There is nothing like an internal whistleblower report about a FCPA violation, the finding of such an issue or (even worse) a subpoena from the DOJ to trigger the Board of Directors and senior management attention to the compliance function and the company’s compliance program. Such an event can trigger much gnashing of teeth and expressions of outrage followed immediately by proclamations “We are an ethical company.” However it may well be the time for a very serious reality check.
The DOJ Evaluation of Corporate Compliance Programs focuses this question in Prong 7 with the following: Response to Investigations –What has been the process for responding to investigative findings? You may find yourself in the position that you will have to have some very frank discussions about what to expect in terms of costs and time outlays. While much of these discussions will focus on the investigative process and those costs, these discussions will allow you to begin to talk about remediation going forward and begin to explain why money must be budgeted for the remediation process.
One of the things rarely considered is how the investigation triggers the remediation process and what the relationship is between the two. When issues arise warranting an investigation that would rise to the Board of Directors level and potentially require disclosure to the government, there is usually a flurry of attention and activity. Everyone wants to know what is going on. Russ Berland, the Chief Compliance Officer at Dematic Inc. has noted, “for that short moment in time, you have everyone’s full attention.” Yet it can still be “a tricky place, because you get your fifteen minutes to really get everyone’s full attention, and then from then on, you’re fighting with everybody else for their attention, just like the normal things in business life. It’s, they’re coming in and saying, “Okay, here’s the situation as we know it now, there is an investigation path, and corresponding to that, here’s what we think is the remediation path and some outlines of what it’s going to take,” often with some dollar signs attached to it.”
You need to explain the costs to the Board and senior management. As Berland said, you need to be upfront and candid in firmly stating, “For us to get to this place, this is what it’s going to cost.” Moreover, you need to be able to show how some companies paid very large amounts, not just in the eventual fine and penalty but also in other costs. Berland went on to say, “We want to show you how people have lost money by having to write big checks, because they didn’t take this seriously, and saved money, because they didn’t have to write as big a check, because they took this very seriously, and your return on investment here is going to be very high if you do this well.” This is easier with the information that was provided in the 2016 DOJ Pilot Program around FCPA enforcement as it demonstrated how much discount a company can receive below the minimum range of the Sentencing Guidelines for remediation.
One of the most difficult parts is that the investigation is often done in a way in which the investigators want to maintain as tight a control over the information and privilege as they possibly can. The remediation really requires output from the investigation to understand where the risk points are and where the gaps are, both in the compliance program and the internal controls. There’s a tension there, and it needs to be structured in a way that information can be shared with those who are designing the remediation without fear of compromising the investigation.
Dan Chapman, CCO at Vimpelcom and formerly CCO at Parker Drilling, also believes that costs must be adequately discussed to set proper expectations. These include both direct costs and, even more importantly, a discussion of indirect costs to the company. He noted that “the biggest cost to a company during an investigation is the diversion of management resources” and, as he further explained, “kind of everything stops to focus on the investigation.” This indirect cost comes through largely the time commitment of senior management. He further explained, “if senior management has to commit 20% of their time, that’s 20% that’s not going towards revenue generating, shareholder value protecting activities.”
Yet, how can you communicate that to somebody who has not gone through a full blown internal investigation then coupled with a federal investigation with the DOJ and Federal Bureau of Investigation (FBI) involved? Understanding that the all-encompassing nature of such an event is difficult to articulate, Chapman goes through some of his past experiences as touch points. He said, “I talk about past experiences. One example would be at a past company, my first week on the job, they had a worldwide conference for all the senior managers from around the world. At that meeting, I asked all the senior executives, you know, C-level executives. I said, “Over the last few years, have you spent 5% of your time on the matter? They’d raise their hands. Then I kept escalating it: 10%, 15%. Hands didn’t go down until about 20%. Then I explained to them, to the audience, I said, “So if you got 5%, 10%, 15% more than your senior management, where would this company be?” I think that’s helpful, but there’s not great way to quantify it. It’s kind of like quantifying compliance generally. How do you quantify the absence of non-compliance? How do you quantify what could have been? How do you quantify the opportunity costs of managements time?”
You can explain the upside of compliance and do that in a manner that juxtaposes the cost. Chapman said you could mention things such as, “If you have clear policies and people know what to do, think how much easier your life would be. Instead of having to make calls and figure it out on your own every single time, you had clear policy.” The same types of arguments come into play in areas generally considered the purview of HR, i.e. recruiting and retention.
About recruiting Chapman posed the following for consideration, “Think about recruiting. Where do your new hires out of college come from? Where do they get their information about your company? If they Google your company, what’s one of the first things they see if you’ve been in trouble? They Google it, and they’ll get a penalty, or they’ll get some news article about the wrongdoings.” He also points out retention of current employees by asking, “How you would feel if everybody at this company felt good about working here, and no one felt embarrassed by what happened. Would that help retention?”
Yet even more than these types of points about employees in the organization, Chapman believes it is important to make it personal to the highest level of the organization and try to make it as real and personal to your audience as possible. He says he asks the Board and senior management “What about you? How do you feel about being involved in it? Rather than being something that’s out there, the company, what about you? How do you feel about being here?”
Obviously, the investigation will be critical for you to help understand what remediation your compliance program will need going forward. As Berland said, “Somebody found a way to get around your system. Maybe they colluded to overcome the internal controls. Maybe there was a group that simply wasn’t well trained, didn’t understand, or there was a group that was extremely well trained, and decided to do it anyway. But somehow, there are issues in your system, and by system, the overall system of the executive tone, the governance, the compliance program, the internal controls, all at a meta level.”
It is axiomatic that you cannot finds gaps in your compliance system until you stress test it. Viewed in this light, your compliance failures can be viewed as such a stress test. Berland said, “Well, guess what, you just got handed a stress test, and this is where the system broke down. Now you know there’s a gap. Well, absent the investigation, as painful and difficult as that is, that gap would have just been sitting there.” The investigation will raise information to you about the failures of your compliance program that you may not have known existed previously.
While there will be a desire by some folks to not give out any information about the investigation until it is completed and there is a final report, you must resist this at all costs. If the results of the investigation are not made available to you as the CCO or the compliance professional charged with remediating the compliance program, any such remediation will be extremely difficult, because, as Berland noted, “you’re just going off suppositions and guesses.”
He advocates there be a solid line of communication between the people who are doing the investigation and the people who are leading the remediation. Otherwise, you can only begin your remediation in the most general terms and you will not be able to deal with specific gaps in your compliance program or risks that need to be managed.
Such an approach can also be a recipe for disaster. First, and foremost, the DOJ will not give you credit and you may lose the types of benefits articulated in the FCPA Pilot Program. Moreover, the executive attention will have dissipated, or, as Berland said, “When you’ve got the energy, use it.”
What about the always-dreaded ‘Where Else’ question in any FCPA investigation? Berland believes the key is “anticipating the question is going to come up, and having an answer ready, which is, “We are going to do a comprehensive risk assessment of the remainder of the company. We are not going to go out and look under every leaf and every, you know, check every tree, but we are going to do a very extensive risk assessment, and we’ll be able to come back and tell you that we don’t think there is a likelihood of other issues in other places.””
However, the answer could be equally something along the lines that ““we have found a high likelihood and we’re going to continue to take deeper and deeper considers that section until we know if something happened or not.” That was an acceptable answer. It was, you know, “here's the slice of the pie where we know something is happening, and here’s the process to look at the rest, given it really is kind of a risk assessment plus going forward.””
Three Key Takeaways