better versed in these issues? One of the answers is provide by for those in the compliance space, Financial Research Associates and Compliance Week with the Third Party Risk Management and Oversight Conference to be held in NYC on March 20 & 21, 2016. In this episode I visit with Conference Chair, Melissa Evans, on the upcoming event.
Best of all listeners to this podcast will receive a discount to the event. You can receive a 15% discount off the regular price by entering the Code CMP 161. For more information on the event, check out the website by clicking here.
Many companies have an investigation protocol in place when a potential Foreign Corruption Practices Act (FCPA) or other legal issue arises? However, many Boards of Directors do not have the same rigor when it comes to an investigation, which should be conducted or led by the Board itself. The consequences of this lack of foresight can be problematic, because if a Board of Directors does not get an investigation which it handles right, the consequences to the company, its reputation and value can all be quite severe.
In an article in the Corporate Board magazine, entitled “Successful Board Investigations” by David Bayless and Tammy Albarrán, partners in the law firm of Covington & Burling LLP write about five key goals that any investigation led by a Board of Directors must meet. They are:
Three Key Takeaways
In this episode, I visit with Linda Lattimore, developer of Cross Sector law which assists lawyer and companies in developing expertise around corporate social responsibility.
One of the ongoing questions from members of Board of Directors is how to resolve the tension between oversight and managing. I recently had the opportunity to visit with Joe Howell, the Executive Vice President (EVP) of Workiva, Inc. on this subject. Howell has worked on and with Boards of Directors at various companies and I wanted to garner his understanding of the role of a Board and both senior management and a Chief Compliance Officer (CCO). Howell had a short response which I thought was an excellent starting point to understand the role; put sand in the shoes of management.
The key to such a metaphor succeeding is that a Board of Directors, “by continuing to challenge management on these scenarios that management has considered and the stories management is telling itself about what could go wrong”, can “help get management out of its comfort zone by and large executive teams begin to believe themselves when they talk about how well they’re doing. The independent challenge that the board can offer putting the little bit of sand in the shoe to make sure that you’re thinking about things carefully can cause you to step back and really focus your resources where they're needed.”
Board’s do this by posing questions to management that help them challenge their own assumptions, especially those assumptions which senior management is most confident about. Howell said that Board’s “need to help senior management consider the things that management is so sure about that maybe are going to play out the way that they expect. For example, the things that can hurt investors more than anything else is a surprise. Chaos does not help investors in general. The things that surprise investors frequently are the things that also surprise management. Does management consider all of the things that can go wrong and have they built an environment where they can both help prevent those things from happening and detect them when they’re small and they can actually do something about them.”
Howell noted the role of the Board is not management but oversight, focusing on governance. To do so, an effective Board should challenge senior management not only on what they have planned for but what they may not have considered or may not even know about. He said, “one very good example is the whole, the reputation of those stakeholders involved in the company and that can be the management team itself, the employees, and the board members themselves.” This is because reputational damage hurts everyone. Howell went on to state, “it’s very important as we go through some of the ways the board can help management in that role. I think the things that really make a difference to management is when the board is able to be an effective devil’s advocate. Not managing management but helping them in their governing role by helping management to step back and think critically of their own underlying assumptions and biases.”
One of continuing struggles I hear from Board members is asymmetrical information, largely due from the siloed nature of company information and structures. Howell acknowledged, “These sorts of barriers are pervasive in any company of any size that has a particularly operations and different product lines and different markets and different countries and different time zones. These limitations in the free flow of information by themselves create a risk to the organization, to the investors of the organization, to the employees of the organization and the board’s ability to ask questions. If nothing else in their governance control creates this reminder to management to open up itself to itself and listen carefully to its own organization and be able to link information to all of the places it needs to be fed.”
I asked Howell to further explain his phase “open itself up to itself and listen”. He provided the following example, “how can the Chief Financial Officer make sure that he is giving all the information that the Chief Compliance Officer needs to do his job? Those questions from the board can be very valuable in making sure that the Chief Financial Officer doesn’t forget these issues and the Chief Compliance Officer has an opportunity to engage constructively with the Chief Financial Officer and others in the organization.”
Somewhat counter-intuitively, Howell noted that when it comes to the Board’s oversight role around internal controls, less is often more. This occurs by helping management understand a company can overdo a control environment, “in the sense that when management guides controls around risks that are not going to be the most serious risks to the company, that they end up building excessive amounts of energy and protection where they're not really needed. That you as a management team end up deluding your attention and deluding your resources.”
Howell went on to explain it is simply a matter of resources, “When things do go wrong, you’re in effect spread so thin that you don’t see those risks coming at you. The real question where less is more can be very valuable is when the board continues to challenge the management team on the scenarios that could play out. That could be devastating to an organization where risk really matters.”
I asked Howell if he could provide any discrete examples and he pointed to the food service industry for the following., “For example, in a food service company or a restaurant company, if there were contamination or if there were things that could happen either at the plant or by people who are touching the food. Those are very serious risks that a company needs to both be mindful of and to be able to prevent. If something goes wrong, you need to be able to detect early. When customers of the company or others are hurt that there’s a consequence of failures that can be devastating.”
In another example Howell said he had seen situations where internal “controls that are used for financial reporting for example, when examined in the light of where the risk really exists for the company, the companies have been able to reduce their controls actually by as many as half and improve their overall control environment and reduce the aggregate risk to the company. It’s interesting that even spending less money on controls by having fewer controls can improve the overall comfort that the company and its management and investors are protected from risk.”
A Board is not simply there to be a rubber stamp for senior management. It must exercise independent judgment, action and oversight. Further, it is the Board’s role to ask hard, difficult and probing questions to make sure management is not only doing its job but has considered other risk possibilities.
Three Key Takeaways
In this episode, Jay Rosen and I review the recent Super Bowl LI from the compliance perspective; mining the Patriots 'for the ages' comeback and the Atlanta collapse for lessons for the compliance practitioner.
James Doty, Acting Commissioner of the Public Company Accounting Oversight Board (PCAOB) was once asked if the Board or its sub-committee which handles audits was a part of a company’s internal financial controls. He answered that yes, he believed that was one of the roles of an Audit Committee or full Board. I had never thought of the Board as an internal control but the more I thought about it, the more I realized it was an important insight for any Chief Compliance Officer or compliance practitioner as it also applies as a compliance internal control.
In the FCPA Guidance, in the Ten Hallmarks of an Effective Compliance Program, there are two specific references to the obligations of a Board. The first in Hallmark No. 1 , which states, “Within a business organization, compliance begins with the board of directors and senior executives setting the proper tone for the rest of the company.” The second is found under Hallmark No. 3, entitled “Oversight, Autonomy and Resources”, where it discusses that the CCO should have “direct access to an organization’s governing authority, such as the board of directors and committees of the board of directors (e.g., the audit committee).” Further, under the US Sentencing Guidelines, the Board must exercise reasonable oversight on the effectiveness of a company’s compliance program. The Department of Justice’s (DOJ) Prosecution Standards posed the following queries: (1) Do the Directors exercise independent review of a company’s compliance program? and (2) Are Directors provided information sufficient to enable the exercise of independent judgment? Doty’s remarks drove home to me the absolute requirement for Board participation in any best practices or even effective anti-corruption compliance program.
Board liability for its failure to perform its assigned function in any compliance program is well known. David Stuart, an attorney with Cravath, Swaine & Moore LLP, noted that FCPA compliance issues can lead to personal liability for directors, as both the Securities and Exchange Commission (SEC) and DOJ have been “very vocal about their interest in identifying the highest-level individuals within the organization who are responsible for the tone, culture, or weak internal controls that may contribute to, or at least fail to prevent, bribery and corruption”. He added that based upon the SEC’s enforcement action against two senior executives at Nature’s Sunshine Products, “Under certain circumstances, I could see the SEC invoking the same provisions against audit committee members—for instance, for failing to oversee implementation of a compliance program to mitigate risk of bribery”. It would not be too far a next step for the SEC to invoke the same provisions against audit committee members who do not actively exercise oversight of an ongoing compliance program.
Further, the SEC has made clear that it believes a Board should take a more active role in overseeing the management of risk within a company. The SEC has promulgated Regulation SK 407 under which each company must make a disclosure regarding the Board’s role in risk oversight which “may enable investors to better evaluate whether the board is exercising appropriate oversight of risk.” If this disclosure is not made, it could be a securities law violation and subject the company, which fails to make it, to fines, penalties or profit disgorgement.
I believe that a Board must not only have a corporate compliance program in place but actively oversee that function. Further, if a company’s business plan includes a high-risk proposition, there should be additional oversight. In other words, there is an affirmative duty to ask the tough questions. But it is more than simply having a compliance program in place. The Board must exercise appropriate oversight of the compliance program and indeed the compliance function. The Board needs to ask the hard questions and be fully informed of the company’s overall compliance strategy going forward.
A Board’s oversight is part of effective compliance controls, then the failure to do so may result in something far worse than bad governance. Such inattention could directly lead to a FCPA violation and could even form the basis of an independent SOX violation as to the Board.
Three Key Takeaways
The basic framework for internal controls is derived from the COSO Model developed by the Committee of Sponsoring Organizations of the Treadway Commission in 1992 (COSO). This model has become the standard for an internal control framework and provides a structure to ensure companies address the key elements that should result in an effective system of internal controls. Using the COSO Model, as modified in 2013, provides a very supportable approach when regulators challenge whether a company has effective internal controls. The COSO Model defines internal controls in a pyramid, from bottom to top, as follows: (a) Control environment, (b) Risk assessment, (c) Control activities, (d) Information and communication, and (e) Monitoring.
Which internal controls does a company need to institute? Each company defines its internal controls to fit its business by determining what the Company wishes to protect and what type of control environment does it want to have in place. This means that they can be less formal in smaller companies but still effective if the focus is on the right risks. For anti-corruption risks, the most common control needs have been identified as follows: (i) Dealings with third parties; (ii) Gifts and entertainment, and (iii) Charitable donations. Yet even within those categories, a wide range of risks exists, depending on a company’s business practices. A Top Down ‘Check-the-box’ generic set of policies will not likely result in effective controls.
The process to determine which internal controls are needed will be of some familiarity to the compliance professional. It all starts with a risk assessment to establish the corporate policies which are applicable, tailored to the company, and sufficiently specific. The risk assessment will also help to identify the types of transactions across the company which should be addressed (gifts and entertainment, maintenance of bank accounts and movement of cash, dealings with third parties, etc.). The next step is to prepare a set of documents which define the control objectives to be in place for each type of transaction – example: Controls will be in place to ensure no vendor has been added to the vendor master file until complete due diligence has been completed and the vendor has been approved in accordance with Corporate policies. Thereafter, you need to document how the controls will be performed and how they will be evidenced and then incorporate the control procedures into applicable work instructions and job descriptions.
Each business location, determine the specific controls needed to accomplish each control objective. In many companies, a disparity of operating practices and accounting systems will result in different controls being needed. While this assignment may seem overwhelming it can be done in reasonable stages, pursuant to a specific implementation plan - it does not have to be done all at once for the entire company.
Internal controls for a Board or Board Compliance Committee should be broken down into five concepts:
Three Key Takeaways